Configure BPDU Guard

Configure BPDU Guard to block the root selection process or to prevent BPDU flooding from unknown devices.

About this task

To configure multiple ports simultaneously, select more than one port in the Device Physical View tab. The system displays BPDU Guard tab as a table-based tab.

Procedure

  1. In the Device Physical View tab, select a port.
  2. In the navigation pane, expand the following folders: Configuration > Edit > Port.
  3. Click General.
  4. Click the Interface tab.
  5. Select BpduGuardAdminEnabled to enable BPDU Guard for the port.
  6. Optional: Type a value in BpduGuardTimeout to configure the timer for port-state recovery
  7. Click Apply.

Interface Field Descriptions

Use the data in the following table to use the Interface tab.

Name

Description

Index

Displays the index of the port, written in the slot/port[/sub-port] format.

Name

Configures the name of the port.

Descr

Displays the description of the port. A textual string containing information about the interface.

Type

Displays the type of connector plugged in the port.

Mtu

Displays the Maximum Transmission Unit (MTU) for the port. The size of the largest datagram which can be sent or received on the interface, specified in octets. For interfaces that are used for transmitting network datagrams, this is the size of the largest network datagram that can be sent on the interface.

PhysAddress

Displays the physical address of the port. The address of the interface at the protocol layer immediately `below' the network layer in the protocol stack. For interfaces which do not have such an address (e.g., a serial line), this object should contain an octet string of zero length.

VendorDescr

Displays the vendor of the connector plugged in the port.

DisplayFormat

Identifies the slot and port numbers (slot/port). If the port is channelized, the format also includes the sub-port in the format slot/port/sub-port

AdminStatus

Configures the port as enabled (up) or disabled (down) or testing. The testing state indicates that no operational packets can be passed.

OperStatus

Displays the current status of the port. The status includes enabled (up) or disabled (down) or testing. The testing state indicates that no operational packets can be passed.

LicenseControlStatus

Note:

Exception: only supported on VSP 7200 Series.

Shows the port license status.

ShutdownReason

Indicates the reason for a port state change.

LastChange

Displays the timestamp of the last change.

LinkTrap

Enable or disable link trapping.

AutoNegotiate

Enables or disables Auto-Negotiation for this port.

The default Auto-Negotiation behavior depends on the switch model and transceiver type.

AutoNegAd

Specifies the port speed and duplex abilities to advertise during link negotiation.

Supported speeds and duplex modes vary, depending on your hardware.

The abilities specified in this object are only used when auto-negotiation is enabled on the port. If all bits in this object are disabled, and auto-negotiation is enabled on the port, then the physical link process on the port will be disabled (if hardware supports this ability).

Any change to this configuration restarts the auto-negotiation process, which has the same effect as physically unplugging and reattaching the cable attached to the port.

If you select default, all capabilities supported by the hardware are advertised.

AdminDuplex

Configures the administrative duplex setting for the port.

OperDuplex

Indicates the operational duplex setting for the port.

AdminSpeed

Configures the administrative speed for the port.

Important:

If Auto-Negotiation is disabled and you change the administrative speed on a port that results in a configuration mismatch in speed between two ports, VSP 4450 Series and VSP 4900 Series switches can show an incorrect operational status of "up" for the mismatched ports.

OperSpeed

Indicates the operational speed for the port.

QoSLevel

Selects the Quality of Service (QoS) level for this port. The default is level1.

DiffServ

Enables the Differentiated Service feature for this port. The default is disabled.

Layer3Trust

Configures if the system should trust Layer 3 packets coming from access links or core links only. The default is core.

Layer2Override8021p

Specifies whether Layer 2 802.1p override is enabled (selected) or disabled (cleared) on the port. The default is disabled (clear).

MltId

Shows the MLT ID associated with this port. The default is 0.

Locked

Shows if the port is locked. The default is unlocked.

UnknownMacDiscard

Discards packets that have an unknown source MAC address, and prevents other ports from sending packets with that same MAC address as the destination MAC address. The default is disabled.

DirectBroadcastEnable

Specifies if this interface forwards direct broadcast traffic.

OperRouting

Shows the routing status of the port.

HighSecureEnable

Enables or disables the high secure feature for this port.

RmonEnable

Enables or disables Remote Monitoring (RMON) on the interface. The default is disabled.

FlexUniEnable

Enables Flex UNI on the port. The default is disabled.

