In your CCNA studies, you learned about PortFast and the trouble it can
cause if configured on the wrong port! Suitable only for switch ports
connected directly to a single host, PortFast allows a port running STP
to go directly from blocking to forwarding mode.
A Cisco router will give you a warning when you configure PortFast:
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a
single host. Connecting hubs, concentrators, switches, bridges, etc...
to this interface when portfast is enabled, can cause temporary
bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/5 but will only
have effect when the interface is in a non-trunking mode.
SW1(config-if)#
Not only will the switch warn you about the proper usage of PortFast,
but you must put the port into access mode before PortFast will take
effect.
Now, you'd think that would be enough of a warning, right? But there is
a chance - just a chance - that someone is going to manage to connect a
switch to a port running Portfast. That could lead to two major
problems, the first being the formation of a switching loop. Remember,
the reason we have listening and learning modes is to help prevent
switching loops. The next problem is that there could be a new root
bridge elected - and it could be a switch that isn't even in your
network!
BPDU Guard protects against this disastrous possibility. If any BPDU
comes in on a port that's running BPDU Guard, the port will be shut
down and placed into error disabled state, shown on the switch as
err-disabled. A port placed in err-disabled state must be reopened
manually.
BPDU Guard is off on all ports by default, and is enabled as shown here:
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard enable
It's a good idea to enable BPDU Guard on any port you're running
PortFast on. There's no cost in overhead, and it does prevent the
possibility of a switch sending BPDUs into a port configured with
PortFast - not to mention the possibility of a switch not under your
control becoming a root switch to your network!