[old] BPDU Guard / BPDU Filter

* This article was moved here from note.

I really want to get this straight once and for all.

BPDU Guard


Configuration

Switch7(config)#int gi1/3
Switch7(config-if)#span bpduguard enable

It can also be enabled globally with span portfast bpduguard default.

errdisable

Switch7#
*Oct 11 12:20:42.446: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/3 with BPDU Guard enabled. Disabling port.
Switch7#
*Oct 11 12:20:42.449: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/3, putting Gi1/3 in err-disable state
*Oct 11 12:20:43.504: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/3, changed state to down
Switch7#
*Oct 11 12:20:44.802: %LINK-3-UPDOWN: Interface GigabitEthernet1/3, changed state to down

Switch7#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
<snip>
GigabitEthernet1/3     unassigned      YES unset  down                  down
<snip>

Recovery (did not happen)

Switch7(config)#errdisable recovery cause bpduguard
~about 5 minutes later~
Switch7(config)#
*Oct 11 12:27:58.602: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/3
*Oct 11 12:27:59.336: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/3 with BPDU Guard enabled. Disabling port.
*Oct 11 12:27:59.339: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/3, putting Gi1/3 in err-disable state

Switch7#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
<snip>
GigabitEthernet1/3     unassigned      YES unset  down                  down
<snip>

There was no need to have errdisable recovery configured in advance.
However, because the neighbouring switch is still connected, the port is put straight back into errdisable, overriding the recovery.
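The recover-then-errdisable-again pattern in the log above is worth detecting automatically: a port that keeps bouncing through bpduguard errdisable still has a BPDU source attached. The following is an added example, not part of the original article; it parses the IOS syslog formats shown on this page and classifies each port as errdisabled, recovering, flapping (errdisabled again within a window of a recovery attempt) or recovered. The window length and the sample lines (constructed from this page's lab output) are assumptions.

```python
import re
from datetime import datetime

# Syslog messages an IOS switch emits during a BPDU Guard errdisable/recovery cycle
# (formats as in the lab log above); LINK messages use the long interface name.
PATTERNS = {
    "errdisable": re.compile(r"%PM-4-ERR_DISABLE: bpduguard error detected on (\S+),"),
    "recover": re.compile(r"%PM-4-ERR_RECOVER: .* bpduguard err-disable state on (\S+)"),
    "link_up": re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to up"),
}
TIMESTAMP = re.compile(r"\*(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+:")

def parse_events(lines):
    """Yield (timestamp, kind, port) for each relevant syslog line; others are skipped."""
    for line in lines:
        ts = TIMESTAMP.search(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:  # normalise GigabitEthernet1/3 -> Gi1/3 so all message types agree
                yield when, kind, m.group(1).replace("GigabitEthernet", "Gi")
                break

def classify_ports(lines, window_s=30):
    """Return {port: state}; 'flapping' = errdisabled again within window_s of a recovery
    attempt, i.e. the BPDU source is still attached and recovery is being overridden."""
    state, last_recover = {}, {}
    for when, kind, port in parse_events(lines):
        if kind == "recover":
            last_recover[port] = when
            state[port] = "recovering"
        elif kind == "errdisable":
            prev = last_recover.get(port)
            recent = prev is not None and (when - prev).total_seconds() <= window_s
            state[port] = "flapping" if recent else "errdisabled"
        elif kind == "link_up":
            state[port] = "recovered"
    return state

# Sample log lines, constructed from the lab output shown on this page (assumed input).
FLAP_LOG = [
    "*Oct 11 12:20:42.449: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/3, putting Gi1/3 in err-disable state",
    "*Oct 11 12:27:58.602: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/3",
    "*Oct 11 12:27:59.339: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/3, putting Gi1/3 in err-disable state",
]
RECOVERED_LOG = FLAP_LOG + [
    "*Oct 11 12:53:03.954: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/3",
    "*Oct 11 12:53:06.116: %LINK-3-UPDOWN: Interface GigabitEthernet1/3, changed state to up",
]
```

Running classify_ports(FLAP_LOG) reports Gi1/3 as flapping, and classify_ports(RECOVERED_LOG) reports it as recovered once the link comes back up.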

errdisable recovery cause [XXX]

Reference

Switch7(config)#errdisable recovery cause ?
  all                   Enable timer to recover from all error causes
  arp-inspection        Enable timer to recover from arp inspection error
                        disable state
  bpduguard             Enable timer to recover from BPDU Guard error
  channel-misconfig     Enable timer to recover from channel misconfig error
                        (STP)
  dhcp-rate-limit       Enable timer to recover from dhcp-rate-limit error
  dtp-flap              Enable timer to recover from dtp-flap error
  gbic-invalid          Enable timer to recover from invalid GBIC error
  inline-power          Enable timer to recover from inline-power error
  l2ptguard             Enable timer to recover from l2protocol-tunnel error
  link-flap             Enable timer to recover from link-flap error
  link-monitor-failure  Enable timer to recover from link monitoring failure
  loopback              Enable timer to recover from loopback error
  mac-limit             Enable timer to recover from mac limit disable state
  oam-remote-failure    Enable timer to recover from OAM detected remote
                        failure
  pagp-flap             Enable timer to recover from pagp-flap error
  port-mode-failure     Enable timer to recover from port mode change failure
  pppoe-ia-rate-limit   Enable timer to recover from PPPoE IA rate-limit error
  psecure-violation     Enable timer to recover from psecure violation error
  psp                   Enable timer to recover from psp
  security-violation    Enable timer to recover from 802.1x violation error
  sfp-config-mismatch   Enable timer to recover from SFP config mismatch error
  storm-control         Enable timer to recover from storm-control error
  udld                  Enable timer to recover from udld error
  unicast-flood         Enable timer to recover from unicast flood error
  vmps                  Enable timer to recover from vmps shutdown error

BPDU Filter


Configuration

There is a short lag, but once the BPDU filter was configured, Gi0/0 stopped sending BPDUs.
As with bpduguard, it can also be enabled globally with span portfast bpdufilter default.

Switch#debug span bpdu
Switch#
*Oct 11 12:57:00.962: RSTP(1): sending BPDU out Gi0/0
*Oct 11 12:57:00.970: RSTP(1): sending BPDU out Gi0/1
*Oct 11 12:57:00.980: RSTP(1): sending BPDU out Gi0/2
*Oct 11 12:57:00.992: RSTP(1): sending BPDU out Gi0/3
*Oct 11 12:57:01.007: RSTP(1): sending BPDU out Gi1/0
*Oct 11 12:57:01.021: RSTP(1): sending BPDU out Gi1/1
*Oct 11 12:57:01.038: RSTP(1): sending BPDU out Gi1/2
*Oct 11 12:57:01.052: RSTP(1): sending BPDU out Gi1/3
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#
Switch(config)#int gi0/0
Switch(config-if)#
*Oct 11 12:57:18.663: RSTP(1): sending BPDU out Gi0/0
*Oct 11 12:57:18.672: RSTP(1): sending BPDU out Gi0/1
*Oct 11 12:57:18.688: RSTP(1): sending BPDU out Gi0/2
*Oct 11 12:57:18.700: RSTP(1): sending BPDU out Gi0/3
*Oct 11 12:57:18.711: RSTP(1): sending BPDU out Gi1/0
*Oct 11 12:57:18.725: RSTP(1): sending BPDU out Gi1/1
*Oct 11 12:57:18.739: RSTP(1): sending BPDU out Gi1/2
*Oct 11 12:57:18.750: RSTP(1): sending BPDU out Gi1/3
Switch(config-if)#span bpdufilter enable
Switch(config-if)#
*Oct 11 12:57:21.393: RSTP(1): sending BPDU out Gi0/0
*Oct 11 12:57:21.409: RSTP(1): sending BPDU out Gi0/1
*Oct 11 12:57:21.424: RSTP(1): sending BPDU out Gi0/2
*Oct 11 12:57:21.441: RSTP(1): sending BPDU out Gi0/3
*Oct 11 12:57:21.457: RSTP(1): sending BPDU out Gi1/0
*Oct 11 12:57:21.475: RSTP(1): sending BPDU out Gi1/1
*Oct 11 12:57:21.487: RSTP(1): sending BPDU out Gi1/2
*Oct 11 12:57:21.494: RSTP(1): sending BPDU out Gi1/3
Switch(config-if)#
*Oct 11 12:57:24.094: RSTP(1): sending BPDU out Gi0/1
*Oct 11 12:57:24.101: RSTP(1): sending BPDU out Gi0/2
*Oct 11 12:57:24.111: RSTP(1): sending BPDU out Gi0/3
*Oct 11 12:57:24.116: RSTP(1): sending BPDU out Gi1/0
*Oct 11 12:57:24.122: RSTP(1): sending BPDU out Gi1/1
*Oct 11 12:57:24.126: RSTP(1): sending BPDU out Gi1/2
*Oct 11 12:57:24.137: RSTP(1): sending BPDU out Gi1/3
Switch(config-if)#end

Recovery (worked)

Once the BPDU filter was configured so that BPDUs were no longer sent, errdisable recovery kicked in and the port came back up.

Switch7#
*Oct 11 12:53:03.954: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/3
Switch7#
*Oct 11 12:53:06.116: %LINK-3-UPDOWN: Interface GigabitEthernet1/3, changed state to up
*Oct 11 12:53:07.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/3, changed state to up
Switch7#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
<snip>
GigabitEthernet1/3     unassigned      YES unset  up                    up
<snip>

Summary

BPDU Guard: receiving a BPDU puts the port into errdisable
BPDU Filter: the port neither accepts nor sends BPDUs
errdisable recovery: the default timer is 300 s

Actually configuring them makes the difference very clear.

1.1 Switched Campus