BPDU Guard Block on port that doesn't have BPDU Guard enabled
I just installed a new stack of MS350s running 10.40 that has a couple of Cisco 2960s trunked off of it. On the Meraki side of the trunks I usually set Root Guard to enabled. When I do that the port shows BPDU Guard activated. I have even tried to set the port to disable STP Guard but I still get the BPDU Guard activated error. I have tried cycling ports on both sides but no luck. Is this an issue with 10.40?
Yep, it doesn't really look like a spanning tree problem. The 2960s were set to MST, and while the Meraki side is showing it's discarding packets because of BPDU Guard, the Cisco side of the link is up and it shows the Meraki as the STP root. What it looked like to me is that even though I was disabling BPDU Guard on the port, it wasn't actually disabling it. I called support and they had me try a few things, and what seemed to work is physically reseating the cable on the Meraki end after disabling BPDU Guard.
My process when I configure a new switch or stack has always been to set all the ports except for the uplink to disabled, change them to access, and set BPDU Guard to enabled. That way when I start configuring the access ports I just have to set the VLAN and enable them. I hadn't had an issue until yesterday. I should have thought to try the cycle port option; I tried to disable and re-enable the port with no luck.
I'll just provide a counter position to @PhilipDAth's statement there. IMHO BPDU Guard is absolutely critical to any campus network. Guaranteed if you leave yourself unprotected someone somewhere is going to loop that port on you one day, and that day will be a bad day. I speak from experience.
Having said that, I do completely agree that root guard and loop guard are useless in nearly every situation. The use cases where root guard actually provides a benefit are few and far between, and I much prefer UDLD to loop guard.