Lab #8

Lab Objectives



On SW1 and SW2, verify that interface Fa0/10 is up/up.
Configure BPDU Guard on SW1 interface Fa0/10, then verify the port status again on SW1.
Remove the interface BPDU Guard configuration from SW1 interface Fa0/10, configure the system default PortFast and BPDU Guard, then verify the configuration.
Lab Instruction
Step 1. – On SW1 and SW2 verify that interface Fa0/10 is up/up.
You can use show ip interface brief FastEthernet 0/10 or show interface fa0/10 to verify the
interface status, as shown below:
SW1#show ip interface brief FastEthernet 0/10
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/10       unassigned      YES unset  up                    up
SW1#
SW2 verification using the show interface fa0/10 command is shown below:
SW2#show interface fa0/10
FastEthernet0/10 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 001c.57d8.900c (bia 001c.57d8.900c)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 4 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
49720 packets input, 3684013 bytes, 0 no buffer
Received 48602 broadcasts (48602 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 48602 multicast, 0 pause input
0 input packets with dribble condition detected
3118 packets output, 381783 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
SW2#
Step 2. – Shut down interface Fa0/10 on SW2, then configure BPDU Guard on SW1 interface
Fa0/10; afterward, enable interface Fa0/10 on SW2, then verify the port status again on SW1.
SW2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface fa0/10
SW2(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
SW2(config-if)#
The SW1 BPDU Guard interface configuration is shown below:
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fa0/10
SW1(config-if)#spanning-tree bpduguard enable
SW1(config-if)#end
SW1#
Now enable interface Fa0/10 on SW2:
SW2(config-if)#no shutdown
SW2(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down
SW2(config-if)#
If you jump over to SW1 now, you'll see the following syslog messages, because SW2 is
sending SW1 a BPDU on Fa0/10:
SW1#
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/10 with BPDU Guard enabled. Disabling port.
SW1#
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/10, putting Fa0/10 in err-disable state
SW1#
Now verify the interface status on SW1, as shown below:
SW1#show interfaces fa0/10
FastEthernet0/10 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 0014.f2d2.418c (bia 0014.f2d2.418c)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:43, output 00:08:44, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
3303 packets input, 403853 bytes, 0 no buffer
Received 2097 broadcasts (2097 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 2097 multicast, 0 pause input
0 input packets with dribble condition detected
55416 packets output, 4095765 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
SW1#
As you can see, Fa0/10 is now in the err-disabled state because BPDU Guard shut down the port
automatically once it received a BPDU from SW2.
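The two syslog messages above are what a log collector would alert on. The following is an added example, not part of the original lab: it correlates them per port and tracks whether the port has come back up. The "<hostname> <message>" line format and the sample lines are constructed for illustration.

```python
import re

# Abbreviated -> full prefixes, so "Fa0/10" and "FastEthernet0/10" compare equal.
PREFIXES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}
EVENTS = [
    ("violation", re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) ")),
    ("errdisable", re.compile(r"%PM-4-ERR_DISABLE: bpduguard error detected on ([^,\s]+)")),
    ("linkup", re.compile(r"%LINK-3-UPDOWN: Interface ([^,\s]+), changed state to up")),
]

def canon(ifname):
    """Expand an abbreviated interface name to its long form."""
    m = re.fullmatch(r"([A-Za-z]+)(\d[\d/]*)", ifname)
    return PREFIXES.get(m.group(1), m.group(1)) + m.group(2) if m else ifname

def bpduguard_report(lines):
    """Map (host, port) -> {'violations': int, 'err_disabled': bool}."""
    report = {}
    for line in lines:
        hit = next(((k, m) for k, rx in EVENTS if (m := rx.search(line))), None)
        if hit is None:
            continue
        kind, m = hit
        key = (line.split(" ", 1)[0], canon(m.group(1)))
        if kind == "linkup":
            # Assumption: link-up after err-disable means the port was recovered.
            if key in report:
                report[key]["err_disabled"] = False
            continue
        entry = report.setdefault(key, {"violations": 0, "err_disabled": False})
        if kind == "violation":
            entry["violations"] += 1
        else:
            entry["err_disabled"] = True
    return report

# Constructed sample in "<hostname> <message>" form, one message per line.
SAMPLE = """\
SW1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/10 with BPDU Guard enabled. Disabling port.
SW1 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/10, putting Fa0/10 in err-disable state
SW1 %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down
SW1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/12 with BPDU Guard enabled. Disabling port.
SW1 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
SW1 %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
""".splitlines()

if __name__ == "__main__":
    for key, entry in sorted(bpduguard_report(SAMPLE).items()):
        print(*key, entry)
```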
Step 3. – Remove the interface BPDU Guard configuration from SW1 interface Fa0/10,
configure the system default PortFast and BPDU Guard, then verify the configuration.
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fa0/10
SW1(config-if)#no spanning-tree bpduguard enable
SW1(config-if)#exit
SW1(config)#spanning-tree portfast bpduguard default
SW1(config)#end
SW1#
%SYS-5-CONFIG_I: Configured from console by console
SW1#
To verify this configuration, use the show spanning-tree summary command in
privileged mode, or in configuration mode by using the do command prefix, as shown below:
SW1(config)#do show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ---------
Total                        0         0        0          0         0
SW1(config)#
SW1(config)#
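The summary output confirms the global defaults, but not which ports they actually cover: the global BPDU Guard default only applies to ports that are operating in PortFast, and interface-level commands override it. The following is an added example, not part of the original lab, and it goes beyond the lab's single port by auditing a whole running-config. The sample config is constructed, and treating only ports with a static `switchport mode trunk` as trunks is a simplifying assumption.

```python
def bpduguard_audit(config_text):
    """Map interface name -> (protected, reason) from running-config text."""
    glob, ports, current = set(), {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = set()
        elif raw[:1] in (" ", "\t") and current:
            ports[current].add(raw.strip())      # indented line: interface sub-command
        else:
            current = None
            glob.add(raw.strip())                # anything else is a global command
    guard_default = "spanning-tree portfast bpduguard default" in glob
    portfast_default = "spanning-tree portfast default" in glob
    result = {}
    for name, cmds in ports.items():
        trunk = "switchport mode trunk" in cmds  # assumption: static mode only
        if "spanning-tree portfast disable" in cmds:
            portfast = False
        elif "spanning-tree portfast trunk" in cmds:
            portfast = True
        else:  # plain PortFast and the global default apply to non-trunking ports only
            portfast = not trunk and ("spanning-tree portfast" in cmds or portfast_default)
        if "spanning-tree bpduguard enable" in cmds:
            result[name] = (True, "interface bpduguard enable")
        elif "spanning-tree bpduguard disable" in cmds:
            result[name] = (False, "interface bpduguard disable")
        elif guard_default and portfast:
            result[name] = (True, "global default on PortFast port")
        else:
            result[name] = (False, "not covered by any BPDU Guard setting")
    return result

# Constructed sample running-config (not taken from the lab switches).
SAMPLE = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface FastEthernet0/10
 switchport mode access
interface FastEthernet0/11
 spanning-tree portfast disable
interface FastEthernet0/12
 spanning-tree bpduguard disable
interface FastEthernet0/24
 switchport mode trunk
"""
if __name__ == "__main__":
    for name, (ok, why) in bpduguard_audit(SAMPLE).items():
        print(f"{name:20} {'PROTECTED' if ok else 'EXPOSED':10} {why}")
```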