BPDU Guard
The Bridge Protocol Data Unit (BPDU) Guard feature protects against misconfiguration of edge ports. When Port Fast is configured on an interface, MSTP considers that interface to be an edge port and removes it from consideration when calculating the spanning tree. When the BPDU Guard feature is configured, MSTP additionally shuts down the interface using error-disable if an MSTP BPDU is received. You must configure Port Fast on an interface to enable the MSTP BPDU Guard feature.
Port Fast
The Port Fast feature manages the ports at the edge of the switched Ethernet network. For devices that have only one link to the switched network (typically host devices), there is no need to run MSTP, as there is only one available path. Furthermore, it is undesirable to trigger topology changes (and the resultant MAC flushes) when the single link fails or is restored, as there is no alternative path.
By default, MSTP monitors ports where no BPDUs are received and, after a timeout, places them into edge mode, in which they do not participate in MSTP. However, this process can be sped up (and convergence of the whole network thereby improved) by explicitly configuring edge ports as port fast.
Note
MSTP functionality is not supported. The BPDU Guard feature error-disables the port on receiving BPDU packets, and the system does not process the BPDU packet further because the feature does not provide any further BPDU packet processing.
If the port is error-disabled due to Spanning-Tree BPDU Guard, use the commands error-disable recovery cause and clear error-disable interface name to recover.
Configuration
This section describes how you can configure BPDU Guard.
Router# configure
Router(config)# l2vpn bridge group bg1
Router(config-l2vpn-bg)# bridge-domain bd1
Router(config-l2vpn-bg-bd)# int TenGigE 0/0/0/7
Router(config-l2vpn-bg-bd-ac)# root
Router(config)# spanning-tree mst m0
Router(config-mstp)# interface tenGigE 0/0/0/7
Router(config-mstp-if)# portfast bpduguard
Router(config-mstp-if)# root
Router(config)# int tenGigE 0/0/0/7 l2transport
Router(config-if-l2)# commit
Running Configuration
!
Configure
l2vpn
 bridge group bg1
  bridge-domain bd1
   interface TenGigE0/0/0/7
!
spanning-tree mst m0
 interface TenGigE0/0/0/7
  portfast bpduguard
!
interface TenGigE0/0/0/7
 l2transport
!
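An offline audit of a running configuration in the layout shown above, as an added example that is not part of the original page and is not Cisco code: it lists every bridge-domain attachment circuit and reports whether its spanning-tree mst stanza carries portfast bpduguard. The sample configuration is constructed (TenGigE0/0/0/8 and TenGigE0/0/0/9 are invented), and the indented layout, the bare portfast line and the status labels are assumptions made for the example.

```python
# Added example, not Cisco code. SAMPLE_CONFIG is constructed from the page's
# running configuration; ports 0/0/0/8 and 0/0/0/9 and the indentation are assumed.
SAMPLE_CONFIG = """\
l2vpn
 bridge group bg1
  bridge-domain bd1
   interface TenGigE0/0/0/7
   !
   interface TenGigE0/0/0/8
   !
   interface TenGigE0/0/0/9
   !
spanning-tree mst m0
 interface TenGigE0/0/0/7
  portfast bpduguard
 !
 interface TenGigE0/0/0/8
  portfast
 !
"""

def walk(config):
    """Yield (parents, line) for each command, using indentation as nesting."""
    stack = []  # (indent, command) for the currently open stanzas
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield [cmd for _, cmd in stack], line
        stack.append((indent, line))

def audit_bpduguard(config):
    """Return {attachment circuit: guarded | portfast-only | not-edge | no-mst-stanza}."""
    circuits, mst = [], {}
    for parents, line in walk(config):
        top = parents[0] if parents else ""
        if line.startswith("interface ") and top == "l2vpn":
            circuits.append(line.split(None, 1)[1])
        elif line.startswith("interface ") and top.startswith("spanning-tree mst"):
            mst[line.split(None, 1)[1]] = set()
        elif top.startswith("spanning-tree mst") and parents[-1].startswith("interface "):
            mst[parents[-1].split(None, 1)[1]].add(line)
    return {n: "no-mst-stanza" if n not in mst else
               "guarded" if "portfast bpduguard" in mst[n] else
               "portfast-only" if "portfast" in mst[n] else "not-edge"
            for n in circuits}
```

Any circuit not reported as guarded is a port that will not be error-disabled when a BPDU arrives on it.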
Verification
Verify that you have configured BPDU Guard.
/* Verify the MSTP BPDU Guard configuration */
Router# show interfaces tenGigE 0/0/0/7
Wed Nov 9 09:23:56.268 UTC
TenGigE0/0/0/7 is error disabled, line protocol is administratively down
Interface state transitions: 2
Hardware is TenGigE, address is 7cad.7425.c8c8 (bia 7cad.7425.c8c8)
Layer 2 Transport Mode
MTU 1514 bytes, BW 10000000 Kbit (Max: 10000000 Kbit)
reliability 255/255, txload 0/255, rxload 0/255
Encapsulation ARPA,
Full-duplex, 10000Mb/s, link type is force-up
output flow control is off, input flow control is off
Carrier delay (up) is 10 msec
loopback not set,
Last link flapped 00:00:49
Last input 00:00:40, output 00:00:40
Last clearing of "show interface" counters never
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38752 packets input, 4611429 bytes, 0 total input drops
1 drops for unrecognized upper-level protocol
Received 1 broadcast packets, 38751 multicast packets
0 runts, 0 giants, 0 throttles, 0 parity
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort