SpanGuard feature on Enterasys Products

  • 1.  SpanGuard feature on Enterasys Products

    Posted 09-04-2013 23:03
    Article ID: 5258

    Matrix C1
    Matrix E1
    SecureStack A2
    SecureStack B2
    SecureStack C2
    SmartSwitch 2000 2nd Generation
    SmartSwitch 6000 2nd Generation
    SmartSwitch 6000 3rd Generation

    Spanning Tree

    What is SpanGuard
    Which products support SpanGuard

    SpanGuard (originally known as Secure Span) is a feature which shuts down a network port if it receives a BPDU. This feature may be activated on network edge ports, for the purpose of preventing "rogue" STA-aware devices from disrupting the existing Spanning Tree.

    When SpanGuard is enabled (this is a global option, disabled by default), reception of a BPDU (except loopback) by a port which has the STA adminEdge option enabled will cause the port to be locked and its state set to Blocking. By default, this condition will last for five minutes after reception of the last BPDU.

    Enterasys devices which support this feature:

    • Matrix N-Series DFE, firmware 4.00.50 and higher
    • Matrix C1, firmware 2.00.14 and higher
    • Matrix E1, firmware 3.00.14 and higher
    • SecureStack A2, firmware 1.03.17 and higher
    • SecureStack B2, firmware 3.01.16 and higher
    • SecureStack C2, firmware 4.00.24 and higher
    • SmartSwitch 2000/6000 2nd/3rd Generation, firmware 5.06.04 and higher
    For the DFE, C1, and E1 (see 5756 for the SecureStack defaults); adminEdge is disabled (i.e. "adminedge false") by default, and must be enabled for individual User ports. If this is not done, SpanGuard will not function when enabled.
    For the other products, adminEdge is enabled by default (i.e. "adminedge true"), and must be disabled for individual Uplink ports. If this is not done, SpanGuard will block uplink ports when enabled, as BPDUs are received.

    After adjusting adminEdge and enabling SpanGuard ('set spantree spanguard enable'), it is highly recommended to review the status of your ports ('show spantree spanguardlock *.*.*'). The resulting display should show all ports as unlocked. Otherwise, either an uplink port has been set as "adminEdge true" in error, or a BPDU-ingressing edge port warrants further investigation.

    Self-loopback-protection is already being handled as a separate function, possibly as a result of the action of 802.1w. The reception of foreign, unexpected BPDUs from beyond the edge of the defined Spanning Tree is truly a different issue, and is addressed by the SpanGuard feature.