📘 CCNA 200-301 v1.1
2.5 Interpret basic operations of Rapid PVST+ Spanning Tree Protocol
2.5.d Root guard, loop guard, BPDU filter, and BPDU guard
What Is Rapid PVST+?
Before diving into the protection features, let’s quickly recall what Rapid PVST+ (Per VLAN Spanning Tree Plus) is:
- It’s Cisco’s version of Rapid Spanning Tree Protocol (RSTP).
- It runs a separate instance of STP per VLAN.
- It provides faster convergence (recovery) than the old IEEE 802.1D STP.
- Its main purpose is to prevent switching loops by blocking redundant paths.
Now, while RPVST+ prevents loops, it still needs protection against misconfigurations or unexpected connections that can mess up the STP topology.
That’s where these four protection features come in:
- Root Guard
- Loop Guard
- BPDU Filter
- BPDU Guard
🧱 1. Root Guard
💡 Purpose:
Prevents another switch from becoming the Root Bridge.
🧠 Why We Need It:
In STP, the switch with the lowest Bridge ID (Priority + MAC) becomes the Root Bridge.
Sometimes, an unauthorized or misconfigured switch connected to the network could send superior BPDUs (Bridge Protocol Data Units) that make it become the Root Bridge.
That can cause unwanted network topology changes or instability.
⚙️ How It Works:
- You enable Root Guard on ports where you expect to connect to other switches, but you do not want them to become the Root.
- If a port with Root Guard receives a superior BPDU (a BPDU claiming to be the new Root), the port is put into “root-inconsistent” state (temporarily blocked).
- When the superior BPDUs stop arriving, the port automatically returns to normal (forwarding).
🔧 Configuration (Cisco CLI):
Switch(config)# interface fa0/1
Switch(config-if)# spanning-tree guard root
✅ Summary Table:
| Feature | Protects Against | Action Taken | Typical Location |
|---|---|---|---|
| Root Guard | Unauthorized Root Bridge | Puts port in root-inconsistent state | Uplink or inter-switch links |
🔁 2. Loop Guard
💡 Purpose:
Prevents STP loops caused by unidirectional links or missing BPDUs.
🧠 Why We Need It:
In STP, ports decide their role and state based on the BPDUs they receive.
If a port stops receiving BPDUs because of a link problem (for example, a unidirectional link), it may incorrectly conclude that the link is safe and move to the forwarding state, creating a loop.
⚙️ How It Works:
- Loop Guard is enabled on non-designated ports (typically root or alternate ports).
- If a port stops receiving BPDUs, it moves into a “loop-inconsistent” state instead of forwarding.
- When BPDUs return, it automatically recovers.
🔧 Configuration (Cisco CLI):
Switch(config)# interface fa0/1
Switch(config-if)# spanning-tree guard loop
✅ Summary Table:
| Feature | Protects Against | Action Taken | Typical Location |
|---|---|---|---|
| Loop Guard | Missing BPDUs / unidirectional links | Puts port in loop-inconsistent state | Links between switches |
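To make the Root Guard and Loop Guard mechanisms above concrete, here is a small Python model (an added example, not from these notes or from Cisco IOS) of how a port protected by either feature reacts to BPDU events. It assumes Bridge IDs compare as (priority, MAC) and simplifies recovery to "the next non-superior BPDU arrives" instead of the real max-age timer; all bridge IDs and port names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeId:
    """STP Bridge ID: the lowest (priority, MAC) pair wins the Root election."""
    priority: int   # bridge priority (in PVST+ it also carries the VLAN id)
    mac: str        # tie-breaker when priorities are equal

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        # accepts the "32769.0011.2233.4455" form seen in 'show spanning-tree'
        prio, mac = text.split(".", 1)
        return cls(int(prio), mac.lower())

class GuardedPort:
    """One Rapid PVST+ port protected by either Root Guard or Loop Guard."""
    def __init__(self, name: str, current_root: BridgeId, guard: str):
        if guard not in ("root", "loop"):
            raise ValueError("guard must be 'root' or 'loop'")
        self.name, self.current_root, self.guard = name, current_root, guard
        self.state = "normal"       # forwarding/discarding as STP decides
        self.missed_hellos = 0      # hello intervals with no BPDU received

    def on_bpdu(self, advertised_root: BridgeId) -> str:
        """A BPDU arrived on the port, claiming `advertised_root` as root."""
        self.missed_hellos = 0
        if self.guard == "root" and advertised_root < self.current_root:
            # superior BPDU: someone claims a better root -> block the port
            self.state = "root-inconsistent"
        else:
            # non-superior BPDU (or BPDUs returning): automatic recovery
            # (simplified: real IOS waits for max age before recovering)
            self.state = "normal"
        return self.state

    def on_hello_timer(self, max_missed: int = 3) -> str:
        """Called once per hello interval when no BPDU arrived on the port."""
        self.missed_hellos += 1
        if self.guard == "loop" and self.missed_hellos >= max_missed:
            # without Loop Guard the port would start forwarding here
            self.state = "loop-inconsistent"
        return self.state

if __name__ == "__main__":
    root = BridgeId.parse("32769.0011.2233.4455")   # constructed sample root
    uplink = GuardedPort("Gi1/0/24", root, "root")
    print(uplink.on_bpdu(BridgeId.parse("4097.aaaa.bbbb.cccc")))  # root-inconsistent
    print(uplink.on_bpdu(root))                                    # normal
```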
🧱 3. BPDU Guard
💡 Purpose:
Protects the network by disabling ports that should never receive BPDUs — usually access ports (ports connected to end devices).
🧠 Why We Need It:
Access ports are not supposed to be part of the STP topology.
If a user connects a switch to an access port, it will send BPDUs.
This can cause STP recalculation or even make that new switch the root bridge.
⚙️ How It Works:
- When BPDU Guard is enabled on a port and the port receives any BPDU, the port is immediately put into “errdisable” state (shut down).
- Admin must manually re-enable the port or configure errdisable recovery.
🔧 Configuration (Cisco CLI):
Option 1: Enable globally on all PortFast ports
Switch(config)# spanning-tree portfast bpduguard default
Option 2: Enable per interface
Switch(config)# interface fa0/1
Switch(config-if)# spanning-tree bpduguard enable
✅ Summary Table:
| Feature | Protects Against | Action Taken | Typical Location |
|---|---|---|---|
| BPDU Guard | BPDUs on access (PortFast) ports | Port goes into err-disable state | Access ports connected to PCs, printers, etc. |
🔕 4. BPDU Filter
💡 Purpose:
Controls sending and receiving of BPDUs on a port.
It can be used to stop BPDU transmission or reception depending on configuration.
⚠️ Important:
This feature can be dangerous if used incorrectly, because blocking BPDUs can lead to loops.
🧠 Why We Need It:
In some cases, you may want to isolate parts of the network from participating in STP (e.g., testing environments, special edge devices).
BPDU Filter stops those ports from sending or receiving BPDUs.
⚙️ How It Works:
There are two modes of operation:
🔹 Global (PortFast) BPDU Filter
- Command: spanning-tree portfast bpdufilter default (applied to all PortFast ports).
- If a port receives a BPDU, PortFast and BPDU Filter are disabled automatically on that port (for safety).
🔹 Interface-level BPDU Filter
- Command: spanning-tree bpdufilter enable (always blocks sending and receiving of BPDUs, regardless of what happens).
- Risky — can cause loops if used incorrectly.
✅ Summary Table:
| Feature | Protects Against | Action Taken | Typical Location |
|---|---|---|---|
| BPDU Filter | Unwanted STP participation | Stops sending/receiving BPDUs | Edge ports / testing scenarios |
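As an added example (not from these notes or from Cisco), the following Python script audits a constructed Cisco IOS running-config excerpt against the two rules from the BPDU Guard and BPDU Filter sections: PortFast ports that lack BPDU Guard (unless the global portfast bpduguard default is set), and interface-level BPDU Filter, which this section flags as a loop risk. The interface names and config lines are made up.

```python
import re

# Constructed sample running-config (interface names and commands are made up)
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree guard root
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to its list of sub-commands, in config order."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces

def audit(config: str) -> list:
    """Return (interface, finding) pairs for the two rules described above."""
    global_guard = re.search(r"^spanning-tree portfast bpduguard default\s*$",
                             config, re.M) is not None
    findings = []
    for name, cmds in parse_interfaces(config).items():
        portfast = "spanning-tree portfast" in cmds        # exact edge-port form
        guarded = global_guard or "spanning-tree bpduguard enable" in cmds
        if portfast and not guarded:
            findings.append((name, "PortFast without BPDU Guard"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "interface-level BPDU Filter (loop risk)"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags Gi1/0/2 and Gi1/0/3 for missing BPDU Guard and Gi1/0/3 again for the interface-level filter; the trunk with Root Guard produces no finding.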
🧩 Summary Comparison Table
| Feature | Protects Against | Affected Ports | Port Action | Auto Recovery | Notes |
|---|---|---|---|---|---|
| Root Guard | Unauthorized Root Bridge | Uplink or trunk | Root-inconsistent (blocked) | ✅ Yes | Stops superior BPDUs |
| Loop Guard | Missing BPDUs / unidirectional links | Non-designated (root/alternate) | Loop-inconsistent (blocked) | ✅ Yes | Prevents loops when BPDUs stop |
| BPDU Guard | BPDUs on PortFast (access) ports | Access | Err-disable (shutdown) | ❌ No (manual or timer) | Protects from rogue switches |
| BPDU Filter | BPDUs on edge ports | Access or testing ports | Stop sending/receiving BPDUs | ⚠️ Depends on mode | Risky if used incorrectly |
🎯 Exam Tips for CCNA 200-301
✅ Root Guard → Prevents other switches from becoming Root Bridge.
✅ Loop Guard → Prevents loops if BPDUs are missing.
✅ BPDU Guard → Shuts down ports that receive BPDUs unexpectedly.
✅ BPDU Filter → Blocks sending/receiving of BPDUs (use with caution).
✅ Root & Loop Guard → Used on switch-to-switch links.
✅ BPDU Guard & BPDU Filter → Used on access/edge ports.
