BPDU Guard is a safety protocol that can complement PortFast. If a BPDU is received on an interface, then rather than converting the interface to a spanning-tree supported one, the switch will shut down the interface altogether via an errdisable.
This helps prevent an unauthorised switch from joining the network and sending out BPDUs through a PortFast-enabled port.
BPDU Guard can be enabled globally, in global configuration mode, using the command
spanning-tree portfast bpduguard default
BPDU Guard can be enabled or disabled on a per-interface basis, in interface configuration mode, with the command
spanning-tree bpduguard enable
or
spanning-tree bpduguard disable
When a BPDU arrives on an interface that has BPDU Guard enabled, the switch will disable the port through the use of errdisable and generate a message:
10:17:02.020: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gigabit Ethernet1/0/12 with BPDU Guard enabled. Disabling port.
Without additional configuration, this port will remain in an error-disabled state until manually reactivated. The error recovery service can be enabled to restore the port's connection after a number of seconds.
In global configuration mode, enter the commands
errdisable recovery cause bpduguard
errdisable recovery interval X
Replace X with the number of seconds between recovery attempts. If the recovery interval is not specified, the switch will attempt to re-enable the port every 5 minutes (300 seconds).
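With errdisable recovery enabled, a port that still has a BPDU-sending device attached is re-enabled and shut down again once per interval, so the same message repeats in the log. The following is an added example, not part of the original page: it parses the BPDU Guard message shown above and flags ports that trip again within one recovery interval. The sample log lines, the function names and the 60-second slack are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted on this page; the leading time is HH:MM:SS.mmm.
BPDUGUARD_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}): %SPANTREE-2-BLOCK_BPDUGUARD: "
    r"Received BPDU on port (?P<port>.+?) with BPDU Guard enabled"
)

# Constructed sample log (timestamps and ports are made up for the example).
SAMPLE_LOG = """\
10:17:02.020: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
10:18:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
10:22:03.512: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
10:27:04.100: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
10:40:11.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
11:55:00.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
"""

def parse_trips(lines):
    """Return {port: [sorted trip times]} for every BPDU Guard message."""
    trips = defaultdict(list)
    for line in lines:
        m = BPDUGUARD_RE.search(line)
        if m:
            # Normalise "Gigabit Ethernet1/0/12" and "GigabitEthernet1/0/12".
            port = m.group("port").replace(" ", "")
            trips[port].append(datetime.strptime(m.group("ts"), "%H:%M:%S.%f"))
    return {port: sorted(times) for port, times in trips.items()}

def repeat_offenders(trips, recovery_interval=300, slack=60):
    """Return {port: re-trip count} for ports that tripped again within one
    recovery interval (plus slack) of the previous trip, which means the
    BPDU source was still attached when recovery re-enabled the port.
    Timestamps carry no date, so the log is assumed to cover a single day."""
    window = timedelta(seconds=recovery_interval + slack)
    flagged = {}
    for port, times in trips.items():
        retrips = sum(1 for a, b in zip(times, times[1:]) if b - a <= window)
        if retrips:
            flagged[port] = retrips
    return flagged

if __name__ == "__main__":
    for port, n in repeat_offenders(parse_trips(SAMPLE_LOG.splitlines())).items():
        print(f"{port}: re-tripped {n} time(s) right after recovery")
```

Set recovery_interval to the value configured with errdisable recovery interval; the default of 300 matches the switch default described above.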