Bpdu guard on catalyst 2924M IOS 12.0.5-WC14

Similar Messages

• Assistance Disabling BPDU Guard: Catalyst 3560 CG

  Good Morning Guys,
  Here's the situation:
  Configuring  cisco wireless bridges -  every time I get both devices up in my wireless controller, the port my root bridge is connected to on the catalyst 3560 CG switch gets disabled with the following error:
  "SPANTREE - 2- BLOCK_BPDUGUARD: Received BPDU on port,  *** with BPDU Guard enabled, disabling port."
  I've done some research on BPDU Guard and I've tried applying the following commands to no avail:
  1. errdisable detect cause bpdguard shutdown vlan    (global and config mode)
  2. spanning-tree bpduguard disable           (configuration mode at the interface)
  any assistance to prevent the port from shutting down would be greatly appreciated.
  Christian

  You should double check the interface configs on both. It is shutting the port down because it is receiving BPDUs. This could be cause your switch port is configured for access but the WLC is configured as trunk...

• BPDU guard - weird situation

  Hi guys,
  This morning unpleasant surprise happened to me. One of critical ports was err-disabled because of BPDU guard (device B). This wouldn't be surprise if this port (on Device B) wasn't configured as L3 port (I agree that BPDU filter shouldn't be enabled at all here, this is legacy config), and other end have BPDU filter enabled (Device A). Here is port config:
  Device A:
  interface GigabitEthernet4/0/24
   switchport access vlan 10
   switchport trunk encapsulation dot1q
   switchport mode access
   switchport nonegotiate
   logging event trunk-status
   spanning-tree bpdufilter enable
  Device B:
  interface GigabitEthernet2/45
   no switchport
   ip address 10.0.0.1 255.255.252.0
   ip helper-address 172.16.249.5
   logging event link-status
   logging event trunk-status
   spanning-tree portfast
   spanning-tree bpduguard enable
  Log from Device B indicating that it was err-disabled:
  Apr 20 20:08:52.336 CETS: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi2/45 with BPDU Guard enabled. Disabling port.
  Apr 20 20:08:52.336 CETS: %PM-4-ERR_DISABLE: bpduguard error detected on Gi2/45, putting Gi2/45 in err-disable state
  Log form Device A indicating that BPDU never sent from this port:
  DeviceA#show spanning-tree vlan 10 detail
   Port 186 (GigabitEthernet4/0/24) of VLAN0010 is designated forwarding
     Port path cost 4, Port priority 128, Port Identifier 128.186.
     Designated root has priority 28740, address 001a.6da4.f000
     Designated bridge has priority 28740, address 001a.6da4.f000
     Designated port id is 128.186, designated path cost 0
     Timers: message age 0, forward delay 0, hold 0
     Number of transitions to forwarding state: 1
     Link type is point-to-point by default
     Bpdu filter is enabled
     BPDU: sent 0, received 0
  Did anyone had ever similar experience? By all logical explanations, this should never happen
  Thanks

  On the other hand, most SOHO switches do not implement Spanning Tree. If you are concerned about users installing switches, you need to take other precautions as well.
  You can stop the users using a switch to fan out a port, by configuring port security and only allowing one MAC address on the port.
  The BPDU guard will give you some protection against certain malicious user practices, even if the rogue switch does not do Spanning Tree. For example, the user who plug in a SOHO switch, and then plugs two other ports of that SOHO switch back-to-back with a cross-cable. In this case, your Catalyst will see its own BPDUs circulating round the loop, and will close the port down. (If the SOHO switch is not doing Spanning Tree, then it will pass the BPDUs through transparently.) This is why you should not have bdpu-guard and bpdu-filter on the same port.
  Kevin Dorrell
  Luxembourg

