Enabling and disabling BPDU protection

Syntax:


no spanning-tree port-list bpdu-protection

Enables or disables BPDU protection on specified port(s).

Syntax:


no spanning-tree port-list bpdu-protection-timeout timeout

Configures the duration in seconds when protected ports receiving unauthorized BPDUs will remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by bpdu-protection are not, by default, re-enabled automatically).

Range: 0-65535 seconds

Default: 0

Syntax:


no spanning-tree trap errant-bpdu

Enables or disables the sending of errant BPDU traps.

CAUTION:

This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface.

Configuring BPDU protection

To configure BPDU protection on ports 1 to 10 with SNMP traps enabled, enter:

switch(config)# spanning-tree 1-10 bpdu protection
switch(config)# spanning-tree trap errant-bpdu

The following steps will then be set in progress:

  1. When an STP BPDU packet is received on ports 1-10, STP treats it as an unauthorized transmission attempt and shuts down the port that the BPDU came in on.

  2. An event message is logged and an SNMP notification trap is generated.

  3. The port remains disabled until re-enabled manually by a network administrator using the interface port-list enable command.

NOTE:

To re-enable the BPDU-protected ports automatically, configure a timeout period using the spanning-tree bpdu-protection-timeout command.