
Root guard

nnn_sss22
Level 1

Hello

If I enable root guard in global mode, will it be enabled only on all access ports, or also on trunk ports?

2nd question: if I have three switches in my topology, sw1, sw2 and sw3, and sw1 is the root bridge, then if I want to enable root guard, do I enable it on all switches?

2 Replies

Kevin Rivest
Level 1

I don't believe there is a way to enable root guard globally. At the interface level it is enabled with spanning-tree guard root. Are you instead asking about bpdu filter or bpdu guard?

If one of these is what you are asking about, then it would depend on whether the port is configured for portfast or not. If the access port is configured with portfast or the trunk port is configured with portfast trunk, then yes, both would be configured with bpdu guard or bpdu filter if globally enabled as the default. If the port is not configured as a portfast port it will not be enabled though.

If you are talking about root guard, it is enabled at the port level and can be configured on either access, trunk, or portfast ports.

For your second question again it depends on what spanning tree feature you are talking about.

If you are talking about root guard, you would enable it on the port from SW1 to SW2 and the port from SW1 to SW3. This is all based on your design though. If your design calls for root bridge redundancy or security, then you will have to place root guard on whatever ports are facing away from the expected location of any possible root bridge, or at your network trust boundary. You can also enable it on all other ports not expected to become root, such as those towards end hosts and devices not participating in STP.

If you are talking about bpdu guard, you would normally only enable it on interfaces connecting to end hosts or other devices that do not participate in STP.

If you are talking about bpdu filter, it is a little bit different: it depends on whether you configure it globally or at the port level. If you enable it at the port level, you would normally configure this to partition the STP domain. You would configure it on the two ports (or one) on the segment that you would like to partition. It effectively turns off STP on the interface, neither sending nor processing BPDUs. If you enable it globally, you would normally do this for ports that are not expected to receive BPDUs and participate in STP. At port up, the port sends 11 BPDUs, and if a BPDU is received it would transition to a normal STP port and participate in STP. If a BPDU is not received in response within this time frame, the port stops sending and processing BPDUs, again effectively turning STP off. This is normally used in an environment where the device connected is unknown and may be a device that will participate in STP, or may be an end host that will not. You have to be careful configuring bpdu filter, as it effectively disables STP and you can create switching loops if you have any physical loops in the network.

Hope this explains everything and is what you are looking for.
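
As an added illustration of the placement rules described in this reply (example code, not from the thread or from Cisco), the following Python script parses a constructed IOS-style running-config for the root bridge SW1 and flags downlinks that lack root guard, portfast edge ports that lack BPDU guard (either per port or via the global default), and any use of BPDU filter. The interface names, descriptions and the sample config are assumptions.

```python
# Constructed sample running-config for SW1 (the root bridge); interface
# names and descriptions are assumptions, not taken from the thread.
SAMPLE_CONFIG = """\
spanning-tree vlan 1-4094 priority 0
interface GigabitEthernet1/0/1
 description downlink to SW2
 switchport mode trunk
 spanning-tree guard root
interface GigabitEthernet1/0/2
 description downlink to SW3
 switchport mode trunk
interface GigabitEthernet1/0/10
 description end host
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/11
 description unknown device
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
"""

def parse_config(text):
    """Split IOS-style text into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # back at global config level
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(text, downlinks):
    """Return findings; `downlinks` are the ports facing away from the root bridge."""
    global_lines, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        if name in downlinks and "spanning-tree guard root" not in lines:
            findings.append(f"{name}: downlink without root guard")
        if "spanning-tree portfast" in lines and not (
                guard_default or "spanning-tree bpduguard enable" in lines):
            findings.append(f"{name}: portfast port without bpdu guard")
        if any(l.startswith("spanning-tree bpdufilter") for l in lines):
            findings.append(f"{name}: bpdufilter disables STP here; check for loops")
    return findings
```

Run `audit(SAMPLE_CONFIG, {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"})` to list the gaps; prepending the global `spanning-tree portfast bpduguard default` line clears the portfast findings but not the missing root guard or the bpdufilter warning.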

Moses Fernandes
Level 1

A 2). If you manage all the switches you do not need root guard, because you can just set the switch priorities. Root guard is needed when you connect a network that you manage to one that you do not.
