Cisco Systems 2960 Manual De Usuario
18-14
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 18 Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
Enabling BPDU Guard
When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port
Fast-operational state), spanning tree continues to run on the ports. They remain up unless they receive
a BPDU.
Fast-operational state), spanning tree continues to run on the ports. They remain up unless they receive
a BPDU.
In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port
Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and
the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts
down the entire port on which the violation occurred.
Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and
the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts
down the entire port on which the violation occurred.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown
vlan global configuration command to shut down just the offending VLAN on the port where the
violation occurred.
vlan global configuration command to shut down just the offending VLAN on the port where the
violation occurred.
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the port back in service. Use the BPDU guard feature in a service-provider network to
prevent an access port from participating in the spanning tree.
manually put the port back in service. Use the BPDU guard feature in a service-provider network to
prevent an access port from participating in the spanning tree.
Caution
Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop
could cause a data packet loop and disrupt switch and network operation.
could cause a data packet loop and disrupt switch and network operation.
You also can use the spanning-tree bpduguard enable interface configuration command to enable
BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it
is put it in the error-disabled state.
BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it
is put it in the error-disabled state.
You can enable the BPDU guard feature if your switch is running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU guard feature. This
procedure is optional.
procedure is optional.
To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration
command.
command.
You can override the setting of the no spanning-tree portfast bpduguard default global configuration
command by using the spanning-tree bpduguard enable interface configuration command.
command by using the spanning-tree bpduguard enable interface configuration command.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
spanning-tree portfast bpduguard default
Globally enable BPDU guard.
By default, BPDU guard is disabled.
Step 3
interface interface-id
Specify the interface connected to an end station, and enter
interface configuration mode.
interface configuration mode.
Step 4
spanning-tree portfast
Enable the Port Fast feature.
Step 5
end
Return to privileged EXEC mode.
Step 6
show running-config
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.