Cisco Spanning Tree BPDU Guard

A customer had several Cisco 2960 switches that were not managed and did not want us to come onsite to configure them for management. Since she had a Cisco console cable and the switches currently did not have a password, we were able to assist her remotely. The switches were already cabled together and in production. There was an intentional loop cabled between the switches for redundancy. This loop was being shut down by spanning-tree.

As I started entering the global configuration commands on the first switch, I lost my connection to their network because I was connected over the Internet. The command I had just entered was “spanning-tree portfast bpduguard default”, which enables BPDU Guard globally. Since the switches were already cabled, when I enabled BPDU Guard globally, it put the interfaces connected to the other switches in an err-disabled state as it should. I walked the customer through removing the global spanning-tree commands and performing a shut/no shut on the interfaces connected to the other switches. This allowed my remote connection to come back online.

The proper order to perform these changes is to add the “spanning-tree portfast disable” command on all interfaces connected to other switches before enabling the global spanning-tree options. After the individual interfaces were configured, I entered “spanning-tree portfast bpduguard default” globally with no issues. 
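
The ordering above written out as an IOS session, added here as an example and not captured from the customer's switches. The interface names GigabitEthernet0/1 and 0/2 are assumed stand-ins for the ports cabled to other switches.

```cisco
! Constructed example; Gi0/1-2 are assumed to be the inter-switch links.
configure terminal
!
! Step 1: exempt every switch-to-switch port from PortFast first.
interface range GigabitEthernet0/1 - 2
 description UPLINK - no PortFast, BPDUs expected
 spanning-tree portfast disable
 exit
!
! Step 2: only now enable BPDU Guard globally. It acts on ports that are
! in the PortFast operational state, so the uplinks above are unaffected.
spanning-tree portfast bpduguard default
end
!
! Step 3: verify before closing the remote session.
show spanning-tree summary
show spanning-tree interface GigabitEthernet0/1 portfast
show interfaces status err-disabled
!
! Recovery if an uplink was err-disabled anyway (shut/no shut as above):
configure terminal
interface GigabitEthernet0/1
 shutdown
 no shutdown
 end
```

When working over an in-band remote connection, run the verification commands before moving on to the next switch so an err-disabled uplink is caught while someone is still at the console.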
