Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1100
Views
5
Helpful
7
Replies

STP Root Guard - Clarification

Not applicable

‎11-14-2012 04:25 AM - last edited on ‎03-07-2019 10:02 AM by

Hi all,

I've just been reading up on STP root guard, and whilst I'm sure there are plenty, I'm struggling to see scenario's where you would use this over bpdu guard.

If you are talking about access ports accessible outside of a secured wiring closet, then I'm guessing bpdu guard would be the most suitable protection. Otherwise I could only really see root guard being used in a comms room to protect against misconfiguration by an administrator...

Is anybody able to give some examples of where you would use root guard over bpdu guard in a real world scenario?

Cheers,

Neil               

Labels:
0 Helpful
7 Replies 7

Hari Vishnu
Level 1
Level 1

‎11-14-2012 04:37 AM

Practically there will be unused switch ports in default Dynamic desirable mode. There can be chance that admin/other employee connect an old switch (having lower priority) to the switch port and negotiate a truck. The newly added switch can become the STP root.

Hope this helps.

Thanks

Hari

0 Helpful

Not applicable
In response to Hari Vishnu

‎11-14-2012 04:46 AM

Hari,

Thanks for this. In this instance though, would you not be better off using bpdu guard, thus preventing the switch from being connected with a poor or incorrect configuration?


From what I've read, it sounds to me as though root guard isn't really a security feature, it's just a means to enforce your topology design. I realise that could well make it a security feature to prevent somebody maliciously changing your topology, but in the instance you mention above somebody would have to have physical access to a switchport and ultimatley ownership of the device being attached.

However, I would have assumed the following:

  • Unused switch ports should be shutdown or at minimum have bpdu guard configured.
  • You will want to be as dynamic as possible in accomodating STP changes, albeit to a design in order to ensure continuity and protect against as many failures (link or switch) as possible?

Is root guard something that would be more prevelant the more switches you chain off of one and other, and less prevelant in a core & access design?

0 Helpful

Abzal
Level 7
Level 7

‎11-14-2012 04:50 AM

Hi,

What Is the Difference Between STP BPDU Guard and STP Root Guard?

BPDU guard and root guard are similar, but their impact is different.       BPDU guard disables the port upon BPDU reception if PortFast is enabled on the       port. The disablement effectively denies devices behind such ports from       participation in STP. You must manually reenable the port that is put into       errdisable state or configure errdisable-timeout.

Root guard allows the device to participate in STP as long as the       device does not try to become the root. If root guard blocks the port,       subsequent recovery is automatic. Recovery occurs as soon as the offending       device ceases to send superior BPDUs.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

Hope it will help.

Best regards,
Abzal
0 Helpful

Not applicable
In response to Abzal

‎11-14-2012 04:56 AM

Thanks. I'd seen that, but I'm still confused with a scenario where you would want to prevent STP being dynamic in it's election of a new root by using root guard.

I can only assume that this scenario would be that you would conclude operationally you would accommodate up to x amount of root bridge failures, and after x it's likelihood of further failure is reduced to the point where it doesn't justify the security risk?

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to

‎11-14-2012 09:23 AM

Hello Neil,

Basically, the Root Guard is a feature more interesting in scenarios where you interface a separate, independent switched domain operated by someone else but for whatever reason, you need to have a single STP instance that interoperates across both your and the "neighbor" domain. It is your requirement that whatever the neighbor does, he may not overthrow your root switch - you are the domain that holds the root and you do not want that ever to change. In these cases, the Root Guard is something that allows you to interoperate your STP with the neighbor's STP but it still prevents the neighbor from hijacking your root.

This may be a situation more typical for large enterprises or service providers but I admit, it is quite rare.

Best regards,

Peter

Not applicable
In response to Peter Paluch

‎11-15-2012 01:42 AM

Thanks Peter, that clarifies it enough for me. I appreciate the input.

0 Helpful

raadalhafnawi
Level 1
Level 1

‎11-15-2012 04:24 AM

If the root guard is enabled on the interface, it ensure that the port is designated port and if this port recieves the bpdu, it puts the port in root-inconsistent state which means listening state (no way to forward the traffic through it)...i donnt think i can negotiate that port to become trunk...regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card