BPDG Guard

Answered Question
Jan 26th, 2009

Is there a difference in BPDU Guard and Root Guard?. I read that with BPDU Guad the port is disabled if it receives a Hello BPDU.... and with Root Guard it can receive Hello BPDU but disables the port if it receives a better BPDU. Can someone let me know those are two different things? Tnks.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 7 years 8 months ago


Have a look at this doc which gives a nice example of where root guard would be used in a switched environment -



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jon Marshall Mon, 01/26/2009 - 09:34


The 2 features are essentally doing 2 different things.

1) BPDU Guard is enabled on a port or globally in which case it applies to all ports enabled as portfast. The idea behing BPDU Guard is that a BPDU should never been seen on this port as there should not be another switch connected to this port.

2) Root Guard is enabled on a port basis and is designed to make sure that the switch you have designated as the root bridge stays as the root bridge. So a port enabled with Root Guard would expect to receive BPDU's on it as there will be a switch on the other end but it does not expect to see a superior BPDU ie. it does not expect to see A BPDU that would lead to a new root bridge being selected.


fjcardenas-1 Mon, 01/26/2009 - 09:46

Another question comes to me... so, is Root Guard configured only in ports of the Root Switch to ensure the actual Root Switch remains been the root? or it can be configure on Non-Switch ports to avoid a Switch with a better BPDU than the actual Root Switch to cause a change by becoming the Root Switch?


This Discussion