I had asked this question before but I think I didn't explain myself the best, so we'll try again. I attached a quick diagram of how a network that I am working on is currently configured. It's not optimal but that will be fixed in the future. Right now I am trying to protect my network from unauthorized switches and them becoming the STP root. The network is currently running MST for spanning tree with core 1 set at 8192 and core 2 set at 16384.
Access Switch 1 in the diagram will have another switch connected to port Gi0/1 that I cannot control (not shown in diagram however). And in the future Access Switch 2 may be in the same boat. Both Access switches have "spanning-tree bpduguard default" enabled and ports 1-22 are configured for portfast. The switch being added to Gi0/1 on Access Switch 1 only needs access to one VLAN so I would like to leave the port as an access port rather than a trunk port. There will only be one single cable connecting Access Switch 1 to the new switch run by the building tenant.
1) I would like to protect the network from admins adding other switches that could overtake my STP root. I understand "root guard" will prevent this but I am not sure what ports to put it on based on the diagram. Would I need to put it on Gi0/1 for the other tenant switch that is not shown as well? Does it need to go on my Core switches or just Access?
2) Since there will be another switch on Access Switch 1 port Gi0/1, I am assuming bpduguard will cause issues and disable the port preventing the client from accessing the shared resources. So...
a) Should I disable bpduguard on this port?
b) Would the BPDU filter help here in any way? If so, and it is turned on so the port is always in a forwarding state, can a loop somehow occur from the client switch even though there is just a single cable? I would think not, but could it happen on their switch?
3) Since I will not have control over the tenant switch I need to assume they may set it up incorrectly. If they are not running spanning-tree and connect two ports together can it take down the VLAN I am sharing with them? Is there a way to prevent it? Would loop guard do anything?
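The following Cisco IOS configuration sketch is an added example, not part of the original post and not a vendor-supplied answer. It lays out where the protections asked about above would sit on the described topology: root guard on the core downlinks and on the tenant-facing port, BPDU guard left on the ordinary portfast ports, and storm control on the tenant port to limit a broadcast storm if the tenant loops two of their own ports. Hostnames, interface numbers, the MST region name/revision, VLAN 100 and the storm-control threshold are all assumptions.

```cisco
! ===== Core 1: intended MST root (priority 8192) =====
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS            ! assumed region name; must match on every switch
 revision 1
 instance 0 vlan 1-4094
spanning-tree mst 0 priority 8192
!
! Root guard on the downlinks toward the access layer. If a superior BPDU
! arrives on one of these ports, the port goes root-inconsistent (blocking)
! instead of letting the downstream switch become root. It recovers by
! itself once the superior BPDUs stop.
interface range GigabitEthernet1/0/1 - 2
 description Downlinks to Access Switch 1 and 2
 spanning-tree guard root
!
! Do NOT put root guard on the Core1<->Core2 link: Core 2 (priority 16384)
! must be allowed to take over as root if Core 1 fails.

! ===== Core 2: secondary root (priority 16384) =====
! Same region settings as Core 1, plus:
spanning-tree mst 0 priority 16384
interface range GigabitEthernet1/0/1 - 2
 description Downlinks to Access Switch 1 and 2
 spanning-tree guard root

! ===== Access Switch 1 =====
spanning-tree mode mst
! Global BPDU guard: any portfast port that receives a BPDU is err-disabled.
spanning-tree portfast bpduguard default
!
! Ordinary end-host ports keep portfast and inherit BPDU guard.
interface range GigabitEthernet0/2 - 22
 switchport mode access
 spanning-tree portfast
!
! Gi0/1: the tenant's switch, single cable, one VLAN, access port.
! BPDU guard would shut this port as soon as the tenant switch speaks STP,
! so it is disabled here only, and root guard takes its place: the tenant
! may run STP, but a superior BPDU blocks the port rather than moving root.
interface GigabitEthernet0/1
 description Tenant switch (not under our control)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast disable     ! let STP run normally on this link
 spanning-tree bpduguard disable    ! per-port override of the global default
 spanning-tree guard root
 ! Storm control bounds the damage if the tenant creates a loop behind this
 ! port without STP: broadcast above 1% of line rate shuts the port down.
 storm-control broadcast level 1.00
 storm-control action shutdown
!
! Bring err-disabled ports back automatically after 5 minutes instead of
! requiring a manual shut/no shut.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
```

Two points on the choices made here. BPDU filter is deliberately absent from the tenant port: filtering drops the BPDUs that root guard relies on to detect a competing root, and with no STP information from the tenant switch a loop inside their equipment would only be visible as traffic volume, which is what the storm-control line is for. Loop guard is also left out because it addresses a different failure, a blocking port that stops receiving BPDUs on a link that is still up (typically a unidirectional fibre fault), and does nothing about a loop entirely inside the tenant's switch.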