Basics: What’s the Difference between STP BPDU Guard and Root Guard

BPDU Guard and Root Guard are enhancements to Spanning Tree Protocol (STP) enhancements that improve the reliability of the protocol to unexpected events.

Why ?

Remember that the purpose of the the Spanning Tree algorithm is to create a single path through the network to prevent loops because the Ethernet frame has no loop prevention mechanism. As a result an Ethernet network is always designed like an inverted tree like this:

Bpdu root guard 1

There are loops in this design that are implemented for resilience ie. STP will block a given path in planned operation but an alternate path can be activated if the primary path fails.

However, STP is susceptible to various failures due to poor network design 1 or certain types of operational problems. Both BPDU Guard and Root Guard are used to enforce design discipline and ensure that the STP protocol operates as designed.

BPDU Guard

BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. This effectively denies devices connected to these ports from participating in the desgined STP thus protecting your data centre core.

Note: In the event of the BPDU being received the port will typically be shutdown in “errdisable” state and will require manually reenabling the port. Alternately you can configure the port to attempt to re-enable by configuring the “errdisable timeout”

Root Guard

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

Where ?

Because BPDU Guard and Root Guard are primarily to ensure design enforcement ( integrity / security) , they must configured in specific locations in the networks.

Bpdu root guard 2

  1. By “design” I mean that people add new switches in the wrong places which breaks that controlled design as shown here. ↩
  • Cislin

    good article.

    what about loop guard?

  • Edson Soares

    I got the same doubt, what about loop guard?

    And thank you, your articles are excellent.


  • Roger Akl

    Pretty Good and straight forward explanation, plus the graph is excellent. Thank you

  • Srinivasan Rao

    what about BPDU filtering?

  • James Byrd

    If devices are not trying to become the root then how is it possible that root guard allow those devices to participate in the stp ??

    • Sheakub

      They participate in STP for the primary purpose STP exists – loop prevention. The calculations still occur at that edge, and they do not need to be a root or secondary root for that participation to both occur, and matter.

  • Tommie P

    Loop Guard can work independent from STP and is a mechanism of its own…. Root guard and BPDU protection are STP mechanics…