BPDU Guard in Virtual Switches

Hi,
    where can I find information about BPDU guard handling in Oracle's virtual switches?
I have a T5-2 server with Solaris 11.1 and OVM 3.1.1.
Thanks in advance for your comments.
Regards,
Juan.

Hi Luigi,
“Network connections ethernet properties panel disappear”
Do you mean the properties of the physical NIC cannot be opened, or there is nothing in it, or something else? The screenshot does not seem to make it clear.
I have checked my own machine. I can open the properties of both the physical NIC and the virtual NIC (the virtual NIC on a bridge network adapter).
Will the network work correctly on both the virtual machine and the host machine? Have you tried to restart the machine and then check?
We can run “ncpa.cpl” to get the network connections interface quickly.
Best regards  

Similar Messages

  • BPDU Guard

    Ok, it's been a while since this was discussed, so I wanted to throw out another question about BPDU Guard...
    As is taught in CCNA Security, BPDU Guard is NOT enabled by default.
    If command:
    spanning-tree portfast
    is issued, BPDU Guard is NOT configured automatically, correct?
    Now, I'm confused on the per interface and global config commands.
    If I issue
    spanning-tree bpduguard enable
    from global config, it will be turned on with all ports running portfast that are NOT trunked, correct?
    Final question, what does:
    spanning-tree portfast bpduguard default
    accomplish? Is this a valid command statement? Because if that command is issued, if I do a sho run on a particular interface, and if that command actually turns on bpduguard, shouldn't I see "spanning-tree bpduguard enable"?
    Thanks!

    Question about this topic: why does Cisco LMS 4.0 Best Practice recommend using both BPDUfilter?
    LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port. BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state. Impact: Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BPDUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.
    LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports. Impact: BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BPDUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast-enabled port is also disabled.

  • BPDU guard on Nexus 2k

    Is there a way by which BPDU guard can be disabled on N2K?
    Does N2K support normal trunking with downstream switch?
    All the documentation that I have gone through mentions that you cannot disable BPDUguard on fex ports, it is enabled by default.
    FEX will not allow you to connect a switch to it with trunking enabled.
    We have a requirement where they want to connect switch to N2K.
    What is the best practice while connecting a switch to N2K?

    Is there a way by which BPDU guard can be disabled on N2K?
    BPDU, on all the Nexus parent switches (5K, 7K) are PERMANENTLY enabled.  No one will be able to disable BPDU Guard on the Nexus.
    If you want to connect another non-Nexus switch to a 2K, you will need to disable STP on that switchport.

  • How to configure PortFast & BPDU Guard on an Aruba controller.

    Requirement:
    An Aruba controller running 6.4.3.x and above.
    Solution:
    PortFast:
    PortFast feature basically causes a switch port or a trunk port to directly enter the forwarding state instead of going through listening and learning state of the STP.
    PortFast is usually configured on an edge port, which means this port should not receive any STP BPDUs.
    If this port receives any STP BPDU, this port moves back to normal/regular mode and will end up participating in listening and learning states.
    BPDU Guard:
    The BPDU Guard feature basically guards the port against receiving any BPDUs.
    If it detects any incoming BPDUs on the port, it would put the port into ErrDis (Error-Disable).
    This port remains in the ErrDis state until it is manually changed by using a configuration command “shut” followed by a “no-shut” applied on this interface.
    Configuration:
    The screenshot below shows the configuration of PortFast for both Trunk and Access ports.
    The screenshot below shows the configuration of BPDU Guard for switch ports.
    Verification
    We can verify whether PortFast is enabled using the commands shown in the screenshot below.
    We can verify whether BPDU Guard is enabled using the commands shown in the screenshot below.

    I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed.
    I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.
    I also found there is a difference in using the CN= and OU=. Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Organizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.
    For the Windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and iPhone did not need any additional add-ins for the authentication.
    The Windows laptop I am using I needed to manually create a wireless profile with…
    Security Tab > “Choose a network authentication method:” Microsoft: Protected EAP (PEAP)
    Settings > Select “Trusted Root Certification Authorities”: GeoTrust Global CA
    Select Authentication Method: EAP-Token (This is the Aruba GTC Shim)
    This allowed me to use my domain login credentials:
    Username
    Password
    Domain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

  • BPDU Guard without ERR-Disable

    Hi Everyone, 
    I recently had an instance in one of my networks where a user plugged in a home router to our network. The router then started handing out incorrect IP addresses to clients. 
    I know I can use DHCP Snooping or BPDU guard to stop this happening again and we do have BPDU Guard running at other sites successfully. The problem has always been if we enable it in a new production network we might disable ports that have legitimate devices on the other end. For example someone is using a small switch to share a port between a PC and a printer.
    Is there a way of turning on BPDU guard but without it putting ports into an Err-Disabled mode and just alerting in the logs instead?
    Regards, Daniel

    Hi Leo, 
    Thanks for your input in the discussion. However I think you are misunderstanding why I am asking this question.
    I WANT to enable BPDU guard on this network, I know it's not a PIA and I am well aware of what it does and why it would be implemented.
    The reason I am asking this question is because I need to transition from a network that doesn't have BPDU guard enabled to one that does. If I turn the feature on it will start disabling ports on switches and stop people's workflow until it is resolved. The reason people have unidentified switches plugged into the network might be legitimate, but the way they got around their problem wasn't the best.
    My goal is to find out where these rogue switches are and find out why they are there, then find an alternative way to connect these devices to the network by either purchasing new switches or running more cabling. This network does not have any onsite IT and therefore all this needs to be figured out remotely.
    So the crux of the problem is: how to find STP devices that are plugged into my switches.
    Thoughts?

  • Disabling LACP BPDU Forwarding on brocade switch

    Hi,
    I'm having an issue with ports belonging to a Solaris 11 aggregated link becoming saturated.  The LACP link saturation causes our brocade switch to flood all vlan ports with unwanted traffic.  According to the brocade documentation this is normal behavior.
    From: Deploying a LAG
    "When LACP forwarding is enabled, the link OAM packets received on the LACP forwarding enabled interface will be processed and flooded on the VLAN. If the LACP forwarding is not enabled, the link OAM packets will be processed and then dropped."
    Can LACP BPDU Forwarding on a brocade switch be safely disabled when used with a Solaris 11 host?
    If so, what is the expected behavior when a Solaris 11 host saturates a link in an LACP group?  Will it start utilizing the next available link?
    Any info will be greatly appreciated.
    Thanks,
    Rick

    I never enable bpdu guard on AP switchports. Primarily because our business relies heavily on APs and I don't want something accidentally connecting to it that could start sending bpdus in some way. That being said, is there another AP that's in bridge mode or is this AP in bridge that could be receiving a bpdu from the other switchport? That's the only thing off the top of my head that could cause this.
    Yes, I also avoid putting bpdu guard on trunks unless I know it's a port for a host and a phone.
    HTH,
    John

  • Assistance Disabling BPDU Guard: Catalyst 3560 CG

    Good Morning Guys,
    Here's the situation:
    Configuring  cisco wireless bridges -  every time I get both devices up in my wireless controller, the port my root bridge is connected to on the catalyst 3560 CG switch gets disabled with the following error:
    "SPANTREE - 2- BLOCK_BPDUGUARD: Received BPDU on port,  *** with BPDU Guard enabled, disabling port."
    I've done some research on BPDU Guard and I've tried applying the following commands to no avail:
    1. errdisable detect cause bpdguard shutdown vlan    (global and config mode)
    2. spanning-tree bpduguard disable           (configuration mode at the interface)
    any assistance to prevent the port from shutting down would be greatly appreciated.
    Christian

    You should double check the interface configs on both. It is shutting the port down because it is receiving BPDUs. This could be because your switch port is configured for access but the WLC is configured as trunk...

  • BPDU guard - weird situation

    Hi guys,
    This morning an unpleasant surprise happened to me. One of the critical ports was err-disabled because of BPDU guard (device B). This wouldn't be a surprise if this port (on Device B) wasn't configured as an L3 port (I agree that BPDU filter shouldn't be enabled at all here, this is legacy config), and the other end has BPDU filter enabled (Device A). Here is the port config:
    Device A:
    interface GigabitEthernet4/0/24
     switchport access vlan 10
     switchport trunk encapsulation dot1q
     switchport mode access
     switchport nonegotiate
     logging event trunk-status
     spanning-tree bpdufilter enable
    Device B:
    interface GigabitEthernet2/45
     no switchport
     ip address 10.0.0.1 255.255.252.0
     ip helper-address 172.16.249.5
     logging event link-status
     logging event trunk-status
     spanning-tree portfast
     spanning-tree bpduguard enable
    Log from Device B indicating that it was err-disabled:
    Apr 20 20:08:52.336 CETS: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi2/45 with BPDU Guard enabled. Disabling port.
    Apr 20 20:08:52.336 CETS: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/45, putting Gi2/45 in err-disable state
    Log from Device A indicating that a BPDU was never sent from this port:
    DeviceA#show spanning-tree vlan 10 detail
     Port 186 (GigabitEthernet4/0/24) of VLAN0010 is designated forwarding
       Port path cost 4, Port priority 128, Port Identifier 128.186.
       Designated root has priority 28740, address 001a.6da4.f000
       Designated bridge has priority 28740, address 001a.6da4.f000
       Designated port id is 128.186, designated path cost 0
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is point-to-point by default
       Bpdu filter is enabled
       BPDU: sent 0, received 0
    Has anyone ever had a similar experience? By all logical explanations, this should never happen.
    Thanks

    On the other hand, most SOHO switches do not implement Spanning Tree. If you are concerned about users installing switches, you need to take other precautions as well.
    You can stop the users using a switch to fan out a port, by configuring port security and only allowing one MAC address on the port.
    The BPDU guard will give you some protection against certain malicious user practices, even if the rogue switch does not do Spanning Tree. For example, the user who plugs in a SOHO switch, and then plugs two other ports of that SOHO switch back-to-back with a cross-cable. In this case, your Catalyst will see its own BPDUs circulating round the loop, and will close the port down. (If the SOHO switch is not doing Spanning Tree, then it will pass the BPDUs through transparently.) This is why you should not have bpdu-guard and bpdu-filter on the same port.
    Kevin Dorrell
    Luxembourg
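
The two configuration checks raised in the posts above (PortFast without BPDU Guard, as in the LMS best-practice text, and BPDU Guard combined with BPDU Filter on one port), as an added example that is not part of any poster's reply or of Cisco's tooling. The sample configuration is constructed, and the function and finding names are hypothetical.

```python
import re

# Constructed sample running-config for illustration only; the interface
# names are made up, the commands are the ones quoted in the threads above.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/5
 switchport mode trunk
"""


def parse_config(text):
    """Split a config into (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)  # indented: belongs to interface
        else:
            current = None                    # back at global level
            global_lines.append(line)
    return global_lines, interfaces


def explicit_setting(lines, feature):
    """True/False for an explicit per-port enable/disable, None if not set."""
    for line in lines:
        m = re.fullmatch(rf"spanning-tree {feature} (enable|disable)", line)
        if m:
            return m.group(1) == "enable"
    return None


def audit(text):
    """Return (interface, finding) tuples for the two checks described above."""
    global_lines, interfaces = parse_config(text)
    # Global defaults only apply to PortFast-enabled ports.
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    filter_default = "spanning-tree portfast bpdufilter default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        portfast = any(
            re.fullmatch(r"spanning-tree portfast( trunk)?", l) for l in lines
        )
        guard = explicit_setting(lines, "bpduguard")
        if guard is None:  # no per-port statement: inherit the global default
            guard = portfast and guard_default
        bfilter = explicit_setting(lines, "bpdufilter")
        if bfilter is None:
            bfilter = portfast and filter_default
        if portfast and not guard:
            findings.append((name, "portfast-without-bpduguard"))
        if guard and bfilter:
            findings.append((name, "bpduguard-with-bpdufilter"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(f"{port}: {finding}")
```

A per-interface `enable` or `disable` statement takes precedence over the global default in this model, which is why a port can be flagged even when `spanning-tree portfast bpduguard default` is present.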

  • Spanning Tree PortFast BPDU Guard Enhancement

    Will this solve our problems interconnecting 2 ports configured in 2 different vlans?
    TIA

    Hi Windell,
    STP portfast BPDU guard is the feature which is specifically designed for the ports running stp portfast on them so that a temporary introduction of a switch with lower bridge ID should not disrupt the network topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state.
    Please see the link:
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
    I did not get your question. Can you elaborate more on this?
    regards,
    -amit singh

  • Bpdu guard status still reflected disabled after configuration

    Hi,
    Has anyone encountered after configuring
    (config#)spanning-tree portfast bpduguard default
    bpdu guard status still reflected disabled after configuration using
    #sh spanning-tree summary totals
    Thanks.
    Christina

    BPDU Guard takes effect only on portfast ports. You can therefore think of BPDU guard the same as portfast BPDU guard when a port is a portfast port.
    PortFast BPDU guard can prevent loops by moving a nontrunking port into the errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations, because the administrator must manually put the interface back in service.
    When enabled on the switch, spanning tree applies the PortFast BPDU guard
    feature to all PortFast-configured interfaces.
    Portfast BPDU guard can be enabled or disabled on a global basis, thus
    affecting all ports with portfast configured.
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

  • Server loses internet connection after creating virtual switch in hyper-v

    On a fresh Server 2012R2 Essentials install, I set up Hyper-V and created an external virtual switch. Connection to the VM is good but Health Report now shows loss of internet connectivity and that the router is incorrectly set up.
    However, I still have a working internet connection? I worry that the server may not update or allow Anywhere Access at some time. Any suggestions? Thanks

    If the Hyper-V virtual switch behaves strangely and the server is destined for testing, then it's correct and I recommend deleting this virtual switch and creating it again.
    Here are some issues with internet connection and the Hyper-V switch; none of them matches your problem, but they can be inspiring for troubleshooting:
    Windows 8 Hyper-V - how to give VM internet access?
    Hyper-V kills internet connection when bridging
    Configuring Hyper-V for multiple subnets with only one NIC (Server 2008 R2 Edition)
    How does basic networking work in Hyper-V?
    Best Regards,
    thennet

  • How to route traffic across subnets when one NIC is a hyper-V virtual switch?

    Having a bit of a problem with a hyper-V environment which does not seem to route network traffic on two different subnets between each other.
    If it were a purely physical server with two NICs and a gateway set traffic would automatically be forwarded between the two different subnets.
    However, when one of those NICs is a Hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets?
    Situation is:
    Hyper-V server with two NICs
    NIC 1 = 192.168.0/24 - main Internal company network.
    NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
    Virtualized Domain Controller.
    One or two virtualized NICs as necessary
    How then does traffic get routed between these two subnets?  If RRAS has to be configured to do this where is the best place to do it, on the hyper-V host or on the virtualized domain controller?
    Thanks,

    Hi,
    You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
    After you enable RRAS in the Hyper-V host there will be two gateways for different subnets.
    "NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router"
    The problem is here, if these VMs need to access the internet.
    So, these VMs cannot configure their gateway to be the same as the IP of the internal virtual switch; you may set the VM's gateway as the ADSL internet router's IP and meanwhile add a static route entry for every VM.
    Please refer to the Syntax :
    route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
    Hope this helps
    Best Regards
    Elton Ji

  • "Server either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" error driving me nuts!

    OK; have been trying to setup a test VM based RDS deployment for a few days now with no luck.
    this error mentioned above:
    "Server <server name> either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned" error is driving me nuts!
    I have removed and re-added the RD Virtualization Host role numerous times, each time having the "create a virtual switch" checkbox selected, but it did NOT create any virtual switch.
    I created the external virtual switch manually and tried to create the desktop collection again, no luck with the same error.
    a few questions:
    1. you don't assign IP to a switch! you assign IP to Network Interfaces. why does the error put it like this?! it is technically wrong. (yeah yeah I know all about how you'd assign IP to managed switches in real world to telnet into them and manage them. you know better than me that it is not the case here!)
    2. the RDS Virtualization hosts are using their wifi card as the card for the virtual switch. could that be the reason? I even disabled their unplugged wired NIC just to make sure that the wifi is the only available option for the RDS wizard to use for the virtual switch creation; but it didn't use it and it didn't create any virtual switch automatically.
    3. if the WIFI nic is indeed the reason, is it your suspicion or is there an official document somewhere stating so (that the WIFI NICs on Virtualization hosts are not supported as the hub for a virtual switch).
    4. what are the properties of the virtual switch the RDS requires? does it have to be external? why can't it work even with my manually created external switch?
    5.how would I fix it?
    P.S: the environment is made up of 2 laptops, having windows 2012 R2 trial installed on them, using their wifi to connect to the out world. no cable is plugged into their wired NIC card.

    Hi,
    Thank you for posting in Windows Server Forum.
    The simplest short term solution was to connect each computer to a small switch that had no other connectivity. This brought up the link light on the external NIC and allowed the creation of the collection to complete. You need to use an external switch. You can create one external switch which might fix the problem.
    Please check the article below for information.
    VDI Deployment Error About Virtual Switch
    In addition, please refer to this article for information regarding virtual switch.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • How to get the maximum bandwidth/MaxSpeed/Capacity of a Hyper-V virtual-switch?

    We are trying to monitor a Hyper-V environment (Windows 2008 R2 and Windows 2012) using WMI, and have a very specific question about the Hyper-V virtual-switch.
    We have referred the below mentioned classes and their properties.
    1. Win32_NetworkAdapter (namespace:root\cimv2, property:Speed)
    2. Msvm_InternalEthernetPort (namespace:Root\virtualization\v2, property: Speed and Maxspeed)
    3. Msvm_EthernetSwitchBandwidthData (namespace:Root\virtualization\v2, property:Capacity and Reservation)
    All of the above classes and their properties return 10000000000 (10 GBps) as MaxSpeed, which is NOT correct (as we know that our network connection is of 1 GBps)
    Here is our question: How to get the maximum bandwidth/MaxSpeed/Capacity of a Hyper-V virtual-switch?

    Until MSFT makes a change to increase the max speed of the virtual switch (and the resulting virtual ports) it will be 10 Gbps.
    It has been this way since the original introduction in 2008.
    What you are looking for is the most limiting segment in the path.  The virtual switch does not assume the properties of the most limiting segment.  Since the physical side could be a team, it could be a single NIC.
    Your management layer must interpret the most limiting segment.
    If you have not already been here:
    http://blogs.msdn.com/b/tvoellm/archive/2009/04/23/monitoring-hyper-v-performance.aspx  Then take a look.
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

  • Windows 8.1 crashes after an extern virtual switch is added

    Hello, to get connected from a virtual machine in hyper v I must add an external virtual Switch.
    If I do so, after 2 or 3 minutes I get a blue Screen with the message:
    Unexpected_kernel_mode_trap.
    I have changed the driver for the network card from the Intel driver (Intel Pro network card) to the Microsoft driver for this network card.
    I have made 3 trials with different drivers for the network card.
    But always after some minutes I get the blue screen with the message: Unexpected_kernel_mode_trap.
    In any case I have to restore the system from a backup, because it is damaged.
    Thank you for any help.
    Rowe10

    Hi,
    According to your description, it seems to be hyper v issue. So I suggest that you can post it in technet forum:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverhyperv