New Member
Posts: 2
Registered: ‎02-25-2014
Kudos: 2
Accepted Solution

BPDU Guard Effect

I am running an ES48-500W with firmware 1.5.0 and I am trying to get BPDU Guard Effect enabled on the interfaces of STP under CST Port.  Mine says disabled and I have found nowhere that talks about enabling this feature on the ports.  I have BPDU Guard enabled under CST, but I can't get it enabled on the individual interfaces.  Can anyone help me?  Thanks.


Accepted Solutions
Ubiquiti Employee
Posts: 2,991
Registered: ‎02-04-2013
Kudos: 352
Solutions: 289

Re: BPDU Guard Effect

Neither do I... Thanks for reporting the issue and I'll put it in the internal bug tracking system.


New Member
Posts: 28
Registered: ‎09-15-2016
Kudos: 10
Solutions: 2

Re: BPDU Guard Effect

Update on this! I got it working!

BPDUGuard only applies to EdgePorts. -- Keep in mind that if a port is set to Auto-Edge, it will be an EdgePort UNTIL a BPDU is received on the port. At that point it becomes a regular port. When the port becomes a regular port, BPDUGuard DOES NOT APPLY TO THE PORT. <--- This is SUPER important!! If you are going to use BPDUGuard make SURE your Access Ports have the following config at LEAST:

interface 0/1
spanning-tree edgeport   --- Enables PortFast on the port
switchport access vlan X  --- Says that when the port is in access mode use this vlan
switchport mode access ---- Turns off DTP

Here is a bit more PoC:

1) Cisco 3560 (port fa0/24) is in trunk mode connected to UBNT port 0/1, and 0/1 is set to Auto-Edge

(USIL01-CNFF-SW1) #show running-config | include spann

spanning-tree bpduguard
!!! <output omitted> !!!

(USIL01-CNFF-SW1) #show running-config interface 0/1

!Current Configuration:
!
interface  0/1
switchport mode access
switchport access vlan 5
exit

(USIL01-CNFF-SW1) #show spanning-tree interface 0/1

Hello Time..................................... Not Configured
Port Mode...................................... Enabled
BPDU Guard Effect.............................. Disabled
Root Guard..................................... False
Loop Guard..................................... False
TCN Guard...................................... False
BPDU Filter Mode............................... Disabled
BPDU Flood Mode................................ Disabled
Auto Edge...................................... TRUE
Port Up Time Since Counters Last Cleared....... 0 day 0 hr 0 min 28 sec
STP BPDUs Transmitted.......................... 0
STP BPDUs Received............................. 0
RSTP BPDUs Transmitted......................... 0
RSTP BPDUs Received............................ 0
MSTP BPDUs Transmitted......................... 16
MSTP BPDUs Received............................ 176

As you can see from the output, the port is enabled but the BPDUGuard Effect is not true...

2) Same situation as above, but 0/1 is set to EdgePort explicitly

(USIL01-CNFF-SW1) #show running-config interface 0/1

!Current Configuration:
!
interface  0/1
spanning-tree edgeport
switchport mode access
switchport access vlan 5
exit

(USIL01-CNFF-SW1) #show spanning-tree interface 0/1

Hello Time..................................... Not Configured
Port Mode...................................... Enabled
BPDU Guard Effect.............................. Enabled
Root Guard..................................... False
Loop Guard..................................... False
TCN Guard...................................... False
BPDU Filter Mode............................... Disabled
BPDU Flood Mode................................ Disabled
Auto Edge...................................... TRUE
Port Up Time Since Counters Last Cleared....... 0 day 0 hr 0 min 10 sec
STP BPDUs Transmitted.......................... 0
STP BPDUs Received............................. 0
RSTP BPDUs Transmitted......................... 0
RSTP BPDUs Received............................ 0
MSTP BPDUs Transmitted......................... 16
MSTP BPDUs Received............................ 249
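
An added example (not part of the original post, and not Ubiquiti code): a Python check for the point made in the post above, flagging access ports that lack an explicit `spanning-tree edgeport` and reading the `BPDU Guard Effect` field from `show spanning-tree interface` output. The sample config is constructed from the fragments quoted in this thread; port 0/2 and the function names are assumptions for illustration.

```python
import re

# Constructed sample built from the config fragments quoted in this thread.
# Port 0/2 is a hypothetical second access port added for contrast.
SAMPLE_CONFIG = """\
spanning-tree bpduguard
interface  0/1
spanning-tree edgeport
switchport mode access
switchport access vlan 5
exit
interface  0/2
switchport mode access
switchport access vlan 5
exit
"""
# One field line in the format printed by 'show spanning-tree interface 0/1'.
SAMPLE_SHOW = "BPDU Guard Effect.............................. Disabled\n"

def parse_interfaces(config):
    """Return {interface: [config lines]} for each 'interface ... exit' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line and not line.startswith("!"):
            blocks[current].append(line)
    return blocks

def audit_bpduguard(config):
    """List the reasons BPDU Guard would not take effect on an access port."""
    findings = []
    if not re.search(r"^\s*spanning-tree bpduguard\s*$", config, re.M):
        findings.append("global: 'spanning-tree bpduguard' not configured")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines and "spanning-tree edgeport" not in lines:
            findings.append(f"{name}: access port without 'spanning-tree edgeport'")
    return findings

def guard_effect(show_output):
    """Extract the 'BPDU Guard Effect' value from the show command output."""
    m = re.search(r"^BPDU Guard Effect\.+\s*(\S+)", show_output, re.M)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(audit_bpduguard(SAMPLE_CONFIG), guard_effect(SAMPLE_SHOW))
```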

 

 

 



All Replies
Emerging Member
Posts: 48
Registered: ‎01-30-2017
Kudos: 1

Re: BPDU Guard Effect

Hi,

What about BPDU-Guard on v1.7? It seems like it isn't fixed yet, or am I wrong?

I can't find a way to enable it on my edgeports? Any suggestions?

Best regards,

Chris

Emerging Member
Posts: 48
Registered: ‎01-30-2017
Kudos: 1

Re: BPDU Guard Effect

Hi,

No one answered yet, so I need to ask again: Is there any way to enable BPDU-Guard on Access ports now?

Best regards,
Chris

Senior Member
Posts: 2,710
Registered: ‎02-24-2015
Kudos: 159
Solutions: 4

Re: BPDU Guard Effect

Same question here, how???
It still says,
BPDU Guard Effect disabled

New Member
Posts: 12
Registered: ‎06-15-2017

Re: BPDU Guard Effect

As far as I understand, BPDUguard is enabled but the linked field shows disabled while no BPDUs were received.

The online help states this:


BPDU Filter
When enabled, this feature filters the BPDU traffic on the edge ports. Edge ports do not need to participate in the spanning tree, so BPDU filtering allows BPDU packets received on edge ports to be dropped.

This option is enabled in my ES-8 with Firmware 1.7.

The underlying option is described as follows:


BPDU Guard Effect
Shows the status of BPDU Guard Effect on the interface. When enabled, BPDU Guard Effect can disable edge ports that receive BPDU packets. This prevents a new device from entering the existing STP topology. Thus devices that were originally not a part of STP are not allowed to influence the STP topology.

Similar to the Cisco Catalyst family, there is one BPDU Guard and the linked show command. Other vendors also use a different vocabulary...

Cisco uses PortFast, while Ubiquiti or Dell (if I'm right) use the term 'EdgePort' for the exact same feature.

New Member
Posts: 28
Registered: ‎09-15-2016
Kudos: 10
Solutions: 2

Re: BPDU Guard Effect


@CopperWorm10G wrote:

As far as I understand, BPDUguard is enabled but the linked field shows disabled while no BPDUs were received.

The online help states this:


BPDU Filter
When enabled, this feature filters the BPDU traffic on the edge ports. Edge ports do not need to participate in the spanning tree, so BPDU filtering allows BPDU packets received on edge ports to be dropped.

This option is enabled in my ES-8 with Firmware 1.7.

The underlying option is described as follows:


BPDU Guard Effect
Shows the status of BPDU Guard Effect on the interface. When enabled, BPDU Guard Effect can disable edge ports that receive BPDU packets. This prevents a new device from entering the existing STP topology. Thus devices that were originally not a part of STP are not allowed to influence the STP topology.

Similar to the Cisco Catalyst family, there is one BPDU Guard and the linked show command. Other vendors also use a different vocabulary...

Cisco uses PortFast, while Ubiquiti or Dell (if I'm right) use the term 'EdgePort' for the exact same feature.


Pardon my interjection here...

I would just like to say that this is not accurate.

I have a test environment with an ES-8-150W running v1.7 that is uplinked to a Cisco 3560.

ES-0/1 ------ Cisco-fa0/24

On the EdgeSwitch I have the following configuration

(Switch)# show run
!
<output omitted>
!
spanning-tree bpduguard
!
<output Omitted>
!
interface 0/1
switchport mode access
switchport access vlan 11
exit
!

On the Cisco I have the following config:

USIL01-TEMP-SW1(config)#do show run | b span
spanning-tree mode mst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
!
!
!
<Output Omitted>
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 5
 switchport mode trunk
!

Here is what I see on the EdgeSwitch

(USIL01-CNFF-SW1) #show spanning-tree mst port detailed 0 0/1

Port Identifier................................ 80:01
Port Priority.................................. 128
Port Forwarding State.......................... Forwarding
Port Role...................................... Root
Auto-calculate Port Path Cost.................. Enabled
Port Path Cost................................. 200000
Auto-Calculate External Port Path Cost......... Enabled
External Port Path Cost........................ 200000
Designated Root................................ 80:00:00:16:46:AA:DC:80
Designated Port Cost........................... 0
Designated Bridge.............................. 80:00:00:16:46:AA:DC:80
Designated Port Identifier..................... 80:1A
Topology Change Acknowledge.................... False
Hello Time..................................... 2
Edge Port...................................... False
Edge Port Status............................... False
Point to Point MAC Status...................... TRUE
CST Regional Root.............................. 80:00:00:16:46:AA:DC:80
CST Internal Root Path Cost.................... 0
Loop Inconsistent State........................ False
Transitions Into Loop Inconsistent State....... 0
Transitions Out Of Loop Inconsistent State..... 0

(USIL01-CNFF-SW1) #show spanning-tree interface 0/1

Hello Time..................................... Not Configured
Port Mode...................................... Enabled
BPDU Guard Effect.............................. Disabled
Root Guard..................................... False
Loop Guard..................................... False
TCN Guard...................................... False
BPDU Filter Mode............................... Disabled
BPDU Flood Mode................................ Disabled
Auto Edge...................................... TRUE
Port Up Time Since Counters Last Cleared....... 0 day 0 hr 8 min 12 sec
STP BPDUs Transmitted.......................... 0
STP BPDUs Received............................. 0
RSTP BPDUs Transmitted......................... 0
RSTP BPDUs Received............................ 0
MSTP BPDUs Transmitted......................... 13
MSTP BPDUs Received............................ 293

So I think it's safe to say the BPDUGuard doesn't work....

New Member
Posts: 28
Registered: ‎09-15-2016
Kudos: 10
Solutions: 2

Re: BPDU Guard Effect

Just upgraded ES-8-150W to v1.7.1 and issue persists.

New Member
Posts: 12
Registered: ‎06-15-2017

Re: BPDU Guard Effect

Oh those Auto Negotiations....yeah, they can mess up everything.
