Spanning-tree root guard, BPDU guard and loop guard

This is another (short) post about three more important features of spanning-tree, as discussed on my previous blog.

Spanning-tree root guard is useful in avoiding layer 2 loops during network anomalies. Root guard forces an interface to become a designated port to prevent surrounding switches from becoming the root switch.

So, with this feature you can force the root bridge to stay on the switch you want. If the switch receives BPDUs with a better bridge ID than the current root, that specific port moves to a “root-inconsistent” STP state and the switch does not forward any traffic out of that port. Root guard can protect the network from having the root bridge change to a switch you don’t want to be root (because it creates bad traffic flows).

A design recommendation is to enable root guard on all access ports. Not enabling root guard could be a potential security risk.
Root guard can only function on portfast enabled ports!

Recovery from a root-inconsistent state occurs automatically when the port stops receiving the superior BPDUs.

BPDU guard

BPDU guard puts a portfast-enabled port into err-disabled state when a BPDU is received.

Loop guard

Loop guard is very useful in conjunction with UDLD. When a switch stops receiving BPDUs on a port, it could think that it’s safe to put that port into forwarding state. But in case of a UDLD error, a loop could be created. Loop guard adds an extra check before the port transitions to forwarding state.

When a switch stops receiving BPDUs on a port, the switch places the port into STP loop-inconsistent blocking state instead of transitioning to the listening, learning and forwarding states.

A switchport in STP loop-inconsistent blocking state does not forward any data, so no loop is present. This state looks and acts like the blocking state. When necessary the STP process changes a blocking port to listening, learning and finally forwarding state.

Important to know: loop guard can be enabled on a per-VLAN basis. Loop guard and aggressive mode UDLD can be used together to get the highest possible protection against bridging loops.
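
To check where these guards are actually applied, here is an added example (not code from this post) that audits a switch configuration and reports which access ports are covered by BPDU guard, which by root guard, and which by neither. It assumes classic Cisco IOS command syntax (spanning-tree portfast, spanning-tree bpduguard enable/disable, spanning-tree guard root, spanning-tree portfast bpduguard default), which the post itself does not show, and the sample configuration is constructed for illustration.

```python
# Added example. SAMPLE_CONFIG is constructed, not taken from a real device.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree guard root
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree guard loop
"""

def parse(config):
    """Return (set of global commands, {interface name: set of commands})."""
    global_cmds, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            ifaces[current].add(line)          # indented line belongs to the open block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        else:
            current = None                      # any other top-level line is global
            global_cmds.add(line)
    return global_cmds, ifaces

def audit(config):
    """Map each access port to 'bpdu-guard', 'root-guard' or None (unprotected)."""
    global_cmds, ifaces = parse(config)
    bpdu_default = "spanning-tree portfast bpduguard default" in global_cmds
    report = {}
    for name, cmds in ifaces.items():
        if "switchport mode access" not in cmds:
            continue                            # trunks/uplinks are out of scope here
        portfast = "spanning-tree portfast" in cmds
        bpdu = "spanning-tree bpduguard enable" in cmds or (
            bpdu_default and portfast and "spanning-tree bpduguard disable" not in cmds)
        root = "spanning-tree guard root" in cmds
        # If both are set, report BPDU guard: any BPDU err-disables the port first.
        report[name] = "bpdu-guard" if bpdu else "root-guard" if root else None
    return report
```

Ports that map to None (GigabitEthernet0/2 in the sample, where the global default is overridden per port) are the ones to review.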

  • ernesto

    Is it possible to use UDLD and loop guard at the same time? Same ports?

    The overlap?

  • rob

    Yes, it is possible to enable both on the same switchport:

    Loop guard doesn’t work on links that are unidirectional since the moment the cable is plugged in. To prevent these loops, UDLD is needed.

  • EddySan


    If you already have BPDU guard enabled globally and your access ports have portfast enabled, why would you need to have root guard also enabled on the interfaces?

    If a BPDU is received on any port with portfast it will be err-disabled, so why bother with the root guard command on the interface?

    • rob

      That’s correct: when bpdu guard is globally enabled, it’s enabled for all portfast ports.
      It’s possible to disable bpdu guard on a per port basis.

      bpdu guard and root guard are two different things. It’s not possible to use them together on the same switchport (as you said: 1 bpdu = disabled port)

      On a root guard port, bpdu’s are allowed. Only “better” bpdu’s will disable the port.

  • EddySan

    Hi Rob,

    Where did you find your documentation on root guard? I am trying to find where it says the port has to be portfast enabled to have this feature turned on.
