Spanning-tree bpduguard/spanning-tree rootguard

Answered Question
Feb 2nd, 2010

Dear Expert,


I would like to ask: if spanning-tree bpduguard is enabled on a port, that means the port will not send or receive BPDUs. Then what if one more command, "spanning-tree rootguard", is added on the same port? Is it meaningless? Because that port already ignores the bpduguard.

Ganesh Hariharan Tue, 02/02/2010 - 01:06
Hi,



The PortFast BPDU guard feature prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning tree blocking state.


On the other hand, root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.


The action differs when you configure the above on switch ports.


Hope that helps


If helpful do rate


Ganesh.H
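
The difference in action described in the reply above, modelled as an added Python example (not part of the original thread and not Cisco code): it parses an 802.1D configuration BPDU and reports what a port with each guard would do. `Port`, `guard_action` and `build_bpdu` are hypothetical names, the bridge IDs are constructed, and "superior" is simplified to comparing the advertised root bridge ID (priority, then MAC) with the current root.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:                      # hypothetical model of one switch port
    guard: Optional[str] = None  # "bpduguard", "rootguard" or None

def parse_config_bpdu(body: bytes):
    """Return (root_priority, root_mac, root_path_cost) from an 802.1D config BPDU."""
    if len(body) < 35:
        raise ValueError("truncated BPDU")
    proto, _version, bpdu_type, _flags = struct.unpack_from("!HBBB", body, 0)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an STP configuration BPDU")
    # Root ID (2-byte priority + 6-byte MAC) starts at offset 5, path cost follows.
    return struct.unpack_from("!H6sI", body, 5)

def guard_action(port: Port, current_root: tuple, body: bytes) -> str:
    """Decide what the port does with a received BPDU.
    current_root is the (priority, mac) of the root bridge the switch accepts now."""
    prio, mac, _cost = parse_config_bpdu(body)
    if port.guard == "bpduguard":
        return "errdisable"         # any BPDU at all shuts the port down
    if port.guard == "rootguard" and (prio, mac) < current_root:
        return "root-inconsistent"  # superior BPDU: port stops forwarding
    return "process"                # normal spanning-tree handling

def build_bpdu(root_prio: int, root_mac: bytes, cost: int = 0) -> bytes:
    """Constructed sample BPDU: sender ID reuses the root ID, default timers."""
    rid = struct.pack("!H6s", root_prio, root_mac)
    timers = struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)  # units of 1/256 s
    return (struct.pack("!HBBB", 0, 0, 0, 0) + rid + struct.pack("!I", cost)
            + rid + struct.pack("!H", 0x8001) + timers)

if __name__ == "__main__":
    root = (4096, bytes.fromhex("001122334455"))            # constructed values
    better = build_bpdu(0, bytes.fromhex("02aabbccddee"))   # advertises a better root
    worse = build_bpdu(32768, bytes.fromhex("02aabbccddee"))
    for guard in ("bpduguard", "rootguard", None):
        print(guard, "->", guard_action(Port(guard), root, better),
              "/", guard_action(Port(guard), root, worse))
```
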

Correct Answer
Jon Marshall Tue, 02/02/2010 - 01:10

acbennyma wrote:


Dear Expert,


I would like to ask: if spanning-tree bpduguard is enabled on a port, that means the port will not send or receive BPDUs. Then what if one more command, "spanning-tree rootguard", is added on the same port? Is it meaningless? Because that port already ignores the bpduguard.

They are used for 2 different things -


bpduguard is used for end devices and, as you say, will disable a port if it receives a BPDU.


rootguard is not intended for ports that have end devices on them. It is intended for switch interconnect ports, i.e. ports that are used to uplink to other switches.


So BPDUGuard would never be used on switch uplinks because you want BPDUs to be sent and received on these ports.


Jon
