STP Enhancements Part 1 - BPDU Guard, BPDU Filter, BPDU Root Guard
BPDU Guard - BPDU Guard protects your switch against BPDUs. Wait, I thought BPDUs were a good thing? Yes, but only on ports uplinked to other switches, the ports where you expect to see BPDUs.
Why: When you configure switch ports to connect to hosts (PCs and servers) you are probably using portfast. If a user ever connects a switch, or some wires get crossed and a switch gets plugged into a host port, or a Linux user enables a software bridge, etc., you could have a network loop.
What: BPDU guard is a port setting that will shut down a port if it ever sees any BPDU.
How:
Globally:
spanning-tree portfast edge bpduguard default
*make sure you disable bpduguard on the uplink ports you expect switches to plug into: the global command affects all ports with portfast enabled*
Per Interface:
spanning-tree bpduguard enable
Recovery: if BPDU guard triggers (sees a BPDU) it places the port in the error-disabled state, and the port is effectively shut down. You can recover by first removing the offending device, then logging into the switch and issuing a shut command on the interface, followed by no shut.
If you would like the switch to re-enable the port by itself, you can use the regular errdisable recovery mechanism:
errdisable recovery cause bpduguard
errdisable recovery interval 400
This will cause the switch to keep the port shut down for 400 seconds, then re-enable the interface, assuming it is no longer receiving BPDUs.
*Note that BPDU Guard is triggered by BPDUs, so if a user plugs in a home/residential switch it will not trigger, as small home switches do not send BPDUs or participate in spanning tree at all. This feature has no effect on home switches or hubs (unless there is a loop and the Cisco switch sees its own BPDU sent back to itself, but then you already have a problem!).
BPDU Filter:
Why: Filter is slightly trickier, as the global command and the interface command perform two different functions.
1. First, the interface method. If you apply BPDU filtering to a specific interface, it effectively turns off spanning tree on that interface.
2. The global method is intended to save bandwidth and processing overhead by not sending BPDUs out of host ports.
What:
1. Interface method: when turned on for a specific interface, that interface will ignore BPDUs sent to it and will not send any BPDUs. It will continue forwarding traffic and will not participate in spanning tree.
2. Global mode: all interfaces in portfast mode will be put in filtering mode. They will send out 10 BPDUs when the port comes up and, assuming no incoming BPDUs, the switch will then stop sending BPDUs out of them. If such a port ever receives a BPDU, it loses its BPDU filter mode and its portfast status, and begins the regular spanning tree listening/learning process.
How:
global mode
(config)# spanning-tree portfast bpdufilter default
interface mode
(config-if)# spanning-tree bpdufilter enable
*note - if both BPDU guard and BPDU filtering are enabled on the same interface, BPDU filtering takes precedence and BPDU guard has no effect
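The BPDU guard and BPDU filter sections above describe settings that interact (the global guard default only covers portfast ports that have not opted out, and interface-level filtering silently overrides guard). As an added example that is not part of the original notes, the script below audits a constructed IOS running-config for exactly those gaps; the parser and the sample config are assumptions, not output from any real device.

```python
# Constructed sample IOS running-config (not from a real device): a global guard
# default, a host port that opts out of it, and filter plus guard on one port.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
interface Gi1/0/2
 spanning-tree portfast
interface Gi1/0/3
 spanning-tree portfast
 spanning-tree bpduguard disable
interface Gi1/0/4
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
"""

def parse_config(config):
    # Split an IOS config into global lines and {interface: [its lines]}.
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:   # '!' ends a section in IOS output
            current = None
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit_stp(config):
    """Return {section: [findings]} for 'global' and each flagged interface."""
    global_lines, interfaces = parse_config(config)
    # Matches the global default with or without the newer 'edge' keyword.
    guard_default = any(l.endswith("bpduguard default") for l in global_lines)
    findings = {"global": [] if guard_default else ["no global portfast bpduguard default"]}
    if "errdisable recovery cause bpduguard" not in global_lines:
        findings["global"].append("no errdisable recovery for bpduguard")
    for name, lines in interfaces.items():
        portfast = any(l.startswith("spanning-tree portfast") for l in lines)
        # The global default only covers portfast ports that did not opt out.
        guard = "spanning-tree bpduguard enable" in lines or (
            guard_default and portfast and "spanning-tree bpduguard disable" not in lines)
        if portfast and not guard:
            findings.setdefault(name, []).append("portfast host port without BPDU guard")
        if guard and "spanning-tree bpdufilter enable" in lines:
            findings.setdefault(name, []).append("bpdufilter takes precedence, bpduguard has no effect")
    return findings
```

Run audit_stp on the output of show running-config to list the ports where a host-facing loop would go unguarded.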
Root Guard:
Why: to ensure an interface will never become a root port, increasing STP stability. At first it is tempting to think you should add root guard to all non-root ports, but don't forget you have a redundant topology for a reason. You need your STP domain to be able to reconverge in case of a failure and elect a new root bridge or use a different root port. When you choose which ports get root guard, consider every path you might ever want your traffic to traverse and do not implement root guard on those. The easiest and preferred approach might be to use it only on edge/access ports and leave it off all switch-to-switch connections, but perhaps your topology has a "leaf loop" off your primary STP loop that you never want to use as an STP root, and you would rather stop forwarding traffic than allow a switch out there to become root... maybe.
Anyway, root guard is designed so that if anyone plugs a new or non-corporate switch into your network and it happens to have a low priority, it won't become root.
What: if a root guard port receives a BPDU that is superior to what the LOCAL switch currently sees as root (the comparison is against the local switch's view, not the root's own priority) the port moves to a "root-inconsistent" state and stops forwarding traffic. If the offending switch is removed or its priority is raised, the port moves out of the root-inconsistent state on its own and begins forwarding traffic (after moving through the listening/learning states). No user intervention or config changes are needed to unblock the port.
This feature does not have a global function, only a per-interface function.
(config)# int fa0/2
(config-if)# spanning-tree guard root
*note - if you are just enabling this on host ports to protect your STP topology, just use BPDU guard instead. The only useful time I can think of for using root guard: if you want to create a policy that all unused uplink ports have root guard configured to protect the topology. When a new switch is added the root is protected, and once the switch is up and operational you can remove the root guard feature.