Configure BPDU Guard

About this task

Configure BPDU Guard to block the root selection process or to prevent BPDU flooding from unknown devices.

To configure multiple ports simultaneously, select more than one port in the Device Physical View tab. The system displays the BPDU Guard tab as a table-based tab.

Procedure

  1. In the Device Physical View tab, select a port.
  2. In the navigation pane, expand Configuration > Edit > Port.
  3. Select General.
  4. Select the Interface tab.
  5. Select BpduGuardAdminEnabled to enable BPDU Guard for the port.
  6. Optional: Type a value in BpduGuardTimeout to configure the timer for port-state recovery.
  7. Select Apply.

Interface Field Descriptions

Use the data in the following table to use the Interface tab.

Name

Description

Index

Displays the index of the port, written in the slot/port[/sub-port] format.

Name

Configures the name of the port.

Descr

Displays the description of the port. A textual string containing information about the interface.

Type

Displays the type of connector plugged in the port.

Mtu

Displays the Maximum Transmission Unit (MTU) for the port. The size of the largest datagram which can be sent or received on the interface, specified in octets. For interfaces that are used for transmitting network datagrams, this is the size of the largest network datagram that can be sent on the interface.

PhysAddress

Displays the physical address of the port. The address of the interface at the protocol layer immediately below the network layer in the protocol stack. For interfaces which do not have such an address, for example, a serial line, this object should contain an octet string of zero length.

VendorDescr

Displays the vendor of the connector plugged in the port.

DisplayFormat

Identifies the slot and port numbers (slot/port). If the port is channelized, the format also includes the sub-port in the format slot/port/sub-port.

AdminStatus

Configures the port as enabled (up) or disabled (down) or testing. The testing state indicates that no operational packets can be passed.

OperStatus

Displays the current status of the port. The status includes enabled (up) or disabled (down) or testing. The testing state indicates that no operational packets can be passed.

ShutdownReason

Indicates the reason for a port state change.

LastChange

Displays the timestamp of the last change.

LinkTrap

Enables or disables link trapping.

AutoNegotiate

Enables or disables Auto-Negotiation for this port.

The default Auto-Negotiation behavior depends on the switch model and transceiver type.

AutoNegAd

Specifies the port speed and duplex abilities to advertise during link negotiation.

Supported speeds and duplex modes vary, depending on your hardware.

The abilities specified in this object are only used when auto-negotiation is enabled on the port. If all bits in this object are disabled, and auto-negotiation is enabled on the port, then the physical link process on the port will be disabled (if hardware supports this ability).

Any change to this configuration restarts the auto-negotiation process, which has the same effect as physically unplugging and reattaching the cable attached to the port.

If you select default, all capabilities supported by the hardware are advertised.

AdminDuplex

Configures the administrative duplex setting for the port.

OperDuplex

Indicates the operational duplex setting for the port.

AdminSpeed

Configures the administrative speed for the port.

OperSpeed

Indicates the operational speed for the port.

QoSLevel

Selects the Quality of Service (QoS) level for this port. The default is level1.

DiffServ

Enables the Differentiated Service feature for this port. The default is disabled.

Layer3Trust

Configures if the system should trust Layer 3 packets coming from access links or core links only. The default is core.

Layer2Override8021p

Specifies whether Layer 2 802.1p override is enabled (selected) or disabled (cleared) on the port. The default is disabled (cleared).

MltId

Shows the MLT ID associated with this port. The default is 0.

Locked

Shows if the port is locked. The default is unlocked.

UnknownMacDiscard

Discards packets that have an unknown source MAC address, and prevents other ports from sending packets with that same MAC address as the destination MAC address. The default is disabled.

DirectBroadcastEnable

Specifies that an Isolated Routing Port (IRP) can forward directed broadcast traffic. A directed broadcast is a frame sent to the subnet broadcast address on a remote IP subnet. By disabling or suppressing directed broadcast on an interface, all frames sent to the subnet broadcast address for a local router interface are dropped. Disabling this function protects a host from possible denial of service (DoS) attacks.

With the feature enabled, the Control Processor (CP) does not receive a copy of the directed broadcast. As a result, the system does not respond to a subnet broadcast ping sent from a remote subnet.

The default is disabled.

OperRouting

Shows the routing status of the port.

HighSecureEnable

Enables or disables the high secure feature for this port.

RmonEnable

Enables or disables Remote Monitoring (RMON) on the interface. The default is disabled.

FlexUniEnable

Enables Flex UNI on the port. The default is disabled.

EgressRateLimitState

Enables or disables egress port-based shaping to bind the maximum rate at which traffic leaves the port. The default is disabled.

EgressRateLimit

Specifies the egress rate limit in Kbps. You cannot configure the egress shaper rate to exceed the port capability.

If you configure this value to 0, shaping is disabled on the port.

TxFlowControl

Configures if the port sends pause frames. By default, an interface does not send pause frames.

You must also enable the flow control feature globally before an interface can send pause frames.

TxFlowControlOperState

Shows the operational state of flow control.

BpduGuardTimerCount

Shows the time, starting at 0, since the port became disabled. When the BpduGuardTimerCount reaches the BpduGuardTimeout value, the port is enabled. Displays in 1/100 seconds.

BpduGuardTimeout

Specifies the value to use for port-state recovery. After a BPDU guard disables a port, the port remains in the disabled state until this timer expires.

The default is 120 seconds. If you configure the value to 0, the timer never expires.

BpduGuardAdminEnabled

Enables BPDU Guard on the port. The default is disabled.

ForwardErrorCorrection

Configures one of the following options for Forward Error Correction (FEC) on the port:

  • CL 91

  • CL 108

  • CL 74

  • disable

  • auto

The disable option disables this configuration on the port.

ForwardErrorCorrectionApplicability

Displays whether FEC is applicable on the interface.

OperAutoNegotiate

Shows the operational state of Auto-Negotiation.

OperForwardErrorCorrection

Shows the negotiated operational FEC clause.

If the value is off, the port supports FEC and is up but not configured for FEC. If the value is notApplicable, the port does not support FEC. If the value is unknown, the port supports FEC but is down.

Action

Performs one of the following actions on the port:

  • none - none of the following actions

  • flushMacFdb - flush the MAC forwarding table

  • flushArp - flush the ARP table

  • flushIp - flush the IP route table

  • flushAll - flush all tables

  • triggerRipUpdate - manually trigger a RIP update

The default is none.

Result

Displays the result of the selected action. The default is none.

AutoSense

Enables or disables Auto-sense on the specific port. The default value is disabled for existing configurations but enabled for new Zero Touch Fabric Configuration deployments.

AutoSenseKeepAutoConfig

Retains the Auto-sense configuration if you disable Auto-sense on the port. The dynamic configuration becomes a manual configuration and is visible in the show running-config output.

CustomAutoNegAdOrigin

Specifies the origin of Custom Auto Negotiation Advertisements (CANA) configuration on the port. The supported values are:

  • config - Set by the user.

  • radius - Set by the Remote Authentication Dial-In User Service (RADIUS) attribute.

BpduGuardOrigin

Specifies the origin of BPDU Guard configuration on the port. The supported values are:

  • config - Set by the user.

  • radius - Set by the Remote Authentication Dial-In User Service (RADIUS) attribute.

AutoSenseState

Displays the Auto-sense port state.

LinkDebounce

Specifies the extended debounce timer on the port. The value 0 milliseconds disables debounce time. The default value is 1000.

AutoSenseDataIsid

Specifies the Auto-sense data I-SID per port.

AutoSenseWaitInterval

Specifies the Auto-sense Wait Interval for the port. The default is 35.
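
The following Python audit is an added example, not part of the original documentation. It reviews port records keyed by the Interface tab field names, compares BpduGuardTimerCount (1/100 seconds) against BpduGuardTimeout (seconds), and treats a timeout of 0 as no automatic recovery. The sample rows are constructed, and treating a down port with a non-zero counter as disabled by BPDU Guard is an assumption.

```python
import math

# Constructed sample rows keyed by the Interface tab field names (illustrative values).
PORTS = [
    {"Index": "1/1", "OperStatus": "up", "BpduGuardAdminEnabled": True,
     "BpduGuardTimeout": 120, "BpduGuardTimerCount": 0, "BpduGuardOrigin": "config"},
    {"Index": "1/2", "OperStatus": "down", "BpduGuardAdminEnabled": True,
     "BpduGuardTimeout": 120, "BpduGuardTimerCount": 4550, "BpduGuardOrigin": "radius"},
    {"Index": "1/3", "OperStatus": "down", "BpduGuardAdminEnabled": True,
     "BpduGuardTimeout": 0, "BpduGuardTimerCount": 900, "BpduGuardOrigin": "config"},
    {"Index": "1/4", "OperStatus": "up", "BpduGuardAdminEnabled": False,
     "BpduGuardTimeout": 120, "BpduGuardTimerCount": 0, "BpduGuardOrigin": "config"},
]

def is_guard_disabled(port):
    """Assumption: a down port with a running counter was disabled by BPDU Guard."""
    return (port["BpduGuardAdminEnabled"] and port["OperStatus"] == "down"
            and port["BpduGuardTimerCount"] > 0)

def seconds_until_recovery(port):
    """None if not disabled by BPDU Guard, math.inf for timeout 0, else seconds left."""
    if not is_guard_disabled(port):
        return None
    timeout_s = port["BpduGuardTimeout"]
    if timeout_s == 0:                             # 0 means the timer never expires
        return math.inf
    elapsed_s = port["BpduGuardTimerCount"] / 100  # counter is in 1/100 seconds
    return max(0.0, timeout_s - elapsed_s)

def audit(ports):
    """Return (Index, finding) pairs for ports that need review."""
    findings = []
    for p in ports:
        if not p["BpduGuardAdminEnabled"]:
            findings.append((p["Index"], "BPDU Guard not enabled"))
            continue
        left = seconds_until_recovery(p)
        if left is None:
            continue                               # enabled and not tripped
        if math.isinf(left):
            findings.append((p["Index"], "disabled by BPDU Guard, no automatic recovery"))
        else:
            findings.append((p["Index"], f"disabled by BPDU Guard "
                             f"({p['BpduGuardOrigin']}), re-enables in {left:.1f}s"))
    return findings

if __name__ == "__main__":
    print(*audit(PORTS), sep="\n")
```

A port that BPDU Guard has disabled received a BPDU where none was expected, so each such finding is worth tracing to the attached device before the timer re-enables the port.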