What is BPDU Guard and How to Configure BPDU Guard?

Bridge Protocol Data Unit (BPDU) is a spanning tree protocol (STP) message unit which describes the switch port attributes such as MAC address, priority, and cost to achieve which allow switches to participate in the Spanning Tree Protocol to collect information from each other.

BPDU Guard

BPDU Guard is a feature that defends the Layer 2 Spanning Tree Protocol (STP) topology against BPDU-related threats and is designed to protect the switching network. The BPDU guard feature must be activated on ports that should not receive BPDUs from connected devices. If you use the Spanning Tree Protocol (STP) PortFast feature to configure switch ports, you must connect to end devices (workstations, servers, printers, and so on). PortFast is only enabled on the access port to speed up the transition from the access port to the STP forwarding state. End devices should not generate BPDUs because  BPDU messages are exchanged by network switches in a normal network environment.

To avoid a possible bridging loop, the BPDU Guard blocks interfaces as a preventative measure. The BPDU Guard mechanism is used to keep external influences out of the Spanning Tree domain. BPDU Guard is turned off by default, but it is highly recommended for all ports that have the Port Fast function activated. On ports where Spanning Tree is off, this prevents incorrect information from being injected into the Spanning Tree domain.

In Global configuration mode, the BPDU Guard feature can be enabled globally, or per interface in Interface configuration mode. The port gets disabled and the port status is set to Errdisable (same as shutdown status) whenever a BPDU Guard enabled port gets a BPDU from the linked device.

The BPDU guard can be enabled or disabled per port. When a BPDU is received on the port, the BPDU guard disables it. Devices behind such ports are effectively blocked from participating in the STP as a result of the disablement. A port must be manually re-enabled after it has been disabled. The BPDU guard is turned off by default.

Configuring BPDU Guard Globally at Global Configuration Mode

Commands to enable BPDU Guard by default on all PortFast Edge Ports :

system#configure terminal
system(config)#spanning-tree portfast edge bpduguard default
system(config)#exit
system#

 Commands to disable BPDU Guard on all PortFast Edge Ports :

system#configure terminal
system(config)#no spanning-tree portfast edge bpduguard default
system(config)#exit
system#

Configuring BPDU Guard at Interface Configuration Mode per interface

Commands to enable BPDU Guard for an interface

system#configure terminal
system(config)#interface giga 0/0
system(config-if)#spanning-tree bpduguard enable
system(config-if)#exit
system(config)#exit
system#

Commands to disable BPDU Guard for an interface

system#configure terminal
system(config)#interface giga 0/0
system(config-if)#spanning-tree bpduguard disable 
system(config-if)#exit
system(config)#exit
system#

Advantages

1. BPDU Guard prevents switching devices from being accidentally connected to PortFast-enabled ports.
2. If someone tries to connect an L2 device to the network, the BPDU guard ensures that it will be rejected. Before the spanning tree is disrupted, it is clipped.

Disadvantage

1. Whenever the user needs an access switch port with a switch plugged into it, the user needs to visit the CLI of the access switch to disable the BPDU guard.