12-04-2013 09:24 PM - edited 03-07-2019 04:56 PM
Hi,
We have a 45xx switch, and we enabled spanning tree root guard on the ports connected to the access switch via fiber uplink,
and we enabled spanning tree loop guard on the access switch side.
One of my core switch ports is connected to a Juniper Netscreen firewall.
Do I need to enable spanning tree guard root on the same port on the core switch side or not?
If yes, are any config changes required on the Juniper Netscreen box?
Br/Subhojit
12-04-2013 11:34 PM
It depends if the Netscreen is running STP but probably it's not? If it's not sending BPDUs then there is no need to apply root guard there. You can check with show spanning-tree interface detail on the interface leading to the Netscreen. Check for incoming BPDUs.
Daniel Dib
CCIE #37149
12-04-2013 11:39 PM
Hi, please find the output:
Port 130 (GigabitEthernet3/2) of VLAN0054 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.130.
Designated root has priority 8246, address 001b.d474.8a40
Designated bridge has priority 16438, address 001b.0cee.0440
Designated port id is 128.130, designated path cost 3
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 5847158, received 0
At present, the config shown in bold is enabled on the port.
Br/Subhojit
12-04-2013 11:54 PM
Hi Subhoj,
As per your output, no BPDUs are being received, so it is not required to configure spanning tree root guard. As a best practice you can enable it.
Thanks
Venkat
12-06-2013 02:14 AM
Like Venkat said it's not really necessary but you can enable it if you want to.
Daniel Dib
CCIE #37149
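The check suggested in this thread (look at the received-BPDU counter and the guard settings per port) can be scripted when many uplinks need reviewing. The following is an added example, not part of any poster's reply: the first sample block is the output posted above, the second block (GigabitEthernet3/3) is constructed, and the function names `parse_ports` and `audit` are hypothetical.

```python
import re

# First block: output posted in this thread. Second block: constructed
# for illustration (a port whose neighbour does send BPDUs).
SAMPLE = """\
Port 130 (GigabitEthernet3/2) of VLAN0054 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.130.
Designated root has priority 8246, address 001b.d474.8a40
Designated bridge has priority 16438, address 001b.0cee.0440
Designated port id is 128.130, designated path cost 3
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 5847158, received 0
Port 131 (GigabitEthernet3/3) of VLAN0054 is designated forwarding
Link type is point-to-point by default
BPDU: sent 1200, received 37
"""

HEADER = re.compile(r"Port \d+ \((\S+)\) of (\S+) is (.+)")
BPDU = re.compile(r"BPDU: sent (\d+), received (\d+)")

def parse_ports(text):
    """Split 'show spanning-tree interface ... detail' output into per-port/VLAN records."""
    ports = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            ports.append({"port": m.group(1), "vlan": m.group(2), "state": m.group(3),
                          "root_guard": False, "bpdu_filter": False, "sent": None, "received": None})
        elif not ports:
            continue  # ignore anything before the first port header
        elif line.lower().startswith("root guard is enabled"):
            ports[-1]["root_guard"] = True
        elif line.lower().startswith("bpdu filter is enabled"):
            ports[-1]["bpdu_filter"] = True
        elif (m := BPDU.match(line)):
            ports[-1]["sent"], ports[-1]["received"] = int(m.group(1)), int(m.group(2))
    return ports

def audit(ports):
    """List ports that receive BPDUs while root guard is off (candidates for review)."""
    return [(p["port"], p["vlan"], "receives BPDUs, root guard not enabled")
            for p in ports if p["received"] and not p["root_guard"]]

if __name__ == "__main__":
    for finding in audit(parse_ports(SAMPLE)):
        print(finding)
```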