Spanning-Tree RootGuard

Hi Thomas,

  1. I would prefer BPDU guard on the access layer switches towards the hosts. You don’t want to see any BPDUs from the hosts; if you see them, then someone has been messing with bridge mode (bridging two NICs) or they connected a switch. One exception could be a wireless access point; some of those send BPDUs. If you have BPDU guard enabled, there’s no need to use root guard since a BPDU triggers a violation.

We use root guard on interfaces where we DO want to receive BPDUs from but we don’t want to accept a root switch on these interfaces.

  2. Take a look at this picture:

In a network like this, you probably want one of the core switches to be the root bridge and the other one to be the backup. Your core switches should never accept a distribution switch as a root so you could configure root guard on the core interfaces that connect to the distribution switches.

Your distribution switches also should never accept the access layer switches as a root, so on the distribution switch interfaces facing the access layer, enable root guard.

In your example with SW1, SW2 and SW3, you want to make sure that SW1 or SW2 always remains the root. If someone gets access to SW3 and sets the STP priority to 0, it would normally become the root bridge. If you use root guard on SW1 or SW2 then you can prevent this without disturbing STP operations.

Hope this helps!

Rene

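The placement described in the reply above, written out as an added Cisco IOS configuration example (this is not part of the original post or of the author's lab). It assumes SW1 and SW2 are the core switches, SW3 is the access switch, and the interface numbers (Gi0/1 towards SW3, Gi0/10-24 as host ports) are placeholders chosen for the example:

```cisco
! SW1 - intended root bridge. Root guard on the uplink to SW3: BPDUs are still
! accepted from SW3, but a superior BPDU (e.g. SW3 set to priority 0) puts the
! port into root-inconsistent (BKN) state instead of letting SW3 take over.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
interface GigabitEthernet0/1
 description Link to SW3 (access)
 spanning-tree guard root
!
! SW2 - backup root bridge, same treatment on its link to SW3.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 8192
!
interface GigabitEthernet0/1
 description Link to SW3 (access)
 spanning-tree guard root
!
! SW3 - access switch. Host ports must never send BPDUs, so BPDU guard
! err-disables the port as soon as one arrives (bridged NICs, rogue switch).
interface range GigabitEthernet0/10 - 24
 description Host ports
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: let BPDU-guard err-disabled ports recover on their own after the
! default timer instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause bpduguard
```

The two mechanisms fail differently, which is worth checking during a test: a root-guard port shows up in `show spanning-tree inconsistentports` and returns to normal on its own once the superior BPDUs stop, while a BPDU-guard violation err-disables the port (visible in `show interfaces status err-disabled`) and stays down until it is recovered. Verify the core side with `show spanning-tree interface GigabitEthernet0/1 detail`, which lists the root guard setting on the port.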