This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SpanGuard feature on Enterasys Products

SpanGuard feature on Enterasys Products

FAQ_User
Extreme Employee

‎09-04-2013 11:03 PM

Article ID: 5258

Products
DFE
Matrix C1
Matrix E1
SecureStack A2
SecureStack B2
SecureStack C2
SmartSwitch 2000 2nd Generation
SmartSwitch 6000 2nd Generation
SmartSwitch 6000 3rd Generation

Protocols/Features
SpanGuard
Spanning Tree

Goals
What is SpanGuard
Which products support SpanGuard

Solution
SpanGuard (originally known as Secure Span) is a feature which shuts down a network port if it receives a BPDU. This feature may be activated on network edge ports, for the purpose of preventing "rogue" STA-aware devices from disrupting the existing Spanning Tree.

When SpanGuard is enabled (this is a global option, disabled by default), reception of a BPDU (except loopback) by a port which has the STA adminEdge option enabled will cause the port to be locked and its state set to Blocking. By default, this condition will last for five minutes after reception of the last BPDU.

Enterasys devices which support this feature:

  • Matrix N-Series DFE, firmware 4.00.50 and higher
  • Matrix C1, firmware 2.00.14 and higher
  • Matrix E1, firmware 3.00.14 and higher
  • SecureStack A2, firmware 1.03.17 and higher
  • SecureStack B2, firmware 3.01.16 and higher
  • SecureStack C2, firmware 4.00.24 and higher
  • SmartSwitch 2000/6000 2nd/3rd Generation, firmware 5.06.04 and higher
For the DFE, C1, and E1 (see 5756 for the SecureStack defaults); adminEdge is disabled (i.e. "adminedge false") by default, and must be enabled for individual User ports. If this is not done, SpanGuard will not function when enabled.
For the other products, adminEdge is enabled by default (i.e. "adminedge true"), and must be disabled for individual Uplink ports. If this is not done, SpanGuard will block uplink ports when enabled, as BPDUs are received.

After adjusting adminEdge and enabling SpanGuard ('set spantree spanguard enable'), it is highly recommended to review the status of your ports ('show spantree spanguardlock *.*.*'). The resulting display should show all ports as unlocked. Otherwise, either an uplink port has been set as "adminEdge true" in error, or a BPDU-ingressing edge port warrants further investigation.

Self-loopback-protection is already being handled as a separate function, possibly as a result of the action of 802.1w. The reception of foreign, unexpected BPDUs from beyond the edge of the defined Spanning Tree is truly a different issue, and is addressed by the SpanGuard feature.
0 Kudos
0 REPLIES 0
GTM-P2G8KFN