Can someone confirm how I think bpduguard works? I think it stops the potential for loops on a switchport that's configured with portfast by either shutting the port down, or sending an SNMP trap (depending on which you choose) when it receives a BPDU on that interface... most likely caused by someone plugging in a switch on the other end.
Would this be a correct assessment?
Also, I know that you can set switch port security as well by way of the following commands:
>switchport port-security maximum 
>switchport port-security mac-address sticky
>switchport port-security violation [shutdown]
Can someone explain the second line, specifically the 'sticky' command? So... if you only allow one mac-address by way of the first command, does the second command say that it will dynamically learn the mac-address and keep that address in its memory by way of the 'sticky' command?
What happens if you plug a different legitimate PC into that port if that's what it means?
Hi there. You are correct on both cases. When configured on a port, BPDU Guard will disable the interface/send an snmp trap if it receives a BPDU.
On the switchport port-security mac-address sticky, that port will learn the mac-address of the first device plugged into it and will apply the port-security settings based on that mac-address. So, depending on how you have your port-security violation parameters set up, plugging in a different device with a different mac-address will trigger the violation. To clear the learned address and allow a new one to be learned, use the 'clear port-security sticky interface' command.
In this configuration bpduguard only affects ports that are configured in portfast mode. Any port configured as portfast that receives a BPDU is disabled.
2) On an interface level. In this configuration bpduguard will shut down the port if the port receives a BPDU regardless of whether it is configured to be portfast or not.
Switchport sticky allows dynamically learned mac-addresses to be written into the running config. If you then save that config, i.e. "copy run start" or "wr mem", when the switch reboots it will still use that dynamically learned mac-address on the port.
I just want to confirm I am correct in thinking that with the switchport port-security sticky command, in order for the MAC addresses learnt on a port to be stored and survive a switch reload, you MUST save the running config?
The changes to the configuration that the sticky mac address causes don't seem to update the 'last configuration change' banner displayed when you issue the 'show run' command, which makes it hard to see if there have been any changes you might need to save.