Friday 11 January 2019

What is Spanning-tree BPDU Guard and how to Configure BPDU guard?

Spanning-tree BPDU Guard is one of the features that help you protect your spanning-tree topology. 
BPDU Guard prevents loops if another switch is attached to a Portfast port. When BPDU Guard is enabled on an interface, it is put into an error-disable state basically shut down, if a BPDU is received on the interface. It can be enabled at either global configuration mode or at interface mode.






If any BDU is received on a port where BPDU Guard is enabled, that port immediately is put into the err-disable state and it must be either manually reenable or automatically recover through the error disable timeout function.


By default, BPDU Guard is disabled on all switch ports. You must use BPDU Guard on all switch ports where spanning-tree Portfast is enabled.


in this section, we are going to check BPDU Guard in two different way 


let's see the configuration:-





  1. configure the topology as per the diagram 
  2. configure portfast default 
  3. configure BPDU Guard 
  4. make sure switch 3 gig 1/0/3 does not become root in our network.
 


Switch#show spanning-tree vlan 1

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 32769

Address 0003.E47B.8B03

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec


Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address 0003.E47B.8B03

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 20


Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Gi1/0/1 Desg FWD 4 128.1 P2p

Gi1/0/2 Desg FWD 4 128.2 P2p



Switch(config)#spanning-tree portfast default


Switch(config)#spanning-tree portfast bpduguard default







 







( now our switch is configured with BPDU Guard, let's configure switch 3 and send superior BPDU to switch 2 (the root bridge) 

Switch(config)#spanning-tree vlan 1 priority 0



as we can see our root bridge (switch 2) put switch 3 in the err-disable state.

let see another configuration :



Topology:
Goal:
  • configure the topology as per the diagram.
  • configure the link between the switches.
  • configure switch 2 fa 0/1 as L3 port in order to test STP BPDU guard.
  • configure BPDU guard and Portfast on switch 1.


SW-2(config)#interface fastEthernet 0/1
SW-2(config-if)#no switchport
SW-2(config-if)#ip address 192.168.1.1 255.255.255.0
SW-2(config-if)#exit

SW-1(config)#vlan 10
SW-1(config-vlan)#name sales

SW-1(config-vlan)#exit


SW-1(config)#interface fastEthernet 0/1
SW-1(config-if)#switchport mode access
SW-1(config-if)#switchport access vlan 10
SW-1(config-if)#spanning-tree portfast
SW-1(config-if)#spanning-tree bpduguard enable
SW-1(config-if)#exit

(we are going to change the SW-1 fa0/1 interface L2 to verify BPDU guard)




%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port. 






 


 


Instagram

Facebook


Twitter



LINKEDIN








at
Labels:

1 comment:

Wesley said...

Look like some images aren't loading :(
Nevertheless, the guide is great

2 December 2019 at 15:07

Post a Comment

Subscribe to: Post Comments (Atom)

What is DAI (Dynamic ARP Inspection)? | How to configure Dynamic ARP Inspection DAI? | cyber-attack prevention | ARP Poisoning prevention.

 Dynamic ARP Inspection  ARP (Address Resolution Protocol) it’s a communication protocol. Networking devices are used for discovering MAC ...