Cisco Portfast, BPDU Guard, and Root Guard

In this Cisco CCNA training tutorial, you’ll learn about Spanning Tree Portfast, BPDU Guard, and Root Guard. Scroll down for the video and also text tutorial.

Cisco Portfast, BPDU Guard, and Root Guard Video Tutorial

YouTube video

Josh Gold

Josh Gold

This course is not just to help you prepare for the exam, but will be invaluable help in your real world I.T. situations and challenges.

Josh Gold


Spanning Tree Portfast


Portfast can take up to 50 seconds for Spanning Tree to transition a port to a forwarding state when that port becomes active by powering on the switch or plugging a network cable into it. If you think about it, a loop cannot be formed on ports where a single end host is plugged in.


In the diagram below, I do have a potential loop between my three switches there, so one of the ports was put into a blocking state. I then go and plug a PC into one of the switches with a single network cable connecting it, well, it's impossible to have a loop going through there as long as it doesn't change.


Spanning Tree Portfast


It would be nice if we didn't have to wait 50 seconds for the port to come up and we can actually configure that. We can make the port transition to a forwarding state immediately when it becomes active by disabling the Spanning Tree on the port.


We can do that with the Portfast command. This is configured at the interface level. Since my PC is plugged in interface F0/10, we enter the command:

interface f0/10

spanning-tree portfast


The command disabled Spanning Tree from running on the port and it will transition to forwarding immediately. You can also set all of your ports to be in Portfast by default. To do that, at global configuration mode, we enter the command:

spanning-tree portfast default


Spanning Tree Portfast 1


Then, to make sure that on any ports that are connected to switches, we enter this command on these ports:

no spanning-tree portfast


Spanning Tree BPDU Guard


There could be a big problem though, if you enable Portfast on a port, you're disabling Spanning Tree. If a loop is formed through it, then you're going to get a broadcast storm.


The most common reason is users doing things they shouldn't be doing like adding devices to the network, adding switches, or changing the cabling. You can see that's what happened in the diagram below.


Spanning Tree BPDU Guard


We've got our switches up at the top are configured with Portfast and we expect normally that it would be end hosts that get plugged in there. But probably what happened was for some part of a building there were not enough wall ports.


So, a user has come in with their own switch and they've plugged that into two different wall ports in that part of the office to get more ports for the additional users. By doing that, they've formed a loop and now you're going to get a broadcast storm.


It’s dangerous enabling Portfast, therefore, we want to take some mitigation against this kind of problem happening and that is where BPDU Guard comes in. You can enable BPDU Guard on the same interfaces where you've enabled Portfast. Then, if a BPDU is received, the port will be shut down.


When switches come online, they send BPDUs at all ports to build the Spanning Tree. So if you do plug a switch into a port, it will receive a BPDU on there and this can allow you to switch to automatically shut down that port to prevent a loop from happening.


Spanning Tree BPDU Guard 1


The command to enable BPDU Guard is:

spanning-tree bpduguard enable


It is best practise to use these commands on your networks where you've got ports that the end hosts are going to be plugged into. Just like we could with Portfast, you can also make BPDU Guard the global default. To do that in global config, we use the command:

spanning-tree portfast bpduguard default


Spanning Tree BPDU Guard 2


Spanning Tree Root Guard


Another Spanning Tree command to cover is Root Guard and this is used for a different reason than Portfast and BPDU Guard are. Spanning Tree Root Guard prevents an unintended switch from becoming the root bridge.


For example, you have an old switch which had been in a different office and it happened to be the root bridge in that different office, but it's a much older switch than the root bridge which is in your main office.


You get that old switch shipped back to the main office, then you didn’t do a factory reset and you plugged it into the network. It happens to have a higher priority than the current root bridge. Now, that old switch is going to become the root bridge and you want to make sure that this should not happen.


Spanning Tree Root Guard


Another reason that the wrong switch could become a root bridge is maybe that you're under an attack. What the attacker will do is put a switch in the network, trying to make that the root bridge to force traffic to come through the switch that they're controlling. They'll then be able to sniff the traffic and gain access to sensitive information.


So, if you want to make sure that the current root bridge remains your root bridge, you can use Root Guard to help ensure that. The way it works is if a port was Root Guard is enabled when it receives BPDUs that superior to the current root bridge, it will transition that port to root-inconsistent.


There will be no traffic forwarded over that port. The way that you configure this is on the interface configuration mode, you enter the command:

spanning-tree guard root


In our example, we've got our root bridge up in the top left. This is the one that we want to remain the root bridge. What we do is on the port connected to the bottom switch in the Root Bridge and SW2, we configure Root Guard.


Now, if a switch at the bottom starts sending out superior BPDUs, they are not going to be accepted and the port that is connected to that switch is going to be transitioned to root-inconsistent, basically shutting the port down.


Portfast and BPDU Guard Configuration Example


This configuration example is taken from my free ‘Cisco CCNA Lab Guide’ which includes over 350 pages of lab exercises and full instructions to set up the lab for free on your laptop.

Click here to download your free Cisco CCNA Lab Guide.


Portfast and BPDU Guard Configuration


  1. A Layer 2 loop cannot be formed on a port where a single end host is connected. Disable spanning tree on these ports.


You are concerned that a user may introduce a loop into the network by adding additional switches or changing the cabling. Also ensure that the ports where Spanning Tree is disabled will be automatically shut down if a switch is detected on the other side of the link.


Acc3(config)#int f0/1

Acc3(config-if)#spanning-tree portfast

Acc3(config-if)#spanning-tree bpduguard enable


Acc4(config)#int f0/1

Acc4(config-if)#spanning-tree portfast

Acc4(config-if)#spanning-tree bpduguard enable


CD1(config)#int g0/1

CD1(config-if)#spanning-tree portfast

CD1(config-if)#spanning-tree bpduguard enable


CD2(config)#int g0/1

CD2(config-if)#spanning-tree portfast

CD2(config-if)#spanning-tree bpduguard enable


Additional Resources


Spanning-Tree RootGuard:

What is BPDU Guard and how to configure BPDU Guard in Cisco Switches:,What%20is%20BPDU%20Guard%20and%20how%20to%20configure%20BPDU%20Guard,BPDU%20from%20its%20connected%20device.

Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, BackboneFast, and Loop Guard:


Want to practice Cisco CCNA technologies on your laptop? Download my complete 350-page Cisco CCNA Lab Guide for free.


Click Here to get my Cisco CCNA Gold Bootcamp, the highest rated CCNA course online with a 4.8 star rating from over 20,000 public reviews.


Libby Teofilo

Text by Libby Teofilo, Technical Writer at

With a mission to spread network awareness through writing, Libby consistently immerses herself into the unrelenting process of knowledge acquisition and dissemination. If not engrossed in technology, you might see her with a book in one hand and a coffee in the other.