Help: BPDU Guard and BPDU Filter enable??

Answered Question
Jan 18th, 2010

Dear Experts,

We are using one 3550 and eight 2950 switches in my ISP.

Can I enable BPDU guard and BPDU filter on the uplink port and also on all access ports when portfast is not enabled??

All access interfaces are working on the same VLAN.

Thanks in ADV,

Vaib...

Correct Answer by Mohamed Sobair about 6 years 10 months ago

Hi Vaib,

Yes, that's correct.

HTH

Mohamed

Marwan ALshawi Mon, 01/18/2010 - 05:09

I think you should enable root guard on all your links connected to your customers, to avoid having a customer switch become a root switch and cause a big problem.

This feature will put the interface in error-disable if it receives an inferior BPDU (a better root from that interface connected to the customer).

BPDU filter will only filter out the BPDUs but will not disable the interface in the case of receiving a BPDU.

Ganesh Hariharan Mon, 01/18/2010 - 06:29

Hi Vaibhav,

BPDU Filtering configured on the interface level will COMPLETELY stop send/receive BPDU, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

BPDU Guard on the other hand will alert you to that mistake/mayhem and will shut down the port instead of letting the loop shut down your network.

BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received.

The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.

So I suggest you configure root guard if you feel there is any threat at the access layer switches that somebody will plug a switch into those ports.

Hope that clears out your query!!

Regards

Ganesh.H
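
The three behaviours described in Ganesh's post (interface-level BPDU filter dropping every BPDU, BPDU guard err-disabling the port on any BPDU, root guard reacting only to a BPDU that advertises a better root) can be modelled in a few lines. The following is an added example, not code from this thread or from Cisco: the bridge IDs, MAC addresses and the port_reaction helper are constructed for illustration, and the comparison follows the 802.1D bridge-ID rule (priority plus VLAN system-ID extension, then MAC, lower wins).

```python
"""Model the three Cisco STP protection features discussed in the thread:
bpduguard, bpdufilter and root guard. Constructed example, not the original
poster's code; all bridge IDs and MAC addresses below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int   # configurable part, multiple of 4096 (0 = best)
    vlan: int       # PVST+ extended system ID (the VLAN number)
    mac: str        # base MAC in IOS notation, e.g. "0011.2233.4455"

    def sort_key(self):
        # 802.1D comparison: lower (priority + sys-id-ext), then lower MAC, wins.
        return (self.priority + self.vlan, int(self.mac.replace(".", ""), 16))


def is_superior(candidate, current_root):
    """True if a BPDU naming `candidate` as root would beat `current_root`."""
    return candidate.sort_key() < current_root.sort_key()


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId     # the root the sender believes in
    sender_id: BridgeId   # the bridge that transmitted the BPDU


def port_reaction(feature, bpdu, current_root):
    """What a port does when a BPDU arrives, given the feature on that port.
    feature is one of None, "bpduguard", "bpdufilter" or "rootguard"."""
    if feature == "bpdufilter":
        return "dropped"            # silently ignored: the neighbour is never seen
    if feature == "bpduguard":
        return "err-disabled"       # any BPDU on an edge port shuts the port down
    if feature == "rootguard":
        if is_superior(bpdu.root_id, current_root):
            return "root-inconsistent"   # blocked while superior BPDUs keep arriving
        return "processed"          # ordinary BPDU, normal STP handling
    return "processed"


# Constructed topology: the 3550 is pinned as VLAN 2 root with priority 0.
ROOT_3550 = BridgeId(priority=0, vlan=2, mac="0011.2233.4455")
CUSTOMER_DEFAULT = BridgeId(priority=32768, vlan=2, mac="0022.3344.5566")
CUSTOMER_ROGUE = BridgeId(priority=0, vlan=2, mac="0000.0000.0001")


def demo():
    """Run each feature against a normal and a rogue (better-root) BPDU."""
    normal = Bpdu(root_id=ROOT_3550, sender_id=CUSTOMER_DEFAULT)
    rogue = Bpdu(root_id=CUSTOMER_ROGUE, sender_id=CUSTOMER_ROGUE)
    return {
        "rootguard/normal": port_reaction("rootguard", normal, ROOT_3550),
        "rootguard/rogue": port_reaction("rootguard", rogue, ROOT_3550),
        "bpduguard/normal": port_reaction("bpduguard", normal, ROOT_3550),
        "bpdufilter/rogue": port_reaction("bpdufilter", rogue, ROOT_3550),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:18} -> {action}")
```

The interesting row is the last one: with bpdufilter the rogue BPDU is simply dropped, so nothing in STP ever reacts, which is exactly why a second switch behind such a port can close a loop unnoticed. Root guard leaves the normal BPDU alone and only blocks when the advertised root beats the pinned 3550.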

csawest.dc Tue, 01/19/2010 - 00:11

Dear experts,

Thanks to both of you. Should I configure spanning-tree root guard on all access ports when portfast is disabled??

Please check my below template to configure on all access ports in Cisco 3550 and also 2950. If any changes are needed, please suggest them.

interface FastEthernet0/4
  description *** ADCOM (Paradyne) Fiber-2 ***
  switchport access vlan 2
  switchport mode access
  switchport protected
  switchport block multicast
  switchport block unicast
  no ip address
  no cdp enable
  ip access-group Virus-Block in
  storm-control broadcast level 10.00
  mac access-group Block-Invalid-Frames in
  spanning-tree portfast disable

spanning-tree guard root

Thanks in ADV,

Ganesh Hariharan Tue, 01/19/2010 - 00:31

Hi Vaibhav,

Root guard will place this interface in the root-inconsistent or blocked state to prevent the customer switch from becoming the root switch or from being in the path to the root.

UplinkFast is incompatible with root guard, so you must disable it on your access switches. Use the no spanning-tree uplinkfast configuration command to do so.

Apply root guard to both switches on the links that connect to your second access switch with the spanning-tree guard root interface command.

DS1(config)#int fast 0/27
DS1(config-if)#spanning-tree guard root

Hope that clears out your query!!

Regards

Ganesh.H

Mohamed Sobair Tue, 01/19/2010 - 00:30

Vaib,

Normally root guard is configured on the uplink ports connected to a different switch.

Could you let us know what is connected to your access ports and the uplink ports, and whether all of these devices are intra-domain switches or inter-domain switches connected to different enterprises? I may suggest you a different configuration.

HTH

Mohamed

csawest.dc Wed, 01/20/2010 - 01:18

Dear Mohamed,

Please find herewith the attachment of my HQ switch config of Cisco 3550.

Brief details:

Cisco 3550, 48 ports

Port 1 and 2 as uplink from the billing/authentication server

Port 3 and 4 connected to Cisco 2950 switches at different locations.

Port 5 to 48 connected to DSLAMs to connect different locations.

Port 5 to 48 (more than 50 users connected to each port through IP DSLAM).

We are facing a huge issue when a loop occurs at any of the locations.

Thanks in ADV,

Vaib...

Mohamed Sobair Wed, 01/20/2010 - 02:18

Hi,

Brief details:

Cisco 3550, 48 ports

Port 1 and 2 as uplink from the billing/authentication server

Port 3 and 4 connected to Cisco 2950 switches at different locations.

Port 5 to 48 connected to DSLAMs to connect different locations.

Port 5 to 48 (more than 50 users connected to each port through IP DSLAM).

We are facing a huge issue when a loop occurs at any of the locations.

-----------------------------------------------------------------------------------------------------------

1- Port 1 and 2 should be configured with (spanning-tree portfast and bpduguard enabled).

2- Port 3 and 4 should be configured with (spanning-tree guard root); however, on the Cisco 2950 switches, make sure all access ports to the DSLAM are configured with portfast and bpdufilter.

3- Port 5 to 48 should be configured with spanning-tree bpdufilter and spanning-tree portfast.

Note:

Make sure you properly set your spanning tree root bridge for the active VLANs to be the 3550.

Again, make sure all access ports on the 2950 switches are configured with spanning-tree bpdufilter and portfast.

With the above config, loops should be prevented on the network.

HTH

Mohamed
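
The per-port plan in the post above (ports 1-2 portfast + bpduguard, 3-4 guard root, 5-48 portfast + bpdufilter, plus a pinned root bridge) is the kind of rule a configuration audit can check mechanically before the config is pushed to 48 ports. The script below is an added example, not a tool from this thread or from Cisco: it parses a constructed IOS running-config (made up, with two ports deliberately misconfigured), maps port numbers to the assumed roles, and reports what is missing. The severity labels and the extra warning about bpdufilter on a port without portfast are my own additions, reflecting Ganesh's caveat that interface-level bpdufilter hides a neighbouring switch completely.

```python
"""Audit an IOS running-config against the STP port-role plan from the thread.
Constructed example, not a tool from the original post; the sample config,
port-to-role mapping and severity scheme are assumptions made for illustration."""
import re

# Constructed sample 3550 config: ports 1-2 server uplinks, 3-4 links to the
# 2950s, 5-48 DSLAM edge. Fa0/2, Fa0/4 and Fa0/6 are deliberately wrong.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree vlan 2 root primary
!
interface FastEthernet0/1
 description Billing/auth server uplink
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description Billing/auth server uplink (bpduguard forgotten)
 spanning-tree portfast
!
interface FastEthernet0/3
 description Link to 2950 site A
 spanning-tree guard root
!
interface FastEthernet0/4
 description Link to 2950 site B (root guard forgotten)
!
interface FastEthernet0/5
 description IP DSLAM
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/6
 description IP DSLAM (bpdufilter without portfast)
 spanning-tree bpdufilter enable
!
"""

# Assumed port-role plan and the commands each role must carry.
ROLES = {"server-uplink": range(1, 3), "switch-link": range(3, 5),
         "dslam-edge": range(5, 49)}
REQUIRED = {
    "server-uplink": {"spanning-tree portfast", "spanning-tree bpduguard enable"},
    "switch-link": {"spanning-tree guard root"},
    "dslam-edge": {"spanning-tree portfast"},
}


def parse_config(text):
    """Split an IOS config into ({interface: set(commands)}, set(global commands))."""
    interfaces, global_cmds, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented line belongs to the open stanza
            if current is not None:
                interfaces[current].add(line.strip())
            continue
        current = None                       # any top-level line closes the stanza
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        else:
            global_cmds.add(line)
    return interfaces, global_cmds


def port_role(name):
    """Map FastEthernet0/N to its assumed role by the port number N."""
    m = re.search(r"(\d+)$", name)
    if m:
        n = int(m.group(1))
        for role, ports in ROLES.items():
            if n in ports:
                return role
    return None


def audit(text):
    """Return a list of (severity, where, message) findings for the config."""
    interfaces, global_cmds = parse_config(text)
    findings = []
    pinned = any(re.match(r"spanning-tree vlan \S+ (root primary|priority \d+)", c)
                 for c in global_cmds)
    if not pinned:
        findings.append(("error", "global",
                         "root bridge not pinned with 'spanning-tree vlan ... root primary'"))
    for name, cmds in interfaces.items():
        role = port_role(name)
        if role is None:
            continue
        for req in sorted(REQUIRED[role] - cmds):
            findings.append(("error", name, f"{role}: missing '{req}'"))
        if "spanning-tree bpdufilter enable" in cmds:
            if "spanning-tree portfast" not in cmds:
                findings.append(("error", name,
                                 "bpdufilter without portfast: BPDUs dropped outright, a loop here goes unnoticed"))
            else:
                findings.append(("info", name,
                                 "bpdufilter enabled: a switch plugged in here is invisible to STP"))
    return findings


if __name__ == "__main__":
    for severity, where, msg in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {where:18} {msg}")
```

Run against the sample it reports the forgotten bpduguard on Fa0/2, the forgotten guard root on Fa0/4, an informational note on Fa0/5, and two errors on Fa0/6. Point it at `show running-config` output from a real switch by replacing SAMPLE_CONFIG; the role map is the only part that is site specific.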

csawest.dc Wed, 01/20/2010 - 05:43

Dear Mohamed,

Please check my below config templates for both switches, Cisco 3550 and 2950, as per your suggestion. Please let me know if any changes are needed.

In Cisco 3550:

On interface port 1 & 2 (which are connected to the billing/authentication server as uplink)

spanning-tree portfast

spanning-tree bpduguard enable

On interface 3 & 4 (which are connected to Cisco 2950)

spanning-tree guard root

On interface 5 to 48 (which are connected to IP DSLAMs with more than 50 users on each interface)

spanning-tree portfast

spanning-tree bpdufilter enable

In Cisco 2950:

On interface 1 (which is connected to Cisco 3550)

spanning-tree guard root

On interface 2 to 24 (which are connected to IP DSLAMs with more than 50 users on each interface)

spanning-tree portfast

spanning-tree bpdufilter enable

But I don't understand what you meant by:

Note:

"make sure you properly set your spanning tree root bridge for the Active vlans is the 3550 .

A gain, maks sure all access ports on the 2950 switches are configured with Spanning tree bppdu filter and portfast. "

Please clarify it.

Please check my above config templates and suggest me if needs to any change.

Thanks in ADV,

Vaib...

Mohamed Sobair Wed, 01/20/2010 - 06:28

Hi Vaib,

Yes your config template should be fine.

What I meant by that note is to set the primary root bridge for the active VLANs to be the 3550 by configuring the below on the 3550:

Assuming you are running PVST+,

spanning-tree vlan 2,3 root primary

spanning-tree vlan 2,3 priority 0

On the 2950, you should configure the access ports toward the DSLAM as follows:

spanning-tree portfast

spanning-tree bpdufilter enable

spanning-tree vlan 2,3 root secondary

HTH

Mohamed

csawest.dc Wed, 01/20/2010 - 07:03

Dear Mohamed,

Thanks man, great support.

In the Cisco 3550, all ports including port 1 and 2 are in the same VLAN 2 only, and the Cisco 2950 also has all ports in access VLAN 2.

VTP mode is transparent in all 3550 and 2950 switches.

So what is the config?

IN cisco 3550 ;

Assuming you are running PVST+ ,

spanning-tree vlan 2 root primary

spanning-tree vlan 2 priority 0

In cisco 2950 :

spanning-tree vlan 2  root secondary

Pl suggest like above config should i configure ??? in both 2950 and 3550 switches ??

Thanks in ADV,

Vaib...

Correct Answer
Mohamed Sobair Wed, 01/20/2010 - 07:15

Hi Vaib,

To optimize your spanning-tree config, you should statically make the 3550 the root bridge for VLAN 2, and make one of the other 2950 switches the secondary root, no matter what VTP mode is used.

Pls rate helpful posts

Mohamed

csawest.dc Wed, 01/20/2010 - 07:25

Dear Mohamed,

So my final config in global mode for both switches is as under:

In Cisco 3550:

spanning-tree mode pvst

spanning-tree vlan 2 root primary

spanning-tree vlan 2 priority 0

In Cisco 2950:

spanning-tree mode pvst

spanning-tree vlan 2 root secondary

Thats right ??

Thanks in ADV,

Vaib...

csawest.dc Wed, 01/20/2010 - 07:38

Dear Mohamed,

OK, now I will try to do this within a couple of days and then let you know what happened.

Thanks have great support!!!

Cheers!!!

Vaib...
