spanning-tree bpduguard enable
Enables BPDU guard on an interface to protect against unauthorized switches by disabling the port if a BPDU is received, typically used on access ports to prevent bridge loops from rogue devices.
spanning-tree bpduguard enable
When to Use This Command
- Securing access ports on a switch to prevent a rogue switch from being connected and causing a bridging loop.
- Enforcing port security in a campus network where only end devices (PCs, printers) should be connected.
- Protecting the root bridge from being usurped by an unauthorized switch sending superior BPDUs.
- Automatically error-disabling a port when a BPDU is received, reducing manual intervention for loop prevention.
Command Examples
Enable BPDU Guard on an Access Port
interface GigabitEthernet0/1
switchport mode access
spanning-tree bpduguard enable

Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# end
Switch# show spanning-tree interface GigabitEthernet0/1 detail
Port 1 (GigabitEthernet0/1) of VLAN 1 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.1.
Designated root has priority 32768, address aabb.cc00.0100
Designated bridge has priority 32768, address aabb.cc00.0100
Designated port id is 128.1, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 3, received 0
BPDU guard: enabled
The command enables BPDU guard on the interface. The output shows the interface is forwarding, BPDU guard is enabled, and no BPDUs have been received. If a BPDU were received, the port would transition to errdisable state.
Verify BPDU Guard Status and Errdisable Recovery
show interfaces status err-disabled

Port      Name          Status         Reason
Gi0/1     Access Port   err-disabled   bpduguard
Gi0/2     Trunk Port    err-disabled   bpduguard
This output shows ports that are in errdisable state due to BPDU guard. The 'Reason' column indicates 'bpduguard' as the cause. To recover, the port must be manually re-enabled or configured with errdisable recovery.
Understanding the Output
The 'show spanning-tree interface <interface> detail' command displays BPDU guard status under the interface details. The 'BPDU guard: enabled' line confirms the feature is active. If a BPDU is received, the port enters errdisable state, which can be seen with 'show interfaces status err-disabled' where the reason is 'bpduguard'. Key fields: 'BPDU: sent 3, received 0' indicates no BPDUs received; if received count increases, the port will error-disable. In production, watch for errdisable ports to identify rogue devices or misconfigurations.
CCNA Exam Tips
- BPDU guard is configured per interface, not globally, unless using 'spanning-tree portfast bpduguard default'.
- BPDU guard is typically used with PortFast on access ports; a BPDU received on a PortFast port triggers errdisable.
- The exam may test that BPDU guard disables the port upon receiving any BPDU, not just superior ones.
- Remember that BPDU guard is a Layer 2 security feature; it does not stop the port from sending BPDUs and acts only when a BPDU is received.
Common Mistakes
- Enabling BPDU guard on trunk ports, which can cause legitimate BPDUs to disable the port.
- Forgetting to configure errdisable recovery, requiring manual intervention to bring the port back up.
- Confusing BPDU guard with BPDU filter; BPDU filter prevents sending/receiving BPDUs, while guard only disables on receipt.
Related Commands
errdisable recovery cause psecure-violation
Enables automatic recovery of ports that have been error-disabled due to port security violation (psecure-violation), allowing them to come back up after a specified timeout without manual intervention.
show interfaces status
Displays a summary of all switch interfaces including their status, VLAN, duplex, speed, and type, used to quickly verify interface connectivity and configuration.
spanning-tree portfast
Enables PortFast on an interface to immediately transition from blocking to forwarding state, bypassing STP listening and learning phases, used on access ports connected to end devices to speed up convergence.