
Spanning Tree & err-disabled

AxiomConsulting
Level 1

Hi All,

I am trying to connect a 3com switch to our Cisco 3750 stack, however when I connect it to the switchport on the Cisco stack it goes into err-disabled mode.

After a little investigation I found that this was because BPDU guard and portfast had been enabled on the switchport. However, I would like your advice as to what to do next. Should I remove the BPDU Guard feature from this switchport, and if so, what are the implications?

Thanks for your help

Steve

6 Replies

glen.grant
VIP Alumni

Yes, remove both. This feature is to protect the network from users who would stick a switch on the network without permission, and not for known devices that you want on the network. Only remove it for the one port that this switch is attached to.

Roberto Salazar
Level 8

The BPDU guard feature can be globally enabled on the switch or can be enabled per port.

At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

With that explanation, BPDU guard should not be enabled on ports connecting to other switches because those are sure to send BPDUs. Portfast should never be enabled on ports connecting to other intermediate devices such as switches, hubs, routers.
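An offline check for the Port Fast and BPDU guard combinations described in the post above, as an added example that is not part of the original post. The sample running-config and its interface names are constructed, and the function names `parse_interfaces` and `audit` are hypothetical.

```python
# Constructed sample running-config (not from the thread); interface names are illustrative.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport host
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    stanzas, current = {}, None   # interface name -> list of stripped sub-commands
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
            stanzas[current] = []
        elif raw[:1] in (" ", "\t") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None        # "!" or a global command ends the stanza
    return stanzas

def audit(config):
    """Return {interface: [findings]} for risky Port Fast / BPDU guard settings."""
    global_guard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        portfast = "spanning-tree portfast" in cmds or "switchport host" in cmds
        if "spanning-tree bpduguard enable" in cmds:
            guard = True                       # per-port enable, with or without Port Fast
        elif "spanning-tree bpduguard disable" in cmds:
            guard = False                      # per-port override of the global default
        else:
            guard = global_guard and portfast  # global default covers Port Fast ports only
        issues = []
        if portfast and not guard:
            issues.append("portfast without BPDU guard")
        if guard and "switchport mode trunk" in cmds:
            issues.append("BPDU guard on trunk port")
        if issues:
            findings[name] = issues
    return findings
```

On the sample, the second port is reported because Port Fast is active with the guard overridden, and the third because a switch-facing trunk with BPDU guard would be err-disabled by the neighbour's BPDUs.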

rohitrattan
Level 1

Hello Steve,

You should configure the connecting ports on both the switches as trunk (if the 3com switch supports dot1q); that will solve your problem. If the 3com switch does not support trunking, you should configure the 3750 port as static access but disable the portfast feature.

(config-if)# no switchport host

HTH

Regards

Rohit

Hi all,

Thanks so much for your help, I just wanted to get it clear in my head any implications of turning it off.

Rohit, would you mind explaining a little more the command you mentioned...

(config-if)# no switchport host

Sure,

The port on the Cat 3750 is an access port, and that means it should essentially connect to a host device, e.g. a PC. Access ports usually take 50 seconds to move into a fully operational state when you first connect them to a device, and that's a bridging loop prevention mechanism that takes up the time to evaluate and prevent any potential loops. With the portfast feature enabled, the port instantaneously moves into the operational state without pre-checking for any possible bridging loops in the network. A BPDU is a sort of probe that is sent by every switch to negotiate a loop-free topology, and a port configured with portfast should not receive a BPDU. Thus, to guard against accidental bridging loops, BPDU Guard is enabled. You should never disable it on a port configured with portfast. The "no switchport host" command will disable spanning-tree portfast. Thus you won't need BPDU Guard, and hence your port will not go into err-disable mode...

HTH

Regards

Rohit

All active ports in portfast state (designated) will transmit BPDUs for active VLANs on the interfaces. This is because STP needs to know the state of those ports in the STP topology. As far as STP is concerned, any port in portfast mode should not receive BPDUs, only transmit them. Portfast should always be in forwarding state when the port is active.

Trunk ports, for example towards the root bridge, will receive BPDUs for all active VLANs in spanning forwarding state, and they are taking part in STP and can be in either blocking or forwarding state.

Francisco.
