RE: bpduguard ............Confusion

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Nov 11 2007 - 15:14:29 ART


Dude the only way to find these things out is to lab them up... that's it.
That's what it takes to get a #.

So here goes,

My test scenario will cover both cases

1. spanning-tree portfast default & spanning-tree portfast bpduguard default

rack1sw3#sh run | inc spanning-tree portfast
spanning-tree portfast default
spanning-tree portfast bpduguard default

rack1sw3#sh run int f0/3
Building configuration...

Current configuration : 186 bytes
!
interface FastEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 33
 dot1x auth-fail vlan 33
 wrr-queue bandwidth 30 20 10 10
end

Now, Router3 is on that port, so I do something to get R3 to send BPDUs to
get it in trouble with the switch...

rack1r3(config)#bridge irb
rack1r3(config)#bridge 1 pro ieee
rack1r3(config)#int f0/0
rack1r3(config-if)#bridge-group 1
rack1r3(config-if)#

and watch the switch freak out and disable the port...

rack1sw3#
10:23:35: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU
Guard enabled. Disabling port.
rack1sw3#
10:23:35: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting
Fa0/3 in err-disable state
10:23:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3,
changed state to down

Ok, so with the 2 default global options we get a disabled port. The port
was placed in portfast, but it later sent a BPDU so our bpduguard default
came in.

2. Let's see if we can just use spanning-tree bpduguard default with
spanning-tree portfast just on the port (no global spanning-tree portfast
default command this time)

rack1sw3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
rack1sw3(config)#no spanning-tree portfast default
rack1sw3(config)#int f0/3
rack1sw3(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

NOPE - the global "spanning-tree portfast bpduguard default" kicks in even
with the interface configured "spanning-tree portfast" and disables the port
upon hearing a BPDU

10:29:09: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU
Guard enabled. Disabling port.
rack1sw3#
10:29:09: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting
Fa0/3 in err-disable state
rack1sw3#
10:29:11: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

Now, I wonder: if I leave just the global "spanning-tree portfast
bpduguard default", will the port be disabled if the interface is not a
portfast port (no spanning-tree portfast anywhere)?

rack1sw3(config)#int f0/3
rack1sw3(config-if)#no spanning-tree portfast
rack1sw3(config-if)#shut
rack1sw3(config-if)#no shut

rack1sw3(config-if)#
10:32:21: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up

That's it. The port doesn't go down again...

So to answer your question, the global command
"spanning-tree portfast bpduguard default" performs bpduguard on ANY portfast
port, regardless of whether the interface was configured with "spanning-tree
portfast" or the globally configured "spanning-tree portfast default" command
was used to put the port into portfast state.

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rana
Bilal
Sent: Sunday, November 11, 2007 12:48 PM
To: ccielab@groupstudy.com
Subject: bpduguard ............Confusion

Folks/Experts,

I need expert opinion on bpduguard. Here is what is confusing me:

Enabling portfast globally on a switch: spanning-tree portfast bpduguard
default <----(command)

Enabling portfast on a single port :

interface FastEthernet0/11
switchport access vlan 120
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable

My confusion is: do I need to have portfast configured on my access
ports in order for the global spanning-tree portfast bpduguard default
command to work, or will it work without the access port being configured
for portfast? The main concern here is that in the global command option I
have to add the portfast word in the command.

2nd question: what is good practice? Do I need to enable the command
globally while adding a switch to a spanning tree domain, or would it be
a good thing to enable it on a per-access-port basis?

Bilal
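As an added illustration (not part of the thread, and not Cisco's code), the script below does two things with Joe's findings. First, a small model of which ports end up with BPDU guard active: the global "spanning-tree portfast bpduguard default" only guards ports that are operationally PortFast, whether PortFast came from the interface command or from the global "spanning-tree portfast default". The interface-level "spanning-tree bpduguard enable" from Bilal's config is modelled as guarding the port unconditionally; that is documented IOS behaviour but is not one of the three cases Joe labbed, so treat it as an assumption here. Second, a detector that walks IOS syslog output and reports each BPDU-guard trigger only when it is followed by the matching %PM-4-ERR_DISABLE for the same port, which is the pair of lines a monitoring system should alert on. The sample log is constructed from the messages in Joe's session, re-joined onto single lines; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- Part 1: which ports end up with BPDU guard active -------------------

@dataclass
class SwitchGlobals:
    portfast_default: bool = False             # "spanning-tree portfast default"
    portfast_bpduguard_default: bool = False   # "spanning-tree portfast bpduguard default"

@dataclass
class PortConfig:
    name: str
    mode_access: bool = True           # "switchport mode access"
    portfast_configured: bool = False  # "spanning-tree portfast" on the interface
    bpduguard_enable: bool = False     # "spanning-tree bpduguard enable" on the interface

def portfast_operational(g: SwitchGlobals, p: PortConfig) -> bool:
    """PortFast is in effect if set on the interface, or via the global
    default on an access (non-trunk) port."""
    return p.portfast_configured or (g.portfast_default and p.mode_access)

def bpduguard_active(g: SwitchGlobals, p: PortConfig) -> bool:
    """Global 'portfast bpduguard default' guards only operationally-PortFast
    ports (Joe's cases 1-3). Interface-level 'bpduguard enable' is assumed to
    guard the port regardless of PortFast (documented IOS behaviour, not
    labbed in the thread)."""
    if p.bpduguard_enable:
        return True
    return g.portfast_bpduguard_default and portfast_operational(g, p)

# ---- Part 2: detection over IOS syslog -----------------------------------

SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$"
)
BPDU_PORT_RE = re.compile(r"Received BPDU on port (?P<port>\S+) with BPDU Guard")
ERRDISABLE_RE = re.compile(r"(?P<cause>\S+) error detected on (?P<port>\S+),")

def parse_syslog(text: str) -> List[dict]:
    """Parse IOS-style syslog lines; prompts and other noise are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def bpduguard_incidents(text: str) -> List[Tuple[str, str]]:
    """(timestamp, port) for each BPDU-guard trigger that was actually followed
    by a bpduguard err-disable of the same port."""
    pending: Dict[str, str] = {}   # port -> timestamp of the BLOCK_BPDUGUARD message
    incidents: List[Tuple[str, str]] = []
    for ev in parse_syslog(text):
        if ev["fac"] == "SPANTREE" and ev["mnem"] == "BLOCK_BPDUGUARD":
            m = BPDU_PORT_RE.search(ev["msg"])
            if m:
                pending[m.group("port")] = ev["ts"]
        elif ev["fac"] == "PM" and ev["mnem"] == "ERR_DISABLE":
            m = ERRDISABLE_RE.search(ev["msg"])
            if m and m.group("cause") == "bpduguard" and m.group("port") in pending:
                incidents.append((pending.pop(m.group("port")), m.group("port")))
    return incidents

def incidents_per_port(text: str) -> Dict[str, int]:
    """Count of bpduguard err-disables per port; a repeat offender is worth a look."""
    counts: Dict[str, int] = {}
    for _, port in bpduguard_incidents(text):
        counts[port] = counts.get(port, 0) + 1
    return counts

# Constructed sample: the messages from Joe's lab, re-joined onto single lines.
SAMPLE_LOG = """\
rack1sw3#
10:23:35: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
rack1sw3#
10:23:35: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
10:23:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
10:29:09: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
10:29:09: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
10:29:11: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
10:32:21: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

if __name__ == "__main__":
    for ts, port in bpduguard_incidents(SAMPLE_LOG):
        print(f"{ts} BPDU guard err-disabled {port}")
    print(incidents_per_port(SAMPLE_LOG))
```

Run as a script it lists the two err-disables of Fa0/3 from the session; the third event (the port coming back up with no PortFast and no guard) produces no incident, matching Joe's last test. Feed it real `show logging` output and the per-port counts tell you which access ports keep hearing BPDUs and probably have a switch or bridging host behind them.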



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART