networking-forum.com
All times are UTC - 6 hours [ DST ]
PostPosted: Tue Jan 17, 2012 12:15 pm 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 504
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Folks-

Noob here, still working through CCENT with CCNA as a goal...

I have a switch on my network that is showing a port as DOWN, ERR-DISABLED due to BPDUGuard.

I don't know anything about BPDUGuard. What I *think I understand* about it is:

- it is related to STPF
- it is utilized to keep 2 or more trunked ports between two switches working without causing loops, i.e. in normal use only one of the trunked ports will remain up. If the UP port goes down (unplugged cable, thumb-fingered electrician given keys to a backhoe, etc.), it will bring up the DOWN port to maintain connectivity.
- in all honesty, I doubt I have the above right.

Please help me understand this- if you have a link to a whitepaper that would be wonderful, so long as it's not at too high a level. I have a way to go yet before I understand some of you guys! :)


PostPosted: Tue Jan 17, 2012 12:33 pm 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 504
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Found this: http://www.cisco.com/en/US/docs/switche ... #wp1095752 and it looks like I am WAAAAAY off. Any more input surely appreciated, particularly if it's less in-depth.


PostPosted: Tue Jan 17, 2012 12:41 pm 
Post Whore

Joined: Mon Nov 23, 2009 7:55 pm
Posts: 1395
Location: South Carolina
Certs: CCNP, CCNA Sec
So on the interface that is disabled, you probably have the command spanning-tree bpduguard enable configured on it. When the switch's interface sees a BPDU on it, it sends the interface into an error-disabled state. You should only enable BPDUGuard on switch ports where you do not expect switches, like host ports.


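Swagger's post explains the mechanism; what a network or SOC team usually sees first is the syslog trail. The following is an added example, not code from this thread or from Cisco: a small Python parser that pulls BPDU Guard and other err-disable events out of IOS syslog text and reports which ports are still down. The log lines inside it are constructed for the example and modelled on the %SPANTREE-2-BLOCK_BPDUGUARD, %PM-4-ERR_DISABLE and %PM-4-ERR_RECOVER message formats; exact wording varies by platform and release, so the regular expressions are an assumption to check against real output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample syslog lines (not taken from the thread). They follow the
# shape of the Cisco IOS %SPANTREE-2-BLOCK_BPDUGUARD, %PM-4-ERR_DISABLE and
# %PM-4-ERR_RECOVER messages; wording can differ by platform and release, so
# treat the regexes below as an assumption to verify against your own logs.
SAMPLE_LOG = """\
Jan 17 12:02:11.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/5 with BPDU Guard enabled. Disabling port.
Jan 17 12:02:11.125: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Jan 17 12:02:12.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
Jan 17 12:30:40.220: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/12, putting Gi0/12 in err-disable state
Jan 17 12:45:00.010: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/5
"""

# Three message types matter: the STP notice that a BPDU hit a guarded port,
# the port-manager notice that the port went err-disabled (with its cause),
# and the recovery notice emitted when errdisable recovery re-enables it.
RE_BPDU_SEEN = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled")
RE_DISABLED = re.compile(
    r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+), putting")
RE_RECOVERED = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) err-disable state on (\S+)")


@dataclass(frozen=True)
class ErrDisableEvent:
    timestamp: str  # text before the first '%', kept verbatim
    port: str       # interface short name as logged, e.g. "Gi0/5"
    cause: str      # errdisable cause, e.g. "bpduguard", "psecure-violation"
    kind: str       # "bpdu-seen", "disabled" or "recovered"


def parse_errdisable_events(log_text: str) -> List[ErrDisableEvent]:
    """Extract err-disable related events in log order; unrelated lines are skipped."""
    events: List[ErrDisableEvent] = []
    for line in log_text.splitlines():
        if "%" not in line:
            continue
        timestamp = line.split("%", 1)[0].rstrip(": ")
        if m := RE_BPDU_SEEN.search(line):
            events.append(ErrDisableEvent(timestamp, m.group(1), "bpduguard", "bpdu-seen"))
        elif m := RE_DISABLED.search(line):
            events.append(ErrDisableEvent(timestamp, m.group(2), m.group(1), "disabled"))
        elif m := RE_RECOVERED.search(line):
            events.append(ErrDisableEvent(timestamp, m.group(2), m.group(1), "recovered"))
    return events


def ports_currently_disabled(events: List[ErrDisableEvent]) -> Dict[str, str]:
    """Map port -> cause for ports whose latest event is an err-disable, not a recovery."""
    state: Dict[str, str] = {}
    for ev in events:
        if ev.kind == "disabled":
            state[ev.port] = ev.cause
        elif ev.kind == "recovered":
            state.pop(ev.port, None)
    return state


def bpduguard_trips(events: List[ErrDisableEvent]) -> Set[str]:
    """Ports on which BPDU Guard fired at any point in the log."""
    return {ev.port for ev in events
            if ev.cause == "bpduguard" and ev.kind in ("bpdu-seen", "disabled")}


if __name__ == "__main__":
    evs = parse_errdisable_events(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.timestamp}  {ev.port:<8} {ev.cause:<18} {ev.kind}")
    print("BPDU Guard tripped on:", sorted(bpduguard_trips(evs)))
    print("Still err-disabled:", ports_currently_disabled(evs))
```

Run it as a script to see the parsed events, or pass the text of `show logging` to `parse_errdisable_events`. A bpduguard entry against a port is the cue to do what the original poster did next: find out what is plugged into that port and decide whether a switch belongs there (in which case the uplink should not sit on a BPDU Guard port) or not (in which case the device comes off) before bouncing the port.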
PostPosted: Tue Jan 17, 2012 12:42 pm 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 504
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
From that article:
"Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred."

... which caused a lightbulb to go off. Checked the switches in our area where I know we have two spare switches connected together. Sure enough there is another switch attached there, though it is unconfigured. Believe this to be the problem...


PostPosted: Tue Jan 17, 2012 12:47 pm 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 504
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Hopped over to the test rack; sure enough, that port is going to the other switch in that area. It's not configured. Jumped into the problem switch via PuTTY, did a "no spanning tree bpduguard enable" followed by a shut and no shut, all good now.

Thanks very much for the help (again!), Swagger!


PostPosted: Tue Jan 17, 2012 12:52 pm 
Post Whore

Joined: Mon Nov 23, 2009 7:55 pm
Posts: 1395
Location: South Carolina
Certs: CCNP, CCNA Sec
You're welcome.


PostPosted: Tue Jan 17, 2012 3:39 pm 
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8296
Location: Frederick MD
Certs: Instanity
DieselJeeper wrote:
"no spanning tree bpduguard enable"


does that fix the loop in your network?

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


PostPosted: Tue Jan 17, 2012 7:37 pm 
New Member

Joined: Thu Jun 30, 2011 4:31 pm
Posts: 14
Certs: CCNP, CCDA
ristau5741 wrote:
DieselJeeper wrote:
"no spanning tree bpduguard enable"


does that fix the loop in your network?


BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects against downstream rogue switches becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


PostPosted: Tue Jan 17, 2012 8:08 pm 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
musicjunky wrote:
ristau5741 wrote:
DieselJeeper wrote:
"no spanning tree bpduguard enable"


does that fix the loop in your network?


BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects against downstream rogue switches becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


no

_________________
http://blog.alwaysthenetwork.com


PostPosted: Wed Jan 18, 2012 7:14 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 504
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
Vito: No, that's not correct, or what?


PostPosted: Wed Jan 18, 2012 7:16 am 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
It's not correct. He seems to be talking about Root Guard.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Wed Jan 18, 2012 8:12 am 
Ultimate Member

Joined: Wed Aug 03, 2011 12:24 pm
Posts: 504
Location: Charleston, SC
Certs: MCSE, MCP+I, SEC+ (working on CCENT/CCNA)
OK. Is it correct to say that BPDUguard is a security feature: any BPDU received on that port will put the port into Err-Disabled mode?


PostPosted: Wed Jan 18, 2012 9:36 am 
Post Whore

Joined: Mon Nov 23, 2009 7:55 pm
Posts: 1395
Location: South Carolina
Certs: CCNP, CCNA Sec
It is a security feature. It prevents loops from occurring when a switch is plugged into a port configured with BPDUGuard. Like we talked about earlier, it will put the port into an error disabled state.


PostPosted: Wed Jan 18, 2012 9:41 am 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
DieselJeeper wrote:
OK. Is it correct to say that BPDUguard is a security feature: any BPDU received on that port will put the port into Err-Disabled mode?


yea

_________________
http://blog.alwaysthenetwork.com


PostPosted: Wed Jan 18, 2012 10:17 am 
New Member

Joined: Thu Jun 30, 2011 4:31 pm
Posts: 14
Certs: CCNP, CCDA
Vito_Corleone wrote:

no


Yes,

quoted from Cisco documentation on the BPDUGuard page:
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.

http://www.cisco.com/en/US/tech/tk389/t ... 482f.shtml


PostPosted: Wed Jan 18, 2012 10:26 am 
New Member

Joined: Thu Jun 30, 2011 4:31 pm
Posts: 14
Certs: CCNP, CCDA
Vito_Corleone wrote:
It's not correct. He seems to be talking about Root Guard.


Root Guard is also a root bridge protection mechanism, but behaves differently. It will place a port into loop-inconsistent state upon receipt of a superior BPDU, not any BPDU like BPDUGuard.


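The distinction musicjunky draws here, together with Swagger's earlier point that BPDU Guard reacts to any BPDU on a host port, can be made concrete with a small model. This is an added example, not code from the thread or from Cisco: Python that compares a received BPDU's root bridge ID against the current root using the 802.1D ordering (lower priority, then lower MAC, wins) and applies the two guards' rules. Root Guard blocks only on a superior BPDU and releases when those stop; BPDU Guard err-disables on any BPDU and stays down until the port is bounced. The bridge IDs and port names are constructed, only the root ID part of the BPDU comparison is modelled, and Root Guard's age-out timer is simplified to an immediate release.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortState(Enum):
    FORWARDING = "forwarding"
    ROOT_INCONSISTENT = "root-inconsistent"  # Root Guard's blocking state
    ERR_DISABLED = "err-disabled"            # BPDU Guard's result


@dataclass(frozen=True)
class BridgeId:
    """802.1D bridge identifier: 16-bit priority field followed by the bridge MAC."""
    priority: int  # full 16-bit value (4-bit priority plus 12-bit system-ID extension)
    mac: str       # e.g. "00:1a:2b:3c:4d:5e"

    def sort_key(self) -> tuple:
        # Lower (priority, MAC) wins the root election, so a lower key is "superior".
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId  # the root bridge the sender believes in
    # Root path cost, sender bridge ID and port ID are tie-breakers in the real
    # 802.1D comparison; they are left out to keep the model short (simplification).


def is_superior(received: Bpdu, current_root: BridgeId) -> bool:
    """True if the BPDU advertises a better root than the one this switch knows."""
    return received.root_id.sort_key() < current_root.sort_key()


class GuardedPort:
    """A port with optional BPDU Guard and/or Root Guard (constructed model)."""

    def __init__(self, name: str, current_root: BridgeId,
                 bpdu_guard: bool = False, root_guard: bool = False) -> None:
        self.name = name
        self.current_root = current_root
        self.bpdu_guard = bpdu_guard
        self.root_guard = root_guard
        self.state = PortState.FORWARDING

    def receive(self, bpdu: Optional[Bpdu]) -> PortState:
        """Feed one received frame (None = ordinary data, no BPDU); return the new state."""
        if self.state is PortState.ERR_DISABLED:
            return self.state  # only an administrator or errdisable recovery clears this
        if bpdu is None:
            # Simplification: Root Guard releases as soon as superior BPDUs stop
            # (a real switch waits for the stored BPDU to age out).
            if self.state is PortState.ROOT_INCONSISTENT:
                self.state = PortState.FORWARDING
            return self.state
        if self.bpdu_guard:
            # Any BPDU at all is a violation on a BPDU Guard port.
            self.state = PortState.ERR_DISABLED
        elif self.root_guard and is_superior(bpdu, self.current_root):
            # Root Guard reacts only to a BPDU that would change the root.
            self.state = PortState.ROOT_INCONSISTENT
        elif self.state is PortState.ROOT_INCONSISTENT:
            self.state = PortState.FORWARDING
        return self.state

    def shut_no_shut(self) -> PortState:
        """Administrative bounce of the port, the recovery step described in the thread."""
        self.state = PortState.FORWARDING
        return self.state


if __name__ == "__main__":
    current_root = BridgeId(24576, "00:1a:2b:00:00:01")        # constructed root
    unconfigured = Bpdu(BridgeId(32768, "00:1a:2b:00:00:99"))  # default-priority switch
    rogue_root = Bpdu(BridgeId(0, "00:1a:2b:00:00:02"))        # would win the election

    host_port = GuardedPort("Gi0/5", current_root, bpdu_guard=True)
    print("BPDU Guard, inferior BPDU:", host_port.receive(unconfigured).value)

    dist_port = GuardedPort("Gi0/6", current_root, root_guard=True)
    print("Root Guard, inferior BPDU:", dist_port.receive(unconfigured).value)
    print("Root Guard, superior BPDU:", dist_port.receive(rogue_root).value)
```

Note what the model shows for the situation in this thread: a freshly unboxed switch at the 802.1D default priority of 32768 sends BPDUs that are inferior to an existing root at 24576, so Root Guard would have left the port alone, while BPDU Guard drops it regardless, because on a host port the arrival of any BPDU is the violation.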
PostPosted: Wed Jan 18, 2012 10:32 am 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
musicjunky wrote:
Vito_Corleone wrote:

no


Yes,

quoted from Cisco documentation on the BPDUGuard page:
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.

http://www.cisco.com/en/US/tech/tk389/t ... 482f.shtml


Read your initial explanation. It's most definitely wrong.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Wed Jan 18, 2012 10:39 am 
New Member

Joined: Thu Jun 30, 2011 4:31 pm
Posts: 14
Certs: CCNP, CCDA
Can you please explain what is wrong about it? I was focusing on the fact that BPDU Guard is not a loop detection mechanism, it is enabled on access ports only, along with PortFast, to protect against downstream switches causing reconvergence in the STP domain.


PostPosted: Wed Jan 18, 2012 11:05 am 
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
musicjunky wrote:
BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects against downstream rogue switches becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


There, I've bolded it for you. It is a loop prevention mechanism and it has nothing to do with who the root bridge is.

_________________
http://blog.alwaysthenetwork.com


PostPosted: Wed Jan 18, 2012 11:08 am 
New Member

Joined: Thu Jun 30, 2011 4:31 pm
Posts: 14
Certs: CCNP, CCDA
Vito_Corleone wrote:
musicjunky wrote:
BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects against downstream rogue switches becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


There, I've bolded it for you. It is a loop prevention mechanism and it has nothing to do with who the root bridge is.



Oh, did you not read the Cisco doc on this stuff?

