I got the following error in sh log of the router:
May 9 13:39:42.441 PDT: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet4/21 with BPDU Guard enabled. Disabling port.
May 9 13:39:42.441 PDT: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa4/21, putting Fa4/21 in err-disable state
Any help, please?
Hi there, basically, BPDU Guard is used on the port which applies PortFast. As long as the port receives any BPDUs, the BPDU Guard port will be kept in errdisable status.
It seems someone may be trying to insert a switch into that port which sends BPDU packets. The port is configured to not allow this, so it goes into an error-disable mode and shuts the port down. You have to do a shut and no shut on the port to bring it back up. However, it may go down again if the device sending BPDUs is still active on the port.
If your intention is to connect this device, you must turn BPDU guard off on the port.
Hope this helps. Regards,
Raj is right, turn off BPDUguard with the "no spanning-tree bpduguard enable" interface command on Fa4/21, if you want to connect a switch to this port.
Otherwise you should leave it as it is, because it will protect your network from connecting rogue switches to that port. Enabling a rogue switch can change the entire topology of your network:
If it is configured with a lower bridge priority, then it will take over the role of the root switch and the traffic patterns may change for the worse within your network.
In addition, if this new switch is configured as a VTP server or client with a higher VTP revision number, then it will overwrite all the VLAN information in all switches. This can simply disrupt the whole network.
So take care.
BPDUguard puts a port in err-disable state when it receives a BPDU on an access port. To reuse the port, you need to shut/no shut the port.
You may also use the rootguard command as a replacement for BPDU guard; this also disables the port when it receives a superior BPDU and recovers the port by itself when it ceases to hear BPDUs on the port.
When you define an access port, you would typically have an end station at the other end, so no BPDUs should be received.
However, to protect yourself against miscabling or malicious activity, you need to be prepared in case an access port starts receiving BPDUs, meaning a switch is connected to the access port.
This is where BPDU guard comes in handy.
Rootguard is useful but will only protect you against superior BPDUs. If you have a loop due to miscabling, BPDUs might not be superior. An SPT loop will kill your switched network.
A recommendation is to leave BPDU guard on and add "errdisable recovery interval x", where x is your time to try to bring the port up automatically instead of doing shutdown and no shutdown.
Pls rate all helpful posts.
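As an added example (not part of the thread and not Cisco tooling): with automatic errdisable recovery, a port whose attached device keeps sending BPDUs will trip BPDU guard again after every recovery, so repeated trips on one port are worth alerting on. This Python sketch parses the two syslog messages quoted in the question and flags such ports; the year, threshold, window and every sample line after the first two are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both messages quoted in the thread; the "-SP" infix is optional.
TRIP = re.compile(
    r"\*?(?P<ts>\w{3}\s+\d+ [\d:.]+)[^%]*%(?:"
    r"SPANTREE(?:-\w+)?-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<long>\S+)|"
    r"PM(?:-\w+)?-4-ERR_DISABLE: bpduguard error detected on (?P<short>[^\s,]+))")

def short_name(intf):
    """FastEthernet4/21 -> Fa4/21 (two-letter abbreviation, a simplification)."""
    m = re.match(r"([A-Za-z]+)(.*)", intf)
    return m.group(1)[:2].title() + m.group(2) if m else intf

def parse_trips(lines, year):
    """Return {port: [trip times]}; the log carries no year, so the caller supplies it."""
    seen = defaultdict(list)
    for line in lines:
        m = TRIP.match(line.strip())
        if not m:
            continue
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in m["ts"] else "%Y %b %d %H:%M:%S"
        when = datetime.strptime(f"{year} {m['ts']}", fmt)
        seen[short_name(m["long"] or m["short"])].append(when)
    trips = {}
    for port, times in seen.items():
        kept = []  # the SPANTREE/PM pair logged for one trip counts once
        for t in sorted(times):
            if not kept or t - kept[-1] > timedelta(seconds=2):
                kept.append(t)
        trips[port] = kept
    return trips

def repeat_offenders(trips, threshold=3, window=timedelta(hours=1)):
    """Ports with `threshold` trips inside `window`: the BPDU source is still attached."""
    return {port: len(t) for port, t in trips.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

# Constructed sample: the first two lines are from the thread, the rest are made up.
SAMPLE = """\
May 9 13:39:42.441 PDT: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet4/21 with BPDU Guard enabled. Disabling port.
May 9 13:39:42.441 PDT: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa4/21, putting Fa4/21 in err-disable state
May 9 13:44:43.102 PDT: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet4/21 with BPDU Guard enabled. Disabling port.
May 9 13:49:44.310 PDT: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa4/21, putting Fa4/21 in err-disable state
May 9 14:02:10.000 PDT: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa4/7, putting Fa4/7 in err-disable state
""".splitlines()
print(repeat_offenders(parse_trips(SAMPLE, year=2024)))
```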
Thanks for the reply.
If someone plugs a cable into two ports on the same switch, will it cause a loop?
How can we protect in this case if cabling
Thanks for the reply.
So you mean to say we should apply BPDU guard on all ports?
Access ports, right?
Not on trunk ports, right?
1- No, not needed on trunks, as SPT takes care of loops.
2- Only needed on access ports that are configured to be portfast, i.e. where you practically have SPT disabled.
STP takes care of both trunk and access ports.
For access ports in the old days, when only STP was around as opposed to RSTP, an access port still had to wait for 50 sec convergence before forwarding frames, so portfast was introduced to speed this up.
Portfast assumes no switch is at the other end on an access port and therefore speeds up convergence; effectively it skips SPT steps. BPDUGUARD was used in case a port that is portfast starts receiving BPDUs.
So in short :-) STP takes care of loops everywhere.