Root Guard and BPDU Guard are designed to protect the STP tree (RSTP / MSTP / MRSTP) from an unauthorized change of the Root switch (Root Guard function) and from an unauthorized rebuilding of the STP topology (BPDU Guard function).
You can learn more about STP protocols in ZyXEL switches from the following articles of our Knowledge Base: KB-1268 and KB-1843.
Attention! The Root Guard and BPDU Guard functions are implemented in the firmware of Ethernet switches starting from version 4.30.
1. Root Guard
2. BPDU Guard
1. Consider the function that protects against substitution of the RSTP / MSTP Root switch: Root Guard.
The Root Guard feature prevents the election of a new Root switch when new STP devices are connected to the network. Root Guard is enabled on the switch ports that take part in building the STP tree, i.e. on ports connected to other switches.
Consider an example:
In this STP topology (Switch A, Switch B, Switch C), Switch A is the Root switch, being the device with the lowest Bridge Priority. Port 2 on Switch C is in the Blocking state. Suppose you need to expand the network and connect a new switch, Switch D, to the STP tree. To do this, STP is enabled on port 5 of Switch C. Once connected, Switch D starts sending STP service messages (BPDUs) towards the other switches. If the Bridge Priority configured on Switch D turns out to be lower than on Switch A (the current Root), a new Root switch will be elected, Switch D, and the STP topology will change:
Now, to break the loop, Switch B puts its port 1 into the Blocking state, blocking the link between itself and Switch A, and Switch C puts its port 2 into the Forwarding state.
Of course, you can try to prevent the election of a new Root switch by setting the Bridge Priority on Switch A to the minimum value of 0, but there is no guarantee that a newly connected switch with the same priority will not have a lower MAC address, which would still cause the Root switch to change.
The Root Guard feature protects the STP tree from the unwanted election of a new Root when incorrectly configured STP devices are connected to the network.
If there is a backbone (reference) STP ring, Root Guard is enabled on those STP ports of the ring switches that face the switches at the edge of the network, and is not enabled on the ports that connect the ring switches to each other. Thus, inside the backbone ring a change of Root switch remains possible, but the edge switches of the network cannot become the Root switch.
When Root Guard is enabled on port 5 of Switch C, to which another STP device (Switch D) is connected, Switch B remains part of the active STP topology. However, if Superior BPDU messages with a Bridge Priority less than or equal to that of the current Root arrive from Switch D, Switch C puts port 5 into the Blocking state: the port's STP state becomes Discarding and its Root Guard status becomes Root-inconsistent. Information about the event is recorded in the log. Port 5 of Switch C is then unavailable for forwarding user traffic. While in the Discarding STP state, port 5 of Switch C continues to receive and examine BPDU messages from Switch D. As soon as Switch D stops sending Superior BPDUs, for example after its configuration is corrected, Switch C unblocks port 5, and after passing through the Discarding > Learning > Forwarding states, port 5 becomes available again for user data.
The configuration of the Root Guard function via the web configurator is performed in the Advanced Application > Spanning Tree Protocol > RSTP section:
The configuration for the MSTP protocol is performed in the Advanced Application > Spanning Tree Protocol > MSTP > Port section:
View the STP status in Advanced Application > Spanning Tree Protocol:
It is also possible to configure the function through the command-line interface (CLI) of the switch.
For the RSTP protocol:
For the MSTP protocol:
2. Consider the function that protects against unauthorized BPDU messages: BPDU Guard.
If the switch receives STP service messages (BPDUs) on its edge (subscriber) ports, this can cause an undesirable change of the STP topology. To protect the STP tree from such changes, the BPDU Guard function is enabled on the subscriber ports.
Consider an example:
Switch A, Switch B, and Switch C are included in the active STP topology. Ports 7 and 8 of Switch C are configured as subscriber (edge) ports. Connecting an unauthorized STP device to ports 7 or 8 of Switch C, or bogus BPDU messages generated by a connected subscriber PC, will force Switch C to process them, which can lead to a change of the Root switch or of the active STP topology, which is unacceptable.
To protect the STP network from such unauthorized interference, the BPDU Guard feature is enabled on the subscriber ports:
If any BPDU message arrives on a switch port with the BPDU Guard feature enabled, the port is disabled and switches to the Err-Disable state. Information about the event is recorded in the log.
The administrator can re-enable the port manually or configure automatic recovery with the Err-Disable Recovery function (Advanced Application > ErrDisable > ErrDisable Recovery section of the web configurator), specifying the port reactivation time-out in seconds.
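The port behaviour described in both sections, Root Guard (a superior BPDU puts the port into Discarding / Root-inconsistent until the superior BPDUs stop) and BPDU Guard (any BPDU on a subscriber port puts it into Err-Disable, with timed Err-Disable Recovery), as an added simulation; this is constructed example code, not ZyXEL firmware or CLI, and the MAC addresses and state names used in the model are assumptions.

```python
from dataclasses import dataclass, field
# Constructed model (not ZyXEL firmware code) of how Root Guard and BPDU Guard react to BPDUs.

@dataclass(order=True, frozen=True)
class BridgeId:
    """Bridge ID as compared in the Root election: lower priority wins, then lower MAC."""
    priority: int
    mac: str

@dataclass
class Port:
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False
    state: str = "FORWARDING"          # FORWARDING, DISCARDING or ERR-DISABLED
    root_inconsistent: bool = False

@dataclass
class Switch:
    current_root: BridgeId            # Bridge ID of the Root switch this switch currently knows
    log: list = field(default_factory=list)

    def receive_bpdu(self, port: Port, advertised_root: BridgeId) -> str:
        """Process one BPDU received on a port; return the port's resulting state."""
        if port.bpdu_guard:
            # Subscriber (edge) port: any BPDU at all puts the port into Err-Disable.
            port.state = "ERR-DISABLED"
            self.log.append(f"{port.name}: BPDU received, port err-disabled")
            return port.state
        superior = advertised_root < self.current_root   # better Bridge ID than the current Root
        if port.root_guard:
            if superior:
                # Keep the Root where it is: port goes Discarding, status Root-inconsistent.
                port.state, port.root_inconsistent = "DISCARDING", True
                self.log.append(f"{port.name}: superior BPDU, root-inconsistent")
            elif port.root_inconsistent:
                # Superior BPDUs stopped: port passes Learning and returns to Forwarding.
                port.state, port.root_inconsistent = "FORWARDING", False
            return port.state
        if superior:
            # Unguarded port: the better Bridge ID wins and the Root switch changes.
            self.current_root = advertised_root
            self.log.append(f"{port.name}: new Root {advertised_root.mac}")
        return port.state

    def errdisable_recover(self, port: Port, elapsed_s: int, timeout_s: int) -> str:
        """Err-Disable Recovery: re-enable the port once the configured timeout has elapsed."""
        if port.state == "ERR-DISABLED" and elapsed_s >= timeout_s:
            port.state = "FORWARDING"
        return port.state
```

Running the model with Switch A as Root (priority 4096) and a Switch D announcing priority 0 shows the guarded port 5 staying Discarding while the Root stays on Switch A, whereas the same BPDU on an unguarded port moves the Root.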
The configuration of the BPDU Guard function via the web configurator is performed in the Advanced Application > BPDU Guard > Configuration section:
View the status of BPDU Guard in Advanced Application > BPDU Guard:
Configuration via the command-line interface (CLI) of the switch is also possible: