BPDU guard and root guard, redundant?

I've never understood why it is recommended to run BPDU guard and root guard on access ports. It seems a bit redundant to me. If you're running BPDU guard, and a superior, inferior or otherwise BPDU is received on a port, BPDU guard err-disables the port. If the port is disabled... voilà, the root bridge is protected.

Perhaps it's a best practice as a bug catch? Ergo, bug in BPDU Guard lets superior BPDU through, but BPDU Guard catches it.

Please confirm my thinking, or illustrate where it is flawed.

Thanks in advance!

Accepted Solutions

Re: BPDU guard and root guard, redundant?

Perfectly agree. If you have bpduguard, rootguard is irrelevant.

With rootguard, you allow the port to participate in the STP as long as it does not attempt to inject better information.

With bpduguard, you don't want the port to participate in STP at all and you errdisable it as soon as it attempts to do so.

So basically, if it's a recommendation to do both, it's a wrong recommendation ;-)

Regards,

Francois
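
A simplified model of the two guards as the answer above describes them, added here as an example and not part of the original thread. The `Port` class, the bridge IDs and the instant recovery of a root-guard port are assumptions for illustration; real STP also compares path cost, sender bridge ID and port ID.

```python
from dataclasses import dataclass

# Constructed value: current root bridge ID as (priority, MAC); lower is superior.
CURRENT_ROOT = (4096, "00:00:00:00:00:01")

@dataclass
class Port:
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"
    tripped_by: str = ""

    def receive_bpdu(self, root_id):
        """Apply the configured guards to one received BPDU; return the port state."""
        if self.state == "err-disabled":
            return self.state  # port is down, nothing is processed any more
        if self.bpdu_guard:
            # BPDU guard ignores the content: any BPDU shuts the port.
            self.state, self.tripped_by = "err-disabled", "bpduguard"
        elif self.root_guard and root_id < CURRENT_ROOT:
            # Root guard reacts only to a superior BPDU and blocks the port.
            self.state, self.tripped_by = "root-inconsistent", "rootguard"
        elif self.root_guard:
            # No superior BPDU: the port keeps participating in STP
            # (simplified: recovery is modelled as immediate).
            self.state = "forwarding"
        return self.state

def run(port, bpdus):
    """Feed a sequence of BPDUs to a port; return the state after each one."""
    return [port.receive_bpdu(b) for b in bpdus]

# Constructed BPDUs, identified by the root bridge ID they advertise.
INFERIOR = (32768, "00:00:00:00:00:aa")
SUPERIOR = (0, "00:00:00:00:00:bb")
SEQUENCE = [INFERIOR, SUPERIOR, INFERIOR]

def compare():
    """Run the same BPDU sequence against the three guard combinations."""
    return {
        "rootguard only": run(Port(root_guard=True), SEQUENCE),
        "bpduguard only": run(Port(bpdu_guard=True), SEQUENCE),
        "both": run(Port(bpdu_guard=True, root_guard=True), SEQUENCE),
    }

if __name__ == "__main__":
    for name, states in compare().items():
        print(f"{name:15} {states}")
```

With both guards set, the port is err-disabled by the first BPDU, so the root guard branch is never reached.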


Re: BPDU guard and root guard, redundant?

Thanks for the sanity check!
