The Bridge Protocol Data Unit (BPDU) Guard feature is one of the Spanning Tree Protocol (STP) enhancements. This feature enhances switch network reliability, manageability, and security.
STP ensures a loop-free topology for any Ethernet LAN. STP prevents loops and broadcast radiation. We recommend that you enable BPDU Guard on access ports so that end-user devices connected to those ports cannot influence the topology. Any malfunctioning device that is connected to a vEthernet port can flood the Layer 2 network with unwanted BPDUs, which causes STP to break down. When you enable the BPDU Guard feature on access ports, it shuts down any port that receives a BPDU. To bring up a port disabled by BPDU Guard, you must remove the device and then restart the port by entering the shut/no shut command described later in this document.
BPDU Guard has the following prerequisite:
This example shows how to enable BPDU Guard globally:
```
switch# configure terminal
switch(config)# spanning-tree port type edge bpduguard default
switch(config)# show spanning-tree bpduguard info
Global spanning-tree bpduguard status: Enabled
switch(config)# show switch edition
Switch Edition: ADVANCED (3.0)

Feature Status
Name             State      Licensed  In version
--------------------------------------------------------
cts              disabled   Y         1.0
dhcp-snooping    disabled   Y         1.0
vxlan-gateway    disabled   Y         1.0
bgp              enabled    Y         3.0
bpduguard        enabled    Y         3.0

License Status
Edition    Available  In Use  Expiry Date
----------------------------------------------
Advanced   30         2       Never

Scale Support
Edition     Modules  Virtual Ports
---------------------------------------
Essential   128      4096
Advanced    256      12288
```
Note: This port profile configuration overwrites the global configuration.
This example shows how to enable BPDU Guard on a VLAN port profile:
```
switch# configure terminal
switch(config)# port-profile VLAN-1238
switch(config-port-prof)# spanning-tree bpduguard enable
switch(config-port-prof)# end
switch(config)# show interface virtual spanning-tree bpduguard status
Veth77    Enabled
Veth770   -
Veth771   -
Veth772   -
Veth773   -
Veth774   Disabled
Veth775   -
Veth776   -
Veth777   Enabled
Veth778   -
Veth779   Enabled
```
Note: This vEthernet port configuration overrides the global and port-profile level configuration.
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters global configuration mode. |
| Step 2 | switch(config)# interface vethernet port | Enters port configuration mode. |
| Step 3 | switch(config-if)# spanning-tree bpduguard {enable \| disable} | Enables or disables BPDU Guard for the particular vEthernet port. |
| Step 4 | switch(config-if)# end | Exits the port configuration mode. |
| Step 5 | switch(config)# show interface virtual spanning-tree bpduguard status | (Optional) |
This example shows how to enable BPDU Guard on a vEthernet port:
```
switch# configure terminal
switch(config)# interface vethernet 77
switch(config-if)# spanning-tree bpduguard enable
switch(config-port-prof)# end
switch(config)# show interface virtual spanning-tree bpduguard status
Veth77    Enabled
Veth770   -
Veth771   -
Veth772   -
Veth773   -
Veth774   Disabled
Veth775   -
Veth776   -
Veth777   Enabled
Veth778   -
Veth779   Enabled
```
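The three configuration levels above resolve in a fixed order (vEthernet port, then port profile, then global), which makes it easy to audit which ports end up without BPDU Guard. The following Python sketch is an added example, not Cisco code: it assumes that `-` in the status listing means "no setting at the vEthernet level", and the port-to-profile inventory, the `LAB-PROFILE` name, and the sample listing are constructed for illustration.

```python
import re

# Constructed sample shaped like the page's
# "show interface virtual spanning-tree bpduguard status" output.
STATUS_OUTPUT = """\
Veth77 Enabled
Veth770 -
Veth774 Disabled
Veth777 Enabled
Veth778 -
"""

# Assumed inventory (not on the page): port -> port profile, and each profile's
# BPDU Guard setting (None = not set). LAB-PROFILE is a hypothetical name.
PORT_PROFILE = {"Veth77": "VLAN-1238", "Veth770": "VLAN-1238",
                "Veth774": "VLAN-1238", "Veth777": "LAB-PROFILE",
                "Veth778": "LAB-PROFILE"}
PROFILE_SETTING = {"VLAN-1238": True, "LAB-PROFILE": None}

LINE = re.compile(r"^(Veth\d+)\s+(Enabled|Disabled|-)$")
STATE = {"Enabled": True, "Disabled": False, "-": None}


def parse_status(text):
    """Return {port: True/False/None}; None is assumed to mean 'not set here'."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): STATE[m.group(2)] for m in matches if m}


def resolve(port, iface_setting, global_default):
    """Apply the page's precedence: vEthernet > port profile > global."""
    if iface_setting is not None:
        return iface_setting, "vethernet"
    profile = PORT_PROFILE.get(port)
    profile_setting = PROFILE_SETTING.get(profile)
    if profile_setting is not None:
        return profile_setting, f"port-profile {profile}"
    return global_default, "global"


def audit(text, global_default):
    """Return (port, deciding level) for each port left without BPDU Guard."""
    resolved = ((port, resolve(port, setting, global_default))
                for port, setting in parse_status(text).items())
    return [(port, level) for port, (enabled, level) in resolved if not enabled]


if __name__ == "__main__":
    print(audit(STATUS_OUTPUT, global_default=False))
```

Ports reported with level `vethernet` were switched off explicitly and deserve a documented reason; ports reported with level `global` are only unprotected because nothing above them enables the feature.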
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | switch# configure terminal | Enters global configuration mode. |
| Step 2 | switch(config)# interface vethernet vethernet port | Enters port configuration mode. |
| Step 3 | switch(config-if)# shut | Shuts down the vEthernet administratively. |
| Step 4 | switch(config-if)# no shut | Starts the vEthernet port. |
| Step 5 | switch(config-if)# show interface vethernet port id | (Optional) Displays the vEthernet port information. |
```
switch# configure terminal
switch(config)# interface vethernet 4
switch(config-if)# shut
switch(config-if)# 2014 May 19 02:13:09 switch ethpm[2808]: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Vethernet4 is down (Administratively down)
no shut
2014 May 19 02:13:11 switch ethpm[2808]: %ETHPORT-5-IF_ADMIN_UP: Interface Vethernet4 is admin up .
switch(config-if)# 2014 May 19 02:13:11 switch ethpm[2808]: %ETHPORT-5-IF_UP: Interface Vethernet4 is up in mode access
end
switch#
switch# 2014 May 19 02:13:13 switch vshd[32105]: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 7.1.4.25@pts/0
switch# show interface vethernet 4
Vethernet4 is up
  Port description is OST-SUSE-2-E100-1, Network Adapter 2
  Hardware: Virtual, address: 0050.5681.4a36 (bia 0050.5681.4a36)
  Owner is VM "OST-SUSE-2-E100-1", adapter is Network Adapter 2
  Active on module 8
  VMware DVS port 11906
  Port-Profile is VLAN-1238
  MTU 1500 bytes
  Port mode is access
  5 minute input rate 1240 bits/second, 2 packets/second
  5 minute output rate 312 bits/second, 0 packets/second
  Rx
    6715801 Input Packets 6714907 Unicast Packets
    836 Multicast Packets 58 Broadcast Packets
    0 Jumbo Packets
    6997031276 Bytes
  Tx
    8113 Output Packets 0 Unicast Packets
    3296 Multicast Packets 4817 Broadcast Packets 426 Flood Packets
    0 Jumbo Packets
    780299 Bytes
  0 Input Packet Drops 0 Output Packet Drops
```
| Feature Name | Release Name | Description |
|---|---|---|
| BPDU Guard | 5.2(1)SV3(1.1) | This feature was introduced. |