cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1884
Views
0
Helpful
1
Replies

Proper placement of root guard

ngthen
Level 1
Level 1

I had asked this question before but think I didn't explain myself the best so we'll try again.  I attached a quick diagram of how a network that I am working on is currently configured.  It's not optimal but that will be fixed in the future.  Right now I am trying to protect my network from unauthorized switches and them becoming the STP root.  The network is currently running MST for spanning tree with core 1 set at 8192 and core 2 set at 16384. 

Access Switch 1 in the diagram will have another switch connected to port Gi0/1 that I cannot control (not shown in diagram however).  And in the future Access Switch 2 may be in the same boat.  Both Access switches have "spanning-tree bpduguard default" enabled and ports 1-22 are configured for portfast.  The switch being added to Gi0/1 on Access Switch 1 only needs access to one VLAN so I would like to leave the port as an access port rather than a trunk port.  There will only be one single cable connecting Access Switch 1 to the new switch run by the building tenant.

1) I would like to protect the network from admins adding other switches that could overtake my STP root.  I understand "root guard" will prevent this but I am not sure what ports to put it on based on the diagram.  Would I need to put it on Gi0/1 for the other tenant switch that is not shown as well?  Does it need to go on my Core swiches or just Access?

2) Since there will be another switch on Access Switch 1 port Gi0/1, I am assuming bpduguard will cause issues and disable the port preventing the client from accessing the shared resources.  So...

    a) Should I disable bpduguard on this port?

    b) Would the bpdu filter help here in anyway?  If so and it is turned on so the port is always in a forwarding state can a loop somehow occur from the client switch even though there is just a single cable?  I would think not, but could it happen on their switch?

3) Since I will not have control over the tenant switch I need to assume they may set it up incorrectly.  If they are not running spanning-tree and connect two ports together can it take down the VLAN I am sharing with them?  Is there a way to prevent it?  Would loop guard do anything?

Thanks in advance!!!

1 Accepted Solution

Accepted Solutions

Jerry Ye
Cisco Employee
Cisco Employee

Since it is a tenant, you can put root guard on Access SW 1 port G0/1. You need to remove the portfast feature and bpduguard on that port.

BPDU filter from interface will stop your switch to send them BPDU but you cannot control it on your end to not receiving BPDU.

Regards,

jerry

View solution in original post

1 Reply 1

Jerry Ye
Cisco Employee
Cisco Employee

Since it is a tenant, you can put root guard on Access SW 1 port G0/1. You need to remove the portfast feature and bpduguard on that port.

BPDU filter from interface will stop your switch to send them BPDU but you cannot control it on your end to not receiving BPDU.

Regards,

jerry

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: