BPDU Guard

Answered Question
Aug 12th, 2010

I understand what BPDU accomplishes, but I have a question about its initial configuration. If BPDU is configured on all switchports, how does that affect your initial configuration and rollout? In other words, if you set up a new network and connect a downstream switch to a port on another switch, what prevents that switch from shutting the port down due to the BPDUs received? Is there a specific command required on the trunk link, or should it NOT be configured on trunk links?


Thanks,


~cb

Correct Answer
Mohamed Sobair Thu, 08/12/2010 - 13:24

Hi,

I don't recommend setting it on a trunk link. This is a security feature that prevents the switch from receiving BPDUs on a port by putting the port into the errdisable state.

You should set it on edge ports where hosts are connected.

Sample config:

interface x/y
 spanning-tree portfast
 spanning-tree bpduguard enable



HTH

Mohamed

gdwingnuts Thu, 08/12/2010 - 13:42

So is BPDU data sent from switches that have it disabled?  Is it sent from all switches?


Thanks,


~cb

Correct Answer
Mohamed Sobair Thu, 08/12/2010 - 14:39

Yes, BPDUs are sent from all switches; however, disabling spanning tree for a particular VLAN would stop BPDUs from being sent for that VLAN.



HTH

Mohamed

shahhardik Fri, 08/13/2010 - 05:12

Hi Gdwingnuts,


Basically, we use this feature for security, to protect against any undesired switch coming into action in our network. So we configure only our edge ports with this BPDU guard feature, as suggested by Sobair. Since hosts don't send BPDUs at regular intervals the way all switches do, it is not going to disable or affect our network in any sense. So it is good practice to configure all our host-facing ports, i.e. edge ports, with BPDU guard.

However, you should never configure your trunk link with this feature: on receiving a BPDU from the switch at the opposite end, it will automatically disable the port that is configured in trunk mode, preventing your trunk link from working normally.



Regards,

Hardik
