Guarding Against Rogue STP Root Bridges
Protecting Spanning Tree

Cisco provides two features to protect Spanning Tree from loops created on ports where PortFast has been enabled. In a proper configuration, PortFast is enabled only on ports supporting end devices such as servers and workstations, so BPDUs from a switch should not be received on a PortFast interface. BPDU guard and BPDU filtering provide protection in case BPDUs are received on such an interface. Both BPDU guard and BPDU filtering can be configured globally for all PortFast-configured ports or on individual ports.

BPDU Guard
BPDU Guard protects the switched network from the problems that may be caused by the receipt of BPDUs on ports that have been identified as ports that should not receive them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network.
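
As an added example (not part of the original page and not a Cisco tool), the Python script below audits a saved running-config for PortFast ports that BPDU guard does not cover, either globally or per port. The sample configuration is constructed, and the script assumes PortFast is set explicitly on each interface rather than through a global PortFast default.

```python
import re
# Newer IOS releases insert the keyword "edge" into the PortFast commands.
PORTFAST = re.compile(r"spanning-tree portfast( edge)?")
GLOBAL_GUARD = re.compile(r"spanning-tree portfast (edge )?bpduguard default")

# Constructed sample running-config in Cisco IOS syntax (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 spanning-tree portfast
!
interface GigabitEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/24
 spanning-tree guard root
"""

def parse_config(config):
    """Split a config into global commands and per-interface sub-commands."""
    global_cmds, interfaces, current = [], {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # left the interface block
            if line.strip() not in ("", "!"):
                global_cmds.append(line.strip())
    return global_cmds, interfaces

def unguarded_portfast_ports(config):
    """Return PortFast interfaces that BPDU guard does not cover."""
    global_cmds, interfaces = parse_config(config)
    global_guard = any(GLOBAL_GUARD.fullmatch(c) for c in global_cmds)
    findings = []
    for name, cmds in interfaces.items():
        if not any(PORTFAST.fullmatch(c) for c in cmds):
            continue  # only explicitly PortFast-configured ports are audited
        if "spanning-tree bpduguard disable" in cmds:
            findings.append(name)  # per-port setting overrides the global default
        elif not global_guard and "spanning-tree bpduguard enable" not in cmds:
            findings.append(name)
    return findings
```

Run against the sample, the audit reports GigabitEthernet0/2 and GigabitEthernet0/3; with the global BPDU guard default added, only the port that explicitly disables BPDU guard remains.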

BPDU Filtering
PortFast BPDU filtering affects how the switch acknowledges BPDUs seen on PortFast-configured ports. Its functionality differs depending on whether it is configured globally or on a per-port basis. The functionality will be explained later in this section.

BPDU Root Guard
BPDU Root Guard protects against a switch outside the designated network attempting to become the root bridge. That switch's access is blocked until the receipt of its BPDUs ceases.