Switchport security (bpduguard & bpdufilter)

Mar 12th, 2008

Can someone confirm how I think bpduguard works? I think it stops the potential for loops on a switchport that's configured with portfast by either shutting the port down, or sending an SNMP trap (depending on which you choose) when it receives a BPDU on that interface... most likely caused by someone plugging in a switch on the other end.

Would this be a correct assessment?

Also, I know that you can set switch port security as well by way of the following commands:

>switchport port-security maximum [1]

>switchport port-security mac-address sticky

>switchport port-security violation [shutdown]

Can someone explain the second line, specifically the 'sticky' command? So... if you only allow one MAC address by way of the first command, does the second command say that it will dynamically learn the MAC address and keep that address in its memory by way of the 'sticky' command?

What happens if you plug a different legitimate PC into that port, if that's what it means?

Thanks in advance.


branfarm1 Wed, 03/12/2008 - 13:01

Hi there. You are correct in both cases. When configured on a port, BPDU Guard will disable the interface/send an SNMP trap if it receives a BPDU.

On the switchport port-security mac-address sticky, that port will learn the MAC address of the first device plugged into it and will apply the port-security settings based on that MAC address. So, depending on how you have your port-security violation parameters set up, plugging in a different device with a different MAC address will trigger the violation. To clear the learned address and allow a new one to be learned, use the 'clear port-security sticky interface' command.

Hope that helps!

Jon Marshall Wed, 03/12/2008 - 13:07


Bpduguard can be configured in one of 2 ways:

1) globally on the switch with the command

Router(config)# spanning-tree portfast bpduguard default

In this configuration bpduguard only affects ports that are configured in portfast mode. Any port configured as portfast that receives a BPDU is disabled.

2) On an interface level. In this configuration bpduguard will shut down the port if the port receives a BPDU regardless of whether it is configured to be portfast or not.

Switchport sticky allows dynamically learned MAC addresses to be written into the running config. If you then save that config, i.e. "copy run start" or "wr mem", when the switch reboots it will still use that dynamically learned MAC address on the port.
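The following Catalyst IOS configuration is an added example that is not part of any post in this thread; it puts the two BPDU Guard options and the sticky port-security commands from the question side by side, with the verification and recovery commands a practitioner would use afterwards. Interface names, the VLAN number, and the MAC address shown in the comments are assumed for illustration. Note that port-security must be explicitly enabled on the port (`switchport port-security`) and the port must be a static access port, otherwise the per-port commands are rejected.

```cisco
! Added example (not the thread's own config). Interface names, VLAN 10
! and the MAC address in the comments are assumptions for illustration.

! 1) Global BPDU Guard: only ports running in PortFast mode are affected.
!    A PortFast port that receives a BPDU is placed in err-disabled state.
spanning-tree portfast bpduguard default

! 2) Per-interface BPDU Guard: shuts the port on any received BPDU,
!    whether or not PortFast is configured on it.
interface GigabitEthernet0/2
 description uplink-facing port guarded without PortFast
 spanning-tree bpduguard enable

! Typical end-host access port: PortFast plus sticky port-security.
interface GigabitEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

! Optional: bring err-disabled ports back automatically after 5 minutes
! instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- Verification (privileged EXEC), shown here as comments ---
! show spanning-tree summary
!   -> confirms "Portfast BPDU Guard Default is enabled"
! show port-security interface GigabitEthernet0/1
!   -> port status, violation mode, count, last source address
! show port-security address
!   -> every learned sticky address and the port it is bound to
! show running-config interface GigabitEthernet0/1
!   -> once a host is learned the running config gains a line such as
!      switchport port-security mac-address sticky 0011.2233.4455
! show interfaces status err-disabled
!   -> lists ports shut by BPDU Guard or by a port-security violation
! clear port-security sticky interface GigabitEthernet0/1
!   -> forget the learned MAC so a replacement PC can be learned
! copy running-config startup-config
!   -> sticky entries live only in running-config until saved; without
!      this step they are lost on reload and the port learns afresh
```

The sticky address is written into running-config only; the saved startup-config is untouched until you copy it yourself. On IOS images that include the archive feature, `show archive config differences` will list an unsaved sticky entry as a running-config line absent from startup-config, which is a quick way to see whether a save is pending.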



steve.kirk Thu, 05/29/2008 - 07:32


EDIT: Sorry I didn't see the replies at first!

I just want to confirm I am correct in thinking that with the switchport port-security sticky command, in order for the MAC addresses learnt on a port to be stored and survive a switch reload, you MUST save the running config?

The changes to the configuration that the sticky MAC address causes don't seem to update the 'last configuration change' banner displayed when you issue the 'show run' command, which makes it hard to see if there have been any changes you might need to save.



