BPDU Guard
The Root Guard feature can be enabled on all switchports in the network off of which the root bridge should not appear (that is, every port that is not a root port, the root port being the port on each switch that is considered closest to the root bridge). If a port configured for Root Guard receives a superior BPDU, instead of believing the BPDU and re-electing the root, the switch puts the port into a root-inconsistent state. While a port is in the root-inconsistent state, no user data is sent across it. However, after the superior BPDUs stop, the port returns to the forwarding state on its own, with no administrator intervention.
The BPDU Guard feature is enabled on ports configured with the Cisco PortFast feature. PortFast is enabled on ports that connect to end-user devices, such as PCs. It reduces the amount of time required for the port to go into the forwarding state after being connected. The logic of PortFast is that a port that connects to an end-user device does not have the potential to create a topology loop. Therefore, the port can go active sooner by skipping STP's listening and learning states, which by default take 15 seconds each. Because these PortFast ports are connected to end-user devices, they should never receive a BPDU. Therefore, if a port enabled for BPDU Guard receives a BPDU, the port is disabled: it is placed in the err-disabled state and stays down until an administrator re-enables it or err-disable recovery has been configured for the BPDU Guard cause.
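The following Cisco IOS configuration is an added example, not taken from the original page, showing where each feature belongs: Root Guard on the downstream (designated) ports of the switch that must remain root, and PortFast plus BPDU Guard on the access ports of the edge switch, together with the err-disable recovery setting and the show commands used to check for hits. Hostnames, interface numbers, VLAN numbers and the recovery interval are assumed for illustration.

```cisco
! Added example configuration (not from the original page); hostnames,
! interface numbers, VLANs and the recovery interval are assumed.
!
! --- Distribution switch that must stay root for VLANs 1-100 ---
spanning-tree mode rapid-pvst
spanning-tree vlan 1-100 priority 4096
!
! Downstream (designated) port toward an access switch: Root Guard.
! A superior BPDU arriving here puts the port into root-inconsistent
! state instead of letting the neighbour become root; the port recovers
! on its own once the superior BPDUs stop.
interface GigabitEthernet1/0/1
 description Uplink to ACCESS-SW1
 switchport mode trunk
 spanning-tree guard root
!
! --- Access switch ---
! Enable PortFast and BPDU Guard globally for every access (non-trunk) port.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Or per interface, which is explicit and survives a later change of the
! global default.
interface range GigabitEthernet1/0/2 - 24
 description End-user ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! BPDU Guard err-disables the port. Without recovery it stays down until an
! administrator issues "shutdown" / "no shutdown"; with recovery it comes
! back after the interval and is err-disabled again if the rogue switch is
! still attached.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification:
! show spanning-tree inconsistentports            (Root Guard hits)
! show interfaces status err-disabled              (BPDU Guard hits)
! show spanning-tree interface GigabitEthernet1/0/2 detail
```

Root Guard goes on ports facing switches you do not trust to become root; never put it on the root port itself or on uplinks that legitimately carry the root's BPDUs, or those links will go root-inconsistent. BPDU Guard belongs only on ports that should never see a BPDU; applying it to an inter-switch link takes that link down the moment the neighbour sends its first hello.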
Root Guard Versus BPDU Guard
· Root Guard: After receiving a superior BPDU, a port configured for Root Guard goes into a root-inconsistent state. While in this state, the port stops forwarding. After the superior BPDUs stop, the port returns to the forwarding state.
· BPDU Guard: BPDU Guard is designed to work on ports configured for the PortFast feature. If a port enabled for BPDU Guard receives a BPDU, the port is disabled.
Root Guard protects the root bridge from being displaced by another switch without administrator permission; BPDU Guard protects ports assigned to user access from being connected to unauthorized switches.