
Mailing List Archive: Cisco: NSP

BPDU Guard issue

 

 



johns.stanly at gmail

Nov 2, 2009, 10:25 PM

Post #1 of 5
BPDU Guard issue

Hi,
Is it possible for a BPDU guard enabled switch port to get disabled without
connecting any other device than the IP Phone and a PC ? I had to do a shut
and no shut to bring it up !
The logs are as follows. Your inputs are highly appreciated.

Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port
FastEthernet0/21 with BPDU Guard enabled. Disabling port.
Nov 2 04:19:15.286: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/21,
putting Fa0/21 in err-disable state
Nov 2 04:19:16.334: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/21, changed state to down
Nov 2 04:19:17.332: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed
state to down
Nov 2 04:43:59.058: %SYS-5-CONFIG_I: Configured from console by XXX on vty0
(X.X.X.X.)
Nov 2 05:09:57.162: %LINK-5-CHANGED: Interface FastEthernet0/21, changed
state to administratively down
Nov 2 05:10:03.193: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed
state to down
Nov 2 05:10:03.327: %ILPOWER-7-DETECT: Interface Fa0/21: Power Device
detected: Cisco PD
Nov 2 05:10:07.446: %LINK-3-UPDOWN: Interface FastEthernet0/21, changed
state to up
Nov 2 05:10:08.453: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/21, changed state to up

3560#sh runn int f0/21
Building configuration...
Current configuration : 187 bytes
!
interface FastEthernet0/21
switchport access vlan dynamic
switchport mode access
switchport voice vlan 440
no mdix auto
spanning-tree portfast
spanning-tree bpduguard enable
3560#sh cdp nei f0/21 det
-------------------------
Device ID: SEP0012802908E5
Entry address(es):
IP address: X.X.X.X
Platform: Cisco IP Phone 7960, Capabilities: Host Phone
Interface: FastEthernet0/21, Port ID (outgoing port): Port 1
Holdtime : 166 sec
Version :
P00308000900
advertisement version: 2
Duplex: full
Power drawn: 6.300 Watts
Management address(es):
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


peter at rathlev

Nov 2, 2009, 11:16 PM

Post #2 of 5
Re: BPDU Guard issue

On Tue, 2009-11-03 at 09:25 +0300, Stanly Johns wrote:
> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ?

If the PC sends BPDUs, yes. :-)

> I had to do a shut and no shut to bring it up !

You can use "err-disable recovery" to automate the shut/no shut
function, but IMHO that would be wrong in this case. You should find out
from where those BPDUs come. (One way would be to temporarily turn off
BPDU guard and "debug spanning-tree bpdu receive".)

> The logs are as follows. Your inputs are highly appreciated.
>
> Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
> Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on
> port FastEthernet0/21 with BPDU Guard enabled. Disabling port.

Typically when we see this it's some creative user having connected both
the "=> Switch" and "=> PC" ports to the wall, with the phone forwarding
BPDUs between the switch ports. You wouldn't happen to see some of the
same messages from another switch at the same time? (The fact that you
can shut/unshut without the link going down again could also point
towards the other end maybe being err-disabled too.)

--
Peter
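
The cross-switch check suggested in the reply above, as an added example that is not part of the original thread: it pulls BPDU guard trips out of collected syslog and pairs trips on different ports that occur within a short window of each other. The collector line format, the hostnames sw-a/sw-b/sw-c and the 2-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: "<switch> <IOS timestamp>: <message>" as a central syslog
# collector might store it. Hostnames and the sw-b/sw-c events are invented.
SAMPLE_LOG = """\
sw-a Nov 2 04:13:02.388: %VQPCLIENT-7-RECONF: Reconfirming VMPS responses
sw-a Nov 2 04:19:15.286: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/21 with BPDU Guard enabled. Disabling port.
sw-b Nov 2 04:19:15.301: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.
sw-a Nov 2 04:19:15.286: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/21, putting Fa0/21 in err-disable state
sw-c Nov 2 09:40:11.020: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/3 with BPDU Guard enabled. Disabling port.
"""

EVENT_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s+"
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+)"
)

def parse_events(text, year=2009):
    """Return sorted (time, switch, port) tuples for every BPDU guard trip."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            # IOS timestamps carry no year; the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["host"], m["port"]))
    return sorted(events)

def correlate(events, window=timedelta(seconds=2)):
    """Pair trips on different ports that fall within `window` of each other."""
    pairs = []
    for i, (t1, h1, p1) in enumerate(events):
        for t2, h2, p2 in events[i + 1:]:
            if t2 - t1 > window:
                break  # events are sorted, so nothing later can match
            if (h1, p1) != (h2, p2):
                pairs.append(((h1, p1), (h2, p2)))
    return pairs

def unpaired(events, pairs):
    """Trips with no counterpart in the window (look at the attached device)."""
    seen = {end for pair in pairs for end in pair}
    return [(h, p) for _, h, p in events if (h, p) not in seen]

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("paired:", correlate(ev))
    print("unpaired:", unpaired(ev, correlate(ev)))
```

A paired result points at a cable or phone bridging two switch ports; an unpaired trip points at the device behind that single port. Switch clocks need to be NTP-synchronised for the window to mean anything.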




rubensk at gmail

Nov 3, 2009, 2:44 AM

Post #3 of 5
Re: BPDU Guard issue

On Tue, Nov 3, 2009 at 4:25 AM, Stanly Johns <johns.stanly [at] gmail> wrote:
> Hi,
> Is it possible for a BPDU guard enabled switch port to get disabled without
> connecting any other device than the IP Phone and a PC ? I had to do a shut
> and no shut to bring it up !
> The logs are as follows. Your inputs are highly appreciated.

Some Broadcom fault-tolerance drivers use BPDUs in active-active
configurations... an l-user might turn it on by mistake


Rubens


ianh at ianh

Nov 3, 2009, 4:51 AM

Post #4 of 5
Re: BPDU Guard issue

On Tue, 3 Nov 2009, Stanly Johns wrote:

> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ? I had
> to do a shut and no shut to bring it up !

I've run into this - VirtualBox uses Windows bridging to handle
networking which runs spanning-tree. Google shows the answer as:

"You can prevent the Bridge from forwarding packets by editing the
registry. In your favorite registry editor, navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP

Create a new DWORD value and name it DisableForwarding. Double click the
new entry and set its value to 1. You'll need to reboot to apply the
change. You can disable the Spanning Tree Algorithm in a similar manner,
by creating a DWORD value in the same key called DisableSTA and setting
its value to 1."

http://articles.techrepublic.com.com/5100-22_11-5569815.html via
http://forums.virtualbox.org/viewtopic.php?f=6&t=6264&start=0.

Rgds,




- I.


ltd at cisco

Nov 4, 2009, 3:11 AM

Post #5 of 5
Re: BPDU Guard issue

On 03/11/2009, at 5:25 PM, Stanly Johns wrote:

> Is it possible for a BPDU guard enabled switch port to get disabled
> without connecting any other device than the IP Phone and a PC ? I had
> to do a shut and no shut to bring it up !
> The logs are as follows. Your inputs are highly appreciated.

you had a loop on a portfast port, BPDU guard prevented that from
causing it to melt your network down.
you should be thankful.

i've seen loops caused by all sorts of things. some virtualization
software does it. some vendors' iLO ports can be bridged with a
non-iLO port, and some teaming/"failsafe" NIC drivers can do it.

my suggestion is to find out the root cause and fix that.


cheers,

lincoln.


