BPDU Guard is a security feature that automatically disables (err-disables) a switch port if it receives a BPDU, protecting the network from unauthorized switches being connected to ports intended for end hosts.
BPDU Filter is a feature that prevents a port from sending BPDUs, and depending on configuration, may also ignore received BPDUs.
PortFast-enabled ports still participate in STP - they continue sending BPDUs and will revert to normal STP operation if they receive BPDUs from a neighbor.
ErrDisable Recovery is a feature that automatically re-enables err-disabled ports after a configurable time period (default 300 seconds/5 minutes).
BPDU Filter behaves differently depending on whether it's configured per-port (interface config mode) or by default (global config mode).
BPDU Guard:
Protects against unauthorized switches on end-host ports
Port continues to send BPDUs
If port receives a BPDU → enters err-disabled state
Usually used together with PortFast
When enabled by default → activates on all PortFast-enabled ports (NOT all access ports)
BPDU Filter:
Stops a port from sending BPDUs
Per-port configuration: Ignores received BPDUs (effectively disables STP - DANGEROUS!)
Global/default configuration: If BPDU received, PortFast and BPDU Filter are disabled, port operates normally
Recommended to only enable by default (global config mode)
ErrDisable Recovery:
Disabled by default
Default timer: 300 seconds (5 minutes)
Must enable for specific causes (e.g., BPDU Guard)
Always fix underlying problem first!
Term | Definition
BPDU | Bridge Protocol Data Unit - STP messages exchanged between switches
Err-disabled | A Cisco switch state that disables a port due to a violation
PortFast | Feature allowing ports to skip STP states and immediately enter Forwarding
Root Bridge | The switch with the lowest Bridge ID that serves as the reference point for STP
Item | Value
Default ErrDisable Recovery Timer | 300 seconds (5 minutes)
BPDU sending interval | 2 seconds
BPDU Guard:
spanning-tree bpduguard enable (per-port)
spanning-tree portfast bpduguard default (global - enables on PortFast ports)
spanning-tree bpduguard disable (disable on specific port)
BPDU Filter:
spanning-tree bpdufilter enable (per-port - USE WITH CAUTION)
spanning-tree portfast bpdufilter default (global - RECOMMENDED)
spanning-tree bpdufilter disable (disable on specific port)
ErrDisable Recovery:
show errdisable recovery
errdisable recovery cause bpduguard
errdisable recovery interval <seconds>
Verification:
show spanning-tree interface <int> detail
show interfaces <int>
PortFast default vs BPDU Guard default behavior:
PortFast default → enables on all access ports
BPDU Guard default → enables on all PortFast-enabled ports
BPDU Filter per-port vs global:
Per-port = ignores BPDUs = disables STP = can cause permanent loops
Global/default = disables BPDU Filter if BPDU received = safer
BPDU Guard + BPDU Filter together:
BPDU Filter global + receives BPDU → BPDU Filter disabled → BPDU Guard triggers
BPDU Filter per-port + receives BPDU → BPDU ignored → BPDU Guard NOT triggered
Re-enabling err-disabled ports:
Must fix underlying issue first, or port will be disabled again immediately
Mnemonic | Meaning
"Guard = Goodbye" | BPDU Guard shuts down the port (says goodbye)
"Filter = No Flow" | BPDU Filter stops BPDUs from flowing out
"5 for 5" | ErrDisable Recovery = 5 minutes = 300 seconds
"Global is Good" | Always prefer global config for BPDU Filter (safer)
"Per-port is Permanent" | Per-port BPDU Filter can cause permanent loops
Scenario: User connects unauthorized switch to wall jack
Without BPDU Guard:
User's switch sends BPDUs
Could become root bridge if lower priority
Disrupts entire STP topology
Traffic takes inefficient paths
With BPDU Guard:
Port receives BPDU from user's switch
Port immediately err-disables
Network topology protected
User complains "internet doesn't work" → IT investigates
What does BPDU Guard do when a port receives a BPDU?
It places the port in the err-disabled state, preventing it from sending or receiving any data.
What is the default ErrDisable Recovery timer?
300 seconds (5 minutes)
What command enables BPDU Guard globally?
spanning-tree portfast bpduguard default
When BPDU Guard is enabled by default, which ports is it activated on?
All PortFast-enabled ports (NOT all access ports)
What is the key difference between BPDU Filter configured per-port vs globally?
Per-port: ignores received BPDUs (disables STP). Global: if BPDU received, BPDU Filter and PortFast are disabled, port operates normally.
What command enables ErrDisable Recovery for BPDU Guard?
errdisable recovery cause bpduguard (in global config mode)
What are the two methods to re-enable an err-disabled port?
1) Manual: shutdown/no shutdown commands. 2) Automatic: ErrDisable Recovery feature.
Why is per-port BPDU Filter configuration dangerous?
It effectively disables STP on that port, which can cause permanent Layer 2 loops if connected to another switch.
Does a PortFast-enabled port still send BPDUs?
Yes, PortFast only affects port state transitions; the port still sends BPDUs every 2 seconds.
What command enables BPDU Filter per-port?
spanning-tree bpdufilter enable (in interface config mode)
If both BPDU Guard and BPDU Filter (per-port) are enabled, and the port receives a BPDU, what happens?
The BPDU is ignored by BPDU Filter, and BPDU Guard is NOT triggered. The port stays up.
If both BPDU Guard and BPDU Filter (global/default) are enabled, and the port receives a BPDU, what happens?
BPDU Filter is disabled, then BPDU Guard is triggered, and the port is err-disabled.
What command shows ErrDisable Recovery status?
show errdisable recovery
What should you always do before re-enabling an err-disabled port?
Fix the underlying problem that caused the err-disable, otherwise the port will be disabled again immediately.
What is the recommended method to configure BPDU Filter and why?
Global config mode (spanning-tree portfast bpdufilter default) because it's safer - if a BPDU is received, the port reverts to normal STP operation instead of ignoring it.