Spanning Tree

BPDU-Guard

Overview:

  • BPDU Guard is a spanning-tree (STP) security feature that protects the network from unexpected topology changes that could cause loops or network instability
  • BPDU Guard is often used together with PortFast-enabled ports; it protects against accidental or malicious BPDUs arriving on edge or access ports, which could otherwise disrupt the spanning-tree topology

How it Works:

  • When BPDU Guard is enabled on a port and a BPDU is received on that port, the port is immediately placed into the error-disabled (err-disabled) state, which effectively shuts it down
  • Because the port is disabled before the BPDU can influence the topology, BPDU Guard prevents a rogue switch from joining the STP domain at the access layer

When to use: 

  • BPDU Guard is typically enabled on access ports connected to end-user devices (computers, printers, etc.), where BPDUs are never expected to be received

Lab Topology

Scenario: 

  • An employee in an office brought in an unauthorized switch from home to have access to more Ethernet ports to plug in additional devices

BPDU Guard Configuration

Configuring BPDU Guard on SW1's Gi3/3 interface.

Syslog messages displaying alerts of received BPDUs on interface Gi3/3 causing it to err-disable.

Note: The only way to bring an err-disabled port back to the 'up' state is to remove the source (the rogue switch) and cycle the port.
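The following is an added Cisco IOS configuration walkthrough for the lab above; it is not the page's own screenshots or config. The switch name SW1 and interface Gi3/3 come from the lab, while the port description, the use of global BPDU Guard, and the err-disable recovery interval of 300 seconds are assumptions. It shows per-port and global enablement, the commands used to verify the port state after a BPDU is received, and both automatic and manual recovery.

```cisco
! Added example (not the page's own configuration). SW1 and Gi3/3 are from the
! lab; description text, global default and recovery interval are assumptions.
!
! --- SW1: enable PortFast + BPDU Guard on the access port used by the employee ---
SW1(config)# interface GigabitEthernet3/3
SW1(config-if)# description Office access port - end-user devices only
SW1(config-if)# switchport mode access
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
SW1(config-if)# exit
!
! Alternative: protect every PortFast-enabled port globally, so newly added
! access ports are covered without per-interface configuration.
SW1(config)# spanning-tree portfast bpduguard default
!
! Optional: let the switch re-enable err-disabled ports after a timer expires
! (assumed 300 seconds). If the rogue switch is still attached, the port will
! receive another BPDU and err-disable again, so removing the source is still
! required; this only saves the manual port cycle.
SW1(config)# errdisable recovery cause bpduguard
SW1(config)# errdisable recovery interval 300
SW1(config)# end
!
! --- Verification after the rogue switch sends a BPDU ---
SW1# show spanning-tree interface GigabitEthernet3/3 detail
SW1# show interfaces status err-disabled
SW1# show errdisable recovery
!
! --- Manual recovery once the rogue switch has been unplugged ---
SW1(config)# interface GigabitEthernet3/3
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
```

On Catalyst IOS the two events worth alerting on from the syslog feed are the `%SPANTREE-2-BLOCK_BPDUGUARD` message (BPDU received on a guarded port) and the `%PM-4-ERR_DISABLE` message (port placed in err-disable); exact wording varies by platform and release, so match on the mnemonic rather than the full text when building a detection rule. Repeated occurrences on the same port after automatic recovery are a strong indication that the unauthorized device is still connected.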