stp-bpduguard and MSTP not working

New Contributor II
Hi all, 

I am doing a demo of an ICX 7150 and just configured it for MSTP. I set a port to stp-bpduguard and intentionally hooked up a Cisco switch to that port, but bpduguard does not seem to trigger. Am I doing something wrong here?

Contributor III
You are not doing anything wrong.  Cisco's BPDUguard is proprietary and does not recognize ICX BPDUs just like CDP does not recognize FDP packets.

New Contributor II
Hmm... The Cisco device immediately err-disabled the port. So does this mean there is no BPDU guard protection if a Cisco device is hooked up?

Here is probably what is going on. I am speaking from experience (a bad experience in 2017 resulting in 10 to 15 minutes of downtime...) as I troubleshot... 😉

If you have a Cisco device running BPDUguard on an interface, and it receives a recognized BPDU, it will put the port into an err-disabled state.

On a Cisco Device, that may look something like:

interface GigabitEthernet1/0/48
 spanning-tree bpduguard enable

That interface will go into err-disabled when it sees another "recognized" BPDU (i.e. a BPDU from another Cisco switch).

If, however, you connect an ICX switch to that G 1/0/48 port, the BPDU from the ICX will NOT shut down the port because it is not a BPDU recognized by Cisco.


Now here is where it gets fun...

Let's say you connect another, different Cisco device to that ICX device (within the same VLAN) as the ICX interface connecting to G 1/0/48 on the Cisco above.

Topology:  Cisco Device => ICX Device => Cisco Device with BPDUguard

The ICX, not recognizing the Cisco BPDU, does exactly what it is designed to do and switches the frame (a frame is the PDU for Layer 2, where the PDU for Layer 3 is the "packet"). Once the ICX device forwards a BPDU from one Cisco into the G 1/0/48 interface on another Cisco, the Cisco port with BPDUguard that received the BPDU goes into err-disabled.


General rule of thumb:

Do NOT mix ICX and Cisco within the same Layer-2 when it can be avoided.  It is MUCH better to separate these via Layer-3 because things like BPDUs and neighboring protocols do not work very well together.

For example, ICX uses FDP as its discovery protocol. A Cisco device does not know what to do with an FDP frame, so it just forwards the frame as if it were any other unknown frame. When these hit other ICX devices, you can no longer use FDP to meaningfully map your network.

Although these are minor issues, the most cost-effective solution to your ultimate problem is to build an ICX network.  The ICX-7150 series are excellent workhorse switches.  I would recommend getting the PoE+ variety to better future-proof your build.  If you want a great Layer-3 switch for the connection of a bunch of ICX-7150 switches, the ICX-7450 or ICX-7750
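As an added example (not from the thread, and not Ruckus or Cisco code), here is a small Python model of the forwarding decision behind the Cisco => ICX => Cisco topology above: IEEE 802.1D/MSTP BPDUs go to the reserved group address 01:80:C2:00:00:00, which a standards-based bridge such as the ICX consumes, while Cisco PVST+ BPDUs go to Cisco's own multicast 01:00:0C:CC:CC:CD, which the ICX floods like any other multicast frame, so it reaches the far Cisco port with BPDU guard. The frames, source MAC and simplified bridge behaviour are constructed for illustration.

```python
# Added example (not from the thread): a model of the frame-forwarding decision that
# lets a Cisco BPDU transit an ICX and trip BPDU guard on the far Cisco port.
# Frames, MACs and the bridge behaviour below are constructed for illustration.
IEEE_STP_DST = bytes.fromhex("0180c2000000")    # 802.1D reserved group address
CISCO_SSTP_DST = bytes.fromhex("01000ccccccd")  # Cisco PVST+ ("SSTP") multicast
SRC_MAC = bytes.fromhex("020000000001")         # constructed locally administered MAC

def build_frame(dst: bytes, payload: bytes) -> bytes:
    """802.3 frame: dst, src, length, then LLC (+SNAP) and the BPDU body."""
    return dst + SRC_MAC + len(payload).to_bytes(2, "big") + payload

# Minimal BPDU bodies: protocol id 0x0000, version (3 = MSTP, 0 = STP), type 0 = config
IEEE_BPDU = build_frame(IEEE_STP_DST, b"\x42\x42\x03" + b"\x00\x00\x03\x00" + bytes(32))
PVST_BPDU = build_frame(CISCO_SSTP_DST,
                        b"\xaa\xaa\x03\x00\x00\x0c\x01\x0b" + b"\x00\x00\x00\x00" + bytes(32))

def classify(frame: bytes) -> str:
    """Identify a frame by destination MAC and LLC/SNAP header."""
    dst, llc = frame[:6], frame[14:17]
    if dst == IEEE_STP_DST and llc == b"\x42\x42\x03":
        return "ieee-bpdu"
    if dst == CISCO_SSTP_DST and llc == b"\xaa\xaa\x03" and frame[17:22] == b"\x00\x00\x0c\x01\x0b":
        return "cisco-pvst-bpdu"
    return "other"

def bridge_action(vendor: str, frame: bytes, bpduguard: bool = False) -> str:
    """How one bridge port treats an ingress frame: consume it as a BPDU, flood it, or err-disable."""
    kind = classify(frame)
    if vendor == "cisco":
        if kind == "other":
            return "flood"
        return "err-disable" if bpduguard else "process-bpdu"  # Cisco parses both BPDU kinds
    # Standards-based bridge (the ICX here): only the reserved 01:80:C2 address is a BPDU to it;
    # the Cisco group address is an ordinary multicast and is flooded within the VLAN.
    return "process-bpdu" if kind == "ieee-bpdu" else "flood"

def trace(frame: bytes, hops: list) -> tuple:
    """Walk a frame through (vendor, bpduguard) hops; return (hop index, action) where it stops."""
    for i, (vendor, guard) in enumerate(hops):
        action = bridge_action(vendor, frame, guard)
        if action != "flood":
            return i, action
    return len(hops) - 1, "flood"

# Thread topology: Cisco A => ICX => Cisco B with BPDU guard (Cisco A originates the frame)
THREAD_TOPOLOGY = [("icx", False), ("cisco", True)]

if __name__ == "__main__":
    print("Cisco PVST+ BPDU:", trace(PVST_BPDU, THREAD_TOPOLOGY))  # (1, 'err-disable')
    print("IEEE/MSTP BPDU:  ", trace(IEEE_BPDU, THREAD_TOPOLOGY))  # (0, 'process-bpdu')
```

The IEEE frame is consumed by the first bridge it meets and never reaches Cisco B, while the PVST+ frame transits the ICX and err-disables the guarded port, which is the behaviour the post above describes.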

New Contributor II
Disregard. Got it working.