BPDU Guard root help

Answered Question
May 4th, 2010

Dear Experts,

Please help me, I am so confused about BPDU Guard root. We are using a 3550 48-port switch in our HQ.

In this switch, ports 5, 6, 7 and 10 are connected to other-vendor switches, not Cisco.

Should I configure BPDU Guard root on these ports, which are connected to other-vendor switches, to prevent loops when they occur from these switches' customers?

One more thing: many ports are connected to IPDSLAMs. On these ports, should I configure spanning-tree portfast on the interfaces, and in global mode bpdu filter portfast enable, for loop prevention?

Please help me, your help is very useful to me.

Thanks in ADV,

Vaib...

Reza Sharifi Tue, 05/04/2010 - 20:15


Hi Vaib,


Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs. So if your devices are the root, it is a good idea to deploy it. Also, spanning tree port fast should be enabled on ports connecting to end-user devices, i.e. workstations, printers, etc.


HTH

Reza

csawest.dc Tue, 05/04/2010 - 21:58

Dear Reza,

Thanks for sharing. Please explain: our 3550 switch interfaces (5, 6, 7, 10) are connected to other-vendor switches as uplinks.

I want to prevent loops when they occur, so should I configure "BPDU guard root" on these ports to prevent loops?

Another thing: in the Cisco 3550 many ports are connected to IPDSLAMs (more than 40 users connect through each IPDSLAM via ADSL modem). On these ports, which are connected to IPDSLAMs, should I configure "spanning-tree portfast" on the interface and in global mode "spanning-tree bpdu filter portfast enable" for loop prevention?

Please see the example below.

port 5
 description connect to Zyxcel switch
 switchport access vlan 2
 switchport protected
 spanning-tree bpdu guard root <------------ should I configure ??
 spanning-tree portfast disable

port 6
 description connect to optilink switch
 switchport access vlan 2
 switchport protected
 spanning-tree bpdu guard root <------------ should I configure ??
 spanning-tree portfast disable

port 16
 description connect with IPDSLAM
 switchport access vlan 2
 switchport mode access
 switchport protected
 spanning-tree portfast <----------- should I configure ???

And in global mode "spanning-tree bpdufilter portfast enable" <--------- should I configure ??

Please help me.

Thanks in ADV,

Vaib...

rajatsetia Tue, 05/04/2010 - 23:01

Hi Vaib,

To prevent loops, we use STP. That you have already done by disabling portfast on the ports which are connected to other switches in the network.

Root Guard is an STP feature. You enable root guard to prevent any rogue (wrongly configured) switch from becoming the STP root. This way you preserve the sanity of your layer 2 network design and there will be no change in the spanning tree structure.

E.g. if on port 5 someone replaces the connected switch and the new switch is a better candidate to become STP root, then if you don't have root guard enabled on port 5, the new switch will become root and your whole topology will change.

With root guard enabled on the 3550, it will change the state of port 5 to the root-inconsistent state (blocked).

You can configure portfast in global mode, and the recommendation is to also configure BPDU guard at the global level.

BPDU guard will disable a port which is portfast enabled if it receives a BPDU on that port.

So you get the portfast feature, which gives you the advantage of bypassing the STP process (where you are sure there will be no layer 2 device connected), and with BPDU guard you avoid any surprises if anybody connects a layer 2 device to a portfast-enabled port.

Regards,

Rajat

Ganesh Hariharan Wed, 05/05/2010 - 00:32

Hi Vaibhav,

When you configure it, root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

With BPDU Filter, it will ignore in/out BPDUs. So you could end up with a loop in your network. BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received. BPDU Filtering configured on the interface level will completely stop sending/receiving BPDUs, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

Just check it out before applying this on a per-port basis.

Hope to Help !!

Ganesh.H


csawest.dc Wed, 05/05/2010 - 04:10

Dear Ganesh & Rajat,

Ganesh, you are always helpful to me, and Rajat, thanks for sharing.

You both explained in detail, so that is a good indication, but I am not very much aware of BPDU functions in Cisco.

Please give me a simple configuration template or any suggestion: in the Cisco 3550, some ports are connected to other Cisco switches and some ports are connected to other-vendor switches. In this situation, which protocol do I need to configure for loop prevention in the Cisco 3550 switch? Also, in this switch some ports are connected to IPDSLAMs; which configuration do I have to apply for loop prevention?

Summary:

Connected interface details in the Cisco 3550:

1. Ports 5, 6, 7, 10 (connected to other-vendor switches) <---- what configuration do I have to do for loop prevention?

2. Ports 12, 13, 14 (connected to Cisco switches) <----- what configuration do I have to do for loop prevention?

3. Ports 15 to 48 (connected to IPDSLAMs - 40 users connected per DSLAM) <------- what configuration do I have to do for loop prevention?

Please tell me what to configure for loop prevention in the above three situations in the Cisco 3550.

Thanks in ADV,

Vaib...

Correct Answer
Ganesh Hariharan Wed, 05/05/2010 - 04:39


Hi Vaibhav,

If you want your Cisco 3550 switch to be the root bridge for your STP domain and no other switch should become a root bridge, then I would suggest configuring ports 5, 6, 7, 10, 12, 13, 14 with root guard enabled, as root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

Check out the link below for configuring root guard on switch ports:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

I also need to know how the IP DSLAM is configured in your setup.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

csawest.dc Wed, 05/05/2010 - 06:12

Dear Ganesh,

Thanks for your great support.

We are using IP DSLAM for the purpose of , in the Cisco 3550 switch ports 16 to 48 are connected to IPDSLAMs.

E.g. interface ports 15 to 48 of the Cisco switch -----> each connected to an IPDSLAM.

In each IPDSLAM there are 48 ports.

48 customers are connected with ADSL modems through each DSLAM.

Diagram:

customer PCs >>>> ADSL modem >>>> DSLAM port (1 to 48 on each DSLAM) >>>> interface ports 16 to 48 on the Cisco switch.

We need to know: should I configure "spanning-tree portfast" on Cisco interface ports 16 to 48, when the ports are connected to DSLAMs?

Then in global mode configure "spanning-tree bpdufilter portfast enable" for loop prevention?

Thanks in ADV,

Vaib...

Correct Answer
Ganesh Hariharan Wed, 05/05/2010 - 06:52

Hi Vaibhav,

With BPDU Filter, it will ignore in/out BPDUs. So you could end up with a loop in your network. BPDU Filtering at the global level will work with Portfast interfaces, and simply kick them out of portfast if a BPDU is received. BPDU Filtering configured on the interface level will completely stop sending/receiving BPDUs, and if you plug in two switches then you may have a loop because they don't 'see' each other as a problem.

What I would suggest is to configure BPDU guard on these ports; if any BPDU is detected on these ports, the port will go down into err-disable mode.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

csawest.dc Wed, 05/05/2010 - 08:29

Dear Ganesh,

You mean to say I have to configure "spanning-tree bpduguard enable" with portfast enabled on the interface, not in global mode, for the ports which are connected to IPDSLAMs.

Please see my config below for the ports which are connected to IPDSLAMs.

interface port 16 to 48
 switchport mode access
 switchport access vlan 2
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable

And the config below is for the ports which are connected to other Cisco and other-vendor switches.

interface port 5 , 6,7,10,11
 switchport access vlan 2
 switchport protected
 spanning-tree guard root

Please suggest if any changes are needed.

Thanks in ADV,

Vaib...

Ganesh Hariharan Wed, 05/05/2010 - 23:04

Hi Vaibhav,


Yes, you are right, you can configure BPDU guard on a per-port basis.


Hope to Help !!


Ganesh.H
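The guidance in this thread, turned into a check over a saved configuration, as an added example that is not part of any post: root guard on switch-facing ports, BPDU guard wherever PortFast is on, and no interface-level BPDU filter. The sample config is constructed; the FastEthernet0/N interface names, the finding codes and the function names are assumptions, and the port roles follow the asker's summary.

```python
import re

SWITCH_FACING = {5, 6, 7, 10, 12, 13, 14}  # switch links per the asker's summary

# Constructed sample (FastEthernet0/N names assumed); Fa0/12, 20, 21 left weak.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 spanning-tree guard root
!
interface FastEthernet0/12
!
interface FastEthernet0/16
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/20
 spanning-tree portfast
!
interface FastEthernet0/21
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
"""

def parse_interfaces(config):
    """Return ({port number: [stanza commands]}, [global commands])."""
    ports, global_lines, current = {}, [], None
    for raw in config.splitlines():
        m = re.match(r"interface FastEthernet0/(\d+)$", raw)
        if m:
            current = ports.setdefault(int(m.group(1)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        elif raw.strip() not in ("", "!"):   # a global command ends the stanza
            current = None
            global_lines.append(raw.strip())
    return ports, global_lines

def audit(config):
    """Return (port, finding) pairs, ordered by port, for the thread's checks."""
    ports, global_lines = parse_interfaces(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for port, cmds in sorted(ports.items()):
        guarded = guard_default or "spanning-tree bpduguard enable" in cmds
        if "spanning-tree bpdufilter enable" in cmds:   # BPDUs ignored: loop unseen
            findings.append((port, "BPDUFILTER"))
        if port in SWITCH_FACING and "spanning-tree guard root" not in cmds:
            findings.append((port, "NO_ROOT_GUARD"))
        if port not in SWITCH_FACING and "spanning-tree portfast" in cmds and not guarded:
            findings.append((port, "PORTFAST_NO_BPDUGUARD"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Ports that get PortFast only from a global default do not show it in their stanza, so this check covers interface-level PortFast only.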
