spanning-tree bpdu-guard

Syntax

spanning-tree bpdu-guard

no spanning-tree bpdu-guard

Description

Enables BPDU guard on the switch interface. When BPDU guard is enabled, an interface that receives MSTP BPDUs is disabled and remains disabled.

BPDU protection is a security feature designed to protect the active MSTP topology by preventing spoofed BPDU packets from entering the MSTP domain. In a typical implementation, BPDU protection is applied to edge ports connected to end-user devices that do not run MSTP. If MSTP BPDU packets are received on a protected port, this feature disables that port and alerts the network manager via an SNMP trap.

Occasionally a hardware or software failure can cause MSTP to fail, creating forwarding loops that can cause network failures where unidirectional links are used. The non-designated port transitions in a faulty manner because the port is no longer receiving MSTP BPDUs.

The no form of the command sets the BPDU guard status to the default of disabled on the interface.

Command context

config-if

Authority

Administrators or local user group members with execution rights for this command.

Examples

Enabling the BPDU guard on interface 1/1/1:

switch(config)# interface 1/1/1
switch(config-if)# spanning-tree bpdu-guard

Disabling BPDU guard on interface 1/1/1:

switch(config)# interface 1/1/1
switch(config-if)# no spanning-tree bpdu-guard
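
Auditing edge ports for BPDU guard (added example, not part of the original command reference or vendor code): the script below parses configuration text and lists edge ports on which BPDU guard is left at its default of disabled. Assumptions: the sample configuration is constructed, edge ports are identified by a "spanning-tree port-type admin-edge" line, and the function names are hypothetical.

```python
# Added example: audit config text for edge ports missing BPDU guard.
# SAMPLE_CONFIG is constructed; using "spanning-tree port-type admin-edge"
# as the edge-port marker is an assumption about how edge ports are labelled.
SAMPLE_CONFIG = """\
interface 1/1/1
    no shutdown
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard
interface 1/1/2
    no shutdown
    spanning-tree port-type admin-edge
interface 1/1/3
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard
    no spanning-tree bpdu-guard
interface 1/1/48
    description uplink
    no shutdown
"""

def parse_interfaces(config):
    """Map each interface name to the list of lines in its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw[:1].isspace():
            stanzas[current].append(" ".join(raw.split()))
        else:
            current = None  # any unindented or blank line ends the stanza
    return stanzas

def bpdu_guard_enabled(lines):
    """Default is disabled; the last bpdu-guard line in the stanza wins."""
    state = False
    for line in lines:
        if line == "spanning-tree bpdu-guard":
            state = True
        elif line == "no spanning-tree bpdu-guard":
            state = False
    return state

def unprotected_edge_ports(config, edge_marker="spanning-tree port-type admin-edge"):
    """Return edge ports whose stanza leaves BPDU guard disabled."""
    return [name for name, lines in parse_interfaces(config).items()
            if edge_marker in lines and not bpdu_guard_enabled(lines)]

if __name__ == "__main__":
    for port in unprotected_edge_ports(SAMPLE_CONFIG):
        print(f"{port}: edge port without BPDU guard")
```

Interface 1/1/48 is not reported because it carries no edge-port marker; uplinks that legitimately exchange BPDUs are outside the scope of this check.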