Should I enable BPDU guard when connection to host machine?

  • 1
  • Question
  • Updated 1 year ago

I am using vlan-aware mode  which will going to connect host at port swp1.  Since it will no need to exchange spanning tree and avoid mistake when connecting another switch into this port.

So I would like to enable BPDU guard. 

1. Does following config is correct?

auto bridge
iface bridge
    alias bridge01
    bridge-ports swp1
    bridge-vids 10 20 30 40 50 100-200
    bridge-vlan-aware yes
    mstpctl-treeprio 32768

auto swp1
        iface swp1
        mstpctl-portadminedge yes
       mstpctl-bpduguard yes

2. With example from manual

which it including enable "mstpctl-portadminedge yes".  As I understand it is similar to portfast setup.   Why it will including it for safe learning time of spanning tree?

Photo of machiasiaweb


  • 900 Points 500 badge 2x thumb

Posted 1 year ago

  • 1
Photo of Jason Guy

Jason Guy, Employee

  • 1,572 Points 1k badge 2x thumb
1) Yes, the config looks fine for the bridge.
2) The reason it is safe to run a host connection as an edge port is most hosts don't run spanning tree, and do not route or bridge packets. Therefore edge ports move into forwarding faster in terms of STP. The bpdu guard is configured to prevent a situation where a host is accidentally configured with a bridge. The switch port is set DOWN upon reception of a BPDU, to prevent a spanning tree loop.