Filter
Top Products
13-3
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 13 Configuring Optional Spanning-Tree Features
Understanding Optional Spanning-Tree Features
Understanding BPDU Guard
The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the
feature operates with some differences.
At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree
portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in
a Port Fast-operational state. In a valid configuration, Port Fast-enabled ports do not receive BPDUs.
Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration, such as the connection
of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state.
At the interface level, you can enable BPDU guard on any port by using the spanning-tree bpduguard
enable interface configuration command without also enabling the Port Fast feature. When the port
receives a BPDU, it is put in the error-disabled state.
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the port back in service. Use the BPDU guard feature in a service-provider network to
prevent an access port from participating in the spanning tree.
If your switch is running PVST or MSTP, you can enable the BPDU guard feature for the entire switch
or for an interface.The MSTP is available only if you have the EI installed on your switch.
Understanding BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but
the feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled ports by using the
spanning-tree portfast bpdufilter default global configuration command. This command prevents
ports that are in a Port Fast-operational state from sending or receiving BPDUs. The ports still send a
few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable
BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is
received on a Port Fast-enabled port, the port loses its Port Fast-operational status, and BPDU filtering
is disabled.
At the interface level, you can enable BPDU filtering on any port without also enabling the Port Fast
feature by using the spanning-tree bpdufilter enable interface configuration command. This command
prevents the port from sending or receiving BPDUs.
Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
spanning-tree loops.
If your switch is running PVST or MSTP, you can enable the BPDU filtering feature for the entire switch
or for an interface.The MSTP is available only if you have the EI installed on your switch.