Which command is used to enable BPDU Guard globally on all PortFast-enabled ports in a Cisco switch?
spanning-tree bpduguard enable
spanning-tree portfast bpduguard default
bpduguard enable
switchport bpduguard enable
The correct command to enable BPDU Guard globally on all PortFast-enabled ports in a Cisco switch is:
spanning-tree portfast bpduguard default
Detailed Explanation
Understanding BPDU Guard
Before looking at the command itself, it helps to understand what BPDU Guard is and why it is used. BPDU Guard (Bridge Protocol Data Unit Guard) is a Cisco switch feature that protects the Spanning Tree topology from rogue or misconfigured switches attached to access ports. It watches ports that are configured with PortFast (or any port on which it has been explicitly enabled) for incoming BPDUs.
PortFast is typically enabled on ports where end devices such as computers, printers, or servers are connected. It lets these ports skip the usual Spanning Tree Protocol (STP) listening and learning states and move directly into the forwarding state, so the attached host becomes usable on the network almost immediately. End hosts do not send BPDUs, so a BPDU arriving on a PortFast port means that a switch, a bridge, or a host generating BPDUs has been plugged in. Such a device can cause unintended topology changes, claim the root bridge role, or create a loop.
BPDU Guard addresses this risk by immediately disabling a protected port the moment it receives a BPDU. The port is placed into the errdisable state, which shuts it down until an administrator re-enables it or the switch's errdisable recovery timer does so. This stops the unauthorized switch from influencing the topology.
Global vs. Interface-Level Configuration
There are two ways to enable BPDU Guard on a Cisco switch:
- Globally: Applies BPDU Guard to all ports on the switch that have PortFast enabled.
- Interface-Level: Applies BPDU Guard to a specific interface, regardless of whether PortFast is enabled.
When you enable BPDU Guard globally, you ensure that every port configured with PortFast will automatically have BPDU Guard active, providing a blanket of protection across the entire switch. This method is particularly useful in large networks where manually configuring BPDU Guard on each individual port would be time-consuming and prone to errors.
The Command: spanning-tree portfast bpduguard default
The command spanning-tree portfast bpduguard default enables BPDU Guard globally on every port on which the PortFast feature is in effect. Once it is entered, any port on the switch with PortFast enabled automatically has BPDU Guard active, and if a BPDU is received on one of these ports, the port transitions into the errdisable state. Ports where PortFast is not in effect (for example trunk uplinks) are unaffected, and a per-interface BPDU Guard setting, whether enable or disable, takes precedence over this global default.
Here’s a breakdown of the command:
- spanning-tree: This keyword invokes Spanning Tree Protocol-related commands. STP is a layer 2 protocol that prevents loops in Ethernet networks by building a loop-free logical topology.
- portfast: This keyword refers to the PortFast feature, a Cisco enhancement to STP that allows a port to transition immediately to the forwarding state. On newer IOS-XE releases the PortFast keywords include edge (spanning-tree portfast edge bpduguard default), so check the command reference for your platform.
- bpduguard: This keyword indicates that BPDU Guard is being configured. BPDU Guard is the security feature that error-disables a protected port as soon as a BPDU arrives on it.
- default: This final keyword specifies that BPDU Guard should be the default for all PortFast-enabled ports on the switch, rather than being configured on a single interface.
Configuring BPDU Guard Globally
To enable BPDU Guard globally on a Cisco switch, use the following steps:
- Access Global Configuration Mode: First, enter global configuration mode on the switch.
Switch# configure terminal
- Enable BPDU Guard Globally: Once in global configuration mode, enable BPDU Guard on all PortFast-enabled ports with:
Switch(config)# spanning-tree portfast bpduguard default
- Verify the Configuration: After configuring BPDU Guard, verify that it has been applied.
Switch# show running-config | include bpduguard
This command lists every BPDU Guard-related line in the running configuration. If BPDU Guard has been enabled globally, the output includes spanning-tree portfast bpduguard default. Any per-interface enable or disable lines appear as well, so this is also where overrides of the global default show up.
- Test the Configuration: To confirm that BPDU Guard is working, connect a device that generates BPDUs (such as another switch) to a PortFast-enabled port. The port should immediately go into the errdisable state upon receiving a BPDU, and the switch logs a message attributing the shutdown to BPDU Guard. Because this test deliberately error-disables the port, run it on a lab switch or a designated test port, not on a user's active connection.
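The global-versus-interface precedence described above, and the verification step, can be checked offline against a saved running-config. The following Python script is an added example, not code from the original page or from Cisco: it parses text in IOS running-config format and computes, for every interface, whether PortFast is in effect and whether BPDU Guard actually protects it, applying the rule that a per-interface spanning-tree bpduguard enable or disable overrides the global default. The sample configuration, the interface names, and the assumption that spanning-tree portfast default and the edge keyword variants behave as shown are all constructed for this example; verify them against your platform's command reference.

```python
"""Audit which switchports are effectively protected by BPDU Guard.

Added example (not from the original page or from Cisco). It parses text in
Cisco IOS running-config format and applies the precedence the page describes:
a per-interface 'spanning-tree bpduguard enable|disable' wins; otherwise the
global 'spanning-tree portfast bpduguard default' protects exactly the ports on
which PortFast is in effect. The sample configuration is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname ACCESS-SW1
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user pc
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description printer, guard switched off per interface
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/3
 description access port without PortFast
 switchport mode access
!
interface GigabitEthernet1/0/4
 description trunk to core
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 description lab port, guard enabled without PortFast
 switchport mode access
 spanning-tree bpduguard enable
!
"""


@dataclass
class Port:
    name: str
    trunk: bool = False
    portfast_cfg: Optional[bool] = None   # per-interface PortFast on/off, None = not set
    portfast_trunk_kw: bool = False       # 'spanning-tree portfast trunk' form used
    bpduguard_cfg: Optional[str] = None   # "enable", "disable" or None = not set


def parse_config(text: str) -> Tuple[Dict[str, bool], Dict[str, Port]]:
    """Return (global settings, ports) from IOS running-config text."""
    glob = {"portfast_default": False, "bpduguard_default": False}
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                  # top-level (global) line
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = ports.setdefault(m.group(1), Port(m.group(1)))
            elif re.fullmatch(r"spanning-tree portfast( edge)? default", line):
                glob["portfast_default"] = True
            elif re.fullmatch(r"spanning-tree portfast( edge)? bpduguard default", line):
                glob["bpduguard_default"] = True
            continue
        if current is None:                          # indented line outside an interface
            continue
        if line == "switchport mode trunk":
            current.trunk = True
        elif re.fullmatch(r"spanning-tree portfast( edge)?( trunk)?", line):
            current.portfast_cfg = True
            current.portfast_trunk_kw = line.endswith(" trunk")
        elif line == "spanning-tree portfast disable":
            current.portfast_cfg = False
        else:
            m = re.fullmatch(r"spanning-tree bpduguard (enable|disable)", line)
            if m:
                current.bpduguard_cfg = m.group(1)
    return glob, ports


def effective_portfast(glob: Dict[str, bool], port: Port) -> bool:
    """PortFast applies to non-trunk ports (or trunks only with the 'trunk' keyword)."""
    if port.portfast_cfg is not None:
        return port.portfast_cfg and (not port.trunk or port.portfast_trunk_kw)
    return glob["portfast_default"] and not port.trunk


def effective_bpduguard(glob: Dict[str, bool], port: Port) -> bool:
    """Per-interface enable/disable wins; the global default covers PortFast ports only."""
    if port.bpduguard_cfg is not None:
        return port.bpduguard_cfg == "enable"
    return glob["bpduguard_default"] and effective_portfast(glob, port)


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Per-port effective state plus a finding for PortFast ports left unguarded."""
    glob, ports = parse_config(text)
    report: Dict[str, Dict[str, object]] = {}
    for name, port in ports.items():
        pf = effective_portfast(glob, port)
        bg = effective_bpduguard(glob, port)
        report[name] = {"portfast": pf, "bpduguard": bg,
                        "finding": "PortFast port without BPDU Guard" if pf and not bg else ""}
    return report


if __name__ == "__main__":
    for name, st in audit(SAMPLE_CONFIG).items():
        flag = f"  <-- {st['finding']}" if st["finding"] else ""
        print(f"{name:24} portfast={st['portfast']!s:5} bpduguard={st['bpduguard']!s:5}{flag}")
```

Feed it the output of show running-config and the only port it flags in the sample is GigabitEthernet1/0/2, where an explicit per-interface disable silently removes the protection the global default appears to give; removing the global line instead makes GigabitEthernet1/0/1 the unguarded port, while the explicit enable on GigabitEthernet1/0/5 keeps working either way.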
What Happens When BPDU Guard is Triggered?
When BPDU Guard is triggered, the port that received the BPDU is placed into the errdisable state. The port is effectively shut down and passes no traffic, and the switch logs an error message identifying the port and stating that BPDU Guard caused the shutdown. The port remains in the errdisable state until an administrator resets it or, if configured, the errdisable recovery timer expires.
To bring the port back online manually, the administrator first removes or corrects the offending device and then bounces the interface:
Switch(config)# interface [interface-id]
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Alternatively, the switch can be told to recover ports from the errdisable state automatically after a set period. This is a switch-wide errdisable recovery setting rather than a BPDU Guard option, and it is enabled per cause:
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval [seconds]
With this configuration the port comes back online after the specified interval (the default is 300 seconds), reducing the need for manual intervention. Two caveats apply. If the offending device is still attached, the port receives another BPDU as soon as it recovers and is error-disabled again, so a port that keeps cycling between recovery and errdisable is a sign that the rogue device has not been removed. And because any crafted BPDU takes a protected port down, BPDU Guard gives someone with physical access a cheap way to knock a port offline; the errdisable events should therefore be monitored rather than merely tolerated.
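The recovery caveats above are easiest to spot from the switch's log. The following Python script is an added example, not code from the original page or from Cisco: it reads syslog text, counts how often each port was error-disabled by BPDU Guard, and flags ports that tripped again immediately after an automatic errdisable recovery, which is the signature of a device that is still attached (or of someone repeatedly injecting BPDUs). The sample log lines are constructed to follow the shape of the SPANTREE-2-BLOCK_BPDUGUARD, PM-4-ERR_DISABLE and PM-4-ERR_RECOVER messages; exact wording varies by platform and release, so treat the regular expressions as assumptions to adjust against your own logs.

```python
"""Triage BPDU Guard errdisable events from Cisco IOS syslog text.

Added example, not code from the original page or from Cisco. The log excerpt
is constructed and the message patterns are assumptions modelled on the
SPANTREE-2-BLOCK_BPDUGUARD and PM-4-ERR_RECOVER messages; adjust them to the
exact wording your platform produces.
"""
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed sample syslog excerpt (not captured from a real device).
SAMPLE_LOG = """\
Jan 14 10:02:11.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Jan 14 10:02:11.130: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Jan 14 10:07:12.001: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7
Jan 14 10:07:13.502: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Jan 14 10:07:13.510: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Jan 14 10:30:40.777: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
Jan 14 10:30:40.781: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Jan 14 10:35:41.000: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/12
"""

# Assumed message shapes; the BLOCK message names the port in long form,
# the recovery message in short form.
BLOCK_RE = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: .*bpduguard err-disable state on (\S+)")

_ABBREV = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "TenGigabitEthernet": "Te"}


def short_ifname(name: str) -> str:
    """Normalise interface names so GigabitEthernet1/0/7 and Gi1/0/7 count as one port."""
    for long, short in _ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def triage(log_text: str) -> Dict[str, Dict[str, object]]:
    """Per port: BPDU Guard trips, automatic recoveries, and whether it re-tripped after recovery."""
    stats: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"trips": 0, "recoveries": 0, "retrip_after_recovery": False, "timestamps": []})
    awaiting_retrip: Set[str] = set()   # ports whose most recent event was a recovery
    for line in log_text.splitlines():
        timestamp = line.split(": %", 1)[0]
        m = BLOCK_RE.search(line)
        if m:
            port = short_ifname(m.group(1))
            s = stats[port]
            s["trips"] += 1
            s["timestamps"].append(timestamp)
            if port in awaiting_retrip:           # tripped again right after recovery
                s["retrip_after_recovery"] = True
                awaiting_retrip.discard(port)
            continue
        m = RECOVER_RE.search(line)
        if m:
            port = short_ifname(m.group(1))
            stats[port]["recoveries"] += 1
            awaiting_retrip.add(port)
    return dict(stats)


def verdict(s: Dict[str, object]) -> str:
    """Turn the per-port counters into the action an operator should take."""
    if s["retrip_after_recovery"]:
        return "device still attached after recovery: remove it before re-enabling the port"
    if s["trips"] >= 3:
        return "repeated BPDUs on this port: investigate for a rogue switch or deliberate BPDU injection"
    return "single trip: identify the device that sent the BPDU"


if __name__ == "__main__":
    for port, s in triage(SAMPLE_LOG).items():
        print(f"{port:10} trips={s['trips']} recoveries={s['recoveries']} -> {verdict(s)}")
```

Pipe in the output of show logging or the collector's stream for the switch; in the sample, Gi1/0/7 recovers and is immediately error-disabled again, so the rogue device is clearly still plugged in, while Gi1/0/12 tripped once and recovered cleanly.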
Benefits of BPDU Guard
- Network Security: BPDU Guard helps secure the network by preventing unauthorized devices, like rogue switches, from affecting network topology.
- Operational Efficiency: When enabled globally, BPDU Guard provides a simple and effective way to enforce network security policies across all PortFast-enabled ports.
- Loop Prevention: By immediately shutting down ports that receive unexpected BPDUs, BPDU Guard helps prevent network loops that could degrade network performance.
- Ease of Management: Globally enabling BPDU Guard reduces the need for per-port configuration, simplifying network management, especially in large networks.
Conclusion
Enabling BPDU Guard globally with the spanning-tree portfast bpduguard default command is a best practice wherever network security and stability matter. It ensures that every PortFast-enabled port is protected against rogue devices that send BPDUs, preserving the integrity and performance of the Spanning Tree topology. By understanding how the global default interacts with per-interface settings and with errdisable recovery, network administrators can significantly reduce the risk of disruptions caused by unauthorized or misconfigured switches.