12-06-2008 08:22 PM - edited 03-06-2019 02:50 AM
Hi All,
Can someone please tell me what's the difference between BPDU Guard and Root Guard? In general, do I apply both of these on all access switch ports?
12-06-2008 10:49 PM
They are similar, but their impact is different.
BPDU Guard disables the port if it receives a BPDU on a PortFast-enabled port. The disablement effectively denies devices behind such ports from participation in STP. You must manually re-enable a port that is put into errdisable state, or configure errdisable recovery with a timeout.
Root Guard allows the device to participate in STP as long as the device does not try to become the root. If Root Guard blocks the port, subsequent recovery is automatic: the port recovers as soon as the offending device stops sending superior BPDUs.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
12-19-2008 10:30 AM
It sounds like for this to be effective, I must enable Root Guard on every access port on every switch, yes?
Isn't there a way to force my core switch to always be root with just a couple of commands, instead of thousands of commands to cover every access port? Regards, jc
12-19-2008 12:50 PM
Hello Jimmy,
these commands are used to protect STP. Even if you configure the root bridge with base priority 0 using
spanning-tree vlan 1-4094 priority 0
there is a chance that someone sending BPDUs with the same priority but with a lower MAC address can take the role of root bridge.
For access ports BPDU guard is the right tool, and it can be associated with all PortFast ports in global config:
spanning-tree portfast bpduguard default
This enables BPDU guard on all ports that are configured for STP PortFast.
Hope to help
Giuseppe
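The two behaviours described in the first reply (BPDU guard errdisabling a PortFast port; root guard blocking only while superior BPDUs arrive and recovering on its own) and Giuseppe's global priority and bpduguard commands, written out as one IOS configuration. This is an added example, not configuration from any of the posts; the interface names, VLAN 10, the "rapid-pvst" mode and the 300-second errdisable recovery interval are assumptions.

```cisco
! --- Switch intended to be root (core/distribution) ---
spanning-tree mode rapid-pvst
! Priority 0 is the lowest configurable value, but a rogue bridge with
! priority 0 and a lower MAC address still wins the election; root guard
! on the downlinks (below) is what actually refuses such a bridge.
spanning-tree vlan 1-4094 priority 0
!
! Port facing an access switch: it may send BPDUs and take part in STP,
! but a superior BPDU puts it into the root-inconsistent (blocking) state.
! The port recovers by itself once the superior BPDUs stop arriving.
interface GigabitEthernet1/0/1
 description downlink to access switch
 switchport mode trunk
 spanning-tree guard root
!
! --- Access switch ---
spanning-tree mode rapid-pvst
! Every port that has PortFast becomes a BPDU guard port; nothing per-port.
spanning-tree portfast bpduguard default
!
! Optional: without this, an errdisabled port stays down until someone
! does "shutdown" / "no shutdown" on it. With it, the port is retried
! every 300 seconds (assumed value) and errdisables again if BPDUs persist.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 24
 description user / server port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Verification:
! show spanning-tree inconsistentports   -> root guard: "Root Inconsistent" ports
! show interfaces status err-disabled    -> BPDU guard: ports with reason bpduguard
! show errdisable recovery               -> recovery timer and enabled causes
```

A port under root guard keeps forwarding the moment the offending device falls silent, which is why it is acceptable on links to switches you do not manage; a port under BPDU guard does not come back until the recovery timer fires or an administrator bounces it, which is why it belongs only on ports where no switch is ever expected.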
12-20-2008 02:22 AM
Hi Giuseppe,
just a quick check: does this mean Root Guard applies to the core switch whereas BPDU Guard applies to the access switch? Is that correct?
thanks .
regards,
Jack
12-21-2008 03:12 AM
Hello Jack,
the difference between the two can be the following:
suppose you want, or are required, to allow users to connect a small switch that you don't manage to one of your access layer ports.
You cannot use BPDU guard for this, or the port will go into errdisable.
However, you are concerned that the small switch should not try to become the root bridge: as long as the port receives BPDUs that agree on the root bridge ID and on the fact that your switch is nearest to the root, there are no problems; otherwise root guard triggers its action.
On core switches and on distribution switches the useful tool can be loop guard (very helpful if using any form of rapid STP, because UDLD is too slow for it) and/or UDLD.
Hope to help
Giuseppe
12-21-2008 10:49 PM
BPDU guard should be enabled on all access ports where the desktops/servers are connected. Root Guard should be enabled on all downstream uplinks of the designated switch.
12-22-2008 07:27 AM
Just to clarify, I should apply root guard on all non-root switches that connect to the root. I apply this to all interfaces that connect to the root switch, yes?
12-22-2008 07:43 AM
Hello Jimmy,
if you do so you isolate the access switches.
I think it should be applied on the other side, on the core/distribution switches, on ports to access layer devices.
Hope to help
Giuseppe
12-22-2008 08:09 AM
Hi jimmy
Check out the following link, which can answer all your questions about STP features.
Ullas
12-22-2008 08:28 AM
The example shows the root guard applied to the distribution switches, not the root switch. In my case, I basically go from root (and B/U root) into a large amount of access switches. Can I apply the root-guard on the root switches connections to all other switches?
12-22-2008 08:50 AM
Hi jimmy
In an ideal design the root switch will be the distribution switch. In your case, if all your access switches are uplinked to the root switch, we can call it the distribution switch too, because your access switches will have redundant paths to this root switch. So it's good to apply root guard on your root switch so that you can prevent your access switches accidentally becoming the root bridge.
Hope this helps
Ullas
12-22-2008 09:03 PM
You should configure Root Guard on all uplinks of the designated switch (it can be a root bridge or a non-root bridge). Let us take a scenario that includes 4 switches (Root A, B, C, D). Switch A (root bridge) is connected to B and C, then D is connected to switch B. Root Guard should be configured on the uplinks of switch A where switches B and C are connected, and on the uplink of switch B where switch D is connected (that means Root Guard should be configured on the uplinks of the designated switches A, B and C).
12-24-2008 04:15 AM
Be careful when applying root guard in an environment that has redundant uplinks.
When putting root guard on one of the uplinks that is not the current root path, things will work fine.
Until there is a problem with the root switch or somewhere along the path to the root switch.
In that case STP needs to take the other path to the new root.
Now root advertisements are sent over the other trunk. If you have enabled root guard on this trunk the port will go into err-disable.
Thus making everything behind that link unreachable.
As stated earlier, I would only use root guard on a trunk to an isolated switch or environment that you don't want to become root under any circumstances.
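The placement the last several posts converge on, laid out for a primary root A, a secondary root B and a dual-homed access switch C: root guard only on the core/distribution ports that face the access layer, never on the A-B link and never on the access switch's own uplinks, with loop guard and UDLD covering the core links instead. This is an added example, not configuration from the original posts; the switch roles, interface names and the priority values 0 and 4096 are assumptions.

```cisco
! --- Switch A: primary root ---
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 0
! Loop guard watches for a link that stops delivering BPDUs (unidirectional
! failure) and holds it in loop-inconsistent state. Unlike root guard it
! never refuses a legitimate new root, so it is safe on redundant paths.
spanning-tree loopguard default
udld aggressive
!
interface TenGigabitEthernet1/1/1
 description to Switch B (secondary root) - no root guard on this link
 switchport mode trunk
 udld port aggressive
!
! The per-port guard command overrides the global loopguard default here.
interface GigabitEthernet1/0/1
 description to access switch C
 switchport mode trunk
 spanning-tree guard root
!
! --- Switch B: secondary root ---
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
spanning-tree loopguard default
udld aggressive
!
interface TenGigabitEthernet1/1/1
 description to Switch A (primary root) - no root guard on this link
 switchport mode trunk
 udld port aggressive
!
interface GigabitEthernet1/0/1
 description to access switch C (redundant uplink)
 switchport mode trunk
 spanning-tree guard root
!
! --- Access switch C: uplinked to both A and B ---
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
! No root guard on these uplinks. If A fails, A's BPDUs age out and C
! briefly considers itself root; B's BPDUs (priority 4096) are then
! superior to C's own, and root guard here would block the only path
! left, isolating C. Edge ports get BPDU guard via the global default.
interface GigabitEthernet1/0/49
 description uplink to A
 switchport mode trunk
!
interface GigabitEthernet1/0/50
 description uplink to B
 switchport mode trunk
```

Root guard on A's and B's downlinks stops any access-layer device from winning the election regardless of its priority or MAC address, while the A-B link stays unguarded so that B can take over as root when A is lost.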
01-06-2009 11:32 AM
Hi Roy,
I have a root switch, and a back-up root switch. As long as I don't put root-guard on the connection between my root and B/U root, I should be good. I never want any other switch to become root, nor any switch attached to those. So I apply root-guard to every trunk leaving the root and the B/U root, but do not apply root-guard to the trunk between the root and B/U root. Yes? jc