• Info needed on use of BPDU guard

  The place where I am working, we have 7606 router which is connected to various LAN segments. Sub-interfaces are defined in Ethernet ports for VLAN segments. Each LAN segment is running RSTP in rings, so BPDU packets is expected on VLAN subinterfaces of router, but spanning-tree BPDU Guard is enabled on interface(not subinterface) as shown below.
  interface GigabitEthernet1/6
   description "Towards xyz"
   mtu 9000
   no ip address
   storm-control broadcast level 0.10
   storm-control multicast level 0.10
   spanning-tree bpduguard enable
  interface GigabitEthernet1/6.852
   description "Cluster 14"
   encapsulation dot1Q 852
   ip address 172.19.129.188 255.255.255.224
   standby version 2
   standby 83 ip 172.19.129.190
   standby 83 timers msec 300 1
   standby 83 priority 110
   standby 83 preempt
  interface GigabitEthernet1/6.853
   description "Cluster 14"
   encapsulation dot1Q 853
   ip address 172.19.145.188 255.255.255.224
   standby version 2
   standby 84 ip 172.19.145.190
   standby 84 timers msec 300 1
   standby 84 priority 110
   standby 84 preempt
  interface GigabitEthernet1/6.854
   description "Cluster 14"
   encapsulation dot1Q 854
   ip address 172.19.161.188 255.255.255.224
   standby version 2
   standby 85 ip 172.19.161.190
   standby 85 timers msec 300 1
   standby 85 priority 110
   standby 85 preempt
  interface GigabitEthernet1/6.855
   description "Cluster 14"
   encapsulation dot1Q 855
   ip address 172.19.177.188 255.255.255.224
   standby version 2
   standby 86 ip 172.19.177.190
   standby 86 timers msec 300 1
   standby 86 priority 110
   standby 86 preempt
  I need to know that will there be any effect of BPDU Guard in this situation?
  Whats the point of enabling BPDU Guard here?
  Will BPDU packets received on subinterface VLAN will disable the whole interface as BPDU Guard is enabled?

  Please find spanning tree command output:
  R1#sh spanning-tree  int gi1/6
  no spanning tree info available for GigabitEthernet1/6
  R1#sh spanning-tree interface GigabitEthernet1/6.852
  no spanning tree info available for GigabitEthernet1/6.852
  R1#sh spanning-tree
  MST0
    Spanning tree enabled protocol mstp
    Root ID    Priority    4096
               Address     588d.09b5.8740
               This bridge is the root
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
    Bridge ID  Priority    4096   (priority 4096 sys-id-ext 0)
               Address     588d.09b5.8740
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Interface           Role Sts Cost      Prio.Nbr Type
  Gi1/1               Desg FWD 20000     128.1    P2p
  Gi1/2               Desg FWD 20000     128.2    P2p
  Gi1/3               Desg FWD 20000     128.3    P2p
  Gi1/4               Desg FWD 20000     128.4    P2p
  Gi1/15              Desg FWD 20000     128.15   P2p
  Gi1/16              Desg FWD 20000     128.16   P2p
  Gi2/4               Desg FWD 200000    128.260  P2p
  Te2/11              Desg FWD 2000      128.267  P2p
  I think port is not involved in STP. Now, I would like to know what will happen if BPDU packet is received on any VLAN sub-interface of this interface. Will it simply drop BPDU packet as STP not running on it or, BPDU guard will disable the port completely ??

• BPDU guard on Nexus 2k

  Is there a way by which BPDU guard can be disabled on N2K?
  Does N2K support normal trunking with downstream switch?
  All the documentation that I have gone through mentions that you cannot disable BPDUguard on fex ports, it is enabled by default.
  FEX will not allow you to connect a switch to it with trunking enabled.
  We have a requirement where they want to connect switch to N2K.
  What is the best practice while connecting a switch to N2K?

  Is there a way by which BPDU guard can be disabled on N2K?
  BPDU, on all the Nexus parent switches (5K, 7K) are PERMANENTLY enabled.  No one will be able to disable BPDU Guard on the Nexus.
  If you want to connect another non-Nexus switch to a 2K, you will need to disable STP on that switchport.

• How to configure PortFast & BPDU Guard on an Aruba controller.

