I had a problem on my LAN and I hope you can help me to figure out the cause.
What happened: an employee attached a mini-switch to his desk LAN outlet and then plugged the two ends of the same cable into two ports of the mini-switch.
As a result, a loop was generated and the whole network "froze". The CPU of the core switches went to 99%.
The first time this issue happened, I thought the loop was caused by BPDU frames looped back into the same switchport.
So I configured BPDUGuard on all the access switches.
On the switch where the user mini-switch was attached (port fa0/3) you can see the config info I report at the end of the post.
Now I would like to know: is BPDUGuard really enabled? Can you see where I am wrong?
And if BPDUGuard is enabled, can you point me to a way to figure out what could have caused the issue?
Really thank you for your precious help.
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
no ip address
#sh int fa0/3 switchport
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
#sh spanning-tree summary totals
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
41 vlans               41       0         0        73         114
You can check the STP features on fa0/3 by using
show spanning-tree interface fa0/3 [detail]
Note that you have spanning-tree portfast default and then in the port configuration you have configured portfast manually.
I'm afraid that the most specific configuration applies and that BPDU guard might be disabled on that specific port.
The show command described above should provide the feedback.
Bridging loops are not caused by BPDUs; seeing the BPDU back on the port is a symptom of the loop, not its cause.
Hope this helps
Giuseppe, thank you for your precious answer.
This is the output of the command you suggested.
Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 4097, address c89c.1d4c.e080
Designated bridge has priority 32769, address 000f.901a.3c80
Designated port id is 128.3, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled by default
BPDU: sent 35, received 0
I would say both portfast and bpduguard are enabled on the port.
I guess I'm wrong somewhere, but I cannot figure out where.
Thank you for your kind help,
I don't see any BPDUs received on this interface from this output
BPDU: sent 35, received 0
So it is normal that it hasn't been err-disabled by BPDU guard.
BPDU guard is not there to protect against loops, that is the role of STP anyway.
I did notice that line, too.
I supposed BPDUs to be the only traffic (looped back) to appear on the port.
Surely, if a BPDU is sent out from a port, and a hub is connected to the port, and two ports of the hub are connected together with the same cable, that BPDU is looped back to the same port.
With this in mind, I thought of BPDUGuard.
Now my problem is the following:
How can I allow the users to use their portable mini-switches (they love those devices here) while avoiding the risk of shutting down the whole network?
Is it somehow possible, or do I have to disallow the use of those devices altogether?
I could allow one mac address only per switchport, for security.
But doing so the user mini-switch would become useless, of course.
Please, any help/suggestion is appreciated.
Thank you for your precious help.
With STP disabled on the mini-switch, it ideally forwards BPDUs rather than only processing the BPDU itself. In case the mini-switch discards the BPDUs with STP disabled, then BPDU Guard on the uplink switch would not work. Probably that is the case in the output of the uplink switch: BPDUs are not received, only sent.
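As an added example, not part of any post in this thread: an access-port configuration that addresses the two points raised above. First, the original poster's question of how to tolerate unmanaged mini-switches without a loop freezing the core; second, the case just described where the mini-switch swallows BPDUs so BPDU guard never sees one and cannot fire. BPDU guard is enabled explicitly on the port (so it no longer depends on the global portfast default), the port is pinned to access mode (the posted `show int fa0/3 switchport` shows `dynamic desirable` with trunk negotiation on), and storm-control is added as the safeguard for a BPDU-less loop, which shows up on the access port as a broadcast/multicast storm. The interface name follows the thread; the storm-control thresholds and the recovery interval are assumptions to tune for the site.

```cisco
! --- Global: let a tripped port recover by itself after 5 minutes ---
! (assumption: 300 s is acceptable; range is 30-86400)
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! --- Per-port: user outlet where an unmanaged mini-switch is tolerated ---
interface FastEthernet0/3
 description user desk outlet (unmanaged mini-switch allowed)
 ! no DTP on a user port: fixed access mode, no trunk negotiation
 switchport mode access
 switchport nonegotiate
 ! edge port, and BPDU guard enabled on the port itself rather than
 ! inherited from "spanning-tree portfast bpduguard default"
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! fallback for a loop behind a switch that drops BPDUs: a loop floods
 ! the port with broadcast/multicast; 1% of link bandwidth is an
 ! assumed threshold, far above normal desktop traffic
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 ! shut the offending port (err-disable) and send a trap; the user's
 ! outlet goes down instead of the core switches' CPU
 storm-control action shutdown
 storm-control action trap
!
! --- Verification ---
! show spanning-tree interface fa0/3 detail   (portfast, bpdu guard, BPDU counters)
! show storm-control fa0/3                     (thresholds and current levels)
! show interfaces status err-disabled          (which ports tripped and why)
! show errdisable recovery                     (recovery causes and timer)
```

The design choice here is containment at the edge: whichever mechanism trips, it is the single user port that goes err-disabled, not the uplinks, and the recovery timer brings it back once the mini-switch loop has been removed. The storm-control level is a percentage of interface bandwidth; on a 100 Mbit/s port 1% is 1 Mbit/s of broadcast, so check `show storm-control` against real traffic before enabling `action shutdown` fleet-wide.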
Thank you Narainarun for your answer.
I cannot guess which kind of device a user attaches to a port, but usually they are those 8-port unmanaged mini-switches that surely ignore STP. They are very simple store-and-forward switches that are just a bit more than hubs.
But I could say that now my question moved away from the main topic I originally posted (BPDUGuard), so I will re-arrange the question in a new topic.
Thank YOU ALL for your kind help.
I have just tested the BPDUGuard feature on a spare switch and it works as I expected.
I put a mini-switch on port fas0/7 and then plugged the two ends of a cable into two ports of the mini-switch.
After a second, on the console I see:
*Mar 1 00:26:51.678: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/7 with BPDU Guard enabled. Disabling port.
*Mar 1 00:26:51.678: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
*Mar 1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
*Mar 1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:26:53.691: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
sw-test-249#sh int status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/7                        err-disabled bpduguard
Also, I see on this interface 0 BPDUs sent, and I think it's because I have just taken it back from the err-disabled state.
What could have gone wrong on the production switch?
Any idea to put me on the right track to allow those mini-switches without such a great danger is appreciated.