69366 Views, 128 Helpful, 4 Replies

root guard vs bpdu guard

alliasneo1
Level 1

Hi,

Why would you choose one over the other?

Root-guard will stop a superior bpdu from becoming the root.

Bpdu guard will stop another switch from connecting entirely by shutting the port down.

Why not just configure bpdu guard on all access layer ports and be done with it? It would seem like this would be a better option?

2 Accepted Solutions

Arumugam Muthaiah
Cisco Employee

Hi Daryl,

BPDU guard and Root guard are similar, but their impact is different.

BPDU Guard

  • BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP.

  • You must manually reenable the port that is put into errdisable state or configure errdisable-timeout. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.


Root guard

  • Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

  • The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state.

Note: Root guard is best deployed towards ports that connect to switches which should not be the root bridge.

The Root Guard feature can be enabled on all switch ports in the network off of which the root bridge should not appear.

Root guard protects the root bridge from being modified without administrator permission by another switch.

BPDU Guard blocks ports assigned to user access from being connected to non-authorized switches.

So BPDU guard is more like a standard security option for normal edge (PortFast) ports, while root guard is more likely for specific scenarios.

Refer:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml#diff

Regards,

Aru

*** Please rate if the post is useful ***

Stuart Gall
Level 1

If you manage all the switches you do not need root guard, because you can just set the switch priorities.
Root guard is needed when you connect a network that you manage to one that you do not.
You may or may not want BPDUs but you definitely will not want a switch that you do not manage becoming the root.

Also IMPORTANT:
There are two ways to use BPDU guard; it is often misunderstood.
On an interface, BPDU guard will put the port into err-disable state if a BPDU is received.

In global configuration mode BPDU guard will disable port fast on any interface if a BPDU is received.

Sent from Cisco Technical Support iPad App

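As an added illustration of the deployment both accepted answers describe (this configuration is not from any poster in the thread; the interface names, VLAN number and recovery timer are assumed for illustration), here is a Cisco IOS access-layer switch with interface-level BPDU guard on the user-facing PortFast ports, root guard on a port facing a switch you do not manage and that must never become root, the priority setting that makes your own intended root win (Stuart's point), and the errdisable recovery and show commands used to check the outcome.

```cisco
! Added example, not from the thread. Cisco IOS; "!" starts a comment.
! Interface names, VLAN 10 and the 300-second recovery timer are assumed.

! --- On the switch that is meant to be root for VLAN 10 ---
! Inside a network you fully manage, root placement is decided by priority
! (must be a multiple of 4096; lower wins), not by root guard.
spanning-tree vlan 10 priority 4096
!
! --- User-facing access ports: PortFast + BPDU guard ---
! Any BPDU received on these ports errdisables the port, so a switch
! plugged into a user jack never joins the spanning tree at all.
interface range GigabitEthernet1/0/1 - 24
 description USER-ACCESS
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Port towards a switch you do not manage (partner, tenant, ISP CPE) ---
! Root guard lets that switch take part in STP but never become root:
! a superior BPDU moves the port to root-inconsistent (blocking) state,
! and the port recovers on its own once the superior BPDUs stop.
interface GigabitEthernet1/0/48
 description DOWNLINK-UNMANAGED-SWITCH
 switchport mode trunk
 spanning-tree guard root
!
! --- Optional: automatic recovery from the BPDU-guard errdisable state ---
! Without this a bpduguard-errdisabled port stays down until an operator
! runs "shutdown" followed by "no shutdown" on it.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification (exec mode) ---
! show spanning-tree inconsistentports   -> ports currently held by root guard
! show interfaces status err-disabled    -> ports shut by BPDU guard, with the cause
! show errdisable recovery               -> which causes auto-recover and the timer
! show spanning-tree vlan 10             -> confirms which bridge is root and why
```

Note the asymmetry this makes visible: a BPDU-guard event leaves a port down (and, with recovery enabled, a flapping port in `show interfaces status err-disabled` is a strong signal that someone keeps attaching a switch), whereas a root-guard event shows up only in `show spanning-tree inconsistentports` and clears silently when the superior BPDUs stop, so it is worth logging or polling that output if you rely on root guard at a boundary you do not control.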
4 Replies

Great and very simple explanation. Kudos, man.

Ref BPDU Guard global configuration: is the global operation you describe not called BPDU Filtering?
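Added example, not from any poster in the thread: the two global PortFast defaults on Cisco IOS side by side, since the reply above asks which one is meant. `spanning-tree portfast bpduguard default` applies BPDU guard (errdisable on a received BPDU) to every PortFast-enabled port, exactly like the per-interface command. `spanning-tree portfast bpdufilter default` is the one that drops PortFast on a port when a BPDU arrives; it does not errdisable the port. Interface names are assumed.

```cisco
! Added example, not from the thread. Cisco IOS; "!" starts a comment.
! Interface names are assumed. Both global defaults act only on ports
! that are PortFast-enabled.

! (a) Global BPDU guard.
!     A BPDU received on any PortFast port errdisables that port,
!     the same outcome as "spanning-tree bpduguard enable" per interface.
spanning-tree portfast bpduguard default
!
! (b) Global BPDU filter.
!     PortFast ports send a handful of BPDUs at link-up and then stop.
!     If a BPDU is RECEIVED, the port loses PortFast and BPDU filtering and
!     returns to normal STP operation; it stays up and is not errdisabled.
!     This is the "disables PortFast on the port" behaviour.
spanning-tree portfast bpdufilter default
!
! A port that is under the global defaults:
interface GigabitEthernet1/0/5
 description USER-ACCESS
 switchport mode access
 spanning-tree portfast
!
! Per-interface commands override the global default on that port.
! Interface-level "spanning-tree bpdufilter enable" (NOT shown) is different
! from the global filter default: it suppresses sending and receiving of
! BPDUs unconditionally with no fallback, which effectively switches STP off
! on that port. Prefer interface-level BPDU guard on user ports instead.
interface GigabitEthernet1/0/6
 description USER-ACCESS
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Verification (exec mode) ---
! show spanning-tree summary
!     -> reports whether the PortFast, BPDU Guard and BPDU Filter defaults are on
! show spanning-tree interface GigabitEthernet1/0/5 detail
!     -> per-port view of PortFast, guard and filter state
! show interfaces status err-disabled
!     -> ports shut by (a); a port that merely fell out of PortFast under (b)
!        will not appear here, which is why (a) is the easier one to alarm on
```

From a defender's point of view the difference matters for detection as much as for behaviour: with the global BPDU guard default a rogue switch on a user port produces an errdisabled interface and a syslog entry, while with the global BPDU filter default the port quietly reverts to normal STP and the only trace is a port that is no longer PortFast in `show spanning-tree interface ... detail`.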