How do you configure BPDU guard on CatOS ? It looks to be set up in our switches right but it works for one switch and not the other.
In the one switch this line is enabled:
set spantree global-default bpdu-guard enable
and under the module it says bpdu-guard default as well.
In the other switch this line is enabled:
set spantree global-default bpdu-guard disable
but under the modules it says
set spantree bpdu-guard 2/1-48 enable
Does the global one mean anything? It doesnt seem to matter since in the second example it is disabled globally and enabled on the module and it works.
For the first example should I set the on under the module to "bpdu-guard enable" instead of "bpdu-guard default"?
I'm extrapolating from IOS (that I'm familiar with). The global-default is different. When you enable bpdu-guard with global default, the bpdu-guard feature will apply to any port that is operationally portfast enabled. The idea is that port operationally portfast enable are edge ports (connecting to hosts). The global-default command is a simple way of enabling bpdu-guard on all the edge ports (where it matters the most).
The per-port command is different and is not dependent on the portfast configuration. If you enable bpdu-guard on a port with this CLI... well, bpdu-guard will be effective on this port.
So if I entered the command:
"set spantree global-default bpdu-guard enable"
would it automatically put the statement:
"set spantree portfast bpdu-guard default"
under the modules?
Or do I need to put the second statement in myself, or not at all?
I missed this subtle difference earlier and might have not answered your question exactly...
-a- set spantree global-default bpdu-guard enable
-b- set spantree portfast bpdu-guard default
I think that -a- and -b- are two formats for the same command (again, I don't have much CatOS memories;-). The oldest is probably -b-, as I guess that -a- was introduced with some other global-default commands.
In the CatOS showing -a- in its configuration, you should still be able to enter -b- and it's going to be interpreted as -a-.
In the latest versions (whether it's CatOS or IOS), this global configuration command now has a per-interface configuration that does not depend on portfast.
This is the statements in the config...
#spantree global defaults
set spantree global-default portfast disable
set spantree global-default loop-guard disable
set spantree global-default bpdu-guard enable
set spantree global-default bpdu-filter disable
set spantree portfast 2/48 disable
set spantree portfast 2/1-47 enable
set spantree bpdu-filter 2/1-48 default
set spantree bpdu-guard 2/1-48 default
This is before I enabled portfast on all the ports and enabled bpdu-guard on all the ports.
But the ports are still not operating like portfast nor do they disable the port when I plug a test switch into one of the ports.
Along with my problem above this one...on the IOS switch I am working with I entered the command:
"spanning-tree portfast bpduguard"
I read that this command would enable bpduguard on all interfaces configured as portfast but it doesnt disable when I test.
With the config you have above, portfast is enabled on 2/1-47
bpduguard is enabled globally. Those port should run bpduguard. A subtle thing thought... as I mentioned earlier, the global bpduguard command applies to port that are *operationally* running portfast. If the port receives a bpdu, portfast gets disabled on it. So if you received a bpdu on a port before you configured global bpduguard, the feature will not be activated on this port. Flapping the link should fix the issue.
If bpduguard does not kick in after that (check that the test bridge you are inserting is actually sending bpdus btw), then I don't know what's happening;-)
Again, I'm just trying to answer a CatOS question by extrapolating IOS behavior...
The thing is, I believe I've enabled bpdu-guard gloablly AND specificly on the ports. and also enabled portfast specificly on the ports. When I went to test it tho, I believe 2 of the 3 modules shut down the port when they recieved bpdu's but the other didnt. But also, none of them were in portfast. The 2 of the 3 shutdown the port before the LED even went green. If it was portfasting it would go green then be shutdown I thought (at least this is what I've seen on another switch).
If you configure bpduguard explicitly on a port (which was not the case in the config you posted), then its portfast status is irrelevant: the feature is then enabled on the port.
Also, be careful that it's not because you are connecting a bridge running STP that it is going to send a single bpdu. Even if it's a race condition, it's possible that the bridge you are connecting is receiving a superior bpdu as soon as the link comes up and stays silent.
Yes, good point. Is there any other way I can test it with the bridge I'm using to shut down the switch port if it really is getting a superior bpdu?
bpdu guard will kick in regardless of whether the bpdu received is inferior or superior. It's just that you need to make sure that the switch you connect cannot be silent. Do your test with a bridge having a very low priority (0 should do it;-)
For IOS these config lines should be fine for just enabling the guard on one port right?
int fast 3/4
spanning-tree bpduguard enable
(already set as portfast)
Also, did you say there was a global command for enabling bpdu-guard on all previously configured portfast ports?
I found this command:
spanning-tree portfast bpduguard
I did try this command and it was supposedly accepted but when I just tried a port I didnt specificly set bpdu-guard on, it never disabled the port.?