The spanning-tree portfast bpduguard default global configuration command only takes effect on interfaces where PortFast is enabled; it must therefore be used together with the spanning-tree portfast interface subcommand.
Best Practices and Recommendations:
Since both the spanning-tree portfast bpduguard default global configuration command and the spanning-tree portfast interface subcommand must be present before a switch port is disabled upon receiving BPDUs, always configure the spanning-tree bpduguard enable interface subcommand explicitly on non-ISL switch ports, to prevent bridging loops caused by misconfigured hosts.
However, relying solely on received BPDUs to detect bridging loops is not sufficient: a bridging loop can occur when a host bridges two connections to a switch but filters or drops the BPDUs originated by the switch, so the BPDUs are never propagated across the bridged connection and BPDU Guard never triggers.
Use the RMON feature to detect bridging loops and the storm control feature to prevent them.
C2960#sh run | in spanning-tree portfast
C2960#
C2960#sh run int gi0/1
Building configuration...

Current configuration : 60 bytes
!
interface GigabitEthernet0/1
 switchport mode access
end

C2960#
C2960#debug spanning-tree events
Spanning Tree event debugging is on
C2960#
00:20:03.807: setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.0021.565e.e200
00:20:03.807: set portid: VLAN0001 Gi0/1: new port id 8001
00:20:03.807: STP: VLAN0001 Gi0/1 -> listening
00:20:05.803: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:20:05.812: STP: VLAN0001 heard root 32769-000f.2395.f500 on Gi0/1
00:20:05.812:     supersedes 32769-0021.565e.e200
00:20:05.812: STP: VLAN0001 new root is 32769, 000f.2395.f500 on port Gi0/1, cost 19
00:20:06.810: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
00:20:18.814: STP: VLAN0001 Gi0/1 -> learning
00:20:33.821: STP[1]: Generating TC trap for port GigabitEthernet0/1
00:20:33.821: STP: VLAN0001 Gi0/1 -> forwarding
C2960#
C2960#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.2395.f500
             Cost        19
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0021.565e.e200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 19        128.1    P2p

C2960#
C2960#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2960(config)#int gi0/1
C2960(config-if)#spanning-tree bpduguard enable
C2960(config-if)#
00:20:59.977: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
00:20:59.977: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
00:20:59.985: STP: VLAN0001 we are the spanning tree root
00:21:00.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
00:21:01.990: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
C2960(config-if)#
C2960(config-if)#no spanning-tree bpduguard enable
C2960(config-if)#shut
C2960(config-if)#no shut
C2960(config-if)#exit
C2960(config)#
00:21:15.605: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
00:21:18.172: setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.0021.565e.e200
00:21:18.180: set portid: VLAN0001 Gi0/1: new port id 8001
00:21:18.180: STP: VLAN0001 Gi0/1 -> listening
00:21:18.524: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:21:19.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
00:21:20.185: STP: VLAN0001 heard root 32769-000f.2395.f500 on Gi0/1
00:21:20.193:     supersedes 32769-0021.565e.e200
00:21:20.193: STP: VLAN0001 new root is 32769, 000f.2395.f500 on port Gi0/1, cost 19
00:21:33.187: STP: VLAN0001 Gi0/1 -> learning
00:21:48.194: STP[1]: Generating TC trap for port GigabitEthernet0/1
00:21:48.194: STP: VLAN0001 Gi0/1 -> forwarding
C2960(config)#
C2960(config)#do sh run int gi0/1
Building configuration...

Current configuration : 60 bytes
!
interface GigabitEthernet0/1
 switchport mode access
end

C2960(config)#
C2960(config)#spanning-tree portfast bpduguard default
C2960(config)#
C2960(config)#int gi0/1
C2960(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet0/1 but will only
 have effect when the interface is in a non-trunking mode.
C2960(config-if)#
00:22:28.393: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
00:22:28.393: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
00:22:28.393: STP: VLAN0001 we are the spanning tree root
00:22:29.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
00:22:30.406: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
C2960(config-if)#
C2960(config-if)#do sh int gi0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet, address is 0021.565e.e201 (bia 0021.565e.e201)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:11, output 00:00:13, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     97 packets input, 13276 bytes, 0 no buffer
     Received 84 broadcasts (84 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 84 multicast, 0 pause input
     0 input packets with dribble condition detected
     33 packets output, 8808 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
C2960(config-if)#
C2960(config-if)#exit
C2960(config)#do sh run int gi0/2
Building configuration...

Current configuration : 59 bytes
!
interface GigabitEthernet0/2
 switchport mode trunk
end

C2960(config)#
00:23:19.823: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
00:23:20.830: setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.0021.565e.e200
00:23:20.830: set portid: VLAN0001 Gi0/2: new port id 8002
00:23:20.830: STP: VLAN0001 Gi0/2 -> listening
00:23:21.837: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
00:23:22.835: STP: VLAN0001 heard root 32769-000f.2395.f500 on Gi0/2
00:23:22.835:     supersedes 32769-0021.565e.e200
00:23:22.835: STP: VLAN0001 new root is 32769, 000f.2395.f500 on port Gi0/2, cost 19
00:23:35.837: STP: VLAN0001 Gi0/2 -> learning
00:23:50.844: STP[1]: Generating TC trap for port GigabitEthernet0/2
00:23:50.844: STP: VLAN0001 Gi0/2 -> forwarding
C2960(config)#
C2960(config)#do sh run | in spanning-tree portfast bpduguard
spanning-tree portfast bpduguard default
C2960(config)#
C2960(config)#int gi0/2
C2960(config-if)#spanning-tree portfast ?
  disable  Disable portfast for this interface
  trunk    Enable portfast on the interface even in trunk mode

C2960(config-if)#spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

C2960(config-if)#
00:24:10.977: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/2 with BPDU Guard enabled. Disabling port.
00:24:10.977: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/2, putting Gi0/2 in err-disable state
00:24:10.994: STP: VLAN0001 we are the spanning tree root
00:24:11.984: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
00:24:12.999: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
C2960(config-if)#
C2960(config-if)#no spanning-tree portfast trunk
C2960(config-if)#shut
C2960(config-if)#no shut
C2960(config-if)#exit
C2960(config)#
00:24:30.850: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
00:24:32.922: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
00:24:35.648: setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.0021.565e.e200
00:24:35.648: set portid: VLAN0001 Gi0/2: new port id 8002
00:24:35.648: STP: VLAN0001 Gi0/2 -> listening
00:24:36.655: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
00:24:37.653: STP: VLAN0001 heard root 32769-000f.2395.f500 on Gi0/2
00:24:37.653:     supersedes 32769-0021.565e.e200
00:24:37.653: STP: VLAN0001 new root is 32769, 000f.2395.f500 on port Gi0/2, cost 19
00:24:50.655: STP: VLAN0001 Gi0/2 -> learning
00:25:05.662: STP[1]: Generating TC trap for port GigabitEthernet0/2
00:25:05.662: STP: VLAN0001 Gi0/2 -> forwarding
C2960(config)#
C2960(config)#do sh run int gi0/2
Building configuration...

Current configuration : 59 bytes
!
interface GigabitEthernet0/2
 switchport mode trunk
end

C2960(config)#int gi0/2
C2960(config-if)#spanning-tree bpduguard enable
C2960(config-if)#
00:25:47.857: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/2 with BPDU Guard enabled. Disabling port.
00:25:47.857: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/2, putting Gi0/2 in err-disable state
00:25:47.865: STP: VLAN0001 we are the spanning tree root
00:25:48.864: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
00:25:49.879: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
C2960(config-if)#
C2960(config-if)#do sh int gi0/2
GigabitEthernet0/2 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet, address is 0021.565e.e202 (bia 0021.565e.e202)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:10, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     272 packets input, 28612 bytes, 0 no buffer
     Received 251 broadcasts (251 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 251 multicast, 0 pause input
     0 input packets with dribble condition detected
     61 packets output, 11356 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
C2960(config-if)#
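As an added example (not from the original post), the following Python audit applies the rule the session above demonstrates to a running-config: the global spanning-tree portfast bpduguard default only protects ports where PortFast is in effect, a trunk port needs spanning-tree portfast trunk for that, and spanning-tree bpduguard enable works on its own. The config text is constructed (Gi0/1 and Gi0/2 mirror the C2960 session; Gi0/3 and Gi0/4 are hypothetical ports added to show the trunk caveat and the explicit form), and only switchport mode trunk is treated as a trunk, which is a simplification.

```python
import re

# Constructed running-config excerpt; Gi0/3 and Gi0/4 are hypothetical ports.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet0/3
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Map each interface name to the list of its (stripped) sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return blocks

def bpduguard_effective(config):
    """Per interface: is BPDU Guard in effect? Explicit 'bpduguard enable' always
    counts; the global default counts only where PortFast actually takes effect."""
    global_default = re.search(r"^spanning-tree portfast bpduguard default$", config, re.M) is not None
    status = {}
    for name, cmds in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in cmds
        # Plain 'spanning-tree portfast' has no effect on a trunk port (see the IOS warning).
        portfast = ("spanning-tree portfast trunk" in cmds
                    or ("spanning-tree portfast" in cmds and not trunk))
        explicit = "spanning-tree bpduguard enable" in cmds
        status[name] = explicit or (global_default and portfast)
    return status
```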