Protect Against Unauthorized Switches

Posted February 9, 2004 by Al Banks in Cisco switch

The following recipe contains one method to protect against the addition of unauthorized switches to a Cisco Catalyst. This refers to the 6500 series, but it may be available on other platforms as well.


Unauthorized switches can pose a significant problem for networks. Oddball switches can win a spanning-tree root election or can increase network diameter beyond accepted specifications.

One way to prevent the addition of an unauthorized switch is to enable BPDU Guard.

In global configuration mode, enter:spanning-tree portfast bpduguard default

This command enables the switch to disable a port that receives a BPDU (Bridge Protocol Data Unit).

Normally, a port configured for portfast will be connected to an end device, like a workstation, server, or printer. End devices do not send BPDUs, so this condition is not triggered. A switch, however, will normally send BPDUs on every port. When a switch is connected, the 6500 receives a BPDU and shuts down the offending port.

After 12.1, this configuration may be applied to interfaces. When configured in this manner, the 6500 will disable the port upon receipt of a BPDU, regardless of the portfast configuration.

The Conversation

Follow the reactions below and share your own thoughts.