Configuring BPDU Guard

Information About Bridge Protocol Data Unit Guard Feature

The Bridge Protocol Data Unit (BPDU) Guard feature is one of the Spanning Tree Protocol (STP) enhancements. This feature enhances switch network reliability, manageability, and security.

STP ensures a loop-free topology for any Ethernet LAN; it prevents bridging loops and the broadcast radiation they cause. We recommend that you enable BPDU Guard on access ports so that end-user devices connected to those ports cannot influence the STP topology. A malfunctioning device connected to a vEthernet port can flood the Layer 2 network with unwanted BPDUs and cause STP to break down. When you enable the BPDU Guard feature on access ports, the switch shuts down any port that receives a BPDU. To bring up a port that BPDU Guard has disabled, you must remove the offending device and then restart the port with the shut and no shut commands described later in this document.

Prerequisites for BPDU Guard

BPDU Guard has the following prerequisite:

  • To configure BPDU Guard, you must install the Advanced Edition license on the Cisco Nexus 1000V switch.

Enabling or Disabling BPDU Guard Feature Globally

Procedure

    Step 1  switch# configure terminal
            Enters global configuration mode.

    Step 2  switch(config)# [no] spanning-tree port type edge bpduguard default
            Globally enables or disables BPDU Guard.

    Step 3  switch(config)# show spanning-tree bpduguard info   (Optional)
            Displays the BPDU Guard state.

    Step 4  switch(config)# show switch edition   (Optional)
            Displays the features that require the Advanced Edition license on the Cisco Nexus 1000V switch.

This example shows how to enable BPDU Guard globally:

    switch# configure terminal
    switch(config)# spanning-tree port type edge bpduguard default
    switch(config)# show spanning-tree bpduguard info
    Global spanning-tree bpduguard status: Enabled

    switch(config)# show switch edition
    Switch Edition: ADVANCED (3.0)

    Feature Status
    Name            State           Licensed    In version
    --------------------------------------------------------
    cts             disabled        Y           1.0
    dhcp-snooping   disabled        Y           1.0
    vxlan-gateway   disabled        Y           1.0
    bgp             enabled         Y           3.0
    bpduguard       enabled         Y           3.0

    License Status
    Edition      Available  In Use     Expiry Date
    ----------------------------------------------
    Advanced     30         2          Never

    Scale Support
    Edition      Modules      Virtual Ports
    ---------------------------------------
    Essential    128          4096
    Advanced     256          12288


Enabling or Disabling BPDU Guard Mode on a Port Profile

You can enable or disable BPDU Guard for a specific port profile. Configuring BPDU Guard for a port profile overrides the global configuration for the vEthernet ports that inherit that port profile. If you disable BPDU Guard globally, you can enable it for a specific port profile to override the global setting. Similarly, if BPDU Guard is enabled globally, you can disable it for a specific port profile; the vEthernet ports under that port profile can then receive BPDU packets without going into the error-disabled state.

Note: This port profile configuration overrides the global configuration.


Procedure

    Step 1  switch# configure terminal
            Enters global configuration mode.

    Step 2  switch(config)# port-profile profile_id
            Enters port-profile configuration mode.

    Step 3  switch(config-port-prof)# spanning-tree bpduguard {enable | disable}
            Enables or disables BPDU Guard for this port profile.
            Note: You can remove the BPDU Guard configuration from the port profile by using the no spanning-tree bpduguard command.

    Step 4  switch(config-port-prof)# end
            Exits port-profile configuration mode.

    Step 5  switch(config)# show interface virtual spanning-tree bpduguard status   (Optional)
            Displays the vEthernet ports and the BPDU Guard status for all interfaces.
            Note: If a vEthernet port is inheriting the global BPDU Guard setting, its status is shown as "-".

    Step 6  switch(config)# show interface virtual spanning-tree bpduguard status module module_no   (Optional)
            Displays the vEthernet ports and BPDU Guard status for a specific module.

This example shows how to enable BPDU Guard on a VLAN port profile:

    switch# configure terminal
    switch(config)# port-profile VLAN-1238
    switch(config-port-prof)# spanning-tree bpduguard enable
    switch(config-port-prof)# end
    switch(config)# show interface virtual spanning-tree bpduguard status
    Veth77      Enabled
    Veth770     -
    Veth771     -
    Veth772     -
    Veth773     -
    Veth774     Disabled
    Veth775     -
    Veth776     -
    Veth777     Enabled
    Veth778     -
    Veth779     Enabled


Enabling or Disabling BPDU Guard on a vEthernet Port

You can enable or disable BPDU Guard for a specific port. Configuring BPDU Guard for a specific port overrides both the global and the port-profile configuration. If you disable BPDU Guard globally or at the port-profile level, you can enable it for a specific port to override those settings. Similarly, if you enable BPDU Guard globally or at the port-profile level, you can disable it for a specific port; that port can then receive BPDU packets without going into the error-disabled state.

Note: This vEthernet port configuration overrides the global and port-profile level configuration.


Procedure

    Step 1  switch# configure terminal
            Enters global configuration mode.

    Step 2  switch(config)# interface vethernet port
            Enters port configuration mode.

    Step 3  switch(config-if)# spanning-tree bpduguard {enable | disable}
            Enables or disables BPDU Guard for the particular vEthernet port.
            Note: You can remove the BPDU Guard configuration from the port by using the no spanning-tree bpduguard command.

    Step 4  switch(config-if)# end
            Exits port configuration mode.

    Step 5  switch(config)# show interface virtual spanning-tree bpduguard status   (Optional)
            Displays the vEthernet ports and the BPDU Guard status for all interfaces.
            Note: If a vEthernet port is inheriting the global BPDU Guard setting, its status is shown as "-".

This example shows how to enable BPDU Guard on a vEthernet port:

    switch# configure terminal
    switch(config)# interface vethernet 77
    switch(config-if)# spanning-tree bpduguard enable
    switch(config-if)# end
    switch(config)# show interface virtual spanning-tree bpduguard status
    Veth77      Enabled
    Veth770     -
    Veth771     -
    Veth772     -
    Veth773     -
    Veth774     Disabled
    Veth775     -
    Veth776     -
    Veth777     Enabled
    Veth778     -
    Veth779     Enabled

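The precedence rules in this section and the preceding one (a per-port setting overrides the port profile, which overrides the global setting, and a port listed as "-" inherits the global state) can be checked offline before a BPDU actually arrives. The following Python script is an added example, not part of this document or of the Cisco Nexus 1000V software: it parses constructed text modelled on the show spanning-tree bpduguard info and show interface virtual spanning-tree bpduguard status output shown above, computes the effective BPDU Guard state of each vEthernet port, and lists the ports on which a received BPDU would not err-disable the port. The sample strings are constructed and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample output modelled on the show commands used in this chapter.
# These strings are not a capture from a real switch.
GLOBAL_INFO = "Global spanning-tree bpduguard status: Enabled\n"

PORT_STATUS = """\
Veth77      Enabled
Veth770     -
Veth771     -
Veth774     Disabled
Veth777     Enabled
"""

GLOBAL_RE = re.compile(r"Global spanning-tree bpduguard status:\s*(Enabled|Disabled)")
PORT_RE = re.compile(r"^\s*(Veth\d+)\s+(Enabled|Disabled|-)\s*$")


def parse_global_status(info_text: str) -> bool:
    """True when BPDU Guard is enabled globally (show spanning-tree bpduguard info)."""
    m = GLOBAL_RE.search(info_text)
    if m is None:
        raise ValueError("global bpduguard status line not found")
    return m.group(1) == "Enabled"


def parse_port_status(status_text: str) -> Dict[str, str]:
    """Map each vEthernet port to 'Enabled', 'Disabled' or '-' (inherits the
    global state), as printed by show interface virtual spanning-tree bpduguard status."""
    ports: Dict[str, str] = {}
    for line in status_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] = m.group(2)
    return ports


def effective_state(global_enabled: bool, port_value: str) -> bool:
    """Apply the precedence rule: a port-profile or per-port setting (shown as
    Enabled/Disabled) overrides the global setting; '-' means the port inherits it."""
    if port_value == "-":
        return global_enabled
    return port_value == "Enabled"


def effective_states(info_text: str, status_text: str) -> Dict[str, bool]:
    """Effective BPDU Guard state (True = a received BPDU err-disables the port) per port."""
    g = parse_global_status(info_text)
    return {name: effective_state(g, value)
            for name, value in parse_port_status(status_text).items()}


def unguarded_ports(info_text: str, status_text: str) -> List[str]:
    """Ports on which a received BPDU would NOT err-disable the port."""
    return sorted(name for name, on in effective_states(info_text, status_text).items() if not on)


if __name__ == "__main__":
    for name, on in effective_states(GLOBAL_INFO, PORT_STATUS).items():
        print(f"{name:<10} BPDU Guard {'on' if on else 'OFF'}")
    print("unguarded:", unguarded_ports(GLOBAL_INFO, PORT_STATUS))
```

Run the same audit with the global line reading Disabled and every "-" port joins the unguarded list, which is the situation to look for when BPDU Guard was never enabled globally and only a few profiles set it explicitly.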

Bringing up a vEthernet Port

Before You Begin

    • You are getting the Err_disable : BPDU guard violation ltl (port id) , ifindex(1c000030) error.

    • Ensure that the device that caused the port to shut down is removed from the network.

Procedure

    Step 1  switch# configure terminal
            Enters global configuration mode.

    Step 2  switch(config)# interface vethernet port
            Enters port configuration mode.

    Step 3  switch(config-if)# shut
            Shuts down the vEthernet port administratively.

    Step 4  switch(config-if)# no shut
            Starts the vEthernet port.

    Step 5  switch(config-if)# show interface vethernet port id   (Optional)
            Displays the vEthernet port information.

This example shows how to bring up a vEthernet port:

    switch# configure terminal
    switch(config)# interface vethernet 4
    switch(config-if)# shut
    switch(config-if)# 2014 May 19 02:13:09 switch ethpm[2808]: %ETHPORT-5-IF_DOWN_ADMIN_DOWN:
    Interface Vethernet4 is down (Administratively down)
    no shut
    2014 May 19 02:13:11 switch ethpm[2808]: %ETHPORT-5-IF_ADMIN_UP: Interface Vethernet4 is admin up .
    switch(config-if)# 2014 May 19 02:13:11 switch ethpm[2808]: %ETHPORT-5-IF_UP: Interface
    Vethernet4 is up in mode access
    end
    switch#
    switch# 2014 May 19 02:13:13 switch vshd[32105]: %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured
    from vty by admin on 7.1.4.25@pts/0
    switch# show interface vethernet 4
    Vethernet4 is up
      Port description is OST-SUSE-2-E100-1, Network Adapter 2
      Hardware: Virtual, address: 0050.5681.4a36 (bia 0050.5681.4a36)
      Owner is VM "OST-SUSE-2-E100-1", adapter is Network Adapter 2
      Active on module 8
      VMware DVS port 11906
      Port-Profile is VLAN-1238
      MTU 1500 bytes
      Port mode is access
      5 minute input rate 1240 bits/second, 2 packets/second
      5 minute output rate 312 bits/second, 0 packets/second
      Rx
        6715801 Input Packets 6714907 Unicast Packets
        836 Multicast Packets 58 Broadcast Packets
        0 Jumbo Packets
        6997031276 Bytes
      Tx
        8113 Output Packets 0 Unicast Packets
        3296 Multicast Packets 4817 Broadcast Packets 426 Flood Packets
        0 Jumbo Packets
        780299 Bytes
        0 Input Packet Drops 0 Output Packet Drops

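The Err_disable : BPDU guard violation message listed under Before You Begin is the record of every port that BPDU Guard shut down, so it is the line a monitoring pipeline should pick out of the switch syslog. The following Python script is an added example, not part of this document or of the NX-OS software: it scans constructed syslog lines for that message, extracts the ltl and ifindex values, and flags any ifindex that was err-disabled more than once, which suggests the port was brought back up with shut / no shut before the offending device was removed. Only the Err_disable message text comes from this page; the timestamp and process prefix around it is assumed to match the other ethpm messages in the bring-up example above, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample syslog excerpt. The "Err_disable : BPDU guard violation"
# text is the message quoted in this chapter; the timestamp/process prefix is
# an assumption modelled on the ethpm messages shown in the bring-up example.
SAMPLE_SYSLOG = """\
2014 May 19 02:10:01 switch ethpm[2808]: Err_disable : BPDU guard violation ltl (49) , ifindex(1c000030)
2014 May 19 02:13:09 switch ethpm[2808]: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Vethernet4 is down (Administratively down)
2014 May 19 02:13:11 switch ethpm[2808]: %ETHPORT-5-IF_UP: Interface Vethernet4 is up in mode access
2014 May 19 02:20:45 switch ethpm[2808]: Err_disable : BPDU guard violation ltl (49) , ifindex(1c000030)
2014 May 19 02:25:00 switch ethpm[2808]: Err_disable : BPDU guard violation ltl (52) , ifindex(1c000033)
"""

TIMESTAMP_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})")
VIOLATION_RE = re.compile(
    r"Err_disable\s*:\s*BPDU guard violation\s+ltl\s*\((\d+)\)\s*,\s*ifindex\(([0-9a-fA-F]+)\)"
)


class Violation(NamedTuple):
    when: datetime
    ltl: int
    ifindex: str


def parse_violations(syslog_text: str) -> List[Violation]:
    """Return every BPDU Guard err-disable event found in the syslog text."""
    events: List[Violation] = []
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue  # IF_DOWN / IF_UP and other messages are not violations
        ts = TIMESTAMP_RE.match(line)
        when = datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S") if ts else datetime.min
        events.append(Violation(when, int(m.group(1)), m.group(2).lower()))
    return events


def violations_per_ifindex(syslog_text: str) -> Dict[str, int]:
    """Number of err-disable events per ifindex."""
    return dict(Counter(v.ifindex for v in parse_violations(syslog_text)))


def repeat_offenders(syslog_text: str, threshold: int = 2) -> Dict[str, int]:
    """ifindex values err-disabled at least `threshold` times: the port was most
    likely re-enabled (shut / no shut) while the BPDU-sending device was still attached."""
    return {idx: n for idx, n in violations_per_ifindex(syslog_text).items() if n >= threshold}


if __name__ == "__main__":
    for v in parse_violations(SAMPLE_SYSLOG):
        print(f"{v.when:%Y-%m-%d %H:%M:%S}  ltl={v.ltl:<4} ifindex={v.ifindex}  err-disabled by BPDU Guard")
    for idx, n in repeat_offenders(SAMPLE_SYSLOG).items():
        print(f"ifindex {idx} err-disabled {n} times: verify the offending device was removed")
```

In practice the ifindex can be mapped back to the vEthernet name with the show interface output shown above (the Port-Profile and Owner lines identify the VM), which tells the operator which virtual machine to isolate before running no shut again.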

Feature History for BPDU Guard

    Feature Name    Release Name      Description
    BPDU Guard      5.2(1)SV3(1.1)    This feature was introduced.