Showing results for 
Search instead for 
Did you mean: 

bpdu-guard vs stp-protect ruckus switch

New Contributor II
Can anyone explain what is the difference between stp-protect and bpdu-guard?
as far as I know stp-protect can be enabled on the end station port to prevent port from initiate or participate on STP topology, also bpdu-guard can be configured on the end station port to disable the port if a BPDU is received on that port. So I don't see the difference between two of them.
Thank you

New Contributor III
The BPDU guard, an enhancement to STP, removes a node that reflects BPDUs back in the network. It enforces the STP domain borders and keeps the active topology predictable by not allowing any network devices behind a BPDU guard-enabled port to participate in STP.

You can enable STP Protection on a per-port basis.

To prevent an end station from initiating or participating in STP topology changes, enter the following command at the Interface level of the CLI.

device#(config) interface ethernet 2

This command causes the port to drop STP BPDUs sent from the device on the other end of the link.

Enter the no form of the command to disable STP protection on the port.

So STP Protect drops BPDUs coming in and err-disables the port.
BPDU guard Will err-disable ports where BPDUs are reflected back into the switch.....meaning there is a loop and it will open up the loop.

STP-protect causes the port to drop STP BPDUs. In reality, we ignore those packets which may or may not be the sign of a problem (Ex. employee plugged in stp-enabled switch). With BPDU guard, we can take action and shut that port down. The general recommendation on access ports is BPDU guard as they should not be receiving STP BPDUs. STP-protect should really be more of a corner case where you specifically want to drop/ignore STP BPDUs (which should be rare). 
Ben Beck, RCNA, Principal Technical Support Engineer

New Contributor II
thank you for your answers.
So in case of access switch , by enabling BPDU guard on end ports , it's automatically enable port fast on the port , or still need to enable fast port too with BPDU guard?

Hi Mohamed - In 802.1w (RSTP), admin-edge-port is similar to Portfast. Port enabled with admin-edge-port will not participate in STP topology changes. Although 802.1w can auto-detect edge port,  it is recommended to to configure edge port manually. BPDU-guard or root-protect also recommended for edge port to protect the network. Please see configuration guide here:

Per-vlan rapid-STP (802.1w):
(config-vlan-40)#spanning-tree 802-1w ethernet 1/1/9 admin-edge-port

device(config)# mstp admin-edge-port ethernet 3/1/1