Configure BPDU Guard

Configure BPDU Guard to block the root selection process or to prevent BPDU flooding from unknown devices.

Procedure

Enter GigabitEthernet Interface Configuration mode:

enable

configure terminal

interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Note

If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
Enable BPDU Guard for the port:

spanning-tree bpduguard enable
Optional: Configure the timer for port-state recovery:

spanning-tree bpduguard timeout <0, 10–65535>
Optional: Enable BPDU Guard on an additional port or group of ports:

spanning-tree bpduguard port {slot/port[/sub-port][-slot/port[/subport]][,...]} enable
Optional: Configure the timer for port-state recovery for an additional port or group of ports:

spanning-tree bpduguard port {slot/port[/sub-port][-slot/port[/subport]][,...]} timeout <0–65535>
Verify the configuration:

show spanning-tree bpduguard [GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}] [{slot/port[/sub-port][-slot/port[/subport]][,...]}]

Example

Enable BPDU Guard on port 1/8, and specify a timer value of 200 seconds. Verify the configuration.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/8
Switch:1(config-if)#spanning-tree bpduguard enable
Switch:1(config-if)#spanning-tree bpduguard timeout 200
Switch:1(config-if)#show spanning-tree bpduguard 1/8

===============================================================================
                                   Bpdu Guard 
===============================================================================
Port      PORT         PORT                TIMER   BPDUGUARD    BPDUGUARD 
NUM MLTID ADMIN_STATE  OPER_STATE TIMEOUT  COUNT   ADMIN_STATE  ORIGIN
-------------------------------------------------------------------------------
1/8       Up            Up        200        0       Enabled    CONFIG

Variable Definitions

Use the data in the following table to use the spanning-tree bpduguard commands.


Variable	Value
enable	Enables BPDU Guard on the port. The default is disabled.
port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}	Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
timeout `<0, 10-65535>`	Specifies the value to use for port-state recovery. After a BPDU guard disables a port, the port remains in the disabled state until this timer expires. You can configure a value from 10 to 65535. The default is 120 seconds. If you configure the value to 0, the expiry is infinity.

Use the data in the following table to use the show spanning-tree bpduguard command.


Variable	Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}	Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.