Why BPDU Guard Matters
A rogue switch plugged into an access port can elect itself as the new root bridge, causing the entire network to reconverge and black-hole traffic. BPDU Guard protects against this attack by monitoring access ports for unexpected BPDUs.
Scenario: Rogue Switch Plugged into Access Port
SW1 (Root)
    │
    └── User Port (Gi1/0/10)
            │
            ├── Host
            └── [ROGUE SWITCH]  ← Someone plugged this in
                    │
                    └─ Sends BPDUs with Priority 0
                       (Election is automatic—rogue wins)
Result: TOPOLOGY CORRUPTS
- New root bridge is the rogue switch
- All traffic reconverges through it
- Packet loss, latency spikes
- Possible complete network outage
With BPDU Guard enabled on access ports:
[ROGUE SWITCH] connects to Gi1/0/10
↓
Rogue sends BPDU
↓
Switch detects BPDU on edge port
↓
Port immediately error-disabled
↓
Rogue switch isolated, network unaffected
↓
Network operator notified via syslog
Network protected in milliseconds.
BPDU Guard Behavior
BPDU Guard operates only on PortFast (edge) ports. When a BPDU is received on an edge port:
- Port transitions to error-disable state immediately
- Port stops forwarding traffic
- SNMP trap sent (if configured)
- Syslog message generated
- Port remains disabled until manually cleared or auto-recovery timer expires
The entire process is automatic—no configuration needed beyond enabling BPDU Guard.
Global BPDU Guard Configuration
Enable BPDU Guard globally to protect all PortFast ports:
SW1(config)# spanning-tree portfast default
SW1(config)# spanning-tree portfast bpduguard default
SW1(config)# end
Verify:
SW1# show running-config | include spanning-tree portfast
spanning-tree portfast default
spanning-tree portfast bpduguard default
Effect: All ports with PortFast enabled now error-disable if they receive BPDUs.
Check Summary:
SW1# show spanning-tree summary
Portstatus Summary
Root bridge for: VLAN0010
PortFast BPDU Guard: Enabled ← Global default active
PortFast Enabled: 47
Per-Interface BPDU Guard Configuration
For selective BPDU Guard (only on specific ports), configure per-interface:
SW1(config)# interface GigabitEthernet 1/0/1
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# exit
Check status:
SW1# show spanning-tree interface Gi1/0/1 detail
Portfast: Enabled
BPDU Guard: Enabled
Disable on Specific Ports
If global BPDU Guard is enabled but you want to disable it on a specific port (e.g., a management console port that might need to receive BPDUs):
SW1(config)# interface GigabitEthernet 1/0/48
SW1(config-if)# spanning-tree bpduguard disable
SW1(config-if)# exit
Verify:
SW1# show spanning-tree interface Gi1/0/48 detail
BPDU Guard: Disabled
Errdisable Recovery
When a port is error-disabled by BPDU Guard, it remains offline until explicitly cleared. For automated recovery, configure errdisable recovery:
SW1(config)# errdisable recovery cause bpduguard
SW1(config)# errdisable recovery interval 60
SW1(config)# end
This tells the switch: "If a port error-disables due to BPDU Guard, automatically re-enable it after 60 seconds."
Parameters:
- cause bpduguard: Trigger recovery for BPDU Guard errors
- interval 60: Wait 60 seconds before re-enabling (default is 300)
Verify:
SW1# show errdisable recovery
ErrDisable Reason Timer Status
----------------- ----- ------
bpduguard Enabled 60 sec(s)
When to Use Errdisable Recovery:
- Campus networks: Enable with 60-second interval. A rogue switch is usually unplugged within 60 seconds.
- Unattended closets: Enable with 300-second interval (5 minutes) for safer recovery.
- Data centers: Disable errdisable recovery if you want manual investigation before re-enabling (prevents silent failures).
When NOT to Use Errdisable Recovery:
- If you want to be alerted every time a port error-disables (requires manual intervention)
- If you're testing or lab-validating the protection
Lab Configuration: Full Example
Lab topology: Catalyst 9300 (SW1, SW2 Distribution; SW3, SW4 Access) with VLAN 10/20/30.
All Access Switches: Enable Portfast + BPDU Guard Globally
SW3(config)# spanning-tree mode rapid-pvst
SW3(config)# spanning-tree portfast default
SW3(config)# spanning-tree portfast bpduguard default
SW3(config)# errdisable recovery cause bpduguard
SW3(config)# errdisable recovery interval 60
! Disable PortFast on uplinks (must be done AFTER setting default)
SW3(config)# interface range GigabitEthernet 1/0/25-28
SW3(config-if-range)# no spanning-tree portfast
SW3(config-if-range)# exit
SW3(config)# end
Repeat for SW4.
Verification
SW3# show spanning-tree summary
Switch is in rapid-pvst+ mode
Root bridge for: VLAN0010
Portstatus Summary
Global Info
Root bridge for: VLAN0010
PortFast BPDU Guard: Enabled
PortFast Enabled: 24
All 24 user access ports have PortFast + BPDU Guard.
Check Specific Port
SW3# show spanning-tree interface Gi1/0/1 detail
Role: Designated
State: Forwarding
Priority: 128
Cost: 19
Portfast: Enabled
BPDU Guard: Enabled
Edge Port: Yes
Link type: Point-to-point
Real-World Scenario: Rogue Switch Detection
Scenario Setup
User plugs a Catalyst 2960 (with default priority 32768) into access port Gi1/0/10 of SW3.
Rogue Switch Configuration (On the Rogue)
Switch(config)# spanning-tree vlan 10 root primary ! Makes itself root
What Happens on SW3:
Immediate syslog message:
SW3#
%SPANTREE-2-BLOCK_PORTFAST_BPDU_GUARD: Received BPDU on port Gi1/0/10
with PortFast enabled. Disabling port.
Check port status:
SW3# show interfaces Gi1/0/10 status
Port Name Status Vlan
Gi1/0/10 User Access err-disabled 10
Check errdisable reasons:
SW3# show interfaces status err-disabled
Interface Error Disable Reason Time Disabled
Gi1/0/10 BPDU Guard (Portfast) 00:00:15
SW3# show errdisable interface
Interface Reason Status
Gi1/0/10 BPDU Guard (Portfast) Errdisabled
What the User Experiences
The user on that port loses connectivity immediately. No loops occur. The network remains stable.
IT Response
IT is notified (via syslog to central logging system). Options:
- Unplug the rogue switch. After 60 seconds, errdisable recovery auto-enables the port.
! 60 seconds elapse...
SW3#
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
Port is forwarding again, user regains connectivity.
- Manual investigation. If you want to control the timeline:
! Manually clear the port (an err-disabled port must be bounced: shutdown, then no shutdown)
SW3(config)# interface Gi1/0/10
SW3(config-if)# shutdown
SW3(config-if)# no shutdown
SW3(config-if)# exit
Port re-enables immediately.
BPDU Guard vs. Other STP Protection Features
| Feature | PortFast | BPDU Guard | Root Guard | Loop Guard |
|---|---|---|---|---|
| Purpose | Fast access port transition | Protect against rogue switches | Prevent unauthorized root | Prevent unidirectional loops |
| Where Used | Access ports only | Access ports (paired with PortFast) | Designated ports (uplinks) | Root/alternate ports |
| Action on Issue | N/A | Error-disables port | Blocks port (root-inconsistent) | Error-disables port |
| Typical Config | spanning-tree portfast | spanning-tree bpduguard enable | spanning-tree guard root | spanning-tree guard loop |
Verification and Monitoring
Check All Error-Disabled Ports
SW1# show interfaces status err-disabled
Interface Error Disable Reason Time Disabled
Gi1/0/10 BPDU Guard (Portfast) 00:05:23
Check Errdisable Status
SW1# show errdisable recovery
ErrDisable Reason Timer Status
----------------- ----- ------
bpduguard Enabled 60 sec(s)
View Port Detail (Including BPDU Guard Status)
SW1# show spanning-tree interface Gi1/0/10 detail
Portfast: Enabled
BPDU Guard: Enabled
Edge Port: Yes
Portfast Incurred Cost: 0
Monitor Syslog for BPDU Guard Events
Configure syslog to central server to alert when ports error-disable:
SW1(config)# logging host 10.1.1.50
SW1(config)# logging trap errors
SW1(config)# end
Syslog messages will show BPDU Guard events across the network.
Common BPDU Guard Mistakes
Mistake 1: BPDU Guard Without PortFast
BPDU Guard only works on PortFast (edge) ports. If PortFast is not enabled:
! WRONG:
interface Gi1/0/10
spanning-tree bpduguard enable
! PortFast not configured—BPDU Guard is ignored
exit
Fix:
interface Gi1/0/10
spanning-tree portfast ! Required first
spanning-tree bpduguard enable
exit
Verify:
show spanning-tree interface Gi1/0/10 detail
! Should show "Portfast: Enabled" and "BPDU Guard: Enabled"
Mistake 2: Forgetting Errdisable Recovery in Production
Problem: A user plugs a rogue switch into access port. Port error-disables. User is offline indefinitely until IT manually re-enables the port.
Fix: Enable errdisable recovery:
errdisable recovery cause bpduguard
errdisable recovery interval 60
After 60 seconds, the port auto-recovers if the rogue device is unplugged.
Mistake 3: Using BPDU Guard on Uplinks
Problem:
! WRONG:
interface GigabitEthernet 1/0/49 ! Uplink
spanning-tree portfast
spanning-tree bpduguard enable
exit
If the uplink experiences a topology change and proposal/agreement is needed, BPDU Guard might error-disable the port before negotiation completes.
Fix: PortFast and BPDU Guard are for access ports only:
interface GigabitEthernet 1/0/49
no spanning-tree portfast
spanning-tree link-type point-to-point
exit
Mistake 4: BPDU Guard on Ports Connected to Printers or APs
Some network devices (older printers, rogue access points) may generate STP BPDUs. If BPDU Guard is enabled on their port, they get error-disabled unexpectedly.
Solution: Disable BPDU Guard on specific ports if you know they're safe:
interface GigabitEthernet 1/0/5
spanning-tree portfast
spanning-tree bpduguard disable ! Allow this device to send BPDUs
exit
Document why in the interface description:
interface GigabitEthernet 1/0/5
description Xerox Printer (requires BPDU forwarding)
spanning-tree bpduguard disable
exit
Mistake 5: Errdisable Recovery Interval Too Short
Problem:
errdisable recovery interval 10 ! 10 seconds—too aggressive
If a rogue switch is still plugged in, the port recovers and forwards traffic from the rogue, creating loops.
Fix: Use reasonable intervals:
errdisable recovery interval 60 ! 60 seconds (1 minute)
This gives IT time to manually unplug the rogue device.
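The rules behind Mistakes 1 and 3 (plus the plain case of an access port that ends up with no effective protection) can be checked offline against a saved `show running-config`. The script below is an added example, not code from the article or from Cisco; it assumes a plain-text IOS config and applies the precedence the article describes (per-interface commands override the global defaults, which apply to access ports only) to a constructed sample.

```python
# Constructed sample config (not from the article): a documented exception, a trunk
# with BPDU Guard but no PortFast (Mistakes 1 and 3), an uplink given PortFast (Mistake 3).
SAMPLE_CONFIG = """\
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/5
 spanning-tree bpduguard disable
interface GigabitEthernet1/0/10
 switchport mode trunk
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/49
 switchport mode trunk
 spanning-tree portfast
"""

def parse_config(text):
    """Split an IOS running-config into global lines and {interface: [lines]}."""
    glob, ifaces, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line == "!":                 # block separator: back to global mode
            cur = None
        else:
            (ifaces[cur] if cur else glob).append(line)
    return glob, ifaces

def effective_state(glob, lines):
    """(trunk, portfast, bpduguard): interface commands override the global defaults."""
    trunk = "switchport mode trunk" in lines
    portfast = "spanning-tree portfast" in lines or (
        "no spanning-tree portfast" not in lines
        and "spanning-tree portfast default" in glob and not trunk)
    guard = "spanning-tree bpduguard disable" not in lines and (
        "spanning-tree bpduguard enable" in lines
        or ("spanning-tree portfast bpduguard default" in glob and portfast))
    return trunk, portfast, guard

def audit(text):
    """Return {interface: [findings]} for ports that break the article's rules."""
    glob, ifaces = parse_config(text)
    findings = {}
    for name, lines in ifaces.items():
        trunk, portfast, guard = effective_state(glob, lines)
        rules = [(trunk and (portfast or guard), "Mistake 3: PortFast/BPDU Guard on a trunk (uplink)"),
                 (guard and not portfast, "Mistake 1: BPDU Guard enabled without PortFast"),
                 (not (trunk or guard or "spanning-tree bpduguard disable" in lines),
                  "Access port without effective BPDU Guard")]
        if any(hit for hit, _ in rules):
            findings[name] = [msg for hit, msg in rules if hit]
    return findings
```

Run `audit()` over the output of `show running-config` saved from each access switch; Gi1/0/5 above produces no finding because its explicit disable is the intended exception.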
BPDU Guard in Production
Small Campus (1–2 Buildings)
! Recommended config on all access switches
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 60
Rogue switches are isolated in <1 second and port recovers in 60 seconds. Minimal operational overhead.
Large Campus (Many Buildings)
! Add centralized logging
logging host 10.1.1.50
logging trap notifications
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300 ! 5 minutes, more conservative
Longer recovery interval (5 minutes) ensures IT has time to physically investigate the issue. Central syslog alerts them.
Data Center
! BPDU Guard on all ToR access ports
spanning-tree portfast
spanning-tree bpduguard enable
! But DO NOT enable errdisable recovery
! Force manual verification before re-enabling
In data centers, every port error-disable event should be manually reviewed and cleared.
Troubleshooting BPDU Guard Issues
Symptom: Port Keeps Error-Disabling Every 60 Seconds
Cause: Rogue device still plugged in, errdisable recovery keeps re-enabling, device is rediscovered, port error-disables again.
Fix: Find the rogue device:
! Check port history
show interfaces Gi1/0/10 status
! Check for connected device via CDP
show cdp neighbors GigabitEthernet 1/0/10 detail
! Physically inspect the port and unplug rogue device
Once unplugged, recovery succeeds and port stays up.
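Tying the syslog monitoring section above to this symptom: a collector-side script that pulls BPDU Guard block messages out of a syslog feed and marks ports that keep error-disabling, which is the signature of a rogue still plugged in behind errdisable recovery. This is an added example, not from the article; it assumes syslog headers of the form `Mon DD HH:MM:SS host`, uses constructed log lines, and the window and threshold values are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog feed (not from the article), as a collector would receive
# it after 'logging host'. The header format "Mon DD HH:MM:SS host" is an assumption.
SAMPLE_SYSLOG = """\
Mar 10 09:15:02 sw3 %SPANTREE-2-BLOCK_PORTFAST_BPDU_GUARD: Received BPDU on port Gi1/0/10 with PortFast enabled. Disabling port.
Mar 10 09:16:05 sw3 %SPANTREE-2-BLOCK_PORTFAST_BPDU_GUARD: Received BPDU on port Gi1/0/10 with PortFast enabled. Disabling port.
Mar 10 09:17:07 sw3 %SPANTREE-2-BLOCK_PORTFAST_BPDU_GUARD: Received BPDU on port Gi1/0/10 with PortFast enabled. Disabling port.
Mar 10 09:20:41 sw4 %SPANTREE-2-BLOCK_PORTFAST_BPDU_GUARD: Received BPDU on port Gi1/0/3 with PortFast enabled. Disabling port.
Mar 10 09:21:00 sw3 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/10, changed state to up
"""

# Matches the mnemonic printed in the article and the shorter BLOCK_BPDUGUARD variant.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"%SPANTREE-2-BLOCK_(?:PORTFAST_BPDU_GUARD|BPDUGUARD): Received BPDU on port (?P<port>\S+)")

def parse_events(text, year=2024):
    """Return [(timestamp, host, port)] for every BPDU Guard block message."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["port"]))
    return events

def classify(events, window=timedelta(minutes=5), threshold=3):
    """Per (host, port): 'recurring' when >= threshold blocks fall inside one window,
    i.e. the rogue is still plugged in and errdisable recovery keeps re-enabling the
    port (the 'every 60 seconds' symptom above); otherwise 'single'."""
    by_port = defaultdict(list)
    for ts, host, port in events:
        by_port[(host, port)].append(ts)
    verdict = {}
    for key, stamps in by_port.items():
        stamps.sort()
        recurring = any(stamps[i + threshold - 1] - stamps[i] <= window
                        for i in range(len(stamps) - threshold + 1))
        verdict[key] = "recurring" if recurring else "single"
    return verdict
```

A "recurring" verdict is the one to page on: the port will not stay up until someone walks to the closet and unplugs the device.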
Symptom: BPDU Guard Enabled But Port Still Error-Disables for Other Reasons
Cause: Port might be error-disabled for reasons other than BPDU Guard (e.g., duplex mismatch, hardware issues).
Fix: Check the specific error:
show errdisable interface
Interface Reason Status
Gi1/0/10 Channel Misconfig Errdisabled ! Different reason
If it's not BPDU Guard, investigate the root cause (duplex, line protocol, etc.).
What's Next
BPDU Guard protects access ports from rogue switches, but uplinks need different protection. Article 12 covers "Root Guard and Loop Guard: STP Stability Features Explained and Configured," including how Root Guard prevents unauthorized root bridges and Loop Guard detects unidirectional links on designated ports.