Giuseppe, thank you for your precious answer.
This is the output of the command you suggested.

--------------
Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 4097, address c89c.1d4c.e080
   Designated bridge has priority 32769, address 000f.901a.3c80
   Designated port id is 128.3, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 35, received 0
--------------

I would say both portfast and bpduguard are enabled on the port.

Iguess I'm wrong somewhere, but I cannot figure out where.

Thank you for you kind help,

Giovanni

Hi,

I don't see any BPDUs received on this interface from this output

BPDU: sent 35, received 0

So it is normal it hasn't been err-disabled by BPDU guard.

BPDU guard is not there to protect against loops,  that is the role of STP anyway.

Regards.

Alain

Hi Alain.
I did notice that line, too.

I supposed BPDU to be the only traffic (looped back) to appear on the port.
Surely, if a BPDU is sent out from a port, and an "Hub" is connected to the port, and two ports of the hub are connected togheter with the same cable, that BPDU is looped back to the same port.
With this in mind, I tought to BPDUGuard.

Now my problem is the following:
How to allow the users to use their portable mini-switch (they love those devices here), avoinding the risk to shut down the whole network?
I

s it someway possible or I have to disallow the use of those devices at all?
I could allow one mac address only per switchport, for security.
But doing so the user mini-switch would became useless, of course.

Plese any help/suggestion si appreciated.

Thank you for your precious help.
Giovanni

Hi,

With STP disabled in miniswitch, it ideally forwards BPDU's and it should not only process the BPDU itself. In case, the miniswitch discards the BPDU's with STP disabled, then BPDU Guard in the uplink switch should not work. Probably that is the case in the output of uplink switch, BPDU's are not received and only sent.

HTH

Arun

Thank you Narainarun for your answer.

I cannot guess which kind of device a user attaches to a port, but usually are those 8-port unamanaged miniswitches that surely ignore STP. They are very simple store-and-forward swtiches that are just more than hubs.

But I could say that now my question moved away from the main topic I originally posted (BPDUGuard), so I will re-arrange the question in a new topic.

Thank YOU ALL for your kind help.

Giovanni

Hello Alain.

I just have tested BPDUGuard feature on a spare switch and it works as I aspected.

I put a miniswitch on port fas0/7 and then plugged the two ends of a cable into two ports of the miniswitch.

After a second at console I see:

sw-test-249#

*Mar  1 00:26:51.678: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/7 with BPDU Guard enabled. Disabling port.

*Mar  1 00:26:51.678: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state

*Mar  1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down

*Mar  1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

*Mar  1 00:26:53.691: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down

and then:

sw-test-249#sh int status err-disabled

Port      Name               Status       Reason               Err-disabled Vlans
Fa0/7                        err-disabled bpduguard

Also, I see on this interface 0 BPDU sent, and I think it's because I have just taken it back from the err-disabled state.

What could have gone wrong on the production switch?

Any idea to put me on the right way to allow those miniswitches without a so great danger is appreciated.

Thank you.

Regards,

Giovanni