Spanning-Tree BPDUGuard

Spanning-tree BPDUguard is one of the features that helps you protect your spanning-tree topology. Let me give you an example:

[Figure: spanning tree fake bpdu]

In my topology above we have a perfectly working spanning tree topology. By default spanning tree sends and receives BPDUs on all interfaces. In our example we have a computer on the fa0/2 interface of SW2. Someone with hostile intentions could start a tool that generates BPDUs with a superior bridge ID. Our switches would then believe that the root bridge can now be reached through SW2, and we would get a spanning tree re-calculation. Doesn’t sound like a good idea, right? Here’s what could go wrong:

[Figure: spanning tree mitm]

You could even perform a man-in-the-middle attack without anyone noticing. Imagine I connect my computer to two switches. If I become the root bridge, all traffic from SW1 or SW3 towards SW2 will flow through me. I’ll run Wireshark and wait for the magic to happen.

We can use BPDUGuard to prevent this from happening, as it shuts down a port the moment a BPDU arrives on it:

[Figure: spanning tree bpdu guard active]

BPDUguard ensures that when a BPDU is received on an interface, that interface goes into err-disabled mode.
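To make that behaviour concrete, here is an added Python model (not part of the original lesson and not Cisco code) that parses a constructed 802.1D configuration BPDU and compares what an access port does with and without BPDUGuard; the root IDs and MAC addresses are assumed sample values.

```python
import struct
from dataclasses import dataclass

STP_MCAST = bytes.fromhex("0180c2000000")       # 802.1D BPDU destination MAC
LEGIT_ROOT = (32768 << 48) | 0x000000000001      # assumed current root: default priority 32768
ROGUE_ROOT = (0 << 48) | 0x0000aabbccdd          # priority 0 is numerically lower, i.e. "superior"

@dataclass
class ConfigBPDU:
    root_id: int      # 8-byte root identifier: 16-bit priority + 48-bit MAC
    root_cost: int
    bridge_id: int
    port_id: int

@dataclass
class Port:
    name: str
    bpduguard: bool
    state: str = "forwarding"

def parse_bpdu(frame: bytes):
    """Return the ConfigBPDU carried by an 802.3/LLC frame, or None for any other frame."""
    if len(frame) < 52 or frame[:6] != STP_MCAST or frame[14:17] != b"\x42\x42\x03":
        return None
    proto, _ver, btype, _flags = struct.unpack("!HBBB", frame[17:22])
    if proto != 0 or btype != 0x00:              # 0x00 = configuration BPDU, 0x80 = TCN
        return None
    root_id, root_cost, bridge_id, port_id = struct.unpack("!QIQH", frame[22:44])
    return ConfigBPDU(root_id, root_cost, bridge_id, port_id)

def handle_frame(port: Port, frame: bytes, current_root: int) -> str:
    """Model what the switch does with a frame arriving on an access port."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return "forward"                          # ordinary data frame
    if port.bpduguard:
        port.state = "err-disabled"               # BPDUGuard: any BPDU shuts the port
        return "err-disabled"
    if bpdu.root_id < current_root:               # lower root ID wins the election
        return "superior-bpdu-recalculation"
    return "inferior-bpdu-ignored"

def build_config_bpdu(root_id: int, bridge_id: int, src_mac=bytes.fromhex("0000aabbccdd")) -> bytes:
    """Constructed sample frame: 802.3 header + LLC (42 42 03) + 35-byte configuration BPDU."""
    body = struct.pack("!HBBBQIQHHHHH", 0, 0, 0, 0, root_id, 0, bridge_id, 0x8001,
                       0, 20 << 8, 2 << 8, 15 << 8)   # ages/timers in 1/256 s units
    return STP_MCAST + src_mac + struct.pack("!H", 3 + len(body)) + b"\x42\x42\x03" + body

def demo():
    frame = build_config_bpdu(ROGUE_ROOT, ROGUE_ROOT)
    unguarded, guarded = Port("fa0/2", bpduguard=False), Port("fa0/2", bpduguard=True)
    return handle_frame(unguarded, frame, LEGIT_ROOT), handle_frame(guarded, frame, LEGIT_ROOT), guarded.state
```

The same parser can be pointed at frames captured on a host-facing port: any successful parse there is exactly the event BPDUGuard is meant to catch.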

Let’s take a look at how to configure this…



Forum Replies

  1. In the Portfast tutorial, it was mentioned that once portfast is enabled on an access port it won’t send topology change notifications. Will it still send BPDUs?
    Is that why we use BPDUGuard to stop BPDUs on an access port?

  2. Hello rosna

    By default, all ports on a switch, including those configured with portfast, send BPDUs. (It is possible to disable BPDU sending on these ports using BPDU filtering.) Portfast essentially skips the listening and learning states to enter the forwarding state immediately but does not disable STP. It also applies the global BPDUGuard feature (if it is enabled) to all ports configured using portfast.

    In addition, as you mentioned, it won’t send any TC information on that port because by definition, there should be no switches connected to the specific

    ... Continue reading in our forum

  3. Good explanation !!
    I really enjoy reading your topics and make me feel more comfortable and confident.

  4. Hello Durga

    BPDUguard should be enabled on interfaces to which you should never receive BPDUs such as those interfaces connected to end devices and hosts. BPDUGuard is often combined with portfast to protect these interfaces from creating an unwanted loop. You should never configure BPDUguard on interfaces where you expect BPDUs to arrive such as a link between switches. In your case, you should expect to receive BPDUs on the link between your core and access switch so BPDU guard should never be implemented there. BPDUs will be sent and the interface will go

    ... Continue reading in our forum

  5. Hello Laz
    Thanks a lot.
