12-15-2015 01:15 PM - edited 03-08-2019 03:07 AM
Hello,
I'm a bit confused about which ports to enable STP Root Guard on. I have a Distribution Switch, which has been configured as the Root Bridge. This Dist sw has 7 downstream access-layer switches that are directly uplinked to it via 10Gb Trunk Ports. These ports would be "Root" ports because they connect directly to the Root Bridge and none of them is linked to the other access-layer switch.
The document below states "The root guard ensures that the port on which root guard is enabled is the designated port." So, we don't need to enable STP Root Guard on the downstream switches whose ports are uplinked to the Dist switch (Root Bridge). Is that right?
Also, do we need to enable "Root Guard" on access-ports which are used to connect end-devices?
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
Thanks in advance.
Best, ~zK
12-15-2015 02:41 PM
Hi,
From the link above:
"You must enable root guard on all ports where the root bridge should not appear. In a way, you can configure a perimeter around the part of the network where the STP root is able to be located."
I think you are right: if your access switches only connect to the root switch and not to each other, then on the root switch the root guard command should be on the ports connected to access switches. On the access switches, root guard is not required on the port that connects to the root switch, but would be required on any other port with devices running STP.
HTH
Richard
12-15-2015 04:36 PM
Thanks, Rich.
I figured it out. I enabled Root Guard on the Root Bridge ports and enabled loop guard on the uplink ports.
Thanks again.
~zK
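The placement this thread settles on, written out as an added example (not configuration posted by either participant): root guard on the root bridge's downlinks, loop guard on each access switch's uplink. Interface names and numbering are assumptions; substitute the real ports.

```cisco
! --- Distribution switch (the configured root bridge) ---
! Assumed: the 7 access-layer downlinks are Te1/0/1 through Te1/0/7.
! Root guard keeps these ports designated; a superior BPDU from below
! cannot move the root away from this switch.
interface range TenGigabitEthernet1/0/1 - 7
 description Downlink trunk to access-layer switch
 spanning-tree guard root
!
! --- Each access-layer switch ---
! Assumed: the single uplink to the distribution switch is Te1/1/1.
! This is the root port, so root guard does NOT go here (it would block
! the legitimate root). Loop guard protects against the port wrongly
! transitioning to forwarding if BPDUs from the root stop arriving.
interface TenGigabitEthernet1/1/1
 description Uplink trunk to distribution switch (root port)
 spanning-tree guard loop
!
! --- Verification (exec mode, on either switch) ---
! show spanning-tree inconsistentports
! show spanning-tree interface TenGigabitEthernet1/0/1 detail
```

A root-guard port that receives a superior BPDU is placed in the root-inconsistent state and returns to normal on its own once the superior BPDUs stop, so `show spanning-tree inconsistentports` is the quick check for a downstream device trying to claim root.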