Plugged wlan access point - no link on switch (BPDU Guard disabled port)

Written by - 0 comments

Published on June 30th 2016 - Listed in Network


Just Plug'n'Play. Sure. 

For a small tech conference, I needed an additional WLAN access point and patched it (via a patch panel) to a Cisco Catalyst switch. The switch port quickly flashed once and went down again. First I suspected a problem with the switch port, so I tried a different port. Same effect: the port flashed once, then went dark.

On the switch itself I detected the following entries:

SWITCH#sh log
[...]
Jun 29 14:28:51.864 MEST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa2/0/47 with BPDU Guard enabled. Disabling port. (SWITCH)
Jun 29 14:28:51.873 MEST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa2/0/47, putting Fa2/0/47 in err-disable state (SWITCH)
Jun 29 14:30:17.891 MEST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa2/0/45 with BPDU Guard enabled. Disabling port. (SWITCH)
Jun 29 14:30:17.891 MEST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa2/0/45, putting Fa2/0/45 in err-disable state (SWITCH)
Jun 29 14:32:37.906 MEST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa1/0/46 with BPDU Guard enabled. Disabling port.
Jun 29 14:32:37.906 MEST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/46, putting Fa1/0/46 in err-disable state

At least this tells me that the switch port isn't defective. Neither is the RJ45 cable. But that's something I haven't seen before.

After some research I came across this article, explaining the ERR-DISABLE feature. It seems that the switch detected that the patched device is a bridge (an access point is a bridge and sends BPDUs), and because BPDU Guard is enabled on the port, it disabled the port for security reasons.
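To spot this situation from the switch syslog without logging in to each port, the following added Python snippet (not from the original post) parses the %SPANTREE-2-BLOCK_BPDUGUARD and %PM-4-ERR_DISABLE messages quoted above, lists the err-disabled ports with their cause, and marks whether a received BPDU preceded the shutdown on that port. The log lines are the ones from the post, embedded as constructed sample input.

```python
import re

# Constructed sample input: the syslog lines shown in the post above.
SAMPLE_LOG = """\
Jun 29 14:28:51.864 MEST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa2/0/47 with BPDU Guard enabled. Disabling port. (SWITCH)
Jun 29 14:28:51.873 MEST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa2/0/47, putting Fa2/0/47 in err-disable state (SWITCH)
Jun 29 14:30:17.891 MEST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa2/0/45 with BPDU Guard enabled. Disabling port. (SWITCH)
Jun 29 14:30:17.891 MEST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa2/0/45, putting Fa2/0/45 in err-disable state (SWITCH)
Jun 29 14:32:37.906 MEST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa1/0/46 with BPDU Guard enabled. Disabling port.
Jun 29 14:32:37.906 MEST: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/46, putting Fa1/0/46 in err-disable state
"""

# Timestamp prefix as IOS writes it: "Jun 29 14:28:51.864 MEST"
TS = r"(?P<ts>\w{3} +\d+ [\d:.]+ \w+)"
BPDU_RE = re.compile(TS + r": %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) ")
ERRDIS_RE = re.compile(TS + r": %PM-4-ERR_DISABLE: (?P<cause>\w+) error detected on (?P<port>\S+), putting")


def parse_errdisable_events(log_text):
    """Return one dict per port put into err-disable: timestamp, port, cause,
    and whether a BPDU-guard message for the same port was seen beforehand."""
    bpdu_seen = {}   # port -> timestamp of the BPDU Guard message
    events = []
    for line in log_text.splitlines():
        m = BPDU_RE.match(line)
        if m:
            bpdu_seen[m.group("port")] = m.group("ts")
            continue
        m = ERRDIS_RE.match(line)
        if m:
            port = m.group("port")
            events.append({
                "ts": m.group("ts"),
                "port": port,
                "cause": m.group("cause"),
                "bpdu_received": port in bpdu_seen,
            })
    return events


def ports_by_cause(events, cause="bpduguard"):
    """Sorted list of distinct ports err-disabled for the given cause."""
    return sorted({e["port"] for e in events if e["cause"] == cause})


if __name__ == "__main__":
    for e in parse_errdisable_events(SAMPLE_LOG):
        print(f'{e["ts"]}  {e["port"]:<10} cause={e["cause"]} bpdu_received={e["bpdu_received"]}')
    print("BPDU guard err-disabled ports:", ports_by_cause(parse_errdisable_events(SAMPLE_LOG)))
```

Feed it the output of "show log" instead of the sample to get the same list for a real switch.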

SWITCH#show run interface Fa1/0/46
Building configuration...

Current configuration : 344 bytes
!
interface FastEthernet1/0/46
 description *** User Port VLAN 111 ***
 switchport access vlan 111
 switchport mode access
 no logging event link-status
 priority-queue out
 mls qos trust dscp
 no snmp trap link-status
 storm-control broadcast level 70.00
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end


In order to temporarily allow this on this single port, the port needs to be reconfigured and the bpduguard feature disabled:

SWITCH#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH(config)#interface FastEthernet1/0/46
SWITCH(config-if)#no spanning-tree bpduguard enable
SWITCH(config-if)#exit
SWITCH(config)#exit

But that's not enough, because the port is still down due to the err-disable feature:

SWITCH#show interfaces Fa1/0/46
FastEthernet1/0/46 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0099.1234.5678 (bia 0099.1234.5678)
  Description: *** User Port VLAN 111 ***
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:30:05, output 00:30:06, output hang never
  Last clearing of "show interface" counters 5w5d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     900189 packets input, 81407154 bytes, 0 no buffer
     Received 446654 broadcasts (135913 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 135913 multicast, 0 pause input
     0 input packets with dribble condition detected
     3821572 packets output, 552713989 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

In order to re-enable the port, a shutdown followed by a no shutdown is necessary:

SWITCH#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH(config)#interface Fa1/0/46
SWITCH(config-if)#shut
SWITCH(config-if)#no shut
SWITCH(config-if)#exit
SWITCH(config)#exit
SWITCH#show interfaces Fa1/0/46
FastEthernet1/0/46 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0099.1234.5678 (bia 0099.1234.5678)
  Description: *** User Port VLAN 111 ***
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:35:35, output 00:00:00, output hang never
  Last clearing of "show interface" counters 5w5d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 2000 bits/sec, 2 packets/sec
     900282 packets input, 81423898 bytes, 0 no buffer
     Received 446735 broadcasts (135971 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 135971 multicast, 0 pause input
     0 input packets with dribble condition detected
     3821603 packets output, 552717323 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Now the Access Point is working.

