[c-nsp] Switch port with BPDU guard

Jyotirmay Samanta jyotirmay.samanta at gmail.com
Tue Jan 31 14:59:24 EST 2006


Superb analysis, Brett Frankenberger!!! I like it!!!!

Regards,
Jyotirmay.


On 1/30/06, Brett Frankenberger <rbf+cisco-nsp at panix.com> wrote:
>
> On Mon, Jan 30, 2006 at 12:10:49PM +0100, Vincent De Keyzer wrote:
> > Hello,
> >
> > I am trying to connect a switch of ours to the IX switch, and things are
> > not working.
> >
> > My config is:
> >
> > interface FastEthernet0/18
> >  load-interval 30
> >  switchport access vlan 880
> >  spanning-tree bpdufilter enable
> >  no cdp enable
> >
> >
> > When I do a "sh spanning-tree vlan 880", I get
> > Spanning tree 880 is not currently active
> >
> > Jan 30 09:50:11: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port
> > GigabitEthernet2/5 with BPDU Guard enabled. Disabling port.
>
> "spanning-tree bpdufilter enable" would stop the switch from sending
> BPDUs out that port.  However, you have spanning-tree disabled on the
> VLAN anyway, so the switch isn't generating any BPDUs, so the
> "bpdufilter" configuration is meaningless.
>
> When the switch is not running spanning-tree on a VLAN, it becomes
> transparent to spanning-tree BPDUs -- any BPDUs received will be
> forwarded just like any other packet would be.  (And bpdufilter will
> have no effect on that -- bpdufilter only prevents the transmission of
> bpdus originated by the switch.)
>
> What is probably happening here is that the switch is receiving a BPDU
> on another port, and then forwarding it out Fa0/18.
>
> One thing you could do is enable spanning-tree on the VLAN, then
> configure portfast and bpdufilter on every port in that VLAN.
>
> Other possible options, which I've never tried, but which should work
> unless there's magic happening in the switch with respect to the
> spanning-tree MAC address:
>
> MAC address ACLs, if you're on a platform that allows such.  (Wire a
> filter to discard packets to the BPDU MAC Address.)
>
> Putting a static entry in the mac-address table to point the BPDU MAC
> address to discard.
>
> (The MAC Address to which standard BPDUs are sent is: 0180C2000000.)
>
>     -- Brett
>
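
Added example, not part of the original thread: a Python sketch that recognizes standard BPDUs in raw Ethernet frames by the destination MAC quoted above and reports the sending and root bridge IDs, which helps trace which upstream bridge is the source of BPDUs a transparent VLAN is forwarding. The function names and the sample frame are constructed for illustration; the field layout assumed is the IEEE 802.1D configuration BPDU carried over 802.3/LLC.

```python
import struct

BPDU_DST = bytes.fromhex("0180C2000000")   # address given in the post
LLC_STP = b"\x42\x42\x03"                  # DSAP/SSAP 0x42, UI control (IEEE 802.1D)
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst/mst"}

def fmt_bridge_id(raw):
    """8-byte bridge ID -> 'priority/aa:bb:cc:dd:ee:ff'."""
    prio = struct.unpack("!H", raw[:2])[0]
    return f"{prio}/" + ":".join(f"{b:02x}" for b in raw[2:8])

def parse_bpdu(frame):
    """Return a dict describing the BPDU in a raw Ethernet frame, or None."""
    if len(frame) < 14 or frame[:6] != BPDU_DST:
        return None
    off = 12
    if frame[off:off + 2] == b"\x81\x00":   # skip an 802.1Q tag if present
        off += 4
    if len(frame) < off + 2 + 3 + 4:         # length + LLC + BPDU header
        return None
    length = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if length > 1500 or frame[off:off + 3] != LLC_STP:
        return None                          # not 802.3 + STP LLC
    body = frame[off + 3:]
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        return None
    info = {"src": ":".join(f"{b:02x}" for b in frame[6:12]),
            "version": version, "type": BPDU_TYPES.get(btype, hex(btype))}
    if btype != 0x80 and len(body) >= 35:    # config/RST BPDUs carry bridge IDs
        info["root"] = fmt_bridge_id(body[5:13])
        info["bridge"] = fmt_bridge_id(body[17:25])
        info["port_id"] = struct.unpack("!H", body[25:27])[0]
    return info

def build_sample_bpdu():
    """Constructed sample: config BPDU sent by bridge 32768/00:11:22:33:44:55."""
    root = struct.pack("!H", 4096) + bytes.fromhex("00aabbccddee")
    bridge = struct.pack("!H", 32768) + bytes.fromhex("001122334455")
    body = (struct.pack("!HBBB", 0, 0, 0x00, 0) + root + struct.pack("!I", 19)
            + bridge + struct.pack("!HHHHH", 0x8005, 256, 5120, 512, 3840))
    payload = LLC_STP + body
    return (BPDU_DST + bytes.fromhex("001122334455")
            + struct.pack("!H", len(payload)) + payload)
```

Frames for which parse_bpdu returns a result are the ones that would trip BPDU guard on the receiving port; the "bridge" field identifies the device that originated them.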