IngressRateLimit
Note:

Exception: not supported on 5420 Series, 5520 Series, VSP 4450 Series, VSP 7400 Series, or VSP 8600 Series.

Limits the traffic rate that the specific ingress port accepts.

IngressRatePeak

Configures the peak rate in Kbps. The default is 0.

IngressRateSvc

Configures the service rate in Kbps. The default is 0.

EgressRateLimitState

Enables or disables egress port-based shaping to bind the maximum rate at which traffic leaves the port. The default is disabled.

EgressRateLimit
Note:

Exception: not supported on VSP 7400 Series, VSP 8600 Series, or XA1400 Series.

Specifies the egress rate limit in Kbps. Different hardware platforms support different egress rate limits, depending on the port with the highest speed available on the platform. You cannot configure the egress shaper rate to exceed the port capability.

If you configure this value to 0, shaping is disabled on the port.

TxFlowControl
Note:

Exception: not supported on VSP 8600 Series

Configures if the port sends pause frames. By default, an interface does not send pause frames.

You must also enable the flow control feature globally before an interface can send pause frames.

TxFlowControlOperState

Shows the operational state of flow control.

BpduGuardTimerCount

Shows the time, starting at 0, since the port became disabled. When the BpduGuardTimerCount reaches the BpduGuardTimeout value, the port is enabled. Displays in 1/100 seconds.

BpduGuardTimeout

Specifies the value to use for port-state recovery. After a BPDU guard disables a port, the port remains in the disabled state until this timer expires.

You can configure a value of 0 or to 65535. The default is 120 seconds. If you configure the value to 0, the expiry is infinity.

BpduGuardAdminEnabled

Enables BPDU Guard on the port. The default is disabled.

ForwardErrorCorrection

Configures one of the following options for Forward Error Correction (FEC) on the port:

  • CL 91

  • CL 108

  • CL 74

  • disable

  • auto

The disable option disables this configuration on the port.

ForwardErrorCorrectionApplicability

Displays whether FEC is applicable on the interface.

OperAutoNegotiate

Shows the operational state of Auto-Negotiation.

OperForwardErrorCorrection

Shows the negotiated operational FEC clause.

If the value is off, the port supports FEC and is up but not configured for FEC. If the value is notApplicable, the port does not support FEC. If the value is unknown, the port supports FEC but is down.

IsPortShared

Indicates whether the port is combo or not.

  • portShared—Combo port.

  • portNotShared—Not a combo port.

PortActiveComponent

Specifies whether the copper port is active or fabric port is active if port is a combo port.

  • fixed port—Copper port is active.

  • gbic port—Fabric port is active.

Action

Performs one of the following actions on the port

  • none - none of the following actions

  • flushMacFdb - flush the MAC forwarding table

  • flushArp - flush the ARP table

  • flushIp - flush the IP route table

  • flushAll - flush all tables

  • triggerRipUpdate — manually triggers a RIP update

The default is none.

Result

Displays the result of the selected action. The default is none.

AutoSense

Note:

Exception: not supported on VSP 8600 Series and XA1400 Series.

Enables or disables Auto-sense on the specific port. The default value is disabled for existing configurations but enabled for new Zero Touch Fabric Configuration deployments.

AutoSenseKeepAutoConfig

Note:

Exception: not supported on VSP 8600 Series and XA1400 Series.

Retains the Auto-sense configuration if you disable Auto-sense on the port. The dynamic configuration becomes a manual configuration and is visible in the show running-config output.

CustomAutoNegAdOrigin

Specifies the origin of Custom Auto Negotiation Advertisements (CANA) configuration on the port. The supported values are:

  • config - Set by the user.

  • radius - Set by the Remote Authentication Dial-In User Service (RADIUS) attribute.

BpduGuardOrigin

Specifies the origin of BPDU Guard configuration on the port. The supported values are:

  • config - Set by the user.

  • radius - Set by the Remote Authentication Dial-In User Service (RADIUS) attribute.

AutoSenseState
Note:

Exception: not supported on VSP 8600 Series and XA1400 Series.

Displays the Auto-sense port state.

LinkDebounce

Note:

Exception: not supported on VSP 8600 Series and XA1400 Series.

Specifies the extended debounce timer on the port. The range is 0 to 300000 milliseconds. The value 0 milliseconds disables debounce time. The default value is 1000.

AutoSenseDataIsid
Note:

Exception: not supported on VSP 8600 Series and XA1400 Series.

Specifies the Auto-sense data I-SID per port. The range is 0 to 16777215.