08-14-2008 01:34 PM - edited 03-06-2019 12:48 AM
I've never understood why it is recommended to run BPDU guard and root guard on access ports. It seems a bit redundant to me. If you're running BPDU guard, and a superior, inferior or otherwise BPDU is received on a port, BPDU guard err-disables the port. If the port is disabled....wallah, the root bridge is protected.
Perhaps it's a best practice as a bug catch? Ergo, bug in BPDU Guard lets superior BPDU though, but BPDU Guard catches it.
Please confirm my thinking, or illustrate where it is flawed.
Thanks in advance!
Solved! Go to Solution.
08-14-2008 01:46 PM
Perfectly agree. If you have bpduguard, rootguard is irrelevant.
With rootguard, you allow the port to participate in the STP as long as it does not attempt to inject better information.
With bpduguard, you don't want the port to participate in STP at all and you errdisable it as soon as it attempts to do so.
So basically, if it's a recommendation to do both, it's a wrong recommendation;-)
Regards,
Francois
08-14-2008 01:46 PM
Perfectly agree. If you have bpduguard, rootguard is irrelevant.
With rootguard, you allow the port to participate in the STP as long as it does not attempt to inject better information.
With bpduguard, you don't want the port to participate in STP at all and you errdisable it as soon as it attempts to do so.
So basically, if it's a recommendation to do both, it's a wrong recommendation;-)
Regards,
Francois
08-14-2008 02:10 PM
Thanks for the sanity check!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide