Port security(shutdown mode) vs bpduguard?
StonedHitman
I was reading up on bpduguard and I immediately thought of port security. My question is this: if my goal was to shut down a port on a switch as soon as a device was connected to it, would port security "shutdown" suffice, or would I need to use bpduguard, or both? From what I understand, bpduguard is only used in conjunction with portfast on edge ports. So, if I'm using portfast then I need bpduguard, and if I'm not using portfast I should use port security?
Comments
elderkai
bpduguard only acts when the switchport receives a BPDU, so something running STP (a switch).
Adam B
Yeah, as elder said, bpduguard would be used in a situation where you don't want other switches connecting but you're fine with, let's just say, other hosts connecting. That way BPDUs are never transmitted causing internal loops between the switches. It's used in sync with Portfast generally, as it will allow hosts to come up on those switches quicker than the usual convergence time, and not allow other switches to go up on them thanks to bpduguard.
OfWolfAndMan
The purpose of bpduguard is to prevent someone from inserting a switch into your topology (especially preventing someone from becoming a root bridge, as they could steal all your trafficz). Port security, by default, will shut an interface down after a second device with a different MAC address is attached to the switchport, unless you configure the port with #switchport port-security maximum [number of max mac addresses]. What is your purpose of trying to shut a port down?
Heero
Maybe he is trying to do a ghetto man's wire trace by plugging into wall jacks and seeing what port goes down on the switch?
Dieg0M
BPDU Guard will not shut down the port, it will put it in Err-disable mode. You can use both BPDU Guard and port-security on the same switch port but for different purposes.
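An added example, not part of the thread: since the two features cover different things (BPDU guard reacts to BPDUs from an attached switch, port security to the number of MAC addresses), this sketch audits a running-config for access ports missing either one. The sample config is constructed and the finding labels are hypothetical names chosen for this example.

```python
# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def audit(config):
    """Map each access port to the edge-port controls it lacks (labels are hypothetical)."""
    lines = config.splitlines()
    # The global "bpduguard default" command enables BPDU guard on every PortFast port.
    global_guard = any(l.startswith("spanning-tree portfast") and l.endswith("bpduguard default") for l in lines)
    stanzas, name = {}, None
    for line in lines:
        if line.startswith("interface "):
            name = line.split()[1]
            stanzas[name] = []
        elif line.startswith(" ") and name:
            stanzas[name].append(line.strip())
        else:
            name = None  # "!" or a global command ends the interface stanza
    findings = {}
    for name, cmds in stanzas.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and unconfigured ports are out of scope here
        issues = []
        portfast = any(c in ("spanning-tree portfast", "spanning-tree portfast edge") for c in cmds)
        if not ("spanning-tree bpduguard enable" in cmds or (global_guard and portfast)):
            issues.append("no-bpduguard")
        if "switchport port-security" not in cmds:
            issues.append("no-port-security")
        elif any(c.startswith("switchport port-security violation ") and not c.endswith("shutdown") for c in cmds):
            issues.append("violation-not-shutdown")
        findings[name] = issues
    return findings
```

An empty list means the port has both controls; a port with port security but no `violation` line is treated as using the default shutdown mode.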