FortiSwitch
  • FortiSwitch Terminology
  • FortiLink Architecture
  • Spanning Tree
    • Loop Protection
    • BPDU Guard
    • Root Guard
  • Security Features
    • Storm Control
    • DHCP Snooping
    • IP Source Guard (IPSG)
    • Dynamic ARP inspection (DAI)
    • Loop Guard
    • Quarantine
    • MAC limit
    • 802.1X
  • Advanced Features
    • Access VLANs
    • IGMP Snooping
    • MCLAG
    • Flap Guard
  • Command Cheatsheet
  • Packet Capture
  • QoS
  • Best Practices / Security
  • Monitoring
  • Firmware Upgrade
  • Other Topics
  • Protocols
    • FortiLink
    • LLDP
    • CAPWAP
    • MCLAG Control
    • Other
  • Fortigate Built-In switch
Powered by GitBook
On this page

Was this helpful?

  1. Spanning Tree

BPDU Guard

BPDU Guard, will block a port as soon as it detects Spanning Tree packets (BPDU). This means in practice, when a managed switch with Spanning-Tree protocol is connected, and it's not a FortiSwitch, it will shutdown the port. Clients should not send spanning-tree packets.

It's a per port setting and can be enabled in the GUI:

In the CLI it's possible to change the bpdu-guard timeout from the default 5min value to another:

config switch-controller managed-switch
    edit <switch-id>
        config ports
            edit <port>
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-timeout <mins>
            next
        end
    next
end

Display BPDU Guard status for each switch

G60E # diagnose switch-controller switch-info bpdu-guard-status  S448EFTF23007146
Vdom: root
Managed Switch : S448EFTF23001234 0


  Portname             State      Status       Timeout(m)    Count    Last-Event
  _________________   _______    _________    ___________    _____   __________________

  port2              disabled       -              -             -            -
  port3              disabled       -              -             -            -
  port4              disabled       -              -             -            -
  port5              disabled       -              -             -            -
  port6              disabled       -              -             -            -
  port7              disabled       -              -             -            -
  port8              disabled       -              -             -            -
  port9              disabled       -              -             -            -
  port10             disabled       -              -             -            -
  port11             disabled       -              -             -            -
  port12             disabled       -              -             -            -
  port13             enabled      Triggered        5             2     2023-10-15 14:41:04
  port14             enabled        -              5             0            -
  port15             enabled        -              5             0            -

Reset BPDU Guard: 

FG60E # execute switch-controller switch-action bpdu-guard reset <switch-id> <port>

Log Entries:

PreviousLoop ProtectionNextRoot Guard

Last updated 1 year ago

Was this helpful?