DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

BPDUGuard- break it down for me

Tue Jan 17, 2012 12:15 pm

Folks-

Noob here, still working through CCENT with CCNA as a goal...

I have a switch on my network that is showing a port as DOWN, ERR-DISABLED due to BPDUGuard.

I don't know anything about BPDUGuard. What I *think I understand* about it is:

-it is related to STP
-it is utilized to keep 2 or more trunked ports between two switches working without causing loops. IE: in normal use, only one of the trunked ports will remain up. If the UP port goes down (unplugged cable, thumb-fingered electrician given keys to a backhoe, etc), it will bring up the DOWN port to maintain connectivity.
-in all honesty, I doubt I have the above right.

Please help me understand this- if you have a link to a whitepaper that would be wonderful, so long as it's not at too high a level. I have a way to go yet before I understand some of you guys! :)

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 12:33 pm

Found this: http://www.cisco.com/en/US/docs/switche ... #wp1095752 and it looks like I am WAAAAAY off. Any more input surely appreciated, particularly if it's less in-depth.

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 12:41 pm

So on the interface that is disabled... You probably have the command spanning-tree bpduguard enable configured on it. When the switch's interface sees a BPDU on it, it sends the interface into an error disabled state. You should only enable BPDUGuard on switch ports that you do not expect switches on, like host ports.

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 12:42 pm

From that article:
" Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred"

... which caused a lightbulb to go off. Checked the switches in our area where I know we have two spare switches connected together. Sure enough there is another switch attached there, though it is unconfigured. Believe this to be the problem...

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 12:47 pm

hopped over to the test rack, sure enough, that port is going to the other switch in that area. It's not configured. Jumped into the problem switch via Putty, did a "no spanning tree bpduguard enable" followed by a shut and no shut, all good now..

Thanks very much for the help (again!), Swagger!

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 12:52 pm

You're welcome.

ristau5741
Post Whore
Posts:
10425
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 3:39 pm

DieselJeeper wrote: "no spanning tree bpduguard enable"

does that fix the loop in your network ?
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

musicjunky
New Member
Posts:
14
Joined:
Thu Jun 30, 2011 4:31 pm
Certs:
CCNP, CCDA

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 7:37 pm

ristau5741 wrote:
DieselJeeper wrote: "no spanning tree bpduguard enable"


does that fix the loop in your network ?


BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects from downstream rogue switches from becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.

Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: BPDUGuard- break it down for me

Tue Jan 17, 2012 8:08 pm

musicjunky wrote:
ristau5741 wrote:
DieselJeeper wrote: "no spanning tree bpduguard enable"


does that fix the loop in your network ?


BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects from downstream rogue switches from becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


no
http://blog.alwaysthenetwork.com

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 7:14 am

Vito: No that's not correct, or what?

Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 7:16 am

It's not correct. He seems to be talking about Root Guard.

DieselJeeper
Ultimate Member
Posts:
509
Joined:
Wed Aug 03, 2011 12:24 pm
Certs:
MCSE, MCP+I, SEC+ (working on CCENT/CCNA)

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 8:12 am

OK. Is it correct to say that BPDUguard is a security feature- any BPDU received on that port will put the port into Err-Disabled mode?

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 9:36 am

It is a security feature. It prevents loops from occurring when a switch is plugged into a port configured with BPDUGuard. Like we talked about earlier, it will put the port into an error disabled state.

Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 9:41 am

DieselJeeper wrote:OK. Is it correct to say that BPDUguard is a security feature- any BPDU received on that port will put the port into Err-Disabled mode?


yea

musicjunky
New Member
Posts:
14
Joined:
Thu Jun 30, 2011 4:31 pm
Certs:
CCNP, CCDA

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 10:17 am

Vito_Corleone wrote:
no


Yes,

quoted from Cisco documentation on the BPDUGuard page:
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.

http://www.cisco.com/en/US/tech/tk389/t ... 482f.shtml

musicjunky
New Member
Posts:
14
Joined:
Thu Jun 30, 2011 4:31 pm
Certs:
CCNP, CCDA

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 10:26 am

Vito_Corleone wrote:It's not correct. He seems to be talking about Root Guard.


Root Guard is also a root bridge protection mechanism, but behaves differently. It will place a port into loop-inconsistent state upon the receipt of a Superior-BPDU, not any BPDU like BPDUGuard.
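The difference argued over in this thread (swagger's point that BPDU Guard err-disables a port on any BPDU, versus the Root Guard behaviour described in the post above, which only reacts to a superior BPDU) can be made concrete by modelling both decisions over a real BPDU frame. The following is an added example written for this page; it is not Cisco code and not how IOS implements either feature. The 802.1D configuration BPDU layout is the standard one; the bridge IDs, MAC addresses and the "superior" comparison (root bridge ID only, ignoring path cost and sender ID tie-breaks) are assumptions made to keep the illustration short.

```python
"""
Model of two Cisco STP edge-port protections over a parsed 802.1D BPDU.
Added illustration for this thread; not Cisco's code. The frames below are
constructed by hand for the example.
"""
import struct
from dataclasses import dataclass

# LLC header that carries STP on 802.3 frames to 01:80:C2:00:00:00: DSAP/SSAP 0x42, ctrl 0x03
LLC_STP = b"\x42\x42\x03"
BPDU_TYPE_CONFIG = 0x00
BPDU_TYPE_TCN = 0x80
BPDU_TYPE_RSTP = 0x02
# Configuration BPDU after the LLC header (35 bytes):
# proto_id(2) version(1) type(1) flags(1) root_id(8) root_cost(4) bridge_id(8)
# port_id(2) msg_age(2) max_age(2) hello(2) fwd_delay(2)   (timers in 1/256 s)
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID: 2-byte priority (incl. extended system ID) + 6-byte MAC. Lower wins."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        prio, mac = struct.unpack("!H6s", raw)
        return cls(prio, mac)

    def to_bytes(self) -> bytes:
        return struct.pack("!H6s", self.priority, self.mac)


def parse_bpdu(payload: bytes):
    """Return a dict describing the BPDU, or None if the payload is not STP at all."""
    if not payload.startswith(LLC_STP) or len(payload) < 7:
        return None
    body = payload[3:]
    proto, _version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        return None
    if btype == BPDU_TYPE_TCN:
        return {"type": "tcn"}
    if btype in (BPDU_TYPE_CONFIG, BPDU_TYPE_RSTP) and len(body) >= CONFIG_BPDU.size:
        f = CONFIG_BPDU.unpack(body[:CONFIG_BPDU.size])
        return {"type": "config", "root_id": BridgeId.from_bytes(f[4]),
                "root_cost": f[5], "bridge_id": BridgeId.from_bytes(f[6])}
    return None


def build_config_bpdu(root: BridgeId, sender: BridgeId, root_cost: int = 0) -> bytes:
    """Constructed BPDU: 'sender' claims 'root' is the root bridge (default 802.1D timers)."""
    return LLC_STP + CONFIG_BPDU.pack(0, 0, BPDU_TYPE_CONFIG, 0, root.to_bytes(),
                                      root_cost, sender.to_bytes(), 0x8001,
                                      0, 20 * 256, 2 * 256, 15 * 256)


def bpdu_guard(port_guarded: bool, payload: bytes) -> str:
    """BPDU Guard: ANY BPDU (config, RSTP or TCN) on a guarded port -> err-disabled."""
    if port_guarded and parse_bpdu(payload) is not None:
        return "err-disabled"
    return "forwarding"


def root_guard(current_root: BridgeId, port_guarded: bool, payload: bytes) -> str:
    """Root Guard: only a config BPDU advertising a BETTER root -> root-inconsistent.
    Simplification: compares root bridge ID only, no path-cost/sender tie-breaks."""
    bpdu = parse_bpdu(payload)
    if not port_guarded or bpdu is None or bpdu["type"] != "config":
        return "forwarding"
    return "root-inconsistent" if bpdu["root_id"] < current_root else "forwarding"


def demo() -> dict:
    """Three frames hitting a port with both guards enabled; returns (bpdu_guard, root_guard)."""
    our_root = BridgeId(4096, bytes.fromhex("001122334455"))          # assumed current root
    unconfigured = BridgeId(32768, bytes.fromhex("aabbccddeeff"))     # factory-default switch
    rogue = BridgeId(0, bytes.fromhex("0a0b0c0d0e0f"))                # priority 0, claims root
    frames = {
        # the thread's scenario: an unconfigured switch advertising itself as root
        "unconfigured_switch": build_config_bpdu(unconfigured, unconfigured),
        "rogue_priority_0": build_config_bpdu(rogue, rogue),
        "host_data": b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x45" * 20,  # SNAP/IPv4, not STP
    }
    return {name: (bpdu_guard(True, f), root_guard(our_root, True, f))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} bpduguard={verdict[0]:13s} rootguard={verdict[1]}")
```

The first scenario is the one in this thread: the factory-default switch on the test rack sends an inferior BPDU (priority 32768 against a root at 4096), so Root Guard would have left the port alone, but BPDU Guard err-disables it because it does not look at the contents at all. Only the priority-0 rogue trips Root Guard.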

Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 10:32 am

musicjunky wrote:
Vito_Corleone wrote:
no


Yes,

quoted from Cisco documentation on the BPDUGuard page:
The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console.

http://www.cisco.com/en/US/tech/tk389/t ... 482f.shtml


Read your initial explanation. It's most definitely wrong.

musicjunky
New Member
Posts:
14
Joined:
Thu Jun 30, 2011 4:31 pm
Certs:
CCNP, CCDA

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 10:39 am

Can you please explain what is wrong about it? I was focusing on the fact that BPDU Guard is not a loop detection mechanism, it is enabled on access ports only, along with PortFast, to protect against downstream switches causing reconvergence in the STP domain.

Vito_Corleone
Moderator
Posts:
9850
Joined:
Mon Apr 07, 2008 10:38 am
Certs:
CCNP RS, CCNP DC, CCDP, CCIP

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 11:05 am

musicjunky wrote:BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects from downstream rogue switches from becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


There, I've bolded it for you. It is a loop prevention mechanism and it has nothing to do with who the root bridge is.

musicjunky
New Member
Posts:
14
Joined:
Thu Jun 30, 2011 4:31 pm
Certs:
CCNP, CCDA

Re: BPDUGuard- break it down for me

Wed Jan 18, 2012 11:08 am

Vito_Corleone wrote:
musicjunky wrote:BPDUguard is a Root Bridge protection mechanism, not a loop detection mechanism like Loop Guard. BPDUGuard just protects from downstream rogue switches from becoming the root bridge, which could cause long convergence and MITM attacks due to traffic flow changes through the new root bridge.


There, I've bolded it for you. It is a loop prevention mechanism and it has nothing to do with who the root bridge is.



Oh, did you not read the Cisco doc on this stuff?
