Discussion:
[c-nsp] BPDU Guard issue
Stanly Johns
2009-11-03 06:25:32 UTC
Hi,
Is it possible for a BPDU guard enabled switch port to get disabled without
connecting any other device than the IP Phone and a PC ? I had to do a shut
and no shut to bring it up !
The logs are as follows. Your inputs are highly appreciated.

Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/21 with BPDU Guard enabled. Disabling port.
Nov 2 04:19:15.286: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/21, putting Fa0/21 in err-disable state
Nov 2 04:19:16.334: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to down
Nov 2 04:19:17.332: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to down
Nov 2 04:43:59.058: %SYS-5-CONFIG_I: Configured from console by XXX on vty0 (X.X.X.X.)
Nov 2 05:09:57.162: %LINK-5-CHANGED: Interface FastEthernet0/21, changed state to administratively down
Nov 2 05:10:03.193: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to down
Nov 2 05:10:03.327: %ILPOWER-7-DETECT: Interface Fa0/21: Power Device detected: Cisco PD
Nov 2 05:10:07.446: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to up
Nov 2 05:10:08.453: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up

3560#sh runn int f0/21
Building configuration...
Current configuration : 187 bytes
!
interface FastEthernet0/21
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 440
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable
3560#sh cdp nei f0/21 det
-------------------------
Device ID: SEP0012802908E5
Entry address(es):
IP address: X.X.X.X
Platform: Cisco IP Phone 7960, Capabilities: Host Phone
Interface: FastEthernet0/21, Port ID (outgoing port): Port 1
Holdtime : 166 sec
Version :
P00308000900
advertisement version: 2
Duplex: full
Power drawn: 6.300 Watts
Management address(es):
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Peter Rathlev
2009-11-03 07:16:11 UTC
Post by Stanly Johns
Is it possible for a BPDU guard enabled switch port to get disabled
without connecting any other device than the IP Phone and a PC ?
If the PC sends BPDUs, yes. :-)
Post by Stanly Johns
I had to do a shut and no shut to bring it up !
You can use "err-disable recovery" to automate the shut/no shut
function, but IMHO that would be wrong in this case. You should find out
from where those BPDUs come. (One way would be to temporarily turn off
BPDU guard and "debug spanning-tree bpdu receive".)
Post by Stanly Johns
The logs are as follows. Your inputs are highly appreciated.
Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on
port FastEthernet0/21 with BPDU Guard enabled. Disabling port.
Typically when we see this it's some creative user having connected both
the "=> Switch" and "=> PC" ports to the wall, with the phone forwarding
BPDUs between the switch ports. You wouldn't happen to see some of the
same messages from another switch at the same time? (The fact that you
can shut/unshut without the link going down again could also point
towards the other end maybe being err-disabled too.)
--
Peter
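
The cross-switch check suggested in the reply above, as an added example that is not part of the original thread: it pulls BPDU Guard trips out of collected syslog and pairs trips on different ports that fall within two seconds of each other, the pattern a phone cabled between two wall ports would produce. The `<switch>` prefix on each line, the hostnames `sw-a`/`sw-b`, the two-second window and the sample lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: collector lines as "<switch> <IOS message>"; hostnames are hypothetical.
SAMPLE = """\
sw-a Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
sw-a Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/21 with BPDU Guard enabled. Disabling port.
sw-b Nov 2 04:19:15.301: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.
sw-a Nov 2 04:19:15.286: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/21, putting Fa0/21 in err-disable state
sw-b Nov 2 09:30:00.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/3 with BPDU Guard enabled. Disabling port.
"""

EVENT = re.compile(
    r"^(?P<host>\S+) (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) ")

def parse_events(text, year=2009):
    """Return sorted (time, switch, port) tuples for every BPDU Guard trip."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            # IOS timestamps carry no year; supply one so parsing is unambiguous.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["host"], m["port"]))
    return sorted(events)

def paired_trips(events, window=timedelta(seconds=2)):
    """Pair trips on different ports that occur within `window` of each other."""
    pairs = []
    for i, (t1, h1, p1) in enumerate(events):
        for t2, h2, p2 in events[i + 1:]:
            if t2 - t1 > window:
                break  # events are sorted, so nothing later can match
            if (h1, p1) != (h2, p2):
                pairs.append(((h1, p1), (h2, p2)))
    return pairs

def isolated_trips(events, pairs):
    """Trips with no partner: look at the device attached to that port instead."""
    paired = {end for pair in pairs for end in pair}
    return [(h, p) for _, h, p in events if (h, p) not in paired]

if __name__ == "__main__":
    found = parse_events(SAMPLE)
    loops = paired_trips(found)
    print("paired:", loops)
    print("isolated:", isolated_trips(found, loops))
```

A paired result points at cabling between the two ports; an isolated trip points at whatever is plugged into that one port.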


Rubens Kuhl
2009-11-03 10:44:47 UTC
Post by Stanly Johns
Hi,
Is it possible for a BPDU guard enabled switch port to get disabled without
connecting any other device than the IP Phone and a PC ? I had to do a shut
and no shut to bring it up !
The logs are as follows. Your inputs are highly appreciated.
Some Broadcom fault-tolerance drivers use BPDUs in active-active
configurations... an l-user might turn it on by mistake


Rubens
Ian Henderson
2009-11-03 12:51:37 UTC
Post by Stanly Johns
Is it possible for a BPDU guard enabled switch port to get disabled
without connecting any other device than the IP Phone and a PC ? I had
to do a shut and no shut to bring it up !
I've run into this - VirtualBox uses Windows bridging to handle
networking which runs spanning-tree. Google shows the answer as:

"You can prevent the Bridge from forwarding packets by editing the
registry. In your favorite registry editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the
new entry and set its value to 1. You'll need to reboot to apply the
change. You can disable the Spanning Tree Algorithm in a similar manner,
by creating a DWORD value in the same key called DisableSTA and setting
its value to 1."

http://articles.techrepublic.com.com/5100-22_11-5569815.html via
http://forums.virtualbox.org/viewtopic.php?f=6&t=6264&start=0.

Rgds,




- I.
Lincoln Dale
2009-11-04 11:11:13 UTC
Post by Stanly Johns
Is it possible for a BPDU guard enabled switch port to get disabled without
connecting any other device than the IP Phone and a PC ? I had to do a shut
and no shut to bring it up !
The logs are as follows. Your inputs are highly appreciated.
you had a loop on a portfast port, BPDU guard prevented that from
causing it to melt your network down.
you should be thankful.

i've seen loops caused by all sorts of things. some virtualization
software does it. some vendors' iLO ports can be bridged with a non-
iLO port, and some teaming/"failsafe" NIC drivers can do it.

my suggestion is to find out the root cause and fix that.


cheers,

lincoln.

