SmartSwitch 2000 2nd Generation
SmartSwitch 6000 2nd Generation
SmartSwitch 6000 3rd Generation
What is SpanGuard?
Which products support SpanGuard?
SpanGuard (originally known as Secure Span) is a feature that shuts down a network port if it receives a BPDU. It may be activated on network edge ports to prevent "rogue" STA-aware devices from disrupting the existing Spanning Tree.
When SpanGuard is enabled (this is a global option, disabled by default), reception of a BPDU (except loopback) by a port which has the STA adminEdge option enabled will cause the port to be locked and its state set to Blocking. By default, this condition will last for five minutes after reception of the last BPDU.
Enterasys devices which support this feature:
- Matrix N-Series DFE, firmware 4.00.50 and higher
- Matrix C1, firmware 2.00.14 and higher
- Matrix E1, firmware 3.00.14 and higher
- SecureStack A2, firmware 1.03.17 and higher
- SecureStack B2, firmware 3.01.16 and higher
- SecureStack C2, firmware 4.00.24 and higher
- SmartSwitch 2000/6000 2nd/3rd Generation, firmware 5.06.04 and higher
For the other products, adminEdge is enabled by default (i.e. "adminedge true"), and must be disabled for individual uplink ports. If this is not done, SpanGuard will block the uplink ports once it is enabled, because those ports receive BPDUs.
After adjusting adminEdge and enabling SpanGuard ('set spantree spanguard enable'), it is highly recommended to review the status of your ports ('show spantree spanguardlock *.*.*'). The resulting display should show all ports as unlocked. If any port is shown as locked, either an uplink port has been set as "adminEdge true" in error, or an edge port is receiving BPDUs and warrants further investigation.
Self-loopback-protection is already being handled as a separate function, possibly as a result of the action of 802.1w. The reception of foreign, unexpected BPDUs from beyond the edge of the defined Spanning Tree is truly a different issue, and is addressed by the SpanGuard feature.
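The lock rule and the uplink pitfall described above can be modelled in a few lines. This is an added example, not Enterasys code: the port names, the event list and the choice to treat a port as unlocked exactly 300 seconds after its last BPDU are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

LOCK_SECONDS = 5 * 60  # default from the text: five minutes after the last BPDU

@dataclass
class Port:
    name: str                 # hypothetical label, not a real port-string
    admin_edge: bool          # STA adminEdge setting on this port
    last_bpdu: Optional[float] = None  # time of the last BPDU that locked the port

    def receive_bpdu(self, t, spanguard_enabled, loopback=False):
        """Apply the rule: global enable + adminEdge + non-loopback BPDU => lock."""
        if not spanguard_enabled or not self.admin_edge or loopback:
            return False
        self.last_bpdu = t    # every further BPDU restarts the five-minute hold
        return True

    def locked(self, t):
        # Assumption: the port counts as unlocked at exactly last_bpdu + 300 s.
        return self.last_bpdu is not None and t - self.last_bpdu < LOCK_SECONDS

def replay(ports, events, spanguard_enabled=True):
    """events: (time_s, port_name, is_loopback). Returns {port: unlock_time_s}."""
    by_name = {p.name: p for p in ports}
    for t, name, loopback in sorted(events):
        by_name[name].receive_bpdu(t, spanguard_enabled, loopback)
    return {p.name: p.last_bpdu + LOCK_SECONDS
            for p in ports if p.last_bpdu is not None}

def sample_ports():
    return [Port("edge-A", True),     # edge port with a rogue STA device attached
            Port("uplink-B", True),   # uplink left at "adminedge true" in error
            Port("uplink-C", False),  # uplink correctly set to adminEdge false
            Port("edge-D", True)]     # edge port that only hears its own BPDU

# Constructed events, in seconds since SpanGuard was enabled.
SAMPLE_EVENTS = [
    (0, "edge-A", False), (120, "edge-A", False),   # second BPDU extends the lock
    (0, "uplink-B", False), (2, "uplink-B", False), (4, "uplink-B", False),
    (0, "uplink-C", False),                         # ignored: not an edge port
    (30, "edge-D", True),                           # ignored: loopback BPDU
]

if __name__ == "__main__":
    for name, unlock in replay(sample_ports(), SAMPLE_EVENTS).items():
        print(f"{name}: locked, unlocks at t={unlock}s if no further BPDU arrives")
```

Because an uplink normally receives BPDUs continuously, a port like uplink-B never reaches its unlock time, which is why the adminEdge review has to happen before SpanGuard is enabled.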