I've never understood why it is recommended to run BPDU guard and root guard on access ports. It seems a bit redundant to me. If you're running BPDU guard, and a superior, inferior or otherwise BPDU is received on a port, BPDU guard err-disables the port. If the port is disabled....wallah, the root bridge is protected.
Perhaps it's a best practice as a bug catch? Ergo, bug in BPDU Guard lets superior BPDU though, but BPDU Guard catches it.
Please confirm my thinking, or illustrate where it is flawed.
Thanks in advance!
Perfectly agree. If you have bpduguard, rootguard is irrelevant.
With rootguard, you allow the port to participate in the STP as long as it does not attempt to inject better information.
With bpduguard, you don't want the port to participate in STP at all and you errdisable it as soon as it attempts to do so.
So basically, if it's a recommendation to do both, it's a wrong recommendation;-)