spanning-tree etherchannel guard misconfig

Unanswered Question
Mar 19th, 2009

What EXACTLY does this command check or verify? And how does it check this?

(Do you need PAgP or LACP, or does it also work in mode on?)

Francois Tallet Thu, 03/19/2009 - 10:43

It's a hack based on STP.

A channel is supposed to be point to point and the feature is adding a consistency check based on the source MAC address of the BPDU received.

If you keep receiving BPDUs from several source MAC addresses, this feature will assume that you have a bundling problem and shut down the port.

You can disable this behavior.

I think the feature should be removed because it is making an incorrect assumption on the source MAC address of the BPDUs, but it has been there forever and some people think it is necessary.

The "dispute mechanism" is able to detect bundling errors using STP and without those assumptions, but it's only working with MST, and recently with Rapid-PVST (no support possible for PVST).

Regards,

Francois

gnijs Thu, 03/19/2009 - 10:47

Thanks. So if the remote side has STP disabled (for example because it does not support per-vlan RPVST, genre...HP?) and is not sending BPDUs at all, it will not make any difference?

PS. (I am using LACP to build the channel)

Francois Tallet Thu, 03/19/2009 - 10:54

No relation to LACP. Just STP.

Yes, it should not complain if it's not receiving any BPDUs. Now... you have to be sure that no BPDUs are coming from your HP ;-) In particular, be careful that PVST+ BPDUs are flooded through third party devices. So if your HP bridge has some other Cisco switches behind it, it might be forwarding some PVST+ BPDUs on your channel, certainly with different source MACs. That's one of the reasons why I don't like this feature!

Regards,

Francois
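
An added illustration of the check discussed in this thread (not code from the posters or from Cisco): a Python model that counts distinct BPDU source MACs per channel over constructed captures, covering the single-neighbour, silent-neighbour and flooded PVST+ cases. The one-source threshold, the function names and the sample MAC addresses are assumptions made for the example.

```python
from collections import defaultdict

# Well-known BPDU destination addresses.
BPDU_DST = {
    "01:80:c2:00:00:00": "ieee-stp",
    "01:00:0c:cc:cc:cd": "pvst+",  # flooded as ordinary multicast by non-Cisco bridges
}

def bpdu_sources(frames):
    """Map channel -> {source MAC -> set of BPDU kinds}, ignoring non-BPDU frames."""
    seen = defaultdict(lambda: defaultdict(set))
    for channel, src, dst in frames:
        kind = BPDU_DST.get(dst.lower())
        if kind:
            seen[channel][src.lower()].add(kind)
    return seen

def inconsistent_channels(frames, max_sources=1):
    """Channels whose BPDUs come from more than max_sources source MACs.

    max_sources=1 is this model's reading of "point to point"; it is an
    assumption, not a value taken from Cisco documentation.
    """
    return {
        ch: {src: sorted(kinds) for src, kinds in srcs.items()}
        for ch, srcs in bpdu_sources(frames).items()
        if len(srcs) > max_sources
    }

# Constructed captures: (channel, source MAC, destination MAC)
SINGLE_NEIGHBOUR = [("Po1", "00:11:22:00:00:01", "01:80:c2:00:00:00")] * 3
SILENT_NEIGHBOUR = [("Po2", "00:aa:bb:00:00:09", "ff:ff:ff:ff:ff:ff")]  # no BPDUs at all
FLOODED_PVST = [  # third-party switch relaying PVST+ BPDUs from two switches behind it
    ("Po3", "00:11:22:00:00:0a", "01:00:0c:cc:cc:cd"),
    ("Po3", "00:11:22:00:00:0b", "01:00:0c:cc:cc:cd"),
    ("Po3", "00:11:22:00:00:0a", "01:00:0c:cc:cc:cd"),
]

if __name__ == "__main__":
    for name, capture in [("single", SINGLE_NEIGHBOUR),
                          ("silent", SILENT_NEIGHBOUR),
                          ("flooded", FLOODED_PVST)]:
        print(name, inconsistent_channels(capture))
```

Listing the BPDU kind next to each source MAC shows whether the extra sources are PVST+ frames relayed by an intermediate switch rather than a genuine bundling error.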
