Protecting STP – Root Guard, BPDU Guard & BPDU Filter

STP builds the topology based on the BPDUs that switches send and receive. If a switch receives a BPDU carrying a better (lower) Bridge ID than the current root, it accepts the sender as the new Root Bridge, so any device that can inject such a BPDU can change the topology of the whole network.
Protection Methods:
  • Root Guard
  • BPDU Guard
  • BPDU Filtering
Root Guard:
Root Guard prevents an unauthorized switch from advertising itself as the Root Bridge.
If a superior BPDU is received on an interface that is enabled with Root Guard, the interface automatically moves to the root-inconsistent state.
When the interface is in the root-inconsistent state, it behaves like the blocking state and does not forward any frames.
Root Guard is disabled by default on switches.
It can be enabled by:
  • Switch(config)#  interface F0/0 
  • Switch(config-if)#  spanning-tree guard root 
We can verify by:
  • Switch#  show spanning-tree inconsistentports
The interface recovers from the root-inconsistent state automatically once it stops receiving superior BPDUs.

BPDU Guard:
BPDU Guard is enabled on PortFast interfaces.
PortFast is enabled on access ports so that end devices converge quickly.
If a BPDU is received on a PortFast-enabled interface, it can lead to loops.
If a BPDU is received on a PortFast interface with BPDU Guard, the interface goes into the err-disabled state.
We can configure it per interface:
  • Switch(config)#  interface F0/0 
  • Switch(config-if)#  spanning-tree bpduguard enable
Or globally, for all PortFast interfaces:
Switch(config)#  spanning-tree portfast bpduguard default
To recover from the err-disabled state:
  • Switch(config)#  interface F0/0
  • Switch(config-if)#  shutdown 
  • Switch(config-if)#  no shutdown
The no shutdown command alone is not enough; the interface must be shut down first.

BPDU Filter:
BPDU Filter is also enabled on PortFast interfaces.
It is similar to BPDU Guard, but instead of err-disabling the interface, BPDU Filter filters the BPDUs.
BPDU Filtering can be configured in 2 ways.
Globally: if enabled globally, a received BPDU disables PortFast on the interface, and the interface goes through the normal STP process.
  • Switch(config)#  spanning-tree portfast bpdufilter default
Interface level: if enabled on the interface, received BPDUs are discarded, which is similar to disabling STP on that interface.
  • Switch(config)#  interface F0/0 
  • Switch(config-if)#  spanning-tree bpdufilter enable 
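The following Python model is an added example, not code from this post or from Cisco. It models the decisions described above for a single port when a BPDU arrives: Bridge ID comparison (lower priority, then lower MAC, wins), Root Guard moving the port to root-inconsistent and recovering once superior BPDUs stop, BPDU Guard err-disabling a PortFast port (with shutdown / no shutdown as the only way back), and the two BPDU Filter modes. The port names, bridge IDs and the evaluation order used when several features are configured on one port are constructed assumptions of the model, not Cisco behaviour the post documents.

```python
"""Teaching model of STP protection features (Root Guard, BPDU Guard, BPDU Filter).

Not Cisco code: it models the port behaviour described in the post so the
effect of each feature on a rogue BPDU can be compared side by side.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID = priority (default 32768) + MAC address; the lower ID wins.

    Ordering compares priority first, then the MAC string, which sorts
    correctly for colon-separated lowercase hex of equal length.
    """
    priority: int
    mac: str


FORWARDING = "forwarding"
ROOT_INCONSISTENT = "root-inconsistent"
ERR_DISABLED = "err-disabled"
ADMIN_DOWN = "admin-down"


class Port:
    """One switch port and the STP protection features configured on it."""

    def __init__(self, name, current_root, portfast=False, root_guard=False,
                 bpdu_guard=False, bpdu_filter=None):
        self.name = name
        self.current_root = current_root        # root the switch currently believes in
        self.portfast = portfast
        self.root_guard = root_guard
        # True either via 'spanning-tree bpduguard enable' on the interface or via
        # the global 'spanning-tree portfast bpduguard default' on a PortFast port.
        self.bpdu_guard = bpdu_guard
        self.bpdu_filter = bpdu_filter          # None, "global" or "interface"
        self.state = FORWARDING
        self.admin_down = False

    def receive_bpdu(self, advertised_root):
        """Process one received BPDU and return a description of what happened.

        Assumption of this model: when several features are configured on the
        same port they are evaluated in the order below.
        """
        if self.state in (ERR_DISABLED, ADMIN_DOWN):
            return "dropped: port down"
        if self.bpdu_filter == "interface":
            # Interface-level filter: BPDU silently discarded, like STP disabled.
            return "discarded: interface-level bpdufilter"
        if self.portfast and self.bpdu_guard:
            # BPDU Guard: a BPDU on a PortFast port err-disables it.
            self.state = ERR_DISABLED
            return "err-disabled: bpduguard"
        events = []
        if self.portfast and self.bpdu_filter == "global":
            # Global filter: PortFast is lost and the BPDU is processed normally.
            self.portfast = False
            events.append("portfast disabled: global bpdufilter")
        superior = advertised_root < self.current_root
        if self.root_guard and superior:
            # Root Guard: superior BPDU puts the port in root-inconsistent state.
            self.state = ROOT_INCONSISTENT
            events.append("root-inconsistent: root guard")
        elif superior:
            # No protection: the sender becomes the new root.
            self.current_root = advertised_root
            events.append("new root accepted")
        else:
            events.append("inferior BPDU: no change")
        return "; ".join(events)

    def max_age_expired(self):
        """Root-inconsistent ports recover once superior BPDUs stop arriving."""
        if self.state == ROOT_INCONSISTENT:
            self.state = FORWARDING
        return self.state

    def shutdown(self):
        self.admin_down = True
        self.state = ADMIN_DOWN
        return self.state

    def no_shutdown(self):
        """'no shutdown' only brings the port up if it was shut down first."""
        if self.admin_down:
            self.admin_down = False
            self.state = FORWARDING
        return self.state


if __name__ == "__main__":
    # Constructed sample values: a legitimate root and a rogue with priority 0.
    legit_root = BridgeId(4096, "00:00:0c:aa:aa:aa")
    rogue_root = BridgeId(0, "00:00:0c:bb:bb:bb")
    for port in (Port("Gi1/0/1", legit_root, root_guard=True),
                 Port("Gi1/0/2", legit_root, portfast=True, bpdu_guard=True),
                 Port("Gi1/0/3", legit_root, portfast=True, bpdu_filter="global"),
                 Port("Gi1/0/4", legit_root, portfast=True, bpdu_filter="interface")):
        print(port.name, "->", port.receive_bpdu(rogue_root), "| root now", port.current_root)
```

Running the script shows the point of the post in one screen: only Root Guard and BPDU Guard stop the rogue root on Gi1/0/1 and Gi1/0/2, the global BPDU Filter on Gi1/0/3 merely removes PortFast and then accepts the rogue as root, and the interface-level filter on Gi1/0/4 ignores the BPDU entirely.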