STP BPDU Guard 　・If the port received BPDUs, immediately it changes its port into err-disabled status.

Verification SW3 ・e1/0-1 create Port-Chanel ・L3 routed port IP address: 169.254.24.2 /24 SW4 ・e1/0-1 create Port-Chanel ・switchport mode access vlan 10 ・enbale bpduguard ・errdisable recovery cause bpduguard ・errdisable recovery interval 120 SW3#sh etherchannel summary (omit) Group Port-channel Protocol Ports ------+-------------+-----------+----------------------------------------------- 34 Po34(RU) LACP Et1/0(P) Et1/1(P) SW4#sh etherchannel summary (omit) Group Port-channel Protocol Ports ------+-------------+-----------+----------------------------------------------- 34 Po34(SU) LACP Et1/0(P) Et1/1(P) SW4#sh span vlan 10 (omit) Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Et0/0 Root FWD 100 128.1 Shr Et0/1 Altn BLK 100 128.2 Shr Po34 Desg FWD 56 128.65 Shr SW4#sh span vlan 10 int po 34 detail Port 65 (Port-channel34) of VLAN0010 is designated forwarding Port path cost 56, Port priority 128, Port Identifier 128.65. Designated root has priority 4106, address aabb.cc00.0100 Designated bridge has priority 8202, address aabb.cc00.0400 Designated port id is 128.65, designated path cost 200 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is shared by default Bpdu guard is enabled BPDU: sent 305, received 0 SW4#sh span vlan 10 int e1/0 detail Port 65 (Port-channel34) of VLAN0010 is designated forwarding Port path cost 56, Port priority 128, Port Identifier 128.65. Designated root has priority 4106, address aabb.cc00.0100 Designated bridge has priority 8202, address aabb.cc00.0400 Designated port id is 128.65, designated path cost 200 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is shared by default Bpdu guard is enabled BPDU: sent 361, received 0 SW4#sh span vlan 10 int e1/1 detail Port 65 (Port-channel34) of VLAN0010 is designated forwarding Port path cost 56, Port priority 128, Port Identifier 128.65. Designated root has priority 4106, address aabb.cc00.0100 Designated bridge has priority 8202, address aabb.cc00.0400 Designated port id is 128.65, designated path cost 200 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is shared by default Bpdu guard is enabled BPDU: sent 363, received 0

SW3 doesn't send BPDUs on po34, because it's an L3 Routed-port.

Changing e1/0, e1/1 on SW2 to an access port . SW3(config)#no int po34 SW3(config)#default int range e1/0-1 SW3(config)#int range e1/0-1 SW3(config-if-range)#channel-group 34 mode active Creating a port-channel interface Port-channel 34 SW3(config-if-range)#no shut

SW3 sends BPDUs on e0/0.

SW4#show int po34 status Port Name Status Vlan Duplex Speed Type Po34 err-disabled 10 auto auto

SW4#show int po34 status err-disabled Port Name Status Reason Err-disabled Vlans Po34 err-disabled bpduguard

SW4# %PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Et1/0 in err-disable state %PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Et1/1 in err-disable state %PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state

After two minutes (errdisable recovery interval 120), this port tries to recover.

However Its port receives BPDUs so that It changes into err-disabled status again.

%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Po34 %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et1/0 %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et1/1 %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up %LINK-3-UPDOWN: Interface Ethernet1/1, changed state to up (omit) %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to up (omit) %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Po34 with BPDU Guard enabled. Disabling port. %PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Et1/0 in err-disable state %PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Et1/1 in err-disable state %PM-4-ERR_DISABLE: bpduguard error detected on Po34, putting Po34 in err-disable state %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to down %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/1, changed state to down %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to down %LINK-3-UPDOWN: Interface Ethernet1/1, changed state to down SW4#sh errdisable recovery ErrDisable Reason Timer Status ----------------- -------------- arp-inspection Disabled bpduguard Enabled channel-misconfig (STP) Disabled dhcp-rate-limit Disabled dtp-flap Disabled gbic-invalid Disabled inline-power Disabled l2ptguard Disabled link-flap Disabled mac-limit Disabled link-monitor-failure Disabled loopback Disabled oam-remote-failure Disabled pagp-flap Disabled port-mode-failure Disabled pppoe-ia-rate-limit Disabled psecure-violation Disabled security-violation Disabled sfp-config-mismatch Disabled storm-control Disabled udld Disabled Interface Errdisable reason Time left(sec) --------- ----------------- -------------- unicast-flood Disabled vmps Disabled psp Disabled dual-active-recovery Disabled evc-lite input mapping fa Disabled Recovery command: "clear Disabled Timer interval: 120 seconds Interfaces that will be enabled at the next timeout: Interface Errdisable reason Time left(sec) --------- ----------------- -------------- Et1/0 bpduguard 83 Et1/1 bpduguard 83 Po34 bpduguard 83

#STP #BPDUGuard