CCIE Routing & Switching v5 Workbook - CCIE R&S v5 Advanced Technology Labs - LAN Switching
STP BPDU Guard Default
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named LAN Switching Initial
Spanning Tree, which can be found in
. Reference the Virtual Routers &
Physical Switches Diagram to complete this task.
Task
Configure a port-channel between SW3 and SW4 as follows:
- SW3’s side should be a Layer 3 port-channel with IP address 169.254.34.3/24.
- SW4’s side should be a Layer 2 port-channel in VLAN 10.
- Both switches should actively initiate negotiation using a standard protocol.
Configure Spanning-Tree BPDU Guard on SW4 so that the EtherChannel is disabled if a BPDU is detected.
SW4 should attempt to re-enable the EtherChannel after two minutes.
Do not use interface-level commands to accomplish this.
Configuration
SW3:
default interface range FastEthernet0/23 - 24
!
interface Port-channel34
 no switchport
 ip address 169.254.34.3 255.255.255.0
!
interface range FastEthernet0/23 - 24
 no switchport
 channel-group 34 mode active
SW4:
default interface range FastEthernet0/23 - 24
!
spanning-tree portfast bpduguard default
spanning-tree portfast default
!
interface range FastEthernet0/23 - 24
 channel-group 34 mode active
!
interface Port-channel34
 switchport mode access
 switchport access vlan 10
!
errdisable recovery cause bpduguard
errdisable recovery interval 120
Verification
The BPDU Guard Default feature works in conjunction with Portfast to automatically
enable BPDU Guard on any interface in the Portfast state. Portfast can be enabled
at the global level or at the interface level; the task requirements restrict
interface-level commands. Verify that BPDU Guard is enabled by default, at the global level:
SW4#show spanning-tree interface port-channel34 detail
Port 328 (Port-channel34) of VLAN0010 is designated forwarding
Port path cost 12, Port priority 128, Port Identifier 128.328.
Designated root has priority 4106, address 0013.605f.f000
Designated bridge has priority 8202, address 001a.a174.2500
Designated port id is 128.328, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode by default
Link type is point-to-point by default
Bpdu guard is enabled by default
BPDU: sent 5, received 0
!
SW4#show spanning-tree interface fastEthernet0/23 detail
Port 328 (Port-channel34) of VLAN0010 is designated forwarding
Port path cost 12, Port priority 128, Port Identifier 128.328.
Designated root has priority 4106, address 0013.605f.f000
Designated bridge has priority 8202, address 001a.a174.2500
Designated port id is 128.328, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode by default
Link type is point-to-point by default
Bpdu guard is enabled by default
BPDU: sent 20, received 0
!
SW4#show spanning-tree interface fastEthernet0/24 detail
Port 328 (Port-channel34) of VLAN0010 is designated forwarding
Port path cost 12, Port priority 128, Port Identifier 128.328.
Designated root has priority 4106, address 0013.605f.f000
Designated bridge has priority 8202, address 001a.a174.2500
Designated port id is 128.328, designated path cost 38
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode by default
Link type is point-to-point by default
Bpdu guard is enabled by default
BPDU: sent 26, received 0
!
SW4#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
<output omitted>
By re-configuring SW3’s port-channel as Layer 2, STP BPDUs are generated and
SW4 will err-disable the port-channel:
SW3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#no interface port-channel34
SW3(config)#default interface range fastEthernet0/23 - 24
SW3(config)#interface range fastEthernet0/23 - 24
SW3(config-if-range)#channel-group 34 mode active
!
SW4#show interfaces port-channel34 status err-disabled
Port      Name      Status       Reason       Err-disabled Vlans
Po34                err-disabled bpduguard
!
SW4#show interfaces fastEthernet0/23 status err-disabled
Port      Name      Status       Reason       Err-disabled Vlans
Fa0/23              err-disabled bpduguard
!
SW4#show interfaces fastEthernet0/24 status err-disabled
Port      Name      Status       Reason       Err-disabled Vlans
Fa0/24              err-disabled bpduguard
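The global settings that produce this behavior can also be audited offline from a saved configuration. The following Python sketch is an added example, not part of the workbook: it checks the four global commands used in this task and reports which interfaces the global default actually covers. The function name and the two extra ports in the sample are hypothetical, and the check is static, so trunking negotiated at run time is not visible to it.

```python
import re

# Constructed sample: SW4's configuration from this page, plus two hypothetical
# ports (Fa0/1 trunk, Fa0/2 with an interface-level override) to exercise the checks.
SW4_CONFIG = """\
spanning-tree portfast bpduguard default
spanning-tree portfast default
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 spanning-tree bpduguard disable
interface Port-channel34
 switchport mode access
 switchport access vlan 10
errdisable recovery cause bpduguard
errdisable recovery interval 120
"""

def audit_bpduguard(config):
    """Report global BPDU Guard posture and which interfaces it covers."""
    lines = [l.rstrip() for l in config.splitlines()]
    top = [l for l in lines if l and not l.startswith((" ", "!"))]
    pat = r"errdisable recovery interval (\d+)"
    interval = [m for m in (re.fullmatch(pat, l) for l in top) if m]
    report = {
        "portfast_default": "spanning-tree portfast default" in top,
        "bpduguard_default": "spanning-tree portfast bpduguard default" in top,
        "auto_recovery": "errdisable recovery cause bpduguard" in top,
        # IOS uses 300 seconds when no recovery interval is configured.
        "recovery_seconds": int(interval[-1].group(1)) if interval else 300,
    }
    armed = report["portfast_default"] and report["bpduguard_default"]
    blocks, current = {}, None
    for l in lines:
        if l.startswith("interface "):
            current = blocks.setdefault(l.split(None, 1)[1], [])
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None  # back at global level
    coverage = {}
    for name, cmds in blocks.items():
        if {"spanning-tree bpduguard disable", "spanning-tree portfast disable"} & set(cmds):
            coverage[name] = "overridden at interface level"
        elif {"switchport mode trunk", "no switchport"} & set(cmds):
            coverage[name] = "not covered (trunk or routed port)"
        else:
            coverage[name] = "guarded" if armed else "unguarded"
    report["interfaces"] = coverage
    return report
```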
As soon as the EtherChannel is negotiated via LACP, the following log messages are
displayed by SW4, identifying the problem:
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state
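For monitoring, these messages can be parsed to show which ports went down and whether a whole bundle was taken with them. The following Python sketch is an added example, not part of the workbook: it reads the five messages above plus one constructed line with a different cause, and groups member ports under the port-channel whose violation disabled them. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The five %PM-4-ERR_DISABLE lines shown on this page, plus one constructed
# line with another cause (psecure-violation on Fa0/5) that must be ignored.
SW4_LOG = """\
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/23, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/23 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Fa0/24 in err-disable state
%PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
"""

ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<seen>[^,\s]+), "
    r"putting (?P<port>\S+) in err-disable state")

def bpduguard_hits(log):
    """Map each err-disabled port to the ports on which the BPDU was detected."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = ERR_DISABLE.search(line)
        if m and m["cause"] == "bpduguard" and m["seen"] not in hits[m["port"]]:
            hits[m["port"]].append(m["seen"])
    return dict(hits)

def bundles_down(log):
    """Group member ports under the port-channel whose violation disabled them."""
    hits = bpduguard_hits(log)
    bundles = {p: [] for p in hits if p.startswith("Po")}
    for port, seen in hits.items():
        for s in seen:
            if s in bundles and port != s:
                bundles[s].append(port)
    return {b: sorted(members) for b, members in bundles.items()}

if __name__ == "__main__":
    for bundle, members in bundles_down(SW4_LOG).items():
        print(f"{bundle} err-disabled by bpduguard; members down: {', '.join(members)}")
```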