Spanning Tree Root Guard, BPDU Guard, and BPDU Filter

Good Spanning Tree designs make certain assumptions about which switch ports should connect to upstream switches using trunk ports and which should be connected to downstream independent host devices using access ports. Properly configuring edge ports with the appropriate STP enhancements, like PortFast, improves network access times and limits TCN flooding.

Designing STP networks to operate efficiently is important, but what happens when a user needs a few more ports in the second floor conference room? They plug in their own small switch of course! Adding a rogue switch to an access port with PortFast enabled can have unintended consequences. Not only can a loop form if a cable from the rogue switch is also accidentally added to another wall jack, but what happens if the switch is running Spanning Tree and has the lowest priority? It will be elected as the Root Bridge and all forwarding paths will change with it at the top. Not what any network engineer wants.

Root Guard and BPDU Guard are two STP enhancements that can be applied to the access port to prevent such a situation. Both protections monitor for incoming Spanning Tree BPDUs on the port, but take different actions in response. BPDU Filter is another feature designed to limit unnecessary BPDUs from being sent or received on host-connected ports. All three are important Spanning Tree protections we will explore in more detail.

Root Guard

Root Guard was developed to control where root bridges can be located within the network. Switches learn about and elect root bridges based on the BPDUs they receive, so if a new switch is added to the environment with a lower bridge priority than the current Root Bridge, the new switch will become root – and in turn disrupt your carefully planned traffic patterns. To prevent this from occurring, Root Guard can be applied to interfaces where a root bridge should never be seen.

When Root Guard is applied to an interface, it forces the port to always remain a designated port, never allowing it to transition to a root port. If a Root Guard enabled port receives a superior BPDU (one advertising a better root than the current Root Bridge), the switch immediately moves the port to the root-inconsistent STP state (essentially the same as the listening state) and does not forward any traffic out that port. Inferior BPDUs are processed normally, so Root Guard does not stop a downstream switch from participating in Spanning Tree; it only stops that switch from becoming root.

When the Root Guard protected port stops receiving superior BPDUs (after the max age timer expires), it automatically unblocks the port and proceeds through its normal listening, learning, and eventually forwarding states. No intervention is required. Ports currently held in the root-inconsistent state can be listed with the show spanning-tree inconsistentports command.

Root Guard Configuration

Root Guard is enabled on a per-port basis using the spanning-tree guard root interface command. Because the Root Bridge and backup Root Bridge should reside in the network core, Root Guard is typically applied on access and distribution switches to every port that faces away from the core (access ports and downstream trunks), and never on the uplinks toward the core.

SW1(config)# interface gi1/0/10
SW1(config-if)#spanning-tree guard root

BPDU Guard

BPDU Guard places a port in the err-disabled state upon receipt of any BPDU, shutting down the interface. Because of this, it is often used to prevent problems caused by switches being accidentally (or deliberately) connected to PortFast-enabled ports: the rogue switch is cut off before it can be elected root or form a loop.

BPDU Guard Global Configuration

BPDU Guard can be configured globally using the spanning-tree portfast bpduguard default command. Applying it globally activates BPDU Guard on all switch ports that are operationally in PortFast state; a PortFast port that receives a BPDU is err-disabled.

SW1(config)#spanning-tree portfast bpduguard default

BPDU Guard can optionally be deactivated on a per-port basis after the global command is applied using the spanning-tree bpduguard disable interface command.

BPDU Guard Interface-level Configuration

BPDU Guard can be configured on a per-interface basis using the spanning-tree bpduguard enable interface command.

SW1(config-if)#spanning-tree bpduguard enable

While PortFast and BPDU Guard are often used together on the same port, they are independent features: BPDU Guard enabled at the interface level err-disables the port on any BPDU whether or not PortFast is configured. Only the global default depends on PortFast, since it is applied to ports that are operationally in PortFast state.

Also, a port that BPDU Guard has placed into the err-disabled state will not automatically recover by default, unlike a port blocked by Root Guard. The port must be manually bounced (shutdown followed by no shutdown), or err-disable recovery must be enabled for the bpduguard cause with the errdisable recovery cause bpduguard global command; the errdisable recovery interval command sets how many seconds the port stays down before it is brought back up. If the offending switch is still connected, the port will simply be err-disabled again on the next BPDU.

BPDU Filter

BPDU Filter is a Spanning Tree enhancement used to prevent STP BPDUs from being transmitted or received on interfaces. This is most useful on PortFast-enabled access ports where the expectation is that the connected host does not speak Spanning Tree and does not need the BPDUs.

Pay attention to the specific differences in how BPDUs are filtered depending on whether global or interface configurations are applied.

BPDU Filter Global Configuration

  • Causes all PortFast ports to stop sending BPDUs
  • If a BPDU is received, the port loses its PortFast status, BPDU filtering is disabled, and STP resumes default operation on the port
  • When the port comes up, it sends 10 BPDUs before filtering begins; if it hears any BPDUs during that time, PortFast and BPDU filtering are disabled

SW1(config)#spanning-tree portfast bpdufilter default

BPDU Filter Interface-level Configuration

  • Causes the port to stop sending and processing received BPDUs
  • Because it ignores incoming BPDUs, this prevents STP participation with a switch connected on the port; potentially leading to bridging loop scenarios

SW1(config-if)#spanning-tree bpdufilter enable

Much like BPDU Guard, BPDU Filter configured at the interface level is independent of PortFast: the port stops sending and ignores received BPDUs regardless of its PortFast status. The global BPDU Filter command is different, because globally enabled BPDU filtering only applies to ports operating in PortFast status. If such a port receives a BPDU (even with the global BPDU Filter applied), it loses its PortFast status, which in turn deactivates the filtering until the port returns to PortFast status. This is why the global form is the safer of the two: it still detects an attached switch, whereas the interface-level form never will.

Note: If you enable both BPDU Guard and BPDU Filter at the interface level, BPDU Guard has no effect because BPDU Filter drops all the received BPDUs. When both are applied globally, a PortFast port that receives a BPDU will be placed into the err-disabled state.


Global Verification

BPDU Guard and BPDU Filter global configuration can be verified with the show spanning-tree summary command.

SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0020-VLAN0039, VLAN0050, VLAN0062
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short

Interface Verification

BPDU Guard and BPDU Filter applied at the interface level can be verified using the show spanning-tree interface detail command.

SW1#show spanning-tree interface gig1/0/10 detail
Port 10 (GigabitEthernet1/0/10) of VLAN0100 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.10.
Designated root has priority 4196, address 0008.e3ff.fd90
Designated bridge has priority 32868, address 189c.5d8a.fa80
Designated port id is 128.10, designated path cost 1
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 731473, received 0
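As an added example (not code from the original post), the following Python script ties the verification output above to the BPDU Filter interaction rules from the previous section. It parses the text of show spanning-tree summary and show spanning-tree interface detail, predicts what an incoming BPDU would do to the port under the global and interface-level rules described above, and flags the two dangerous cases: no guard at all, and an interface-level filter that silently disables an interface-level guard. The sample output is constructed from the post's own examples; the "Bpdu filter is enabled" and "Root guard is enabled on the port" line formats are assumed, since the post only shows "Bpdu guard is enabled".

```python
"""Audit STP edge-port protection from Cisco IOS 'show' output.

Added example, not code from the original post. The sample output below is
constructed from the post's examples; the 'Bpdu filter ...' and
'Root guard ...' line formats are assumed (the post shows only 'Bpdu guard').
"""
import re

# Constructed sample: global section, trimmed from the post's summary output.
SUMMARY = """\
Switch is in rapid-pvst mode
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
"""

# Constructed sample: the post's Gi1/0/10 detail (PortFast + interface BPDU Guard).
GI10 = """\
Port 10 (GigabitEthernet1/0/10) of VLAN0100 is designated forwarding
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
BPDU: sent 731473, received 0
"""

# Constructed sample of a misconfigured port: interface-level guard AND filter.
GI11 = """\
Port 11 (GigabitEthernet1/0/11) of VLAN0100 is designated forwarding
The port is in the portfast mode
Bpdu guard is enabled
Bpdu filter is enabled
BPDU: sent 12, received 0
"""


def _flag(text, label):
    """True when '<label> is enabled' appears on its own line (case-insensitive)."""
    m = re.search(rf"^{re.escape(label)}\s+is\s+(enabled|disabled)", text, re.M | re.I)
    if not m:
        raise ValueError(f"no '{label}' line in output")
    return m.group(1).lower() == "enabled"


def parse_summary(text):
    """Global defaults; both only take effect on ports in PortFast state."""
    return {
        "bpduguard_default": _flag(text, "PortFast BPDU Guard Default"),
        "bpdufilter_default": _flag(text, "Portfast BPDU Filter Default"),
    }


def parse_interface(text):
    """Per-port facts the audit needs, taken from 'show spanning-tree interface ... detail'."""
    m = re.search(r"^Port \d+ \((\S+)\)", text, re.M)
    return {
        "name": m.group(1) if m else "?",
        "portfast": "The port is in the portfast mode" in text,
        "bpduguard": bool(re.search(r"^Bpdu guard is enabled", text, re.M)),
        "bpdufilter": bool(re.search(r"^Bpdu filter is enabled", text, re.M)),  # assumed format
        "rootguard": bool(re.search(r"^Root guard is enabled", text, re.M)),    # assumed format
    }


def on_bpdu(glob, port, superior=False):
    """Outcome when a BPDU (optionally superior to the current root) arrives on the port."""
    if port["bpdufilter"]:
        # Interface-level filter drops every received BPDU, so a guard on the
        # same port never fires and an attached switch is never noticed.
        return "ignored"
    if port["bpduguard"] or (port["portfast"] and glob["bpduguard_default"]):
        return "err-disabled"
    if port["rootguard"] and superior:
        return "root-inconsistent"
    if port["portfast"]:
        # Global guard/filter defaults apply only while PortFast is active;
        # losing PortFast also ends global filtering, and STP runs normally.
        return "loses-portfast"
    return "accepted"  # no protection: a superior BPDU moves the root


def audit(summary_text, iface_text):
    """Return (port name, outcome for a superior BPDU, list of findings)."""
    glob, port = parse_summary(summary_text), parse_interface(iface_text)
    outcome = on_bpdu(glob, port, superior=True)
    findings = []
    if port["bpdufilter"] and port["bpduguard"]:
        findings.append("interface BPDU Filter makes interface BPDU Guard ineffective")
    if outcome == "ignored":
        findings.append("interface BPDU Filter hides an attached switch: bridging loop risk")
    elif outcome not in ("err-disabled", "root-inconsistent"):
        findings.append("no BPDU Guard or Root Guard: a rogue switch could become root")
    return port["name"], outcome, findings


if __name__ == "__main__":
    for sample in (GI10, GI11):
        print(audit(SUMMARY, sample))
```

In practice the two show outputs would be collected from each access switch and every port checked in a loop; a port whose audit returns any findings is one where the rogue-switch scenario from the start of the article is still possible.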

Author Aaron

Aaron knows networks. He's been involved in building and supporting world-class data networks for the past 10 years - from international cloud service providers to Fortune 50 data centers. Aaron consults independently and is focused on building the best training platform available.

More posts by Aaron

Leave a Reply