Leaflet

OL-11615-01
spanning tree. When enabled on a port, BPDU guard shuts down the port as soon as a BPDU is received
on that port. In this way, BPDU guard helps prevent unauthorized access and the illegal injection of
forged BPDUs.
BPDU guard requires STP PortFast to be configured on the port first. STP PortFast causes a Layer 2 LAN
port configured as an access port to enter the forwarding state immediately, bypassing the listening and
learning states. PortFast can be used on Layer 2 access ports connected to a single workstation or server
to allow those devices to connect to the network immediately, instead of waiting for STP to converge.
BPDU guard can be configured per port or globally. When configured globally, BPDU guard is effective only
on ports in the operational PortFast state.
To enable BPDU guard on a port of a system running Catalyst OS, use the set spantree bpdu-guard
command. You must first enable PortFast on the port.
Console> (enable) set spantree portfast mod/port enable
Console> (enable) set spantree bpdu-guard mod/port {enable | disable | default}
This example shows how to enable spanning tree BPDU guard on module 1, port 2:
Console> (enable) set spantree portfast 1/2 enable
Warning: Connecting layer 2 devices to a fast-start port can cause temporary spanning tree
loops. Use with caution.
Spantree port 1/2 fast start enabled.
Console> (enable)
Console> (enable) set spantree portfast bpdu-guard 1/2 enable
Spantree port 1/2 bpdu guard enabled.
Console> (enable)
For more information on the set spantree bpdu-guard command on the Catalyst 6500, refer to the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/setsn_su.htm#wp1243604
For more information on the set spantree bpdu-guard command on the Catalyst 4500, refer to the
following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/command/set_q_s.htm#wp1072868
BPDU guard can be enabled globally on a system running Catalyst OS by using the set spantree
global-default bpdu-guard command. When enabled globally, BPDU guard applies to all interfaces
that are in an operational PortFast state.
Console> (enable) set spantree global-default bpdu-guard {enable | disable}
This example shows how to enable the global BPDU guard state on the switch:
Console> (enable) set spantree global-default bpdu-guard enable
Spantree global-default bpdu-guard enabled on this switch.
Console> (enable)
For more information on the set spantree global-default bpdu-guard command on the Catalyst 6500,
refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/setsn_su.htm#wp1169655
For more information on the set spantree global-default bpdu-guard command on the Catalyst 4500,
refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/command/set_q_s.htm#wp1049757
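The per-port and global settings described above can be cross-checked offline against a saved configuration. The following Python sketch is an added example, not part of the original Cisco document: it flags ports where PortFast is enabled without effective BPDU guard, and ports where BPDU guard is set without PortFast. The function name audit, the sample configuration, and the rules that "default" follows the global setting and that a per-port "disable" overrides it are assumptions; the check uses the configured PortFast state, not the operational one.

```python
import re

# Command forms taken from the page; both per-port BPDU guard spellings that
# appear there are accepted. Single mod/port only (no ranges): an assumption.
PORTFAST = re.compile(r"^set spantree portfast (\d+/\d+) (enable|disable)$")
GUARD = re.compile(
    r"^set spantree (?:portfast )?bpdu-guard (\d+/\d+) (enable|disable|default)$")
GLOBAL = re.compile(r"^set spantree global-default bpdu-guard (enable|disable)$")


def audit(config_text):
    """Return {port: finding} for ports whose BPDU guard posture needs review."""
    portfast, guard, global_guard = {}, {}, False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := PORTFAST.match(line):
            portfast[m.group(1)] = m.group(2) == "enable"
        elif m := GUARD.match(line):
            guard[m.group(1)] = m.group(2)
        elif m := GLOBAL.match(line):
            global_guard = m.group(1) == "enable"

    findings = {}
    for port in sorted(set(portfast) | set(guard)):
        fast = portfast.get(port, False)
        setting = guard.get(port, "default")
        # Assumption: "default" (or no per-port line) follows the global setting,
        # and an explicit per-port "disable" overrides a global "enable".
        effective = setting == "enable" or (setting == "default" and global_guard)
        if fast and not effective:
            findings[port] = "PortFast enabled without BPDU guard"
        elif setting == "enable" and not fast:
            findings[port] = "BPDU guard set but PortFast not enabled"
    return findings


# Constructed sample configuration, not output from a real switch.
SAMPLE = """\
set spantree global-default bpdu-guard disable
set spantree portfast 1/2 enable
set spantree portfast bpdu-guard 1/2 enable
set spantree portfast 2/1 enable
set spantree portfast 2/2 enable
set spantree bpdu-guard 2/2 disable
set spantree bpdu-guard 3/1 enable
"""

if __name__ == "__main__":
    for port, finding in audit(SAMPLE).items():
        print(port, finding)
```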