Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

catos bpdu guard

How do you configure BPDU guard on CatOS ? It looks to be set up in our switches right but it works for one switch and not the other.

In the one switch this line is enabled:

Code:

set spantree global-default bpdu-guard enable

and under the module it says bpdu-guard default as well.

In the other switch this line is enabled:

Code:

set spantree global-default bpdu-guard disable

but under the modules it says

Code:

set spantree bpdu-guard 2/1-48 enable

Does the global one mean anything? It doesnt seem to matter since in the second example it is disabled globally and enabled on the module and it works.

For the first example should I set the on under the module to "bpdu-guard enable" instead of "bpdu-guard default"?

15 REPLIES
Community Member

Re: catos bpdu guard

What CAT OS Version is on each ?

Community Member

Re: catos bpdu guard

version 8.6

Re: catos bpdu guard

I'm extrapolating from IOS (that I'm familiar with). The global-default is different. When you enable bpdu-guard with global default, the bpdu-guard feature will apply to any port that is operationally portfast enabled. The idea is that port operationally portfast enable are edge ports (connecting to hosts). The global-default command is a simple way of enabling bpdu-guard on all the edge ports (where it matters the most).

The per-port command is different and is not dependent on the portfast configuration. If you enable bpdu-guard on a port with this CLI... well, bpdu-guard will be effective on this port.

HTH,

Francois

Community Member

Re: catos bpdu guard

So if I entered the command:

"set spantree global-default bpdu-guard enable"

would it automatically put the statement:

"set spantree portfast bpdu-guard default"

under the modules?

Or do I need to put the second statement in myself, or not at all?

Re: catos bpdu guard

I missed this subtle difference earlier and might have not answered your question exactly...

-a- set spantree global-default bpdu-guard enable

-b- set spantree portfast bpdu-guard default

I think that -a- and -b- are two formats for the same command (again, I don't have much CatOS memories;-). The oldest is probably -b-, as I guess that -a- was introduced with some other global-default commands.

In the CatOS showing -a- in its configuration, you should still be able to enter -b- and it's going to be interpreted as -a-.

In the latest versions (whether it's CatOS or IOS), this global configuration command now has a per-interface configuration that does not depend on portfast.

Regards,

Francois

Community Member

Re: catos bpdu guard

This is the statements in the config...

#spantree

#spantree global defaults

set spantree global-default portfast disable

set spantree global-default loop-guard disable

#portfast

set spantree global-default bpdu-guard enable

set spantree global-default bpdu-filter disable

#Module2

set spantree portfast 2/48 disable

set spantree portfast 2/1-47 enable

set spantree bpdu-filter 2/1-48 default

set spantree bpdu-guard 2/1-48 default

This is before I enabled portfast on all the ports and enabled bpdu-guard on all the ports.

But the ports are still not operating like portfast nor do they disable the port when I plug a test switch into one of the ports.

Community Member

Re: catos bpdu guard

Along with my problem above this one...on the IOS switch I am working with I entered the command:

"spanning-tree portfast bpduguard"

I read that this command would enable bpduguard on all interfaces configured as portfast but it doesnt disable when I test.

Re: catos bpdu guard

With the config you have above, portfast is enabled on 2/1-47

bpduguard is enabled globally. Those port should run bpduguard. A subtle thing thought... as I mentioned earlier, the global bpduguard command applies to port that are *operationally* running portfast. If the port receives a bpdu, portfast gets disabled on it. So if you received a bpdu on a port before you configured global bpduguard, the feature will not be activated on this port. Flapping the link should fix the issue.

If bpduguard does not kick in after that (check that the test bridge you are inserting is actually sending bpdus btw), then I don't know what's happening;-)

Again, I'm just trying to answer a CatOS question by extrapolating IOS behavior...

Regards,

Francois

Community Member

Re: catos bpdu guard

The thing is, I believe I've enabled bpdu-guard gloablly AND specificly on the ports. and also enabled portfast specificly on the ports. When I went to test it tho, I believe 2 of the 3 modules shut down the port when they recieved bpdu's but the other didnt. But also, none of them were in portfast. The 2 of the 3 shutdown the port before the LED even went green. If it was portfasting it would go green then be shutdown I thought (at least this is what I've seen on another switch).

Re: catos bpdu guard

If you configure bpduguard explicitly on a port (which was not the case in the config you posted), then its portfast status is irrelevant: the feature is then enabled on the port.

Also, be careful that it's not because you are connecting a bridge running STP that it is going to send a single bpdu. Even if it's a race condition, it's possible that the bridge you are connecting is receiving a superior bpdu as soon as the link comes up and stays silent.

Regards,

Francois

Community Member

Re: catos bpdu guard

Yes, good point. Is there any other way I can test it with the bridge I'm using to shut down the switch port if it really is getting a superior bpdu?

Re: catos bpdu guard

bpdu guard will kick in regardless of whether the bpdu received is inferior or superior. It's just that you need to make sure that the switch you connect cannot be silent. Do your test with a bridge having a very low priority (0 should do it;-)

Regards,

Francois

Community Member

Re: catos bpdu guard

For IOS these config lines should be fine for just enabling the guard on one port right?

int fast 3/4

spanning-tree bpduguard enable

(already set as portfast)

Re: catos bpdu guard

yep (this, I'm sure;-)

And this again irrespective of portfast configuration.

Regards,

Francois

Community Member

Re: catos bpdu guard

Also, did you say there was a global command for enabling bpdu-guard on all previously configured portfast ports?

I found this command:

spanning-tree portfast bpduguard

I did try this command and it was supposedly accepted but when I just tried a port I didnt specificly set bpdu-guard on, it never disabled the port.?

804
Views
0
Helpful
15
Replies
CreatePlease to create content