BPDU Guard
BPDU Guard is used to protect STP topology from BPDU attacks.
BPDU Guard must be enabled on a port that should never receive a BPDU from its connected device.
End devices like workstations, server, printers etc. are not supposed to generate BPDUs, because BPDU messages are exchanged by network switches.
If someone plugs switch/hub from switchport then BPDUs will be exchanged and can cause issue in our network.
If someone plugs switch/hub from switchport then BPDUs will be exchanged and can cause issue in our network.
When a BPDU Guard enabled port receive BPDU from the connected device, BPDU Guard disables the port and the port state is changed to Err disable state.
Global Config
switch(config)#spanning-tree portfast edge bpduguard default
To remove, use no command
Interface Config
switch(config-if)#spanning-tree bpduguard enable
To disable use disable at the end
BPDU Filter
BPDU filter is a feature used to filter sending or receiving BPDUs on a switchport.
When BPDU Filter is enabled globally and If any BPDUs are received on switchports, the PortFast feature is disabled and the port will become a normal STP port.
When BPDU Filter is enabled globally and If any BPDUs are received on switchports, the PortFast feature is disabled and the port will become a normal STP port.
When BPDU Filter is enabled at an Interface, BPDU Filter will not send out BPDUs and avoid the processing of received BPDUs. This will completely disable the Spanning Tree Protocol (STP) on that interface.
Global Config
switch(config)#spanning-tree portfast edge bpdufilter defaultTo remove, use no command
Interface Config
switch(config-if)#spanning-tree bpdufilter enable.
To disable use disable at the end
No comments:
Post a Comment