Cisco Support Community
Community Member

BPDU guard question

Does BPDU guard stop end users from installing ANY switch (including the SOHO switches - Netgear, Linksys, D-Link, etc)?


Re: BPDU guard question

Anything that sends BPDU packets will cause the port to shutdown. If the switch uses Spanning tree it should shut it down.

Super Bronze

Re: BPDU guard question

To elaborate... things that don't participate in STP - e.g hubs or APs with STP turned off... would likely not be prevented from being added.

To prevent that sort of thing you could use MAC port security with aging to allow only 2 or so MAC addresses per port...



Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Re: BPDU guard question

On the other hand, most SOHO switches do not implement Spanning Tree. If you are concerned about users installing switches, you need to take other precautions as well.

You can stop the users using a switch to fan out a port, by configuring port security and only allowing one MAC address on the port.

The BPDU guard will give you some protection against certain malicious user practices, even if the rogue switch does not do Spanning Tree. For example, the user who plug in a SOHO switch, and then plugs two other ports of that SOHO switch back-to-back with a cross-cable. In this case, your Catalyst will see its own BPDUs circulating round the loop, and will close the port down. (If the SOHO switch is not doing Spanning Tree, then it will pass the BPDUs through transparently.) This is why you should not have bdpu-guard and bpdu-filter on the same port.

Kevin Dorrell


CreatePlease to create content