Friday, 11 January 2019

What is Spanning-tree BPDU Guard and how to Configure BPDU guard?

Spanning-tree BPDU Guard is one of the features that help you protect your spanning-tree topology.
BPDU Guard prevents loops when another switch is attached to a Portfast port. When BPDU Guard is enabled on an interface and a BPDU is received on that interface, the interface is put into the error-disabled state, which effectively shuts it down. BPDU Guard can be enabled either in global configuration mode or in interface configuration mode.

If any BPDU is received on a port where BPDU Guard is enabled, that port is immediately put into the err-disable state, and it must either be re-enabled manually or recover automatically through the errdisable recovery timeout function.

By default, BPDU Guard is disabled on all switch ports. You must use BPDU Guard on all switch ports where spanning-tree Portfast is enabled.

In this section we are going to check BPDU Guard in two different ways.

Let's see the first configuration:

  1. Configure the topology as per the diagram.
  2. Configure Portfast by default.
  3. Configure BPDU Guard.
  4. Make sure switch 3 Gig 1/0/3 does not become root in our network.

Switch#show spanning-tree vlan 1

Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0003.E47B.8B03
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0003.E47B.8B03
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/2             Desg FWD 4         128.2    P2p

Switch(config)#spanning-tree portfast default

Switch(config)#spanning-tree portfast bpduguard default

(Now our switch is configured with BPDU Guard. Let's configure switch 3 and send a superior BPDU to switch 2, the root bridge.)

Switch(config)#spanning-tree vlan 1 priority 0

As we can see, our root bridge (switch 2) puts the port connected to switch 3 into the err-disable state.
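Step 4 above (making sure switch 3 Gig 1/0/3 does not become root) is easy to check by eye on one switch but tedious across many. The following Python is an added example, not part of the original post: it parses the show spanning-tree vlan output shown above and reports whether the root bridge is still the one you designed. Both sample outputs are constructed: the first re-types the output shown above, the second imagines what switch 2 would show if the priority-0 BPDU from switch 3 were accepted without BPDU Guard (the 0000.0000.0003 address and the Gi1/0/3 root port are made up for the example).

```python
import re
from dataclasses import dataclass, field

# Constructed sample 1: the healthy output shown earlier on this page, re-typed.
SAMPLE_HEALTHY = """\
Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0003.E47B.8B03
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0003.E47B.8B03
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/2             Desg FWD 4         128.2    P2p
"""

# Constructed sample 2 (hypothetical): what switch 2 would show if the
# "spanning-tree vlan 1 priority 0" BPDU from switch 3 were accepted.
SAMPLE_TAKEOVER = """\
Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0000.0000.0003
             Cost        4
             Port        3 (GigabitEthernet1/0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0003.E47B.8B03
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Desg FWD 4         128.1    P2p
Gi1/0/2             Desg FWD 4         128.2    P2p
Gi1/0/3             Root FWD 4         128.3    P2p
"""

ID_RE = re.compile(r"(Root ID|Bridge ID)\s+Priority\s+(\d+)")
ADDR_RE = re.compile(r"Address\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})")
PORT_RE = re.compile(r"(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|BKN)\s+\d+")


@dataclass
class StpSummary:
    root_priority: int
    root_address: str
    bridge_priority: int
    bridge_address: str
    is_root: bool
    ports: dict = field(default_factory=dict)  # interface -> (role, state)


def parse_show_stp(text: str) -> StpSummary:
    """Parse the Root ID / Bridge ID blocks and the interface table of one VLAN."""
    section = None
    values = {"Root ID": {}, "Bridge ID": {}}
    is_root = False
    ports = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ID_RE.match(line)
        if m:
            section = m.group(1)
            values[section]["priority"] = int(m.group(2))
            continue
        m = ADDR_RE.match(line)
        if m and section:
            values[section]["address"] = m.group(1).lower()
            continue
        if line == "This bridge is the root":
            is_root = True
            continue
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] = (m.group(2), m.group(3))
    return StpSummary(
        root_priority=values["Root ID"]["priority"],
        root_address=values["Root ID"]["address"],
        bridge_priority=values["Bridge ID"]["priority"],
        bridge_address=values["Bridge ID"]["address"],
        is_root=is_root,
        ports=ports,
    )


def check_root(summary: StpSummary, expected_root: str, expected_priority: int) -> list:
    """Return findings; an empty list means the root is where the design says it is."""
    findings = []
    if summary.root_address != expected_root.lower():
        findings.append(f"root moved: expected {expected_root}, now {summary.root_address}")
    if summary.root_priority < expected_priority:
        findings.append(f"superior BPDU accepted: root priority is {summary.root_priority}")
    for intf, (role, _state) in summary.ports.items():
        if role == "Root":
            findings.append(f"{intf} is now the root port (upstream bridge is elsewhere)")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_HEALTHY), ("takeover", SAMPLE_TAKEOVER)):
        s = parse_show_stp(sample)
        print(label, check_root(s, "0003.E47B.8B03", 32769) or "OK")
```

The healthy sample yields no findings; the takeover sample yields three (root address changed, root priority 1 below the designed 32769, Gi1/0/3 became a root port). With BPDU Guard enabled on the Portfast edge ports, as configured above, the second output should never appear because the port is err-disabled before the superior BPDU is processed.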

Let's see another configuration:

  • Configure the topology as per the diagram.
  • Configure the link between the switches.
  • Configure switch 2 Fa0/1 as an L3 port in order to test STP BPDU Guard.
  • Configure BPDU Guard and Portfast on switch 1.

SW-2(config)#interface fastEthernet 0/1
SW-2(config-if)#no switchport
SW-2(config-if)#ip address

SW-1(config)#vlan 10
SW-1(config-vlan)#name sales

SW-1(config)#interface fastEthernet 0/1
SW-1(config-if)#switchport mode access
SW-1(config-if)#switchport access vlan 10
SW-1(config-if)#spanning-tree portfast
SW-1(config-if)#spanning-tree bpduguard enable

(Now we change the fa0/1 interface back to Layer 2 so that a BPDU reaches SW-1 fa0/1, which lets us verify BPDU Guard.)

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port. 
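The syslog line above is the event a defender should be alerting on, and it also answers the question left open in the introduction: whether to recover a port manually or let the errdisable timeout do it. The following Python is an added example, not from the original post. It parses constructed syslog lines for the %SPANTREE-2-BLOCK_BPDUGUARD message shown above together with the %PM-4-ERR_DISABLE and %PM-4-ERR_RECOVER messages IOS logs when errdisable recovery is in use (their exact wording is assumed to match your platform; adjust the patterns if it does not), and counts blocks per port so that a port which keeps getting re-disabled after each recovery interval stands out.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The BLOCK_BPDUGUARD line is the format shown
# on this page; the PM-4 lines follow the usual IOS err-disable/recovery wording
# (assumed to match your platform). Timestamps are made up.
SAMPLE_SYSLOG = """\
Jan 11 10:02:17.901: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
Jan 11 10:02:17.905: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
Jan 11 10:02:19.113: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Jan 11 10:07:18.002: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1
Jan 11 10:07:21.440: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
Jan 11 10:07:21.444: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
"""

BLOCK_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled"
)
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on (\S+)"
)


def normalize_intf(name: str) -> str:
    """Map FastEthernet0/1 / Fa0/1 / GigabitEthernet1/0/3 / Gi1/0/3 to the short form,
    because the SPANTREE and PM messages spell the same interface differently."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    return m.group(1)[:2] + m.group(2)


def bpduguard_events(log_text: str) -> dict:
    """Count BPDU Guard blocks and errdisable recovery attempts per interface."""
    blocks, recoveries = Counter(), Counter()
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            blocks[normalize_intf(m.group(1))] += 1
            continue
        m = RECOVER_RE.search(line)
        if m:
            recoveries[normalize_intf(m.group(1))] += 1
    return {"blocks": dict(blocks), "recoveries": dict(recoveries)}


def flapping_ports(events: dict, threshold: int = 2) -> list:
    """Ports err-disabled at least `threshold` times. Automatic recovery re-enables
    the port every interval, and if a switch is still plugged in behind it the
    next BPDU disables it again, so repeated blocks mean someone has to go and
    look at the cabling rather than wait for another recovery cycle."""
    return sorted(p for p, n in events["blocks"].items() if n >= threshold)


if __name__ == "__main__":
    ev = bpduguard_events(SAMPLE_SYSLOG)
    print(ev)
    print("ports needing a visit:", flapping_ports(ev))
```

On a real switch, the automatic path mentioned in the introduction is turned on with "errdisable recovery cause bpduguard" and tuned with "errdisable recovery interval <seconds>" (both IOS global configuration commands; "show errdisable recovery" shows the current settings), while the manual path is a "shutdown" followed by "no shutdown" on the interface. The sample above shows why the automatic path is not a fix on its own: Fa0/1 is blocked, recovered after the interval, and blocked again because the BPDU source is still attached.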
1 comment:

Wesley said...

Looks like some images aren't loading :(
Nevertheless, the guide is great