Specifications
11-3
Cisco MWR 2941 Mobile Wireless Edge Router Release 3.5 Software Configuration Guide, Cisco IOS Release 15.1(3)MR
OL-26895-01
Chapter 11 Configuring Optional Spanning-Tree Features
Understanding Optional Spanning-Tree Features
Fast-enabled STP ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals
an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature
puts the interface in the error-disabled state.
At the interface level, you enable BPDU guard on any STP port by using the spanning-tree bpduguard
enable interface configuration command without also enabling the Port Fast feature. When the STP port
receives a BPDU, it is put in the error-disabled state.
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the interface back in service. Use the BPDU guard feature in a service-provider network
to prevent an access port from participating in the spanning tree.
You can enable the BPDU guard feature for the entire router or for an interface.
Understanding BPDU Filtering
The BPDU filtering feature can be globally enabled on the router or can be enabled per interface, but the
feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled STP ports by using the
spanning-tree portfast bpdufilter default global configuration command. This command prevents
interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still
send a few BPDUs at link-up before the router begins to filter outbound BPDUs. You should globally
enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a
BPDU is received on a Port Fast-enabled STP port, the interface loses its Port Fast-operational status,
and BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any STP port by using the spanning-tree
bpdufilter enable interface configuration command without also enabling the Port Fast feature. This
command prevents the interface from sending or receiving BPDUs.
Caution Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in
spanning-tree loops.
You can enable the BPDU filtering feature for the entire router or for an STP port.
Understanding Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not
owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer
switch as the root switch, as shown in Figure 11-2. You can avoid this situation by enabling root guard
on SP switch interfaces that connect to switches in your customer’s network. If spanning-tree
calculations cause an interface in the customer network to be selected as the root port, root guard then
places the interface in the root-inconsistent (blocked) state to prevent the customer’s switch from
becoming the root switch or being in the path to the root.
If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent
state), and spanning tree selects a new root switch. The customer’s switch does not become the root
switch and is not in the path to the root.