Free CCNA Workbook

Configuring BPDU Guard

There is always the need to prevent employees from plugging random switches into the network. This lab will discuss and demonstrate the configuration and verification of Spanning Tree BPDU Guard.

Real World Application & Core Knowledge

So what happens when an end user on your network gets the smart idea of plugging a mini switch into multiple wall jacks that are connected to two different switches? The simple answer is a fancy light show in the wiring closet; the technical answer is a layer two switching loop, which almost instantly results in a broadcast storm that brings the network to a screeching halt.

As a network engineer, it is common in many workplaces to enforce a policy that prevents end users from plugging their own mini switch, or even a larger 24-port switch, into the network just to get more ports in an office that has only a jack or two to begin with.

BPDU Guard is a basic feature that automatically shuts down a port when BPDUs are received on that port. It is common to configure PortFast and BPDU Guard together on host access ports.

BPDU Guard also works when you loop a switch through a hub: the switch will see its own BPDUs coming back and will shut down its own port if BPDU Guard is enabled on it.

When BPDU Guard shuts down a port because BPDUs were received on it, the port is placed into a shutdown state known as “ERR-Disabled”. To reset it, navigate to the interface and bounce it (shut down the interface, then bring it back up).

You can also configure BPDU Guard as a spanning-tree default setting for all ports, similar to the PortFast default configuration discussed and demonstrated in the previous lab.

Note that the NM-16ESW only supports platform-wide BPDU Guard configuration via the spanning-tree portfast bpduguard command. It does not support the spanning-tree bpduguard default feature or interface-based BPDU Guard configuration. With that being said, you will not be able to complete this lab using GNS3.

In this lab you’ll familiarize yourself with the following commands:

  • spanning-tree bpduguard enable: executed in interface configuration mode; enables BPDU Guard on that specific interface.
  • spanning-tree bpduguard disable: executed in interface configuration mode; disables BPDU Guard on that interface, overriding the global default that would otherwise enable it.
  • show interface interfacename#/#: executed in user or privileged mode (or in configuration mode with the “do” prefix); shows the current status of that interface.
  • show interface status: executed in user or privileged mode (or in configuration mode with the “do” prefix); shows the current status of all ports on the switch.
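As an added example that is not part of the workbook, the following Python script audits a saved running-config for the effective BPDU Guard state of every port, using the per-interface and global commands listed above. The sample config is constructed, and the script assumes the IOS rule that the global default only takes effect on ports running PortFast.

```python
# Constructed sample running-config (not from the lab) mixing the global and per-interface forms.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface FastEthernet0/10
!
interface FastEthernet0/11
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Split an IOS running-config into global lines and per-interface lines."""
    global_lines, ifaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, ifaces

def bpduguard_state(global_lines, if_lines):
    """Explicit interface command wins; otherwise the global default counts only
    on PortFast ports (assumed IOS behaviour; trunk ports are not special-cased)."""
    if "spanning-tree bpduguard enable" in if_lines:
        return "enabled (interface)"
    if "spanning-tree bpduguard disable" in if_lines:
        return "disabled (interface override)"
    portfast = ("spanning-tree portfast" in if_lines
                or "spanning-tree portfast default" in global_lines)
    if portfast and "spanning-tree portfast bpduguard default" in global_lines:
        return "enabled (global default)"
    return "not protected"

def audit(config):
    """Map every interface name to its effective BPDU Guard state."""
    global_lines, ifaces = parse_interfaces(config)
    return {n: bpduguard_state(global_lines, l) for n, l in ifaces.items()}
```

Ports reported as "not protected" are access ports where a user-attached switch would not be stopped; "disabled (interface override)" is worth a second look, since it silently defeats the global default.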

Lab Prerequisites

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology, then start devices SW1 and SW2.
  • Establish a console session with devices SW1 and SW2, then configure the devices’ respective hostnames.
  • Configure interface Fa0/10 on SW1 and SW2 as an access port for VLAN 10.

Lab Objectives

  • On SW1 and SW2 verify that interface Fa0/10 is up/up.
  • Configure BPDU Guard on SW1 interface Fa0/10 then verify the port status again on SW1.
  • Remove the interface BPDU Guard configuration from SW1 interface Fa0/10 and configure system default portfast and bpduguard, verify the configuration.


The instructional section of this lab is demonstrated using two Cisco Catalyst 3560 Series switches.

Lab Instruction

Step 1. – On SW1 and SW2 verify that interface Fa0/10 is up/up.

You can use show ip interface brief FastEthernet 0/10 or show interface fa0/10 to verify the interface status, as shown below:

SW1#show ip interface brief FastEthernet 0/10
Interface           IP-Address   OK? Method Status      Protocol  
FastEthernet0/10    unassigned   YES unset  up          up      
SW1#

SW2 verification is shown below using the show interface fa0/10 command:

SW2#show interface fa0/10
FastEthernet0/10 is up, line protocol is up (connected) 
  Hardware is Fast Ethernet, address is 001c.57d8.900c (bia 001c.57d8.900c)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     49720 packets input, 3684013 bytes, 0 no buffer
     Received 48602 broadcasts (48602 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 48602 multicast, 0 pause input
     0 input packets with dribble condition detected
     3118 packets output, 381783 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
SW2#

Step 2. – Shut down interface Fa0/10 on SW2, then configure BPDU Guard on SW1 interface Fa0/10; afterward, enable interface Fa0/10 on SW2 and verify the port status again on SW1.

SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#interface fa0/10
SW2(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to 
administratively down
SW2(config-if)#

SW1 BPDU Guard interface configuration is shown below:

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/10
SW1(config-if)#spanning-tree bpduguard enable
SW1(config-if)#end
SW1#

Now enable interface Fa0/10 on SW2:

SW2(config-if)#no shutdown
SW2(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down
SW2(config-if)#

If you jump over to SW1 now you’ll see the following syslog messages, because SW2 is sending SW1 a BPDU on Fa0/10:

SW1#
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/10 with BPDU Guard
enabled. Disabling port.
SW1#
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/10, putting Fa0/10 in
err-disable state
SW1#

Now verify the interface status on SW1 as shown below:

SW1#show interfaces fa0/10
FastEthernet0/10 is down, line protocol is down (err-disabled) 
  Hardware is Fast Ethernet, address is 0014.f2d2.418c (bia 0014.f2d2.418c)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:02:43, output 00:08:44, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3303 packets input, 403853 bytes, 0 no buffer
     Received 2097 broadcasts (2097 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2097 multicast, 0 pause input
     0 input packets with dribble condition detected
     55416 packets output, 4095765 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
SW1#

As you can see, Fa0/10 is now in the ERR-Disabled state because BPDU Guard shut the port down automatically once it received a BPDU from SW2.

Step 3. – Remove the interface BPDU Guard configuration from SW1 interface Fa0/10 and configure system default portfast and bpduguard, verify the configuration.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fa0/10
SW1(config-if)#no spanning-tree bpduguard enable
SW1(config-if)#exit
SW1(config)#spanning-tree portfast bpduguard default
SW1(config)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#

To verify this configuration you can use the show spanning-tree summary command in privileged mode, or in configuration mode by using the do command prefix, as shown below:

SW1(config)#do show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                        0         0        0          0          0
SW1(config)#
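As an added example that is not part of the lab, here is a small Python detector that picks the %PM-4-ERR_DISABLE messages shown in Step 2 out of raw syslog, keeps only the bpduguard-caused ones, and flags ports that keep tripping, which usually means the BPDU-sending device is still plugged in and someone keeps bouncing the port. The syslog lines are constructed; the hostnames SW1 and SW2 follow the lab.

```python
import re
from collections import Counter

# Constructed syslog sample (not captured from the lab); the message bodies follow the
# %SPANTREE-2-BLOCK_BPDUGUARD and %PM-4-ERR_DISABLE formats shown in Step 2.
SAMPLE_SYSLOG = """\
<187>Mar  1 10:02:11 SW1 12: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/10 with BPDU Guard enabled. Disabling port.
<188>Mar  1 10:02:11 SW1 13: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/10, putting Fa0/10 in err-disable state
<189>Mar  1 10:05:40 SW1 14: %SYS-5-CONFIG_I: Configured from console by console
<188>Mar  1 10:09:03 SW1 15: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/10, putting Fa0/10 in err-disable state
<188>Mar  1 10:15:27 SW2 40: %PM-4-ERR_DISABLE: link-flap error detected on Fa0/3, putting Fa0/3 in err-disable state
"""

# Timestamp and originating switch from the syslog header, then cause and port from the body.
ERR_DISABLE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>[^,]+),")

def parse_err_disable(syslog):
    """Return one dict (ts, host, cause, port) per err-disable event in the raw text."""
    events = []
    for line in syslog.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def bpduguard_alerts(syslog, repeat_threshold=2):
    """Keep only bpduguard-caused events and list (host, port) pairs that tripped at
    least repeat_threshold times: a port bounced back up with the BPDU-sending device
    still attached, which needs a physical check rather than another shut/no shut."""
    events = [e for e in parse_err_disable(syslog) if e["cause"] == "bpduguard"]
    counts = Counter((e["host"], e["port"]) for e in events)
    repeats = sorted(k for k, n in counts.items() if n >= repeat_threshold)
    return events, repeats

if __name__ == "__main__":
    hits, repeats = bpduguard_alerts(SAMPLE_SYSLOG)
    for e in hits:
        print(f"{e['ts']} {e['host']} {e['port']} err-disabled by BPDU Guard")
    for host, port in repeats:
        print(f"REPEAT: {host} {port} keeps tripping BPDU Guard")
```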

© Copyright 2009-2017 Free CCNA Workbook All Rights Reserved.