Evil_TTL> show | s

BPDU Guard

Category:Cisco Systems -> Security

BPDU – Bridge Protocol Data Units are messages which are exchanged between switches. These messages carry service data. Inside BPDU packets there are many fields, the descriptions of which you can easily find on the web. The main reason we use BPDU Guard on an access interface is that so noone could poison the network topology by sending in “modified” BPDU messages with the purpose to change, for e.g. a root switch in the network, causing massive L2 STP (Spanning Tree Protocol) topology modification against new unauthorized root device respectively.

To secure the network against this kind of attack, apply the following configuration to any access port of any access layer switch:

interface range gi0/24
-tree portfast
-tree bpduguard enable
// Will turn the port off if a BPDU message received. Manual "shut"/"no shut" required to bring the interface back to life.
errdisable recovery cause bpduguard
// Will turn the port back on in 300 seconds automatically in case of positive alarm.
errdisable recovery interval 400
// Will modify the default 300 seconds time to 400 seconds. 

Modify the configuration to conform to your internal security policy.

By privilege15