Enabling and disabling BPDU protection
Syntax:
[no] spanning-tree port-list bpdu-protection
Enables or disables BPDU protection on specified port(s).
Syntax:
[no] spanning-tree port-list bpdu-protection-timeout timeout
Configures the duration, in seconds, for which protected ports that receive unauthorized BPDUs remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by bpdu-protection are not, by default, re-enabled automatically).
Range: 0-65535 seconds
Default: 0
Syntax:
[no] spanning-tree trap errant-bpdu
Enables or disables the sending of errant BPDU traps.
This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface.
Configuring BPDU protection
To configure BPDU protection on ports 1 to 10 with SNMP traps enabled, enter:
switch(config)# spanning-tree 1-10 bpdu-protection
switch(config)# spanning-tree trap errant-bpdu
The following steps are then set in motion:
1. When an STP BPDU packet is received on ports 1-10, STP treats it as an unauthorized transmission attempt and shuts down the port that the BPDU came in on.
2. An event message is logged and an SNMP notification trap is generated.
3. The port remains disabled until re-enabled manually by a network administrator using the interface port-list enable command.
To re-enable the BPDU-protected ports automatically, configure a timeout period using the spanning-tree bpdu-protection-timeout command.
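To check a saved configuration against the settings described above, the following added example (not part of the original documentation or the vendor's tooling) audits a list of intended edge ports. It assumes the saved configuration contains lines in the same form as the commands on this page and that port lists are purely numeric; the function names and the sample configuration are constructed for illustration.

```python
import re

def expand_ports(port_list):
    """Expand a numeric port list such as '1-4,7' into a set of ints."""
    ports = set()
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config_text, edge_ports):
    """Return a list of findings for the edge ports (a port-list string)."""
    protected, timeout, trap = set(), 0, False  # timeout 0 is the documented default
    for raw in config_text.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        prot = re.fullmatch(r"spanning-tree (\S+) bpdu-protection", line)
        tmo = re.fullmatch(
            r"spanning-tree (?:\S+ )?bpdu-protection-timeout(?: (\d+))?", line)
        if prot:
            ports = expand_ports(prot.group(1))
            protected = protected - ports if negated else protected | ports
        elif tmo:
            timeout = 0 if negated or not tmo.group(1) else int(tmo.group(1))
        elif line == "spanning-tree trap errant-bpdu":
            trap = not negated
    findings = []
    missing = sorted(expand_ports(edge_ports) - protected)
    if missing:
        findings.append(f"no bpdu-protection on edge ports {missing}")
    if not trap:
        findings.append("errant-bpdu trap disabled: no SNMP notification on shutdown")
    if timeout:
        findings.append(f"timeout {timeout}s: tripped ports re-enable automatically")
    return findings

# Constructed sample configuration (not captured from a real switch).
SAMPLE = """\
spanning-tree 1-10 bpdu-protection
no spanning-tree 9 bpdu-protection
spanning-tree bpdu-protection-timeout 300
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "1-12"):
        print("FINDING:", finding)
```

A non-zero timeout is reported because it means a port shut down by an unauthorized BPDU returns to service without an administrator reviewing the event; whether that is acceptable is a site policy decision.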