
Switch spanning-tree bpduguard enable

taro75
Level 1

I am configuring 9200 & 9300 series switches. Do I need to define "spanning-tree bpduguard enable" on each access port or trunk ports? Is it a best practice?


12 Replies

No, you need to enable it on all ports connected to hosts, not switches.

This port can be access or trunk.

If you enable it on a port connected to a switch, STP will block the interconnect between the switches.

Hi

Enable it on ports where you don't want to receive BPDUs. For example, if you have a trunk port with your service provider but you don't need BPDUs from their side coming into your network, that could be a good place.

Only allow BPDUs on ports where you know you need them.

taro75
Level 1

So essentially, we should enable this on access ports where end devices are connected. On switch uplinks it should not be set. Am I right?

Correct 

M02@rt37
VIP

Hello @taro75,

It is recommended to enable BPDUGuard on access ports where end devices are expected to be connected. This helps ensure that only authorized devices, which do not send BPDUs, are connected to those ports.

On the other hand, enabling BPDUGuard on trunk ports is not necessary or recommended. Trunk ports are expected to carry multiple VLANs and can receive BPDUs as part of the normal STP operation. Enabling BPDUGuard on trunk ports could lead to unintended port shutdowns if BPDUs are received on those ports.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thank You.

BPDUGuard should be enabled on access ports. What about spanning-tree guard root? Is it required to be set on uplink/trunk ports?

Gopinath_Pigili
Spotlight
  • Suppose that a switch is connected by mistake to a port where PortFast is enabled.
  • Now there is a potential for a bridging loop to form. An even greater consequence is that the potential now exists for the newly connected device to advertise itself and become the new root bridge.
  • The BPDU Guard feature was developed to further protect the integrity of switch ports that have PortFast enabled.
  • PortFast is recommended only on ports connected to hosts/PCs, not on uplinks or trunk ports. In the same way, BPDU Guard should also be enabled on ports connected to PCs, not on uplinks or switch-connected (trunk) ports.

 

By default, BPDU Guard is disabled on all switch ports. You can configure BPDU Guard as a global default, affecting all switch ports with a single command.

Switch(config)# [no] spanning-tree portfast bpduguard default

You can also enable or disable BPDU Guard on a per-port basis, using the following interface configuration command:

Switch(config-if)# [no] spanning-tree bpduguard enable

Best regards
******* If This Helps, Please Rate *******

very clear explanation on BPDUGuard, do you have similar explanation on spanning-tree guard root?

  • Suppose that another switch is introduced into the network with a bridge priority that is more desirable (lower) than that of the current root bridge.
  • The new switch then would become the root bridge, and the STP topology might reconverge to a new shape. This is entirely permissible by the STP because the switch with the lowest bridge ID always wins the root election. However, this is not always desirable for you...
  • In that case you can use the Root Guard feature to prevent the new switch from becoming the root bridge.
  • If another switch advertises a superior BPDU, or one with a better bridge ID, on a port where Root Guard is enabled, the local switch will not allow the new switch to become the root. As long as the superior BPDUs are being received on the port, the port will be kept in the root-inconsistent STP state.
  • You can enable Root Guard only on a per-port basis. By default, it is disabled on all switch ports.

To enable it, use the following interface configuration command:

Switch(config-if)# [no] spanning-tree guard root

You can display switch ports that Root Guard has put into the root-inconsistent state with the following command:

Switch# show spanning-tree inconsistentports


Best regards

******* If This Helps, Please Rate *******
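The two answers above cover BPDU Guard and Root Guard separately; the following is an added configuration example (not from either poster) that puts them together the way the thread recommends. Interface names, VLAN numbers and the 300-second recovery interval are assumptions for illustration. Note where Root Guard is placed: it goes on the ports facing switches that must never become root (here, a distribution switch's downlink to an access switch), never on the path toward the intended root bridge, because superior BPDUs from the real root arriving on a Root Guard port would put that port into the root-inconsistent state described above.

```cisco
! Global default: BPDU Guard on every port that has PortFast enabled.
! Ports without PortFast (uplinks/trunks) are unaffected by this line.
spanning-tree portfast bpduguard default
!
! Host-facing access port: PortFast + BPDU Guard.
! BPDU Guard is also set explicitly so the port stays protected even if
! the global default is later removed.
interface GigabitEthernet1/0/10
 description Access port to end host (example name)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Downlink from this (distribution) switch toward an access switch:
! no BPDU Guard, because BPDUs are expected here; Root Guard so the
! downstream switch can never win the root election.
interface GigabitEthernet1/1/1
 description Trunk downlink to access switch (example name)
 switchport mode trunk
 spanning-tree guard root
!
! Uplink toward the intended root bridge: neither BPDU Guard nor Root
! Guard, otherwise the port would be err-disabled or root-inconsistent.
interface GigabitEthernet1/1/2
 description Trunk uplink to core/root (example name)
 switchport mode trunk
!
! Optional: bring a BPDU-Guard err-disabled port back automatically
! after 300 seconds (assumed value) instead of requiring a manual
! shutdown / no shutdown; the violation is still logged.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

To verify the result, `show spanning-tree summary` lists whether BPDU Guard is enabled by default, `show interfaces status err-disabled` shows ports that BPDU Guard has shut down, and `show spanning-tree inconsistentports` shows ports that Root Guard is holding in the root-inconsistent state. A port appearing in either of the last two outputs is worth investigating rather than just clearing, since it means a BPDU arrived where no switch should be connected.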

Is it always a recommended practice to set BPDUGuard on access ports and root guard on uplinks?

Yes...

Thanks
