To prevent switching loops, unauthorized topology changes, and misconfigurations, Cisco offers several Spanning Tree Protocol (STP) protection mechanisms:
1️⃣ BPDU Guard (Prevents Unauthorized Switches)
✅ Purpose: Puts a port into the err-disabled state the moment it receives a BPDU.
✅ Use Case: Prevents unauthorized switches from connecting to PortFast-enabled ports.
🚨 Applies to: Access ports (where only end devices should be connected).
How BPDU Guard Works:
- A PortFast access port is supposed to face a host, which never sends BPDUs. If an attacker or an unauthorized switch is plugged into it instead, that device takes part in STP and can alter the topology, claim the root role, or introduce a loop.
- BPDU Guard err-disables the port as soon as a single BPDU arrives, before the foreign switch can influence the topology.
Configuration:
Enable on an interface:
Switch(config-if)# spanning-tree bpduguard enable
Enable globally for all PortFast ports:
Switch(config)# spanning-tree portfast bpduguard default
✅ Best Practice: Always enable BPDU Guard on end-user ports. An err-disabled port stays down until an administrator bounces it (shutdown / no shutdown) or err-disable recovery is configured for the bpduguard cause, so decide in advance whether you want manual or timed recovery.
2️⃣ BPDU Filter (Stops BPDU Transmission & Reception)
✅ Purpose: Blocks BPDUs from being sent or received on the port.
✅ Use Case: Prevents STP participation on specific ports (e.g., a link to an ISP or another organization whose STP domain you do not want to merge with yours).
🚨 Risky: Can cause loops if misused, and it hides the very BPDUs that BPDU Guard relies on.
How BPDU Filter Works:
🔹 Interface-Level (Risky, Stops BPDUs Completely)
- The port neither sends nor receives BPDUs and behaves as if STP were disabled on it.
- If a switch is mistakenly connected, nothing on this port will ever detect it, and a loop can form.
Switch(config-if)# spanning-tree bpdufilter enable
🔹 Global-Level (Safer, Works with PortFast)
- Applies only to PortFast-enabled ports: the port sends a few BPDUs at link-up and then stops, so hosts are not bothered with them.
- If a BPDU is ever received on such a port, PortFast and the filter are switched off and the port returns to normal STP operation.
Switch(config)# spanning-tree portfast bpdufilter default
✅ Best Practice: Avoid BPDU Filter unless absolutely necessary, and never use the interface-level form on a port that also relies on BPDU Guard.
3️⃣ Root Guard (Prevents Unauthorized Root Bridges)
✅ Purpose: Blocks a port if it receives superior BPDUs (BPDUs that would change the Root Bridge).
✅ Use Case: Prevents an unauthorized or misconfigured switch from becoming the Root Bridge.
🚨 Applies to: Designated ports that face away from the Root Bridge, e.g., distribution-switch ports toward access switches, and access-switch ports toward end devices. Never put it on the uplink that faces the real root: the root's own BPDUs are superior and the port would be blocked.
How Root Guard Works:
- Normally, the switch with the lowest Bridge ID (priority, then MAC address) becomes the Root Bridge, so any switch that shows up with a lower priority wins the election.
- If a misconfigured or malicious switch tries to take over as Root, Root Guard refuses the superior BPDU and blocks the port it arrived on.
- The port enters the root-inconsistent (blocking) state instead of forwarding, and recovers on its own once the superior BPDUs stop.
Configuration:
Switch(config-if)# spanning-tree guard root
✅ Best Practice: Enable Root Guard on every designated port that faces away from the Root Bridge (distribution-to-access downlinks and access ports), never on the ports facing it.
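A small Python model of the Root Guard decision, added here as an illustration; it is not Cisco code, and the bridge IDs, priorities and port names are constructed for the example. It walks through three cases: a rogue switch hijacking the root role on an unguarded access port, Root Guard holding that port in root-inconsistent state, and Root Guard mistakenly placed on the uplink facing the real root, which blocks the legitimate root's BPDUs.

```python
from dataclasses import dataclass


# Constructed bridge IDs for this example: (priority, MAC); the lower tuple
# wins the root election, as in 802.1D.
@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int
    mac: str


ROOT_DIST = BridgeID(24576, "0000.0c11.1111")  # intended root (distribution)
ACCESS = BridgeID(32768, "0000.0c22.2222")      # access switch under test
ROGUE = BridgeID(4096, "0000.0c33.3333")        # rogue switch, lower priority


@dataclass
class Port:
    name: str
    root_guard: bool = False
    state: str = "forwarding"


class Switch:
    def __init__(self, bid, ports):
        self.bid = bid
        self.root = bid  # every switch starts out believing it is the root
        self.ports = {p.name: p for p in ports}

    def receive_bpdu(self, port_name, advertised_root):
        """Process the root-bridge field of a BPDU arriving on port_name."""
        port = self.ports[port_name]
        superior = advertised_root < self.root
        if port.root_guard and superior:
            # Root Guard never accepts a superior BPDU on a guarded port; the
            # port is held in the root-inconsistent (blocking) state instead.
            port.state = "root-inconsistent"
            return "root-inconsistent"
        if superior:
            self.root = advertised_root
            return "new-root"
        return "no-change"

    def superior_bpdus_stopped(self, port_name):
        """Recovery: once superior BPDUs stop arriving (max-age expiry on real
        hardware), a root-inconsistent port returns to normal STP operation."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state


def rogue_without_guard():
    """Rogue on an unguarded access port: the access switch accepts it as root."""
    acc = Switch(ACCESS, [Port("Gi1/0/48"), Port("Gi1/0/10")])
    acc.receive_bpdu("Gi1/0/48", ROOT_DIST)  # legitimate root learned on the uplink
    acc.receive_bpdu("Gi1/0/10", ROGUE)      # rogue plugged into an access port
    return acc.root


def rogue_with_guard():
    """Same rogue, but Root Guard on the access port: the root stays put."""
    acc = Switch(ACCESS, [Port("Gi1/0/48"), Port("Gi1/0/10", root_guard=True)])
    acc.receive_bpdu("Gi1/0/48", ROOT_DIST)
    result = acc.receive_bpdu("Gi1/0/10", ROGUE)
    return acc.root, result, acc.ports["Gi1/0/10"].state


def guard_misplaced_on_uplink():
    """Root Guard on the uplink facing the real root blocks the real root."""
    acc = Switch(ACCESS, [Port("Gi1/0/48", root_guard=True), Port("Gi1/0/10")])
    result = acc.receive_bpdu("Gi1/0/48", ROOT_DIST)
    return acc.root, result


if __name__ == "__main__":
    print("no guard:        root =", rogue_without_guard())
    print("guard on edge:   ", rogue_with_guard())
    print("guard on uplink: ", guard_misplaced_on_uplink())
```

The third case is the one to remember when placing the feature: the access switch's own Bridge ID is worse than the distribution switch's, so from the access switch's point of view the real root's BPDUs are "superior" and a guarded uplink would go root-inconsistent and stay there.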
4️⃣ Loop Guard (Prevents STP Loops Due to Unidirectional Links)
✅ Purpose: Stops STP from moving a blocking port to forwarding when BPDUs stop being received.
✅ Use Case: Prevents unidirectional link failures from causing loops.
🚨 Applies to: Non-designated (root and alternate, i.e., blocking) ports.
How Loop Guard Works:
- A blocking port stays blocking only because it keeps receiving BPDUs from the designated bridge. If those BPDUs stop (e.g., one fiber strand fails or the far side is misconfigured), STP assumes the designated bridge is gone and, after max-age expires, moves the port to Forwarding, which creates a loop.
- Loop Guard instead moves the port into the loop-inconsistent (blocking) state and keeps it there until BPDUs are received again.
Configuration:
Switch(config-if)# spanning-tree guard loop
✅ Best Practice: Use Loop Guard on non-designated (blocking) ports, typically the uplinks of access and distribution switches toward the Root Bridge. Loop Guard and Root Guard are mutually exclusive on a port.
5️⃣ UDLD (Unidirectional Link Detection, Prevents Silent Failures)
✅ Purpose: Detects links that carry traffic in only one direction and, depending on the mode, err-disables them.
✅ Use Case: Prevents hidden link failures that STP cannot see from causing loops.
🚨 Applies to: Switch-to-switch links, above all fiber links (including EtherChannel member links), where a single failed strand or transceiver leaves the link up in one direction only.
How UDLD Works:
- If one direction of a fiber link fails (e.g., a bad fiber strand or transceiver), the link stays up, and STP on the side that no longer receives BPDUs may unblock a port and create a loop.
- UDLD exchanges its own hello messages with the neighbor on each port; if the neighbor stops echoing this switch's identity back, the link is flagged as unidirectional and, in aggressive mode, the port is err-disabled.
UDLD Modes:
🔹 Normal Mode: err-disables the port only when a miswired fiber is positively identified; if the neighbor simply goes quiet, the port is marked undetermined and left up, so STP still decides its state.
Switch(config)# udld enable
🔹 Aggressive Mode: when the neighbor stops answering, UDLD retries eight times (once per second) and then err-disables the port.
Switch(config)# udld aggressive
The global commands apply to all fiber ports; for an individual port (including copper) use udld port or udld port aggressive in interface configuration mode.
✅ Best Practice: Use UDLD Aggressive Mode on all fiber uplinks and critical links.
📊 Feature Comparison Table
| Feature | Purpose | Prevents | Applies To | Recovery |
|---|---|---|---|---|
| BPDU Guard | Err-disables a port that receives a BPDU | Unauthorized switches connecting to edge ports | End-user access ports (PortFast) | Manual (shutdown / no shutdown) or err-disable recovery |
| BPDU Filter | Stops BPDU transmission/reception | STP participation on specific ports | Edge ports where BPDUs must not be exchanged (use with caution) | Global form: port resumes STP on receipt of a BPDU; interface form: none |
| Root Guard | Prevents unauthorized Root Bridge election | A switch taking over as Root | Designated ports facing away from the root (distribution-to-access downlinks, access ports) | Auto (resumes once superior BPDUs stop) |
| Loop Guard | Stops loops due to unidirectional failures | Blocking ports becoming forwarding | Non-designated (blocking) ports | Auto (recovers when BPDUs resume) |
| UDLD | Detects & disables unidirectional links | Silent failures on fiber links | Switch-to-switch links, fiber & EtherChannel members | Normal (port marked undetermined, STP decides) or Aggressive (port err-disabled) |
🔐 Best Practices for a Secure STP Network
✅ Enable BPDU Guard on all end-user access ports to prevent rogue switches.
✅ Enable Root Guard on the distribution ports facing the access layer (and on access ports) to keep the Root Bridge where you put it.
✅ Enable Loop Guard on blocking ports to prevent loops caused by link failures.
✅ Enable UDLD (Aggressive Mode) on fiber and EtherChannel links to prevent silent failures.
📌 Real-World Scenario: Preventing a Rogue Switch Attack
Problem:
A junior admin accidentally connects a switch with a lower bridge priority to an access port. Its superior BPDUs make it the new Root Bridge, the STP topology recomputes around it, and the network suffers a major disruption.
Solution:
- Enable BPDU Guard on all access ports: the first BPDU from the foreign switch err-disables the port.
- Enable Root Guard on the distribution ports facing the access switches (and on access ports), so that even a BPDU that slips past an unguarded port cannot change the root.
- Do not add BPDU Filter here: an interface-level filter would silently drop the rogue's BPDUs and BPDU Guard would never fire.
✅ Result: The rogue switch is blocked immediately, preventing downtime!
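An added Python check, example code rather than anything from the page or from Cisco, that audits a running-config excerpt against the best practices above and the BPDU Filter pitfall from this scenario. The config text is constructed for the example; the UPLINK/DOWNLINK description prefixes are an assumed naming convention used to decide which way a trunk faces relative to the root, and the UDLD check assumes per-interface configuration rather than the global fiber-only commands.

```python
# Constructed running-config excerpt for the example (not from the page).
# Assumed naming convention: trunk descriptions start with UPLINK (toward the
# root bridge) or DOWNLINK (away from it), since the config alone does not
# say which way a trunk faces.
RUNNING_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description USER-PC
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description PRINTER
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/3
 description MEETING-ROOM
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/47
 description DOWNLINK-ACC2
 switchport mode trunk
 spanning-tree guard loop
!
interface TenGigabitEthernet1/1/1
 description UPLINK-DIST1
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
interface TenGigabitEthernet1/1/2
 description UPLINK-DIST2
 switchport mode trunk
!
"""


def parse_config(config):
    """Split an IOS running-config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit(config):
    """Return (interface, severity, finding) tuples for STP-protection gaps."""
    global_lines, interfaces = parse_config(config)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    global_loopguard = "spanning-tree loopguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        cfg = set(lines)
        desc = next((l.split(" ", 1)[1] for l in lines if l.startswith("description ")), "")
        if "spanning-tree bpdufilter enable" in cfg:
            findings.append((name, "CRITICAL",
                             "interface-level BPDU Filter drops BPDUs before BPDU Guard can see them"))
        if "switchport mode access" in cfg:
            # BPDU Guard is satisfied per interface, or by the global PortFast
            # default on a PortFast port that has not opted out.
            guarded = "spanning-tree bpduguard enable" in cfg or (
                global_bpduguard and "spanning-tree portfast" in cfg
                and "spanning-tree bpduguard disable" not in cfg)
            if not guarded:
                findings.append((name, "HIGH", "access port without BPDU Guard"))
        if "switchport mode trunk" in cfg:
            if "udld port aggressive" not in cfg:  # assumes per-interface UDLD
                findings.append((name, "MEDIUM", "inter-switch link without UDLD aggressive"))
            if desc.startswith("UPLINK") and not (
                    "spanning-tree guard loop" in cfg or global_loopguard):
                findings.append((name, "HIGH", "uplink toward the root without Loop Guard"))
            if desc.startswith("DOWNLINK") and "spanning-tree guard root" not in cfg:
                findings.append((name, "HIGH", "downlink away from the root without Root Guard"))
    return findings


if __name__ == "__main__":
    for iface, severity, finding in audit(RUNNING_CONFIG):
        print(f"{severity:8} {iface:24} {finding}")
```

Run against the sample, the check passes the cleanly configured user port and the fully protected uplink, flags the printer port for the interface-level filter, the meeting-room port for opting out of the global BPDU Guard default, the second uplink for missing both Loop Guard and UDLD, and the downlink for carrying Loop Guard where Root Guard belongs.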