Cisco Support Community
Community Member

BPDU guard issue

Cat 5000, running an older release. If I turn on BPDU guard, I can't get out to the network. My network team forced us to make this change. Currently it's off.

Please help.

6 REPLIES

Re: BPDU guard issue

BPDU guard is not a feature that you can enable on any port. It only makes sense on ports that will never be connected to another switch. You should push back on an administrative decision to enable the feature everywhere, as it looks like it is what you are facing. Just see on the CatOS console what port BPDU guard put in errdisable state to convince yourself, and the others;-)

Regards,

Francois

Community Member

Re: BPDU guard issue

Thanks for the comment.

I have two VLANs on this Cat5000 and each VLAN has 20-some connections. Currently, we have turned BPDU guard off on these two VLANs. He (the corp-level netadmin) is installing new gear and he doesn't want me to continue with this practice. If I turn this on on my VLAN, then I can't reach his gateway, which will provide me further corp connection. Any suggestions?

Re: BPDU guard issue

BPDU guard is in fact applied per-port. On some versions of CatOS (yours is probably one of them), the command was applied to all the ports configured for portfast.

Portfast should only be configured on ports that are not connecting to other bridges. It seems that it is not the case in your setup. Go to the CatOS console and identify the ports that were shut down by BPDU guard (you cannot resolve this by staying at the level "I cannot reach my gateway anymore" ;-)). Those ports must have portfast disabled.

Regards,

Francois
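The step described in the reply above (find the ports BPDU guard shut down, then turn portfast off on them), as an added example that is not part of the original thread. The log layout and the sample lines are constructed assumptions modelled on CatOS syslog output; `set spantree portfast <mod/port> disable` is the CatOS command for turning portfast off.

```python
import re
from collections import Counter

# Constructed sample log lines. The message layout is an assumption modelled on
# CatOS syslog output; adjust PATTERN to match what your switch actually logs.
SAMPLE_LOG = """\
2001 Mar 02 09:14:51 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2001 Mar 02 09:14:52 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1
2001 Mar 02 09:15:10 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 3/12
2001 Mar 02 11:40:03 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2001 Mar 02 11:41:00 %SYS-5-MOD_OK:Module 3 is online
"""

# Captures module/port from the "BPDU received on a portfast port" message.
PATTERN = re.compile(r"%SPANTREE-\d-RX_PORTFAST:.*?Disabling\s+(\d+)/(\d+)\s*$")


def bpdu_guard_hits(log_text):
    """Return Counter {(module, port): times the port was shut down by BPDU guard}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits[(int(m.group(1)), int(m.group(2)))] += 1
    return hits


def remediation(hits):
    """CatOS commands that turn portfast off on each offending port, in port order.

    Review each port first: a port that legitimately faces another bridge gets
    portfast removed; an unexpected bridge on an access port gets unplugged.
    """
    return [f"set spantree portfast {mod}/{port} disable" for mod, port in sorted(hits)]


if __name__ == "__main__":
    hits = bpdu_guard_hits(SAMPLE_LOG)
    for (mod, port), n in sorted(hits.items()):
        print(f"{mod}/{port}: shut down by BPDU guard {n} time(s); a bridge is attached")
    print("\n".join(remediation(hits)))
```

A port that shows up repeatedly, like 2/1 in the sample, is still receiving BPDUs after being re-enabled, so the attached device is still a bridge.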

Community Member

Re: BPDU guard issue

What software version do I have to have in my SP module for the Cat 5000? For Sup 1, 2, 3.

Re: BPDU guard issue

Simply upgrading your cat5k will not change anything. There is no dumb way out, you really have to understand what is happening;-)

Regards,

F.

Community Member

Re: BPDU guard issue

First, your network team is actually getting you to do a Very Good Thing. BPDUGuard prevents idiot users from hooking up cheap hubs and switches unbeknownst to you and causing spanning tree loops. It allows you to maintain control over your network and provides proactive punishment to your users. If they do something bad they have to call you and meekly admit what they did, at which time you wave your favorite LART at them before re-enabling the port. After a couple of times they will stop doing it. Been there, done that.

If enabling BPDUGuard caused so many problems, you ALREADY have something broken that needs fixed. BPDUGuard did not break you, you were already broken, you just did not know it.

The other posters are right, if you have portfast enabled on ports connecting switches, hubs, or bridges you are doing a Very Bad Thing that can cause all kinds of spanning-tree issues. I believe that if you universally enable BPDUGuard (I recommend it) it is turned on on all portfast trunks. By default a port disabled by BPDUGuard stays disabled until you fix it (forcing the user to own up) but you can have a timer that re-enables the port after some time.

See http://www.cisco.com/warp/public/473/65.html for more information.

In short, this is something you should embrace.
