[c-nsp] Switch port with BPDU guard

Brett Frankenberger rbf+cisco-nsp at panix.com
Mon Jan 30 11:31:58 EST 2006


On Mon, Jan 30, 2006 at 12:10:49PM +0100, Vincent De Keyzer wrote:
> Hello,
> 
> I am trying to connect a switch of us to the IX switch, and things are not
> working.
> 
> My config is:
> 
> interface FastEthernet0/18
>  load-interval 30
>  switchport access vlan 880
>  spanning-tree bpdufilter enable
>  no cdp enable
> 
> 
> When I do a "sh spanning-tree vlan 880", I get
> Spanning tree 880 is not currently active
> 
> Jan 30 09:50:11: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port
> GigabitEthernet2/5 with BPDU Guard enabled. Disabling port.

"spanning-tree bpdufilter enable" would stop the switch from sending
BPDUs out that port.  However, you have spanning-tree disabled on the
VLAN anyway, so the switch isn't generating any BPDUs, so the
"bpdufilter" configuration is meaningless.

When the switch is not running spanning-tree on a VLAN, it becomes
transparent to spanning-tree BPDUs -- any BPDUs received will be
forwarded just like any other packet would be.  (And bpdufilter will
have no effect on that -- bpdufilter only prevents the transmission of
bpdus originated by the switch.)

What is probably happening here is that the switch is receiving a BPDU
on another port, and then forwarding it out Fa0/18.

One thing you could do is enable spanning-tree on the VLAN, then
configure portfast and bpdufilter on every port in that VLAN.

Other possible options, which I've never tried, but which should work
unless there's magic happening in the switch with respect to the
spanning-tree MAC address:

MAC address ACLs, if you're on a platform that allows such.  (Wire a
filter to discard packets to the BPDU MAC Address.)

Putting a static entry in the mac-address table to point the BPDU MAC
address to discard.

(The MAC Address to which standard BPDUs are sent is: 0180C2000000.)

     -- Brett
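Brett's diagnosis (the switch is transparent to BPDUs on a VLAN where spanning tree is off, so a BPDU leaving Fa0/18 was originated elsewhere) can be checked on the wire: the Bridge ID inside a configuration BPDU names the switch that generated it, so any BPDU seen on the IX-facing link whose Bridge ID is not this switch's own was forwarded through it. The decoder below is an added example, not code from this thread or from Cisco. It is plain Python over constructed frames; every MAC address, bridge ID and frame in it is invented test data, and it handles only IEEE 802.1D/802.1w BPDUs sent to 01:80:C2:00:00:00 (Cisco PVST+ BPDUs use a different destination MAC and SNAP encapsulation and are deliberately not decoded).

```python
"""Decode IEEE 802.1D/802.1w BPDUs from raw Ethernet frames and tell local from
forwarded ones.  Added example: not from the cisco-nsp thread; all frames are
constructed in this file, no capture is read."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:C2:00:00:00, the BPDU destination MAC
LLC_STP_SAP = 0x42                               # DSAP/SSAP used for IEEE STP
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rstp"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _bridge_id(b):
    # 2-byte priority (802.1t puts a system-ID extension in the low 12 bits) + 6-byte bridge MAC
    return f"{struct.unpack('!H', b[:2])[0]}/{_mac(b[2:8])}"


def decode_bpdu(frame):
    """Return a dict describing the BPDU carried in `frame`, or None if it is not an IEEE BPDU."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    ethtype_or_len = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethtype_or_len == 0x8100:                  # 802.1Q tagged: skip the tag, remember the VLAN
        if len(frame) < 18:
            return None
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethtype_or_len = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    # IEEE BPDUs are 802.3 length-encoded frames with an LLC header of 42 42 03.
    # (Cisco PVST+ uses 0100.0ccc.cccd with a SNAP header and is not handled here.)
    if dst != STP_MULTICAST or ethtype_or_len > 1500 or len(frame) < offset + 7:
        return None
    if frame[offset] != LLC_STP_SAP or frame[offset + 1] != LLC_STP_SAP:
        return None
    body = frame[offset + 3:]
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        return None
    info = {"src": _mac(src), "vlan": vlan, "version": version,
            "type": BPDU_TYPES.get(btype, f"0x{btype:02x}")}
    if btype in (0x00, 0x02) and len(body) >= 35:   # config/RSTP BPDUs carry root and bridge IDs
        _flags, root, cost, bridge, port_id = struct.unpack("!B8sI8sH", body[4:27])
        info.update(root_id=_bridge_id(root), root_path_cost=cost,
                    bridge_id=_bridge_id(bridge), port_id=port_id)
    return info


def foreign_bpdu_bridges(frames, local_bridge_mac):
    """Bridge MACs of BPDUs whose Bridge ID is not this switch's own.

    With spanning tree disabled on the VLAN the switch originates nothing, so every BPDU
    seen leaving a port was received on another port and forwarded transparently."""
    local = local_bridge_mac.lower()
    seen = set()
    for frame in frames:
        info = decode_bpdu(frame)
        if info and "bridge_id" in info:
            mac = info["bridge_id"].split("/")[1]
            if mac != local:
                seen.add(mac)
    return sorted(seen)


def build_config_bpdu(src_mac, bridge_mac, root_mac=None, priority=32768,
                      root_cost=0, port_id=0x8001, vlan=None):
    """Build a minimal 802.1D configuration BPDU (constructed test data, not a capture)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))
    body = struct.pack("!HBBB", 0, 0, 0x00, 0)                    # proto 0, version 0, config, flags 0
    body += struct.pack("!H", priority) + mac(root_mac or bridge_mac)
    body += struct.pack("!I", root_cost)
    body += struct.pack("!H", priority) + mac(bridge_mac)
    body += struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)  # msg age, max age, hello, fwd delay
    payload = bytes([LLC_STP_SAP, LLC_STP_SAP, 0x03]) + body
    hdr = STP_MULTICAST + mac(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", len(payload)) + payload


# Constructed sample: all MAC addresses are invented.  LOCAL_BRIDGE is the bridge MAC of
# the switch under discussion; the other two are upstream switches whose BPDUs leak through.
LOCAL_BRIDGE = "00:0a:b8:11:22:33"
SAMPLE_FRAMES = [
    build_config_bpdu("00:1b:54:aa:bb:01", "00:1b:54:aa:bb:cc", root_cost=4),
    build_config_bpdu("00:1b:54:dd:ee:01", "00:1b:54:dd:ee:ff", root_mac="00:1b:54:aa:bb:cc",
                      root_cost=8, vlan=880),
    build_config_bpdu("00:0a:b8:11:22:01", LOCAL_BRIDGE),              # the switch's own BPDU
    b"\xff" * 6 + bytes.fromhex("000ab8112201") + b"\x08\x06" + b"\x00" * 28,  # an ARP frame, ignored
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(decode_bpdu(f))
    print("BPDUs from other bridges:", foreign_bpdu_bridges(SAMPLE_FRAMES, LOCAL_BRIDGE))
```

To use it against a real link, feed it frames captured on the IX-facing port (or a SPAN of it) with a filter such as `tcpdump -i <if> ether dst 01:80:c2:00:00:00`; any Bridge ID that is not the local switch's base MAC confirms the forwarding path Brett describes, and the source MAC and Bridge ID together identify which upstream switch the BPDU came from.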







