CCIE Routing & Switching v5 Workbook - CCIE R&S v5 Advanced Technology Labs - LAN Switching
STP BPDU Guard
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named LAN Switching Initial
Spanning Tree, which can be found in
. Reference the Virtual Routers &
Physical Switches Diagram to complete this task.
Task
Configure a port-channel between SW3 and SW4 as follows:
SW3’s side should be a Layer 3 port-channel with IP address
169.254.34.3/24.
SW4’s side should be a Layer 2 port-channel in VLAN 10.
Both switches should actively initiate negotiation using a standard protocol.
Configure Spanning-Tree BPDU Guard on SW4 so that the etherchannel is disabled
if a BPDU is detected.
SW4 should attempt to re-enable the etherchannel after two minutes.
Do not use the global portfast command to accomplish this.
Configuration
SW3:
default interface range FastEthernet0/23 - 24
!
interface Port-channel34
no switchport
ip address 169.254.34.3 255.255.255.0
!
interface range FastEthernet0/23 - 24
no switchport
channel-group 34 mode active
SW4:
default interface range FastEthernet0/23 - 24
!
interface range FastEthernet0/23 - 24
channel-group 34 mode active
!
interface Port-channel34
switchport mode access
switchport access vlan 10
spanning-tree bpduguard enable
!
errdisable recovery cause bpduguard
errdisable recovery interval 120
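The configuration above is what an operator types; on a larger estate the same posture is easier to keep honest with an automated check over the running config. The following audit script is an added example, not part of the workbook: it parses IOS-style interface stanzas and verifies that every access interface carries the interface-level spanning-tree bpduguard enable command (not the global portfast default the task forbids), that errdisable recovery cause bpduguard is set, and that the recovery interval matches the two-minute requirement. The sample configuration is constructed from SW4's lines plus a hypothetical Port-channel35 that is missing BPDU Guard; the 300-second default interval is the IOS default when no interval is configured.

```python
import re

# Constructed sample: SW4's relevant configuration from this task, plus a
# hypothetical Port-channel35 that is an access port without BPDU Guard.
SAMPLE_CONFIG = """\
interface FastEthernet0/23
 channel-group 34 mode active
!
interface FastEthernet0/24
 channel-group 34 mode active
!
interface Port-channel34
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
!
interface Port-channel35
 switchport mode access
 switchport access vlan 20
!
errdisable recovery cause bpduguard
errdisable recovery interval 120
"""

IOS_DEFAULT_RECOVERY_INTERVAL = 300  # seconds; applies when no interval is configured


def parse_interfaces(config):
    """Return {interface name: [stripped lines of that interface stanza]}.
    A stanza ends at '!' or at the next unindented line."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_bpduguard(config, expected_interval=120):
    """Findings for the BPDU Guard posture of one switch configuration:
    - every 'switchport mode access' interface must have
      'spanning-tree bpduguard enable' at the interface level
    - 'errdisable recovery cause bpduguard' must be present
    - 'errdisable recovery interval' must equal expected_interval
    Returns a list of finding strings; an empty list means compliant."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines and "spanning-tree bpduguard enable" not in lines:
            findings.append(f"{name}: access port without spanning-tree bpduguard enable")
    global_lines = {line.strip() for line in config.splitlines()}
    if "errdisable recovery cause bpduguard" not in global_lines:
        findings.append("global: errdisable recovery cause bpduguard is not configured")
    m = re.search(r"^errdisable recovery interval (\d+)\s*$", config, re.M)
    interval = int(m.group(1)) if m else IOS_DEFAULT_RECOVERY_INTERVAL
    if interval != expected_interval:
        findings.append(f"global: errdisable recovery interval is {interval}, expected {expected_interval}")
    return findings


if __name__ == "__main__":
    for finding in audit_bpduguard(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Run against SAMPLE_CONFIG the only finding is the hypothetical Port-channel35; feed it a config captured with show running-config and it reports each access port that would accept a rogue switch without tripping, plus any drift in the recovery settings.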
Verification
The STP BPDU Guard feature is used to enforce access layer security at the
edge of the STP domain. When an interface running BPDU Guard receives a
BPDU (STP packet), the interface is transitioned into err-disable state. An end
host should never send BPDUs, so a BPDU arriving on an access port indicates an
unexpected switch or a host bridging traffic. This ensures that unauthorized
switches cannot be plugged into the network, for example, to perform a Layer 2
man-in-the-middle (MiM) attack. If configured, the errdisable recovery feature
can then be used to bring the interface out of err-disable state automatically
after a configured interval.
Note that no BPDUs have been received on the interface and BPDU Guard is
enabled at the interface level:
SW4#show spanning-tree interface port-channel34 detail
Port 328 (Port-channel34) of VLAN0010 is designated forwarding
Port path cost 12, Port priority 128, Port Identifier 128.328.
Designated root has priority 4106, address 0013.605f.f000
Designated bridge has priority 8202, address 001a.a174.2500
Designated port id is 128.328, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 19, received 0

SW4#show spanning-tree interface fastEthernet0/23 detail
Port 328 (Port-channel34) of VLAN0010 is designated forwarding
Port path cost 12, Port priority 128, Port Identifier 128.328.
Designated root has priority 4106, address 0013.605f.f000
Designated bridge has priority 8202, address 001a.a174.2500
Designated port id is 128.328, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 34, received 0

SW4#show spanning-tree interface fastEthernet0/24 detail
Port 328 (Port-channel34) of VLAN0010 is designated forwarding
Port path cost 12, Port priority 128, Port Identifier 128.328.
Designated root has priority 4106, address 0013.605f.f000
Designated bridge has priority 8202, address 001a.a174.2500
Designated port id is 128.328, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 45, received 0
By re-configuring SW3’s port-channel as Layer 2, STP BPDUs are generated and
SW4 will err-disable the port-channel:
SW3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#no interface port-channel34
SW3(config)#default interface range fastEthernet0/23 - 24
SW3(config)#interface range fastEthernet0/23 - 24
SW3(config-if-range)#channel-group 34 mode active

SW4#show interfaces port-channel34 status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Po34                         err-disabled bpduguard

SW4#show interfaces fastEthernet0/23 status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/23                       err-disabled bpduguard

SW4#show interfaces fastEthernet0/24 status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Fa0/24                       err-disabled bpduguard
As soon as the Etherchannel is negotiated via LACP, the following log messages are
displayed by SW4, identifying the problem:
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state
Based on the configured err-disable recovery functionality, after two minutes SW4
will try to recover the interfaces and re-activate them; however, the scenario
repeats as soon as BPDUs are received on the ports again:
%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/23
%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Po34
%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/24
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Po34 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state
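From a monitoring standpoint the interesting signal is not a single err-disable but the disable, recover, disable loop shown above: a port that trips BPDU Guard again right after recovery still has the BPDU source attached, and a two-minute recovery timer is quietly turning that into a permanent flap. The script below is an added example, not part of the workbook, that parses the three SW4 message types seen in this lab (%PM-4-ERR_DISABLE, %PM-4-ERR_RECOVER and %SPANTREE-2-BLOCK_BPDUGUARD) and flags ports that were disabled again after a recovery attempt. The sample log is constructed from the messages on this page plus a hypothetical Gi0/5 port that tripped once and has not yet recovered, to show the non-persistent case.

```python
import re
from collections import defaultdict

# Constructed sample log: one full disable -> recover -> disable cycle as shown
# for SW4 in this lab, plus a hypothetical Gi0/5 port err-disabled only once.
SAMPLE_LOG = """\
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state
%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/23
%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Po34
%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/24
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Po34 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
"""

DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: bpduguard error detected on (\S+), putting (\S+) in err-disable state")
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on (\S+)")
BLOCK_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled")


def new_entry():
    return {"disabled": 0, "recovered": 0, "bpdus_seen": 0, "persistent": False}


def bpduguard_summary(log):
    """Walk the log in order and build one record per port, keyed by the port
    that was placed in err-disable state (the second interface in ERR_DISABLE
    lines, so bundle-triggered member shutdowns land on the member).
    A port is 'persistent' once it is err-disabled again after a recovery
    attempt: the BPDU source is still attached."""
    ports = defaultdict(new_entry)
    for line in log.splitlines():
        if m := DISABLE_RE.search(line):
            entry = ports[m.group(2)]
            if entry["recovered"] > 0:
                entry["persistent"] = True
            entry["disabled"] += 1
        elif m := RECOVER_RE.search(line):
            ports[m.group(1)]["recovered"] += 1
        elif m := BLOCK_RE.search(line):
            ports[m.group(1)]["bpdus_seen"] += 1
    return dict(ports)


def persistent_ports(log):
    """Sorted list of ports that keep tripping BPDU Guard across recovery cycles."""
    return sorted(port for port, entry in bpduguard_summary(log).items() if entry["persistent"])


if __name__ == "__main__":
    for port, entry in sorted(bpduguard_summary(SAMPLE_LOG).items()):
        print(port, entry)
    print("persistent:", persistent_ports(SAMPLE_LOG))
```

The counts are of messages, not of cycles: as the SW4 output shows, a bundle member receives two ERR_DISABLE lines per cycle, one from the physical port and one from the port-channel, so Fa0/23 and Fa0/24 show four disables against one recovery. The persistent flag is what an alert should key on; a port in that state is a candidate for being left err-disabled until someone looks at what is plugged into it.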
Verify that err-disable recovery is activated for BPDU Guard and check timers:
SW4#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Enabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 120 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Fa0/23         bpduguard              66
Fa0/24         bpduguard              66
Po34           bpduguard              66