CCNA Basics: What is BPDU Guard?
BPDU guard shuts down a port the moment a BPDU is received on it, provided PortFast is enabled on that port. Putting the port into the err-disabled state keeps whatever sits behind it from taking part in STP.
A port placed in the err-disabled state must be re-enabled manually, unless errdisable recovery is configured so that the port is brought back after a timeout. An unexpected BPDU may be accidental, or it may be part of an unauthorized attempt to add a switch to the network. BPDU guard is therefore best deployed on user-facing ports, where it stops an attacker from extending the network with a rogue switch.
In other words, BPDU guard keeps ports assigned to user access from being connected to unauthorized switches.
So BPDU guard is the standard security option for ordinary edge (PortFast) ports, while root guard is reserved for more specific scenarios.
There are two ways to enable BPDU guard:
- On an interface, BPDU guard puts that port into the err-disabled state if a BPDU is received.
- In global configuration mode, BPDU guard disables PortFast on any interface that receives a BPDU.
Option 1: Enable BPDU Guard globally
Switch2> enable
Switch2# config t
Switch2(config)# spanning-tree portfast bpduguard default
Option 2: Enable BPDU Guard at the interface level
Switch2> enable
Switch2# config t
Switch2(config)# interface Gi1/0/23
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 2
Switch2(config-if)# spanning-tree portfast
Switch2(config-if)# spanning-tree bpduguard enable
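As an added example (not from the original post), the following Python audit checks an IOS-style running-config for access ports that have PortFast on but no effective BPDU guard, taking into account both the global default from Option 1 and the per-interface enable/disable from Option 2. The configuration text is constructed for the example; interface names and VLANs are assumptions.

```python
# Constructed sample running-config (not from the page) used by the check below.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/23
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""
GLOBAL_DEFAULT = "spanning-tree portfast bpduguard default"

def parse_interfaces(config):
    """Return (global_default_on, {interface: [sub-commands]}) from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return GLOBAL_DEFAULT in config.splitlines(), interfaces

def bpduguard_effective(lines, global_default):
    """Explicit per-port enable/disable wins; otherwise PortFast ports inherit the global default."""
    if "spanning-tree bpduguard enable" in lines:
        return True
    if "spanning-tree bpduguard disable" in lines:
        return False
    return global_default and "spanning-tree portfast" in lines

def unguarded_edge_ports(config):
    """Access ports with PortFast on but no effective BPDU guard (a rogue switch here would join STP)."""
    global_default, interfaces = parse_interfaces(config)
    return sorted(n for n, l in interfaces.items()
                  if "switchport mode access" in l and "spanning-tree portfast" in l
                  and not bpduguard_effective(l, global_default))
```

Running `unguarded_edge_ports(SAMPLE_CONFIG)` flags only GigabitEthernet1/0/2, whose explicit `disable` overrides the global default.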