Cisco Support Community

New Member

Looped ports do not errdisable

Hi, I have a 3560G-48PS switches connected using port channels to 2 x 3750-12S switches. They are set up to use PVST. If a network loop is created with a cat5 cable from one port to another on the same switch, I am expecting one of the interfaces to become errdisable, but it does not. Each interface is configured like this:

interface GigabitEthernet0/4
 switchport voice vlan 50
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

Each switch is running IOS:12.2(35)SE5

errdisable is enabled:

ErrDisable Reason    Detection status
-----------------    ----------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
psecure-violation    Enabled
unicast-flood        Enabled
vmps                 Enabled
loopback             Enabled
unicast-flood        Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
sfp-config-mismat    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
storm-control        Enabled
inline-power         Enabled
arp-inspection       Enabled
community-limit      Enabled
invalid-policy       Enabled

I do not understand why it does not become errdisable - do I need more commands?

many thanks in advance for any assistance

Ian

13 REPLIES
Bronze

Re: Looped ports do not errdisable

Hello,

You have to enable bpduguard on each access port with the command:

switch(config-if)#spanning-tree bpduguard enable

Cheers.

New Member

Re: Looped ports do not errdisable

Is this because of the PVST?

bpduguard is enabled globally - why would it not apply to the interfaces?

Ian

Cisco Employee

Re: Looped ports do not errdisable

Hi, Ian,

There is a slight difference between global- and interface-level BPDU guard.

At the global level, you enable BPDU guard on Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down interfaces that are in a Port Fast-operational state. In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled interface signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the interface in the error-disabled state.

At the interface level, you enable BPDU guard on any interface by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.

See here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swstpopt.html#wp1095752

On this link above and this link: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swtrafc.html#wp1038501 you can also read about other features you might want to set up, like Storm Control.

Cheers, Iron

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Bronze

Re: Looped ports do not errdisable

Hello,

If you have bpduguard globally enabled with the command: "spanning-tree portfast bpduguard default", it should work for all ports configured with "spanning-tree portfast".

Could you please post the output of "show spanning-tree summary" and "show spanning-tree interface gigabitethernet0/4 portfast" commands?

Sometimes the portfast feature is not properly accepted by the ports and it needs to be applied twice.

Regards.

New Member

Re: Looped ports do not errdisable

Many thanks for your replies.

Do you know if this will also protect against a loop between ports when they are connected via a phone?

for example:

int gi0/4 -----phone-------int gi0/5

kind regards

Ian

Bronze

Re: Looped ports do not errdisable

Hello,

Cisco IP phones forward BPDUs whilst some Avaya IP phones (depending on firmware) do not. So, bpduguard will work with Cisco IP phones.

Regards.

New Member

Re: Looped ports do not errdisable

We have Avaya phones - I'll have to check the firmware

(they've been working for 2 years without any problems! I am sure there is something else affecting the network - the symptoms are shown by high CPU on the router for the data and voice vlans. But when testing for loop detection (out of hours), I could not get the ports to errdisable when I created a cable loop or a phone loop)

regards

Ian

Bronze

Re: Looped ports do not errdisable

Please, try enabling terminal monitor on the switches to see if any host flapping messages appear, indicating the ports affecting the loop.

What switch model are you using?

Regards.

New Member

Re: Looped ports do not errdisable

switch#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0         38         38
VLAN0050                     0         0        0         38         38
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      0         0        0         76         76

switch#show spanning-tree interface gigabitethernet0/4 portfast
no spanning tree info available for GigabitEthernet0/4

switch#

Purple

Re: Looped ports do not errdisable

If you are plugging 2 ports together it won't necessarily disable the ports. Spanning tree "should" (though we have seen this isn't true in all cases) take care of the looped port and one should go into blocking mode. Verify with "show spanning tree blocked ports" command.

Bronze

Re: Looped ports do not errdisable

Hello,

I see from your output that Bpduguard is disabled globally:

PortFast BPDU Guard Default  is disabled

The output of the gi0/4 shows nothing because the port is down at the moment.

Enable bpduguard globally or on a per-interface basis to resolve your problem.

Regards.

New Member

Re: Looped ports do not errdisable

...aha - interface gi0/5 is up:

switch#show spanning-tree interface gigabitethernet0/5 portfast
VLAN0001         enabled
VLAN0050         enabled
switch#

Bronze

Re: Looped ports do not errdisable

Thanks. Only enabling bpduguard is needed now to make it work.

Cheers
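
An added example, not part of any post in this thread: a small Python audit that reads an IOS running-config and reports, per interface, whether BPDU guard comes from the interface command, from the global default, or is absent. The Gi0/4 stanza is from the thread; the other interfaces and the function names are constructed for illustration, and a configured `spanning-tree portfast` is assumed to mean the port is Port Fast-operational.

```python
import re

# Constructed sample: Gi0/4 is the thread's stanza, Gi0/5 and Gi0/6 are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/4
 switchport voice vlan 50
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet0/5
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/6
 switchport voice vlan 50
"""

def parse_config(config):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global level ("!" or a global command)
            global_lines.append(line.strip())
    return global_lines, interfaces

def bpduguard_status(config):
    """Return {interface: 'interface' | 'global' | 'unprotected'}."""
    global_lines, interfaces = parse_config(config)
    global_guard = "spanning-tree portfast bpduguard default" in global_lines
    status = {}
    for name, cmds in interfaces.items():
        if "spanning-tree bpduguard enable" in cmds:
            status[name] = "interface"  # applies with or without Port Fast
        elif (global_guard and "spanning-tree portfast" in cmds
              and "spanning-tree bpduguard disable" not in cmds):
            status[name] = "global"  # global default covers Port Fast ports only
        else:
            status[name] = "unprotected"
    return status

if __name__ == "__main__":
    print(bpduguard_status(SAMPLE_CONFIG))
```

Run against the sample as given, Gi0/4 is reported as unprotected, which matches the `PortFast BPDU Guard Default  is disabled` line in the posted summary; the errdisable detection table listing bpduguard as Enabled does not change that.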