  Requirement:
  An Aruba controller running 6.4.3.x and above.
  Solution:
  PortFast:
  PortFast feature basically causes a switch port or a trunk port to directly enter the forwarding state instead of going through listening and learning state of the STP.
  PortFast is usually configured on an edge port, which means this port should not receive any STP BPDUs.
  If this port receives any STP BPDU, this port moves back to normal/regular mode and will end up participating in listening and learning states.
  BPDU Guard:
  The BPDU Guard feature basically guards the port against receiving any BPDUs.
  If it detects any incoming BPDUs on the port, it would put the port into ErrDis (Error-Disable).
  This port remains in the ErrDis state unless until this port is manually changed by using a configuration command “shut” followed by a “no-shut” applied on this interface.
  Configuration:
  Below screen shot show the configuration of Portfast for both Trunk and Access ports.
  Below screen shot shows the configuration of BPDU Guard for switch ports.
  Verification
  We can verify if the Portfast is enabled using the commands shown in below screen shot.
  We can verify if the BPDU Guard is enabled using commands shown in below screen shot.

  I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.I also found there is a difference in using the CN= and OU=Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Orginizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.For the windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and IPHONE did not need any additional addins for the authentication.  The windows laptop I am using I needed to manually create a wireless profile with… Security Tab >“Choose a network authentication method:”Microsoft: Protected EAP (PEAP)Settings >Select “Trusted Root Certification Authorities”GeoTrust Global CASelect Authentication Method:EAP-Token (This is the Aruba GTC Shim) This allowed me to use my domain login credentialsUsernamePasswordDomain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

• BPDU Guard without ERR-Disable

  Hi Everyone, 
  I recently had an instance in one of my networks where a user plugged in a home router to our network. The router then started handing out incorrect IP addresses to clients. 
  I know I can use DHCP Snooping or BPDU guard to stop this happening again and we do have BPDU Guard running at other sites successfully. The problem has always been if we enable it in a new production network we might disable ports that have legitimate devices on the other end. For example someone is using a small switch to share a port between a PC and a printer.
  Is there a way of turning on BPDU guard but without it putting ports into an Err-Disabled mode and just alerting in the logs instead?
  Regards, Daniel

  Hi Leo, 
  Thanks for your input in the discussion. However I think you are misunderstanding why I am asking this question.
  I WANT to enable BPDU guard on this network, I know its not a PIA and I am well aware of what it does and why it would be implemented.
  The reason I am asking this question is because I need to transition from a network that doesn't have BPDU guard enabled to one that does. If i turn the feature on it will start disabling ports on switches and stop peoples workflow until it is resolved. The reason people have unidentified switches plugged into the network might be legitimate, but the way they got around their problem wasn't the best. 
  My goal is to find out where these rogue switches are, find out why they are there. Find an alternative way to connect these devices to the network by either purchasing new switches or running more cabling.  This network does not have any onsite IT and therefor all this needs to be figured out remotely.
  So the crux of the problem is. How to find STP devices that are plugged into my switches.
  Thoughts?

• BPDU Guard in Virtual Switches

  Hi,
      where can I find information about BPDU guard handling in Oracle's virtual switches?
  I have a T5-2 server with Solaris 11.1 and OVM 3.1.1.
  Thanks in advance for your comments.
  Regards,
  Juan.

  Hi Luigi,
  “Network connections ethernet properties panel disappear”
  Do you mean the properties of the physical NIC cannot be opened or there is nothing in it or something else ?The screenshot seems not to make it clear .
  I have checked my own machine .I can open the properties both the physical NIC and the virtual NIC (the virtual NIC on a bridge network adapter)
  Will the network work correctly both the virtual machine and the host machine ?Have you tried to restart the machine and then have a check ?
  We can run “ncpa.cpl” to get the network connections interface quickly .
  Best regards  

• Spanning Tree PortFast BPDU Guard Enhancement

  Will this solve our problems interconnecting 2 ports configured in 2 different vlans?
  TIA

