Users Guide

2. Enable STP BPDU guard in INTERFACE mode.
spanning-tree bpduguard enable
BPDU guard violation causes the system to perform the following actions in the port channel:
The interface and all member ports are disabled in the hardware.
When the port is added to the port channel that is in the Error Disable state, the new member port is disabled in the
hardware.
When the port is removed from the port channel that is in the Error Disable state, the system clears the Error_Disabled
state on the physical port and enables it in the hardware.
To clear the Error Disabled state:
Use the shutdown command on the interface.
Use the spanning-tree bpduguard disable command to disable the BPDU guard on the interface.
Use the spanning-tree disable command to disable STP on the interface.
3. Set the guard types to avoid loops in INTERFACE mode.
spanning-tree guard {loop | root | none}
loop Set the guard type to loop.
root Set the guard type to root.
none Set the guard type to none.
Port enabled with loop guard conditions
Loop guard is supported on any STP-enabled port or port-channel interface.
You cannot enable root guard and loop guard at the same time on an STP port. The loop guard configuration overwrites
an existing root guard configuration and vice versa.
Enabling BPDU guard and loop guard at the same time on a port results in a port that remains in blocking state and
prevents traffic from flowing through it. For example, when you configure both Portfast BPDU guard and loop guard:
If a BPDU is received from a remote device, BPDU guard places the port in the Err-Disabled Blocking state and no
traffic forwards on the port.
If no BPDU is received from a remote device which was sending BPDUs, loop guard places the port in the Loop-
Inconsistent Blocking state and no traffic forwards on the port.
When used in a Rapid-PVST network, STP loop guard performs per-port or per port-channel at a VLAN level. If no
BPDUs are received on a port-channel interface, the port or port-channel transitions to a Loop-Inconsistent or Blocking
state only for this VLAN.
BPDU filter
os10(conf-if-eth1/1/7)# spanning-tree bpdufilter enable
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-
violation: No
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface Designated
Name PortID Prio Cost Sts Cost Bridge ID PortID
-----------------------------------------------------------------------------------------
--
ethernet1/1/7 128.56 128 500 FWD 500 32769 90b1.1cf4.a625 128.56
BPDU guard
os10(config)# interface ethernet 1/1/7
os10(conf-if-eth1/1/7)# spanning-tree bpduguard enable
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-violation:
Yes
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Layer 2
597