[c-nsp] bpduguard and trunks?

Lincoln Dale ltd at cisco.com
Thu Dec 3 22:43:42 EST 2009


On 04/12/2009, at 1:29 AM, Howard Jones wrote:

> I've just run into an odd problem, and was wondering if anyone else
> could clarify this for me.
> 
> [c1]---[Sw1]----------[Sw2]---[c2]
> 
> c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk
> between them. c1 has a trunk to Sw1. One of the vlans in that trunk is
> passed along the sw1-sw2 trunk to c2.
> 
> The port facing c1 has bpduguard enabled. Halfway through adding vlans,
> Sw2 complains about inconsistent BPDUs, and the root bridge mac address
> is that of c1. It shuts down the trunk port, which is kind of annoying.

sounds like C1 did something silly.


> Does bpduguard only affect access ports and not trunks? That's the only
> explanation I can see for what is going on. The manual doesn't exactly
> say either way: "At the interface level, you enable BPDU guard on any
> interface by using the spanning-tree bpduguard enable interface
> configuration command without also enabling the Port Fast feature.". Sw1
> also has 'no spanning-tree vlan 1-4090' - will that help or hinder, here?

disabling spanning-tree?  that doesn't sound like a very smart move.


> I think the real answer is to stop using switches to ship stuff between
> sites like this, but that is a battle for another day.

nothing wrong with using L2.


i think the issue here may relate to your knowledge of switching - and what spanning-tree is there for, and what it's meant to do.
it's there to prevent loops.

make use of it.

all 'edge' ports should be running with BPDU guard enabled.  'edge ports' (those facing hosts) should NEVER send BPDUs out.  BPDU guard is there to detect if they do - and if they do, it's a sign that they have caused a loop in the network.


cheers,

lincoln.
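
An added example, not part of the original post and not Cisco tooling: a Python audit of a saved running-config for the two points raised above, edge ports without BPDU guard and spanning tree disabled with `no spanning-tree vlan`. The sample config is constructed, and the `uplinks` parameter (ports facing other switches; every other port is treated as an edge port, trunk or not) is an assumption of this example.

```python
import re

# Constructed sample, not from the post: 1/0/1 = trunk to a client device,
# 1/0/2 = host port, 1/0/24 = inter-switch trunk.
SAMPLE = """\
no spanning-tree vlan 1-4090
interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse(config):
    """Split a config into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line.strip() not in ("", "!"):
                global_lines.append(line.strip())
    return global_lines, interfaces

def audit(config, uplinks):
    """Return sorted (scope, finding) pairs; ports not in `uplinks` count as edge."""
    global_lines, interfaces = parse(config)
    findings = [("global", "spanning tree disabled for vlan " + m.group(1))
                for m in (re.fullmatch(r"no spanning-tree vlan (\S+)", g) for g in global_lines) if m]
    global_guard = "spanning-tree portfast bpduguard default" in global_lines  # covers Port Fast ports only
    for name, cmds in interfaces.items():
        portfast = any(c.startswith("spanning-tree portfast") and not c.endswith("disable") for c in cmds)
        guarded = "spanning-tree bpduguard enable" in cmds or (
            global_guard and portfast and "spanning-tree bpduguard disable" not in cmds)
        if name not in uplinks and not guarded:
            findings.append((name, "edge port without BPDU guard"))
    return sorted(findings)

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE, uplinks={"GigabitEthernet1/0/24"}):
        print(f"{scope}: {finding}")
```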


