error message BPDU Port errdisabled

Answered Question
May 9th, 2008
User Badges:

i got gollowing err in sh log of router


May 9 13:39:42.441 PDT: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet4/21 with BPDU Guard enabled. Disabling port.

May 9 13:39:42.441 PDT: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa4/21, putting Fa4/21 in err-disable state


any help please

Correct Answer by cisco_lad2004 about 9 years 1 week ago

BPDUGUARD will protect u against loops.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (6 ratings)
Loading.
rsohi Fri, 05/09/2008 - 13:24
User Badges:

Hi there, basically, BPDU Guard is used on the port which applies PortFast. As long as the port received any BPDUs, the BPDU Guard ports will kept in errdisable status.


Seems someone maybe trying to insert a switch into that port which sends bpdu packets. The port is configured to not allow this so it goes into an error disable mode and shuts the port down. You have to do a shut and no shut on the port to bring it back up. However, it may go down again if the device sending bpdu's is still active on the port.


If your intention is connect this device you must turn bpdu guard off on the port.


hope this helps, regards,

Raj


Istvan_Rabai Fri, 05/09/2008 - 23:43
User Badges:
  • Gold, 750 points or more

Hi Mahesh,


Raj is right, turn off BPDUguard with the "no spanning-tree bpduguard enable" interface command on Fa4/21, if you want to connect a switch to this port.


Otherwise you should leave it as it is, because it will protect your network from connecting rogue switches to that port. Enabling a rogue switch can change the entire topology of your network:


If it is configured with a lower bridge priority, then it will take over the role of the root switch and the traffic patterns may change to the worse within your network.


In addition, if this new switch is configured as a VTP server or client with a higher VTP revision number, then it will overwrite all the vlan information in all switches. This can simply disrupt the whole network.


So take care.


Cheers:

Istvan

bvsnarayana03 Sat, 05/10/2008 - 01:18
User Badges:
  • Silver, 250 points or more

BPDUguard puts a port in err-disable state when it recv a bpdu on access port. To reuse the port, you need to shut/noshut the port.


You may also use the rootguard command as replacement of bpdu guard, this also disables the port when it recv a superior bpdu & recovers the port by itself when it ceases to hear bpdu's on the port.

mahesh18 Sat, 05/10/2008 - 11:11
User Badges:

Thanks for reply,

so BPDU should not be received at access port?

cisco_lad2004 Sat, 05/10/2008 - 14:07
User Badges:
  • Gold, 750 points or more

When u define an access port, you would typically have an end station at the other end. so no BPDUs should be received.

Hoover to protect yourself against mis cabling, on malicious activity. you need to be prepared in case an access port start receiving BPDU, meaning a switch is connected to access port.

This is where bpdu guard comes in handy.


Rootguard is useful but will only protect u against superior BPDUs. if u have a loop due to miscabling, BPDUs might not be superior. SPT loop will kill ur switched network.


a recommendation is to leave BPDU guard on and add "errdisable recovery interval x

" where X is ur time to try to bring port up automatically instead of doing shutdown and no shutdown.


Pls rate all helpful posts.


HTH


Sam

mahesh18 Thu, 05/15/2008 - 15:28
User Badges:

thanks for reply,

if someone plug cable on two ports on same

switch will it cause loop?

how we can protect in this case if cabling

loop occurs?

thanks

Correct Answer
cisco_lad2004 Thu, 05/15/2008 - 21:51
User Badges:
  • Gold, 750 points or more

BPDUGUARD will protect u against loops.

mahesh18 Fri, 05/16/2008 - 10:40
User Badges:

thanks for reply,


so u mean to say we should apply BPDU guard

on all ports??????????

access ports right ????????????

not on trunk ports right?????????


cisco_lad2004 Fri, 05/16/2008 - 14:30
User Badges:
  • Gold, 750 points or more

1-No not needed on trunks as SPT takes care of loops.

2-Only needed on access ports that are configured to be portfast, ie where you practically have SPT disabled.


Sam




mahesh18 Fri, 05/16/2008 - 15:20
User Badges:

Thanks for reply


so STP takes care of loops only on Trunk

ports not on access ports right?

cisco_lad2004 Fri, 05/16/2008 - 22:32
User Badges:
  • Gold, 750 points or more

STP takes care of both Trunk and access ports.

for access ports in old days when only STP was around as opposed to RSTP, an access port still had to wait for 50 sec convergence before forwarding frames, so portfast was introduced to speed this up.

Portfast assumes no switch is at other end on access sport and therefore speeds up convergence, effectively it skips SPT steps. BPDUGUARD was used in case a port that is portfast, start receiving BPDUs.


so in short :-) STP takes care of loops everywhere.


HTH


Sam

Actions

This Discussion