Spanning Tree Protocol: BPDU Guard and Root Guard

Sometimes you may want to lock down your switchports so that they don’t allow connections to other switches that could be plugged into the network.

BPDU guard is enabled per port or globally and error disables the port immediately if it receives a BPDU on the configured port.

When activated globally BPDU Guard is enabled only on PortFast ports, you can likewise disable portfast on a per port basis if you enable it globally.

Outside of the Portfast and Global BPDU Guard configuration being dependent on one another, all other configuration methods of implementation are independent of each other.

If a port is taken down into err-disabled state because of BPDU guard it will not recover from err-disabled unless you add configuration to set it back to up in a certain amount of time or by bouncing the port.

Also when spanning-tree bpdufilter enable is configured on a per port basis, this effectively stops the port from sending and receiving BPDUs all together.

Root Guard behaves the same except that instead of blocking all BPDUs it only blocks superior BPDUs, if it receives that port is put into a root-inconsistent blocking state.



