Wednesday, March 11, 2015

BPDU Guard

    • Prevents connection of "rogue switches"
      • … or any device that generates BPDU (Wireless AP)
    • Global or per-port configuration
      • Global depends on portfast
        • Cmd: spanning-tree portfast bpduguard default
      • Per-port is unconditional
        • Cmd: spanning-tree bpduguard enable
    • When triggered
      • Port is err-disabled when it hears an incoming BPDU
      • Can be recovered with the commands:
    errdisable recovery interval 30
    errdisable recovery cause bpduguard


    • Config BPDU guard.
      • Interface mode:

    • Given topology:
      • Spanning-tree runs on all IOUs
      • IOU2 is the spanning-tree root for VLAN 10

    • Config BPDU guard on interface e0/1 of IOU1.
    IOU1#
    interface Ethernet0/1
     switchport access vlan 10
     switchport mode access
     spanning-tree bpduguard enable

    IOU1#show span int e0/1 detail
     Port 2 (Ethernet0/1) of VLAN0010 is designated forwarding
       Port path cost 100, Port priority 128, Port Identifier 128.2.
       Designated root has priority 20490, address aabb.cc00.0200
       Designated bridge has priority 24586, address aabb.cc00.0100
       Designated port id is 128.2, designated path cost 100
       Timers: message age 0, forward delay 0, hold 0
       Number of transitions to forwarding state: 1
       Link type is shared by default
       Bpdu guard is enabled
       BPDU: sent 102, received 0

    • Do a "no shut" on interface e0/0 of IOU3. => IOU1 receives a BPDU on interface e0/1
    IOU1#    
    *Jan 26 14:34:01.275: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/1 with BPDU Guard enabled. Disabling port.
    *Jan 26 14:34:01.275: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
    *Jan 26 14:34:01.276: STP: VLAN0010 sent Topology Change Notice on Et0/0
    *Jan 26 14:34:01.276: STP[10]: Generating TC trap for port Ethernet0/1
    *Jan 26 14:34:02.277: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
    *Jan 26 14:34:03.280: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to down

    IOU1#show span int e0/1 de
    no spanning tree info available for Ethernet0/1
    IOU1#

    • IOU1 receives a BPDU on interface e0/1 with bpduguard enabled --> the interface goes into err-disable state.
    To bring the port back up once the interface no longer receives BPDUs, configure the commands:

    IOU1(config)#do show run | se errdisable
    errdisable recovery interval 30
    errdisable recovery cause bpduguard

    IOU3(config)#int e0/0
    IOU3(config-if)#shut

    *Jan 26 14:41:45.264: %SYS-5-CONFIG_I: Configured from console by console
    IOU1#
    *Jan 26 14:42:14.268: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et0/1
    *Jan 26 14:42:14.268: set portid: VLAN0010 Et0/1: new port id 8002
    *Jan 26 14:42:14.268: STP: VLAN0010 Et0/1 -> listening
    *Jan 26 14:42:16.268: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
    *Jan 26 14:42:17.272: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
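The console messages above are what a switch emits when BPDU guard trips and when errdisable recovery later re-enables the port. The following is an added example, not part of the original post: a small Python parser for those three syslog mnemonics (%SPANTREE-2-BLOCK_BPDUGUARD, %PM-4-ERR_DISABLE, %PM-4-ERR_RECOVER) that tracks per-port state and flags ports that trip repeatedly. The point it adds is the caveat with automatic recovery: if the BPDU source is still attached, the port will be re-enabled after the interval and immediately err-disabled again, so a monitoring system should alert on repeat trips rather than on a single event. The sample log is constructed, modelled on the IOU1 output shown above; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog excerpt, modelled on the IOU1 console output in the post:
# one trip, one automatic recovery after 30 s, then a second trip because the
# BPDU-generating device is still connected. Non-matching lines are included on purpose.
SAMPLE_LOG = """\
*Jan 26 14:34:01.275: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/1 with BPDU Guard enabled. Disabling port.
*Jan 26 14:34:01.275: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
*Jan 26 14:34:01.276: STP: VLAN0010 sent Topology Change Notice on Et0/0
*Jan 26 14:34:02.277: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
*Jan 26 14:42:14.268: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Et0/1
*Jan 26 14:42:14.268: set portid: VLAN0010 Et0/1: new port id 8002
*Jan 26 14:42:16.268: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Jan 26 14:42:45.101: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Et0/1 with BPDU Guard enabled. Disabling port.
*Jan 26 14:42:45.101: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
"""

# Generic IOS syslog shape: "*<timestamp>: %<FACILITY>-<SEV>-<MNEMONIC>: <message>"
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %(?P<mnemonic>[A-Z0-9_-]+): (?P<msg>.*)$"
)

# How to pull the port name out of each message we care about; other mnemonics are ignored.
PORT_PATTERNS = {
    "SPANTREE-2-BLOCK_BPDUGUARD": re.compile(r"Received BPDU on port (\S+) with BPDU Guard enabled"),
    "PM-4-ERR_DISABLE": re.compile(r"bpduguard error detected on (\S+),"),
    "PM-4-ERR_RECOVER": re.compile(r"recover from bpduguard err-disable state on (\S+)"),
}


@dataclass
class Event:
    ts: str
    mnemonic: str
    port: str


@dataclass
class PortState:
    trips: int = 0          # number of times the port was err-disabled by bpduguard
    recoveries: int = 0     # number of errdisable recovery attempts
    disabled: bool = False  # state after the last event seen
    history: list = field(default_factory=list)


def parse_line(line):
    """Return an Event for a bpduguard-related syslog line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pattern = PORT_PATTERNS.get(m["mnemonic"])
    if pattern is None:
        return None
    pm = pattern.search(m["msg"])
    if pm is None:
        return None
    return Event(m["ts"], m["mnemonic"], pm.group(1))


def summarize(log_text):
    """Replay the log and return {port: PortState}."""
    ports = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        st = ports.setdefault(ev.port, PortState())
        st.history.append(ev)
        # BLOCK_BPDUGUARD is the detection message and ERR_DISABLE the state change for the
        # same event, so trips are counted on ERR_DISABLE only to avoid double counting.
        if ev.mnemonic == "PM-4-ERR_DISABLE":
            st.trips += 1
            st.disabled = True
        elif ev.mnemonic == "PM-4-ERR_RECOVER":
            st.recoveries += 1
            st.disabled = False
    return ports


def repeat_offenders(ports, min_trips=2):
    """Ports that tripped at least min_trips times: the BPDU source is probably still attached."""
    return sorted(port for port, st in ports.items() if st.trips >= min_trips)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for port, st in summary.items():
        print(f"{port}: trips={st.trips} recoveries={st.recoveries} disabled={st.disabled}")
    print("repeat offenders:", repeat_offenders(summary))
```

With the sample above, Et0/1 shows two trips and one recovery and ends up disabled, so it is reported as a repeat offender; a port that tripped once and stayed clear after recovery would not be.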

    • Global mode:
      • Configure with the command:
    spanning-tree portfast bpduguard default
    • Enables bpduguard on interfaces operating in portfast.

    • The behaviour in global mode is the same as interface mode + portfast:
      • As in the figure, when the port comes up -> no BPDU has been received yet -> portfast takes effect -> the port moves from disabled straight to forwarding.
        • When a BPDU is received and hits bpduguard -> the port moves to err-disable state.
    -> In short, it works as expected.
