I have the following diagram, with two distribution switches connected back to back over vPC.
Related spanning-tree question: is it OK to use RootGuard on both distribution switches where the access switch is connected, or should I only use RootGuard on ROOT switches?
- RG – Root Guard
- BG – BPDU Guard
Best Answer
Based on the comments I think you are confused about `guard root`. You configure `guard root` on the downstream interfaces of all the switches, except the root switch. Basically, you are trying to protect the root interfaces on a switch (root switches do not have root interfaces) by preventing the other interfaces from becoming root interfaces. This will protect the topology that you have put in place. Interfaces that have `portfast` and `bpduguard` do not need `guard root` because they will disable if any BPDU (superior, or not) is received on the interface.

Cisco explains it in Spanning Tree Protocol Root Guard Enhancement. Notice in the example, it tells you to configure `guard root` on the Switch C (non-root switch) interface toward Switch D.

Edit:

This is another Cisco Root Guard diagram showing the placement of `guard root`, not on the root switch, but on the switches to be protected from a rogue root switch:

If the root switch is receiving superior BPDUs, then your topology is already compromised. It is not to protect the root switch, but it is designed to protect the rest of the switches from being fooled into thinking an incorrect switch is the root switch by protecting other interfaces from becoming root interfaces.
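
The placement rule from the answer above, as an added example that is not part of the original post: a Python check that parses an IOS-style configuration of a non-root switch and flags every interface that is neither an uplink, nor set to `guard root`, nor covered by `portfast` plus `bpduguard`. The sample configuration, the `uplinks` parameter and the function names are assumptions made for this illustration.

```python
import re

# Constructed IOS-style config for a non-root switch (sample data, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink toward the root switch
!
interface GigabitEthernet0/2
 description downstream switch
 spanning-tree guard root
!
interface GigabitEthernet0/3
 description downstream switch, nothing configured
!
interface GigabitEthernet0/4
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
 spanning-tree portfast
!
"""

def parse_interfaces(config):  # interface name -> list of its sub-commands
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_root_guard(config, uplinks):
    """Classify each interface of a non-root switch by the placement rule."""
    verdicts = {}
    for name, cmds in parse_interfaces(config).items():
        portfast = any(c.startswith("spanning-tree portfast") for c in cmds)
        if name in uplinks:  # assumed input: ports meant to be root ports
            verdicts[name] = "uplink"
        elif "spanning-tree guard root" in cmds:
            verdicts[name] = "guard root"
        elif portfast and "spanning-tree bpduguard enable" in cmds:
            verdicts[name] = "portfast+bpduguard"
        else:
            verdicts[name] = "UNPROTECTED"
    return verdicts
```

Calling `audit_root_guard(SAMPLE_CONFIG, {"GigabitEthernet0/1"})` reports Gi0/3 and Gi0/5 as unprotected; the check reads per-interface commands only, so a globally enabled BPDU guard default is not taken into account.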