  Hi Windell,
  STP portfast BPDU guard is the feature which is specifically desinged for the ports running stp portfast on them so that a temporary introduction of a switch with lower bridge ID should not disrupt the network topology.At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state.
  Please see the link:
  http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
  I didnot get your question. Can you eleborate more on this.
  regards,
  -amit singh

• BPDU Guard

  Ok, it's been a while since this was discussed, so I wanted to throw out another question about BPDU Guard...
  As is taught in CCNA Security, BPDU Guard is NOT enabled by default.
  If command:
  spanning-tree portfast
  is issued, BPDU Guard is NOT configured automatically, correct?
  Now, I'm confused on the per interface and global config commands.
  If I issue
  spanning-tree bpduguard enable
  from global config, it will be turned on with all ports running portfast that are NOT trunked, correct?
  Final question, what does:
  spanning-tree portfast bpduguard default
  accomplish? Is this a valid command statement? Because if that command is issued, if I do a sho run on a particular interface, and if that command actually turns on bpduguard, shouldnt I see "spanning-tree bpduguard enable"?
  Thanks!

  Question about this topic, why recommeds Cisco LMS 4.0 Best practice to use both BPDUfilter?
  LMS reports a Best Practice Deviation if PortFast is enabled and BPDU-Guard is not enabled on a port. BPDU-Guard prevents spanning-tree loops by moving a port into the errdisable state when a BPDU is received on that port. When you enable BPDU-Guard on the switch, spanning tree shuts down the interfaces that receive BPDUs instead of putting the interfaces into the spanning-tree blocking state. Impact Cisco recommends that you enable BPDUGuard to block incoming BPDUs on edge devices (end-hosts). The Cisco BPDUGuard feature, when enabled, informs the switch to disable PortFast ports if a BPDU is received on those ports. BDPUGuard can be enabled on each port or globally. When you enable BPDUGuard globally, it applies to all PortFast-enabled ports on the switch.
  LMS reports a Best Practice Deviation when BPDU Filter is not enabled on access ports. Impact BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled. BDPUFilter can be enabled for each port or globally. When you enable BPDUFilter globally, it applies to all PortFast-enabled ports on the switch. When you disable PortFast on a port, the BPDU Filter that was globally enabled on the PortFast enabled port is also disabled.

• Bpdu guard status still reflected disabled after configuration

  Hi,
  Has anyone encountered after configuring
  (config#)spanning-tree portfast bpduguard default
  bpdu guard status still reflected disabled after configuration using
  #sh spanning-tree summary totals
  Thanks.
  Christina

  BPDU Guard takes effect only on portfast ports. You can therefore think of BPDU guard the same as portfast BPDU guard when a port is a portfast port.
  PortFast BPDU guard can prevent loops by moving a nontrunking port into the errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device. The BPDU guard feature provides a secure response to invalid configurations, because the administrator must manually put the interface back in service.
  When enabled on the switch, spanning tree applies the PortFast BPDU guard
  feature to all PortFast-configured interfaces.
  Portfast BPDU guard can be enabled or disabled on a global basis, thus
  affecting all ports with portfast configured.
  http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

• Trying to interconnect Catalyst 4506 (IOS) & Catalyst 6509 (CatOS) using FS

  Hey all,
  I'm currently having a problem interconnecting a Catalyst 4506 using IOS and a Catalyst 6509 using CatOS via FSO. The FSO is all setup and they show that they are talking but when we plug the fiber optic cables into the switches, we get a notconnect status on the switches. The link lights on both switches don't light up either. I have configured both sides as follows
  6509 (the Gigabit Port is 2/6):
  set port negotiation 2/6 disable
  set trunk 2/6 nonegotiate dot1q 1-1005,1025-4094
  4506 (the Gigabit Port is 1/1):
  interface GigabitEthernet 1/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  speed nonegotiate
  We were told by the FSO company that both ends must turn off negotiation in order for it to work. On the end with the Catalyst 6509, I have tried plugging another known working fiber optic line into the 2/6 port and the link light lights up so we know that the port isn't broken. Any ideas? I am lost.
  Background:
  We currently have a T1 line that serves as a point to point between the two buildings. We were trying to get rid of it and go with Free Space Optics (FSO) to increase bandwidth between the two buildings. We have 5 VLANs on each side (on the 4506 side, Vlans 110, 120, 132, 140, & 104 and on the 6509 side, Vlan 10, 20, 32, 40, 4) and the point to point is on the 200 network to interconnect the switches.

