Guarding Against Rogue STP Root Bridges
BPDU guard configuration commands

BPDU guard protects the network from loops that might form if BPDUs are received on a PortFast-enabled switch port.

NOTE:

When the BPDU guard feature is enabled, spanning tree applies BPDU guard to all PortFast-configured interfaces.

BPDU Guard Applied Globally versus Per-Port
At the global level, you can enable BPDU guard on PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. In a valid configuration, PortFast-enabled ports do not receive BPDUs. Receiving a BPDU on a PortFast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state.

At the interface level, you can enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the PortFast feature. When the port receives a BPDU, it is put in the error-disabled state.
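
As an added example (not from the original page or from the vendor), the following Python function applies the global and per-port rules described above to a running-config and reports which interfaces have BPDU guard in effect. The sample configuration is constructed, and the interface-level spanning-tree portfast command is assumed to be how PortFast is enabled on a port.

```python
import re

# Constructed sample running-config (not from the original page).
# Assumption: PortFast is enabled per port with "spanning-tree portfast".
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 spanning-tree bpduguard enable
!
"""

def bpdu_guard_state(config: str) -> dict:
    """Map each interface name to (guarded, reason)."""
    global_default = False
    ports = {}       # interface name -> spanning-tree lines configured under it
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # a top-level line closes any interface block
            current = None
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                ports[current] = set()
            elif line == "spanning-tree portfast bpduguard default":
                global_default = True
        elif current and line.startswith("spanning-tree"):
            ports[current].add(line)
    result = {}
    for name, lines in ports.items():
        if "spanning-tree bpduguard enable" in lines:
            result[name] = (True, "per-port")           # applies without PortFast
        elif global_default and "spanning-tree portfast" in lines:
            result[name] = (True, "global default on PortFast port")
        else:
            result[name] = (False, "no BPDU guard in effect")
    return result

if __name__ == "__main__":
    for port, (guarded, why) in bpdu_guard_state(SAMPLE_CONFIG).items():
        print(f"{port}: {'guarded' if guarded else 'UNGUARDED'} ({why})")
```

In the sample, GigabitEthernet0/2 is reported as unguarded even though the global default is set, because the global command covers only PortFast-enabled ports.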

Configuring BPDU Guard
To enable BPDU guard globally on PortFast-enabled ports, use this command:

Switch(config)#spanning-tree portfast bpduguard default

Prefixing the command with the no keyword disables the feature on the switch.

Verifying BPDU Guard
Figure shows how to verify the BPDU configuration.