
BPDU Guard (bpduguard) CLI Configuration and Troubleshooting

BPDU Guard is a Cisco spanning-tree security feature that error-disables a PortFast-enabled switch port upon BPDU reception, preventing rogue switch loops.

Usage Examples

Example 1: Enable BPDU Guard globally on a CatOS switch

Console> (enable) set spantree portfast bpdu-guard enable
Spantree portfast bpdu-guard enabled on this switch.
Console> (enable)

All ports that already have PortFast enabled (for example with set spantree portfast 2/1 enable) are now protected: if a BPDU is received on any such port, the switch places that port in the errdisabled state.

Example 2: Per-interface BPDU Guard on Cisco IOS (Catalyst 3750)

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# end

This sequence explicitly enables PortFast and BPDU Guard on interface G0/1 – typical for an edge port connected to a desktop. With spanning-tree bpduguard enable in place, any BPDU received on the port is rejected and the port is errdisabled.

Example 3: Automatic recovery from BPDU Guard errdisable state

Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
Switch(config)# end

If a port was errdisabled by BPDU Guard after receiving a BPDU, the switch automatically re-enables it after 300 seconds (5 minutes). This reduces manual intervention after an accidental BPDU injection, but it should be used carefully – a persistently misbehaving device will flap the port every 5 minutes.

Error States and Recovery

| Error/Event | Syslog Message | Port State | Recovery Action |
|---|---|---|---|
| BPDU received on PortFast port | %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enable port. Disabling 2/1 | errdisabled (err-disabled) | Manually shutdown / no shutdown, or enable errdisable recovery |
| Port disabled due to BPDU Guard | %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on PortFast port. Disabling interface | errdisabled | Same as above; verify the cause before recovery |
| Interface stays errdisabled indefinitely | None additional | errdisabled | configure terminal; errdisable recovery cause bpduguard; errdisable recovery interval 400 |

When a port enters errdisabled due to BPDU Guard, it drops all traffic. The show interfaces status err-disabled command (IOS) or show port errdisable (CatOS) confirms the cause.
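The caveat above (a persistently misbehaving device flaps the port once per recovery interval) is easy to miss if you only look at individual syslog lines. The following Python script is an added example, not code from the original page or from Cisco; it parses %SPANTREE-2-BLOCK_BPDUGUARD messages from a constructed syslog sample and flags (host, port) pairs that keep re-triggering BPDU Guard within a short window, which is the signature of automatic recovery masking an unresolved rogue device. It assumes the syslog message carries the port name (as IOS logs do; the exact text, hostnames and timestamps here are constructed), and the threshold of 3 events in 20 minutes is an arbitrary assumption to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog sample (not captured from a real switch). Gi1/0/7 trips
# BPDU Guard every ~5 minutes, matching a 300 s errdisable recovery timer.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 sw-access-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:02:00 sw-access-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
Mar  1 10:05:01 sw-access-01 %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7
Mar  1 10:05:12 sw-access-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:10:20 sw-access-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:15:31 sw-access-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 09:00:00 sw-access-02 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/3 with BPDU Guard enabled. Disabling port.
Mar  1 11:30:00 sw-access-02 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/3 with BPDU Guard enabled. Disabling port.
"""

# Matches the BPDU Guard block message and captures timestamp, host and port.
# Assumption: the message names the port, as IOS syslog does.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port "
    r"(?P<port>\S+) with BPDU Guard enabled"
)


def parse_events(text):
    """Return a list of (timestamp, host, port) for each BPDU Guard trip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other syslog lines (recovery notices, link state) are ignored
        ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, m["host"], m["port"]))
    return events


def persistent_offenders(text, min_events=3, window=timedelta(minutes=20)):
    """Return {(host, port): total_trips} for ports that tripped BPDU Guard at
    least `min_events` times inside any `window` of time (assumed thresholds).
    A port that keeps re-tripping after automatic recovery still has the
    offending device attached; recovery is hiding the problem, not fixing it."""
    by_port = defaultdict(list)
    for ts, host, port in parse_events(text):
        by_port[(host, port)].append(ts)
    flagged = {}
    for key, stamps in by_port.items():
        stamps.sort()
        # sliding window over consecutive trips
        for i in range(len(stamps) - min_events + 1):
            if stamps[i + min_events - 1] - stamps[i] <= window:
                flagged[key] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for (host, port), count in persistent_offenders(SAMPLE_SYSLOG).items():
        print(f"{host} {port}: {count} BPDU Guard trips, device still attached?")
```

Feed the script your switches' syslog export; a port that appears in the output every recovery interval is the one to trace physically rather than leave to errdisable recovery.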

Prerequisites

Tested on Cisco IOS Release 12.0(7)XE (Catalyst 6500) and CatOS 8.4.

  • PortFast must be enabled on the target interface.
  • The feature is only effective on access ports or ports where PortFast is configured.
  • No additional licensing required; built into IOS/CatOS spanning-tree implementations.

Feature Description – Background Information

BPDU Guard (Bridge Protocol Data Unit Guard) is an STP enhancement that automatically disables a port when a BPDU is received on a PortFast-enabled port. In normal operation, PortFast ports (connected to end hosts) should never receive BPDUs. If a BPDU arrives, it indicates a misconfiguration or malicious device attempting to inject STP frames. BPDU Guard immediately transitions the port to errdisabled, blocking all traffic and preventing potential loops.

The feature is configured per switchport using either CatOS or Cisco IOS CLI syntax. It is commonly deployed on edge ports where end hosts, printers, or IP phones connect. Without BPDU Guard, a rogue switch connected to such a port could alter the root bridge election and cause network instability.

Configuration Commands

| Platform | Command | Scope |
|---|---|---|
| CatOS (set-based) | set spantree portfast bpdu-guard enable | Global – enables BPDU Guard on all PortFast-enabled ports |
| CatOS (set-based with errdisable recovery) | set errdisable-timeout enable bpdu-guard | Global – enables automatic recovery after timeout |
| Cisco IOS (global) | spanning-tree portfast bpduguard | Global – enables BPDU Guard on all PortFast-enabled interfaces |
| Cisco IOS (interface) | interface GigabitEthernet0/1; spanning-tree bpduguard enable | Per-interface – enables BPDU Guard on a specific port |
| Both (IOS errdisable recovery) | errdisable recovery cause bpduguard; errdisable recovery interval 400 | Global – sets recovery cause and timer (400 seconds) |

On CatOS, the global command set spantree portfast bpdu-guard enable applies BPDU Guard to all ports already configured with PortFast. To disable it on a specific port, use clear spantree portfast bpdu-guard enable on that port.

On Cisco IOS, the interface-level command spanning-tree bpduguard enable overrides global settings. To disable: no spanning-tree bpduguard enable.
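Because the global default only covers PortFast ports while the interface-level command overrides it in either direction, an access switch can end up with a few edge ports silently unprotected. The following Python script is an added example, not code from the original page or from Cisco; it parses a constructed IOS running-config excerpt and computes the effective BPDU Guard state per interface using the precedence described above (explicit interface setting first, then the global default only where PortFast is on). Interface names and the sample config are invented, and one simplification is an assumption: a global spanning-tree portfast [edge] default is treated as making every switchport mode access port PortFast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed IOS running-config excerpt (not from a real switch).
SAMPLE_CONFIG = """\
spanning-tree portfast edge bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""


@dataclass
class Interface:
    name: str
    access: bool = False
    portfast: bool = False
    bpduguard: Optional[str] = None  # "enable", "disable" or None when not set


def parse_config(text):
    """Return (global bpduguard default, global portfast default, interfaces)."""
    global_guard = global_portfast = False
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level (global) command
            current = None
            m = re.match(r"interface\s+(\S+)$", line)
            if m:
                current = Interface(m.group(1))
                interfaces.append(current)
            elif re.match(r"spanning-tree portfast( edge)? bpduguard", line):
                global_guard = True  # 'spanning-tree portfast [edge] bpduguard default'
            elif re.match(r"spanning-tree portfast( edge)? default$", line):
                global_portfast = True  # 'spanning-tree portfast [edge] default'
            continue
        if current is None:
            continue
        cmd = line.strip()  # interface sub-command
        if cmd == "switchport mode access":
            current.access = True
        elif cmd == "switchport mode trunk":
            current.access = False
        elif re.match(r"spanning-tree portfast( edge)?$", cmd):
            current.portfast = True
        elif cmd == "spanning-tree bpduguard enable":
            current.bpduguard = "enable"
        elif cmd in ("spanning-tree bpduguard disable", "no spanning-tree bpduguard enable"):
            current.bpduguard = "disable"
    return global_guard, global_portfast, interfaces


def effective_bpduguard(iface, global_guard, global_portfast):
    """Precedence as the page describes it: an explicit interface setting wins;
    otherwise the global default applies only to PortFast ports. Assumption:
    a global PortFast default makes every access-mode port PortFast."""
    if iface.bpduguard == "enable":
        return True
    if iface.bpduguard == "disable":
        return False
    portfast = iface.portfast or (global_portfast and iface.access)
    return bool(global_guard and portfast)


def audit(text):
    """Map each interface name to whether BPDU Guard is effectively active."""
    global_guard, global_portfast, interfaces = parse_config(text)
    return {i.name: effective_bpduguard(i, global_guard, global_portfast) for i in interfaces}


def unguarded_access_ports(text):
    """Access ports that would accept a BPDU without being error-disabled."""
    global_guard, global_portfast, interfaces = parse_config(text)
    return [i.name for i in interfaces
            if i.access and not effective_bpduguard(i, global_guard, global_portfast)]


if __name__ == "__main__":
    for name, guarded in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} bpduguard={'yes' if guarded else 'NO'}")
    print("unguarded access ports:", unguarded_access_ports(SAMPLE_CONFIG))
```

In the sample, Gi1/0/2 (access port without PortFast) and Gi1/0/4 (explicit disable) come out unguarded even though the global default is set; running this against a saved show running-config is a quick way to find such ports before a rogue switch does.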

Closing Tip

Configure errdisable recovery cause bpduguard together with errdisable recovery interval 300 on every access switch so that ports disabled by BPDU Guard are restored automatically after five minutes, but never rely on automatic recovery as a substitute for identifying and reconfiguring the offending device.

Frequently Asked Questions

What is the difference between spanning-tree portfast bpduguard and spanning-tree bpduguard enable?

Answer: spanning-tree portfast bpduguard is a global command that enables BPDU Guard on all PortFast-enabled ports. spanning-tree bpduguard enable is a per-interface command that enables BPDU Guard on that specific interface regardless of global settings.

Use spanning-tree portfast bpduguard globally for consistent protection across all access ports. For selective protection on interfaces without PortFast, use spanning-tree bpduguard enable under the interface. Verify with show spanning-tree interface GigabitEthernet0/1 detail.

When should I use the per-interface spanning-tree bpduguard enable command?

Answer: Use per-interface bpduguard when you need to protect specific edge ports without enabling PortFast globally or changing global defaults.

Syntax: interface GigabitEthernet0/1, then spanning-tree bpduguard enable. Ideal for untrusted endpoints like IP phones or printers where BPDU receipt indicates a bridging loop or misconfiguration. Does not require PortFast but works well alongside it for faster convergence.

How do I fix BPDU guard error: port is error-disabled after receiving BPDU on a Cisco switch?

Answer: Automatically re-enable the port with errdisable recovery cause bpduguard and set errdisable recovery interval 300.

After a BPDU violation, the port enters errdisable state. Recovery requires manual shutdown/no shutdown or automatic recovery. Configure:

errdisable recovery cause bpduguard
errdisable recovery interval 300

Verify with show errdisable recovery. Investigate source of unauthorized BPDU to prevent recurrence.

Does bpduguard work on Cisco Nexus switches running NX-OS?

Answer: Yes, NX-OS supports spanning-tree bpduguard enable per port but uses bpduguard port-shutdown instead of errdisable.

On Nexus 9000/7000, configure: interface eth1/1, then spanning-tree bpduguard enable. Upon BPDU receipt, the port is placed in a “BPDUguard shutdown” state (not errdisable). Recovery requires shutdown/no shutdown. Global recovery via errdisable is not available. Check with show spanning-tree interface eth1/1 detail.

What is the fastest way to enable bpduguard on all access ports across a Cisco switch?

Answer: Use global config spanning-tree portfast edge bpduguard default after globally enabling spanning-tree portfast edge default.

This one-liner applies bpduguard to every interface that already has spanning-tree portfast (edge port).

spanning-tree portfast edge default
spanning-tree portfast edge bpduguard default

Alternatively, for interfaces without PortFast, use a range command: interface range Gi1/0/1-24, then spanning-tree bpduguard enable. Verify with show running-config | include bpduguard.