Bpduguard


Summary of "BPDUGuard in Spanning-Tree"

The BPDU Guard feature protects the Layer 2 Spanning Tree Protocol (STP) topology from BPDU-related attacks.
BPDU Guard must be enabled on a port that should never receive a BPDU from its connected device.
If a BPDU is received on a “BPDUGuard”-enabled port, the port transitions to the “err-disabled” state immediately, as shown in the video lab.
So you must configure it on ports where end devices are connected, such as printers, laptops, workstations, scanners, etc.
End devices are not supposed to generate BPDUs, because in a normal network environment BPDU messages are exchanged by network switches.
In this lab, we discussed how to enable bpduguard at the per-interface level.
The command is “spanning-tree bpduguard enable” under the interface where you want it enabled.
You can verify whether it is enabled using “show spanning-tree interface x/x detail”.
Whenever a port gets disabled, you will get messages with the reason.
If a port is disabled, you can check it using the command “show interface | include disable” or “show interface x/x status err-disabled”.
You can reset the port to make it work again with “shut” and “no shut”.
You also have the option to set automatic recovery using the commands “errdisable recovery cause bpduguard” and “errdisable recovery interval xx”.
You can verify the err-disable recovery status using the command “show errdisable recovery”.
