Users Guide
2. Enable STP BPDU guard in INTERFACE mode.
spanning-tree bpduguard enable
BPDU guard violation causes the system to perform the following actions in the port channel:
● The interface and all member ports are disabled in the hardware.
● When the port is added to the port channel that is in the Error Disable state, the new member port is disabled in the hardware.
● When the port is removed from the port channel that is in the Error Disable state, the system clears the Error_Disabled state on the physical port and enables it in the hardware.
To clear the Error Disabled state:
● Use the shutdown command on the interface.
● Use the spanning-tree bpduguard disable command to disable the BPDU guard on the interface.
● Use the spanning-tree disable command to disable STP on the interface.
3. Set the guard types to avoid loops in INTERFACE mode.
spanning-tree guard {loop | root | none}
● loop — Set the guard type to loop.
● root — Set the guard type to root.
● none — Set the guard type to none.
Port enabled with loop guard conditions
● Loop guard is supported on any STP-enabled port or port-channel interface.
● You cannot enable root guard and loop guard at the same time on an STP port. The loop guard configuration overwrites an existing root guard configuration and vice versa.
● Enabling BPDU guard and loop guard at the same time on a port results in a port that remains in blocking state and prevents traffic from flowing through it. For example, when you configure both Portfast BPDU guard and loop guard:
○ If a BPDU is received from a remote device, BPDU guard places the port in the Err-Disabled Blocking state and no traffic forwards on the port.
○ If no BPDU is received from a remote device which was sending BPDUs, loop guard places the port in the Loop-Inconsistent Blocking state and no traffic forwards on the port.
● When used in a Rapid-PVST network, STP loop guard operates per port or per port-channel at the VLAN level. If no BPDUs are received on a port-channel interface, the port or port-channel transitions to a Loop-Inconsistent or Blocking state only for this VLAN.
BPDU filter
os10(conf-if-eth1/1/7)# spanning-tree bpdufilter enable
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-violation: No
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface                                 Designated
Name           PortID  Prio  Cost  Sts    Cost  Bridge ID             PortID
----------------------------------------------------------------------------
ethernet1/1/7  128.56  128   500   FWD    500   32769 90b1.1cf4.a625  128.56
BPDU guard
os10(config)# interface ethernet 1/1/7
os10(conf-if-eth1/1/7)# spanning-tree bpduguard enable
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-violation: Yes
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
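An added example, not part of the guide: a Python check that parses saved show spanning-tree interface output and flags the guard combinations described above (BPDU guard with loop guard, and root guard with loop guard). The function names, the second port and its values are constructed for illustration; the parser also rejoins a field that a capture has wrapped across two lines.

```python
import re

# Constructed sample: the first block follows the guide's BPDU guard output,
# the second port (ethernet1/1/8) and its values are invented for this example.
SAMPLE = """\
ethernet1/1/7 of vlan 1 is Designated Forwarding
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-violation:
Yes
Root-Guard: Disable, Loop-Guard: Disable
ethernet1/1/8 of vlan 1 is Designated Blocking
Boundary: No, Bpdu-filter: Disable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-
violation: Yes
Root-Guard: Disable, Loop-Guard: Enable
"""

HEADER = re.compile(r"^(\S+) of vlan (\d+) is (.+)$")
FIELD = re.compile(r"(Bpdu-filter|Bpdu-Guard|Shutdown-on-Bpdu-Guard-violation"
                   r"|Root-Guard|Loop-Guard):\s*(\w+)")

def unwrap(text):
    # Rejoin a line wrapped inside a field name ("...Guard-") or before its value ("...:").
    joined = re.sub(r"(?<=\w-)\n", "", text)
    return re.sub(r":\n", ": ", joined).splitlines()

def parse(text):
    # One dict per "<port> of vlan <N> is <role state>" block, holding its guard fields.
    ports = []
    for line in unwrap(text):
        m = HEADER.match(line)
        if m:
            ports.append({"port": m.group(1), "vlan": int(m.group(2)), "state": m.group(3)})
        elif ports:
            ports[-1].update(FIELD.findall(line))
    return ports

def findings(ports):
    # Flag the guard combinations the guide describes as conflicting.
    out = []
    for p in ports:
        loop = p.get("Loop-Guard") == "Enable"
        if loop and p.get("Bpdu-Guard") == "Enable":
            out.append((p["port"], p["vlan"], "bpduguard+loopguard: port stays blocking"))
        if loop and p.get("Root-Guard") == "Enable":
            out.append((p["port"], p["vlan"], "rootguard+loopguard: should be mutually exclusive"))
    return out

if __name__ == "__main__":
    print(findings(parse(SAMPLE)))
```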