BPDU Guard

When BPDU Guard is enabled and a switch port receives a BPDU, the port stops forwarding and disables itself. It is common to enable this on an access port, usually in addition to PortFast. In theory a user should never generate legitimate BPDUs, so this mechanism helps prevent malicious alteration of the STP topology. It also acts as a protection should the port be cabled to another switch by accident, causing a bridging loop.

interface gig0/1
 spanning-tree bpduguard enable

A port that has been disabled because of a violation shows a status of err-disabled (show int status). The interface needs to be bounced to bring it back up.
You can also configure the switch to automatically bring an interface out of err-disable:

(config)# errdisable recovery cause bpduguard
(config)# errdisable recovery interval 30
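To check that the settings above are actually applied across a switch, the following added example (not from the original post) audits a saved running-config for access ports that lack BPDU Guard and reports whether automatic err-disable recovery is configured. The sample config is constructed; the script also assumes the standard global command `spanning-tree portfast bpduguard default`, which applies BPDU Guard to PortFast-enabled ports only and is not mentioned in the post.

```python
import re

# Constructed sample running-config for illustration (not from the page).
SAMPLE_CONFIG = """\
errdisable recovery cause bpduguard
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

PORTFAST = {"spanning-tree portfast", "spanning-tree portfast edge"}

def audit_bpduguard(config):
    """Return (access ports lacking BPDU Guard, auto-recovery configured?)."""
    ports, current, globals_ = {}, None, set()
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())      # command inside interface block
        else:
            current = None                 # back at global config level
            globals_.add(line.strip())
    by_default = "spanning-tree portfast bpduguard default" in globals_
    recovery = "errdisable recovery cause bpduguard" in globals_
    missing = []
    for name, cmds in ports.items():
        if "switchport mode access" not in cmds:
            continue                       # audit access ports only
        explicit = "spanning-tree bpduguard enable" in cmds
        inherited = (by_default and bool(cmds & PORTFAST)
                     and "spanning-tree bpduguard disable" not in cmds)
        if not (explicit or inherited):
            missing.append(name)
    return missing, recovery
```

On the sample config this flags GigabitEthernet0/2 and GigabitEthernet0/3; the trunk port is skipped because only access ports are audited.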
