BPDU Guard Block on port that doesn't have BPDU Guard enabled

jwwork
Getting noticed

I just installed a new stack of MS350's running 10.40 that has a couple Cisco 2960's trunked off of it.  On the Meraki side of the trunks I usually set Root Guard to enabled.  When I do that the port shows BPDU Guard activated.  I even have tried to set the port to disable STP Guard but I still get the bpdu guard activated error.  I have tried cycling ports on both sides but no luck.  Is this an issue with 10.40?

jdsilva
Kind of a big deal

Has the config sync'd with the dashboard? It's not the "uplink" port that's triggering is it?

PhilipDAth
Kind of a big deal

Have you given your stack of MS350's a lower spanning tree priority (such as 0) than the 2960's?

And ideally, have you configured the 2960's to use MST?

spanning-tree mode mst
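As an added illustration (not configuration from PhilipDAth or from the original poster), here is what the 2960 side of that setup looks like in IOS: MST enabled, a priority value higher than the Meraki stack's so the stack stays root, BPDU guard left off on the trunk toward the stack and enabled only on access ports. Region name, revision and interface numbers are placeholders.

```cisco
! Added example, not from the thread. Region name and interface numbers are placeholders.
spanning-tree mode mst
spanning-tree mst configuration
 name EXAMPLE-REGION
 revision 1
!
! Higher priority value than the MS350 stack (e.g. stack at 0) so the stack remains root
spanning-tree mst 0 priority 32768
!
! Trunk toward the Meraki stack: BPDUs must flow both ways, so no BPDU guard here
interface GigabitEthernet1/0/1
 description Uplink-to-MS350-stack
 switchport mode trunk
 no spanning-tree bpduguard enable
!
! Access ports: BPDU guard err-disables the port if a switch or loop shows up on it
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification (exec mode): root ID should be the MS350 stack, trunk should be FWD
! show spanning-tree mst 0
! show interfaces status err-disabled
```

If `show spanning-tree mst 0` on the 2960 already lists the Meraki stack as root and the trunk as forwarding, the topology is sound and a lingering BPDU guard block on the Meraki end is a port-state issue on that side rather than a spanning tree problem.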

Yep, it doesn't really look like a spanning tree problem.  The 2960's were set to MST, and while the Meraki side is showing it's discarding packets because of BPDU Guard, the Cisco side of the link is up and it shows the Meraki as the STP root.  What it looked like to me is that even though I was disabling BPDU Guard on the port it wasn't actually disabling it.  I called support and they had me try a few things, and what seemed to work is physically reseating the cable on the Meraki end after disabling BPDU Guard.

PhilipDAth
Kind of a big deal

I've had issues in the past where I needed to use the "cycle port" option to properly make a config take.

I've not used this specific feature before though.  I have been burnt by using spanning tree protection features like this too many times in the past - so I don't use them at all now.

Overall, I have seen more issues caused by spanning tree protection features than I have seen from the spanning tree mis-configurations that they were trying to protect against.

My process when I configure a new switch or stack has always been to set all the ports except for the uplink to disabled, change them to access, and set BPDU guard to enabled.  That way, when I start configuring the access ports I just have to set the VLAN and enable them.  I hadn't had an issue until yesterday.  I should have thought to try the cycle port option; I tried to disable and re-enable the port with no luck.

jdsilva
Kind of a big deal

I'll just provide a counter position to @PhilipDAth's statement there. IMHO BPDU Guard is absolutely critical to any campus network. Guaranteed if you leave yourself unprotected someone somewhere is going to loop that port on you one day, and that day will be a bad day. I speak from experience. 

Having said that, I do completely agree that root guard and loop guard are useless in nearly every situation. The use cases where root guard actually provides a benefit are few and far between, and I much prefer UDLD to loop guard.

jwwork
Getting noticed

I agree, I enable BPDU Guard on every access port without exception.  I was having an issue where it wouldn't disable on a switch to switch trunk which I had not seen before.
