
Multiple-Instance Spanning Tree Protocol (MSTP)


Remember, the preceding changes can seriously alter your current spanning tree topology.

Erase the configuration on all routers and switches and reload them before proceeding to the next lab.

Lab 3-7: BPDU Guard

Figure 3-12 illustrates the topology that will be used in the following tasks.


BPDU Guard works with interfaces that have been configured as PortFast or edge ports.

BPDU Guard will transition these ports into err-disable state if such a port receives a single BPDU. The BPDU Guard feature disables these interfaces to avoid a potential bridging loop. The BPDU Guard feature is used to protect the Spanning Tree domain from external influence. BPDU Guard is disabled by default, but it is recommended for all ports on which the PortFast feature has been enabled. This prevents false information from being injected into the Spanning Tree domain on ports that have spanning tree disabled.

When a port is connected to a host device, we can enable PortFast so that we can speed up the port-initialization process and put the port into the forwarding state almost immediately. This process eliminates the 30 seconds of delay that would have been

a workstation, and as such it should never send BPDUs or take part in the STP domain;

therefore, disabling spanning tree on a port connected to a host should never be an issue.

However, if we removed the host and connected a switch, this new switch would immediately start to generate BPDUs and could possibly take over the role of the root bridge, or it could generate an undesirable loop in the topology. BPDU Guard will prevent this by providing a secure response to invalid configurations or unauthorized switches appearing on the network. This process is considered secure because the administrator must manually reenable the err-disabled interface after fixing the invalid configuration or removing the unauthorized switch. It is also possible to set up a timeout interval after which the switch will automatically try to reenable the interface. However, if the invalid configuration or switch is still present, the switch will err-disable the interface again.

Task 1

Shut down all ports on SW1 and SW2 and configure an industry-standard trunk between the two switches using port F0/19. Only the F0/19 interface should be in no shutdown state.

On SW1:

SW1(config)# interface range FastEthernet0/1-24
SW1(config-if-range)# shut

SW1(config)# interface FastEthernet0/19

SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk

SW1(config-if)# no shut

On SW2:

SW2(config)# interface range FastEthernet0/1-24
SW2(config-if-range)# shut

SW2(config)# interface FastEthernet0/19

SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk

SW2(config-if)# no shut

Task 2

Configure the F0/1 interface of SW1 such that if it detects any BPDUs, it transitions into err-disable mode.

Remember, the F0/1 interface of SW1 is connected to R1’s F0/0 interface, and both ports


On SW1:

SW1# show interface FastEthernet0/1 status

Port Name Status Vlan Duplex Speed Type

Fa0/1 disabled 1 auto auto 10/100BaseTX

BPDU Guard is the feature that can accomplish this task. BPDU Guard can be enabled in two different ways:

Globally

On a per-interface basis

When BPDU Guard is enabled globally, it will affect all ports that are PortFast-enabled.

If a port that is configured as PortFast receives BPDUs, the BPDU Guard feature will shut down the port in err-disabled mode. To enable the BPDU Guard feature globally, you must use the spanning-tree PortFast bpduguard default global configuration command.

If BPDU Guard is enabled on a given interface and the port receives BPDUs, it will shut the port down in err-disabled mode.

Note In this mode, PortFast does not need to be enabled.

To enable BPDU Guard on a per-interface basis, you must use the spanning-tree bpduguard enable interface configuration command:

On SW1:

SW1(config)# interface FastEthernet0/1

SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# no shut
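The two ways of enabling BPDU Guard described above interact: the global default only protects ports that are also PortFast, a per-interface enable works without PortFast, and a per-interface disable overrides the global default. The following Python script is an added example, not part of the lab book, that audits a running configuration against those rules and lists the PortFast ports on which BPDU Guard is not actually in effect. The two configuration excerpts are constructed for the example; the audit logic assumes standard IOS syntax (spanning-tree portfast bpduguard default, spanning-tree bpduguard enable and spanning-tree bpduguard disable).

```python
import re

# Global command that turns BPDU Guard on for every PortFast port (Task 3).
GLOBAL_DEFAULT = "spanning-tree portfast bpduguard default"

# Constructed running-config excerpts (not taken from the lab). The first switch
# relies on the global default; the second protects ports one at a time.
SAMPLE_CONFIG_GLOBAL = """\
spanning-tree mode pvst
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

SAMPLE_CONFIG_PER_INTERFACE = """\
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
"""


def parse_config(config):
    """Split an IOS-style config into (global_lines, {interface: [sub-commands]}).

    Sub-commands are the indented lines under an 'interface X' stanza; a '!'
    or an unindented command ends the stanza. Commands are lower-cased so that
    'spanning-tree PortFast' and 'spanning-tree portfast' compare equal.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)", line, re.IGNORECASE)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip().lower())
        else:
            current = None
            global_lines.append(line.strip().lower())
    return global_lines, interfaces


def has_portfast(sub_commands):
    """True if the port is PortFast-enabled ('spanning-tree portfast [trunk]')."""
    return any(c.startswith("spanning-tree portfast") and not c.endswith("disable")
               for c in sub_commands)


def bpduguard_effective(config):
    """Map each interface to whether BPDU Guard is operational on it.

    Precedence, as the lab describes it:
      1. 'spanning-tree bpduguard enable'  -> guard on, PortFast not required
      2. 'spanning-tree bpduguard disable' -> guard off even if the global default is set
      3. otherwise guard is on only when the global default is set AND the port is PortFast
    """
    global_lines, interfaces = parse_config(config)
    global_default = GLOBAL_DEFAULT in global_lines
    effective = {}
    for name, subs in interfaces.items():
        if "spanning-tree bpduguard enable" in subs:
            effective[name] = True
        elif "spanning-tree bpduguard disable" in subs:
            effective[name] = False
        else:
            effective[name] = global_default and has_portfast(subs)
    return effective


def unprotected_portfast_ports(config):
    """PortFast ports with no effective BPDU Guard: a switch plugged into one of
    these would inject BPDUs into the STP domain without being err-disabled."""
    _, interfaces = parse_config(config)
    effective = bpduguard_effective(config)
    return sorted(name for name, subs in interfaces.items()
                  if has_portfast(subs) and not effective[name])


if __name__ == "__main__":
    for label, cfg in (("global default", SAMPLE_CONFIG_GLOBAL),
                       ("per-interface", SAMPLE_CONFIG_PER_INTERFACE)):
        print(label, bpduguard_effective(cfg))
        print("  unprotected PortFast ports:", unprotected_portfast_ports(cfg))
```

In both sample configurations FastEthernet0/2 is reported: on the first switch because a per-interface disable defeats the global default, on the second because nobody enabled the guard on that port at all. Running the audit against the output of show running-config on each access switch is a cheap way to catch the gap before a misplaced switch finds it.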

Let’s test and verify the configuration (keep in mind that you must wait for the F0/1 interface of SW1 to transition into the forwarding state):

On SW1:

SW1# debug spanning events

Spanning Tree event debugging is on

In order to test this feature, R1 is configured as a bridge to send BPDUs:

On R1:

R1(config)# bridge 1 protocol ieee

R1(config)# interface FastEthernet0/0
R1(config-if)# bridge-group 1

R1(config-if)# no shut

On SW1:

set portid: VLAN0001 Fa0/1: new port id 8003

STP: VLAN0001 Fa0/1 -> listening

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.

%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state

Let’s verify the result:

On SW1:

SW1# show interface FastEthernet0/1 status

Port Name Status Vlan Duplex Speed Type

Fa0/1 err-disabled 1 auto auto 10/100BaseTX

SW1# sh errdisable detect | inc Err|bpdu

ErrDisable Reason    Detection    Mode
bpduguard            Enabled      port

Because the port is not in the administratively down state, a no shutdown will not enable the interface. The no shutdown command only works if the port’s state is administratively down. In order to enable a port that is in err-disabled mode, the port must be placed in the administratively down state first, using the shutdown interface configuration command. Then it can be enabled by using the no shutdown command.


Task 3

Configure SW2 such that the existing and future ports that are PortFast-enabled transition into err-disabled mode upon detection of BPDUs.

The following command enables BPDU Guard globally on SW2. When the feature is enabled globally, it only takes effect on ports that also have PortFast enabled. This affects existing and future ports that are PortFast-enabled.

On SW2:

SW2(config)# spanning-tree PortFast bpduguard default

Let’s verify the configuration:

On SW2:

SW2# show spanning-tree summary | include BPDU Guard

PortFast BPDU Guard Default is enabled

Let’s test the configuration:

Note SW2’s F0/1 interface is configured with spanning-tree PortFast, and debug spanning-tree events is enabled.

On SW2:

SW2(config)# interface FastEthernet0/1
SW2(config-if)# spanning-tree PortFast
SW2(config-if)# no shut

SW2# debug spanning events

Spanning Tree event debugging is on

Because R1 is already configured as a bridge, you don’t need to configure bridge 1 protocol ieee again. All you need to do is to apply the bridge configuration to the F0/1 interface of R1 using the bridge-group 1 command and then enable the interface:

On R1:

R1(config)# interface FastEthernet0/1
R1(config-if)# bridge-group 1

R1(config-if)# no shut

You should see the following debug output on SW2:

On SW2:

set portid: VLAN0001 Fa0/1: new port id 8003

STP: VLAN0001 Fa0/1 ->jump to forwarding from blocking

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard enabled. Disabling port.

%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state

Let’s verify the configuration:

On SW2:

SW2# show interface FastEthernet0/1 status

Port Name Status Vlan Duplex Speed Type

Fa0/1 err-disabled 1 auto auto 10/100BaseTX

Task 4

Configure SW1’s F0/1 interface to automatically recover from errdisable mode caused by BPDU Guard. This recovery should occur every 30 seconds. If the interface of the switch detects BPDUs, it should once again transition back into errdisable mode. If it does not detect BPDUs, it should remain in the up/up state.

On SW1:

SW1(config)# errdisable recovery cause bpduguard
SW1(config)# errdisable recovery interval 30

Let’s verify the configuration:

On SW1:

SW1# show errdisable detect | include Err|bpdu

ErrDisable Reason    Detection status
bpduguard            Enabled

Every 30 seconds, the port tries to recover from BPDU Guard on the F0/1 interface. You should see the following console messages every 30 seconds as the switch tries to recover from the errdisable mode:

00:54:19: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1

The interface comes up:

00:54:21: set portid: VLAN0001 Fa0/1: new port id 8003
00:54:21: STP: VLAN0001 Fa0/1 -> listening

00:54:23: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

The interface once again detects BPDUs:

00:54:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.

The interface (F0/1) has BPDU Guard enabled and transitions into errdisable mode:

00:54:23: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state

00:54:25: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
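The recovery cycle above has a recognizable syslog signature: an ERR_RECOVER message followed within seconds by ERR_DISABLE on the same port means the device sending BPDUs is still attached, and the port will keep flapping every 30 seconds until someone removes it. The following Python parser is an added example, not from the lab book, that reads console lines in the format shown in Tasks 2 to 4, normalizes the two interface spellings the switch uses (Fa0/1 in %PM messages, FastEthernet0/1 in %LINK messages), and reports which ports were err-disabled again after a recovery attempt. The log lines are constructed for the example; the parser assumes uptime-style HH:MM:SS timestamps that do not wrap.

```python
import re
from collections import defaultdict

# Constructed console log (not from the lab) in the format the switch prints during
# Task 4: uptime timestamps, then the syslog mnemonic. Fa0/1 keeps re-tripping BPDU
# Guard after every recovery attempt; Fa0/5 trips once, recovers and stays up.
SAMPLE_LOG = """\
00:54:19: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1
00:54:23: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:54:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
00:54:23: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
00:54:25: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
00:54:49: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1
00:54:53: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
00:55:19: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1
00:55:23: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
01:10:00: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
01:10:30: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/5
01:10:34: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
"""

# "HH:MM:SS: %FACILITY-SEV-MNEMONIC: message" (uptime stamps, no date; assumed not to wrap)
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}): %([A-Z0-9_-]+): (.*)$")

# Per-mnemonic extraction of the interface (and link state) from the message text.
PATTERNS = {
    "PM-4-ERR_DISABLE": re.compile(r"bpduguard error detected on (\S+),"),
    "PM-4-ERR_RECOVER": re.compile(r"err-disable state on (\S+)$"),
    "SPANTREE-2-BLOCK_BPDUGUARD": re.compile(r"Received BPDU on port (\S+) with"),
    "LINK-3-UPDOWN": re.compile(r"Interface (\S+), changed state to (up|down)"),
}


def short_name(iface):
    """PM messages say 'Fa0/1' while LINK messages say 'FastEthernet0/1'; unify them."""
    return iface.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_events(text):
    """Return [(seconds_since_boot, kind, interface)] for the BPDU Guard-relevant lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, mnemonic, msg = m.groups()
        pat = PATTERNS.get(mnemonic)
        dm = pat.search(msg) if pat else None
        if not dm:
            continue
        kind = "LINK_" + dm.group(2).upper() if mnemonic == "LINK-3-UPDOWN" else mnemonic
        events.append((int(h) * 3600 + int(mi) * 60 + int(s), kind, short_name(dm.group(1))))
    return events


def summarize(text):
    """Per-interface counts. 're_disables' counts ERR_DISABLE events that follow an
    ERR_RECOVER on the same port, i.e. recovery attempts defeated by a device that is
    still sending BPDUs."""
    per = defaultdict(lambda: {"bpdus_seen": 0, "disables": 0, "recoveries": 0,
                               "re_disables": 0, "last_state": None, "_recovering": False})
    for _, kind, iface in parse_events(text):
        rec = per[iface]
        if kind == "SPANTREE-2-BLOCK_BPDUGUARD":
            rec["bpdus_seen"] += 1
        elif kind == "PM-4-ERR_DISABLE":
            rec["disables"] += 1
            if rec["_recovering"]:
                rec["re_disables"] += 1
                rec["_recovering"] = False
            rec["last_state"] = "err-disabled"
        elif kind == "PM-4-ERR_RECOVER":
            rec["recoveries"] += 1
            rec["_recovering"] = True
            rec["last_state"] = "recovering"
        elif kind == "LINK_UP":
            rec["last_state"] = "up"
        elif kind == "LINK_DOWN" and rec["last_state"] != "err-disabled":
            rec["last_state"] = "down"
    for rec in per.values():
        del rec["_recovering"]
    return dict(per)


def persistent_offenders(text, min_re_disables=2):
    """Ports err-disabled again at least min_re_disables times after a recovery
    attempt: the unauthorized switch is still connected and has to be removed
    rather than waited out by errdisable recovery."""
    return sorted(name for name, rec in summarize(text).items()
                  if rec["re_disables"] >= min_re_disables)


if __name__ == "__main__":
    for name, rec in summarize(SAMPLE_LOG).items():
        print(name, rec)
    print("persistent offenders:", persistent_offenders(SAMPLE_LOG))
```

On the sample log Fa0/1 is reported as a persistent offender (three re-disables in about a minute) while Fa0/5, which tripped once and then came up cleanly, is not. Feeding the same function the switch's syslog export turns the 30-second recovery loop from console noise into a ticket pointing at the exact port.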

Erase the configuration on all routers and switches and reload them before proceeding to the next lab.


When PortFast is enabled on a port, the port will still send out BPDUs and it will accept and process received BPDUs. The BPDU Guard feature would prevent the port from receiving any BPDUs, but it will not prevent it from sending them. The BPDU Filter feature effectively disables STP on the selected ports by preventing them from sending or receiving any BPDUs.

BPDU filtering supports the ability to prevent switches from sending BPDUs on PortFast-enabled interfaces. Ports configured for the PortFast feature typically connect to host devices. Hosts do not participate in STP and hence drop the received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

When enabled globally, BPDU filtering has the following effects:

It affects all operational PortFast ports on switches that do not have BPDU filtering configured.

If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and the STP sends and receives BPDUs on the port as it would with any other STP port on the switch.