Networks Training

  • About
  • My Books
  • IP Tools
  • HOME
  • Cisco Networking
    • Cisco General
    • Cisco IOS
    • Cisco VPN
    • Cisco Wireless
  • Cisco ASA
    • Cisco ASA General
    • Cisco ASA Firewall Configuration
  • Certifications Training
    • CCNA Training
    • Cisco Certifications
    • I.T Training
  • General
    • Tech News
    • General Networking
    • IP Telephony
    • Network Security
    • Product Reviews
    • Software
  • Cisco Routers
  • Cisco Switches
You are here: Home / Cisco Switches / Discussion and Explanation of BPDU Guard (With Cisco Config Example)

Discussion and Explanation of BPDU Guard (With Cisco Config Example)

Edited By Lazaros Agapidis

Spanning Tree Protocol (STP) is a mechanism that is used on network switches to eliminate layer 2 loops.

bpdu guard explanation

Within the framework of STP operations, there are various additional features that can be enabled to further protect a topology from malicious users that may attempt to leverage STP to their advantage.

BPDU Guard is one of those features. In this article, we’ll examine its purpose, how it works, some best practices, and how it can be applied on a Cisco switch.

Table of Contents

Toggle
  • STP Review
  • STP Attack Scenario
  • Mitigating STP Attacks with BPDU Guard
  • Best Practices
  • Configuration Examples on a Cisco Switch
    • Enabling BPDU Guard on a single port
    • Enable BPDU Guard on all PortFast enabled interfaces
    • Verifying configuration
  • A note on different STP versions
  • Conclusion
    • Related Posts

STP Review

STP-enabled switches will exchange Bridge Protocol Data Units or BPDUs to communicate STP-related information.

Using the BPDUs, switches will decide which ports to block and which ports will forward traffic in such a way so that no layer 2 loops are formed in the topology.

Take a look at the following topology:

basic switch topology

Let’s say that the STP topology has converged with SW1 chosen to be the root bridge. That means that all of the ports on SW1 must be designated ports, that is, they must forward traffic.

The ports on SW2 and SW3 that face the root bridge, by definition, will become root ports, which also forward traffic.

The ports on SW2 and SW3 that connect to each other must choose one port to become a designated port and the other to become a blocked port. As you can see, the port on SW3 has become blocked.

STP Attack Scenario

This is a perfectly functioning STP topology. However, what happens if a malicious user decides to try to trick SW2 into believing that there is another link that leads to the root bridge? Take a look at this scenario:

stp attack scenario

We have an attacker that is masquerading as a switch, and he connects to both SW1 and SW2, and sends superior BPDUs to both of those switches.

The result is a reconvergence of the STP topology making the attacker the root bridge. The attacker can now act as a “man in the middle” and read all data between SW1 and SW2 while relaying the data without any disruption to data flow, allowing him to remain undetected.

MORE READING:  Cisco Networking Tutorials for Beginners and Experts

Mitigating STP Attacks with BPDU Guard

BPDU Guard is a feature that helps to mitigate against these types of attacks. BPDU Guard is a feature that you can enable on a per-interface basis. When enabled, a port will immediately shut down if a BPDU is received, regardless of the priority of that BPDU.

mitigation

In the above diagram, SW1 and SW2 have been configured with BPDU Guard on their attacker-facing interfaces.

When a BPDU is received on these ports, they immediately enter an err-disabled state, which is essentially the same as being shutdown.

They can only be reenabled if they are manually shut down and reenabled. A Syslog message is logged that indicates that the reason for the shutdown was a violation of the BPDU Guard feature.

Best Practices

BPDU Guard should be enabled on access ports where only end devices such as PCs, printers, IP phones, and servers are expected to be connected. That way, if a BPDU is detected, you know that someone inadvertently or maliciously connected a switch to a port where it should not be connected.

BPDU Guard is typically configured in conjunction with PortFast. PortFast is a feature that is also enabled on access ports where end devices are connected.

