
Configure root guard only on root-bridge

keesepema (Level 1)

I learned that root guard must be enabled on a switch that is prone to be overtaken by a switch with a lower priority number (and so more likely to become the root bridge). However, the switch that is prone to be overtaken by a better-priority switch does not have to be the root bridge.

In my logic it would be better to root-guard all ports on the root bridge itself. I think this would refuse all BPDUs trying to take over the root bridge's role.

My question: is my assumption right?

 

 

Accepted Solution

(attached image: images (2).jpeg)

If I understand your question correctly, you ask why we do not configure root guard on SW-A or SW-B instead of SW-C?

The answer is that since we want SW-A or SW-B to be the root bridge, we cannot configure their interfaces with root guard.

In more detail:

Assume SW-A is the root and we configure its ports with root guard; for some reason SW-B is elected as root bridge (SW-A failed or rebooted).

Here SW-A will be root, and its port errors because we configured root guard on its interface.

So in this case we don't configure root guard on the root bridge.

Instead we configure root guard on all SW-C ports except the ports connected to SW-A and SW-B (the primary and secondary root bridges).

With this design, if SW-A reboots and SW-B is elected as root bridge, the SW-C ports connected to SW-B are not affected.

But

Any new switch connected to SW-C that attempts to be elected as root bridge will cause SW-C to err-disable those ports.

MHM

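To make the design in the accepted answer concrete, here is a small Python model of STP root election with root guard. This is an added example, not code from the thread or from Cisco. Bridge IDs compare as (priority, MAC) with lower winning; a root-guard port that receives a BPDU advertising a better root than the switch's current root is put into root-inconsistent state and the BPDU is ignored, and the port recovers once those superior BPDUs stop. The switch names follow the diagram; the priorities (4096, 8192, 32768), MAC addresses, port names, and the rogue switch with priority 0 are assumptions made for the example. Timers, path cost and port roles are not modelled.

```python
"""Toy model of STP root election with root guard (added example, not from the
thread).  It models the layout the accepted answer describes: SW-A primary root,
SW-B secondary, root guard on SW-C's downstream ports only.  Only "who is root"
and "which ports did root guard block" are tracked; no timers or path cost."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True, order=True)
class BridgeID:
    """STP bridge ID: priority first, MAC as tiebreaker; lower is better."""
    priority: int
    mac: str


@dataclass(eq=False)
class Switch:
    name: str
    bid: BridgeID
    root_guard_ports: Set[str] = field(default_factory=set)
    up: bool = True
    # local port -> (neighbour switch, neighbour's port)
    links: Dict[str, Tuple["Switch", str]] = field(default_factory=dict)
    root: Optional[BridgeID] = None      # who this switch currently believes is root
    root_inconsistent: Set[str] = field(default_factory=set)


def connect(a: Switch, pa: str, b: Switch, pb: str) -> None:
    """Cable port pa of switch a to port pb of switch b."""
    a.links[pa] = (b, pb)
    b.links[pb] = (a, pa)


def converge(switches: Dict[str, Switch]) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Exchange BPDUs until nothing changes.

    Every live switch starts by claiming to be root (as after a reboot), so the
    function can be re-run after a topology change.  Returns, per live switch,
    the name of the root it settled on and its sorted root-inconsistent ports."""
    name_of = {s.bid: s.name for s in switches.values()}
    live = [s for s in switches.values() if s.up]
    for s in live:
        s.root = s.bid
        s.root_inconsistent = set()
    changed = True
    while changed:
        changed = False
        for s in live:
            for port, (nbr, _) in s.links.items():
                if not nbr.up:
                    continue
                advertised = nbr.root        # the neighbour's BPDU carries its root
                if advertised >= s.root:
                    # not superior; a port root guard had blocked recovers once
                    # the superior BPDUs stop arriving
                    if port in s.root_inconsistent:
                        s.root_inconsistent.discard(port)
                        changed = True
                    continue
                if port in s.root_guard_ports:
                    # superior BPDU on a guarded port: block it, keep our root
                    if port not in s.root_inconsistent:
                        s.root_inconsistent.add(port)
                        changed = True
                    continue
                s.root = advertised              # unguarded port: accept the better root
                changed = True
    return {s.name: (name_of[s.root], tuple(sorted(s.root_inconsistent))) for s in live}


def build_topology() -> Dict[str, Switch]:
    """SW-A primary root, SW-B secondary, SW-C guarding every port except its
    two uplinks.  Priorities, MACs and port names are made up for the example."""
    sw_a = Switch("SW-A", BridgeID(4096, "0000.0000.000a"))
    sw_b = Switch("SW-B", BridgeID(8192, "0000.0000.000b"))
    downstream = {f"Gi1/0/{n}" for n in range(3, 25)}       # Gi1/0/3 .. Gi1/0/24
    sw_c = Switch("SW-C", BridgeID(32768, "0000.0000.000c"), root_guard_ports=downstream)
    connect(sw_a, "Gi1/0/1", sw_b, "Gi1/0/1")
    connect(sw_c, "Gi1/0/1", sw_a, "Gi1/0/2")   # uplink to primary root, no root guard
    connect(sw_c, "Gi1/0/2", sw_b, "Gi1/0/2")   # uplink to secondary root, no root guard
    return {s.name: s for s in (sw_a, sw_b, sw_c)}


def attach_rogue(switches: Dict[str, Switch], priority: int = 0) -> Switch:
    """Plug a switch with a better (lower) priority than SW-A into a guarded SW-C port."""
    rogue = Switch("ROGUE", BridgeID(priority, "dead.beef.0001"))
    connect(switches["SW-C"], "Gi1/0/10", rogue, "Gi0/1")
    switches[rogue.name] = rogue
    return rogue


if __name__ == "__main__":
    net = build_topology()
    print("baseline:     ", converge(net))
    attach_rogue(net)
    print("rogue on SW-C:", converge(net))   # SW-C blocks Gi1/0/10, SW-A stays root
    net["SW-A"].up = False
    print("SW-A down:    ", converge(net))   # SW-B takes over through SW-C's unguarded uplink
```

Running it shows the three situations the answer walks through: with no rogue every switch agrees on SW-A; a priority-0 switch on a guarded SW-C port ends up root-inconsistent while SW-A stays root for the rest of the network; and when SW-A is down, SW-C accepts SW-B through its unguarded uplink. On Cisco IOS the corresponding per-interface command is `spanning-tree guard root`, and ports it has blocked are listed by `show spanning-tree inconsistentports`.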

2 Replies


keesepema (Level 1)

So I understand the primary reason for my wrong assumption is that SW-A will have err-disabled ports when it reboots or fails, and therefore it is better to root-guard a switch that is not the primary or secondary root bridge. If SW-C fails or reboots, its ports will be err-disabled, not those of SW-A or SW-B.

That makes sense. But what if a 'rogue' or misconfigured switch is directly attached to the root bridge?