Re: bpduguard ............Confusion

From: Tarun Pahuja (pahujat@gmail.com)
Date: Sun Nov 11 2007 - 15:28:13 ART


BPDU guard is applied only on ports that are PortFast enabled and are in an
operational PortFast state. If you plan on implementing bpdu-guard on all
ports connected to hosts on a switch, it would be beneficial to specify it
globally; it would then only apply to ports which are in portfast mode and
operational.

HTH,
Tarun
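To make the rule above concrete, here is a small Python model of which ports the global and per-interface spanning-tree commands actually cover, replayed against the three lab cases Joe describes below. This is an added example, not code from the thread or from Cisco; the class and function names are my own. Two behaviours it encodes were not exercised in Joe's lab and are stated here as the model's assumptions: the global portfast default covers only non-trunk ports, and the interface-level "spanning-tree bpduguard enable" protects a port whether or not it is PortFast.

```python
"""Model of which ports BPDU guard protects, given the global and per-interface
spanning-tree commands discussed in the thread. Added example, not from the post."""
from dataclasses import dataclass


@dataclass
class SwitchGlobal:
    portfast_default: bool = False      # spanning-tree portfast default
    bpduguard_default: bool = False     # spanning-tree portfast bpduguard default


@dataclass
class Port:
    name: str
    mode: str = "access"                # "access" or "trunk"
    portfast: bool = False              # spanning-tree portfast (interface level)
    bpduguard: bool = False             # spanning-tree bpduguard enable (interface level)
    err_disabled: bool = False


def operational_portfast(sw: SwitchGlobal, port: Port) -> bool:
    """A port is operationally PortFast if it is configured on the interface, or
    if the global default is set and the port is a non-trunk port (assumption:
    the global default skips trunk ports, which the thread did not test)."""
    if port.portfast:
        return True
    return sw.portfast_default and port.mode == "access"


def bpduguard_applies(sw: SwitchGlobal, port: Port) -> bool:
    """Global 'portfast bpduguard default' only covers operational PortFast ports.
    Assumption: the interface-level 'bpduguard enable' covers the port regardless."""
    if port.bpduguard:
        return True
    return sw.bpduguard_default and operational_portfast(sw, port)


def receive_bpdu(sw: SwitchGlobal, port: Port) -> str:
    """Outcome when a BPDU arrives on the port."""
    if port.err_disabled:
        return "already err-disabled"
    if bpduguard_applies(sw, port):
        port.err_disabled = True        # %PM-4-ERR_DISABLE until shut/no shut
        return "err-disabled"
    return "no action (normal STP processing)"


def run_thread_scenarios() -> dict:
    """Replay the cases from the thread plus two the lab did not cover."""
    results = {}
    # 1. both global defaults, nothing on the interface
    sw = SwitchGlobal(portfast_default=True, bpduguard_default=True)
    results["1 global portfast + global bpduguard"] = receive_bpdu(sw, Port("Fa0/3"))
    # 2. global bpduguard default, portfast only on the interface
    sw = SwitchGlobal(portfast_default=False, bpduguard_default=True)
    results["2 interface portfast + global bpduguard"] = receive_bpdu(sw, Port("Fa0/3", portfast=True))
    # 3. global bpduguard default alone, no portfast anywhere
    results["3 global bpduguard only"] = receive_bpdu(sw, Port("Fa0/3"))
    # 4. trunk port under both globals (assumed: not covered by portfast default)
    sw = SwitchGlobal(portfast_default=True, bpduguard_default=True)
    results["4 trunk under both globals"] = receive_bpdu(sw, Port("Gi0/1", mode="trunk"))
    # 5. per-port bpduguard enable without portfast (assumed: still protected)
    sw = SwitchGlobal()
    results["5 interface bpduguard enable, no portfast"] = receive_bpdu(sw, Port("Fa0/11", bpduguard=True))
    return results


if __name__ == "__main__":
    for case, outcome in run_thread_scenarios().items():
        print(f"{case}: {outcome}")
```

Cases 1 to 3 reproduce the lab results in the thread; cases 4 and 5 are the model's assumptions and are the ones worth checking in your own lab before relying on them.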

On Nov 11, 2007 1:14 PM, Joseph Brunner <joe@affirmedsystems.com> wrote:

> Dude the only way to find these things out is to lab them up... that's it.
> That's what it takes to get a #.
>
> So here goes,
>
> My test scenario will cover both cases
>
> 1. spanning-tree portfast default & spanning-tree portfast bpduguard
> default
>
> rack1sw3#sh run | inc spanning-tree portfast
> spanning-tree portfast default
> spanning-tree portfast bpduguard default
>
> rack1sw3#sh run int f0/3
> Building configuration...
>
> Current configuration : 186 bytes
> !
> interface FastEthernet0/3
> switchport mode access
> dot1x pae authenticator
> dot1x port-control auto
> dot1x guest-vlan 33
> dot1x auth-fail vlan 33
> wrr-queue bandwidth 30 20 10 10
> end
>
> Now, Router3 is on that port, so I do something to get R3 to send BPDU's to
> get it in trouble with the switch...
>
> rack1r3(config)#bridge irb
> rack1r3(config)#bridge 1 pro ieee
> rack1r3(config)#int f0/0
> rack1r3(config-if)#bridge-group 1
> rack1r3(config-if)#
>
> and watch the switch freak out and disable the port...
>
> rack1sw3#
> 10:23:35: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU
> Guard enabled. Disabling port.
> rack1sw3#
> 10:23:35: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting
> Fa0/3 in err-disable state
> 10:23:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3,
> changed state to down
>
> Ok, so with the 2 default global options we get a disabled port. The port
> was placed in portfast, but it later sent a bpdu so our bpduguard default
> came in.
>
> 2. let's see if we can just use spanning-tree bpduguard default with
> spanning-tree portfast just on the port (no global spanning-tree portfast
> default command this time)
>
>
> rack1sw3#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> rack1sw3(config)#no spanning-tree portfast default
> rack1sw3(config)#int f0/3
> rack1sw3(config-if)#spanning-tree portfast
> %Warning: portfast should only be enabled on ports connected to a single
> host. Connecting hubs, concentrators, switches, bridges, etc... to this
> interface when portfast is enabled, can cause temporary bridging loops.
> Use with CAUTION
>
> NOPE - the global "spanning-tree portfast bpduguard default" kicks in even
> with the interface configured "spanning-tree portfast" and disables the port
> upon hearing a bpdu
>
> 10:29:09: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU
> Guard enabled. Disabling port.
> rack1sw3#
> 10:29:09: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting
> Fa0/3 in err-disable state
> rack1sw3#
> 10:29:11: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
>
> Now, I wonder, if I leave just the global "spanning-tree portfast
> bpduguard default" will the port be disabled if the interface is not a
> portfast port (no spanning-tree portfast anywhere)
>
> rack1sw3(config)#int f0/3
> rack1sw3(config-if)#no spanning-tree portfast
> rack1sw3(config-if)#shut
> rack1sw3(config-if)#no shut
>
> rack1sw3(config-if)#
> 10:32:21: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
>
> That's it. The port doesn't go down again...
>
> So to answer your question, the global command
> "spanning-tree portfast bpduguard default" performs bpduguard on ANY portfast
> port regardless of whether the interface was configured with "spanning-tree
> portfast" or the globally configured "spanning-tree portfast default" command
> was used to put the port into portfast state.
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Rana Bilal
> Sent: Sunday, November 11, 2007 12:48 PM
> To: ccielab@groupstudy.com
> Subject: bpduguard ............Confusion
>
> Folks/Experts,
>
> I need expert opinion on bpduguard. Here is what is confusing me:
>
> Enabling portfast globally on a switch: spanning-tree portfast bpduguard
> default <----(command)
>
>
> Enabling portfast on a single port :
>
> interface FastEthernet0/11
> switchport access vlan 120
> switchport mode access
> spanning-tree portfast
> spanning-tree bpduguard enable
>
>
> My confusion is that do I need to have port fast configured on my access
> ports in order for the global spanning-tree portfast bpduguard default
> command to work... or will it work without the access port
> configured for port fast... The main concern here is that in the
> global command option I have to add the portfast word in the command???
>
> 2nd question is what is good practice: do I need to enable the
> command globally while adding a switch in a spanning tree domain, or would it
> be a good thing to enable it on a per access port basis?
>
>
> Bilal
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
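The switch log Joe posted is exactly what a network operations team should be watching for: a BPDU arriving on a host-facing port means something attached to it has started talking spanning tree. As an added example (not code from the thread), the Python below parses those SPANTREE, PM and LINK syslog lines, keeps a per-port view of how often the guard fired and whether the port is still err-disabled, and produces alert lines. The sample log is constructed from the messages quoted above plus the LINK up line from the shut/no shut recovery; the message formats are the ones shown in the thread, and the regexes, function names and the repeat threshold are my own.

```python
"""Parse Cisco syslog lines for BPDU guard err-disable events and summarise them
per port. Added example, not code from the thread; sample log is constructed
from the lines quoted in the thread."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
10:23:35: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
10:23:35: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
10:23:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
10:29:09: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.
10:29:09: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
10:29:11: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
10:32:21: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

TS = r"^(?P<ts>\d{2}:\d{2}:\d{2}): "
BLOCK_RE = re.compile(TS + r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) ")
ERRDIS_RE = re.compile(TS + r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
LINK_RE = re.compile(TS + r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)")


def short_name(iface: str) -> str:
    """Normalise 'FastEthernet0/3' to the 'Fa0/3' form the SPANTREE/PM messages use."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(\d.*)$", iface)
    return m.group(1) + m.group(2) if m else iface


def parse_events(text: str) -> list:
    """Return (ts, kind, port, extra) tuples for the messages we care about."""
    events = []
    for line in text.splitlines():
        if (m := BLOCK_RE.match(line)):
            events.append((m["ts"], "bpdu_blocked", m["port"], None))
        elif (m := ERRDIS_RE.match(line)):
            events.append((m["ts"], "err_disable", m["port"], m["cause"]))
        elif (m := LINK_RE.match(line)):
            events.append((m["ts"], "link", short_name(m["iface"]), m["state"]))
    return events


def summarize(text: str) -> dict:
    """Per-port view: guard trips, whether still err-disabled, last change time."""
    ports = defaultdict(lambda: {"bpduguard_hits": 0, "err_disabled": False,
                                 "causes": set(), "last_change": None})
    for ts, kind, port, extra in parse_events(text):
        p = ports[port]
        if kind == "bpdu_blocked":
            p["bpduguard_hits"] += 1
        elif kind == "err_disable":
            p["err_disabled"] = True
            p["causes"].add(extra)
        elif kind == "link" and extra == "up":
            p["err_disabled"] = False   # port came back (shut/no shut or errdisable recovery)
        p["last_change"] = ts
    return dict(ports)


def alerts(text: str, repeat_threshold: int = 2) -> list:
    """Ports worth a ticket: anything err-disabled by bpduguard, plus ports that keep
    tripping the guard, which points at a bridging device on an access port."""
    out = []
    for port, p in summarize(text).items():
        if "bpduguard" in p["causes"]:
            state = "still err-disabled" if p["err_disabled"] else "recovered"
            out.append(f"{port}: bpduguard err-disable x{p['bpduguard_hits']}, {state}, last change {p['last_change']}")
        if p["bpduguard_hits"] >= repeat_threshold:
            out.append(f"{port}: repeated BPDU guard trips ({p['bpduguard_hits']}), check what is attached")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

The LINEPROTO line is deliberately ignored: the PM-4-ERR_DISABLE message already carries the cause, and the LINK up line is the cleanest signal that someone cleared the port.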



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART