[c-nsp] bpduguard and trunks?

Geert Nijs geert.nijs at gmail.com
Fri Dec 4 15:18:21 EST 2009


Lincoln,

Just to be clear:

> all 'edge' ports should be running with BPDU guard enabled.  'edge ports'
> (those facing hosts) should NEVER send BPDUs out.  BPDU guard is there to
> detect if they do - and if they do, it's a sign that they have caused a
> loop in the network.

ports with BPDU guard configured still send out BPDUs, but they will *not*
allow incoming BPDUs.
if you also want to stop sending out BPDUs (not recommended), you configure
the port additionally with BPDU filter

regards,
Geert


2009/12/4 Lincoln Dale <ltd at cisco.com>

> On 04/12/2009, at 1:29 AM, Howard Jones wrote:
>
> > I've just run into an odd problem, and was wondering if anyone else
> > could clarify this for me.
> >
> > [c1]---[Sw1]----------[Sw2]---[c2]
> >
> > c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk
> > between them. c1 has a trunk to Sw1. One of the vlans in that trunk is
> > passed along the sw1-sw2 trunk to c2.
> >
> > The port facing c1 has bpduguard enabled. Halfway through adding vlans,
> > Sw2 complains about inconsistent BPDUs, and the root bridge mac address
> > is that of c1. It shuts down the trunk port, which is kind of annoying.
>
> sounds like C1 did something silly.
>
>
> > Does bpduguard only affect access ports and not trunks? That's the only
> > explanation I can see for what is going on. The manual doesn't exactly
> > say either way: "At the interface level, you enable BPDU guard on any
> > interface by using the spanning-tree bpduguard enable interface
> > configuration command without also enabling the Port Fast feature.". Sw1
> > also has 'no spanning-tree vlan 1-4090' - will that help or hinder, here?
>
> disabling spanning-tree?  that doesn't sound like a very smart move.
>
>
> > I think the real answer is to stop using switches to ship stuff between
> > sites like this, but that is a battle for another day.
>
> nothing wrong with using L2.
>
>
> i think the issue here may relate to your knowledge of switching - and what
> spanning-tree is there for, and what it's meant to do.
> it's there to prevent loops.
>
> make use of it.
>
> all 'edge' ports should be running with BPDU guard enabled.  'edge ports'
> (those facing hosts) should NEVER send BPDUs out.  BPDU guard is there to
> detect if they do - and if they do, it's a sign that they have caused a loop
> in the network.
>
>
> cheers,
>
> lincoln.


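Added example, not part of the original thread or any poster's code: a small Python check over a switch running-config that flags the three settings discussed above (spanning tree disabled per VLAN, BPDU filter on a port, host-facing ports without interface-level BPDU guard). The sample config, port numbers and the `uplinks` parameter are constructed assumptions, and only interface-level commands are checked.

```python
import re

# Constructed sample config (not from the thread); port numbers are assumptions.
SAMPLE_CONFIG = """\
no spanning-tree vlan 1-4090
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def audit_stp(config, uplinks=()):
    """Return (scope, finding) pairs; `uplinks` names the switch-to-switch ports."""
    findings, blocks, current = [], {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:                                   # start of an interface block
            current = m.group(1)
            blocks[current] = []
        elif raw.startswith(" ") and current:   # indented line inside the block
            blocks[current].append(raw.strip())
        else:                                   # global line ends any block
            current = None
            if raw.startswith("no spanning-tree vlan "):
                findings.append(("global", "spanning tree disabled: " + raw.strip()))
    for name, lines in blocks.items():
        if name in uplinks:
            continue                            # inter-switch links must exchange BPDUs
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, "bpdufilter set: port no longer sends BPDUs"))
        if "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "host-facing port without bpduguard"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_stp(SAMPLE_CONFIG, uplinks=("GigabitEthernet1/0/24",)):
        print(f"{scope}: {finding}")
```

Ports listed in `uplinks` are skipped, so the trunk toward the other switch is not reported for lacking BPDU guard.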