Spanning-tree portfast help.

amyskitchen
Level 1

I have spanning-tree portfast enabled across all (non-trunk) ports in our enterprise. In fact, using the auxiliary VLAN on ports (switchport voice vlan X) enables spanning-tree on the port. I have also enabled spanning-tree portfast bpduguard default globally to mitigate the possibility of anyone plugging a smart switch into these ports and creating a loop.

Last Friday, someone in the conference rooms looped 2 ports by plugging a dumb switch (non-manageable) into 2 ports on the wall configured as edge ports (spanning-tree portfast), creating a loop, and the network almost dropped. Eventually one of the ports got disabled due to spanning-tree portfast bpdu guard, but for 2 to 3 minutes the network was in disarray.

How can I mitigate this from ever happening again? I thought portfast bpdu guard default would do the trick, but it did not, or at least not rapidly enough to avoid network problems and user complaints. Do I have to disable spanning-tree portfast on all edge ports? I have VoIP phones on many of these ports. I've opened a case with Cisco and basically what they told me is to disable spanning-tree portfast if I can, or they advised me to enable port-security, but that's another topic I don't want to pursue just yet.

Any help or solutions would be welcomed and very well appreciated.

5 Replies

Edison Ortiz
Hall of Fame

Dumb switches do not send BPDUs, so BPDUGuard won't be useful. What we usually recommend is implementing port-security in addition to BPDUGuard. If you know the port limit is 2 MAC addresses, implement port-security with such a limit. As soon as a 3rd device is learned via that switchport, it will go into err-disabled.

Regards,

Edison

Thanks for replying Edison,

Yes, dumb switches don't send BPDUs, but since the port is connected back to a second port on the manageable switch, wouldn't that send BPDUs?

port1:switcha<-----(dumb-switch)------>port2:switcha  where switcha is a 3750 with bpduguard default and portfast on both ports.

Imagine a situation where someone with a bit of knowledge maliciously takes a patch cord and plugs it from port A to port B (the patch cord might need to be crossover). If there is no other solution but port-security, I will, or ultimately I will disable spanning-tree portfast across the enterprise.

I understand your concern but there isn't any other solution to this dilemma.

Another common practice is to disable unused ports.

Regards,

Edison
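An added example, not from this thread or from Cisco's documentation, of what the recommendations above look like on an IOS access switch such as the 3750 mentioned here: portfast with BPDU guard, port-security limiting each edge port to one phone plus one PC, err-disable recovery, and unused ports shut down. The VLAN numbers, interface ranges and timers are assumed values.

```cisco
! Global edge-port protection (VLAN numbers, port ranges and timers are assumed)
!
! BPDU guard on every port that has portfast enabled
spanning-tree portfast bpduguard default
! Let err-disabled ports recover on their own after 5 minutes (assumed interval)
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Edge ports that carry one IP phone plus one PC (assumed range)
interface range FastEthernet0/1 - 44
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
! Skip listening/learning for end hosts; keep BPDU guard on explicitly
 spanning-tree portfast
 spanning-tree bpduguard enable
! Port-security is what catches a dumb switch with hosts behind it:
! the 3rd MAC address seen on the port err-disables it, as the reply above describes
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
! Age learned addresses out so a swapped PC does not stay counted against the limit
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Unused wall ports: shut down and parked in an unused VLAN (assumed)
interface range FastEthernet0/45 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
```

When a dumb switch is looped between two ports of the same switch, the switch's own BPDUs pass through it and BPDU guard err-disables a port, which is what the test reported later in this thread shows; port-security covers the case where extra MAC addresses appear behind the dumb switch instead.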

For the record:

I intentionally created a loop using a dumb switch and also a direct connection from fast 0/z to fast 0/x, and bpduguard seems to have mitigated the issue right away. One of the ports gets err-disabled right away. I tried several times, all with the same results.

Now I wonder why in our other building it took at least 5 minutes before detecting the anomaly?

Does anyone have further ideas?

vdineshkumar83
Level 1

Hi,

Did you try BPDU filter?

Regards,

V Dinesh Kumar
