Giovanni Rinaldi

BPDUGuard fail?


I had a problem on my LAN and I hope you can help me to figure out the cause.

What happened: an employee attached a mini-switch to his desk LAN outlet and then attached the two ends of the same cable to two ports of the mini-switch.

As a result, a loop was generated and the whole network "froze". The CPU of the core switches went to 99%.

The first time this issue happened, I thought the loop was caused by BPDU frames looped back into the same switchport.

So I configured BPDUGuard on all the access switches.

On the switch where the user's mini-switch was attached (port fa0/3) I can see the config info I report at the end of the post.

Now, I would like to know: Is BPDUGuard really enabled? Can you see where I am wrong?

And if BPDUGuard is enabled, can you point me to a way to figure out what could have caused the issue?

Really thank you for your precious help.



#sh run



spanning-tree mode rapid-pvst

spanning-tree portfast default

spanning-tree portfast bpduguard default



interface FastEthernet0/3

no ip address

spanning-tree portfast



#sh int fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Appliance trust: none



#sh spanning-tree summary totals
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
41 vlans                    41         0        0         73        114

Giuseppe Larosa

Hello Giovanni,

you can check the STP features on fas0/3 by using

show spanning-tree interface fas0/3 [detail]

Note that you have spanning-tree portfast default and then in the port configuration you have configured portfast manually.

I'm afraid that the most specific configuration applies and that BPDU guard might be disabled on that specific port.

the show command described before should provide the feedback


Bridging loops are not caused by BPDUs; seeing the BPDU back on the port is a symptom of a loop, not a cause of it.

Hope to help


Giuseppe, thank you for your precious answer.
This is the output of the command you suggested.

Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 4097, address c89c.1d4c.e080
   Designated bridge has priority 32769, address 000f.901a.3c80
   Designated port id is 128.3, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 35, received 0

I would say both portfast and bpduguard are enabled on the port.

I guess I'm wrong somewhere, but I cannot figure out where.

Thank you for your kind help,



I don't see any BPDUs received on this interface from this output

BPDU: sent 35, received 0

So it is normal it hasn't been err-disabled by BPDU guard.

BPDU guard is not there to protect against loops; that is the role of STP anyway.



Don't forget to rate helpful posts.
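The check discussed in the posts above, as an added example that is not part of the original thread: a small parser for `show spanning-tree interface ... detail` output that reports whether BPDU guard is active on a port and whether any BPDU has actually arrived there. The sample text is constructed from the output quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the detail output quoted in the thread.
SAMPLE = """\
Port 3 (FastEthernet0/3) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled by default
   BPDU: sent 35, received 0
"""

HEADER = re.compile(r"^\s*Port \d+ \((\S+)\) of (VLAN\d+) is (.+)$")
COUNTS = re.compile(r"BPDU: sent (\d+), received (\d+)")

def parse_stp_detail(text):
    """Return one dict per 'Port N (...) of VLANxxxx' stanza."""
    stanzas, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"port": m.group(1), "vlan": m.group(2),
                   "state": m.group(3).strip(), "portfast": False,
                   "bpduguard": False, "sent": None, "received": None}
            stanzas.append(cur)
            continue
        if cur is None:
            continue  # text before the first stanza header
        low = line.strip().lower()
        if low.startswith("the port is in the portfast mode"):
            cur["portfast"] = True
        elif low.startswith("bpdu guard is enabled"):
            cur["bpduguard"] = True
        m = COUNTS.search(line)
        if m:
            cur["sent"], cur["received"] = int(m.group(1)), int(m.group(2))
    return stanzas

def verdict(s):
    """Explain why BPDU guard did or did not act on this port."""
    if not s["bpduguard"]:
        return "unprotected: BPDU guard is not active on this port"
    if s["received"] is None:
        return "unknown: no BPDU counters in the output"
    if s["received"] == 0:
        return "armed, never triggered: no BPDU has arrived on this port"
    return "BPDUs received with guard enabled: port should be err-disabled"
```
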

Hi Alain.
I did notice that line, too.

I supposed BPDU to be the only traffic (looped back) to appear on the port.
Surely, if a BPDU is sent out from a port, and a "Hub" is connected to the port, and two ports of the hub are connected together with the same cable, that BPDU is looped back to the same port.
With this in mind, I thought of BPDUGuard.

Now my problem is the following:
How to allow the users to use their portable mini-switch (they love those devices here), avoiding the risk of shutting down the whole network?

Is it somehow possible, or do I have to disallow the use of those devices altogether?
I could allow only one MAC address per switchport, for security.
But doing so the user's mini-switch would become useless, of course.

Please, any help/suggestion is appreciated.

Thank you for your precious help.


With STP disabled in the miniswitch, it ideally forwards BPDUs and it should not only process the BPDU itself. In case the miniswitch discards the BPDUs with STP disabled, then BPDU Guard in the uplink switch should not work. Probably that is the case in the output of the uplink switch: BPDUs are not received and only sent.



Thank you Narainarun for your answer.

I cannot guess which kind of device a user attaches to a port, but usually they are those 8-port unmanaged miniswitches that surely ignore STP. They are very simple store-and-forward switches that are just more than hubs.

But I could say that now my question moved away from the main topic I originally posted (BPDUGuard), so I will re-arrange the question in a new topic.

Thank YOU ALL for your kind help.


Hello Alain.

I have just tested the BPDUGuard feature on a spare switch and it works as I expected.

I put a miniswitch on port fas0/7 and then plugged the two ends of a cable into two ports of the miniswitch.

After a second at console I see:


*Mar  1 00:26:51.678: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/7 with BPDU Guard enabled. Disabling port.

*Mar  1 00:26:51.678: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state

*Mar  1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down

*Mar  1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

*Mar  1 00:26:53.691: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down

and then:

sw-test-249#sh int status err-disabled

Port      Name               Status       Reason               Err-disabled Vlans
Fa0/7                        err-disabled bpduguard

Also, I see on this interface 0 BPDU sent, and I think it's because I have just taken it back from the err-disabled state.

What could have gone wrong on the production switch?

Any idea to put me on the right way to allow those miniswitches without so great a danger is appreciated.

Thank you.
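An added example, not part of the original thread: detection logic for the console messages quoted in the post above. It groups syslog lines by port, normalising `Fa0/7` and `FastEthernet0/7` to one key, and returns the ports that BPDU guard err-disabled together with their follow-on link events. The log text is constructed from the lines in the post; the function name and the short-name mapping are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: console messages in the format quoted in the thread.
LOG = """\
*Mar  1 00:26:51.678: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/7 with BPDU Guard enabled. Disabling port.
*Mar  1 00:26:51.678: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
*Mar  1 00:26:52.693: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
*Mar  1 00:26:53.691: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""

# %FACILITY-SEVERITY-MNEMONIC: text, with an optional leading '*' on the timestamp
MSG = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): "
                 r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z_]+): (?P<text>.*)$")
IFACE = re.compile(r"\b(FastEthernet|GigabitEthernet|Fa|Gi)(\d+(?:/\d+)+)")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}  # assumed mapping

def bpduguard_trips(log):
    """Map short port name -> [(timestamp, 'FACILITY-MNEMONIC'), ...] for
    every port that logged a SPANTREE BLOCK_BPDUGUARD message."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue  # not an IOS syslog line
        # A message may name the same port twice; count it once.
        for kind, num in set(IFACE.findall(m["text"])):
            port = SHORT.get(kind, kind) + num
            events[port].append((m["ts"], m["fac"] + "-" + m["mn"]))
    return {port: evs for port, evs in events.items()
            if any(name == "SPANTREE-BLOCK_BPDUGUARD" for _, name in evs)}
```
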