Lab 22: PortFast + BPDU Guard on Access Ports
Two settings every access port should have: PortFast (skip STP's 30-second listening/learning wait for end devices) and BPDU Guard (err-disable the port the moment a switch is plugged in). Configure both, then attack yourself. Difficulty: Intermediate · Time: ~25 min.
Lab objectives
- Enable PortFast on access ports and see instant forwarding
- Arm BPDU Guard on those ports
- Plug in a rogue switch and watch err-disable
- Recover the port
Topology & addressing
1× main switch with PCs on Fa0/1–2, and 1× spare "rogue" switch to connect during the test.
Step-by-step configuration
| Command | Effect |
| --- | --- |
| interface range fa0/1 - 2 | Select both PC-facing ports at once |
| switchport mode access | Force access mode; PortFast is meant for non-trunking end-device ports |
| spanning-tree portfast | Ports jump straight to forwarding for end devices |
| spanning-tree bpduguard enable | If a BPDU (switch-talk) arrives here → err-disable |
| Test: connect the rogue switch to Fa0/2 | It sends BPDUs → guard fires |
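The policy in the table above is easy to state and easy to drift from once a switch has dozens of ports. The script below is an added example (not part of the lab page) that audits a `show running-config` dump for exactly that policy: every access port must carry PortFast and BPDU Guard, and no trunk may carry PortFast. The configuration text it parses is constructed for the example; the helper names (`parse_interfaces`, `audit`) are the author's own, and it also understands the global `spanning-tree portfast bpduguard default` form, which arms BPDU Guard only on ports that are PortFast-enabled.

```python
# Constructed sample of "show running-config" output (not captured from a real
# switch). Fa0/1 is fully hardened, Fa0/2 has PortFast but no guard, Fa0/3 is a
# bare access port, and Gi0/1 is the uplink trunk with PortFast wrongly enabled.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree portfast
!
"""


def parse_interfaces(running_config):
    """Return {interface name: [indented config lines]} from running-config text."""
    interfaces = {}
    current = None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global line ends the interface block
    return interfaces


def audit(running_config):
    """Return [(interface, finding)] for every port that violates the lab policy."""
    # Global form: BPDU Guard is applied to all PortFast-enabled ports.
    global_guard = "spanning-tree portfast bpduguard default" in running_config.splitlines()
    findings = []
    for name, lines in parse_interfaces(running_config).items():
        is_access = "switchport mode access" in lines
        is_trunk = "switchport mode trunk" in lines
        # "spanning-tree portfast" or "spanning-tree portfast trunk" enable it;
        # "spanning-tree portfast disable" explicitly turns it off.
        portfast = any(l.startswith("spanning-tree portfast") and "disable" not in l for l in lines)
        guard = "spanning-tree bpduguard enable" in lines or (global_guard and portfast)
        if "spanning-tree bpduguard disable" in lines:
            guard = False
        if is_access and not portfast:
            findings.append((name, "access port without PortFast"))
        if is_access and not guard:
            findings.append((name, "access port without BPDU Guard"))
        if is_trunk and portfast:
            findings.append((name, "PortFast on a trunk (switch-to-switch) port"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_RUNNING_CONFIG):
        print(f"{interface}: {finding}")
```

Feed it the output of `show running-config` saved to a file and it prints one line per violation; an empty result means every access port matches the lab's two-line template.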
Verification
PC ports now go green immediately (no 30-second listening/learning); confirm with show spanning-tree interface fa0/1 portfast. Connect the rogue switch: the port slams into err-disabled (show interfaces status err-disabled) the instant its BPDU arrives, and the switch logs %SPANTREE-2-BLOCK_BPDUGUARD for Fa0/2. Topology protected. Recover after removing it: shutdown / no shutdown. If you would rather not touch the port by hand every time, errdisable recovery cause bpduguard (with errdisable recovery interval) re-enables it automatically after the timer; the port simply trips again if the rogue switch is still attached.
Frequently asked questions
Why not enable PortFast everywhere?
On switch-to-switch links it would bypass loop protection during convergence: the port forwards before STP has worked out whether it should block, so a redundant link becomes a loop. PortFast belongs on end-device ports only, which is why BPDU Guard rides along as the enforcement. Note that the global form, spanning-tree portfast bpduguard default, arms the guard only on ports that are PortFast-enabled; the per-interface spanning-tree bpduguard enable used in this lab applies regardless.
What exactly triggers BPDU Guard?
Receipt of any BPDU (configuration, TCN or RST) on the guarded port, the signature of a switch (or bridging device) where only an end host should be. Without the guard, a PortFast port that hears a BPDU merely loses its PortFast status and falls back to normal STP; with it, the port is err-disabled outright.
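To make "any BPDU" concrete, the following added example (written for this page, not taken from Cisco or the lab) builds the frame a freshly powered-on switch sends, the classic 802.1D Configuration BPDU, and then applies BPDU Guard semantics to a tiny model of an access port. The MAC addresses and the data frame are constructed; the class `AccessPort` and the function names are assumptions for illustration only. The recognition logic is what a guard actually keys on: the bridge-group destination 01:80:c2:00:00:00, the 802.3 length field, the 0x42/0x42/0x03 LLC header and protocol ID 0x0000.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 802.1D bridge-group address all STP BPDUs go to
STP_LLC = b"\x42\x42\x03"                   # LLC header: DSAP 0x42, SSAP 0x42, control UI
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst"}


def build_config_bpdu(src_mac, bridge_mac, priority=32768):
    """Build an 802.3 frame carrying a Configuration BPDU from a switch that
    believes it is root (what a rogue switch sends every hello interval).
    Timers are in 1/256 s units; forward delay 15 s x2 is the 30 s wait
    PortFast skips."""
    bridge_id = struct.pack("!H6s", priority, bridge_mac)
    bpdu = (struct.pack("!HBBB", 0x0000, 0, 0x00, 0)  # protocol ID, version 0, type config, flags
            + bridge_id                               # root bridge ID
            + struct.pack("!I", 0)                    # root path cost
            + bridge_id                               # sender bridge ID
            + struct.pack("!H", 0x8001)               # port ID
            + struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256))  # msg age, max age, hello, fwd delay
    payload = STP_LLC + bpdu
    return STP_MCAST + src_mac + struct.pack("!H", len(payload)) + payload


def is_bpdu(frame):
    """True if the raw Ethernet frame is an STP BPDU (what BPDU Guard triggers on)."""
    if len(frame) < 19 or frame[:6] != STP_MCAST:
        return False
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:            # an EtherType, not an 802.3 length: IP, LLDP, ... never STP
        return False
    if frame[14:17] != STP_LLC:
        return False
    return struct.unpack("!H", frame[17:19])[0] == 0x0000


def describe_bpdu(frame):
    """Return (version, type name) for a frame is_bpdu() accepted."""
    version, bpdu_type = frame[19], frame[20]
    return version, BPDU_TYPES.get(bpdu_type, "unknown")


class AccessPort:
    """Minimal model of one access port's PortFast / BPDU Guard behaviour."""

    def __init__(self, name, portfast=True, bpduguard=True):
        self.name, self.portfast, self.bpduguard = name, portfast, bpduguard
        self.errdisabled = False
        self.state = "forwarding" if portfast else "listening"

    def receive(self, frame):
        """Process one ingress frame and return the resulting port state."""
        if self.errdisabled:
            return "err-disabled"             # nothing is accepted until recovery
        if is_bpdu(frame):
            if self.bpduguard:
                self.errdisabled, self.state = True, "err-disabled"
            elif self.portfast:
                # No guard: the port just loses PortFast and re-runs normal STP.
                self.portfast, self.state = False, "listening"
        return self.state

    def recover(self):
        """Equivalent of shutdown / no shutdown on the port."""
        self.errdisabled = False
        self.state = "forwarding" if self.portfast else "listening"
        return self.state


# Constructed test traffic: a rogue-switch BPDU and an ordinary IPv4 data frame.
ROGUE_MAC = bytes.fromhex("0011223344aa")
ROGUE_BPDU = build_config_bpdu(ROGUE_MAC, ROGUE_MAC)
DATA_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("001122334466")
              + struct.pack("!H", 0x0800) + bytes(46))

if __name__ == "__main__":
    port = AccessPort("Fa0/2")
    print("PC traffic  ->", port.receive(DATA_FRAME))
    print("rogue BPDU  ->", port.receive(ROGUE_BPDU), describe_bpdu(ROGUE_BPDU))
    print("after shut/no shut ->", port.recover())
```

The same recognizer rejects CDP, LLDP and normal IP frames because they carry an EtherType (or a different multicast address) rather than an 802.3 length plus the STP LLC header, which is why only a bridging device can trip the guard.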
What attack does this stop?
Rogue switches joining the topology — accidental loops from desk switches, or deliberate STP manipulation attempts.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.