nabeel92
asked on
spanning tree bpdu guard command
I'm having this issue where I have a P2P link between two sites. The moment I unplug the cable from the existing port on one side and move it to another port (say in a router), the ISP switch detects a change in MAC address at their end and consequently disables their port (as per them, it's a security measure). This is annoying as I can't even do my testing. What I have done is that currently one end of the link terminates into a Cisco Gigabit switch 2960G. I've enabled the BPDU guard command and it works fine. Now, I want to terminate this into an HWIC-4ESW card on a 2800 series router. Can I issue the same command on my router's int f0/0/0 so that it stops sending any BPDUs to the ISP switch? Otherwise the ISP is going to shut down the port at their end and I lose connectivity.
Given below is the current config of the switchport for BPDU. Can I do anything like this on the HWIC-4ESW interface of the router so that it stops sending any BPDUs?
LANSwitch1#sh running-config interface gigabitEthernet 0/20
Building configuration...
Current configuration : 133 bytes
!
interface GigabitEthernet0/20
description CrossConnect-AAPT
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end
ASKER
Thanks for clarifying the concept !
The only catch is that the device with that MAC address cannot be on the same network as router interface >> They both are on the same network, but I think if I shut down that original switchport (whose MAC address is registered with the ISP) and use that MAC instead on the router interface, then I won't be running into any problem?
Switches (layer 2) do not use the MAC address of an interface when they create frames. They use the "base mac address" (an address assigned to the chassis).
If your ISP is locking you down to one specific MAC address, connecting a switch to the provider is problematic since any MAC address received by the switch could go to the ISP interface.
If you could provide a bit more information about your network topology and what you're trying to accomplish it would allow me to suggest the best solution.
ASKER
Site 1 Rtr ------- ISP Switch ------- LAN Switch (My switch on site 2) ------- Site 2 Router
Basically what's happening is that when I terminate this cross connect between the two sites into this LAN switch, that switchport doesn't detect any settings and changes to its default of 100 Mb/half duplex. Previously, it used to go directly into the router and worked in full duplex. That's why I want to make the change.
I was working at it the other day. The ISP switch connection was plugged into LAN switch port #20. The moment I unplugged it from there and plugged it into switch port #19, the port went off. I then had to call their WAN Support, who confirmed that the port was disabled due to the change in MAC. Later, they shut/no shut it to bring it back up. I played around a couple more times, but the same thing happened: a change in port would result in the port getting shut down. So I guess they may be looking at the individual port MAC and not the chassis MAC address?
Now, I'm thinking to terminate the cable from the ISP switch directly into the router and shut down the switchport. For that, do I need to change the router's interface MAC address to that of switchport 0/20?
Why connect the ISP switch to your switch at Site 2? Connect it directly to the router like you have at Site 1.
ASKER
Exactly ...
Reason is because there were not enough spare ports available on Router 1. Now I have put in a second HWIC-4ESW card so I don't have to terminate into the switch. But when I tried to do it last time, the MAC detection features at the ISP blocked the link.
Ahhh... Okay. Then here's what you need to do. Because you can only have one MAC address show up at the ISP device, you'll need to create a VLAN for that connection, and turn off any traffic that would be sourced by the switch. Then create a trunk to the router for all the other devices.
Switch:
vlan 10
name internet
vlan 20
name office
int range g0/1 - 22
switchport mode access
switchport access vlan 20
int g0/23
description Link to Router
switchport mode trunk
int g0/24
description Link to ISP
switchport mode access
switchport access vlan 10
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
Router:
int f0/0.10
encap dot1q 10
ip address 192.168.10.1 255.255.255.0
int f0/0.20
encap dot1q 20
ip address 192.168.20.1 255.255.255.0
ASKER
Ok, given below is the status of the switchport, which is half duplex.
Port Name Status Vlan Duplex Speed Type
Gi0/20 CrossConnect-AAPT connected 1 a-half a-100 10/100/1000BaseTX
LANSwitch1#sh running-config interface gigabitEthernet 0/20
Building configuration...
Current configuration : 133 bytes
!
interface GigabitEthernet0/20
description CrossConnect-AAPT
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end
I can see the trunk link between router and switch, that bit is fine.
On the router, I've already configured
r2_core#sh running-config interface gigabitEthernet 0/0.1
Building configuration...
Current configuration : 108 bytes
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 172.16.0.66 255.255.255.248
end
I'm using VLAN 1 between the two links. Do I need to change it, or is it fine?
The only difference I see is that I change the port type on interface gig 0/20 to access, and that's it?
ASKER
Just making sure that this is what I'll do before I make this change on the live environment right now ;)
The link to the ISP has to be in a different VLAN than everything else on the switch. You also have to disable CDP.
ASKER
Ok, then I'll use VLAN 5, which is not being used, and see how it goes! I'll just update you...
ASKER
Just tried it, but no luck!
Assigned gig 0/20 to VLAN 19 (not used anywhere in the network). The config for the port is given below:
interface GigabitEthernet0/20
description CrossConnect-AAPT
switchport access vlan 19
switchport mode access
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
end
On the router, I defined
interface GigabitEthernet0/0.19
encapsulation dot1Q 19
ip address 172.16.0.66 255.255.255.248
end
Trunk is already established between the router and the switch !
ASKER
But that's fine since I plan to terminate this into the router directly. In that case, could you just confirm for me whether I only need to change the MAC of the router port to that of switchport gig 0/20 and it would be fine?
ASKER CERTIFIED SOLUTION
ASKER
The switchport was still operating in half duplex mode when I tried the suggested configuration. The trunk is established. Given below is the output of show interfaces trunk. The trunk with my router is on interface gig 0/23.
LANSwitch1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/5 on 802.1q trunking 1
Gi0/22 on 802.1q trunking 1
Gi0/23 on 802.1q trunking 1
Gi0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi0/5 1-4094
Gi0/22 1-4094
Gi0/23 1-4094
Gi0/24 1-4094
Port Vlans allowed and active in management domain
Gi0/5 1,19,100,140,160,180,190
Gi0/22 1,19,100,140,160,180,190
Gi0/23 1,19,100,140,160,180,190
Gi0/24 1,19,100,140,160,180,190
Port Vlans in spanning tree forwarding state and not pruned
Gi0/5 1,19,100,140,160,180,190
Gi0/22 1,19,100,140,160,180,190
Gi0/23 1,19,100,140,160,180,190
Gi0/24 140
LANSwitch1#
Which interface is connected to the router?
ASKER
interface gig 0/23
So everything works now?
ASKER
Well, everything was already working. I was under the impression that the configuration you suggested was to make the switchport gig 0/20 (from the ISP switch to the LAN switch) work in full duplex mode, as it has been working in half duplex. Anyhow, since this didn't change the port to full duplex, I will at some later time terminate the ISP switch cable directly into the router (after changing the MAC address of the router port) and hopefully will get a full duplex link between the ISP and my router.
Sorry if there was any confusion from my end through my words.
ASKER
Simply excellent !
You'll only be able to get the link at full duplex if ISP equipment supports full duplex.
>Can I issue the same command on my router's int f0/0/0 so that it stops sending any BPDUs to the ISP switch, otherwise ISP is going to shut down the port at their end and I lose connectivity.
First off, BPDU guard makes your port shutdown if it sees a BPDU. BPDU filter is how you stop a BPDU from being transmitted. Second, this doesn't have anything to do with Spanning Tree. What you need to do is prevent a different MAC address from showing up at the ISP.
What you can do is change the MAC address of the router interface to that of the device that the ISP has currently registered.
mac-address xxxx.xxxx.xxxx
The only catch is that the device with that MAC address cannot be on the same network as router interface.
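As an added example that is not part of the thread, the following Python script audits the two points made above: that bpduguard and bpdufilter do different things (only the latter stops the switch from transmitting BPDUs), and that a port facing a MAC-locked ISP must be an access port in a VLAN of its own with CDP disabled and BPDUs filtered, so that nothing but the one registered MAC ever appears on that wire. It also goes one step beyond the thread by reading the "Vlans allowed on trunk" section of show interfaces trunk and listing trunks other than the router uplink that still carry the ISP VLAN, since a host on that VLAN behind any of those trunks could forward frames out the ISP port. The config and trunk samples are constructed (port names and VLAN 19 follow the thread); the assumption that Gi0/23 is the router uplink is taken from the asker's own output.

```python
import re
from typing import Dict, List, Set

# Constructed samples (not output from the thread): the ISP-facing port as
# "show running-config interface" prints it, bare and then hardened as the
# thread ends up. Port names and VLAN 19 follow the thread.
BEFORE_CFG = """\
interface GigabitEthernet0/20
 description CrossConnect-AAPT
 spanning-tree bpduguard enable
"""
AFTER_CFG = """\
interface GigabitEthernet0/20
 description CrossConnect-AAPT
 switchport access vlan 19
 switchport mode access
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
"""
# Constructed excerpt of "show interfaces trunk" in the same layout as the thread.
TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/5       on           802.1q         trunking      1
Gi0/23      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/5       1-4094
Gi0/23      1,19,100
"""

def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its stripped config lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit_isp_port(lines: List[str], shared_vlans: Set[int] = frozenset({1})) -> List[str]:
    """Findings for a port facing an ISP that locks the link to a single MAC.
    Each check is one way the switch itself, or a host behind it, could put a
    second source MAC on the ISP-facing wire."""
    present, findings = set(lines), []
    # bpduguard only shuts *this* port when a BPDU arrives; bpdufilter is what
    # stops the switch transmitting BPDUs (sourced from its own MAC) to the ISP.
    if "spanning-tree bpdufilter enable" not in present:
        findings.append("BPDUs still sent: add 'spanning-tree bpdufilter enable'")
    # CDP frames are likewise sourced by the switch with a MAC the ISP has not seen.
    if "no cdp enable" not in present:
        findings.append("CDP still enabled: add 'no cdp enable'")
    # A trunk would carry every VLAN's hosts; the ISP link must be an access port.
    if "switchport mode access" not in present:
        findings.append("not an access port: add 'switchport mode access'")
    vlans = [int(m.group(1)) for l in lines
             if (m := re.match(r"^switchport access vlan (\d+)$", l))]
    # The default VLAN 1, or any VLAN with other hosts, lets their MACs reach the ISP.
    if not vlans or vlans[-1] in shared_vlans:
        findings.append("ISP port shares a VLAN with other devices: use a dedicated VLAN")
    return findings

def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,19,100' or '1-4094' into a set."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_allowed_vlans(show_trunk: str) -> Dict[str, Set[int]]:
    """Read the 'Vlans allowed on trunk' section of 'show interfaces trunk'."""
    allowed: Dict[str, Set[int]] = {}
    in_section = False
    for line in show_trunk.splitlines():
        if line.startswith("Port"):          # a section header
            in_section = "Vlans allowed on trunk" in line
        elif not line.strip():
            in_section = False
        elif in_section:
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlan_list(spec)
    return allowed

def trunks_leaking_isp_vlan(show_trunk: str, isp_vlan: int, router_trunk: str) -> List[str]:
    """Trunks other than the router uplink that still carry the ISP VLAN; prune it
    there with 'switchport trunk allowed vlan remove <vlan>' so no host behind
    them can forward frames out the ISP port."""
    return sorted(port for port, vlans in parse_allowed_vlans(show_trunk).items()
                  if isp_vlan in vlans and port != router_trunk)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, audit_isp_port(parse_interfaces(cfg)["GigabitEthernet0/20"]) or "OK")
    print("prune VLAN 19 from:", trunks_leaking_isp_vlan(TRUNK_OUTPUT, 19, "Gi0/23"))
```

Run against the asker's real trunk output, where VLAN 19 is allowed on Gi0/5, Gi0/22 and Gi0/24 as well as the router trunk, the last function would list those three ports as candidates for pruning; the audit itself only looks at the exact IOS lines, so abbreviated forms typed at the CLI should be taken from show running-config, which expands them.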