Spanning Tree | CCNA 200-301

BPDU Guard Putting Port in err-disabled State

Presenting Symptom

A switch port configured with PortFast and BPDU Guard goes into err-disabled state after receiving a BPDU from another switch.

Network Context

In a small branch office, an access layer switch (Cisco Catalyst 2960, IOS 15.2) connects end-user devices. PortFast is enabled on access ports for faster convergence. BPDU Guard is enabled globally or per interface to protect against rogue switch connections. The network uses Rapid PVST+ as the STP variant.

Diagnostic Steps

1. Check interface status

show interfaces status
Port      Name   Status       Vlan    Duplex  Speed Type
Gi0/1           err-disabled 1       auto    auto  10/100/1000BaseTX

If the port shows err-disabled, it indicates a violation or error condition. This confirms the port is not operational.

2. Check errdisable reason

show interfaces gi0/1 | include err-disabled
Gi0/1 is down, line protocol is down (err-disabled)

The output confirms the port is err-disabled. To find the specific cause, use 'show errdisable detect' or 'show errdisable recovery'.

3. Identify errdisable cause

show errdisable detect
ErrDisable Reason    Detection Status
-----------------    ----------------
bpduguard           Enabled

This shows that BPDU Guard detection is enabled. If a BPDU was received on a PortFast-enabled port, BPDU Guard would put the port in err-disabled state.

4. Verify PortFast and BPDU Guard configuration

show running-config interface gi0/1
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

This confirms that both PortFast and BPDU Guard are configured on the interface. If a BPDU is received, BPDU Guard will err-disable the port.

Root Cause

The port is configured with PortFast and BPDU Guard. When a BPDU is received (e.g., from another switch inadvertently connected), BPDU Guard places the port in err-disabled state to prevent a potential bridging loop.

Resolution

1. Re-enable the port manually: 'interface gi0/1', 'shutdown', 'no shutdown'.
2. If the connection is legitimate (e.g., connecting another switch), remove BPDU Guard: 'no spanning-tree bpduguard enable'.
3. Optionally configure errdisable recovery: 'errdisable recovery cause bpduguard' and 'errdisable recovery interval 300'.

Verification

Run 'show interfaces gi0/1 status' and verify the port is in 'connected' state. Also run 'show interfaces gi0/1' and check that 'err-disabled' is no longer present. Confirm with 'show errdisable recovery' to see if recovery is configured.

Prevention

1. Only enable BPDU Guard on ports that are definitively access ports (end-user devices).
2. Use BPDU Guard globally with 'spanning-tree portfast bpduguard default' and then disable on trunk ports.
3. Implement errdisable recovery with a reasonable interval to automatically restore ports after a violation.
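The placement rules above can be checked against a saved running-config before a port trips. The following Python audit is an added example, not part of the original scenario: the sample config is constructed, the finding labels are made up for illustration, and it assumes a configured 'spanning-tree portfast' line means PortFast is active (it ignores 'spanning-tree portfast default' and operational state).

```python
# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree bpduguard enable
"""

def parse_interfaces(config):
    """Return {interface name: set of sub-commands} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for BPDU Guard placement problems."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    global_guard = "spanning-tree portfast bpduguard default" in top
    findings = []
    for name, cmds in parse_interfaces(config).items():
        portfast = "spanning-tree portfast" in cmds
        trunk = "switchport mode trunk" in cmds
        # An explicit per-interface enable/disable overrides the global default.
        guard = ("spanning-tree bpduguard enable" in cmds or
                 (global_guard and portfast and "spanning-tree bpduguard disable" not in cmds))
        if trunk and guard:
            findings.append((name, "guard-on-trunk"))      # a switch link will err-disable
        elif portfast and not trunk and not guard:
            findings.append((name, "portfast-unguarded"))  # a connected switch is not blocked
    if not top & {"errdisable recovery cause bpduguard", "errdisable recovery cause all"}:
        findings.append(("global", "no-recovery"))         # needs manual shutdown / no shutdown
    return findings
```

Calling audit(SAMPLE_CONFIG) flags Gi0/2 (PortFast with BPDU Guard turned off) and Gi0/24 (BPDU Guard on a trunk), and leaves Gi0/1 alone.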

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where a port goes err-disabled. The exam tests understanding of BPDU Guard behavior, PortFast interaction, and errdisable recovery. Candidates must know that BPDU Guard err-disables a PortFast-enabled port upon BPDU reception.

Exam Tips

1. Remember that BPDU Guard only works on PortFast-enabled ports; if PortFast is not configured, BPDU Guard does not trigger errdisable.
2. Know that 'show errdisable detect' lists all errdisable causes and their status; 'show errdisable recovery' shows recovery settings.
3. Be able to differentiate between BPDU Guard (err-disables port) and BPDU Filter (ignores BPDUs without errdisable).
