Understanding BPDU Guard; Understanding BPDU Filtering - Cisco Nexus 5000 Series CLI Configuration Manual

Chapter 1
Configuring STP Extensions
Bridge Assurance is enabled by default and can only be disabled globally. Also, Bridge Assurance can
be enabled only on spanning tree network ports that are point-to-point links. Finally, both ends of the
link must have Bridge Assurance enabled.
With Bridge Assurance enabled, BPDUs are sent out on all operational network ports, including
alternate and backup ports, for each hello time period. If the port does not receive a BPDU for a specified
period, the port moves into the blocking state and is not used in the root port calculation. Once that port
receives a BPDU, it resumes the normal spanning tree transitions.

Understanding BPDU Guard

Enabling BPDU Guard shuts down an interface if it receives a BPDU.
You can configure BPDU Guard at the interface level. When configured at the interface level, BPDU
Guard shuts the port down as soon as the port receives a BPDU, regardless of the port type configuration.
When you configure BPDU Guard globally, it is effective only on operational spanning tree edge ports.
In a valid configuration, LAN edge interfaces do not receive BPDUs. A BPDU that is received by an
edge LAN interface signals an invalid configuration, such as the connection of an unauthorized host or
switch. BPDU Guard, when enabled globally, shuts down all spanning tree edge ports when they receive
a BPDU.
BPDU Guard provides a secure response to invalid configurations, because you must manually put the
LAN interface back in service after an invalid configuration.
Note: When enabled globally, BPDU Guard applies to all operational spanning tree edge interfaces.

Understanding BPDU Filtering

You can use BPDU Filtering to prevent the switch from sending or even receiving BPDUs on specified
ports.
When configured globally, BPDU Filtering applies to all operational spanning tree edge ports. You
should connect edge ports only to hosts, which typically drop BPDUs. If an operational spanning tree
edge port receives a BPDU, it immediately returns to a normal spanning tree port type and moves
through the regular transitions. In that case, BPDU Filtering is disabled on this port, and spanning tree
resumes sending BPDUs on this port.
In addition, you can configure BPDU Filtering by the individual interface. When you explicitly
configure BPDU Filtering on a port, that port does not send any BPDUs and drops all BPDUs that it
receives. You can effectively override the global BPDU Filtering setting on individual ports by
configuring the specific interface. This BPDU Filtering command on the interface applies to the entire
interface, whether the interface is trunking or not.
Caution: Use care when configuring BPDU Filtering per interface. If you explicitly configure BPDU
Filtering on a port that is not connected to a host, it can result in bridging loops because the port
will ignore any BPDU that it receives and go to forwarding.
If the port configuration is not set to default BPDU Filtering, then the edge configuration will not affect
BPDU Filtering.
Table 1-1 lists all the BPDU Filtering combinations.

OL-16597-01
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
Information About STP Extensions
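
As an added illustration (not part of the Cisco guide), the following Python script audits a running-config for the two conditions the BPDU Guard and BPDU Filtering sections above warn about: explicit per-interface BPDU Filtering, and edge ports left without BPDU Guard. The configuration text is a constructed sample, the command strings are assumed to match the `show running-config` output of your NX-OS release, and the check sees configured rather than operational port type.

```python
# Constructed sample running-config (not from the guide).
SAMPLE_CONFIG = """\
spanning-tree port type edge bpduguard default
interface Ethernet1/1
  spanning-tree port type edge
interface Ethernet1/2
  spanning-tree port type edge
  spanning-tree bpduguard disable
interface Ethernet1/3
  spanning-tree port type network
  spanning-tree bpdufilter enable
interface Ethernet1/4
  spanning-tree port type edge trunk
  spanning-tree bpdufilter enable
"""

def parse(config):
    """Split config into global commands and per-interface stanza lines."""
    globals_, ifaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            current.append(raw.strip())       # line inside an interface stanza
        elif raw.startswith("interface "):
            current = ifaces.setdefault(raw.split()[1], [])
        else:
            globals_.append(raw.strip())      # top-level (global) command
            current = None
    return globals_, ifaces

def audit(config):
    """Return (interface, finding, detail) tuples for risky STP settings."""
    globals_, ifaces = parse(config)
    global_guard = "spanning-tree port type edge bpduguard default" in globals_
    findings = []
    for name, lines in ifaces.items():
        edge = any(l.startswith("spanning-tree port type edge") for l in lines)
        # Explicit filtering: the port sends no BPDUs and drops all it receives.
        if "spanning-tree bpdufilter enable" in lines:
            detail = "edge port" if edge else "non-edge port: bridging loop risk"
            findings.append((name, "BPDU_FILTER_EXPLICIT", detail))
        # Guard applies if set on the interface, or globally on an edge port.
        guard_on = "spanning-tree bpduguard enable" in lines
        guard_off = "spanning-tree bpduguard disable" in lines
        if edge and not guard_on and (guard_off or not global_guard):
            findings.append((name, "EDGE_WITHOUT_BPDU_GUARD", "BPDU will not shut port"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one tuple per finding; every `BPDU_FILTER_EXPLICIT` entry on a non-edge port should be reviewed against the Caution above.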