BPDUGuard & RootGuard

huntlee
Level 1

Hi All,

Can someone please tell me what's the difference between BPDUGuard & RootGuard? In general, do I apply both of these on all access switch ports?

16 Replies

crow930us
Level 3

They are similar, but their impact is different.

BPDU Guard disables the port if it receives a BPDU on a PortFast-enabled port. The disablement effectively denies devices behind such ports from participation in STP. You must manually re-enable a port that is put into errdisable state, or configure errdisable-timeout.

Root Guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic: recovery happens as soon as the bad device stops sending superior BPDUs.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

It sounds like for this to be effective, I must enable Root Guard on every access port on every switch, yes?

Isn't there a way to force my core switch to always be root with just a couple of commands, instead of thousands of commands to cover every access port? Regards, jc

Hello Jimmy,

These commands are to be used to protect STP: even if you configure the root bridge with base priority 0 using

spanning-tree priority 0 vlan 1-4096, there is a chance that someone sending BPDUs with the same priority but with a lower MAC address can take the role of root bridge.

For access ports BPDU guard is the right tool, and it can be associated with ports using portfast from global config.

spanning-tree portfast bpduguard default

This enables BPDU guard on all ports that are configured for STP portfast.

Hope to help

Giuseppe

Hi Giuseppe,

Just a quick check: that means Root Guard applies to the core switch, whereas BPDU Guard applies to the access switch, is that correct?

thanks .

regards,

Jack

Hello Jack,

the difference between the two can be the following:

suppose you want or you are required to allow users to connect a small switch that you don't manage to one of your access layer ports.

You cannot use BPDU guard for this or the port will go on errordisable.

However, you are concerned that the small switch should not try to become the root bridge: as long as the port receives BPDUs that agree on the root bridge ID and on the fact that your switch is nearest to the root, there are no problems; otherwise root guard triggers its action.

On core switches and on distribution switches the useful tool can be loop guard (very helpful if using any form of rapid STP because UDLD is too slow for it) and/or UDLD.

Hope to help

Giuseppe

BPDU guard should be enabled on all access ports where the desktops/servers are connected. Root Guard should be enabled on all downstream uplinks of the designated switch.

Just to clarify, I should apply root guard on all non-root switches that connect to the root. I apply this to all interfaces that connect to the root switch, yes?

Hello Jimmy,

if you do so you isolate the access switches.

I think it should be applied on the other side, on the core/distribution switches, on the ports to access layer devices.

Hope to help

Giuseppe

The example shows the root guard applied to the distribution switches, not the root switch. In my case, I basically go from root (and B/U root) into a large amount of access switches. Can I apply the root-guard on the root switches connections to all other switches?

Hi Jimmy

In an ideal design the root switch will be the distribution switch. In your case, if all your access switches are uplinked to the root switch, we can call it the distribution switch too, because your access switches will have redundant paths to this root switch. So it's good to apply root guard on your root switch so that you can prevent your access switches from accidentally becoming the root bridge.

Hope this helps

Ullas

You should configure Root Guard on all uplinks of the designated switch (it can be a root bridge or a non-root bridge). Let us say a scenario includes 4 switches (Root-A, B, C, D). Switch A (root bridge) is connected to B and C, then D is connected to switch B. Root Guard should be configured on the uplinks of switch A where switches B and C are connected, and on the uplink of switch B where switch D is connected (that means Root Guard should be configured on the uplinks of the designated switches (A, B and C)).

r.sneekes
Level 1

Be careful when applying root guard in an environment that has redundant uplinks.

When putting root guard on one of the uplinks that is not the current root path, things will work fine.

Until there is a problem with the root switch or somewhere along the path to the root switch.

In that case STP needs to take the other path to the new root.

Now root advertisements are sent over the other trunk. If you have enabled root guard on this trunk, the port will go into err-dis.

Thus making everything behind that link unreachable.

As stated earlier, I would only use root guard on a trunk to an isolated switch or environment that you don't want to become root under any circumstances.

Hi Roy,

I have a root switch, and a back-up root switch. As long as I don't put root-guard on the connection between my root and B/U root, I should be good. I never want any other switch to become root, nor any switch attached to those. So I apply root-guard to every trunk leaving the root and the B/U root, but do not apply root-guard to the trunk between the root and B/U root. Yes? jc
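As an added example (not code from the thread or from Cisco), a small audit script that applies the placement rules discussed above to a constructed Catalyst IOS-style running-config: BPDU guard on PortFast edge ports, root guard on the root/backup-root downlinks, and no root guard on the trunk between root and backup root, since that is the failover path Roy warns about. The set of inter-root interfaces is supplied by the caller, because the config alone does not say which trunk leads to the backup root.

```python
# Constructed sample running-config (not from a real device): the root switch
# with a trunk to its backup root, two access downlinks and one PortFast port.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree guard root
interface GigabitEthernet1/0/2
 switchport mode trunk
 spanning-tree guard root
interface GigabitEthernet1/0/3
 switchport mode trunk
interface GigabitEthernet1/0/10
 switchport mode access
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Return {name: [commands]} for each interface stanza in an IOS config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # a global command or "!" ends the stanza
    return stanzas

def audit_stp_guards(config, inter_root_links):
    """Apply the thread's placement rules; returns (interface, finding) pairs."""
    global_bpduguard = "spanning-tree portfast bpduguard default" in config
    findings = []
    for name, cmds in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in cmds
        portfast = "spanning-tree portfast" in cmds
        bpduguard = global_bpduguard or "spanning-tree bpduguard enable" in cmds
        rootguard = "spanning-tree guard root" in cmds
        if portfast and not bpduguard:
            findings.append((name, "portfast edge port without BPDU guard"))
        if trunk and rootguard and name in inter_root_links:
            findings.append((name, "root guard on root/backup-root trunk blocks failover"))
        if trunk and not rootguard and name not in inter_root_links:
            findings.append((name, "downlink trunk without root guard"))
    return findings

if __name__ == "__main__":
    for iface, msg in audit_stp_guards(SAMPLE_CONFIG, {"GigabitEthernet1/0/1"}):
        print(f"{iface}: {msg}")
```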
