Root Guard, BPDU Guard, etc

Ok then techies... having a hard time keeping this straight. Hopefully one of you has worked out a simpler method.

Portfast I get... ideally suited for ports connecting to one node. Doesn't share in STP.

BPDU Guard... again, for end user devices. Question: if run globally on a switch where a port is already connected to a downstream switch, does the port errdisable? or does BPDU Guard not enable for that one port?

Root Guard... if BPDU Guard is already configured on all end user ports, is there a reason to enable Root Guard? Seems like BPDU Guard will prevent bpdu's already, so a new switch on the port could never become the root, right?

Loop Guard... doesn't this effectively prevent creation of a new root switch if the existing one goes down? As I read it, BPDU's are expected on the BLK'd port. When they stop appearing (ie, the root switch is down), Loop Guard prevents the port from Listening/Learniing. Huh? The root went down... shouldn't the port come up?

Preciate your thoughts,
Mike

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

networker050184

Enabling BPDU guard globaly only applys to portfast ports.

You apply root guard on ports connecting to non root switches on switches other than the root, not end user ports.

Loop guard prevents the port from trasitioning to forwarding when it stops receiving BPDUs so a loop is not formed.

mikearama

I'm clear then on everything except:

networker050184 wrote:

Loop guard prevents the port from trasitioning to forwarding when it stops receiving BPDUs so a loop is not formed.

Again, what if the root REALLY does go down. I want this port to transition, don't I? How does Loop Guard know the difference?

networker050184

Loop guard prevents blocked ports from transitioning to forwarding. If the port is blocking than it must mean it is receiving BPDUs on another port from the root (the root port). If the root fails the stp will be recalulated.

mikearama

Oh... my... god. How'd I miss that!??! Thanks bro.

networker050184

No problem, those all got kinda blurred together for me at first also.