It is used to skip the listening and learning phases of the STP protocol, allowing immediate communication upon connection.

By enabling BPDU Guard on all PortFast-enabled ports, you are helping to protect the switch from unexpected BPDUs that may cause STP topology reconvergence and, ultimately, network failures.

Configuration Examples on a Cisco Switch

There are various ways that BPDU Guard can be implemented.

Enabling BPDU Guard on a single port

The following configuration will enable BPDU Guard on the GigabitEthernet 0/0 interface on SW1:

SW1(config)#interface GigabitEthernet 0/0
SW1(config-if)#spanning-tree bpduguard enable

Now if a BPDU is detected on this interface, the following will occur:

SW1#
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/0 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Gi0/0, putting Gi0/0 in err-disable state
: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 00:19:32.089: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

You can see that the port is being put in ERR_DISABLE state due to a bpduguard error. To bring it back up, you must shut it and reenable it like so:

MORE READING:  What is SNMP (Simple Network Management Protocol) in Networking

SW1(config-if)#shutdown
SW1(config-if)#no shutdown

Enable BPDU Guard on all PortFast enabled interfaces

A more appropriate approach to enabling BPDU Guard is to enable it by default on all ports configured with PortFast. This can be done using the following global configuration mode command:

SW1(config)# spanning-tree portfast bpduguard default

The result is that all those ports configured with PortFast will have BPDU Guard enabled by default. This is best practice since this protects the switch from both inadvertent connections to other switches, as well as malicious transmission of BPDUs on such ports.

Verifying configuration

To verify BPDU Guard configurations, you can use the following show command:

SW2#show spanning-tree summary

Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is enabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

In the above output you can see that the BPDU Guard feature is enabled by default on all PortFast-enabled interfaces.

A note on different STP versions

There are various versions of STP, including RSTP, PVST+, MSTP, and others, and in many cases, different STP features function differently in each version.

BPDU Guard is one of the few features of STP that works across different STP versions. It prevents unauthorized switches from participating in STP by disabling a port immediately if a BPDU is received.

Conclusion

BPDU Guard is a vital security feature that protects STP environments from unauthorized topology changes by disabling ports that receive unexpected BPDUs. This prevents malicious attacks and accidental loops, ensuring network stability.

Best practice is to enable BPDU Guard on all PortFast-enabled access ports, where only end devices should connect. It works across all **STP versions** and can be configured per interface or globally on Cisco switches.

By implementing BPDU Guard, network administrators enhance security, prevent STP manipulation, and maintain a resilient network infrastructure.

Spread the love

Related Posts

  • What is an SFP Port-Module in Network Switches and Devices
  • 8 Different Types of VLANs in TCP/IP Networks
  • Difference Between Routers and Switches in TCP/IP Networks
  • 11 Different Types of IP Addresses Used in Computer Networks
  • What is Cisco Switch Virtual Interface (SVI) – Configuration Example and Explanation

Filed Under: Cisco Switches, General Networking

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

By subscribing to our email list you will be receiving technical tutorials and industry news from time-to-time. You can unsubscribe at any time.

About Lazaros Agapidis

Lazaros Agapidis is a Telecommunications and Networking Specialist with over twenty years of experience.
He works primarily with IP networks, VoIP, Wi-Fi, and 5G, has extensive experience in training professionals for Cisco certifications, and his expertise extends into telecommunications services and infrastructure from both an enterprise and a service provider perspective.
In addition to his numerous vendor certifications, Lazaros has a solid online presence as an expert in his field, having worked in both public and private sectors within North America and in Europe.
He has enjoyed sharing his practical experiences in writing as well as through engaging online training.
LinkedIn: Lazaros Agapides

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search this site

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Search

BLOGROLL

Tech21Century
Firewall.cx

Copyright © 2026 | Privacy Policy | Terms and Conditions | Contact | Amazon Disclaimer | Delivery Policy