Bpdu guard, Enabling bpdu guard – Brocade Multi-Service IronWare Switching Configuration Guide (Supporting R05.6.00) User Manual

53-1003036-02

IEEE 802.1D Spanning Tree Protocol (STP)

12

BPDU Guard

STP protection provides the ability to prohibit an end station from initiating or participating in an
STP topology. The Bridge Protocol Data Units (BPDU) Guard is used to keep all active network
topologies predictable.

NOTE

The feature is also available for MSTP and RSTP.

STP detects and eliminates logical loops in a redundant network by selectively blocking some data
paths and allowing only some data paths to forward traffic.

In an STP environment, switches, end stations, and other Layer 2 devices use BPDUs to exchange
information that STP will use to determine the best path for data flow. When a Layer 2 device is
powered ON and connected to the network, or when a Layer 2 device goes down, it sends out a
BPDU, triggering a topology change.

In some instances, it is unnecessary for a connected device, such as an end station, to initiate or
participate in a topology change. In this case, you can enable the BPDU Guard feature on the
Brocade port to which the end station is connected. The BPDU Guard feature disables the
connected device's ability to initiate or participate in a topology change by dropping all BPDUs
received from the connected device.

As an extended security measure, the administrator can disable a port if a BPDU is received on a
port where BPDU Guard is configured. A Syslog message and SNMP trap are triggered when the
port is disabled.

You can re-enable the disabled port from the CLI; however, make sure the offending BPDUs have
stopped before re-enabling the port. Otherwise, the port will be disabled again the moment a new
BPDU is received.

NOTE

BPDU Guard should be configured only on the primary port of a LAG. If a port configured with BPDU
guard is made a secondary port, the LAG deployment will be vetoed.

Enabling BPDU Guard

You can enable BPDU Guard on a per-port basis.

To prevent an end station from initiating or participating in topology changes, enter the following
command at the interface level of the CLI.

Brocade(config)# interface ethe 2/1
Brocade(config-if-e1000-2/1)# spanning-tree protect

Syntax: [no] spanning-tree protect

This command causes the port to drop BPDUs sent from the device on the other end of the link.

Enter the no form of the command to disable BPDU Guard on the port and remove the
spanning-tree protect do-disable feature if they are configured.
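
The following audit script is an added example, not part of the Brocade guide: it reads a saved configuration and reports which end-station ports have no spanning-tree protect line. The sample configuration is constructed, and the stanza layout ("interface ethernet <port>" followed by indented lines and "!"), the edge-port list, and the function names are assumptions.

```python
import re

# Constructed sample in running-config style; port numbers/names are illustrative.
SAMPLE_CONFIG = """\
interface ethernet 2/1
 port-name user-desk-1
 spanning-tree protect
!
interface ethe 2/2
 spanning-tree protect do-disable
!
interface ethernet 2/3
!
interface ethernet 2/4
 port-name uplink-core
!
"""

IFACE_RE = re.compile(r"^interface\s+ethe(?:rnet)?\s+(\S+)\s*$")
PROTECT_RE = re.compile(r"^spanning-tree\s+protect(\s+do-disable)?\s*$")

def bpdu_guard_state(config_text):
    """Map each ethernet port in the config to 'none', 'drop' or 'do-disable'."""
    state, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            state[current] = "none"
            continue
        if line == "!" or not raw.startswith(" "):
            current = None  # stanza ended; ignore lines outside an interface
            continue
        p = PROTECT_RE.match(line)
        if current and p:
            if p.group(1):
                state[current] = "do-disable"  # port is disabled on BPDU receipt
            elif state[current] == "none":
                state[current] = "drop"        # BPDUs are dropped, port stays up
    return state

def audit_edge_ports(config_text, edge_ports):
    """Return the edge ports that have no 'spanning-tree protect' line at all."""
    state = bpdu_guard_state(config_text)
    return sorted(p for p in edge_ports if state.get(p, "none") == "none")

if __name__ == "__main__":
    print(audit_edge_ports(SAMPLE_CONFIG, ["2/1", "2/2", "2/3"]))
```

Pass only the ports that face end stations; uplinks such as the constructed 2/4 must keep exchanging BPDUs and are deliberately left out of the edge list.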