Spanning-Tree BPDUGuard

This topic is to discuss the following lesson:

awesome explaination Renee .
I really enjoy reading your topics and make me feel more confortable and confident when I learn it

Good stuffs!

Hi Rene,

I am more curious if STP will send BPDUs on Access ports enabled with Portfast or this will be out of the STP topology, Let be more specific with my query

In case i have 2 SWs running RSTP a third SW is introduced which happens to be not supporting STP and is connected to my 2 Sws with portfast enabled

In case BPDUs is being sent on portfast then i assume BPDUGuard will save the day for me on the 2nd SW as it will shut down the port once it receives BPDU on its access port, Is this correct?





Hi Ahmed,

Enabling portfast doesn’t disable STP and the interface will still send BPDUs. Take a look at this post:

In your example, you shouldn’t enable portfast on interfaces that connect to other switches. Only use this for “end” devices like computers, laptops, servers, etc. In your case, BPDUguard will ensure that the interface will go down.

Mixing PVST and rapid PVST is no problem btw, they are compatible.


Thanks Rene, The point here is usually you don’t know the end host capability, I saw cases loop can happen from a server with NIC bridging without STP capability.

Just wanted to make sure Portfast + BPDUGuard can address this case



1 Like

Hi Ahmed,

In that case it might be wise to enable BPDUguard. If someone connects something that isn’t supposed to send BPDUs then it’s best to shut the interface with BPDUguard :slight_smile:



spanning-tree portfast is enough ? or also spanning-tree portfast bpduguard must be enaled globally


In almost all cases you want to pair BPDUGuard with Portfast


Thanks for easy clarification . Is my below statement correct :

BPDU Guard is only useful when we have ports on a switch where computers/laptops/servers are connected OR may connect in future so that by any chance they don’t send any BPDU on our switch port.

thats it ! right ?

I would phrase is slightly differently:

BPDUGuard is used on ports where BPDUs are not expected to be received, but if BPDUs are received, the port will be placed into an error state.

BPDUGuard does not prevent devices from sending BPDUs (BPDU Filtering does this). BPDUGuard simply listens for BPDUs and takes an action if it hears them.

thanks Andrew , it clears the doubt.

Hi Rene,

Thank you for your great explanation on this, just got a question here.
In ideal scenario, if we just configure all switch ports which are not connected to other switches to be In access mode (will they still receive BPDUs?) and will that eliminate the need of BPDU guard to be configured on these ports?
Also if you can please explain a bit the difference between portfast and port mode access?


Hi Said,

If you configure an interface in access mode then the interface only belongs to a single VLAN. The alternative is trunk mode, where multiple VLANs can cross the interfaces and they get tagged with the VLAN ID (using 802.1Q or ISL).

An interface in access mode still sends, receives, and processes BPDUs, this behavior doesn’t change. If your access mode interface connects to end devices then it’s a good idea to enable BPDU guard. You don’t want to process BPDUs from computers / laptops or anything like that.

Portfast is used to put interfaces in the forwarding state right away. It doesn’t go through the listening and learning states anymore. It also doesn’t trigger a TCN when the interface goes up/down. You can find a detailed explanation here:

In the Portfast tutorial, it was mentioned that once portfast is enabled on an access port it won’t send topology change notification. Will it still send BPDUs?
Is that why we use BUDUGuard to stop BPDUs on Accessport?

Hello rosna

By default, all ports on a switch, including those configured with portfast SENDBPDUs. (It is possible to disable BPDU sending on these ports using BPDU filtering.) Portfast essentially skips the listening and learning states to enter the forwarding state immediately but does not disable STP. It also applies the global BPDUGuard feature (if it is enabled) to all ports configured using portfast.

In addition, as you mentioned, it won’t send any TC information on that port because by definition, there should be no switches connected to the specific port.

The reason we use BPDUGuard is because we don’t want any switches to be connected to a port configured with portfast. It is only for end devices. So if a BPDU is RECEIVED, the port goes into err-disabled state, essentially shutting down.

I hope this has been helpful!


1 Like

Good explanation !!
I really enjoy reading your topics and make me feel more comfortable and confident.

1 Like


What do you recommend if want to make point to point Trunk connection,

Core sw (3850) -------> Access switch (2960X) (single leg)
If I configure my Core switch trunk interface with Bpduguard enable and root guuard, and the interface was going to error disable mode after sometime. I want to understand can we keep Bpduguard enable on trunk iterface or not ? could you please explain ?


Hello Durga

BPDUguard should be enabled on interfaces to which you should never receive BPDUs such as those interfaces connected to end devices and hosts. BPDUGuard is often combined with portfast to protect these interfaces from creating an unwanted loop. You should never configure BPDUguard on interfaces where you expect BPDUs to arrive such as a link between switches. In your case, you should expect to receive BPDUs on the link between your core and access switch so BPDU guard should never be implemented there. BPDUs will be sent and the interface will go into errdisable state, something that is not desirable.

Rootguard on the other hand can be implemented on the interface on the core sw connecting to the access switch. This is because you want the core switch to always be the root and you should not accept any BPDUs that are incoming to change that.

I hope this has been helpful!


why bpdu guard is not recommend on ports having uplink fast enabled?