Portfast and bpduguard configuration

    switch(config)# interface range f0/1-5
    switch(config-if-range)# spanning-tree portfast
    switch(config-if-range)# spanning-tree bpduguard enable

BPDU Guard puts a PortFast port into the err-disable state when it receives a BPDU, in order to avoid bridging loops. It can be configured globally or on the interface (disabled by default). You can use the errdisable recovery cause bpduguard command to enable automatic port recovery.

Unlike BPDU Guard, BPDU Filter behaves differently depending on whether it is configured in global or interface mode. When it is enabled on a PortFast port in interface mode, the switch does not send any BPDUs on that port and discards all BPDUs it receives. When it is enabled in global mode, a port that receives any BPDU drops its PortFast status and the BPDU filtering feature and changes back to normal STP operation. The BPDU Filter feature is disabled by default. When both bpduguard and bpdufilter are enabled, bpdufilter has the higher priority and bpduguard has no effect.

Loop Guard is mainly used to prevent a blocked port from being mistakenly transitioned to the forwarding state, which would result in a bridging loop. When the switch stops receiving BPDUs on a non-designated port with the loopguard feature enabled, the switch puts the port into the STP "inconsistentports" blocking state. When the inconsistent port receives BPDUs again, it automatically transitions to the STP state determined by those BPDUs. Run the sh spanning-tree inconsistentports command to view the inconsistent port status. The loopguard feature is enabled by default.

The function of BPDU Guard is to set the port to Error-Disabled immediately when it receives any BPDU. When the STP function of the switch is enabled, all ports take part in STP by default, and BPDUs are sent and accepted on them.
When BPDU Guard is enabled, a downstream port does not receive any BPDUs under normal circumstances, because neither PCs nor unmanaged switches support STP, so they do not send or receive BPDUs. If a self-loop exists below this port, the BPDU sent by the port is looped back through the unmanaged switch and received by the port itself. At that point BPDU Guard immediately sets the port to Error-Disabled. The port is then effectively shut down and forwards no data, which cuts the loop and protects the entire network.

The BPDU Guard feature can be enabled globally or per interface. The two methods are slightly different. When a port with the PortFast feature enabled receives a BPDU, BPDU Guard shuts the port down so that it is in the err-disable state. In this case, you must manually restore the port to normal.

Configure BPDU Guard:

    ! enable BPDU Guard on the ports with the PortFast feature enabled
    Switch(config)# spanning-tree portfast bpduguard default
    ! enable BPDU Guard without enabling the PortFast feature
    Switch(config-if)# spanning-tree bpduguard enable

The BPDU Filtering feature is very similar to the BPDU Guard feature. BPDU Filtering prevents the switch from sending BPDUs to the host on a port with the PortFast feature enabled. If BPDU Filtering is configured globally, then when a PortFast port receives a BPDU, the switch disables the PortFast and BPDU Filtering features on it and changes the port back to normal STP operation. If you enable BPDU Filtering on an individual PortFast port, that port does not send any BPDUs and ignores all received BPDUs.

Note that if BPDU Filtering is configured on a port connected to another switch (rather than a port connected to a host), a Layer 2 loop may occur, because the port is prevented from sending and receiving BPDUs.
In addition, if BPDU Guard is configured on a port that also has BPDU Filtering enabled, BPDU Guard does not work and the port behaves according to BPDU Filtering.

Configure BPDU Filtering:

    ! enable BPDU Filtering on the ports with the PortFast feature enabled
    Switch(config)# spanning-tree portfast bpdufilter default
    ! enable BPDU Filtering without enabling the PortFast feature
    Switch(config-if)# spanning-tree bpdufilter enable

ROOT Guard

Root Guard prevents a new switch (with a lower root bridge ID) from affecting a stable switching network (one where a root bridge already exists) and prevents unauthorized switches from becoming the root bridge.

Working principle: when a port has this feature enabled and receives a BPDU with a higher priority than that of the root bridge, it immediately blocks the port so that no loop can form. This port state is dynamic. If the port no longer receives a better BPDU, it changes back to the forwarding state. Root Guard is applied on the designated port (DP), and the port role does not change. The port can only be a DP, which prevents the newly added switch from becoming root; the port becomes a permanent DP (show spanning-tree inconsistentports). If the newly added switch wants to become root, its port cannot work until the new switch completes the RP.

Loop Guard

Loop Guard prevents a blocked port from moving to forwarding when it stops receiving BPDUs because the link is abnormal (two-way communication is not possible). The port is put into the loop-inconsistent blocking state when BPDUs are not received (root guard is automatically disabled when loop guard is enabled).

Loop Guard is enabled on the RP interface or alternate port:

    Switch(config-if)# spanning-tree guard loop

Global enabling:

    Switch(config)# spanning-tree loopguard default

If loop guard is enabled on a port with root guard enabled, loop guard will disable the root guard function.
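The interactions described above (BPDU Filtering overriding BPDU Guard, BPDU Filtering on a switch-facing port, and PortFast without BPDU Guard) can be checked mechanically. The following Python code is an added example, not part of the original article; the sample configuration is constructed, and treating "switchport mode trunk" as the marker of a switch-to-switch link is an assumption.

```python
# Constructed sample configuration for illustration; not taken from the page.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
interface FastEthernet0/3
 switchport mode trunk
 spanning-tree bpdufilter enable
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
"""

def parse(config):
    """Split an IOS-style config into global commands and per-interface commands."""
    global_cmds, ports, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split()[1], set())
        elif raw.startswith(" ") and current is not None:
            current.add(line)               # indented line belongs to the interface
        elif line and line != "!":
            current = None                  # unindented line ends the interface block
            global_cmds.add(line)
    return global_cmds, ports

def audit(config):
    """Return sorted (interface, finding) pairs for the cases the article describes."""
    global_cmds, ports = parse(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, cmds in ports.items():
        guard = "spanning-tree bpduguard enable" in cmds
        filt = "spanning-tree bpdufilter enable" in cmds
        if filt and guard:                  # filter has priority, guard never fires
            findings.append((name, "bpdufilter overrides bpduguard"))
        if filt and "switchport mode trunk" in cmds:   # assumed switch-facing port
            findings.append((name, "bpdufilter on trunk: loop risk"))
        if "spanning-tree portfast" in cmds and not (guard or guard_default):
            findings.append((name, "portfast without bpduguard"))
    return sorted(findings)
```

Calling audit(SAMPLE) reports FastEthernet0/2, 0/3 and 0/4; adding the global bpduguard default line clears the 0/4 finding only.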