BPDU Guard

1. What is BPDU Guard?

Have you ever wondered what BPDU Guard is and how it protects your network?

Let’s make it simple and start with an example.

STP topology where a rogue switch becomes Root Bridge after sending a BPDU – example of what BPDU Guard prevents

In the diagram above, we see a typical STP topology with three core switches: SW1, SW2, and SW3.

  • SW1 is the Root Bridge, with Bridge ID 32769:AABB.CCDD.EE01
  • SW2 has a port (G0/2) configured with PortFast, normally meant for end devices

But here’s the problem:

A rogue switch gets connected to that access port!

Instead of staying quiet, it sends BPDUs with a lower Bridge Priority: 4096:AABB.CCDD.EE10
That’s better than the current Root Bridge!

And since BPDU Guard is not enabled, SW2 accepts the BPDU and lets the rogue switch into the STP topology…

Without BPDU Guard

Now look at what happens:

What is BPDU Guard: rogue switch becomes Root Bridge by using a lower Bridge ID in STP topology

The rogue switch wins.

Because it advertises a better priority, it’s now selected as the new Root Bridge.

The result?

Your entire Spanning Tree topology is compromised, and all of this started from a single access port that was not properly secured.

This is exactly what BPDU Guard is designed to prevent: rogue devices trying to take over your STP network.
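To see why the rogue BPDU wins, it helps to look at how a Root Bridge election actually compares Bridge IDs: the priority field is compared first, then the MAC address, and the lowest value wins. The following Python script is an added example (not part of the original article); it parses the "priority:MAC" notation used in the diagrams and elects the root. The Bridge IDs of SW2 and SW3 are constructed for the example, since the article only gives SW1's and the rogue switch's.

```python
"""Root Bridge election as a comparison of Bridge IDs.
Added example, not from the original article."""
from dataclasses import dataclass

# In PVST+/RPVST+ the low 12 bits of the priority field carry the VLAN ID
# (extended system ID), which is why SW1 shows 32769 = 32768 + VLAN 1.
SYSTEM_ID_EXT_MASK = 0x0FFF


@dataclass(frozen=True)
class BridgeId:
    priority: int  # full 16-bit priority field as displayed by the switch
    mac: str       # dot-separated MAC, normalized to lowercase

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        # Article notation: "<priority>:<MAC>", e.g. "32769:AABB.CCDD.EE01"
        prio_str, mac = text.split(":", 1)
        prio = int(prio_str)
        if not 0 <= prio <= 0xFFFF:
            raise ValueError(f"priority out of range: {prio}")
        return cls(prio, mac.lower())

    @property
    def configured_priority(self) -> int:
        # The configurable part is a multiple of 4096 (upper 4 bits)
        return self.priority & ~SYSTEM_ID_EXT_MASK

    @property
    def vlan(self) -> int:
        return self.priority & SYSTEM_ID_EXT_MASK

    def sort_key(self) -> tuple:
        # STP compares the priority first, then the MAC address; lowest wins
        return (self.priority, int(self.mac.replace(".", ""), 16))


# SW1's Bridge ID is from the article; SW2 and SW3 are constructed values.
TOPOLOGY = {
    "SW1": "32769:AABB.CCDD.EE01",
    "SW2": "32769:AABB.CCDD.EE02",
    "SW3": "32769:AABB.CCDD.EE03",
}
ROGUE_BRIDGE_ID = "4096:AABB.CCDD.EE10"  # from the article


def elect_root(bridges: dict) -> str:
    """Return the name of the switch whose Bridge ID is lowest."""
    return min(bridges, key=lambda name: BridgeId.parse(bridges[name]).sort_key())


def is_superior(candidate: str, current_root: str) -> bool:
    """True if a received BPDU carrying `candidate` would displace `current_root`."""
    return BridgeId.parse(candidate).sort_key() < BridgeId.parse(current_root).sort_key()


if __name__ == "__main__":
    print("Root before the rogue switch:", elect_root(TOPOLOGY))
    with_rogue = {**TOPOLOGY, "ROGUE": ROGUE_BRIDGE_ID}
    print("Root after the rogue BPDU:  ", elect_root(with_rogue))
    print("Rogue BPDU superior to SW1?", is_superior(ROGUE_BRIDGE_ID, TOPOLOGY["SW1"]))
```

The point the script makes explicit is that no MAC address can save SW1 once a lower priority is advertised on an unprotected port: the priority comparison is decided before the MAC is ever looked at, which is why the port itself has to refuse the BPDU.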

Solution: Enabling BPDU Guard

To prevent this situation, BPDU Guard is applied to the PortFast-enabled port.
When enabled, any incoming BPDU is immediately discarded and the port is placed into the err-disabled state (down/down).

This ensures that access ports, typically connected to end-user devices such as PCs or printers, can't participate in STP.

After: With BPDU Guard

Here is an example with BPDU Guard enabled on the interface connected to the rogue switch.

What is BPDU Guard: port G0/2 disabled after rogue switch sends BPDU, blocked by BPDU Guard

If you're still wondering what BPDU Guard looks like in action, look above! The feature detects the incoming BPDU and immediately disables the port to protect the network.

*Dec  8 12:58:28.065: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/2 with BPDU Guard enabled. Disabling port.

*Dec  8 12:58:28.066: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/2, putting Gi0/2 in err-disable state

*Dec  8 12:58:29.073: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down

*Dec  8 12:58:30.109: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down

I hope the question of what BPDU Guard is is now clear: you've seen the risk, the reaction, and the impact.

2. Configuring BPDU Guard

Before diving into the configuration, let’s clarify an important point: BPDU Guard and PortFast are separate features.

While they are often used together, they can be configured independently based on your network requirements.

If you want end-user devices (like PCs or printers) to access the network instantly and be protected from rogue switches, you should activate both PortFast and BPDU Guard on the same port.

In this example, we will configure:

  • PortFast to skip the usual STP delay.
  • BPDU Guard to shut down the port if an unexpected BPDU is received.

We’ll apply this to interface G0/2 on switch SW2.

Switch configuration example applying BPDU Guard and PortFast on interface G0/2 to protect against rogue BPDUs

BPDU Guard can be configured in two ways:

  1. On Individual Ports: Applied manually to a specific port.
  2. Globally: Automatically applied to all interfaces configured with PortFast.

Enabling BPDU Guard on Individual Ports

Configuration Steps:

  1. Enter interface configuration mode:
SW2(config)# interface GigabitEthernet0/2

  2. Enable BPDU Guard on the interface:
SW2(config-if)# spanning-tree bpduguard enable

BPDU Guard configuration on interface G0/2 of SW2 using CLI commands to protect access ports from rogue switches

Verifying BPDU Guard Status

To confirm BPDU Guard is enabled and active, use the following commands:

SW2(config-if)# show spanning-tree interface g0/2 detail 
 Port 3 (GigabitEthernet0/2) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32769, address 50e2.aa04.6b00
   Designated bridge has priority 32769, address 50e2.aa04.6b00
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast edge mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 3, received 0

As you can see in the output, BPDU Guard is enabled!

This configuration ensures that if a BPDU is received on this port, the port will immediately be shut down and placed into the err-disabled state.

Behavior When a BPDU is Received

If a BPDU is detected, the interface is immediately shut down and placed into an err-disabled state.

BPDU Guard blocks a rogue switch on interface G0/2 by disabling the port after receiving a BPDU

You can verify this using:

SW2# show interfaces g0/2 
GigabitEthernet0/2 is down, line protocol is down (err-disabled)
!output omitted

As you can see, the port is down/down and err-disabled! Hacker, you won't be able to destroy my STP topology 🙂

Disabling BPDU Guard on Individual Ports

In some situations, you may need to disable BPDU Guard on a specific interface. This can be done directly in interface configuration mode:

Disabling BPDU Guard on SW2 interface G0/2 using CLI to allow BPDU traffic from the connected device
SW2(config)# int g0/2
SW2(config-if)# spanning-tree bpduguard disable

This command removes BPDU Guard protection from the selected port only.

Enabling BPDU Guard Globally

BPDU Guard can be enabled globally, so that it is automatically applied to all interfaces configured with PortFast. A per-interface spanning-tree bpduguard enable or disable still takes precedence over this global default.

SW2(config)# spanning-tree portfast bpduguard default
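With two ways to enable the feature (per port and globally via the PortFast default) and a per-port disable that overrides the global setting, it is easy to end up with a PortFast port that is not actually protected. The following Python script is an added example (not part of the original article) that audits a saved running-config for exactly that gap. The configuration text inside it is constructed for the example; only the three spanning-tree commands it looks for are taken from the article.

```python
"""Audit a Cisco IOS running-config for PortFast ports without effective BPDU Guard.
Added example, not from the original article; SAMPLE_CONFIG is constructed."""
import re

# Constructed running-config excerpt: Gi0/1 relies on the global default,
# Gi0/2 has an explicit enable, Gi0/3 has an explicit disable, Gi0/4 is a trunk.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""

GLOBAL_DEFAULT_CMD = "spanning-tree portfast bpduguard default"


def parse_config(config: str):
    """Return (global_bpduguard_default, {interface_name: [sub-commands]})."""
    global_default = False
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' closes a section in IOS configs
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented line belongs to the interface
            continue
        current = None
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line == GLOBAL_DEFAULT_CMD:
            global_default = True
    return global_default, interfaces


def has_portfast(sub_cmds) -> bool:
    # 'spanning-tree portfast' (optionally with 'trunk'); an explicit
    # 'spanning-tree portfast disable' turns it off again
    return any(c.startswith("spanning-tree portfast") and not c.endswith(" disable")
               for c in sub_cmds)


def effective_bpduguard(sub_cmds, portfast: bool, global_default: bool) -> bool:
    """Per-interface enable/disable wins; the global default only covers PortFast ports."""
    if "spanning-tree bpduguard enable" in sub_cmds:
        return True
    if "spanning-tree bpduguard disable" in sub_cmds:
        return False
    return portfast and global_default


def audit(config: str) -> dict:
    """Per-interface view: PortFast state, effective BPDU Guard state, and whether the port is exposed."""
    global_default, interfaces = parse_config(config)
    report = {}
    for name, cmds in interfaces.items():
        portfast = has_portfast(cmds)
        guard = effective_bpduguard(cmds, portfast, global_default)
        report[name] = {"portfast": portfast, "bpduguard": guard,
                        "unprotected": portfast and not guard}
    return report


def unprotected_ports(config: str) -> list:
    """Names of PortFast ports on which a BPDU would be accepted instead of err-disabling the port."""
    return sorted(name for name, r in audit(config).items() if r["unprotected"])


if __name__ == "__main__":
    for name, r in audit(SAMPLE_CONFIG).items():
        print(f"{name:22} portfast={r['portfast']!s:5} bpduguard={r['bpduguard']!s:5} "
              f"{'<-- UNPROTECTED' if r['unprotected'] else ''}")
```

Run against the constructed config, only GigabitEthernet0/3 is reported: its explicit disable overrides the global default. Remove the global default line and GigabitEthernet0/1 joins the list, which is the case this kind of check is meant to catch before a rogue switch does.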

3. Understanding ErrDisable State

When BPDU Guard detects a BPDU it immediately shuts the port down to protect the network. The interface enters the err-disabled state with a status of down/down.

In the diagram below, interface G0/2 on SW2 receives a BPDU from a rogue device. As a result, the switch disables the port:

Interface G0/2 in err-disabled state after rogue switch sends BPDU and is blocked by BPDU Guard

⚠️ Important: Do not re-enable the port immediately!

First, identify and remove the device sending the BPDU.

Otherwise, the port will shut down again…

We’ll now see how to recover the port once the issue is resolved.

4. Recovering Ports from ErrDisable State

Once the cause of the err-disabled state has been removed, the port can be restored manually or automatically.

Manual Recovery

You can reset the port manually using the following steps:

SW2(config)# interface g0/2
SW2(config-if)# shutdown
SW2(config-if)# no shutdown

Then verify that the interface is back online:

SW2# show interfaces g0/2
GigabitEthernet0/2 is up, line protocol is up (connected) 
!output omitted

Automatic Recovery (ErrDisable Recovery)

Switches can also recover ports automatically using the errdisable recovery feature.

By default, this mechanism is disabled. You can check its current status with the following command:

SW2# show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
!output omitted

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Enabling Automatic Recovery

To enable ErrDisable Recovery for a specific cause, such as BPDU Guard:

SW2(config)# errdisable recovery cause bpduguard
Enabling automatic ErrDisable recovery for BPDU Guard with a 300-second timer on interface G0/2

Verify that ErrDisable Recovery has been enabled:

SW2# show errdisable recovery 
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Enabled
!output omitted

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface       Errdisable reason       Time left(sec)
---------       -----------------       --------------
Gi0/2                  bpduguard          299

In this example, Gi0/2 is scheduled to recover in 299 seconds.

What Happens During Recovery

Once the timer expires, the port is automatically restored to the up/up state. The following logs illustrate the recovery process:

*Dec  8 15:30:45.261: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/2
*Dec  8 15:30:47.290: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Dec  8 15:30:48.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
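The trigger messages shown in section 1 (%SPANTREE-2-BLOCK_BPDUGUARD, %PM-4-ERR_DISABLE) and the recovery messages above (%PM-4-ERR_RECOVER, %LINK-3-UPDOWN) are what a syslog collector actually sees, and correlating them per interface tells you whether a port recovered cleanly or is being re-disabled because the device sending BPDUs is still attached, the case the "do not re-enable the port immediately" warning is about. The following Python script is an added example, not part of the original article: it parses those messages and summarizes the state of each port. The log sample is constructed from the article's lines plus one extra (constructed) trigger after the recovery.

```python
"""Correlate Cisco IOS syslog lines for BPDU Guard triggers and err-disable recovery.
Added example, not from the original article; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Constructed log: the article's trigger and recovery messages, followed by a
# second trigger right after recovery (rogue device still connected).
SAMPLE_LOG = """\
*Dec  8 12:58:28.065: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/2 with BPDU Guard enabled. Disabling port.
*Dec  8 12:58:28.066: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/2, putting Gi0/2 in err-disable state
*Dec  8 12:58:29.073: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
*Dec  8 12:58:30.109: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
*Dec  8 15:30:45.261: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/2
*Dec  8 15:30:47.290: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Dec  8 15:30:48.290: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
*Dec  8 15:30:49.012: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/2 with BPDU Guard enabled. Disabling port.
*Dec  8 15:30:49.013: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/2, putting Gi0/2 in err-disable state
"""

# One regex per message type we care about; group 1 is always the interface name.
PATTERNS = {
    "trigger":    re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled"),
    "errdisable": re.compile(r"%PM-4-ERR_DISABLE: bpduguard error detected on (\S+),"),
    "recover":    re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on (\S+)"),
    "link_up":    re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to up"),
}

# The same port appears as Gi0/2 in some messages and GigabitEthernet0/2 in others.
LONG_NAMES = {"gi": "GigabitEthernet", "fa": "FastEthernet", "te": "TenGigabitEthernet"}


def normalize_ifname(name: str) -> str:
    """Expand abbreviated interface names so all messages key on the same string."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    alpha, rest = m.group(1).lower(), m.group(2)
    for short, long_name in LONG_NAMES.items():
        if alpha.startswith(short):
            return long_name + rest
    return name


def parse_events(log: str) -> list:
    """Return [(event_kind, interface)] in log order, ignoring unrelated lines."""
    events = []
    for line in log.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                events.append((kind, normalize_ifname(m.group(1))))
                break
    return events


def summarize(log: str) -> dict:
    """Per-interface counters plus a flag for a trigger that follows a recovery."""
    state = defaultdict(lambda: {"triggers": 0, "recoveries": 0,
                                 "err_disabled": False,
                                 "retriggered_after_recovery": False})
    for kind, iface in parse_events(log):
        s = state[iface]
        if kind == "trigger":
            s["triggers"] += 1
            if s["recoveries"] > 0:
                s["retriggered_after_recovery"] = True  # rogue device still attached
        elif kind == "errdisable":
            s["err_disabled"] = True
        elif kind == "recover":
            s["recoveries"] += 1
        elif kind == "link_up":
            s["err_disabled"] = False
    return dict(state)


if __name__ == "__main__":
    for iface, s in summarize(SAMPLE_LOG).items():
        print(iface, s)
```

In the constructed sample the interface is err-disabled again one second after recovery, and the retriggered_after_recovery flag is set; that is the signal to go and find the device rather than keep relying on the 300-second timer.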

Adjusting the Recovery Timer

The default recovery timer is 300 seconds. You can modify it to any value between 30 and 86400 seconds.

To check the available range:

SW2(config)# errdisable recovery interval ?
  <30-86400>  timer-interval(sec)

To set a custom interval, for example 30 seconds:

SW2(config)# errdisable recovery interval 30

This setting applies to all active errdisable recovery causes.

5. Conclusion

What is BPDU Guard?

BPDU Guard disables a port immediately if it receives a BPDU, as long as BPDU Guard is enabled on that port.
This prevents unauthorized switches from interfering with the Spanning Tree topology.

Throughout this lesson, you’ve learned:

  • Why it’s important
    A single BPDU on an access port can disrupt STP. BPDU Guard stops it instantly.
  • How it behaves
    When triggered, the port is placed into the err-disabled state (down/down).
  • How to configure it
    • Per port: spanning-tree bpduguard enable
    • Globally: spanning-tree portfast bpduguard default
  • How to recover the port
    • Manually: using shutdown / no shutdown
    • Automatically: with errdisable recovery cause bpduguard