Table of Contents
Advertisement
Chapter 20
Configuring Optional Spanning-Tree Features
Understanding BPDU Guard
The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature
operates with some differences.
At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree
portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in
a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled
ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid
configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the
port in the error-disabled state. When this happens, the switch shuts down the entire port on which the
violation occurred.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown
vlan global configuration command to shut down just the offending VLAN on the port where the
violation occurred.
At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard
enable interface configuration command without also enabling the Port Fast feature. When the port
receives a BPDU, it is put in the error-disabled state.
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the interface back in service. Use the BPDU guard feature in a service-provider network
to prevent an access port from participating in the spanning tree.
Understanding BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but
the feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the
spanning-tree portfast bpdufilter default global configuration command. This command prevents
interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still
send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally
enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If
a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status,
and BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree
bpdufilter enable interface configuration command without also enabling the Port Fast feature. This
command prevents the interface from sending or receiving BPDUs.
Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
Caution
spanning-tree loops.
You can enable the BPDU filtering feature for the entire switch or for an interface.
OL-13270-06
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
Understanding Optional Spanning-Tree Features
20-3
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
