
What is BPDU Guard and how to configure BPDU Guard in Cisco Switches

The BPDU Guard feature is used to protect the Layer 2 Spanning Tree Protocol (STP) topology from BPDU-related attacks. BPDU Guard must be enabled on a port that should never receive a BPDU from its connected device. A switch port configured with the Spanning Tree Protocol (STP) PortFast feature must be connected to an end device (for example: workstation, server, printer etc.). PortFast is enabled only on access ports, to speed up the transition of an access port to the STP forwarding state. End devices are not supposed to generate BPDUs, because in a normal network environment BPDU messages are exchanged by network switches.

BPDU Guard can be enabled globally in Global configuration mode or per interface in Interface configuration mode. When a BPDU Guard enabled port receives a BPDU from the connected device, BPDU Guard disables the port and the port state is changed to the Errdisable state.

How to configure BPDU Guard Globally at Global Configuration Mode

The configuration commands below enable BPDU Guard by default on all PortFast edge ports.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#

The configuration commands below disable BPDU Guard on all PortFast edge ports.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#no spanning-tree portfast edge bpduguard default
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to configure BPDU Guard per interface at Interface Configuration Mode

The configuration commands below enable BPDU Guard for an interface.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpduguard enable
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#

The configuration commands below disable BPDU Guard for an interface.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree bpduguard disable 
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
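
An added example (not part of the original tutorial): a Python audit of a saved running-config that reports PortFast edge ports where BPDU Guard is not in effect, combining the global and per-interface commands shown above. The sample configuration is constructed, and two points are assumptions: that an interface-level bpduguard setting takes precedence over the global default, and that PortFast appears on the interface as "spanning-tree portfast edge" (the older form without "edge" is also accepted).

```python
import re

# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
spanning-tree portfast edge bpduguard default
!
interface GigabitEthernet0/0
 spanning-tree portfast edge
!
interface GigabitEthernet0/1
 spanning-tree portfast edge
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 spanning-tree bpduguard enable
"""

GLOBAL_GUARD = re.compile(r"spanning-tree portfast (edge )?bpduguard default")
PORTFAST = re.compile(r"spanning-tree portfast( edge)?")
GUARD = re.compile(r"spanning-tree bpduguard (enable|disable)")

def audit_bpduguard(config):
    """Return (effective BPDU Guard state per interface, PortFast ports left unguarded)."""
    global_guard, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {"portfast": False, "guard": None})
        elif raw[:1].isspace() and current is not None:
            if PORTFAST.fullmatch(line):
                current["portfast"] = True
            elif (m := GUARD.fullmatch(line)):
                current["guard"] = m.group(1)
        else:
            current = None  # "!" or a global command ends the interface block
            if GLOBAL_GUARD.fullmatch(line):
                global_guard = True
    state, unguarded = {}, []
    for name, port in ports.items():
        explicit = port["guard"]  # assumed: interface setting overrides the global default
        # The global default only covers ports that are PortFast edge ports.
        on = explicit == "enable" if explicit else (global_guard and port["portfast"])
        state[name] = on
        if port["portfast"] and not on:
            unguarded.append(name)
    return state, unguarded
```

On the sample, only GigabitEthernet0/1 is reported, because its interface-level "disable" removes the protection that the global default would otherwise give a PortFast edge port.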

 
