Good Spanning Tree designs make certain assumptions about which switch ports should connect to upstream switches using trunk ports and which should be connected to downstream independent host devices using access ports. Properly configuring edge ports with the appropriate STP enhancements, like PortFast, improves network access times and limits TCN flooding.
Designing STP networks to operate efficiently is important, but what happens when a user needs a few more ports in the second floor conference room? They plug in their own small switch of course! Adding a rogue switch to an access port with PortFast enabled can have unintended consequences. Not only can a loop form if a cable from the rogue switch is also accidentally added to another wall jack, but what happens if the switch is running Spanning Tree and has the lowest priority? It will be elected as the Root Bridge and all forwarding paths will change with it at the top. Not what any network engineer wants.
Root Guard and BPDU Guard are two STP enhancements that can be applied to an access port to prevent such a situation. Both protections monitor for incoming Spanning Tree BPDUs on the port, but take different actions in response. BPDU Filter is another feature designed to limit unnecessary BPDUs from being sent or received on host-connected ports. All three are important Spanning Tree optimizations we will explore in more detail.
Root Guard was developed to control where Root Bridges can be located within the network. Switches learn about and elect Root Bridges based on the BPDUs they receive, so if a new switch with a lower bridge priority than the current Root Bridge is added to the environment, the new switch will become root, and in turn disrupt your carefully planned traffic patterns. To prevent this from occurring, Root Guard can be applied to any interface where a Root Bridge should never be seen.
When Root Guard is applied to an interface, it forces the port to always remain a designated port, never allowing it to transition to a root port. If a Root Guard enabled port receives a superior BPDU, the switch immediately moves the port into the root-inconsistent STP state (essentially the same as the listening state) and does not forward any traffic out that port.
When the Root Guard protected port stops receiving superior BPDUs, the switch automatically unblocks it and the port proceeds through its normal listening, learning, and eventually forwarding states. No intervention is required.
Root Guard Configuration
Root Guard is enabled on a per-port basis using the spanning-tree guard root interface command. For this reason Root Guard is often applied on access and distribution switches on all ports that face away from the network core (where the Root Bridge and backup Root Bridge should reside).
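As an added example (not configuration from the original article), here is how Root Guard might be laid out on an access switch so that every port facing away from the core is protected while the uplinks are left untouched. The Rapid PVST+ mode, the interface numbering and the assumption that Gi1/0/25-26 are the uplinks are all assumptions made for this example:

```cisco
! Added example, not from the original article. Assumes a Catalyst-style IOS
! switch whose ports Gi1/0/1-24 face hosts and Gi1/0/25-26 are uplinks to the core.
spanning-tree mode rapid-pvst
!
! Ports that face away from the core must never learn a root from this side.
! Root Guard keeps each of them a designated port; a superior BPDU arriving
! here puts the port into root-inconsistent state instead of re-electing root.
interface range GigabitEthernet1/0/1 - 24
 description host-facing access ports
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
!
! Uplinks toward the core are where the Root Bridge is expected to be seen,
! so Root Guard is explicitly left off here.
interface range GigabitEthernet1/0/25 - 26
 description uplinks toward distribution/core
 switchport mode trunk
 spanning-tree guard none
!
end
!
! A port that heard a superior BPDU is listed here as root-inconsistent and
! clears on its own once the superior BPDUs stop arriving.
show spanning-tree inconsistentports
```

Applying the guard with an interface range keeps the policy uniform across all host-facing ports, and the `show spanning-tree inconsistentports` output is the quickest way to spot a port that is currently blocked by Root Guard.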
BPDU Guard places a port in err-disabled state upon receipt of any BPDU, disabling the interface. Because of this, it is often used to prevent problems related to remote switches accidentally being connected to PortFast-enabled ports.
BPDU Guard Global Configuration
BPDU Guard can be configured globally using the spanning-tree bpduguard default command. Applying it globally activates BPDU Guard on all switch ports operating in PortFast status.
BPDU Guard can optionally be deactivated on a per-port basis after the global command is applied using the spanning-tree bpduguard disable interface command.
BPDU Guard Interface-level Configuration
BPDU Guard can be configured on a per-interface basis using the spanning-tree bpduguard enable interface command.
While PortFast and BPDU Guard are often used together on the same port, they are completely independent features; neither depends on the other.
Also, unlike Root Guard, a port that BPDU Guard has placed into the err-disabled state will not automatically recover by default. To auto-recover the port back to the up state, the errdisable recovery
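The global form, the per-interface enable and disable forms, and err-disable auto-recovery, shown together as an added example rather than the article's own configuration. In IOS the global command is written in full as `spanning-tree portfast bpduguard default`; the interface names and the 300-second recovery interval are assumptions for this example:

```cisco
! Added example, not from the original article. Interface names and the
! recovery interval are assumptions.
!
! Global form: applies only to ports that are currently in PortFast status.
spanning-tree portfast bpduguard default
!
! Opt a single PortFast port out of the global setting.
interface GigabitEthernet1/0/6
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
! Interface-level form: independent of PortFast, applies to this port regardless
! of whether PortFast is configured.
interface GigabitEthernet1/0/7
 switchport mode access
 spanning-tree bpduguard enable
!
! An err-disabled port stays down until an administrator shuts/no-shuts it,
! unless recovery is enabled for the bpduguard cause. The interval is in
! seconds; 300 is the IOS default.
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
!
! Confirm which causes auto-recover and which ports are currently err-disabled.
show errdisable recovery
show interfaces status err-disabled
```

Enabling recovery means a port that tripped BPDU Guard will come back up on its own after the interval, and will simply trip again if the offending switch is still attached, so the err-disable log messages remain the signal that something is plugged in where it should not be.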
BPDU Filter is a Spanning Tree enhancement used to prevent STP BPDUs from being transmitted or received on interfaces. This is most useful on PortFast-enabled access ports where the expectation is that the connected host does not speak Spanning Tree and has no use for the BPDUs.
Pay attention to the specific differences in how BPDUs are filtered depending on whether global or interface configurations are applied.
BPDU Filter Global Configuration
- Causes all PortFast ports to stop sending BPDUs
- If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and STP resumes default operation on the port
- When the port comes up, it sends 10 BPDUs; if it hears any BPDUs during that time, PortFast and BPDU filtering are disabled
BPDU Filter Interface-level Configuration
- Causes the port to stop sending and processing received BPDUs
- Because it ignores incoming BPDUs, this prevents STP participation with a switch connected on the port, potentially leading to bridging loops
Much like BPDU Guard, BPDU Filter and PortFast are completely independent features; neither depends on the other. The only exception involves switches configured with the global BPDU Filter command. In that case, if a PortFast port receives a BPDU, it loses its PortFast status, which in turn deactivates BPDU Filter as well. Recall that globally enabled BPDU Filtering only applies to ports operating in PortFast status. Once a PortFast port receives a BPDU (even with global BPDU Filter applied) it loses its PortFast status, and that disables the filtering until the port is back in PortFast status. BPDU Filter configured at the interface level does not have this PortFast dependency.
Note: If you enable both BPDU Guard and BPDU Filter at the interface level, BPDU Guard has no effect because BPDU Filter drops all received BPDUs. When both are applied globally, ports receiving BPDUs will be placed into the err-disabled state.
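The global and interface-level BPDU Filter forms side by side, together with the Guard/Filter interaction described in the note, as an added example that is not the article's own configuration. In IOS the global command is written in full as `spanning-tree portfast bpdufilter default`; the interface name is an assumption:

```cisco
! Added example, not from the original article. Interface names are assumptions.
!
! Global form: only affects PortFast ports. Such a port sends 10 BPDUs at
! link-up and then goes quiet; if it hears a BPDU it drops PortFast, which
! also drops the filter, and the port reverts to normal STP operation.
spanning-tree portfast bpdufilter default
!
! Interface-level form: unconditional. The port neither sends nor processes
! BPDUs, so a switch plugged in here is invisible to STP and a loop through
! it would go undetected. Use only where a switch can never legitimately appear.
interface GigabitEthernet1/0/8
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Combining the two globally is the safe pairing: a PortFast port that hears
! a BPDU loses PortFast (and the filter) and BPDU Guard then err-disables it.
! Adding "spanning-tree bpduguard enable" on Gi1/0/8 above would do nothing,
! because the interface-level filter discards the BPDU before Guard sees it.
spanning-tree portfast bpduguard default
end
!
! Verification: global state of both features, then the per-port view.
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/0/8 detail
```

The practical rule this illustrates is to prefer the global filter, which backs off as soon as a BPDU appears, and to reserve the interface-level filter for ports where silence toward STP is the intended and audited behaviour.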
BPDU Guard and BPDU Filter global configuration can be verified with the show spanning-tree summary command.
BPDU Guard and BPDU Filter applied at the interface level can be verified using the show spanning-tree interface detail command.