https://community.extremenetworks.com/t5/faqs/spanguard-feature-on-enterasys-products/m-p/47271#M448 Article ID: 5258 <BR /> <BR /> <B>Products</B><BR /> DFE<BR /> Matrix C1<BR /> Matrix E1<BR /> SecureStack A2<BR /> SecureStack B2<BR /> SecureStack C2<BR /> SmartSwitch 2000 2nd Generation<BR /> SmartSwitch 6000 2nd Generation<BR /> SmartSwitch 6000 3rd Generation <BR /> <BR /> <B>Protocols/Features</B><BR /> SpanGuard<BR /> Spanning Tree <BR /> <BR /> <B>Goals</B><BR /> What is SpanGuard<BR /> Which products support SpanGuard <BR /> <BR /> <B>Solution</B><BR /> SpanGuard (originally known as Secure Span) is a feature which shuts down a network port if it receives a BPDU. This feature may be activated on network edge ports, for the purpose of preventing "rogue" STA-aware devices from disrupting the existing Spanning Tree. <BR /> <BR /> When SpanGuard is enabled (this is a global option, disabled by default), reception of a BPDU (except loopback) by a port which has the STA adminEdge option enabled will cause the port to be locked and its state set to Blocking. By default, this condition will last for five minutes after reception of the last BPDU. <BR /> <BR /> Enterasys devices which support this feature: <BR /> <BR /> <UL> <LI>Matrix N-Series DFE, firmware 4.00.50 and higher </LI><LI>Matrix C1, firmware 2.00.14 and higher </LI><LI>Matrix E1, firmware 3.00.14 and higher </LI><LI>SecureStack A2, firmware 1.03.17 and higher </LI><LI>SecureStack B2, firmware 3.01.16 and higher </LI><LI>SecureStack C2, firmware 4.00.24 and higher </LI><LI>SmartSwitch 2000/6000 2nd/3rd Generation, firmware 5.06.04 and higher</LI></UL> For the DFE, C1, and E1 (see <A href="http://bit.ly/1t5oi8k" target="_blank" rel="nofollow noreferrer noopener">5756</A> for the SecureStack defaults); adminEdge is disabled (i.e. "adminedge false") by default, and must be enabled for individual User ports. If this is not done, SpanGuard will not function when enabled.<BR /> For the other products, adminEdge is enabled by default (i.e. "adminedge true"), and must be disabled for individual Uplink ports. If this is not done, SpanGuard will <I>block uplink ports</I> when enabled, as BPDUs are received. <BR /> <BR /> After adjusting adminEdge and enabling SpanGuard ('set spantree spanguard enable'), it is highly recommended to review the status of your ports ('show spantree spanguardlock *.*.*'). The resulting display should show all ports as unlocked. Otherwise, either an uplink port has been set as "adminEdge true" in error, or a BPDU-ingressing edge port warrants further investigation. <BR /> <BR /> Self-loopback-protection is already being handled as a separate function, possibly as a result of the action of 802.1w. The reception of foreign, unexpected BPDUs from beyond the edge of the defined Spanning Tree is truly a different issue, and is addressed by the SpanGuard feature. Thu, 05 Sep 2013 06:03:00 GMT FAQ_User 2013-09-05T06:03:00Z https://community.extremenetworks.com/t5/faqs/spanguard-feature-on-enterasys-products/m-p/47271#M448 Article ID: 5258 <BR /> <BR /> <B>Products</B><BR /> DFE<BR /> Matrix C1<BR /> Matrix E1<BR /> SecureStack A2<BR /> SecureStack B2<BR /> SecureStack C2<BR /> SmartSwitch 2000 2nd Generation<BR /> SmartSwitch 6000 2nd Generation<BR /> SmartSwitch 6000 3rd Generation <BR /> <BR /> <B>Protocols/Features</B><BR /> SpanGuard<BR /> Spanning Tree <BR /> <BR /> <B>Goals</B><BR /> What is SpanGuard<BR /> Which products support SpanGuard <BR /> <BR /> <B>Solution</B><BR /> SpanGuard (originally known as Secure Span) is a feature which shuts down a network port if it receives a BPDU. This feature may be activated on network edge ports, for the purpose of preventing "rogue" STA-aware devices from disrupting the existing Spanning Tree. <BR /> <BR /> When SpanGuard is enabled (this is a global option, disabled by default), reception of a BPDU (except loopback) by a port which has the STA adminEdge option enabled will cause the port to be locked and its state set to Blocking. By default, this condition will last for five minutes after reception of the last BPDU. <BR /> <BR /> Enterasys devices which support this feature: <BR /> <BR /> <UL> <LI>Matrix N-Series DFE, firmware 4.00.50 and higher </LI><LI>Matrix C1, firmware 2.00.14 and higher </LI><LI>Matrix E1, firmware 3.00.14 and higher </LI><LI>SecureStack A2, firmware 1.03.17 and higher </LI><LI>SecureStack B2, firmware 3.01.16 and higher </LI><LI>SecureStack C2, firmware 4.00.24 and higher </LI><LI>SmartSwitch 2000/6000 2nd/3rd Generation, firmware 5.06.04 and higher</LI></UL> For the DFE, C1, and E1 (see <A href="http://bit.ly/1t5oi8k" target="_blank" rel="nofollow noreferrer noopener">5756</A> for the SecureStack defaults); adminEdge is disabled (i.e. "adminedge false") by default, and must be enabled for individual User ports. If this is not done, SpanGuard will not function when enabled.<BR /> For the other products, adminEdge is enabled by default (i.e. "adminedge true"), and must be disabled for individual Uplink ports. If this is not done, SpanGuard will <I>block uplink ports</I> when enabled, as BPDUs are received. <BR /> <BR /> After adjusting adminEdge and enabling SpanGuard ('set spantree spanguard enable'), it is highly recommended to review the status of your ports ('show spantree spanguardlock *.*.*'). The resulting display should show all ports as unlocked. Otherwise, either an uplink port has been set as "adminEdge true" in error, or a BPDU-ingressing edge port warrants further investigation. <BR /> <BR /> Self-loopback-protection is already being handled as a separate function, possibly as a result of the action of 802.1w. The reception of foreign, unexpected BPDUs from beyond the edge of the defined Spanning Tree is truly a different issue, and is addressed by the SpanGuard feature. Thu, 05 Sep 2013 06:03:00 GMT https://community.extremenetworks.com/t5/faqs/spanguard-feature-on-enterasys-products/m-p/47271#M448 FAQ_User 2013-09-05T06:03:00Z