08-14-2008 01:34 PM - edited 03-06-2019 12:48 AM
I've never understood why it is recommended to run BPDU guard and root guard on access ports. It seems a bit redundant to me. If you're running BPDU guard, and a superior, inferior or otherwise BPDU is received on a port, BPDU guard err-disables the port. If the port is disabled....wallah, the root bridge is protected.
Perhaps it's a best practice as a bug catch? Ergo, bug in BPDU Guard lets superior BPDU though, but BPDU Guard catches it.
Please confirm my thinking, or illustrate where it is flawed.
Thanks in advance!
Solved! Go to Solution.
08-14-2008 01:46 PM
Perfectly agree. If you have bpduguard, rootguard is irrelevant.
With rootguard, you allow the port to participate in the STP as long as it does not attempt to inject better information.
With bpduguard, you don't want the port to participate in STP at all and you errdisable it as soon as it attempts to do so.
So basically, if it's a recommendation to do both, it's a wrong recommendation;-)
Regards,
Francois
08-14-2008 01:46 PM
Perfectly agree. If you have bpduguard, rootguard is irrelevant.
With rootguard, you allow the port to participate in the STP as long as it does not attempt to inject better information.
With bpduguard, you don't want the port to participate in STP at all and you errdisable it as soon as it attempts to do so.
So basically, if it's a recommendation to do both, it's a wrong recommendation;-)
Regards,
Francois
08-14-2008 02:10 PM
Thanks for the sanity check!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: