BPDUguard does not shut down port when bridge connected

Nov 10th, 2009

I have a port configured as follows:-


    test01#sh run int fa0/10
    Building configuration...

    Current configuration : 217 bytes
    !
    interface FastEthernet0/10
     description <user ports>
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
     no snmp trap link-status
     spanning-tree portfast
     spanning-tree bpduguard enable



It is still participating in STP:

    test01#sh spanning-tree vlan 10

      Spanning tree enabled protocol ieee
      Root ID    Priority    4106
                 Address     001f.6dcf.3000
                 Cost        3004
                 Port        25 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    49162  (priority 49152 sys-id-ext 10)
                 Address     0025.b40c.3880
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
      Uplinkfast enabled

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/10           Desg FWD 3019      128.10   Edge P2p
    Gi0/1            Root FWD 3004      128.25   P2p


    test01# sh cdp ne
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    Switch           Fas 0/10          170          S I       WS-C2960- Fas 0/4


If I turn snmp trap link-status on then it works as expected.

Bug search does not come back with anything relevant.

I am running WS-C2960-24TC-L 12.2(35)SE5.

Giuseppe Larosa Tue, 11/10/2009 - 10:21

Hello Steven,

Have you enabled BPDU guard before connecting the other switch or after?

Because the port is Designated, the other switch doesn't talk on the link.

To test BPDU guard on the other switch, you need to cause it to send a BPDU, for example by changing the state of a port that is not portfast so that it has to send a TCN BPDU upstream towards the root bridge.

I had the same problem first time I tested BPDU guard.

Hope to help


sprosons Wed, 11/11/2009 - 01:35

Thanks for the reply, Giuseppe.

I tried it both ways and it still didn't work. However, I have since upgraded to 12.2.44SE6 and it works fine now. Must be a bug.

Giuseppe Larosa Wed, 11/11/2009 - 03:24

Hello Steven,

If adding the switch after having enabled BPDU guard still gives no reaction, well, it is a SW bug.

I'm glad that you solved it with an IOS upgrade.

Hope to help


Francois Tallet Wed, 11/11/2009 - 07:40

Could be a timing issue too. F0/10 is designated. That typically means that the bridge on the remote end of f0/10 has a root/alternate/backup role. In those roles, no BPDU is sent. So it might well be that f0/10 never received a BPDU.

If you saw some bpdu received on f0/10 in "show spanning-tree detail", then it would obviously be a bug.
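
Added example, not part of the thread or of any Cisco tooling: a Python check that applies the test described in the replies to "show spanning-tree detail" output, separating guarded ports that never received a BPDU from guarded ports that received BPDUs and are still listed. The sample output is constructed, and the function names and the assumption that an err-disabled port no longer appears in the output are this example's own.

```python
import re

# Constructed sample of "show spanning-tree detail" output (not from the thread).
SAMPLE = """\
 Port 10 (FastEthernet0/10) of VLAN0010 is designated forwarding
   Port path cost 3019, Port priority 128, Port Identifier 128.10.
   The port is in the portfast mode
   Bpdu guard is enabled
   BPDU: sent 5120, received 0
 Port 11 (FastEthernet0/11) of VLAN0010 is designated forwarding
   Port path cost 3019, Port priority 128, Port Identifier 128.11.
   The port is in the portfast mode
   Bpdu guard is enabled
   BPDU: sent 5098, received 7
 Port 25 (GigabitEthernet0/1) of VLAN0010 is root forwarding
   Port path cost 3004, Port priority 128, Port Identifier 128.25.
   BPDU: sent 12, received 5133
"""

PORT_RE = re.compile(r"^\s*Port \d+ \((\S+)\) of (\S+) is (\w+) (\w+)")
BPDU_RE = re.compile(r"^\s*BPDU: sent (\d+), received (\d+)")

def parse_ports(text):
    """Return one dict per port block found in the output."""
    ports, cur = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": m.group(1), "vlan": m.group(2), "role": m.group(3),
                   "state": m.group(4), "guard": False, "rx": None}
            ports.append(cur)
        elif cur is not None:
            if "bpdu guard is enabled" in line.lower():
                cur["guard"] = True
            elif (b := BPDU_RE.match(line)):
                cur["rx"] = int(b.group(2))
    return ports

def classify(p):
    """Apply the thread's reasoning to one parsed port."""
    if not p["guard"]:
        return "unguarded"
    if not p["rx"]:
        return "guard-idle"  # no BPDU seen (or no counter), nothing to trip on
    # Assumption: a tripped port is err-disabled and would not be listed at all.
    return "guard-did-not-fire"

def audit(text):
    return {p["port"]: classify(p) for p in parse_ports(text)}
```

A "guard-did-not-fire" result still needs the receive counter compared before and after BPDU guard was enabled, since BPDUs counted earlier would not have tripped it.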