  Hie David,
  Just to start with are we sure that Rx of one switch terminates on Tx of other and vice versa. The fiber cable which is plugged in the trnasmitter of one switch must go to the receiver of another switch. You can just try swapping the TX and RX points at one switch.
  I doubt this because as you have said even the link light is not coming up.

• Catalyst 4500 ios upgrade question

  I am currently running cat4000-i9s-mz.122-25ewa6 on a catalyst 4503 supervisor II plus TS, which doesnt support SSH management. Will upgrading to one of the following do the job:
  12.2.31-SGA1 (ED)
  12.2.31-SGA (ED)
  12.2.31-SG1 (ED)
  12.2.31-SG (ED)
  12.2.25-SG1 (ED)
  12.2.25-SG (ED)
  I want to keep the same functionality but just add ssh. Also, which one should I go with, the latest 12.2.31-SGA1 (ED)? And can someone explain what the letters represent, EWA6, SG, SGA1, ED, etc. Thanks for the help.

  Hi
  Your ideal image should be cat4000-i9k91s-mz.122-25.EWA8.bin and also do ensure you have 32 mb flash and 256 mb dram. This would ensure same functionality.
  Follow the link
  http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosresult.cgi?get_crypto=&data_from=&hardware_name=CAT4500-SUP2-PLUS-TS&software_name=BASIC%20L3%203DES%20%28RIP%2CST.ROUTERS%2CIPX%2CAT%29&release_name=12.2.25-EWA8&majorRel=12.2&state=:HW:RL:SW&type=Early%20Deployment
  But if you do want to get SG images you can use this cat4500-ipbasek9-mz.122-31.SGA1.bin but this requires higher flash 64mb and dram is still 256mb.
  The link
  http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosresult.cgi?get_crypto=&data_from=&hardware_name=CAT4500-SUP2-PLUS-TS&software_name=IP%20BASE%20SSH&release_name=12.2.31-SGA1&majorRel=12.2&state=:HW:RL:SW&type=Early%20Deployment
  HTH
  Hoogen
  Do rate if this helps :)

• Catalyst 2980 IOS upgrade

  Hi:
  Can I upgrade the Cat2980/2948 from CatOS to IOS?

  Hi,
  The 2980G switch are pure L2 switches and have a Cat4000 Sup2 architecture hence they only support CatOS and cannot support IOS.
  But in case of 2980G-L3, you have ONLY IOS running on them as they are L3 switches and can support L3 routing as well. So in summary there is no conversion possible from CatOS to IOS or the other way round on Cat4000 architecture switches.
  Hope this helps..
  Regards,
  Param

• Catalyst 4500 IOS to IOS XE command compatibility check?

  Good Day.
  I will be performing 4500 non-E chassis to 4500E chassis upgrade this week.
  non-E chassis has IOS 12.2 running on it while 4500E will have IOS-XE 3.2.5SG code running. Is there any website where I can paste the IOS configuration to see if they are compatible on IOS XE code?
  Thank you, sir.

  There's no website or tool that I'm aware of to do such a pre-upgrade check for IOS to IOS-XE. That said, I've done several without issue. Just about all old commands carry forward.
  One thing indirectly command-related is to make sure you have the same license level on the new switch (i.e. lanbase, ipbase or ipservices). If your new switch has a lower license level and you were using features that require the higher license level on the old switch, those commands won't be parsed on the new one because the features aren't available without the necessary license.
  To verify, you should connect to the physical console port and log the output to a file while the system loads. Any commands that aren't parsed or have been deprecated will be logged as exceptions during the boot process. You can do this using the old switch configuration file loaded onto the new switch in advance of the actual cutover and resolve any issues ahead of time.