Reference Guide
Spanning-tree extensions
STP extensions ensure efficient network convergence by securely enforcing the active network topology. OS10 supports BPDU filtering,
BPDU guard, loop guard, and root guard STP extensions.
BPDU filtering: Protects the network from unexpected flooding of BPDUs from an erroneous device. Enabling BPDU filtering
instructs the hardware to drop BPDUs and prevents flooding from reaching the CPU. BPDU filtering is enabled by
default on Edge ports. All BPDUs received on the Edge port are dropped. If you explicitly configure BPDU filtering
on a port, that port drops all BPDUs that it receives.
BPDU guard: Blocks the L2 bridged ports and LAG ports connected to end hosts and servers from receiving any BPDUs. When
you enable BPDU guard, it places a port (bridge or LAG) in an Error_Disable or Blocking state if the port receives
any BPDU frames. In a LAG, all member ports (including new members) are placed in a Blocking state.
Network traffic is dropped, but the port continues to forward BPDUs to the CPU, which are later dropped. To prevent
further reception of BPDUs, configure a port to shut down using the shutdown command. The port can only
resume operation from the Shutdown state after manual intervention.
Root guard: Avoids bridging loops and preserves the root bridge position during network transitions. STP selects the root bridge
with the lowest priority value. During network transitions, another bridge with a lower priority may attempt to
become the root bridge and cause unpredictable network behavior. Configure the spanning-tree guard
root command to avoid such an attempt and preserve the position of the root bridge. Root guard is enabled on
ports that are designated ports. The root guard configuration applies to all VLANs configured on the port.
Loop guard: Prevents L2 forwarding loops caused by a hardware failure (cable failure or an interface fault). When a hardware
failure occurs, a participating spanning tree link becomes unidirectional and a port stops receiving BPDUs. When a
blocked port stops receiving BPDUs, it transitions to a Forwarding state, causing spanning tree loops in the
network. You can enable loop guard on a port using the spanning-tree guard loop command; the port transitions to the
Loop-Inconsistent state until it receives BPDUs. After BPDUs are received, the port moves out of
the Loop-Inconsistent (or blocking) state and transitions to an appropriate state determined by STP. Enabling loop
guard on a per-port basis enables it on all VLANs configured on the port. If you disable loop guard on a port, it is
moved to the Listening state.
If you enable BPDU filter and BPDU guard on the same port, the BPDU filter configuration takes precedence. Root guard and loop guard
are mutually exclusive. Configuring one overwrites the other from the active configuration.
• Enable spanning-tree BPDU filter in INTERFACE mode. Use the spanning-tree bpdufilter disable command to disable the
BPDU filter on the interface.
spanning-tree bpdufilter enable
• Enable spanning-tree BPDU guard in INTERFACE mode.
spanning-tree bpduguard enable
• When you use the shutdown command to shut down the port channel interface, all member ports are disabled in the hardware.
• Use the spanning-tree bpduguard disable command to add a physical port to a port-channel already in the Error Disable
state; the new member port is also disabled in the hardware.
• Set the guard types to avoid loops in INTERFACE mode.
spanning-tree guard {loop | root | none}
• loop — Set the guard type to loop.
• none — Set the guard type to none.
• root — Set the guard type to root.
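The precedence rules above (BPDU filter wins over BPDU guard on the same port; root guard and loop guard overwrite each other) are easy to violate in a staged configuration without any error being raised. The following audit is an added example, not Dell code: the `interface ...` / `!` stanza layout and the sample configuration are constructed assumptions, while the `spanning-tree` commands are the ones listed on this page.

```python
import re

# Constructed sample of a staged configuration file; the "interface ..." / "!"
# stanza layout is an assumption for illustration, not taken from the page.
SAMPLE_CONFIG = """\
interface ethernet1/1/4
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface ethernet1/1/5
 spanning-tree guard root
 spanning-tree guard loop
!
interface ethernet1/1/6
 spanning-tree bpduguard enable
 spanning-tree guard root
!
"""

STP_LINE = re.compile(r"^\s+spanning-tree\s+(bpdufilter|bpduguard|guard)\s+(\S+)\s*$")


def parse_interfaces(config):
    """Return {interface: {"bpdufilter": str, "bpduguard": str, "guard": [str, ...]}}."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ports[current] = {"bpdufilter": "disable", "bpduguard": "disable", "guard": []}
        elif current and (m := STP_LINE.match(line)):
            key, value = m.groups()
            if key == "guard":
                ports[current]["guard"].append(value)  # keep order: the last one is active
            else:
                ports[current][key] = value
    return ports


def audit(config):
    """Flag ports where one STP extension silently overrides another."""
    findings = []
    for name, p in parse_interfaces(config).items():
        if p["bpdufilter"] == "enable" and p["bpduguard"] == "enable":
            findings.append((name, "bpdufilter takes precedence over bpduguard"))
        guards = p["guard"]
        overridden = sorted({g for g in guards[:-1] if g not in ("none", guards[-1])})
        if overridden:
            findings.append((name, f"guard {guards[-1]} overwrites guard {', '.join(overridden)}"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports ethernet1/1/4 and ethernet1/1/5; ethernet1/1/6 passes because BPDU guard and root guard do not conflict.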
BPDU filter
OS10(conf-if-eth1/1/4)# spanning-tree bpdufilter enable
OS10(conf-if-eth1/1/4)# do show spanning-tree interface ethernet 1/1/4
ethernet1/1/4 of vlan1 is designated Blocking
Edge port:no (default) port guard :none (default)
Link type is point-to-point (auto)
Boundary: NO bpdu filter : Enable bpdu guard : bpduguard shutdown-on-