Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

bpduguard default

how important is having this setting configured?

we are having many spanning tree loops. could this help?

if not, what advice would you give to remove this threat?

thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: bpduguard default

HI Mike, [Pls Rate if HELPS]

A Cisco router will give you a warning when you configure PortFast:

SW1(config)#int fast 0/5

SW1(config-if)#spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only

have effect when the interface is in a non-trunking mode.

SW1(config-if)#

Not only will the switch warn you about the proper usage of PortFast, but you must put the port into access mode before PortFast will take effect.

But there is a chance - just a chance - that someone is going to manage to connect a switch to a port running Portfast. That could lead to two major problems, the first being the formation of a switching loop. Remember, the reason we have listening and learning modes is to help prevent switching loops. The next problem is that there could be a new root bridge elected - and it could be a switch that isn't even in your network!

BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled. A port placed in err-disabled state must be reopened manually.

BPDU Guard is off on all ports by default, and is enabled as shown here:

SW1(config)#int fast 0/5

SW1(config-if)#spanning-tree bpduguard enable

It's a good idea to enable BPDU Guard on any port you're running PortFast on. There's no cost in overhead, and it does prevent the possibility of a switch sending BPDUs into a port configured with PortFast - not to mention the possibility of a switch not under your control becoming a root switch to your network!

Refer link below for Understanding Spanning Tree Protocol:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

Hope i am Informative and this HELPS.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

2 REPLIES

Re: bpduguard default

Hi Michael, I would suggest go over couple of links, fisrt one to help indentify forwarding loops.

Things to look into in identifying bridging loops, this link sort of gives you steps to look into and narrow down where loops can occur , look at the examples and identify redundant links, root and backup root bridge etc..

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml#intro

This other link provides usage guidelines in implementing loopguard, bpdu guard etc..

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html#wp1019943

HTH

Jorge

Re: bpduguard default

HI Mike, [Pls Rate if HELPS]

A Cisco router will give you a warning when you configure PortFast:

SW1(config)#int fast 0/5

SW1(config-if)#spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/5 but will only

have effect when the interface is in a non-trunking mode.

SW1(config-if)#

Not only will the switch warn you about the proper usage of PortFast, but you must put the port into access mode before PortFast will take effect.

But there is a chance - just a chance - that someone is going to manage to connect a switch to a port running Portfast. That could lead to two major problems, the first being the formation of a switching loop. Remember, the reason we have listening and learning modes is to help prevent switching loops. The next problem is that there could be a new root bridge elected - and it could be a switch that isn't even in your network!

BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled. A port placed in err-disabled state must be reopened manually.

BPDU Guard is off on all ports by default, and is enabled as shown here:

SW1(config)#int fast 0/5

SW1(config-if)#spanning-tree bpduguard enable

It's a good idea to enable BPDU Guard on any port you're running PortFast on. There's no cost in overhead, and it does prevent the possibility of a switch sending BPDUs into a port configured with PortFast - not to mention the possibility of a switch not under your control becoming a root switch to your network!

Refer link below for Understanding Spanning Tree Protocol:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

Hope i am Informative and this HELPS.

PLS RATE if HELPS

Best Regards,

Guru Prasad R

254
Views
0
Helpful
2
Replies
CreatePlease to create content