spanning-tree portfast bpduguard default
Globally enables BPDU guard on all PortFast-enabled ports, automatically err-disabling a port if it receives a BPDU, protecting the spanning-tree topology from unauthorized switches.
spanning-tree portfast bpduguard default
When to Use This Command
- Prevent a rogue switch from being connected to an access port and causing a bridging loop.
- Automatically disable a port if an end-user accidentally connects a switch instead of a PC.
- Enforce security policy on all access ports without configuring BPDU guard per interface.
- Simplify deployment by enabling BPDU guard once globally for all PortFast ports.
Command Examples
Enable BPDU Guard Globally on All PortFast Ports
spanning-tree portfast bpduguard default
No output is generated; the command is applied silently. Use 'show running-config | include bpduguard' to verify.
Verify BPDU Guard Configuration
show running-config | include bpduguard
spanning-tree portfast bpduguard default
The output confirms that BPDU guard is enabled globally. If the line is missing, the feature is not active.
Understanding the Output
This command does not produce direct output. To verify, use 'show running-config | include bpduguard' to see if the global command is present. To check if a specific port has been err-disabled due to BPDU guard, use 'show interfaces status err-disabled' or 'show interfaces <interface> status'. Look for 'err-disabled' state and the reason 'bpduguard' in the output. A port in err-disabled state must be manually re-enabled with 'shutdown' followed by 'no shutdown' or automatically via errdisable recovery if configured.
CCNA Exam Tips
CCNA exam tip: BPDU guard is typically used with PortFast; remember that PortFast alone does not prevent loops, but BPDU guard does.
CCNA exam tip: When a port receives a BPDU with BPDU guard enabled, it goes into err-disabled state; you must manually re-enable it or configure errdisable recovery.
CCNA exam tip: The global command 'spanning-tree portfast bpduguard default' applies to all interfaces with PortFast enabled; you can also enable it per interface with 'spanning-tree bpduguard enable'.
CCNA exam tip: BPDU guard is a security feature; it does not affect normal STP operation on non-PortFast ports.
Common Mistakes
Mistake 1: Enabling BPDU guard globally without also enabling PortFast on access ports — BPDU guard only activates on PortFast-enabled ports.
Mistake 2: Forgetting that BPDU guard err-disables the port; administrators may not realize why the port is down and try to troubleshoot connectivity instead of checking for BPDU reception.
Mistake 3: Confusing BPDU guard with BPDU filter — BPDU filter prevents sending/receiving BPDUs, while BPDU guard disables the port upon BPDU reception.
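Mistake 1 can be checked offline against a saved running-config. The Python sketch below is an added example, not part of the original page: the sample config is constructed, the function name audit_bpduguard is hypothetical, and it assumes that only ports with an explicit 'switchport mode access' are access ports and that the configured state matches the operational state.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit_bpduguard(config):
    """Return {interface: reason} for access ports where BPDU guard is not in effect."""
    glob, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        # Newer IOS releases write 'portfast edge'; normalise to the older spelling.
        line = re.sub(r"^(spanning-tree portfast) edge\b", r"\1", raw.strip())
        if raw.startswith("interface "):
            current = ifaces.setdefault(raw.split()[1], set())
        elif raw[:1] == " " and current is not None:
            current.add(line)          # indented line belongs to the interface
        else:
            current = None
            glob.add(line)             # global configuration line
    guard_default = "spanning-tree portfast bpduguard default" in glob
    pf_default = "spanning-tree portfast default" in glob
    findings = {}
    for name, cfg in ifaces.items():
        # Skip non-access ports and ports guarded by the per-interface command.
        if "switchport mode access" not in cfg or "spanning-tree bpduguard enable" in cfg:
            continue
        portfast = "spanning-tree portfast" in cfg or (
            pf_default and "spanning-tree portfast disable" not in cfg)
        if "spanning-tree bpduguard disable" in cfg:
            findings[name] = "BPDU guard disabled on interface"
        elif not guard_default:
            findings[name] = "no global or interface BPDU guard"
        elif not portfast:
            findings[name] = "global BPDU guard set but PortFast not enabled"
    return findings
```

Calling audit_bpduguard(SAMPLE_CONFIG) flags GigabitEthernet0/2 (the Mistake 1 case) and GigabitEthernet0/4; confirm any finding on the switch itself, since the running-config does not show the operational PortFast state.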