Catalyst 2950 Desktop Switch Software Configuration Guide
Chapter 13 Configuring Optional Spanning-Tree Features: Understanding Optional Spanning-Tree Features

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the
feature operates with some differences.
At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree
portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in
a Port Fast-operational state when they receive a BPDU. In a valid configuration, Port Fast-enabled
ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals an invalid
configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the
port in the error-disabled state.
At the interface level, you can enable BPDU guard on any port by using the spanning-tree bpduguard
enable interface configuration command without also enabling the Port Fast feature. When the port
receives a BPDU, it is put in the error-disabled state.
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the port back in service. Use the BPDU guard feature in a service-provider network to
prevent an access port from participating in the spanning tree.
If your switch is running PVST or MSTP, you can enable the BPDU guard feature for the entire switch
or for an interface. The MSTP is available only if you have the EI installed on your switch.

Understanding BPDU Filtering

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but
the feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled ports by using the
spanning-tree portfast bpdufilter default global configuration command. This command prevents
ports that are in a Port Fast-operational state from sending or receiving BPDUs. The ports still send a
few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable
BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is
received on a Port Fast-enabled port, the port loses its Port Fast-operational status, and BPDU filtering
is disabled.
At the interface level, you can enable BPDU filtering on any port without also enabling the Port Fast
feature by using the spanning-tree bpdufilter enable interface configuration command. This command
prevents the port from sending or receiving BPDUs.
Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
spanning-tree loops.
If your switch is running PVST or MSTP, you can enable the BPDU filtering feature for the entire switch
or for an interface. The MSTP is available only if you have the EI installed on your switch.
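The following audit script is an added example, not part of the Cisco guide. It reads a saved running-config, reports whether the two global defaults described above are set, and flags interfaces that use interface-level BPDU filtering or run Port Fast without BPDU guard. The sample configuration is constructed, and the script assumes Port Fast is enabled per interface with the spanning-tree portfast interface command.

```python
import re

# Constructed sample running-config for illustration (not from a real switch).
SAMPLE_CONFIG = """\
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 spanning-tree bpdufilter enable
"""

def audit(config):
    """Return (global_flags, findings) for the BPDU guard/filter settings."""
    global_cmds, ports, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m and not raw.startswith(" "):
            current = ports.setdefault(m.group(1), set())  # new interface stanza
        elif raw.startswith(" ") and current is not None:
            current.add(line)                              # command inside the stanza
        else:
            current = None                                 # "!" or a global command
            if line.startswith("spanning-tree"):
                global_cmds.add(line)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    filter_default = "spanning-tree portfast bpdufilter default" in global_cmds
    findings = []
    for name, cmds in ports.items():
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "interface BPDU filtering: spanning tree disabled, loop risk"))
        if ("spanning-tree portfast" in cmds and not guard_default
                and "spanning-tree bpduguard enable" not in cmds):
            findings.append((name, "Port Fast without BPDU guard"))
    return {"bpduguard_default": guard_default,
            "bpdufilter_default": filter_default}, findings

if __name__ == "__main__":
    flags, findings = audit(SAMPLE_CONFIG)
    print(flags)
    for port, issue in findings:
        print(f"{port}: {issue}")
```

Adding spanning-tree portfast bpduguard default to the sample clears the FastEthernet0/1 finding; the FastEthernet0/3 finding remains until the interface-level filter is removed.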