Cisco Systems 2940 Enabling BPDU Guard (Optional), Enabling BPDU Filtering (Optional)

12-11

Catalyst 2940 Switch Software Configuration Guide

78-15507-02

Chapter12 Configuring Optiona l Spa nning-Tree Features Configuring Optional Spanning-Tree Features

Enabling BPDU Guard (Optional)

When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port

Fast-operational state), spanning tree shuts down Port Fast-enabled ports that receive BPDUs.

In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPD U on a Po rt

Fast-enabled port signals an invalid configuration, such as the connection of an unauthorize d device, and

the BPDU guard feature puts the port in the error-disabled state. The BPDU guard feature provides a

secure response to invalid configurations because you must manually put the port back in service. Use

the BPDU guard feature in a service-provider network to prevent an acce ss port fro m participatin g in the

spanning tree.

Caution Configure Port Fast only on ports that connect to end stations; othe rwi se, a n acci dent al topol ogy l oo p

could cause a data packet loop and disrupt switch and network operation.

You can also use the spanning-tree bpduguard enable interface configuration command to enable

BPDU guard on any port without also enabling the Port Fast fe atu r e. When th e po r t re ce ives a BPDU, it

is put in the error-disabled state.

Beginning in privileged EXEC mode, follow these steps to globally en able the BPDU g uard feature. This

procedure is optional:

To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration

command.

You can override the setting of the no spanning-tre e portfast bpduguard default global configuration

command by using the spanning-tree bpduguard enable interface configuration command.

Enabling BPDU Filtering (Optional)

When you globally enable BPDU filtering on Port Fast-enabled ports, it prevents ports that are in a Port

Fast-operational state from sending or receiving BPDUs. The ports still send a few BPDUs at link-up

before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a

switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is received on a Port

Fast-enabled port, the port loses its Port Fast-operational status, and BPDU filtering is disabled.

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 spanning-tree portfast bpduguard default Globally enable BPDU guard.

By default, BPDU guard is disabled.

Step3 interface interface-id Enter interface configuration mode, and specify the interface

connected to an end station.

Step4 spanning-tree portfast Enable the Port Fast feature.

Step5 end Return to privileged EXEC mode.

Step6 show running-config Verify your entries.

Step7 copy running-config startup-config (Optional) Save your entries in the configuration file.