Enable BPDUGuard on Spanning-tree Portfast Trunk Port: Yes or No?

Hello to all the Cisco Experts,
I have been searching around to get a confirmed answer on my subject, but have yet to come to any conclusion that could help me.
This all started when I configured the switchport configuration for my ESXi server, which is a dot1q trunk port. The reference is the URL below:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006628
The configuration of the switchport is as below:
interface GigabitEthernet1/0/1
 description ESXi
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,15
 switchport mode trunk
 spanning-tree portfast trunk
end
The catch is, I had bpduguard enabled at the global level in my switch: spanning-tree portfast bpduguard default.
This enables bpduguard on the trunk port above because the switchport is in portfast mode (the command: spanning-tree portfast trunk).
Some of the guys in this forum mentioned that it is not recommended to have bpduguard on a trunk port, and some mentioned it is okay to have this.
So, what do you all think of this? Any real-life experience dealing with this kind of situation that can be shared with us over here?
Thank you in advance.

Hi Leo,
First of all, I would never, ever, consider any comment of yours as being offensive so don't worry, none taken. :)
Enabling portfast on a trunk is so "yesterday", in my opinion.  If a trunk port (or ports) or an etherchannel is configured correctly, there's a significant chance portfast is irrelevant.  The time to get the ports to go from down to passing traffic really boils down to one or two seconds.
Perhaps this is at the core of our different views. To my best knowledge, without the PortFast, a trunk - be it a single port or an EtherChannel - will become forwarding 30 seconds after entering the up/up state, not less. This is valid for STP, RSTP, and MSTP. In addition, if a new VLAN is created or added to the list of enabled VLANs on the trunk, it may take an additional 30 seconds for that VLAN to become operational (forwarding) on that trunk. There is nothing besides PortFast and Proposal/Agreement that can cut down this time: STP must go over the Listening-Learning-Forwarding sequence, and RSTP/MSTP must go through the Discarding-Learning-Forwarding sequence. The "one or two seconds" you have mentioned is perhaps the combined delay incurred by autonegotiation, LACP/PAgP, and DTP, but STP will take its own time and will not be deterred by any of these mechanisms.
I see no benefit but mischief when you enable BPDU Guard on an inter-switch link.
Absolutely agree. That is why it doesn't make any sense to put a BPDU Guard on an inter-switch link, and I have never suggested doing that. The original post, however, deals with enabling PortFast on a trunk link that does not go to another switch but rather connects to an ESXi server on which, obviously, different virtual machines are bridged onto different VLANs.
So what is the reaction of the port if you do happen to enable portfast and BPDU guard on an inter-switch link?  The two would be a "Jekyll & Hyde", wouldn't they?
It would be just the same as enabling PortFast and BPDU Guard on an access port that happens to be connected to another switch. Upon link-up, the port would become forwarding immediately, and after receiving a BPDU, it would be shot down to err-disabled. The fact the port is an access port or a trunk port makes no difference here. Just as before, I stress that this kind of configuration simply isn't meant to be used on inter-switch links. However, on trunks connected directly to routers, servers, autonomous APs supporting several SSIDs mapped to different VLANs, even to IP phones (remember the mini-trunk config used on old switches on which the switchport voice vlan command only instructed CDP to advertise the voice VLAN but did not cause the port to accept tagged frames in the voice VLAN so it had to be configured as a trunk?) - in all these situations, the PortFast can be beneficial. The BPDU Guard is a natural protective companion to the PortFast - wherever PortFast is eligible to be configured, the BPDU Guard is a natural additional protection to be activated as well.
But given the complexity of interconnection of different switches to various stuff going around, we're happy with leaving portfast on a trunk port disabled.
No argument here - but again, this is about trunks between switches on which I would never suggest using the PortFast or the BPDU Guard. The original post is talking about trunks to end hosts (i.e. edge trunk ports if we extend the terminology a little).
Best regards,
Peter

Similar Messages

  • Spanning-tree portfast trunk

    Hi all,
    I read that portfast should only be enabled on access ports, not on trunk ports.
    When is this command used:
    spanning-tree portfast trunk?
    Under what cases would we use the portfast command on a trunk port?
    thanks
    mahesh

    .... and there is one more case:
    You have an access switch full of users and you want to provide them redundancy for the internet connection, so you use HSRP for example, and now you have a switch connected to 2 or more routers with internet links.
    Now, those links between the switch and the routers are also trunks, and the topology is like a triangle with the switch on the tip (omitting PCs for now). At this point the only device taken into consideration is the switch - the others don't use STP, because the routers have IP addresses configured on subinterfaces (one for each VLAN), so they break the broadcast domain, and computers don't care about STP. In this case, you are sure that no loop can occur, because the other devices (all of them L3) are the boundary for that L2 segment, and ARP requests broadcast in your LAN stay inside.
    What you've just managed to make is a faster trunk transition to the UP state, so after a reload of that switch, your users can quickly use the network again.

  • Purpose of "spanning-tree portfast trunk"

    We are going to try out two wireless access points.  I won't name the manufacturer.  Their tech support asked for two ports in our Catalyst 3750g to be configured as trunk, dot1q, etc., and with "spanning-tree portfast trunk".  What is the purpose of this?
    Thanks in advance.

    As Inayath has already described, traditional portfast does not apply to trunked ports. In order for a trunked port to take the portfast status, you need to specify the 'trunk' keyword.
    The key thing to understand is why you would use this - trunked ports usually go between switches, and you shouldn't be configuring portfast for such connections. However, keep in mind that you usually configure trunked interfaces for connections going to VMs, etc. as well. These are typically treated as end hosts, but since they may carry multiple VLANs over them, you can configure the port as a trunk.
    In such situations, you can go ahead and configure such trunked ports for portfast status as well.
    Regards,
    Aninda

  • Spanning tree portfast

    Hello,
    If I have a port configured as spanning tree portfast and I plug in another switch instead of a computer, what will happen? Can it create a loop or shut down the port?

    Hello horacio27,
    You can use PortFast on access switch ports or trunk ports that are connected to a single workstation or server to allow those devices to connect to the network immediately, instead of waiting for the port to transition from the listening and learning states to the forwarding state.
    You can use PortFast to connect a single end station or a switch port to a switch port. If you enable PortFast on a port that is connected to another Layer 2 device, such as a switch, you might create network loops.
    To prevent loops in the network, the most secure implementation of PortFast is to enable it only on ports that connect end stations to switches. Because PortFast can be enabled on nontrunking ports connecting two switches, spanning tree loops can occur because BPDUs are still being transmitted and received on those ports.
    PortFast with BPDU guard prevents loops by moving a nontrunking port to the err-disable state.

  • Rapid spanning tree / portfast

    Hello all,
    I have a question about rapid spanning tree.
    If I enable per-VLAN rapid spanning tree, do I have to configure portfast on the access ports, or is this natively done in RSTP?
    Best regards,
    Lars

    Hi Lars,
    In RSTP, the access ports are known as "edge" ports. To configure a port as an "edge port" you use the same command to enable portfast to do this.
    "Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state. An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect to a single end station."
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swmstp.htm
    HTH,
    Bobby
    *Please rate helpful posts.

  • BPDU-STP Discrepancy - Help Please - spanning-tree portfast bpduguard

    Hi,
    I get this discrepancy report from CiscoWorks saying that BPDU-STP is disabled on ports (all the ports on my switch). I have seen a document on this and how to enable this Spanning Tree feature, but I am not really sure if I need to do this or not. What is the benefit in having or not having this feature enabled? If enabled, then, won't I get into the port disabling and traffic disruption business? I understand that there is a time-out feature available as well.
    Thx,
    Masood

    Hi Masood.
    STP BPDUGuard is used only on the ports which are set to STP portfast. When portfast is enabled on the switch, the port transitions from blocking --> forwarding as soon as you connect any device to it. If you connect a switch or a bridge, this can cause an STP loop in your network which can bring your entire N/W to a halt.
    STP BPDUguard is specially designed for the edge ports. So as long as you have centralized control over your network devices and no one can connect any device without proper approval (yours), you can have it disabled. But if you understand the potential impact of someone connecting a switch or a bridge without proper authority, then you might want to enable it on your switch.
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
    HTH, Please rate if it does.
    regards,
    -amit singh

  • Spanning Tree PortFast BPDU Guard Enhancement

    Will this solve our problems interconnecting 2 ports configured in 2 different vlans?
    TIA

    Hi Windell,
    STP portfast BPDU guard is the feature which is specifically designed for the ports running STP portfast on them, so that a temporary introduction of a switch with a lower bridge ID does not disrupt the network topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into the errdisable state.
    Please see the link:
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
    I did not get your question. Can you elaborate more on this?
    regards,
    -amit singh

  • Spanning tree and blocked ports

    Hello
    I have a network built with 5 3560 switches. They are linked together over 6 fiber gigabit links. Two of them are for redundancy. I set up STP and all works fine. STP root is on the same switch for all VLANs.
    But I'm wondering why blocked links only show state blocked on one of the two connected switches. I've read the docs but didn't find a hint.
    Thanks for any comment.
    Thomas

    I guess your question in fact translates to: why is there only one side of my redundant link that is blocking instead of both ends. There are several possible answers to that:
    First, because blocking one side is enough;-)
    But the explanation I prefer is to remember that STP cannot know that this link is a fiber going to a single neighbor bridge. This link could be connected to a hub, where besides the neighboring bridge there would be some hosts (PCs, routers etc...). To put it short, STP must provide connectivity to this link. That's why *every* link has a designated port that connects it to the root bridge.
    Hope this helps;-)
    Francois

  • Spanning-Tree Port Type Edge & Router

    I am wondering if a switch trunk port that is facing a router that is connected with subinterface can be classified as an edge port in the eyes of Spanning-Tree.
    Thanks.

    Ricardo
    You should configure the switchport as "spanning-tree portfast trunk"
    As Glen says that is assuming you are not connecting to a switch module on the router.
    Jon

  • Cisco Noob - Layer 3 Routing / VLAN / Spanning Tree

    Hi All ...
    I need some pointers on which commands / settings and where. I know what I want to achieve, but the things I am trying seem to be 'mutually exclusive' - either that or I'm missing something - I am not a Cisco IOS expert, but I know my way around a network.
    Take 3 3560 switches in Layer 3 mode; there is a 'local' fibre spanning tree ring serving multiple switches on each, and each ring is its own IP segment / VLAN. There is then a trunk between each switch on which I want to establish a load sharing / spanning tree circuit, i.e.
    SW1 hosts VLAN 2 via copper on fa0/1 -12, ip address 10.10.2.254
    SW1 hosts VLAN 3 via a fibre spanning tree circuit on G0/1 & G0/2, dhcp 10.10.3.0/24, trunk 1 on G0/3 and trunk 2 on G0/4
    SW1 hosts VLAN 10, ip address 10.10.10.1 (trunks 1 and 2 have no IP address but are members of VLAN 10)
    SW2 hosts VLAN 4 via a fibre spanning tree circuit on G0/1 & G0/2, dhcp 10.10.4.0/24, trunk 1 on G0/3 and trunk 2 on G0/4
    SW2 hosts VLAN 10, ip address 10.10.10.2 (trunks 1 and 2 have no IP address but are members of VLAN 10)
    SW3 hosts VLAN 5 via a fibre spanning tree circuit on G0/1 & G0/2, dhcp 10.10.5.0/24, trunk 1 on G0/3 and trunk 2 on G0/4
    SW3 hosts VLAN 10, ip address 10.10.10.3 (trunks 1 and 2 have no IP address but are members of VLAN 10)
    SW1 G0/3 is a SMF trunk to SW2 G0/3
    SW1 G0/4 is a SMF trunk to SW3 G0/3
    SW2 G0/4 is a SMF trunk to SW3 G0/4
    The trunks are configured as "trunk encapsulation dot1q", ip routing is  enabled.
    I can get the trunks working OK - but I can't seem to get routing to work across them - if I define an interface on SW1 with an IP set in SW3, the switch complains, so it can clearly see it, so which command have I missed?
    All VLANs are part of the same domain; each VLAN has its own DHCP hosted on its hosting switch. The VLAN IP address is excluded from DHCP and is the default gateway for each VLAN.
    All VLANs must be able to reach VLAN 2 (contains SQL servers and DNS, time etc. etc.). The VLANs are working, DHCP etc. is all working - but I can't get anything other than VLAN 10 IPs to talk across the trunks - I've tried adding spanning-tree vlan 2,3,4,5,10 but this hasn't worked; the ip route-map shows nothing; if you show spanning-tree, the trunk ports do show up as an interface for all VLANs - and yet no traffic passes across them - show route displays nothing. I tried adding ip route 10.10.*.0 255.255.255.0 10.10.2.254 (where 10.10.2.254 is the IP address of VLAN 2) but that's done nothing.
    I have tried various combinations - unsuccessful so far - I need the trunks to be not only fault tolerant but load sharing, which kind of negates fixing IPs on them - or does it?? - what am I missing?
    (switches are all running IP services IOS)

    Hi John, here is the sh ip route and sh ip eigrp from all three.
    The IP address I'm trying to reach from SW1 and SW2 is 10.10.2.253 - the DNS server - the server is available and connected to a copper port designated and assigned to VLAN 2 (which has the root IP of 10.10.2.254); DHCP is not enabled for VLAN 2.
    I can ping the DNS box from VLAN 5 (same switch as VLAN 2).
    The copper ports on the SW1 and SW2 boxes refuse to 'come up' - they remain shutdown no matter what. I haven't yet configured VLAN 10 ....
    (NOTE - these switches are on the bench right now - I intend to get the config sorted / tested and verified before they go into production)
    SWITCH 1 - Host for VLAN 3 and 10
    SW1#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    D       10.10.2.0/24 [90/3072] via 10.10.10.6, 01:19:29, GigabitEthernet0/2
    C       10.10.10.0/30 is directly connected, GigabitEthernet0/1
    C       10.10.10.4/30 is directly connected, GigabitEthernet0/2
    SW1#sh ip eigrp interfaces
    EIGRP-IPv4:(10) interfaces for process 10
                            Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Gi0/2              1        0/0         1       0/1            0           0
    Vl3                0        0/0         0       0/1            0           0
    SW1#
    SWITCH 2 - Host for VLAN 4 and 10
    SW2#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         10.0.0.0/30 is subnetted, 2 subnets
    C       10.10.10.8 is directly connected, GigabitEthernet0/1
    C       10.10.10.0 is directly connected, GigabitEthernet0/2
    SW2#sh ip eigrp interfaces
    EIGRP-IPv4:(10) interfaces for process 10
                            Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Gi0/2              0        0/0         0       0/1            0           0
    Gi0/1              0        0/0         0       0/1            0           0
    Vl4                0        0/0         0       0/1            0           0
    SW2#
    SWITCH 3 - Host for VLAN 2, 5 and 10
    SW3#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    C       10.10.10.8/30 is directly connected, GigabitEthernet0/1
    C       10.10.2.0/24 is directly connected, Vlan2
    C       10.10.10.4/30 is directly connected, GigabitEthernet0/2
    SW3#sh ip eigrp interfaces
    EIGRP-IPv4:(5) interfaces for process 5
                            Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Vl2                0        0/0         0       0/1            0           0
    Vl5                0        0/0         0       0/1            0           0
    EIGRP-IPv4(0)(0) interfaces for process 0
                            Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    EIGRP-IPv4:(10) interfaces for process 10
                            Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Gi0/2              1        0/0         1       0/1           50           0
    Vl5                0        0/0         0       0/1            0           0
    Vl2                0        0/0         0       0/1            0           0
    SW3#
    SW3#show vlan
    VLAN Name                             Status    Ports
    1    default                          active   
    2    SERVERS                          active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20
    4    DB5-LAN                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                    Gi0/1, Gi/2
    10   MANAGER                          active    Fa0/21, Fa0/22, Fa0/23, Fa0/24
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup
    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    1    enet  100001     1500  -      -      -        -    -        0      0  
    2    enet  100002     1500  -      -      -        -    -        0      0  
    3    enet  100003     1500  -      -      -        -    -        0      0  
    4    enet  100004     1500  -      -      -        -    -        0      0  
    5    enet  100005     1500  -      -      -        -    -        0      0  
    10   enet  100010     1500  -      -      -        -    -        0      0  
    1002 fddi  101002     1500  -      -      -        -    -        0      0  
    1003 tr    101003     1500  -      -      -        -    srb      0      0  
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0  
    1005 trnet 101005     1500  -      -      -        ibm  -        0      0  
    Remote SPAN VLANs
    Primary Secondary Type              Ports
    PPS : I'm using ports Gi0/1 and Gi0/2 for now - I removed these from DB5-LAN and can now 'ping' from SW1 but not from SW2 - but the local copper is still dead on SW1 and SW2
    Copper channels not dead - faulty patch lead ... the simplest things ....

  • When is it appropriate to use "spanning-tree bpdufilter enable"

    What exactly does enabling bpdu filter do?  I see some examples where bpdu filtering is enabled on access ports?  Is this correct or are there dangers in this approach? 

    Hi John,
    A simple way of saying it would be that it disables STP on that port.
    BPDU filter filters the BPDUs coming in both directions, which means it effectively disables STP on the port.
    Detailed explanation:
    ===============
    BPDUfilter, on the other hand, just filters BPDUs in both directions, which effectively disables STP on the port. BPDU filter will prevent inbound and outbound BPDUs but will remove the portfast state on a port if a BPDU is received. Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
    Following are the methods to configure BPDU Filter in switches:
    Interface mode:
    spanning-tree bpdufilter enable                        (Results in the port not participating in STP; loops may occur.)
    Global mode:
    spanning-tree portfast bpdufilter default             (It enables BPDU filtering on ports that have the port-fast configuration, so it sends a few BPDUs while enabling the port, then it filters BPDUs unless it receives a BPDU; after that it changes from port-fast mode and disables filtering for the port to operate like a normal port, because it has received a BPDU.)
    You always should allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports. You would use bpdufilter when you want a switch plugged into your network but you don't want it participating in spanning tree.
    An example: In an office environment where someone needs another network drop under their desk but you don't have the time/budget to run a new line for now. You have been given a small switch but don't want it to break spanning tree. The switch you have lying around for this task is a simple unmanaged switch and will only have one uplink into your network, so you put bpdufilter on your switch port.
    Ref:https://supportforums.cisco.com/docs/DOC-11825
    HTH
    Regards
    Inayath
    *Plz rate if this info is helpful and mark as answered if this resolved your query.
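    The original post's question (does the global `spanning-tree portfast bpduguard default` reach a `portfast trunk` port?) and the bpdufilter explanation above both come down to how IOS combines global defaults with per-interface commands. The script below is an added example, not code from this thread or from Cisco: it parses a running-config and reports the effective PortFast / BPDU Guard / BPDU Filter state per interface, flagging ports where a plugged-in switch could loop or take root. The SAMPLE_CONFIG and its interface descriptions are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for PortFast / BPDU Guard / BPDU Filter
exposure. Added example, not from the thread or Cisco; SAMPLE_CONFIG is
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 description ESXi
 switchport trunk allowed vlan 11,15
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet1/0/2
 description uplink to core (constructed)
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard disable
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/5
 switchport mode trunk
 spanning-tree portfast
"""


@dataclass
class Port:
    name: str
    mode: str = "access"             # switchport mode (trunk or access)
    portfast: bool = False           # any 'spanning-tree portfast' form seen
    portfast_trunk: bool = False     # the 'trunk' keyword was present
    bpduguard: Optional[str] = None  # 'enable' / 'disable' / None = inherit
    bpdufilter: Optional[str] = None  # same for bpdufilter


def parse_config(text: str):
    """Return (global flags, [Port]) parsed from IOS running-config text."""
    glob = {"guard_default": False, "filter_default": False}
    ports, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports.append(cur)
        elif not line.startswith(" "):  # unindented: back at global level
            cur = None
            if line == "spanning-tree portfast bpduguard default":
                glob["guard_default"] = True
            elif line == "spanning-tree portfast bpdufilter default":
                glob["filter_default"] = True
        elif cur is not None:
            cmd = line.strip()
            if cmd == "switchport mode trunk":
                cur.mode = "trunk"
            elif cmd == "spanning-tree portfast trunk":
                cur.portfast = cur.portfast_trunk = True
            elif cmd == "spanning-tree portfast":
                cur.portfast = True
            else:
                m = re.fullmatch(r"spanning-tree (bpduguard|bpdufilter) (enable|disable)", cmd)
                if m:
                    setattr(cur, m.group(1), m.group(2))
    return glob, ports


def audit(glob, ports):
    """Return (port, severity, message) findings; severity is warn/review/info."""
    findings = []
    for p in ports:
        # 'spanning-tree portfast' only takes effect on a non-trunking port;
        # a trunk needs the 'trunk' keyword (IOS warns about exactly this).
        eff_portfast = p.portfast_trunk or (p.portfast and p.mode == "access")
        if p.portfast and p.mode == "trunk" and not p.portfast_trunk:
            findings.append((p.name, "info", "'spanning-tree portfast' has no "
                             "effect on a trunk; use 'spanning-tree portfast trunk'"))
        # The global '... default' commands apply only to PortFast-enabled ports;
        # an explicit interface-level enable/disable overrides the global default.
        eff_guard = (p.bpduguard == "enable" if p.bpduguard
                     else glob["guard_default"] and eff_portfast)
        eff_filter = (p.bpdufilter == "enable" if p.bpdufilter
                      else glob["filter_default"] and eff_portfast)
        if eff_filter:
            findings.append((p.name, "warn", "BPDU Filter active: STP is "
                             "effectively off here and BPDU Guard cannot fire"))
        elif eff_portfast and not eff_guard:
            findings.append((p.name, "warn", "PortFast without BPDU Guard: a "
                             "switch plugged in here could loop or become root"))
        if p.portfast_trunk and eff_guard:
            src = "explicit" if p.bpduguard else "inherited from global default"
            findings.append((p.name, "review", f"PortFast trunk with BPDU Guard "
                             f"({src}): fine for an edge trunk to a server/router/AP, "
                             "err-disables if the neighbour is a switch"))
    return findings


if __name__ == "__main__":
    for name, sev, msg in audit(*parse_config(SAMPLE_CONFIG)):
        print(f"{sev:6} {name}: {msg}")
```

    On the sample it reports the ESXi trunk as a "review" item (guard inherited, which is the thread's consensus: fine because the neighbour is a host), the guard-disabled trunk and the bpdufilter port as warnings, and the trunk with a bare `spanning-tree portfast` as ineffective.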

  • Why the host ports are also seen in the spanning-tree output ?

    Why the host ports are also seen in the spanning-tree output ?
    Switch1#show spann
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     0000.0CA2.138B
                 This bridge is the root
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     0000.0CA2.138B
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  20
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa0/1            Desg FWD 19        128.1    P2p
    Fa0/2            Desg FWD 19        128.2    P2p
    Fa0/15           Desg FWD 19        128.15   P2p
    interface FastEthernet0/15
    description PC0 Interface
    switchport mode access
    spanning-tree portfast
    interface FastEthernet0/16
    I read somewhere that all the ports of a switch will participate in STP by default. Is there any way to remove the STP operation on host ports ?
    Regards,
    Chandu

    All ports participate in Spanning Tree by default.
    Spanning tree is there to block redundant L2 paths in order to prevent loops. All ports are capable of causing a loop so you would not want to turn spanning tree off, in fact I don't think you can switch it off on a per port basis. You can switch it off on a per vlan basis.
    You are already using portfast which allows host ports to transition into a forwarding state without going through the listening and learning states of STP. If you switch off STP on a port, you risk the chance of a L2 loop.
    https://supportforums.cisco.com/docs/DOC-5180

  • 2960X 15.0(2)EX5 Stack Bug? Master Switch Ports link in Orange, no spanning Tree

    Is anyone aware of a bug in version 15.0(2)EX5 for 2960X Switches that would cause a switch in the master role to stop linking in new ports in green (and passing traffic).  I have 2 2960X-48FPD-L Switches in a stack and whichever switch I designate master will only link new connections in orange and not pass traffic.  All ports linked in show up/up and can be seen in a show cdp neighbor but won't pass any other traffic. 
    If I unplug the Stacking cables both switches become masters and ports linked in green on the previous member switch stay green, but after it switches to master any new connections plugged in only link in orange. 
    If I switch priorities and reboot the problem switches to the new master switch and the problem goes away on the member switch.
    Also, a switch in the master role does not show any spanning tree instances for ports in the orange link state. 
    Has anyone seen this issue and do you know of a solution? 
    Jim

    A quick update for those with this same problem.
    1.  15.2(3)E turned out to be very unstable causing my switch stack to randomly lockup/reboot one of the switches about once a week.
    2.  I downgraded back to 15.0(2)EX5 but found a workaround.  It turns out the switch stack with the 15.0 versions does not like the switchport voice vlan command on any of the interfaces on the master switch.  I simply removed the voice vlan configuration on the interfaces and all the switch ports linked in just fine.  I would prefer to run the phones on a voice vlan, but it still works without; just the PCs and phones are on the same vlan.
    Jim

  • Spanning tree loops

    Hi we are having regular spanning tree issues in our network.
    On our config we do not have bpduguard configured from what I can see? Could this be an issue?
    What can be done centrally on the core switches to remove this threat? Are there default configs that a wise network administrator would apply as standard?
    HELP!

    Hi Mike [Pls Rate if HELPS]
    Refer link below for examples and identify redundant links, root and backup root bridge etc..
    http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml#intro
    Refer link for usage guidelines in implementing loopguard, bpdu guard etc..
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html#wp1019943
    A Cisco router will give you a warning when you configure PortFast:
    SW1(config)#int fast 0/5
    SW1(config-if)#spanning-tree portfast
    %Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
    %Portfast has been configured on FastEthernet0/5 but will only
    have effect when the interface is in a non-trunking mode.
    SW1(config-if)#
    Not only will the switch warn you about the proper usage of PortFast, but you must put the port into access mode before PortFast will take effect.
    But there is a chance - just a chance - that someone is going to manage to connect a switch to a port running Portfast. That could lead to two major problems, the first being the formation of a switching loop. Remember, the reason we have listening and learning modes is to help prevent switching loops. The next problem is that there could be a new root bridge elected - and it could be a switch that isn't even in your network!
    BPDU Guard protects against this disastrous possibility. If any BPDU comes in on a port that's running BPDU Guard, the port will be shut down and placed into error disabled state, shown on the switch as err-disabled. A port placed in err-disabled state must be reopened manually.
    BPDU Guard is off on all ports by default, and is enabled as shown here:
    SW1(config)#int fast 0/5
    SW1(config-if)#spanning-tree bpduguard enable
    It's a good idea to enable BPDU Guard on any port you're running PortFast on. There's no cost in overhead, and it does prevent the possibility of a switch sending BPDUs into a port configured with PortFast - not to mention the possibility of a switch not under your control becoming a root switch to your network!
    Refer link below for Understanding Spanning Tree Protocol:
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm
    Hope I am informative and this HELPS.
    PLS RATE if HELPS
    Best Regards,
    Guru Prasad R

  • ISE - 802.1X - Loop not detected by spanning-tree

    Hello,
    I have recently implemented 802.1X on 3750-X switches running the 15.0(2)SE IOS version.
    The spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
    A user has created a loop on the network by connecting their Cisco IP Phone twice to the network: one wire connected normally from the switch to the RJ-45 phone connector, and the second wire that should have been connected to the PC had also been connected to the switch!
    The loop created has not been detected by the switch!
    I have made several tests and re-created the problem 3 times out of 4 (only one time, the loop was detected by bpduguard 20 seconds after the port came up).
    Notice that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are err-disabled (shutdown).
    The switch port configuration with 802.1X is as follows:
    interface GigabitEthernet1/0/9
     switchport access vlan 950
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 955
     no logging event link-status
     authentication control-direction in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 950
     authentication event server dead action authorize voice
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     storm-control broadcast level 10.00
     storm-control multicast level 10.00
     spanning-tree portfast
    If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
    Is there any reason spanning-tree does not work properly with 802.1X?
    Thanks,
    Olivier

    Hello Olivier
    When using bpdufilter, bpduguard and portfast all at the same time, there are many things going on which are not well documented. Now when you add 802.1x to the mix, you really have no documentation. I had to do many labs on my own to finally arrive at my configuration, and I also discovered some bugs. According to my experience, you shouldn't use bpdufilter, and you should use bpduguard on the switchport, not in the global config.
    Please read the following links about the differences between global and port bpdufilter, the differences between global and port bpduguard, configuring bpduguard along with portfast, configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
    http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/
    http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/
    https://learningnetwork.cisco.com/thread/21103
    http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/
    Please rate if this helps
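    An added audit script (not from either poster in this thread) that applies the two pieces of advice above, Guru Prasad's "enable BPDU Guard on any PortFast port" and this reply's "per-port, not global, and no bpdufilter": it parses an IOS running-config and flags PortFast ports (access or `portfast trunk`) with no explicit per-interface bpduguard, plus a global bpdufilter default. The sample config is constructed: Gi1/0/9 mirrors the question's port, while Gi1/0/10 and Gi1/0/11 are hypothetical.

```python
# Added example (not from the thread): audit an IOS running-config for
# PortFast ports lacking an explicit per-port BPDU Guard, and for global
# BPDU Filter. Sample config is constructed; Gi1/0/10 and Gi1/0/11 are hypothetical.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/9
 switchport access vlan 950
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 switchport mode trunk
 spanning-tree portfast trunk
!
"""

GLOBAL_FILTER = "spanning-tree portfast bpdufilter default"

def parse_interfaces(config):
    """Map each 'interface X' block to its list of stripped subcommands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return interfaces

def audit(config):
    """Return (interface, finding) pairs; 'global' names a global setting."""
    findings = []
    if GLOBAL_FILTER in config.splitlines():
        findings.append(("global", "bpdufilter default set; reply advises against it"))
    for name, cmds in parse_interfaces(config).items():
        # 'spanning-tree portfast' and 'spanning-tree portfast trunk' both count
        portfast = any(c.startswith("spanning-tree portfast") for c in cmds)
        if portfast and "spanning-tree bpduguard enable" not in cmds:
            findings.append((name, "portfast without per-port bpduguard"))
    return findings
```

    Run `audit()` over the output of `show running-config` to get the list of ports that rely only on the global `bpduguard default` (which the reply above recommends replacing with a per-port setting).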
