CCNP BCMSN Notes – Protecting the Spanning Tree Protocol Topology


Root Guard

If a switch with a lower bridge ID enters the network, it can preempt the current STP root.

Root guard can be enabled on an interface to prevent it from becoming a root port:


Root guard will affect all VLANs on the port.

Ports disabled by root guard can be viewed with show spanning-tree inconsistentports.

BPDU Guard

BPDU guard automatically places an interface in the error-disabled state upon receipt of a BPDU.

BPDU guard can be enabled globally or per interface:


Loop Guard

Loop guard prevents a blocked port from transitioning to the forwarding state if it stops receiving BPDUs. Instead, the port is placed in the loop-inconsistent state and continues to block traffic.

Loop guard operates per VLAN, and can be enabled globally or per interface:


Unidirectional Link Detection (UDLD)

UDLD can detect link failures that do not explicitly shut down the interface (such as a unidirectional fiber link or a failed intermediate media converter).

UDLD transmits frames across a link at regular intervals, expecting the distant end to transmit them back.

The default UDLD message timer is 7 or 15 seconds (depending on the platform), allowing it to detect a unidirectional link before STP has time to transition the interface to forwarding mode.

UDLD has two modes of operation:

       Normal mode – UDLD will notice and log a unidirectional link condition, but the interface is allowed to continue operating.

       Aggressive mode – UDLD will transmit 8 additional messages (1 per second); if none of these are echoed back, the interface is placed in the error-disabled state.

UDLD can be enabled globally for all fiber interfaces, or per-interface:


The UDLD message time can be from 7 to 90 seconds.

UDLD will not consider a link eligible for disabling until it has seen a neighbor on the interface already.

This prevents it from disabling an interface when only one end of the link has been configured to support UDLD.

udld reset can be issued in user exec to re-enable interfaces which UDLD has disabled.

BPDU Filtering

BPDU filter can be enabled globally or per-interface to effectively disable STP:
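
The features covered in these notes (root guard, BPDU guard, loop guard, UDLD and BPDU filter), as they are typically entered on a Catalyst switch running IOS. This is an added example, not configuration from the original notes. The interface numbers and port roles are assumptions, and the per-interface UDLD syntax varies by platform and IOS release.

```cisco
! Constructed example: interface numbers and port roles are assumptions.
!
! --- Global defaults ---
! BPDU guard on every PortFast-enabled port
spanning-tree portfast bpduguard default
! Loop guard on all ports
spanning-tree loopguard default
! UDLD aggressive mode on all fiber interfaces, 15-second message timer
udld aggressive
udld message time 15
!
! --- Access port to an end host: err-disable on any received BPDU ---
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Downlink to a switch that must never become root ---
! Applies to all VLANs on the port.
interface GigabitEthernet0/23
 spanning-tree guard root
!
! --- Fiber uplink that normally receives BPDUs ---
! Loop guard and root guard are mutually exclusive on one port.
interface GigabitEthernet0/25
 spanning-tree guard loop
 udld port aggressive
!
! --- BPDU filter: the port neither sends nor processes BPDUs ---
! STP is effectively disabled here, so a loop through this port
! goes undetected. Prefer BPDU guard on edge ports.
interface GigabitEthernet0/2
 spanning-tree bpdufilter enable
!
! Global form of BPDU filter, applied to PortFast ports only:
! spanning-tree portfast bpdufilter default
!
! --- Verification and recovery (EXEC mode) ---
! show spanning-tree inconsistentports
! udld reset
```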


