Article ID: 5258
Products
DFE
Matrix C1
Matrix E1
SecureStack A2
SecureStack B2
SecureStack C2
SmartSwitch 2000 2nd Generation
SmartSwitch 6000 2nd Generation
SmartSwitch 6000 3rd Generation
Protocols/Features
SpanGuard
Spanning Tree
Goals
What is SpanGuard
Which products support SpanGuard
Solution
SpanGuard (originally known as Secure Span) is a feature which shuts down a network port if it receives a BPDU. This feature may be activated on network edge ports, for the purpose of preventing "rogue" STA-aware devices from disrupting the existing Spanning Tree.
When SpanGuard is enabled (this is a global option, disabled by default), reception of a BPDU (except loopback) by a port which has the STA adminEdge option enabled will cause the port to be locked and its state set to Blocking. By default, this condition will last for five minutes after reception of the last BPDU.
Enterasys devices which support this feature:
- Matrix N-Series DFE, firmware 4.00.50 and higher
- Matrix C1, firmware 2.00.14 and higher
- Matrix E1, firmware 3.00.14 and higher
- SecureStack A2, firmware 1.03.17 and higher
- SecureStack B2, firmware 3.01.16 and higher
- SecureStack C2, firmware 4.00.24 and higher
- SmartSwitch 2000/6000 2nd/3rd Generation, firmware 5.06.04 and higher
For the DFE, C1, and E1 (see Article 5756 for the SecureStack defaults), adminEdge is disabled (i.e. "adminedge false") by default, and must be enabled for individual User ports. If this is not done, SpanGuard will not function when enabled.
For the other products, adminEdge is enabled by default (i.e. "adminedge true"), and must be disabled for individual Uplink ports. If this is not done, SpanGuard will block uplink ports when enabled, as BPDUs are received.
After adjusting adminEdge and enabling SpanGuard ('set spantree spanguard enable'), it is highly recommended to review the status of your ports ('show spantree spanguardlock *.*.*'). The resulting display should show all ports as unlocked. Otherwise, either an uplink port has been set as "adminEdge true" in error, or a BPDU-ingressing edge port warrants further investigation.
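The following is an added model of the lock behaviour described above, written for this article and not Enterasys code: it applies the rule (SpanGuard enabled, adminEdge true, non-loopback BPDU locks the port, with a five-minute hold that restarts on each BPDU) and performs the adminEdge review recommended before enabling the feature. Port names, the "user"/"uplink" role label and the port inventory are constructed assumptions; the real 'show spantree spanguardlock' output format is not reproduced.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    admin_edge: bool          # STA adminEdge setting ("adminedge true" / "false")
    role: str                 # operator label "user" or "uplink" (hypothetical field)
    locked: bool = False
    lock_expires_at: float = 0.0

@dataclass
class Switch:
    spanguard_enabled: bool = False   # global option, disabled by default
    ports: dict = field(default_factory=dict)

    def receive_bpdu(self, port_name, now, loopback=False):
        # Article rule: SpanGuard on + adminEdge true + non-loopback BPDU -> lock; timer restarts.
        p = self.ports[port_name]
        if not self.spanguard_enabled or not p.admin_edge or loopback:
            return False
        p.locked = True
        p.lock_expires_at = now + 300   # five minutes after the last BPDU, per the article
        return True

    def tick(self, now):
        # Release locks whose five-minute hold has elapsed as of 'now' (seconds).
        for p in self.ports.values():
            if p.locked and now >= p.lock_expires_at:
                p.locked = False

    def locked_ports(self):
        # What reviewing 'show spantree spanguardlock' should report: ideally nothing.
        return sorted(n for n, p in self.ports.items() if p.locked)

def preflight_warnings(switch):
    # The two adminEdge mistakes the article warns about, caught before SpanGuard is enabled.
    warnings = []
    for p in switch.ports.values():
        if p.role == "uplink" and p.admin_edge:
            warnings.append(f"{p.name}: uplink with adminEdge true, SpanGuard would block it")
        if p.role == "user" and not p.admin_edge:
            warnings.append(f"{p.name}: user port with adminEdge false, SpanGuard cannot act")
    return warnings

def build_demo_switch():
    # Constructed inventory: one correct edge port, one unprotected user port, one bad uplink.
    sw = Switch(spanguard_enabled=True)
    for p in (Port("ge.1.1", True, "user"), Port("ge.1.2", False, "user"), Port("ge.1.24", True, "uplink")):
        sw.ports[p.name] = p
    return sw
```

Running preflight_warnings on the demo inventory flags both the unprotected user port and the uplink that SpanGuard would lock, which is the same condition the spanguardlock review is meant to catch after the fact.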
Self-loopback-protection is already being handled as a separate function, possibly as a result of the action of 802.1w. The reception of foreign, unexpected BPDUs from beyond the edge of the defined Spanning Tree is truly a different issue, and is addressed by the SpanGuard feature.