BPDU Guard

BPDU Sep 30, 2012

When BPDU Guard is enabled and a switch port receives a BPDU, the port stops forwarding and disables itself. It is common to enable this on an access port, usually in addition to portfast. In theory a user should never generate legitimate BPDUs, so this mechanism helps prevent malicious alteration of the STP topology. It also acts as protection should the port be cabled to another switch by accident, causing a bridging loop.

interface gig0/1
 spanning-tree bpduguard enable

A port that has been disabled because of a violation shows a status of err-disable (show int status). The interface needs to be bounced to bring it back up.
You can also configure the switch to automatically bring an interface out of err-disable:

(config)# errdisable recovery cause bpduguard
(config)# errdisable recovery interval 30
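
To check a saved configuration for the settings described above, the following added example (not part of the original post) parses IOS-style config text, lists access ports that lack BPDU Guard, and reports whether errdisable recovery for bpduguard is configured. The sample config and function names are constructed for illustration. The example also honours the global `spanning-tree portfast bpduguard default` command, which the post does not cover, and assumes portfast is set per interface.

```python
import re

# Constructed sample running-config for illustration (not from the original post).
SAMPLE_CONFIG = """\
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_bpduguard(config):
    """Find access ports without BPDU Guard and report errdisable recovery."""
    global_default = bool(re.search(r"^spanning-tree portfast (edge )?bpduguard default\s*$", config, re.M))
    unguarded = []
    for name, cmds in parse_interfaces(config).items():
        portfast = any(c.startswith("spanning-tree portfast") and "disable" not in c for c in cmds)
        guarded = "spanning-tree bpduguard enable" in cmds or (
            global_default and portfast and "spanning-tree bpduguard disable" not in cmds)
        if "switchport mode access" in cmds and not guarded:
            unguarded.append(name)
    recovery = bool(re.search(r"^errdisable recovery cause bpduguard\s*$", config, re.M))
    interval = re.search(r"^errdisable recovery interval (\d+)\s*$", config, re.M)
    return {"unguarded_access_ports": unguarded, "auto_recovery": recovery,
            "recovery_interval": int(interval.group(1)) if interval else None}

if __name__ == "__main__":
    print(audit_bpduguard(SAMPLE_CONFIG))
```
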


Rob Edwards

Northern (UK) chap focusing on platforms, automation, cloud and cloud native applications. Recovering network engineer, although it turns out networking is as important, if not more, now than before!