Cisco Systems 2960 Enabling BPDU Guard

17-11

Catalyst 2960 Switch SoftwareConfiguration Guide

78-16881-01

Chapter17 Configuring Optiona l Spanning-Tree Features

Configuring Optional Spanning-Tree Features

Note You can use the spanning-tree portfast default global configuration command to globally enable the

Port Fast feature on all nontrunking ports.

To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration

command.

Enabling BPDU Guard

When you globally enable BPDU guard on interfaces that are Port Fast-enabled (the interfaces are in a

Port Fast-operational state), spanning tree shuts down Port Fast-enabled interfaces that receive BPDUs.

In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs. Receiving a BPDU on a

Port Fast-enabled interface signals an invalid configuration, such as the connection of an unauthorized

device, and the BPDU guard feature puts the interface in the error-disabled state. The BPDU guard

feature provides a secure response to invalid configurations because you must manually put the interface

back in service. Use the BPDU guard feature in a service-provider network to prevent an access port

from participating in the spanning tree.

Caution Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology

loop could cause a data packet loop and disrupt switch and network operation.

You also can use the spanning-tree bpduguard enable interface configuration command to enable

BPDU guard on any interface without also enabling the Port Fast feature. When the interface receives a

BPDU, it is put in the error-disabled state.

You can enable the BPDU guard feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU guard feature. This

procedure is optional.

To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration

command.

You can override the setting of the no spanning-tree portfast bpduguard default global configuration

command by using the spanning-tree bpduguard enable interface configuration command.

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 spanning-tree portfast bpduguard default Globally enable BPDU guard.

By default, BPDU guard is disabled.

Step3 interface interface-id Specify the interface connected to an end station, and enter

interface configuration mode.

Step4 spanning-tree portfast Enable the Port Fast feature.

Step5 end Return to privileged EXEC mode.

Step6 show running-config Verify your entries.

Step7 copy running-config startup-config (Optional) Save your entries in the configuration file.