Enabling BPDU Guard
When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree shuts down Port Fast-enabled ports that receive BPDUs.
In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
Caution Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
You can also use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.
You can enable the BPDU guard feature if your switch is running PVST or MSTP. The MSTP is available only if you have the enhanced software image installed on your switch.
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU guard feature on the switch:
Command | Purpose |
configure terminal | Enter global configuration mode. |
spanning-tree portfast bpduguard default | Globally enable BPDU guard on the switch. By default, BPDU guard is disabled. |
interface interface-id | Enter interface configuration mode, and specify the interface connected to an end station. |
spanning-tree portfast | Enable the Port Fast feature. |
end | Return to privileged EXEC mode. |
Catalyst 2950 Desktop Switch Software Configuration Guide g |
Command | Purpose | ||
Step 6 | show running-config | Verify your entries. | |
Step 7 | copy running-config startup-config | (Optional) Save your entries in the configuration file. | |
To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command. | |||
You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command. | |||
Enabling BPDU Filtering | |||
When you globally enable BPDU filtering on Port Fast-enabled ports, it prevents ports that are in a Port Fast-operational state from sending or receiving BPDUs. The ports still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is received on a Port Fast-enabled port, the port loses its Port Fast-operational status, and BPDU filtering is disabled. | |||
Caution | Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. | ||
You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any port without also enabling the Port Fast feature. This command prevents the port from sending or receiving BPDUs. | |||
A | |||
Caution | Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops. | ||
You can enable the BPDU filtering feature if your switch is running PVST or MSTP. The MSTP is available only if you have the enhanced software image installed on your switch. | |||
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature on the switch: | |||
Command | Purpose | ||
Step 1 | configure terminal | Enter global configuration mode. | |
Step 2 | Globally enable BPDU filtering on the switch. | ||
By default, BPDU filtering is disabled. | |||
Step 3 | interface interface-id | Enter interface configuration mode, and specify the interface connected to an end station. | |
Step 4 | spanning-tree portfast | Enable the Port Fast feature. | |
Step 5 | end | Return to privileged EXEC mode. | |
Step 6 | show running-config | Verify your entries. | |
Step 7 | copy running-config startup-config | (Optional) Save your entries in the configuration file. | |
To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command.
You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
Continue reading here: Enabling Root Guard
fonte: https://www.ccexpert.us/global-configuration/enabling-bpdu-guard.html
0 comentários:
Postar um comentário