CCNA Switching: Basics about BPDU Guard and Root Guard

Today I am going to talk about the basic concepts of BPDU Guard and Root Guard, a topic that interests most network engineers and one where many people are confused about the difference between the two. Let's take them one at a time.

BPDU Guard
BPDU guard err-disables a port as soon as a BPDU arrives on it. Enabled globally, it applies to every port on which PortFast is enabled; enabled on an individual interface, it applies whether or not PortFast is configured there. Disabling the port effectively denies the device behind it any participation in STP.

A port that has been put into err-disable state must be re-enabled manually (shutdown, then no shutdown) unless errdisable recovery is configured for the bpduguard cause, in which case the switch retries the port after a timer expires. An unexpected BPDU may be accidental or may be part of an unauthorized attempt to add a switch to the network, so BPDU guard is best deployed on user-facing ports to stop an attacker from extending the network with a rogue switch.

In short, BPDU guard stops ports assigned to user access from being connected to unauthorized switches.

BPDU guard is therefore the standard security setting for normal edge (PortFast) ports, while root guard is reserved for more specific scenarios.

There are two ways to enable BPDU guard:
  • On an interface (spanning-tree bpduguard enable): that port is put into err-disable state if a BPDU is received, regardless of whether PortFast is enabled on it.
  • In global configuration mode (spanning-tree portfast bpduguard default): every PortFast-enabled port is put into err-disable state if a BPDU is received, so the protection automatically follows PortFast onto new access ports.
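The following Cisco IOS configuration is an added example, not taken from the original article, showing both ways of enabling BPDU guard on an access switch together with automatic err-disable recovery and the commands used to verify it. The interface numbers, VLAN ID and descriptions are assumed for illustration only.

```cisco
! Added example (not from the original article). Interface names, VLAN 10 and
! the 300-second recovery interval are assumptions chosen for illustration.
!
! Option 1: global form. Every port whose operational state is PortFast is
! protected; a BPDU arriving on such a port err-disables it.
spanning-tree portfast bpduguard default
!
! Make recovery automatic instead of requiring a manual shutdown / no shutdown.
! The port stays err-disabled for the interval and is then retried; if the
! rogue switch is still attached it is err-disabled again.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 24
 description user access ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Option 2: per-interface form. Works whether or not PortFast is enabled, so it
! can protect a port that deliberately does not run PortFast.
interface GigabitEthernet1/0/25
 description printer
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
!
! Never let BPDU guard reach a real uplink: the upstream switch's BPDUs would
! err-disable the link. No PortFast here, and the guard is explicitly off.
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 spanning-tree bpduguard disable
!
! Verification:
!   show spanning-tree summary             -> "Portfast BPDU Guard Default is enabled"
!   show interfaces status err-disabled    -> ports shut down by bpduguard
!   show errdisable recovery               -> recovery causes and timer
```

The interface-level command overrides the global default for that one port in either direction, which is what the uplink uses to opt out. On a port protected only by the global form, removing PortFast also removes the protection, so the per-interface form is the safer choice for ports whose PortFast status might change.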

Fig 1.1- Root Guard & BPDU Guard

Root guard
When a port configured with root guard receives a superior BPDU (one advertising a better root bridge than the current one), the port is moved into a root-inconsistent state for that VLAN, which effectively means it stops forwarding traffic for that VLAN on that port. Because of this you need to be very careful where you put root guard, not only for the normal operating scenario but also for what would happen if your primary root bridge goes down.

The easiest thing to do is to set up root guard only on your primary root bridge, on the ports facing switches that must never become root, so that you avoid a scenario where the root bridge goes down and root guard happens to be configured on the only port left that leads to the new root bridge.

Root guard allows the downstream device to participate in STP as long as it does not try to become the root. If root guard blocks the port, recovery is automatic: the port returns to normal as soon as the offending device stops sending superior BPDUs, with no manual intervention, unlike a port err-disabled by BPDU guard.

The root guard feature of Cisco switches is designed to enforce the placement of the root bridge in the network. Root guard limits the switch ports through which the root bridge may be negotiated: if a root-guard-enabled port receives BPDUs that are superior to those the current root bridge is sending, that port is moved to the root-inconsistent state.

Note: Root guard is best deployed towards ports that connect to switches which should not be the root bridge

The root guard feature can be enabled on all switch ports in the network beyond which the root bridge should never appear. Root guard protects the root bridge role from being taken over by another switch without the administrator's permission.

If you manage and trust all the switches, you can generally enforce root placement by setting the switch priorities alone. Root guard is needed where a network you manage connects to one you do not, or wherever an unmanaged switch could be plugged in and advertise a lower priority than your root; priorities alone cannot stop that, root guard can.
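The following Cisco IOS configuration is an added example, not from the original article, that applies the placement guidance above: root guard goes on the intended root bridge's downlinks toward switches that must never become root, and deliberately not on the link to the secondary root so that failover still works. The switch names, interface numbers, VLAN IDs and priority values are assumptions for illustration.

```cisco
! Added example (not from the original article). Switch names, interface
! names, VLANs 10/20 and the priority values are assumptions for illustration.
!
! --- DIST-1, the intended primary root bridge ---
spanning-tree mode rapid-pvst
! Lowest priority wins the root election (bridge ID = priority + MAC).
spanning-tree vlan 10,20 priority 4096
!
! Root guard on the downlinks: access switches must never become root.
! If one of them (or a rogue switch behind it) sends a superior BPDU, the
! downlink goes root-inconsistent for that VLAN instead of accepting it.
interface range GigabitEthernet1/0/1 - 2
 description downlinks to ACCESS-1 / ACCESS-2
 switchport mode trunk
 spanning-tree guard root
!
! No root guard toward the secondary root. If DIST-1 fails, DIST-2 must be
! able to take over, and while DIST-1 is up DIST-2's BPDUs are inferior anyway.
interface GigabitEthernet1/0/24
 description peer link to DIST-2 (secondary root)
 switchport mode trunk
!
! --- DIST-2, the secondary root bridge ---
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 priority 8192
! The same downlinks are guarded here too; this is safe because the only path
! to the new root after a DIST-1 failure is DIST-2 itself, not an access switch.
interface range GigabitEthernet1/0/1 - 2
 description downlinks to ACCESS-1 / ACCESS-2
 switchport mode trunk
 spanning-tree guard root
!
! Verification on DIST-1 while a rogue switch with a lower priority is attached
! somewhere below ACCESS-1 (illustrative output, not captured from a device):
!   show spanning-tree inconsistentports
!     Name                 Interface                Inconsistency
!     VLAN0010             GigabitEthernet1/0/1     Root Inconsistent
!   show spanning-tree vlan 10   -> Gi1/0/1 shown as BKN*ROOT_Inc
! Once the superior BPDUs stop, Gi1/0/1 returns to forwarding on its own.
```

Note that a rogue switch with priority 0 would still beat DIST-1's priority of 4096 in a plain election; the priority only decides who wins among the switches you control, and it is the guard on the downlinks that refuses the rogue's claim. Combined with BPDU guard on the access switches' user ports, the superior BPDU is normally stopped one hop earlier and never reaches the distribution layer at all.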