Spanning-tree BPDU Guard and Configuration

Spanning-tree BPDU Guard is one of the features that help you protect your spanning-tree topology

BPDU Guard prevents loops if another switch is attached to a Portfast port. When BPDU Guard is enable on an interface, it is put into an error-disable state basically shutdown, if a BPDU is received on the interface. It can be enabled at either global configuration mode or at interface mode.

If any BDU is received on a port where BPDU Guard is enable, that port immediately is put into the err-disable state and it must be either manually reenable or automatically recover through the error disable timeout function.

By default, BPDU Guard is disabled on all switch port. You must use BPDU Guard on all switch ports where spanning tree Portfast is enable.

let see the configuration:-

Toology:

Goal:

• configure the topology as per the diagram.
• configure the link between the switches.
• configure switch 2 fa 0/1 as L3 port in order to test STP BPDU guard.
• configure BPDU guard and Portfast on switch 1.

SW-2(config)#interface fastEthernet 0/1
SW-2(config-if)#no switchport
SW-2(config-if)#ip address 192.168.1.1 255.255.255.0
SW-2(config-if)#exit

SW-1(config)#vlan 10
SW-1(config-vlan)#name sales

SW-1(config-vlan)#exit


SW-1(config)#interface fastEthernet 0/1
SW-1(config-if)#switchport mode access
SW-1(config-if)#switchport access vlan 10
SW-1(config-if)#spanning-tree portfast
SW-1(config-if)#spanning-tree bpduguard enable
SW-1(config-if)#exit

(we are going change the sw-1 fa0/1 interface L2 to verify BPDU guard)

SW-2(config)#int fastEthernet 0/1
SW-2(config-if)#switchport

SW-1#


%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.