Users Guide

Layer 2 Switching Commands
spanning-tree bpdu-protection
Use the spanning-tree bpdu-protection command in Global Configuration
mode to enable BPDU guard on a switch. Use the no form of this command
to return the BPDU guard function to its default state.
Syntax
spanning-tree bpdu-protection
no spanning-tree bpdu-protection
Default Configuration
BPDU guard is not enabled.
Command Mode
Global Configuration mode
User Guidelines
The administrator should ensure that interfaces on which BPDU guard is
enabled are configured as edge ports. To configure an interface as an edge
port, use the spanning-tree portfast command.
An edge port is generally connected to a user terminal (such as a desktop
computer) or file server directly and is configured as an edge port to
implement a fast transition to the forwarding state. When the port receives a
BPDU packet, the system sets it to a non-edge port and recalculates the
spanning tree topology, which may cause network topology flapping. In
normal cases, edge ports do not receive any BPDU packets. However, an
attacker may forge BPDU packets to maliciously disrupt the switch and cause
network flapping.
Dell spanning-tree provides a BPDU guard function against such attacks. If
an interface enabled for BPDU guard receives a BPDU packet, the interface is
diagnostically disabled and a message is written to the log. The port may be
re-enabled using the no shutdown command after disconnecting the
offending device from the interface.
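An audit of the guideline above, as an added example that is not part of the Dell guide: it scans a running-config and reports whether BPDU guard is enabled globally and which interfaces are not configured as edge ports. The sample config is constructed, and the interface names and "exit"-terminated interface blocks are assumptions about the config layout.

```python
import re

# Constructed running-config excerpt (not from the guide). Interface names
# and "exit"-terminated interface blocks are assumptions about the layout.
SAMPLE_CONFIG = """\
spanning-tree bpdu-protection
interface Gi1/0/1
spanning-tree portfast
exit
interface Gi1/0/2
description "user desk 2"
exit
interface Gi1/0/3
spanning-tree portfast
exit
"""

def audit_bpdu_guard(config_text):
    """Return (guard_enabled, edge_ports, non_edge_ports) for a config."""
    guard_enabled = False
    edge, non_edge = [], []
    current, is_edge = None, False

    def flush():
        # Record the interface block that just ended, if any.
        if current is not None:
            (edge if is_edge else non_edge).append(current)

    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            flush()  # previous block had no closing "exit"
            current, is_edge = m.group(1), False
        elif current is not None and line == "exit":
            flush()
            current = None
        elif current is not None and line == "spanning-tree portfast":
            is_edge = True
        elif current is None and line == "spanning-tree bpdu-protection":
            guard_enabled = True  # global command; the "no" form never matches
    flush()
    return guard_enabled, edge, non_edge

if __name__ == "__main__":
    enabled, edge, non_edge = audit_bpdu_guard(SAMPLE_CONFIG)
    print("BPDU guard enabled globally:", enabled)
    print("Edge ports:", edge, "| not edge ports, review:", non_edge)
```

Interfaces in the second list are the ones to check against the guideline before relying on BPDU guard.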
Example
The following example enables BPDU protection.