
Guard root or PortFast bpdu guard

belal.sadozai
Level 1

Hello,

I have two Cat6500 running CatOS as access switches to my server farms. I have enabled portfast on a per-port basis where needed and enabled portfast bpdu guard globally, so my question is: how about guard root? Do I need to enable this feature? Because each port connected to the servers with portfast bpdu guard enabled cannot receive BPDUs and thus cannot receive new root information from this port?

Thanks for your answer.

5 Replies

Reza Sharifi
Hall of Fame

Hello Belal,

You usually enable loop guard on your uplink ports connecting to other switches and not on your access ports.

Please reference this document for more info with examples:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard

HTH

Reza

Giuseppe Larosa
Hall of Fame

Hello Belal,

I agree; in your case you should be fine if you have deployed STP BPDU guard on all access ports.

Hope to help

Giuseppe

kirancherian
Level 1

Hello Belal,

The Guard root is usually configured on a port connected to another switch which could have a probability of sending lower priority BPDUs which could cause your manually configured root switch to become a designated bridge.

Since your two switches are access switches connected to a server farm ONLY, a portfast command is all that is needed which will enable them to transition faster.

Instead of a BPDU guard, it would be advisable to put a bpdufilter in place as bpduguard will put that port into "errdisable" state when it detects a bpdu packet (if by accident you do put a switch on a port on these switches), whereas bpdufilter will drop the STP bpdu packets.

-/ Kiran

Ganesh Hariharan
VIP Alumni

Hello,

I have two Cat6500 running CatOS as access switches to my server farms. I have enabled portfast on a per-port basis where needed and enabled portfast bpdu guard globally, so my question is: how about guard root? Do I need to enable this feature? Because each port connected to the servers with portfast bpdu guard enabled cannot receive BPDUs and thus cannot receive new root information from this port?

Thanks for your answer.

Hi,

BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port.

The disablement effectively denies devices behind such ports from participation in STP. You must manually reenable the port that is put into errdisable state or configure errdisable-timeout.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

Hope to help !!

Remember to rate the helpful post

Ganesh.H
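
The port behaviour discussed in the replies above, as a small model added here as an example (not posted by any participant and not Cisco code): it replays the same BPDUs against a port under BPDU guard, root guard and BPDU filter and records the port state each second. Assumptions: a bridge ID is reduced to its priority number, root guard releases the port after STP's default max age of 20 seconds without a superior BPDU, and the `Port` and `replay` names and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_AGE = 20  # seconds; STP default max age, assumed here as the root guard hold time

@dataclass
class Port:
    guard: str                                # "bpduguard", "rootguard" or "bpdufilter"
    root_priority: int = 8192                 # priority of the intended root (constructed)
    errdisable_timeout: Optional[int] = None  # None: stays down until manually re-enabled
    state: str = "forwarding"
    since: int = 0                            # time of the BPDU that last blocked the port

    def receive_bpdu(self, now: int, priority: int) -> str:
        if self.guard == "bpdufilter" or self.state == "errdisable":
            return self.state                 # BPDU dropped, or port is already shut
        if self.guard == "bpduguard":         # any BPDU at all shuts a PortFast port
            self.state, self.since = "errdisable", now
        elif priority < self.root_priority:   # root guard: only a superior BPDU blocks
            self.state, self.since = "root-inconsistent", now
        return self.state

    def tick(self, now: int) -> str:
        held = now - self.since
        if self.state == "root-inconsistent" and held >= MAX_AGE:
            self.state = "forwarding"         # automatic once superior BPDUs stop
        elif (self.state == "errdisable" and self.errdisable_timeout is not None
              and held >= self.errdisable_timeout):
            self.state = "forwarding"         # only because errdisable-timeout is set
        return self.state

def replay(port: Port, bpdus: dict, end: int) -> list:
    """Feed {second: sender_priority} to the port; return its state at each second."""
    timeline = []
    for t in range(end + 1):
        port.tick(t)
        if t in bpdus:
            port.receive_bpdu(t, bpdus[t])
        timeline.append(port.state)
    return timeline

# Constructed input: a device claiming priority 4096 sends BPDUs at t=1, 3 and 5.
ROGUE = {1: 4096, 3: 4096, 5: 4096}

if __name__ == "__main__":
    for p in (Port("bpduguard"), Port("bpduguard", errdisable_timeout=10),
              Port("rootguard"), Port("bpdufilter")):
        line = replay(p, ROGUE, 30)
        print(f"{p.guard:10} timeout={p.errdisable_timeout} t=6:{line[6]} t=30:{line[30]}")
```

In the output, the BPDU filter port never leaves forwarding because the BPDUs are discarded without any state change, while an inferior BPDU (for example priority 32768) leaves a root guard port forwarding as well.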

belal.sadozai
Level 1

Thanks to all for all those explanations.

It's clearer now.

Regards
