Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
4
Helpful
4
Replies

BPDU-guard - granularity is physical interface, not subinterface?

mheuzenroeder
Level 1
Level 1

‎08-15-2009 07:17 AM - edited ‎03-06-2019 07:15 AM

If I have .1q can I configure subinterfaces with bpdu-guard so I one VLAN receives a BPDU and the other doesn't, only the subinterface which received the BPDU is SHUT, not the whole physical interface?

Thanks, MH

Labels:
0 Helpful
4 Replies 4

Lucien Avramov
Level 10
Level 10

‎08-15-2009 10:09 AM

If you have BPDU gard on a subinterface, only the subinterface will be shut.

If BPDU guard is on a physical interface that has no subinterfaces, the physical interface will be shut.

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to Lucien Avramov

‎08-15-2009 01:18 PM

Hello,

Please correct me if I am wrong, but I have always seen the BPDU Guard implemented only on switches, and it is not possible to create subinterfaces on switchports. I wonder under what circumstances would a subinterface be considered a switchport with available BPDU Guard setting.

Any idea is appreciated!

Best regards,

Peter

0 Helpful

mheuzenroeder
Level 1
Level 1
In response to Peter Paluch

‎08-15-2009 05:21 PM

Hi Peter,

Excellent point.

Currently I have an Access switchport with bpdu-guard on it with an SVI on this VLAN.

This is on a C6509.

I'll be changing this Access switchport to an 802.1Q trunk. It will have 2 VLANs on it each with an SVI associated with them.

You're right, there are no subinterfaces (my mistake).

I imagine the bpdu-guard can only be applied to the trunk interface and not to SVI and not to individual VLANs - right?

Hence a BPDU seen on any VLAN, including the Native VLAN, will shut the trunk port down thus affecting all VLANs - right?

I'd rather it only affect the VLAN the bpdu was received on - not sure if this is possible or how to achieve this.

Thanks for your help so far, MH

0 Helpful

Mohamed Sobair
Level 7
Level 7

‎08-15-2009 10:43 PM

Hi,

I think Peter means is that layer-3 ports doesnt exchange BPDUs, However, you could have Bpdu-guard on subinterfaces if thoses sub-interfaces are part Of (Integrated routing Bridging) IRB , in other words if the sub interfaces are bridged.

Coming to the (Bpdu-guard), The recommended approach is to have BPDU-Guard configured on Access ports with spanning-tree port-fast, this is a securty feature as well as prevents from spanning-tree loop because as soon as the port recieves BPDUs , it will be shutted down.

I havent seen BPDU guard enabled on trunk ports or recommended to do so (Cisco doesnt recommend or mentioned that in thier documenatation). and the other fact that, BPDU-Guard feature is not configurable per vlan so you cant predict it from being recieved by other vlans.

Pls rate if it helps,

HTH

Mohamed

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card