BPDUGuard & RootGuard

crow930us Sat, 12/06/2008 - 22:49

They are similar, but their impact is different.

BPDU Guard disables the port if it receives a BPDU on a PortFast-enabled port. The disablement effectively denies devices behind such ports participation in STP. You must manually re-enable a port that is put into errdisable state, or configure errdisable-timeout.

Root Guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, recovery is automatic as soon as the bad device stops sending superior BPDUs.


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml


jimmyc_2 Fri, 12/19/2008 - 10:30

It sounds like for this to be effective, I must enable Root Guard on every access port on every switch, yes?

Isn't there a way to force my core switch to always be root with just a couple of commands, instead of thousands of commands to cover every access port? Regards, jc

Giuseppe Larosa Fri, 12/19/2008 - 12:50

Hello Jimmy,

these commands are used to protect STP. Even if you configure the root bridge with base priority 0 using "spanning-tree priority 0 vlan 1-4096", there is a chance that someone sending BPDUs with the same priority but a lower MAC address can take the role of root bridge.

For access ports, BPDU guard is the right tool, and it can be associated with ports using PortFast in global config:

spanning-tree portfast bpduguard default

This enables BPDU guard on all ports that are configured for STP PortFast.


Hope to help

Giuseppe



ney25 Sat, 12/20/2008 - 02:22

Hi Giuseppe,

Just a quick check: does that mean Root Guard applies to the core switch, whereas BPDU Guard applies to the access switch? Is that correct?


thanks .


regards,

Jack

Giuseppe Larosa Sun, 12/21/2008 - 03:12

Hello Jack,

the difference between the two can be the following:

Suppose you want, or are required, to allow users to connect a small switch that you don't manage to one of your access layer ports.

You cannot use BPDU guard for this, or the port will go into errdisable.

However, you are concerned that the small switch should not try to become the root bridge: as long as the port receives BPDUs that agree on the root bridge ID and on the fact that your switch is nearest to the root, there are no problems; otherwise root guard triggers its action.

On core switches and on distribution switches the useful tool can be loop guard (very helpful if using any form of rapid STP, because UDLD is too slow for it) and/or UDLD.


Hope to help

Giuseppe


passioncas Sun, 12/21/2008 - 22:49

BPDU guard should be enabled on all access ports where the desktops/servers are connected. Root Guard should be enabled on all downstream uplinks of the designated switch.

jimmyc_2 Mon, 12/22/2008 - 07:27

Just to clarify, I should apply root guard on all non-root switches that connect to the root. I apply this to all interfaces that connect to the root switch, yes?

Giuseppe Larosa Mon, 12/22/2008 - 07:43

Hello Jimmy,

if you do so, you isolate the access switches.

I think it should be applied on the other side, on the core/distribution switches, on ports to access layer devices.



Hope to help

Giuseppe


jimmyc_2 Mon, 12/22/2008 - 08:28

The example shows the root guard applied to the distribution switches, not the root switch. In my case, I basically go from root (and B/U root) into a large amount of access switches. Can I apply the root-guard on the root switches connections to all other switches?

ullasupendran Mon, 12/22/2008 - 08:50

Hi Jimmy,

In an ideal design the root switch will be the distribution switch. In your case, if all your access switches are uplinked to the root switch, we can call it the distribution switch too, because your access switches will have redundant paths to this root switch. So it is good to apply root guard on your root switch, so that you can prevent your access switches accidentally becoming the root bridge.


Hope this helps


Ullas



passioncas Mon, 12/22/2008 - 21:03

You should configure Root Guard on all uplinks of the designated switch (it can be a root bridge or a non-root bridge). Let us say a scenario that includes 4 switches (Root-A, B, C, D). Switch A (root bridge) is connected to B and C, then D is connected to switch B. Root Guard should be configured on the uplinks of switch A where switches B and C are connected, and on the uplink of switch B where switch D is connected (that means Root Guard should be configured on the uplinks of the designated switches, A, B and C).

r.sneekes Wed, 12/24/2008 - 04:15

Be careful when applying root guard in an environment that has redundant uplinks.

When putting root guard on one of the uplinks that is not the current root path, things will work fine.

Until there is a problem with the root switch or somewhere along the path to the root switch.

In that case STP needs to take the other path to the new root.

Now root advertisements are sent over the other trunk. If you have enabled root guard on this trunk, the port will go into err-dis.

Thus making everything behind that link unreachable.

As stated earlier, I would only use root guard on a trunk to an isolated switch or environment that you don't want to become root under any circumstances.

jimmyc_2 Tue, 01/06/2009 - 11:32

Hi Roy,

I have a root switch, and a back-up root switch. As long as I don't put root-guard on the connection between my root and B/U root, I should be good. I never want any other switch to become root, nor any switch attached to those. So I apply root-guard to every trunk leaving the root and the B/U root, but do not apply root-guard to the trunk between the root and B/U root. Yes? jc
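The placement the thread converges on (BPDU guard on PortFast access ports, root guard on the designated switch's downlinks toward the access layer, and no root guard on the link between the root and the backup root, per the caveat about redundant uplinks) written out in Cisco IOS syntax. This is an added example, not configuration from any poster; the interface names, VLAN range, priorities and recovery interval are assumptions, and the loop guard on the inter-root link follows Giuseppe's loop-guard suggestion.

```cisco
! === Core / root switch (constructed example; interface names are assumptions) ===
spanning-tree mode rapid-pvst
! Priority 0 makes this switch root; give the backup root priority 4096.
spanning-tree vlan 1-4094 priority 0
!
! Downlinks toward access switches: root guard keeps them designated.
! A superior BPDU puts the port into root-inconsistent state, and it
! recovers by itself once the superior BPDUs stop.
interface range GigabitEthernet1/0/1 - 22
 description downlink to access layer
 switchport mode trunk
 spanning-tree guard root
!
! Link to the backup root: NO root guard here, otherwise a root failover
! would be blocked. Loop guard (with rapid STP) protects this link instead.
interface TenGigabitEthernet1/1/1
 description trunk to backup root
 switchport mode trunk
 spanning-tree guard loop
!
! === Access switch (constructed example) ===
! One global command enables BPDU guard on every PortFast port.
spanning-tree portfast bpduguard default
! Optional: auto-recover errdisabled ports after 300 s instead of manually.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 47
 description end-user / server port
 switchport mode access
 spanning-tree portfast
!
! Port where an unmanaged small switch is allowed (Giuseppe's case):
! BPDU guard would errdisable it, so use root guard alone.
interface GigabitEthernet1/0/48
 description unmanaged downstream switch
 switchport mode access
 no spanning-tree portfast
 spanning-tree bpduguard disable
 spanning-tree guard root
!
! Verification: root-inconsistent ports and errdisabled ports
show spanning-tree inconsistentports
show interfaces status err-disabled
show spanning-tree summary
```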

ney25 Tue, 01/06/2009 - 18:55

Hi Jimmyc,

I would suggest you attach the network diagram and config, and let's revise it with NetPro together. This can give a clearer picture.

Isn't that a good idea?

regards,

Jack