Switchport configuration?

Apr 9th, 2009


I have a developer in our team who uses VirtualBox for development purposes. VirtualBox has built-in switching capabilities, which means the switch sends BPDUs on the interface. Throughout my LAN I have BPDUGuard enabled and PortFast for access ports. Obviously when he plugs in it causes the switchport to go into an err-disable state. I really don't want this on my LAN but fear I will have to support it. What is the safest way to manage this? I looked into BPDUFilter Enable, which seems a reasonable solution? Your thoughts? I am concerned as today we had STP convergence and we traced it down to his machine! Fortunately this was early in the morning and didn't cause a major issue! Thanks

dario.didio Thu, 04/09/2009 - 06:15


You can just remove the spanning-tree portfast command from the port your developer is connected to.

You can also go for BPDUfilter.

When BPDUfilter is used globally (in global config mode) it will remove portfast automatically when a BPDU is received on a port with port-fast configured on.

When BPDUfilter is used on a port level (interface config mode) it will just not send BPDUs out that port.

I personally don't like BPDUfilter, especially not in combination with BPDUguard (which I like :)

Also, you can use rootguard on the port connected to your developer's VirtualBox, preventing it from becoming STP root and causing STP recalculations.

I personally would go for the no spanning-tree portfast.



darren-carr Thu, 04/09/2009 - 06:32


Thanks Dario.

Given that at this stage the port is configured as BPDUFilter enable, from what you are suggesting I should remove BPDUFilter, add rootguard and disable spanning-tree portfast at the interface level?


dario.didio Thu, 04/09/2009 - 06:44

That is what I should do.


- Disabling portfast, you let STP negotiate listening, learning, forwarding.

- Enabling root guard, you specify that this port can never become root port.

You will lose some time when the port comes up because it needs to pass the different states, but you will be sure no loop exists.

Good luck.

lamav Thu, 04/09/2009 - 07:36

Can you create a vlan just for him?

I guess you're running pvst+, yes?

If so, an STP instance will be created for each vlan.

So, configure his port as an access port, put his device alone in the vlan and you'll be OK.
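
An added example, not part of the thread or any poster's code: a Python check that scans an IOS-style configuration for the access-port spanning-tree settings discussed above (interface-level BPDU filter, PortFast without BPDU guard, and a non-PortFast exception port without root guard). The sample configuration, the interface names and the three rules are assumptions constructed for illustration.

```python
import re

# Constructed sample config (not from the thread). Gi0/2 is the developer
# port as it stands in the thread, Gi0/3 the state suggested in the replies.
SAMPLE = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree guard root
interface GigabitEthernet0/4
 switchport mode access
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # a global command or "!" ends the block
    return blocks

def audit(config):
    """Return {interface: [findings]} for access ports only."""
    global_guard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue
        issues, portfast = [], "spanning-tree portfast" in cmds
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("interface-level bpdufilter: port neither sends nor processes BPDUs")
        if portfast and not (global_guard or "spanning-tree bpduguard enable" in cmds):
            issues.append("portfast without bpduguard")
        if not portfast and "spanning-tree guard root" not in cmds:
            issues.append("no portfast and no root guard")
        findings[name] = issues
    return findings
```

Calling `audit(SAMPLE)` returns an empty list for Gi0/1 and Gi0/3 and one finding each for Gi0/2 and Gi0/4.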



