BPDU GUARD

BPDU Guard is employed on interfaces that are PortFast-enabled. Under normal circumstances, a PortFast-enabled interface connects to a host device only and thus the interface should never receive a BPDU.

BPDU Guard is a basic feature that will automatically shut down a port when BPDU’s are received on that particular port. It is common to configure PortFast and BPDU Guard on host access ports. The BPDU Guard feature disables the connected device’s ability to initiate or participate in a topology change, by dropping all BPDUs received from the connected device.


When BPDU Guard shuts down a port due to BPDU’s being received on the port, the port will be placed into a shutdown state known as “ERR-Disabled”. To reset this, one can navigate to the interface and bounce the interface (shutdown the interface then bring it back up)

When a port only has a host device connected to it, we will enable portfast, which speeds up the port initialization process and put the port into forwarding state straight away. This eliminates 30 seconds of delay that would have been encountered if STP was not bypassed and the port went through the Listening and Learning states. Because host is a workstation, it sends no BPDUs and so disabling Spanning Tree on a port like this is not an issue.

 bpdu-guard-01

To enable BPDU Guard:
Switch(config)# interface fa0/11
Switch(config-if)# spanning-tree bpduguard enable

To take an interface out of an errdisable state, simply disable and re-enable the interface:
Switch(config)# interface fa0/11
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

 

Lab Scenario to demonstrate the BPDU Guard behavior :-

 

  • On SWITCH1 and SWITCH2 verify that interface Fa0/1 is up/up.
  • Configure BPDU Guard on SWITCH1      interface Fa0/1 then verify the port status again on SWITCH1.
  • Remove the interface BPDU Guard      configuration from SWITCH1      interface Fa0/1 and configure system default portfast and bpduguard,      verify the configuration.

Step 1. > On SWITCH1 and SWITCH2 verify that interface Fa0/1 is up/up.

You can use show ip interface brief FastEthernet 0/1 or show interface fa0/1 to verify the interface status as shown below;

SWITCH1#show ip interface brief FastEthernet 0/1
Interface                   IP-Address    OK?    Method      Status      Protocol
FastEthernet0/1     unassigned   YES    unset           up             up
SWITCH1#

SWITCH2 verification shown below using the show interface fa0/1 command;

SWITCH2#show interface fa0/1
FastEthernet0/1 is up, line protocol is up (connected) 
  Hardware is Fast Ethernet, address is 0015.f2d2.229d (bia 0015.f2d2.229d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of “show interface” counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     49720 packets input, 3684013 bytes, 0 no buffer
     Received 48602 broadcasts (48602 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 48602 multicast, 0 pause input
     0 input packets with dribble condition detected
3118 packets output, 381783 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
SWITCH2#

 

Step 2. > Shutdown interface Fa0/1 on SWITCH2 then configure BPDU Guard on SWITCH1 interface Fa0/1; afterward, enable interface Fa0/1 on SWITCH2 then verify the port status again on SWITCH1.

SWITCH2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH2(config)#interface fa0/1
SWITCH2(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SWITCH2(config-if)#

SWITCH1 BPDU Guard interface configuration shown below;

SWITCH1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SWITCH1(config)#interface fa0/1
SWITCH1(config-if)#spanning-tree bpduguard enable

Now enable Interface Fa0/1 on SWITCH2

SWITCH2(config-if)#no shutdown
SWITCH2(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SWITCH2(config-if)#
If you jump over to SWITCH1 now you’ll see the following SYSLog message due to the fact SWITCH2 is sending SWITCH1 a BPDU on Fa0/1;

SWITCH1#
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/1 with BPDU Guard
enabled. Disabling port.
SWITCH1#
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
SWITCH1#

Now verify the interface status on SWITCH1 as shown below;

SWITCH1#show interfaces fa0/1
FastEthernet0/10 is down, line protocol is down (err-disabled) 
  Hardware is Fast Ethernet, address is 0015.f2d2.229c (bia 0015.f2d2.229c)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:43, output 00:08:44, output hang never
  Last clearing of “show interface” counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3303 packets input, 403853 bytes, 0 no buffer
     Received 2097 broadcasts (2097 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2097 multicast, 0 pause input
     0 input packets with dribble condition detected
     55416 packets output, 4095765 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
SWITCH1#

Please follow and like us:
error

Tags: ,

Related Posts

Add Comment

Social Media Auto Publish Powered By : XYZScripts.com
Select your currency
USD United States (US) dollar

Checkout : E-STORE for latest release "CISCO IPS & IDS Interview Q&A " Dismiss