Implementing Root Guard on a SPT campus

Jun 6th, 2008

I have a doubt about how to proceed with the implementation of ROOT GUARD in my LAN.

1. Is it better to implement ROOT GUARD (per-port config) on the CORE switch (6509) or on the ACCESS switch (3550)?

2. Is it correct to implement Root Guard and BPDU GUARD on the same switch? The first works per port, the second works globally.

Thanks for your suggestion !

ohassairi Fri, 06/06/2008 - 10:53

1- Traditionally the core switch is the root, so it will be simpler to implement ROOT GUARD (on cascade/trunk ports) on the CORE switch.

2- BPDU GUARD can be implemented globally or per port:

Switch(config)# spanning-tree portfast bpduguard default

Switch(config-if)# spanning-tree bpduguard enable

If we implement BPDU guard, I think we automatically implement root guard (in an implicit way).

It could be interesting to implement root guard on trunk/cascade ports and BPDU guard on access ports.

cisco_lad2004 Sun, 06/08/2008 - 08:54

1- I would configure rootguard on untrusted boundaries, i.e. the access switch.

2- I prefer to have more control over bpduguard, so again I would apply it on the access layer. I trust my uplink to the core and I expect to send and receive BPDUs; I only need it for access on untrusted ports.
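
An added example, not part of any post in this thread: a small Python check that reads an IOS-style running-config and reports, per interface, whether root guard or BPDU guard is in effect, so the placement discussed above can be audited. The sample config and interface names are constructed; it assumes PortFast is set per interface (a global `spanning-tree portfast default` is not modelled) and treats a port with no `switchport mode trunk` line as an access port.

```python
import re

# Constructed sample config, not from the thread; interface names are assumptions.
SAMPLE = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree guard root
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
"""

def stp_guards(config):
    """Map each interface to (switchport mode, set of STP guards in effect)."""
    # The global default arms BPDU guard only on ports that run PortFast.
    global_bpdu = re.search(r"^spanning-tree portfast bpduguard default\s*$", config, re.M)
    blocks, name = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)
        if head:
            name = head.group(1)
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
        else:
            name = None  # left the interface block
    report = {}
    for name, body in blocks.items():
        mode = "trunk" if "switchport mode trunk" in body else "access"
        guards = {"root"} if "spanning-tree guard root" in body else set()
        inherited = (global_bpdu and "spanning-tree portfast" in body
                     and "spanning-tree bpduguard disable" not in body)
        if "spanning-tree bpduguard enable" in body or inherited:
            guards.add("bpdu")
        report[name] = (mode, guards)
    return report

def ports_missing(config, mode, guard):
    """Interfaces of the given mode ("access"/"trunk") that lack the given guard."""
    return sorted(n for n, (m, g) in stp_guards(config).items()
                  if m == mode and guard not in g)
```

A trunk reported without root guard is not automatically a finding: the uplink toward the intended root bridge has to accept superior BPDUs, so root guard belongs only on ports where a root should never appear.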



