[VIDEO] Advanced STP Features: BPDU Guard

BPDU Guard protects ports that should never see a BPDU, typically access ports facing end hosts. It does not stop BPDUs from arriving; if one is received on a guarded port, the switch puts that port into the error-disabled (err-disabled) state as a protective measure.

Why do we use it? In a switched network it is important that the active topology stays stable and predictable: you do not want the network in a constant state of change, and you want to know where the root switch is, because the root is the reference point for the whole Spanning Tree topology calculation.

Problem: if another switch with a lower bridge ID than the current root is connected to the network, a new root switch is elected and the STP topology is recalculated. That interrupts services on the network and changes the traffic paths. It makes no difference whether the switch was plugged in by mistake or deliberately by someone who wants to become root and pull traffic through a device they control.

Solution: BPDU Guard lets you enforce the border of the STP domain, so that devices behind ports with BPDU Guard enabled cannot influence the STP topology. As soon as a BPDU is received on such a port, the port is put into the err-disabled state and the offending device is cut off from the network.

Much like PortFast, BPDU Guard has two configuration options: globally, with 'spanning-tree portfast bpduguard default', and per interface, with 'spanning-tree bpduguard enable'.

As the command syntax suggests, the global setting depends on the port's operational PortFast state. It does not matter how PortFast was enabled (globally with 'spanning-tree portfast default' or on the interface itself); as long as PortFast is operational on the port, BPDU Guard is in effect there, and on ports where PortFast is not operational (trunk ports, or ports where it was disabled) the global setting does nothing. The per-interface command enables BPDU Guard unconditionally, independent of PortFast and of access/trunk mode. Conversely, 'spanning-tree bpduguard disable' on an interface overrides the global default for that port, so a single interface-level line can silently leave a host port unprotected.
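The precedence rules above are easy to get wrong when a configuration mixes global defaults with per-interface overrides, so the following added example (not code from the video) audits a running-config excerpt and reports, per port, whether PortFast is operational and whether BPDU Guard is actually in effect. The running-config is constructed for the example; the rules it applies are the ones described above: the global default only bites where PortFast is operational, plain 'spanning-tree portfast' is not operational on a trunk port, and an interface-level 'spanning-tree bpduguard enable' or 'disable' overrides the global setting. Ports with no 'switchport mode' line are treated as access ports, which is an assumption of this example.

```python
"""Audit which ports really have BPDU Guard in effect (added example).

Parses a Cisco IOS style running-config excerpt and applies the
global-vs-interface precedence rules for PortFast and BPDU Guard.
"""
import re

# Constructed sample running-config, not captured from a real switch.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast disable
!
interface GigabitEthernet0/4
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree bpduguard disable
!
"""


def parse_config(text):
    """Return (global settings, per-interface settings) from the config text."""
    global_cfg = {"portfast_default": False, "bpduguard_default": False}
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"trunk": False, "portfast": None, "bpduguard": None}
            continue
        if line.startswith(" ") and current is not None:
            # Newer IOS uses 'portfast edge'; treat it like plain 'portfast'.
            cmd = re.sub(r"\s+", " ", line.strip()).replace("portfast edge", "portfast")
            iface = interfaces[current]
            if cmd == "switchport mode trunk":
                iface["trunk"] = True
            elif cmd == "switchport mode access":
                iface["trunk"] = False
            elif cmd == "spanning-tree portfast":
                iface["portfast"] = "edge"
            elif cmd == "spanning-tree portfast trunk":
                iface["portfast"] = "trunk"
            elif cmd == "spanning-tree portfast disable":
                iface["portfast"] = "disable"
            elif cmd == "spanning-tree bpduguard enable":
                iface["bpduguard"] = True
            elif cmd == "spanning-tree bpduguard disable":
                iface["bpduguard"] = False
            continue
        current = None
        cmd = line.replace("portfast edge", "portfast")
        if cmd == "spanning-tree portfast default":
            global_cfg["portfast_default"] = True
        elif cmd == "spanning-tree portfast bpduguard default":
            global_cfg["bpduguard_default"] = True
    return global_cfg, interfaces


def operational_portfast(global_cfg, iface):
    """Operational PortFast state: interface setting wins, global default applies to non-trunk ports only."""
    pf = iface["portfast"]
    if pf == "disable":
        return False
    if pf == "trunk":
        return True
    if pf == "edge":
        return not iface["trunk"]  # plain 'spanning-tree portfast' does nothing on a trunk
    return global_cfg["portfast_default"] and not iface["trunk"]


def effective_bpduguard(global_cfg, iface):
    """Interface-level enable/disable is unconditional; the global default needs operational PortFast."""
    if iface["bpduguard"] is not None:
        return iface["bpduguard"]
    return global_cfg["bpduguard_default"] and operational_portfast(global_cfg, iface)


def audit(text):
    """Map each interface name to its operational PortFast and effective BPDU Guard state."""
    global_cfg, interfaces = parse_config(text)
    return {
        name: {
            "portfast": operational_portfast(global_cfg, iface),
            "bpduguard": effective_bpduguard(global_cfg, iface),
        }
        for name, iface in interfaces.items()
    }


def unprotected_edge_ports(text):
    """Access ports (where a host, not a switch, is expected) that would still accept a BPDU."""
    global_cfg, interfaces = parse_config(text)
    return sorted(
        name for name, iface in interfaces.items()
        if not iface["trunk"] and not effective_bpduguard(global_cfg, iface)
    )


if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(f"{name:22} portfast={str(state['portfast']):5} bpduguard={state['bpduguard']}")
    print("access ports without BPDU Guard:", unprotected_edge_ports(SAMPLE_CONFIG))
```

On the sample config the audit flags GigabitEthernet0/3 and GigabitEthernet0/5: both are access ports covered by the global default on paper, but one has PortFast disabled and the other has an interface-level 'bpduguard disable', so neither would react to a rogue BPDU. GigabitEthernet0/4 is the opposite case, a trunk where the per-interface enable applies without PortFast.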

There are two ways to recover an err-disabled port: manually, with 'shutdown' followed by 'no shutdown' on the interface, or automatically, by enabling err-disable recovery for this cause with 'errdisable recovery cause bpduguard'. The default recovery interval is 300 seconds and can be changed with 'errdisable recovery interval <seconds>'. 'show errdisable recovery' shows which causes have recovery enabled and the current timer, and 'show interfaces status err-disabled' lists the ports that are currently disabled and why.

Automatic recovery does not fix the root cause. After the interval expires the port comes back up, only to be err-disabled again as soon as the attached device sends its next BPDU, which with the default 2-second hello time means within seconds. Until the offending device is removed or reconfigured, the port keeps cycling between up and err-disabled, so treat repeated BPDU Guard events on the same port as something to investigate, not something the timer will resolve.
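That up/err-disabled cycle is visible in the switch's syslog, and it is a useful signal to alert on: a port that is recovered and immediately blocked again still has a BPDU source behind it. The following added example (not code from the video) correlates err-disable recovery messages with subsequent BPDU Guard block messages per port and flags ports that keep getting re-blocked. The log lines are constructed for the example and modelled on the SPANTREE-2-BLOCK_BPDUGUARD, PM-4-ERR_DISABLE and PM-4-ERR_RECOVER messages Cisco IOS emits; the 10-second re-block window and the threshold of two recover-then-block cycles are assumptions you would tune to your environment.

```python
"""Detect ports that are repeatedly err-disabled by BPDU Guard (added example).

Correlates ERR_RECOVER with the next BLOCK_BPDUGUARD message per port and
flags ports where recovery is followed by another block within a short window.
"""
import re
from datetime import datetime

# Constructed sample syslog excerpt, not captured from a real switch.
SAMPLE_LOG = """\
Mar  1 10:00:05.120: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/3 with BPDU Guard enabled. Disabling port.
Mar  1 10:00:05.121: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/3, putting Gi0/3 in err-disable state
Mar  1 10:05:05.300: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/3
Mar  1 10:05:07.410: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/3 with BPDU Guard enabled. Disabling port.
Mar  1 10:05:07.411: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/3, putting Gi0/3 in err-disable state
Mar  1 10:10:07.600: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi0/3
Mar  1 10:10:09.700: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/3 with BPDU Guard enabled. Disabling port.
Mar  1 10:10:09.701: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/3, putting Gi0/3 in err-disable state
Mar  1 11:30:00.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/7 with BPDU Guard enabled. Disabling port.
Mar  1 11:30:00.001: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/7, putting Gi0/7 in err-disable state
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): %(?P<msg>[A-Z]+-\d-[A-Z_]+): (?P<rest>.*)$"
)
PORT_RE = {
    "SPANTREE-2-BLOCK_BPDUGUARD": re.compile(r"on port (\S+) with"),
    "PM-4-ERR_DISABLE": re.compile(r"putting (\S+) in"),
    "PM-4-ERR_RECOVER": re.compile(r"state on (\S+)$"),
}
# The two facilities name the port differently; normalise to the short form.
LONG_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def normalise_port(name):
    for long, short in LONG_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_events(log, year=2024):
    """Yield (timestamp, message id, port) for the BPDU Guard related messages.

    IOS timestamps carry no year; the caller supplies one (assumption).
    """
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("msg") not in PORT_RE:
            continue
        port_m = PORT_RE[m.group("msg")].search(m.group("rest"))
        if not port_m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f").replace(year=year)
        events.append((ts, m.group("msg"), normalise_port(port_m.group(1))))
    return events


def analyse(log, reblock_window_s=10.0, persistent_threshold=2):
    """Per port: block count, recover-then-block count, and a 'persistent' flag."""
    stats = {}
    last_recover = {}
    for ts, msg, port in parse_events(log):
        entry = stats.setdefault(port, {"blocks": 0, "reblocked_after_recovery": 0})
        if msg == "PM-4-ERR_RECOVER":
            last_recover[port] = ts
        elif msg == "SPANTREE-2-BLOCK_BPDUGUARD":
            entry["blocks"] += 1
            recovered_at = last_recover.pop(port, None)
            if recovered_at is not None and (ts - recovered_at).total_seconds() <= reblock_window_s:
                entry["reblocked_after_recovery"] += 1
    for entry in stats.values():
        entry["persistent"] = entry["reblocked_after_recovery"] >= persistent_threshold
    return stats


def persistent_ports(log):
    """Ports whose err-disable recovery keeps being undone by a new BPDU."""
    return sorted(p for p, s in analyse(log).items() if s["persistent"])


if __name__ == "__main__":
    for port, s in analyse(SAMPLE_LOG).items():
        print(f"{port:8} blocks={s['blocks']} reblocked_after_recovery={s['reblocked_after_recovery']} persistent={s['persistent']}")
    print("investigate:", persistent_ports(SAMPLE_LOG))
```

In the sample, Gi0/3 is blocked three times and re-blocked about two seconds after each recovery, which is what a still-connected switch looks like; Gi0/7 shows a single block and no recovery yet, so it is not flagged. In a real deployment this logic would run over a syslog feed rather than a string, but the correlation is the same.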

As a summary, here are the most important take-aways from this video:

  • BPDU Guard err-disables a port that should never receive BPDUs. If a BPDU is received, the port is put in the err-disabled state.
  • There are two ways to configure BPDU Guard: globally and per interface.
  • BPDU Guard global mode is dependent on operational PortFast state.
  • BPDU Guard interface mode is independent and unconditional.
  • Remember normal STP operation: which devices send BPDUs and which do not. A port facing an end host should never see one.
