What ports should I configure root guard, loop guard, and BPDU guard on?

langcblt
Level 1

I am learning Cisco configuration and want to configure loop guard, root guard, and BPDU guard on the switch ports, but I am not sure which interfaces I should configure those commands on so that they will not affect the STP. I saw some recommendations that I can configure spanning-tree loop guard default globally, but I am not sure if it affects the STP. Please advise. Thank you.

3 Accepted Solutions

marce1000
VIP

> ...but not sure if it affects the STP.

Good insight. Initially you should do nothing, meaning define the correct root bridge according to your intended network layout and setup, check device logs, and look for loops, which should not appear. Then you may configure BPDU guard on ports in access mode or globally.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

As my friend Mr. Marce mentioned, you need to know the topology.
But for reference, please see the photo below showing exactly where you need each guard in the topology "this topology is triangle STP".

[Image: ccnp-switch-faq-protecting-spanning-tree-protocol-topology.jpg]

Hello
Regarding root guard, it would be more beneficial if you had boundary STP ports between differing STP domains, but within a single STP domain I would refrain from applying this feature.

The reason being, if you lost the direct connection between the primary and secondary root switches, then either of those switches would need to transition into having a root port to reach the primary root switch.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

8 Replies

Thank you so much for providing the diagram explaining how STP rootguard, loopguard and bpduguard should be configured.

I agree that an accurate map of the current network topology should be created before configuring the above technology, but currently I don't have a tool to map out the network layout for approximately 110 devices. 

 

Is there a best way to figure out which device is elected as a root bridge from the device configuration? In my switch configuration the show spanning-tree shows some VLANs, Root ID and says this bridge is the root, but other VLANs do not say it is the root bridge.

 

thanks
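
For the per-VLAN root question above, the `show spanning-tree` output of each switch can be parsed in bulk instead of read by eye. This is an added example, not code from any poster in this thread; the sample output is constructed and trimmed, and `root_summary` is a hypothetical helper name.

```python
import re

# Constructed, trimmed sample of PVST+ `show spanning-tree` output (not from the thread).
SAMPLE_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0011.2233.4455
             This bridge is the root
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0011.2233.4455
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     00aa.bbcc.dd01
             Cost        4
             Port        25 (GigabitEthernet1/0/25)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0011.2233.4455
"""

INSTANCE_RE = re.compile(r"^(VLAN\d+|MST\d+)\s*$")

def root_summary(show_output):
    """Map each STP instance to its root bridge and whether this switch is it."""
    summary, current, in_root = {}, None, False
    for line in show_output.splitlines():
        header = INSTANCE_RE.match(line)
        text = line.strip()
        if header:
            current = summary[header.group(1)] = {"is_root": False}
            in_root = False
        elif text.startswith("Root ID"):
            in_root, text = True, text[len("Root ID"):].strip()
        elif text.startswith("Bridge ID"):
            in_root = False  # local bridge details follow; not needed here
        if current is None or not in_root:
            continue
        fields = text.split()
        if text == "This bridge is the root":
            current["is_root"] = True
        elif fields[:1] == ["Priority"]:
            current["root_priority"] = int(fields[1])
        elif fields[:1] == ["Address"]:
            current["root_address"] = fields[1]
        elif fields[:1] == ["Port"]:  # local interface leading toward the root
            current["root_port"] = text[text.index("(") + 1:text.rindex(")")]
    return summary
```

Where a VLAN is not rooted on the local switch, `root_address` identifies the root bridge and `root_port` shows which local interface leads toward it, so the root can be traced hop by hop without a topology map.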

Approximately 110 devices, wow, that is huge. I don't think they are all in the same STP domain? Or are many of them L3 devices and servers?

Thank you for your response. 

balaji.bandi
Hall of Fame

Here is from my notes:

ROOT-GUARD - Root guard for spanning tree can be used to prevent a certain switch from becoming the root bridge. Even if you receive a superior BPDU from another switch, the root guard will prevent that switch from becoming the root bridge.

LOOPGUARD: Spanning Tree Loop Guard helps to prevent loops when you use fiber links.

BPDU-GUARD - Spanning Tree BPDU guard ensures that an interface will be error-disabled as soon as you receive a BPDU on it. This is useful on access ports where you shouldn't expect any BPDUs and will protect your switched network.

Some reference:

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

BB

***** Rate All Helpful Responses *****
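
The BPDU guard advice in this thread (access ports, per interface or globally) can be checked against a saved running-config. This is an added example, not code from any poster here; the config excerpt is constructed and `audit_bpdu_guard` is a hypothetical helper. It relies on the fact that the global `spanning-tree portfast bpduguard default` command only protects ports that are also PortFast ports.

```python
import re
# Constructed running-config excerpt; interface names and roles are made up.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/25
 switchport mode trunk
 spanning-tree guard loop
"""

GLOBAL_GUARD = re.compile(r"spanning-tree portfast (edge )?bpduguard default")
PORTFAST = re.compile(r"spanning-tree portfast( edge)?")

def audit_bpdu_guard(config):
    """Return (interface, finding) pairs where BPDU guard and port role disagree."""
    global_lines, ports, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # "!" separators and global commands end the interface stanza
            current = None
            global_lines.append(line.strip())
    guard_default = any(GLOBAL_GUARD.fullmatch(g) for g in global_lines)
    findings = []
    for name, lines in ports.items():
        explicit = "spanning-tree bpduguard enable" in lines
        # The global default only covers ports that are also PortFast ports.
        inherited = guard_default and any(PORTFAST.fullmatch(l) for l in lines)
        if "switchport mode access" in lines and not (explicit or inherited):
            findings.append((name, "access port without BPDU guard"))
        if "switchport mode trunk" in lines and explicit:
            findings.append((name, "BPDU guard on a trunk: confirm no switch is attached"))
    return findings
```

On the sample, `GigabitEthernet1/0/2` is reported because it is an access port with neither PortFast nor an explicit guard, and `GigabitEthernet1/0/24` is reported because a neighbouring switch's BPDUs would error-disable it.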
