BPDU protection is a security feature designed to protect the active STP topology by preventing spoofed BPDU packets from entering the STP domain. In a typical implementation, BPDU protection would be applied to edge ports connected to end user devices that do not run STP. If STP BPDU packets are received on a protected port, the feature will disable that port and alert the network manager via an SNMP trap as shown in BPDU protection enabled at the network edge.
The following commands allow you to configure BPDU protection on VLANs for which the port is a member.
Syntax:
Syntax:
Configures the duration of time when protected ports receiving unauthorized BPDUs will remain disabled. The default value of 0 (zero) sets an infinite timeout (that is, ports that are disabled by bpdu-protection are not, by default, re-enabled automatically). For an example of using this command, see Re-enabling a port blocked by BPDU protection.
Syntax:
CAUTION: This command should only be used to guard edge ports that are not expected to participate in STP operations. Once BPDU protection is enabled, it will disable the port as soon as any BPDU packet is received on that interface.
Syntax:
Displays a summary listing of ports with BPDU protection enabled. To display detailed per-port status information, enter the specific port number(s). BPDU protected ports are displayed as separate entries of the spanning tree category within the configuration file.
Displaying BPDU protection status for specific ports
HP Switch#: show spanning-tree bpdu-protection 23-24

 Status and Counters - STP BPDU Protection Information

  BPDU Protection Timeout (sec) : 0
  BPDU Protected Ports : 23-24

  Port   Type      Protection State             Errant BPDUs
  ------ --------- ---------- ----------------- ------------
  23     100/1000T Yes        Bpdu Error        1
  24     100/1000T Yes                          0
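
The status listing above can be checked by a script when auditing many switches. The following Python is an added example, not from the HP documentation: it parses the show spanning-tree bpdu-protection output using the dashed column ruler, so the empty State cell for port 24 does not shift the errant-BPDU counter, and reports the ports that tripped. The function names and the column spacing of the embedded sample are assumptions.

```python
import re

# Output taken from the listing on this page; column spacing is reconstructed (assumption).
SAMPLE = """\
 Status and Counters - STP BPDU Protection Information

  BPDU Protection Timeout (sec) : 0
  BPDU Protected Ports : 23-24

  Port   Type      Protection State             Errant BPDUs
  ------ --------- ---------- ----------------- ------------
  23     100/1000T Yes        Bpdu Error        1
  24     100/1000T Yes                          0
"""

def parse_bpdu_protection(text):
    """Return (timeout_seconds, rows) from 'show spanning-tree bpdu-protection' output."""
    lines = text.splitlines()
    m = re.search(r"BPDU Protection Timeout \(sec\)\s*:\s*(\d+)", text)
    timeout = int(m.group(1)) if m else None
    # The dashed ruler defines the fixed-width columns; slicing by its spans
    # keeps an empty State cell (port 24) from shifting the BPDU counter left.
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"\s*-+(\s+-+)+\s*", l))
    spans = [mm.span() for mm in re.finditer(r"-+", lines[ruler])]
    spans[-1] = (spans[-1][0], None)  # last column runs to end of line
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            break
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return timeout, rows

def tripped_ports(text):
    """Ports needing operator action: in Bpdu Error state or with errant BPDUs counted."""
    timeout, rows = parse_bpdu_protection(text)
    findings = []
    for r in rows:
        errant = int(r["Errant BPDUs"] or 0)
        if r["State"] == "Bpdu Error" or errant > 0:
            findings.append({"port": r["Port"], "errant_bpdus": errant,
                             "stays_disabled": timeout == 0})  # 0 = infinite timeout
    return findings

if __name__ == "__main__":
    for f in tripped_ports(SAMPLE):
        print(f)
```

A port reported with stays_disabled set to True will not come back on its own, because the timeout of 0 means disabled ports are not re-enabled automatically.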