Wired Networks

How to enable BPDU guard function on MAS ?

Question: How to enable BPDU guard function on MAS ?

 

  1. BPDU guard function is to prevent receiving (and processing) of BPDUs that may cause instability to spanning tree by triggering unnecessary spanning tree (STP) calculation.
  2. Interface(s) with BPDU guard configured will be shut down when a BPDU is received

 
BPDU guard can be configured using spanning tree profile (mstp or pvst) similar to other spanning tree related features such as root guard, loop guard, then applied to the interface(s). Find below.
 
(Aruba3500) (config) #interface-profile mstp-profile <name>
(Aruba3500) (Interface MSTP "name") # bpduguard
(Aruba3500) (config) #interface gigabitethernet x/x/x
(Aruba3500) (gigabitethernet “x/x/x”) #mstp-profile <name>
 
If the interface(s) had been shut down due to DPBU guard, it can be automatically recovered through auto-recovery-time option. In addition, manual recovery is also possible by using clear port error-recovery command
 
(ArubaS3500) # clear port error-recovery
 
show port-error-recovery
Layer-2 Interface Error Information
-----------------------------------
Interface  Error                     Error seen time            Recovery time
---------  -----                     ---------------            -------------
GE1/0/47   Shutdown (BPDU received)  2012-12-11 11:09:07 (PST)  No Auto Recovery
 
 
show log security 10
Dec 11 11:09:07 :128008:  <ERRS> |l2m|  BPDU received on gigabitethernet1/0/47, shutting down the interface

 
show interface gigabitethernet 1/0/47.
GE1/0/47 is administratively Up, Link is Down, Line protocol is Down
MTU 1514 bytes
Link flaps: 1
Flags: Trunk, Trusted
Port shutdown reason : BPDU received
Link status last changed:       0d 00:00:00 ago
Last update of counters:        0d 00:00:00 ago
 
Note: BPDU guard ideally should be enabled on the edge ports to prevent STP attack from an user

Version History
Revision #:
1 of 1
Last update:
‎08-14-2014 12:03 PM
 
Labels (1)
Contributors
Comments

 

Note that error recovery timers will not auto-recover a downed port if it is moved into an interface group that does not have BPDUguard enabled, so it must be done manually.  This is a gotcha -- if you configure your default interface group (apply-to ALL) with BPDUguard, and then try to move a trunk port (without bpduguard) from one trunk group to another, it will go down because it will fall into the default group for a short time while you are moving it.  To avoid getting stranded, apply interface-specific commands to the interface while you are moving it.

 

 

 

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.