BPDU guard

Answered Question
Jun 18th, 2010

Hello,


I understand that a blocking port on a switch that is part of a spanning tree relies on receiving the BPDU packets every 2 seconds, and should it not, then the port is changed to forwarding mode.  It worries me that should this happen I would get some loops and serious issues on my network. How can I tell a port to always be in blocking mode? Is it the BPDU guard option on the port?


How do you guys get alerted should the switch receive a spanning tree issue/loop?


Many thanks

Correct Answer by Ganesh Hariharan about 6 years 11 months ago
Overall Rating: 5 (1 ratings)
Ganesh Hariharan Fri, 06/18/2010 - 03:39
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016

Hello,


I understand that a blocking port on a switch that is part of a spanning tree relies on receiving the BPDU packets every 2 seconds, and should it not, then the port is changed to forwarding mode.  It worries me that should this happen I would get some loops and serious issues on my network. How can I tell a port to always be in blocking mode? Is it the BPDU guard option on the port?


How do you guys get alerted should the switch receive a spanning tree issue/loop?


Many thanks

Hi Andy,


BPDU Guard will alert you to that mistake and will shut down the port instead of letting the loop shut down your network. BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error-disabled state.


Hope to Help !!


Ganesh.H


Remember to rate the helpful post
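
On the second half of Andy's question (how do you get alerted), the signal is the syslog the switch emits when BPDU Guard fires and err-disables the port. As an added example that is not part of Ganesh's reply or anything else in this thread, here is a Python script that parses syslog lines forwarded from the switches, picks out the BPDU Guard and err-disable messages, and correlates them into one alert per switch port. The sample log lines are constructed (hostnames, ports, timestamps and sequence numbers are made up) and modelled on the Cisco IOS message formats; the exact wording of those messages is an assumption, so compare the patterns against your own switches' output before relying on them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines (hostnames, ports, timestamps and sequence
# numbers are made up), modelled on the Cisco IOS BPDU Guard / err-disable
# messages. The exact wording is an assumption: verify it against your switches.
SAMPLE_LOG = """\
Jun 18 05:39:01 sw-access-01 1234: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
Jun 18 05:39:01 sw-access-01 1235: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Jun 18 05:40:10 sw-access-01 1236: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
Jun 18 05:41:30 sw-access-02 877: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/3 with BPDU Guard enabled. Disabling port.
Jun 18 05:41:30 sw-access-02 878: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
Jun 18 05:45:00 sw-access-01 1240: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/12
"""

# timestamp, host, sequence number, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) \d+: "
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$"
)
# Matches both long (GigabitEthernet1/0/12) and short (Gi1/0/12) interface names.
PORT_RE = re.compile(
    r"\b(?P<name>(?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Te|Gi|Fa)\d+(?:/\d+)+)"
)
SHORT_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


@dataclass
class Event:
    ts: str
    host: str
    severity: int
    mnemonic: str
    port: Optional[str]  # normalised short form, e.g. Gi1/0/12
    text: str


def normalize_port(name: str) -> str:
    """Collapse long interface names to the short form used in PM messages."""
    for long_name, short in SHORT_NAMES.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_log(text: str) -> List[Event]:
    """Parse forwarded IOS syslog lines; lines that do not match are skipped."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        p = PORT_RE.search(m["text"])
        events.append(Event(ts=m["ts"], host=m["host"], severity=int(m["severity"]),
                            mnemonic=m["mnemonic"],
                            port=normalize_port(p["name"]) if p else None,
                            text=m["text"]))
    return events


Key = Tuple[str, str]  # (switch hostname, short port name)


def bpduguard_alerts(events: List[Event]) -> Dict[Key, dict]:
    """Fold the SPANTREE block message and the PM err-disable message that one
    BPDU produces into a single incident record per (switch, port), and track
    whether errdisable recovery later re-enabled the port."""
    alerts: Dict[Key, dict] = {}
    for ev in events:
        is_guard = ev.mnemonic == "BLOCK_BPDUGUARD" or (
            ev.mnemonic in ("ERR_DISABLE", "ERR_RECOVER") and "bpduguard" in ev.text)
        if not is_guard or ev.port is None:
            continue
        rec = alerts.setdefault((ev.host, ev.port), {
            "first_seen": ev.ts, "last_seen": ev.ts,
            "bpdu_count": 0, "err_disabled": False, "recovered": False})
        rec["last_seen"] = ev.ts
        if ev.mnemonic == "BLOCK_BPDUGUARD":
            rec["bpdu_count"] += 1
        elif ev.mnemonic == "ERR_DISABLE":
            rec["err_disabled"] = True
        elif ev.mnemonic == "ERR_RECOVER":
            rec["err_disabled"] = False
            rec["recovered"] = True
    return alerts


def format_alerts(alerts: Dict[Key, dict]) -> List[str]:
    """One line per incident, ports that blocked the most BPDUs first (a port
    that keeps tripping is one where someone keeps re-plugging a switch)."""
    lines = []
    for (host, port), rec in sorted(alerts.items(), key=lambda kv: -kv[1]["bpdu_count"]):
        state = "err-disabled" if rec["err_disabled"] else ("recovered" if rec["recovered"] else "unknown")
        lines.append(f"{host} {port}: {rec['bpdu_count']} BPDU(s) blocked, port {state}, "
                     f"{rec['first_seen']} .. {rec['last_seen']}")
    return lines


if __name__ == "__main__":
    for line in format_alerts(bpduguard_alerts(parse_log(SAMPLE_LOG))):
        print(line)
```

Feed it the syslog stream from your collector instead of SAMPLE_LOG; an incident that shows `err-disabled` with no recovery is the port that still needs the offending device removed and the shut/no shut bounce.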

Andy White Fri, 06/18/2010 - 05:22

So if you are adding a switch into your environment and you are not sure if it will create an STP loop, it's best to put the BPDU port guard on and leave it for a bit?  Otherwise, if there is a loop, it could shut down a link somewhere else in your switching environment?

Correct Answer
Ganesh Hariharan Fri, 06/18/2010 - 05:39
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016

So if you are adding a switch into your environment and you are not sure if it will create an STP loop, it's best to put the BPDU port guard on and leave it for a bit?  Otherwise, if there is a loop, it could shut down a link somewhere else in your switching environment?


Hi Andy,


Let me try to explain with some more detail about usage of BPDU guard.


In our network we enable BPDU Guard only on access ports (access ports lead to end user devices) so that any end user devices on these ports that have BPDU Guard enabled are not able to influence the Spanning-tree topology.

BPDU Guard is enabled on an access port:


Switch(config-if)#spanning-tree bpduguard enable


Once BPDU Guard is enabled it will keep an eye open for any BPDUs entering the access ports. The only devices which can reliably create and transmit BPDUs are switches. We want to keep a predictable topology and not allow other switches outside our control onto our network.  If a rogue switch is introduced into our topology it will in most cases transmit a BPDU; if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.


Configuring the "BPDU Guard" feature on the access ports enables the spanning-tree protocol to shut the port down in the event that it receives a BPDU. As a rule of thumb, BPDUs are really only expected across trunk links.


If a rogue switch is plugged into a port configured for BPDU Guard, the port will be disabled as soon as the first BPDU is received; by shutting the port down we prevent the rogue switch from affecting our spanning-tree topology.


To re-enable a port disabled by BPDU Guard you will need to remove the offending device and then bounce the port by issuing the shut/no shut commands.


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

Andy White Fri, 06/18/2010 - 05:44

Such a good, well-explained answer, thanks very much.  Just to add: do you make it a rule that your access ports (non-trunk ports) use the port guard option, just in case a switch is added with a lower bridge ID?

francisco_1 Fri, 06/18/2010 - 05:56
User Badges:
  • Gold, 750 points or more

Andy,



To add to the comment above,


If bpduguard is enabled globally and a port in PortFast mode receives a BPDU, the port is error-disabled to prevent the port from participating in STP.

If bpduguard is enabled at the interface level and that port is in PortFast mode and receives a BPDU, the port is disabled to prevent the port from participating in STP.

If bpduguard is enabled globally and at the interface level, PortFast is not enabled on the port, and the port receives a BPDU, the port is error-disabled.



Francisco

Andy White Fri, 06/18/2010 - 05:58

Is it off by default, and is it normal practice to enable it on all ports apart from trunk ports?

Ganesh Hariharan Fri, 06/18/2010 - 06:00
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016

Is it off by default, and is it normal practice to enable it on all ports apart from trunk ports?


Hi Andy,


It is not the default behavior; generally it is best practice in a switching environment, to keep the topology intact.


Hope to Help !!


Ganesh.H

francisco_1 Fri, 06/18/2010 - 08:20
User Badges:
  • Gold, 750 points or more

If you mean bpduguard, you have to enable the BPDU guard feature by default on all PortFast ports: use spanning-tree portfast bpduguard default to enable it globally, or spanning-tree portfast bpduguard at the interface level.


You should use this command only with interfaces that connect to end stations, not between connected switches that exchange STP BPDUs; otherwise, an accidental topology loop could cause a data packet loop and disrupt the network operation.


As mentioned BPDU guard disables a port if it receives a BPDU. BPDU guard is applied only on ports that are PortFast enabled and are in an operational PortFast state.


Francisco.
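
The point Francisco makes, that the global command only covers ports that are actually in an operational PortFast state, is the one that catches people who assume "we enabled it globally, so every access port is protected". As an added example that is not part of this thread, here is a Python audit that reads a running-config excerpt and reports, for each non-trunk port, whether BPDU Guard really applies: through the interface-level spanning-tree bpduguard enable quoted in the correct answer, through the global spanning-tree portfast bpduguard default combined with spanning-tree portfast on the port, or not at all. The sample configuration is constructed; the hostname and port numbers are made up, and the parser only understands the handful of commands the audit needs.

```python
from typing import Dict, List, Tuple

# Constructed sample running-config excerpt (hostname and port numbers are made up).
# Gi1/0/1 relies on the global default + PortFast, Gi1/0/2 has the interface
# command, Gi1/0/3 is an access port with neither, Gi1/0/48 is a trunk.
SAMPLE_CONFIG = """\
hostname sw-access-01
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

GLOBAL_DEFAULT_CMD = "spanning-tree portfast bpduguard default"


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (top-level commands, {interface name: [indented sub-commands]})."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the block
            line = raw.strip()
            if line and line != "!":
                global_cmds.append(line)
    return global_cmds, interfaces


def has_portfast(cmds: List[str]) -> bool:
    """True for 'spanning-tree portfast' (and its edge variants), not 'disable'."""
    return any(c.startswith("spanning-tree portfast") and not c.endswith("disable")
               for c in cmds)


def audit_bpduguard(config: str) -> Dict[str, str]:
    """Classify every interface by whether BPDU Guard applies to it."""
    global_cmds, interfaces = split_config(config)
    global_default = GLOBAL_DEFAULT_CMD in global_cmds
    result: Dict[str, str] = {}
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            result[name] = "trunk (BPDUs expected here, not audited)"
        elif "spanning-tree bpduguard disable" in cmds:
            # An explicit interface 'disable' overrides the global default.
            result[name] = "UNGUARDED (bpduguard explicitly disabled on interface)"
        elif "spanning-tree bpduguard enable" in cmds:
            result[name] = "guarded (interface command)"
        elif global_default and has_portfast(cmds):
            result[name] = "guarded (global default applies: port is PortFast)"
        elif global_default:
            result[name] = "UNGUARDED (global default only covers PortFast ports)"
        else:
            result[name] = "UNGUARDED (no global default, no interface command)"
    return result


def unguarded_access_ports(config: str) -> List[str]:
    """The list an engineer would act on: non-trunk ports without BPDU Guard."""
    return sorted(name for name, status in audit_bpduguard(config).items()
                  if status.startswith("UNGUARDED"))


if __name__ == "__main__":
    for name, status in audit_bpduguard(SAMPLE_CONFIG).items():
        print(f"{name:24} {status}")
```

Run it against `show running-config` output captured from each access switch; any port in the UNGUARDED list is one where a plugged-in switch would be allowed to take part in the spanning tree.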

Andy White Fri, 06/18/2010 - 08:38

Thanks, I understand that; I was just wondering if engineers enable it by default for workstations or just leave the defaults?
