MST and Root Guard??

JamesVPN123
Level 1

Hi All,

I need some help.

I would like to understand the practical application of using root guard and MST (or PVRST+ for that matter) where different MST instances have different nominal root and secondary positions within the network?

Explicitly, where MST instance 1 has a root port on fa0/2 and should never have a root port on fa0/3, but the MST instance 2 root is usually found via fa0/3. Root guard is, it seems, issued on a per-port basis rather than a per-instance-per-port basis. So issuing root guard on fa0/3 will put the port into an inconsistent state for MST instance 2 and block access to the root for MST instance 2, but protect MST instance 1...

Have I understood this correctly?

Is there a way to implement a root guard on a per MST instance basis?

Thanks,

James.

Accepted Solution

Peter Paluch
Cisco Employee

James,

To spoil all the surprise at the very beginning of my answer, your observation is correct: the BPDU Root Guard is a per-port feature, and it cannot be tweaked to work on a per-VLAN or a per-instance basis.

You do not usually use the BPDU Root Guard feature within your own network for two reasons:

  • Your own network can be considered controlled and trusted, so there is no foreign root to protect against
  • If a link or a switch fails, you want to have a backup path towards a (potentially new) root, and using BPDU Root Guard inside your network interferes with this

The BPDU Root Guard is intended to be used in scenarios where you have to interface with a customer's network you have no control over, but in some cases you need to run STP with the customer. Quite naturally, you do not want the customer to hijack your root switches, nor would you want to back up your network connectivity through the customer. You would therefore use the BPDU Root Guard on your ports facing the customer's network. Notice that here, the BPDU Root Guard would work nicely.

So once again, your observation about the BPDU Root Guard working at an arguably coarse granularity is correct; however, you do not actually want to use it inside your own network, which constitutes a well-known and trusted environment.

Please feel welcome to discuss this further!

Best regards,

Peter

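A minimal IOS configuration illustrating the deployment pattern from the accepted answer: two MST instances with different intended roots, no root guard on the internal trunk (fa0/3 from the question), and root guard only on the port that faces the customer. This is an added example, not configuration from the original thread. The region name, VLAN-to-instance mapping, bridge priorities and the customer-facing interface FastEthernet0/24 are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Region name, VLAN ranges,
! priorities and the customer-facing interface are assumptions.
!
! MST region with two instances that want different roots.
spanning-tree mode mst
spanning-tree mst configuration
 name CORP
 revision 1
 instance 1 vlan 10,20
 instance 2 vlan 30,40
!
! This switch is the intended root for instance 1 and the secondary root
! for instance 2; the other core switch gets the mirror-image priorities
! (priority values must be multiples of 4096).
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! Internal trunk (fa0/3 in the question): root guard deliberately left at
! its default (off), so instance 2 may elect its root port here and
! instance 1 can still fail over through it if fa0/2 is lost.
interface FastEthernet0/3
 switchport mode trunk
 no spanning-tree guard root
!
! Customer-facing trunk (assumed interface): root guard is an interface-level
! command and covers every instance carried on the port. A superior BPDU
! from the customer, for any instance, leaves the port root-inconsistent
! instead of letting the customer become root or a transit path.
interface FastEthernet0/24
 switchport mode trunk
 spanning-tree guard root
!
! Verification (exec mode):
!   show spanning-tree mst configuration
!   show spanning-tree mst 1
!   show spanning-tree mst 2
!   show spanning-tree inconsistentports
```

After applying this on both core switches, `show spanning-tree mst 1` and `show spanning-tree mst 2` should show fa0/3 as a root port only for the instance whose root lies beyond it, and `show spanning-tree inconsistentports` should list root-inconsistent entries, if any, only against FastEthernet0/24. An entry against fa0/3 in that output is the symptom the question describes and means root guard was applied to an internal trunk.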
