stp-bdpuguard and MSTP not working

  • Question
  • Updated 5 months ago
Hi all, 

I am doing a demo of an ICX 7150 and just configured it for MSTP.  I set a port to stp-bpduguard and intentionally hooked up a Cisco switch to that port, but bpduguard does not seem to trigger.  Am I doing something wrong here?

Robert Placencia

  • 5 Posts
  • 0 Reply Likes

Posted 5 months ago


NETWizz

  • 158 Posts
  • 41 Reply Likes
You are not doing anything wrong.  Cisco's BPDUguard is proprietary and does not recognize ICX BPDUs just like CDP does not recognize FDP packets.

Robert Placencia

  • 5 Posts
  • 0 Reply Likes
Hmm...  The Cisco device immediately err-disabled the port.  So does this mean there is no bpdu guard protection if a Cisco device is hooked up?

NETWizz

  • 130 Posts
  • 30 Reply Likes
Here is probably what is going on.  I am speaking from experience (a bad experience in 2017 resulting in 10 to 15 minutes downtime...) as I troubleshot... ;-)

If you have a Cisco device running BPDUguard on an interface, and it receives a recognized BPDU, it will put the port into an err-disabled state.

On a Cisco Device, that may look something like:

interface GigabitEthernet 1/0/48
spanning-tree bpduguard enable
!

That interface will go into err-disabled when it sees another "recognized" BPDU (i.e. a BPDU from another Cisco switch).

If, however, you connect an ICX switch to that G 1/0/48 port, the BPDU from the ICX will NOT shut down the port because it is not a recognized BPDU by Cisco.

*****

Now here is where it gets fun...

Let's say you connect another, different Cisco device to that ICX device (within the same VLAN) as the ICX interface connecting to G 1/0/48 on the Cisco above.

Topology:  Cisco Device => ICX Device => Cisco Device with BPDUguard

The ICX not recognizing the Cisco BPDU does exactly what it is designed to do and switches the Frame (Frame is the PDU for Layer-2, where the PDU for Layer-3 is the "packet").  Once the ICX device forwards a BPDU from one Cisco into the G 1/0/48 interface on another Cisco, the Cisco port with BPDUguard that received it puts that interface into err-disabled.

*****

General rule of thumb:

Do NOT mix ICX and Cisco within the same Layer-2 when it can be avoided.  It is MUCH better to separate these via Layer-3 because things like BPDUs and neighboring protocols do not work very well together.

For example, ICX uses FDP as its discovery protocol.  A Cisco device does not know what to do with an FDP Frame, so it just forwards the frame as if it were any other unknown frame.  When they hit other ICX devices, you can no longer use FDP to meaningfully map your network.

Although these are minor issues, the most cost-effective solution to your ultimate problem is to build an ICX network.  The ICX-7150 series are excellent workhorse switches.  I would recommend getting the PoE+ variety to better future-proof your build.  If you want a great Layer-3 switch for the connection of a bunch of ICX-7150 switches, the ICX-7450 or ICX-7750

Robert Placencia

  • 5 Posts
  • 0 Reply Likes
Disregard.  Got it working.


NETWizz

  • 134 Posts
  • 34 Reply Likes
Awesome.  I am guessing you turned off BPDUguard??? ;-)

Robert Placencia

  • 5 Posts
  • 0 Reply Likes
I had already done that on the Cisco side.  Honestly not sure what fixed it.  I just defaulted the config on the Cisco side port, then added the access VLAN back on it.

Jon Maiman, Employee

  • 9 Posts
  • 4 Reply Likes
ICXs can be configured to interop with the various flavors of Cisco PVST so that spanning tree will have a consistent state in both the Ruckus (Brocade/Foundry) portion of the network and the Cisco portion of the network.  I have implemented this many times.  Besides the different BPDU frame formats, PVST typically transmits the BPDUs on an untagged native VLAN (default VLAN is 1).  So the ICX also needs to be configured to have the native VLAN be untagged (dual-mode in older FastIron code).

--Jon
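Both NETWizz's walk-through and Jon's note come down to the two BPDU flavours being different on the wire: IEEE 802.1D/w/s BPDUs go to 01:80:C2:00:00:00 with a plain LLC header, while Cisco PVST+ BPDUs go to 01:00:0C:CC:CC:CD with a SNAP header carrying the Cisco OUI, optionally 802.1Q-tagged per VLAN. The following is an added example, not code from this thread, Ruckus or Cisco: a small Python classifier that tells the two apart from a raw frame, with constructed sample frames (the source MACs and VLAN 10 are made up), which is handy when checking a capture from an access port to see which kind of BPDU actually arrived.

```python
import struct

# Well-known encapsulations from the public specs (constants, not vendor code)
IEEE_STP_MAC = bytes.fromhex("0180c2000000")   # 802.1D/w/s BPDUs
CISCO_SSTP_MAC = bytes.fromhex("01000ccccccd")  # Cisco PVST+/SSTP BPDUs
CISCO_OUI = bytes.fromhex("00000c")
PVST_SNAP_PID = 0x010B
VERSIONS = {0: "STP", 2: "RSTP", 3: "MSTP"}

def classify_bpdu(frame: bytes) -> dict:
    """Return kind ('ieee', 'cisco-pvst+' or 'other'), the 802.1Q VLAN if tagged,
    and for BPDUs the protocol version name and BPDU type byte."""
    dst, off, vlan = frame[:6], 12, None
    if frame[off:off + 2] == b"\x81\x00":          # optional 802.1Q tag
        vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    length = struct.unpack("!H", frame[off:off + 2])[0]
    if length > 1500:                               # Ethernet II type, so no LLC header
        return {"kind": "other", "vlan": vlan}
    llc, body = frame[off + 2:off + 5], off + 5
    if dst == IEEE_STP_MAC and llc == b"\x42\x42\x03":
        kind = "ieee"
    elif (dst == CISCO_SSTP_MAC and llc == b"\xaa\xaa\x03"
          and frame[body:body + 3] == CISCO_OUI
          and struct.unpack("!H", frame[body + 3:body + 5])[0] == PVST_SNAP_PID):
        kind, body = "cisco-pvst+", body + 5        # skip SNAP OUI + protocol id
    else:
        return {"kind": "other", "vlan": vlan}
    _proto_id, version, bpdu_type = struct.unpack("!HBB", frame[body:body + 4])
    return {"kind": kind, "vlan": vlan,
            "version": VERSIONS.get(version, f"unknown({version})"),
            "bpdu_type": bpdu_type}

def build_frame(dst: bytes, llc: bytes, version: int, bpdu_type: int, vlan=None) -> bytes:
    """Constructed sample: 802.3 length field, LLC(/SNAP) header, BPDU header, zeroed body."""
    src = bytes.fromhex("020000000001")             # constructed source MAC
    payload = llc + struct.pack("!HBB", 0, version, bpdu_type) + bytes(32)
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    return dst + src + tag + struct.pack("!H", len(payload)) + payload

# Constructed samples: an ICX-style MSTP BPDU, a Cisco PVST+ BPDU tagged for VLAN 10, an ARP frame
ICX_MSTP = build_frame(IEEE_STP_MAC, b"\x42\x42\x03", 3, 0x02)
CISCO_PVST = build_frame(CISCO_SSTP_MAC,
                         b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", PVST_SNAP_PID),
                         0, 0x00, vlan=10)
ARP = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000002") + b"\x08\x06" + bytes(28)

if __name__ == "__main__":
    for name, frame in [("ICX_MSTP", ICX_MSTP), ("CISCO_PVST", CISCO_PVST), ("ARP", ARP)]:
        print(name, classify_bpdu(frame))
```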