Root Guard Vs. BPDU Guard


By definition, BPDU guard and root guard look very similar and work in a similar way: both are Spanning Tree Protocol safeguards that react to a BPDU arriving on a port by taking that port out of the forwarding topology. Their roles and their impact on the network are quite different, though.

Root guard is enabled on ports that face switches which are not supposed to become the root bridge. It protects against an unauthorized change of the root bridge: if a BPDU that would move the root arrives on such a port, the port is blocked instead. BPDU guard is enabled on access (edge) ports where no switch should be connected at all; it shuts the port down as soon as any BPDU arrives, keeping unauthorized switches off the network.

This simple difference is what sets the two guards apart. There are also similarities, which are explained further in the text. To begin, let's look at what STP is, because both guards are extensions of that protocol and only make sense in its context.

What Is STP?

Standard STP, the Spanning Tree Protocol (IEEE 802.1D), is put in place to prevent switching loops. A switching loop exists when there is more than one active Layer 2 path between two points in the network.

This happens whenever switches are joined by redundant links, whether deliberately for resilience or through a cabling mistake, and nothing blocks the extra path. Ethernet frames carry no hop count or time-to-live, so a frame that enters the loop keeps circulating from one port to another.

Once a loop is in place, every broadcast and unknown-unicast frame is flooded around it endlessly. The result is a broadcast storm that saturates the links and the switch CPUs and, if nothing intervenes, brings the whole segment down.

A switching loop cannot resolve itself, which is why the Spanning Tree Protocol was invented. STP does not choose the shortest or fastest route for each frame; it computes one loop-free tree across all switches and places the redundant ports into the blocking state, so that exactly one active path remains between any two segments.

This is done by electing a root bridge, which must be unique in the network: the switch with the lowest bridge ID (bridge priority first, then MAC address) wins. Every port on the root bridge is a designated port and forwards. On every other switch, the port with the lowest path cost back to the root becomes the root port, one port on each segment is elected as that segment's designated port, and any port left over is put into the blocking state. Those blocked ports are what break the loops.
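As an added example (not code from the original article), here is a small Python model of that election and role assignment: bridges are (priority, MAC) pairs, the lowest pair wins, and every port ends up as root, designated or alternate (blocked). The three-switch triangle, the port names and the link costs are constructed sample data; `port_roles` also accepts a topology with an extra rogue switch, to show that a priority of 0 simply wins the election.

```python
"""Minimal 802.1D spanning-tree role calculation (added example, not from the
article).  Bridge IDs are (priority, MAC) tuples; the lowest tuple wins,
exactly as the lowest bridge ID wins a real root election."""
import math

# Constructed topology: three switches in a triangle, so one link is
# redundant and STP has to block one port to break the loop.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
# (bridge_a, port_a, bridge_b, port_b, path cost); 4 is the 802.1D cost of 1 Gbit/s
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 4),
]


def elect_root(bridges):
    """Root bridge = lowest (priority, MAC).  Plain STP has no way to stop a
    newly attached switch with a lower priority from winning this."""
    return min(bridges, key=bridges.get)


def root_path_costs(root, bridges, links):
    """Cheapest cost from every bridge to the root.  Bellman-Ford is enough
    for a handful of switches; real bridges converge on this via BPDUs."""
    cost = {b: math.inf for b in bridges}
    cost[root] = 0
    changed = True
    while changed:
        changed = False
        for a, _, b, _, c in links:
            for x, y in ((a, b), (b, a)):
                if cost[x] + c < cost[y]:
                    cost[y] = cost[x] + c
                    changed = True
    return cost


def port_roles(bridges=BRIDGES, links=LINKS):
    """Return (root, {(bridge, port): role}) with role in
    root / designated / alternate.  Alternate ports are the ones STP blocks."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, bridges, links)
    roles = {}
    # Each non-root bridge picks one root port: the port whose neighbour
    # offers the lowest (root path cost, neighbour bridge ID, neighbour port).
    for me in bridges:
        if me == root:
            continue
        best = None
        for a, pa, b, pb, c in links:
            for local, lport, nbr, nport in ((a, pa, b, pb), (b, pb, a, pa)):
                if local != me:
                    continue
                offer = (rpc[nbr] + c, bridges[nbr], nport, lport)
                if best is None or offer < best:
                    best = offer
        roles[(me, best[3])] = "root"
    # Every link gets exactly one designated port: the end advertising the
    # lowest (root path cost, bridge ID, port).  The root wins on all its links.
    for a, pa, b, pb, _ in links:
        winner = min((rpc[a], bridges[a], pa, a), (rpc[b], bridges[b], pb, b))
        roles.setdefault((winner[3], winner[2]), "designated")
    # Anything left is neither root nor designated: blocked (alternate).
    for a, pa, b, pb, _ in links:
        roles.setdefault((a, pa), "alternate")
        roles.setdefault((b, pb), "alternate")
    return root, roles


if __name__ == "__main__":
    root, roles = port_roles()
    print("root:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
    # Same topology with a rogue switch at priority 0 hanging off SW3:
    rogue = port_roles(dict(BRIDGES, ROGUE=(0, "00:00:00:00:00:ff")),
                       LINKS + [("SW3", "Gi0/3", "ROGUE", "Gi0/1", 4)])
    print("root after rogue switch is attached:", rogue[0])
```

With the default data SW1 becomes root and SW3's Gi0/2 is the blocked port; with the rogue switch attached, ROGUE becomes root and every other switch's root port turns towards it, which is the situation root guard exists to prevent.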

What Is a Root Guard?

Standard STP gives the network administrator no means to securely enforce the topology of a switched Layer 2 network. The forwarding topology is calculated purely from the position of the root bridge and the other STP parameters (bridge priorities and path costs).

Put in simpler language, this means that any switch in the network can take the role of root bridge. The only condition is that the switch has the lowest bridge ID. Since bridge priority is just a configured number, a switch that is plugged in with priority 0, whether by mistake or by an attacker, wins the election and reshapes the forwarding topology of the whole network.

For the Spanning Tree Protocol to work, the role of root bridge has to be held by exactly one switch. This means there has to be a way to prevent other switches from taking that role.

That is exactly the main role of root guard: to prevent switches from taking the root role on their own. Root guard does not choose the root bridge itself; it is enabled on the switch-facing ports of the switches that legitimately sit around the root, and it ensures that nothing learned through those ports can ever displace the current root.

Since a port can play several roles, root guard keeps the port in its designated role and stops it from turning into a root port on its own.

When the port receives a superior BPDU (BPDUs are explained further in the text), that is, a BPDU advertising a better root bridge than the one currently elected, root guard puts the port into the root-inconsistent state.

This state is effectively a blocked state: no user traffic passes through the port in either direction, although the port keeps listening to BPDUs so it can notice when the offending switch stops advertising. This way the switch makes sure that a misconfigured or rogue bridge cannot become root and pull forwarding traffic towards itself.

Once the superior BPDUs stop arriving (on Cisco switches, when the max age timer expires without a new one), the port automatically leaves the root-inconsistent state and passes through the listening and learning states before it forwards again. No manual intervention is needed, but the recovery takes the usual STP convergence time, typically 30 to 50 seconds, during which the link carries no traffic.

The same convergence delay on ordinary ports is what PortFast was introduced to avoid: it lets a port skip the listening and learning states. PortFast is explained later on. Note that it is not a remedy for root guard recovery, since root guard belongs on switch-facing ports, where PortFast must not be used.
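The example below is added here and is not part of the original article. It encodes and decodes a real 35-byte 802.1D configuration BPDU with `struct`, ranks two BPDUs the way STP does (root ID, then root path cost, then sender bridge ID, then port ID), and drives a simplified root-guard port model with them: a superior BPDU moves the port to root-inconsistent, and the port recovers on its own once `max_age` seconds pass without another one. The `RootGuardPort` class, its state names and the sample bridge IDs are my own constructions; recovery is modelled as a jump to listening rather than the full timer sequence, and nothing here is transmitted on the wire.

```python
"""802.1D configuration BPDU encoding plus a root-guard port model
(added example, not from the article)."""
import struct

BPDU_FMT = ">HBBB8sI8sHHHHH"       # 35-byte configuration BPDU, network order
BPDU_LEN = struct.calcsize(BPDU_FMT)


def bridge_id(priority, mac):
    """Wire form of a bridge ID: 16-bit priority followed by the 6-byte MAC.
    Comparing these as bytes gives the same order STP uses (priority first)."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_config_bpdu(root, root_path_cost, sender, port_id,
                      max_age=20, hello=2, forward_delay=15):
    """root and sender are (priority, mac) pairs; timers are in seconds."""
    return struct.pack(BPDU_FMT,
                       0x0000, 0x00, 0x00, 0x00,   # protocol, version, type=config, flags
                       bridge_id(*root), root_path_cost,
                       bridge_id(*sender), port_id,
                       0,                           # message age
                       max_age * 256, hello * 256, forward_delay * 256)  # 1/256 s units


def parse_config_bpdu(data):
    if len(data) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, _version, btype, _flags, root, rpc, sender, port_id,
     _msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or btype != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root": root, "root_path_cost": rpc, "sender": sender,
            "port_id": port_id, "max_age": max_age / 256,
            "hello": hello / 256, "forward_delay": fwd / 256}


def priority_vector(bpdu):
    """STP ranks BPDUs by (root ID, root path cost, sender ID, port ID); lower wins."""
    return (bpdu["root"], bpdu["root_path_cost"], bpdu["sender"], bpdu["port_id"])


class RootGuardPort:
    """A designated port with root guard enabled (constructed model).  `own` is
    the BPDU this port sends itself; anything better arriving from the
    neighbour would make it a root port, which root guard refuses."""

    def __init__(self, own_bpdu, max_age=20.0):
        self.own = parse_config_bpdu(own_bpdu)
        self.max_age = max_age
        self.state = "forwarding"
        self.last_superior = None

    def receive(self, data, now):
        rx = parse_config_bpdu(data)
        if priority_vector(rx) < priority_vector(self.own):
            self.state = "root-inconsistent"   # blocked: no user data in or out
            self.last_superior = now
        # an inferior BPDU is normal neighbour chatter and changes nothing
        return self.state

    def tick(self, now):
        """Automatic recovery: max_age seconds without a superior BPDU."""
        if (self.state == "root-inconsistent"
                and now - self.last_superior >= self.max_age):
            self.state = "listening"   # then learning, then forwarding
        return self.state


if __name__ == "__main__":
    core = (32768, "00:00:00:00:00:01")   # legitimate root (constructed)
    own = build_config_bpdu(core, 4, (32768, "00:00:00:00:00:03"), 0x8003)
    rogue = build_config_bpdu((0, "00:00:00:00:00:ff"), 0,
                              (0, "00:00:00:00:00:ff"), 0x8001)
    port = RootGuardPort(own)
    print(port.receive(rogue, now=0.0))   # root-inconsistent
    print(port.tick(now=25.0))            # listening
```

The priority-vector comparison is the whole decision: a BPDU from a peer that agrees on the root but reports a higher path cost is harmless, while one carrying a lower root ID (here priority 0) trips the guard even though it is a perfectly well-formed frame.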

What Is BPDU Guard?

BPDUs, Bridge Protocol Data Units, are the messages switches exchange to build and maintain the spanning tree. A configuration BPDU carries the sender's view of the root bridge ID, its path cost to that root, its own bridge ID and port ID, and the STP timers. Comparing these fields is how switches agree on the root and decide which ports forward and which block; BPDUs do not find the fastest path for user data.

BPDU guard, on the other hand, is about keeping unwanted devices out of the chosen topology. A port with BPDU guard enabled must never see a BPDU, because a BPDU can only come from another bridge: a switch, or a host running bridging software.

End stations do not need to take part in STP topology changes, so their ports are configured as edge ports with PortFast. If a BPDU nevertheless arrives on such a port, BPDU guard disables the port (on Cisco switches it goes into the err-disabled state), so whatever was plugged in cannot participate in STP at all. The port stays down until an administrator re-enables it or the errdisable recovery timer brings it back.

BPDU Filter Vs. BPDU Guard

Let's not confuse the BPDU filter with BPDU guard. The two are often mentioned together, and people tend to treat them as the same thing.

As already explained, BPDU guard does one thing: it disables a port as soon as a BPDU is received on it. It does not assign states or attributes to ports; that is the job of STP itself.

Before I continue with the BPDU filter, I first have to explain what PortFast is. When an STP-enabled port comes up or leaves the blocking state, it must pass through the listening and learning states, each lasting one forward delay (15 seconds by default), before it reaches the forwarding state.

PortFast provides a shortcut and moves the port straight from link-up into the forwarding state. It was introduced to solve the slow-connectivity problem for end stations, which would otherwise wait 30 seconds for DHCP and logins to work, as mentioned above.

PortFast is configured on edge ports, where only an end station is expected. It does not stop the port from receiving BPDUs; it merely assumes none will come. If a BPDU does arrive, the port loses its PortFast status and behaves as a normal STP port again, going through listening and learning before it forwards.

The BPDU filter is something else: it stops BPDUs rather than reacting to them. Enabled globally for PortFast ports (spanning-tree portfast bpdufilter default on Cisco IOS), it stops the port from sending BPDUs to the end station, but if a BPDU is received the port drops its PortFast and filter status and rejoins STP normally. Enabled directly on an interface (spanning-tree bpdufilter enable), the port neither sends nor processes any BPDU, which effectively switches STP off on that port. A switch plugged into such a port can then form a switching loop that STP never detects. That is why interface-level BPDU filter is dangerous on edge ports and BPDU guard is the safer choice there.
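To make the four edge-port behaviours from the BPDU guard and BPDU filter sections concrete, here is an added Python model (not from the article) of an access port that receives a BPDU under PortFast alone, PortFast with BPDU guard, the global PortFast BPDU filter, and the interface-level BPDU filter. The `EdgePort` class and the `outcome` helper are my own; the state names follow Cisco IOS, the number of BPDUs sent at link-up under the global filter is approximate, and the precedence between a global filter and BPDU guard is an assumption of the model.

```python
"""Edge-port behaviour when a BPDU arrives (added example, not from the
article).  Shows why interface-level BPDU filter leaves a loop undetected
while BPDU guard shuts the port and plain PortFast merely falls back to STP."""
from dataclasses import dataclass


@dataclass
class EdgePort:
    bpduguard: bool = False
    bpdufilter: str = "off"        # "off", "global" or "interface"
    portfast: bool = True          # edge port: skips listening/learning
    state: str = "down"
    tx_bpdus: int = 0              # BPDUs the port will send after link-up; -1 = forever
    stp_active: bool = True        # can STP still detect a loop through this port?

    def link_up(self):
        # PortFast jumps straight to forwarding; without it the port spends
        # listening + learning (2 x forward delay, 30 s by default) first.
        self.state = "forwarding" if self.portfast else "listening"
        if self.bpdufilter == "interface":
            self.tx_bpdus = 0          # never sends, never processes: STP is off here
            self.stp_active = False
        elif self.bpdufilter == "global":
            self.tx_bpdus = 10         # sends a handful at link-up (approximate), then stops
        else:
            self.tx_bpdus = -1         # keeps sending one BPDU per hello time
        return self.state

    def receive_bpdu(self):
        """A BPDU can only come from another bridge: react per configuration."""
        if self.bpdufilter == "interface":
            # Dropped silently.  A switch behind this port can form a loop
            # that STP never learns about; this is the dangerous case.
            return self.state
        if self.bpduguard:
            # Assumed precedence: with only a global filter the BPDU reaches
            # STP, so BPDU guard fires and err-disables the port.
            self.state = "err-disabled"
            return self.state
        # PortFast only, or global filter: the port loses its edge status,
        # resumes sending BPDUs and rejoins STP through listening and learning.
        self.portfast = False
        self.bpdufilter = "off"
        self.tx_bpdus = -1
        self.state = "listening"
        return self.state


def outcome(bpduguard=False, bpdufilter="off"):
    """Bring the port up, deliver one BPDU, report (state, stp_active)."""
    port = EdgePort(bpduguard=bpduguard, bpdufilter=bpdufilter)
    port.link_up()
    port.receive_bpdu()
    return port.state, port.stp_active


if __name__ == "__main__":
    for cfg in ({}, {"bpduguard": True}, {"bpdufilter": "global"},
                {"bpdufilter": "interface"}):
        print(cfg or {"portfast": "only"}, "->", outcome(**cfg))
```

Only the interface-level filter ends with the port still forwarding and STP blind to it; the other three either fall back to STP or take the port down, which is the behaviour you want when an unexpected switch shows up on an access port.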
