The Role of BPDU Guard in Spanning Tree


As a CCNA / CCNP candidate you are expected to understand the purpose and function of Spanning-tree BPDU Guard. The CCNA / CCNP exams will ask you to determine the purpose of BPDU Guard (BPDU: Bridge Protocol Data Unit) within the spanning-tree protocol.

Before we go into detail as to the purpose of the BPDU Guard feature a quick recap on the spanning-tree protocol is required.

Spanning-tree is a protocol designed to prevent physical and/or logical loops in your layer 2 network. It achieves this loop-free environment by first electing a device to act as the focal point of the network, from which all other switches measure themselves. The election of this focal point, known as the “Root Bridge”, takes place at the very start of spanning-tree’s determination of the loop-free topology; it is carried out using a combination of the switch’s MAC address and a value known as the “Default Priority”.

These two values are conveyed into the network via BPDUs. BPDUs are used by spanning-tree to maintain a stable network state. In standard 802.1D spanning-tree, for instance, only the Root Bridge generates BPDUs.

The stability of the Root Bridge is of paramount importance to the continual, uninterrupted operation of spanning-tree. A change in the position of the Root Bridge will cause service disruption on the network, with data and voice sessions timing out.

It is important to consider what events could cause a change in the position of the Root Bridge: links failing between the existing Root Bridge and the rest of the network, or a duplex mismatch between the Root Bridge and downstream switches that stops the Root Bridge’s spanning-tree messages from reaching other parts of the network. These events are easily fixed and resolved, and none of them requires the BPDU Guard feature.

In our network we want to enforce the Spanning-tree domain borders and keep our active topology and the position of our Root Bridge predictable.

In our network we enable BPDU Guard only on access ports (ports that lead to end user devices), so that end user devices on these ports cannot influence the Spanning-tree topology.

BPDU Guard is enabled on an access port with:

Switch(config-if)#spanning-tree bpduguard enable

Once BPDU Guard is enabled, the port watches for any BPDUs entering it. The only devices which can reliably create and transmit BPDUs are switches.

We want to keep a predictable topology and not allow switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit BPDUs; if the rogue switch has “better” values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.

Configuring the BPDU Guard feature on access ports enables spanning-tree to shut a port down in the event that it receives a BPDU. As a rule of thumb, BPDUs are only expected across trunk links.

If a rogue switch is plugged into a port configured for BPDU Guard, the port is disabled as soon as the first BPDU is received; by shutting the port down we prevent the rogue switch from affecting our spanning-tree topology.

To re-enable a port disabled by BPDU Guard you will need to remove the offending device and then bounce the port by issuing shut / no shut on the interface.
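The behaviour described above, as an added toy model (not code from the article or from any switch vendor): an access port with BPDU Guard enabled goes err-disabled on the first BPDU it sees, discards everything after that, and only comes back when an administrator bounces it with shut / no shut. The frames, port names and log text are constructed for illustration; the BPDU check uses the IEEE 802.1D bridge group address 01:80:c2:00:00:00 and the STP LLC SAP 0x42. The scenario function also runs the same rogue switch against a port without BPDU Guard, which the article does not show, to make visible what the feature actually prevents: the BPDU reaching the spanning-tree process.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STP_MULTICAST_MAC = "01:80:c2:00:00:00"   # IEEE 802.1D bridge group address used by STP BPDUs
STP_LLC_SAP = 0x42                         # LLC DSAP/SSAP value used by STP


@dataclass
class Frame:
    """Minimal ingress frame: destination MAC, optional LLC DSAP, payload (constructed)."""
    dst_mac: str
    llc_dsap: Optional[int] = None   # None for ordinary Ethernet II data frames
    payload: bytes = b""


def is_bpdu(frame: Frame) -> bool:
    """A frame counts as a BPDU when it is sent to the STP multicast address
    and carries the STP LLC SAP."""
    return frame.dst_mac.lower() == STP_MULTICAST_MAC and frame.llc_dsap == STP_LLC_SAP


@dataclass
class AccessPort:
    name: str
    bpdu_guard: bool = True
    state: str = "forwarding"        # "forwarding", "err-disabled" or "shutdown"
    bpdus_seen_by_stp: int = 0       # BPDUs handed to the STP process (what BPDU Guard prevents)
    log: List[str] = field(default_factory=list)

    def receive(self, frame: Frame) -> str:
        """Process one ingress frame; returns "forwarded", "dropped" or "err-disabled"."""
        if self.state != "forwarding":
            return "dropped"                      # a down port discards everything
        if is_bpdu(frame):
            if self.bpdu_guard:
                # First BPDU on a guarded port: disable the port before STP ever sees it.
                self.state = "err-disabled"
                self.log.append(f"{self.name}: BPDU received with BPDU Guard enabled, "
                                f"port placed in err-disabled state")  # constructed log text
                return "err-disabled"
            self.bpdus_seen_by_stp += 1           # unguarded: STP processes the rogue BPDU
        return "forwarded"

    def shutdown(self) -> None:
        self.state = "shutdown"

    def no_shutdown(self) -> None:
        """Second half of the shut / no shut bounce; clears the err-disabled state."""
        self.state = "forwarding"


def rogue_switch_scenario(guard_enabled: bool) -> Dict[str, object]:
    """Plug a (constructed) rogue switch into an access port and record what happens
    to its BPDU and to the user traffic that follows it."""
    port = AccessPort("Gi0/10", bpdu_guard=guard_enabled)        # hypothetical port name
    rogue_bpdu = Frame(STP_MULTICAST_MAC, STP_LLC_SAP, b"\x00\x00\x00\x00")  # constructed BPDU stub
    user_data = Frame("00:11:22:33:44:55", None, b"GET / HTTP/1.1")          # constructed data frame
    results = [port.receive(rogue_bpdu), port.receive(user_data)]
    return {"state": port.state, "results": results,
            "bpdus_seen_by_stp": port.bpdus_seen_by_stp, "log": port.log}


def recover(port: AccessPort) -> str:
    """The manual recovery from the article: remove the device, then shut / no shut."""
    port.shutdown()
    port.no_shutdown()
    return port.state


if __name__ == "__main__":
    for guard in (True, False):
        print(f"BPDU Guard {'on ' if guard else 'off'}: {rogue_switch_scenario(guard)}")
```

With the guard on, the rogue BPDU never reaches the STP process and the port stays err-disabled until `recover()` is called; with the guard off, the same BPDU is handed to STP and is free to contest the Root Bridge election.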