06-09-2009 04:15 AM - edited 03-06-2019 06:09 AM
In one of our schools we have multiple Cat3750 stacks. Recently a student/teacher plugged an ethernet cable into two wall jacks and created a physical loop on one of the switches in the stack. When this happened all traffic leaving/entering the stack stopped and only traffic local to the stack would flow. Is there anything we can add/remove from our configuration that could prevent this from happening again?
Solved! Go to Solution.
06-09-2009 02:14 PM
Adam,
As Global mentioned, spanning-tree bpdu-guard will prevent this issue in the future.
With that said, there are 2 ways of implementing this feature; global or interface level.
At the global level, you use the command spanning-tree portfast bpduguard default while at the interface level, you use the command spanning-tree bpduguard enable
The main difference between the two commands is that the global one will only enable bpduguard protection on portfast-enabled ports, for instance client ports, while the second command will enable bpduguard at the interface level regardless of its portfast status.
If you implement portfast only on client ports, the first option would be the recommended choice as you don't need to worry about not enabling bpduguard on inter-switch links (they don't have portfast enabled).
The second choice provides a higher degree of security, but you need to be careful that it isn't applied to an inter-switch link.
HTH,
__
Edison.
Please rate helpful posts
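A small audit script, added here as an example (not from the thread or Cisco), that checks a running-config against the two rules in the answer above: every `spanning-tree portfast` edge port must be covered by BPDU guard (either the global `spanning-tree portfast bpduguard default` or a per-interface `spanning-tree bpduguard enable`), and no trunk/uplink may carry the interface-level command. The sample config is constructed, modelled on the interface posted in the thread plus a hypothetical uplink.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from a real device): the posted
# access port plus a hypothetical uplink that wrongly has BPDU guard on it.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface FastEthernet4/0/25
 switchport access vlan 16
 switchport mode access
 switchport port-security
 storm-control broadcast level 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 description UPLINK-to-core (hypothetical)
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped config lines under that interface]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return interfaces

def audit_bpduguard(config: str) -> List[str]:
    """Flag portfast edge ports without BPDU guard and uplinks that have it."""
    # Global-level protection applies only to portfast-enabled ports.
    global_default = any(l.strip() == "spanning-tree portfast bpduguard default"
                         for l in config.splitlines())
    findings = []
    for name, lines in parse_interfaces(config).items():
        portfast = "spanning-tree portfast" in lines
        guard = "spanning-tree bpduguard enable" in lines
        trunk = "switchport mode trunk" in lines
        if portfast and not (guard or global_default):
            findings.append(f"{name}: portfast edge port without BPDU guard")
        if trunk and guard:
            findings.append(f"{name}: BPDU guard on trunk/uplink (a BPDU will err-disable it)")
    return findings
```

Feed it the output of `show running-config` to see which access ports a loop could still bring down and which uplinks would be err-disabled by the first BPDU from a neighbouring switch.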
06-09-2009 04:23 AM
bpdu-guard would be one thing to add under all physical interfaces that are in portfast mode. Can you post the output from one of your interfaces so we can see what you've already got implemented?
06-09-2009 04:31 AM
Thank you for the suggestion. I am looking into the BPDU-guard feature. Here is the configuration for one of our interfaces.
interface FastEthernet4/0/25
switchport access vlan 16
switchport mode access
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 1
switchport port-security violation restrict
switchport port-security aging type inactivity
mls qos trust cos
storm-control broadcast level 2.00
storm-control action trap
spanning-tree portfast
Thanks again.
06-09-2009 02:42 PM
I use bpduguard at global level.
It's a good idea to configure a recovery timer.
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
spanning-tree portfast bpduguard default
errdisable recovery interval
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
Guido.
Please rate all the helpful comments.
06-09-2009 01:51 PM
Where is the spanning-tree bpduguard enable?