How does BPDU guard work
Root guard ensures that the interface on which it is enabled is set as the designated port.
Normally, the root bridge ports are all set as designated ports unless two or more root bridge ports are connected. This root-inconsistent state is effectively equivalent to a listening state. No traffic is forwarded across this interface. In this process, the root guard enforces the position of the root bridge. When the PortFast feature is enabled on a switch or a trunk port, the port immediately transitions to the STP forwarding state.
If the port happens to be part of a topology that could form a loop, the port eventually transitions into STP blocking mode. In most deployments, edge ports are access ports. However, in this scenario there are no restrictions in enabling the PortFast feature. If link L1 fails, Switch C detects this failure as an indirect failure, because it is not connected directly to link L1. Switch B no longer has a path to the root switch. BackboneFast allows the blocked port on Switch C to move immediately to the listening state without waiting for the maximum aging time for the port to expire.
This switchover takes approximately 30 seconds. Figure shows how BackboneFast reconfigures the topology to account for the failure of link L1.
If a new switch is introduced into a shared-medium topology, BackboneFast is not activated. Figure shows a shared-medium topology in which a new switch is added. The new switch begins sending inferior BPDUs, which indicate that it is the root switch. Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network.
Loop guard checks if a root port or an alternate root port receives BPDUs. Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge. Note: When you are in MST mode, you can set all the ports on a switch with the set spantree global-defaults loop-guard command. When you enable loop guard, it is automatically applied to all of the active instances or VLANs to which that port belongs.
When you disable loop guard, it is disabled for the specified ports. Disabling loop guard moves all loop-inconsistent ports to the listening state. If you enable loop guard on a channel and the first link becomes unidirectional, loop guard blocks the entire channel until the affected port is removed from the channel. Figure shows loop guard in a triangle switch configuration. Figure illustrates the following configuration:
Use loop guard only in topologies where there are blocked ports. Topologies that have no blocked ports, which are loop free, do not need to enable this feature.
Enabling loop guard on a root switch has no effect but provides protection when a root switch becomes a nonroot switch. Note: We recommend that you enable loop guard on root ports and alternate root ports on access switches. Loop guard is effective only if the port is a root port or an alternate port. Do not enable loop guard and root guard on a port at the same time. Because a PortFast-enabled port will not be a root port or alternate port, loop guard and PortFast cannot be configured on the same port.
Do not configure a loop guard-enabled port with dynamic VLAN membership. The port transitions out of the inconsistent state after the message age expires. Loop guard ignores the message age expiration on type-inconsistent ports and PVID-inconsistent ports. If the port is already blocked by loop guard, misconfigured BPDUs that are received on the port make loop guard recover, but the port is moved into the type-inconsistent state or PVID-inconsistent state. The newly activated supervisor engine recovers the port only after receiving a BPDU on that port.
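The guard behaviours described above, written as a small Python model. This is an added example, not code from the original page or from any switch vendor; the port names, function names and the simplified recovery transitions are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    role: str                      # "root", "alternate" or "designated"
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"

    def __post_init__(self):
        # Combinations the text rules out.
        if self.loop_guard and self.root_guard:
            raise ValueError(f"{self.name}: loop guard with root guard")
        if self.loop_guard and self.portfast:
            raise ValueError(f"{self.name}: loop guard with PortFast")
        if self.role == "alternate":
            self.state = "blocking"

def on_bpdu(port, superior=False):
    """A BPDU arrives; superior=True means it advertises a better root."""
    if port.portfast and port.bpdu_guard:
        port.state = "errdisabled"        # shut down: nothing sent or received
    elif port.root_guard and superior:
        port.state = "root-inconsistent"  # no forwarding, like listening
    elif port.state == "loop-inconsistent":
        # BPDUs are back: loop guard releases the port (simplified recovery).
        port.state = "blocking" if port.role == "alternate" else "forwarding"
    return port.state

def on_bpdu_timeout(port):
    """No BPDU before max age expired, e.g. a unidirectional link."""
    if port.role in ("root", "alternate"):
        if port.loop_guard:
            port.state = "loop-inconsistent"   # failure isolated, port stays blocked
        else:
            # Without loop guard the port becomes designated and forwards.
            port.role, port.state = "designated", "forwarding"
    return port.state

def demo():
    edge = Port("edge", "designated", portfast=True, bpdu_guard=True)
    down = Port("downlink", "designated", root_guard=True)
    alt_guarded = Port("alt-guarded", "alternate", loop_guard=True)
    alt_plain = Port("alt-plain", "alternate")
    return [on_bpdu(edge), on_bpdu(down, superior=True),
            on_bpdu_timeout(alt_guarded), on_bpdu_timeout(alt_plain)]
```

The last entry returned by `demo()` is the case loop guard exists to prevent: a previously blocked port that silently starts forwarding after BPDUs stop arriving.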
However, to form a channel, all the physical ports grouped in the channel must have compatible configurations. BPDU guard is enabled by default, which means BPDU guard needs the PortFast command enabled in the first place. If a port configured for root guard receives a superior BPDU, the port immediately goes to the root-inconsistent blocked state. Errdisable is a feature that automatically disables a port on a Cisco Catalyst switch. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port.
The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. PortFast is not enabled by default. With PortFast enabled on a port, you effectively take the port and tell spanning tree not to implement STP on that port.
Configure the spanning-tree PortFast setting: Enter the configuration mode for the interface. Shut down the interface. Change the PortFast setting. Review the PortFast status. Reset the default spanning-tree PortFast value for the interface.