If you have BPDU guard on ports then they don't need root guard. Root guard
needs to be applied to anywhere a switch can be plugged into the network
that would affect your current L2 scheme. Both what I and Cristian have
stated depends on your implementation. But the key is if you only apply
root guard on the designated ports of the root switch and if something takes
over as root for the rest of the network except the root switch then you
haven't protected your network. You have broken your L2 domain.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
-----Original Message-----
From: Cristian Matei [mailto:cristian.matei_at_datanets.ro]
Sent: Wednesday, July 28, 2010 10:29 AM
To: 'Babatunde Sanda'; 'Tyson Scott'
Cc: 'Ankur Thakkar'; 'Tony claros'; 'Cisco certification'
Subject: RE: BPDU & Root Guard
Hi all,
It depends on the logical topology of the layer 2 domain; if you
follow Cisco's recommendation like redundant distribution layer with
dual-connected access switches on both distribution sw, you will enable root
guard at distribution level only on DSG/downstream ports towards access
switches; as root guard keeps DSG ports from becoming non-DSG. On access
switches there is no mean to use root guard on downstream ports towards
terminals but use BPDU guard.
Regards,
Cristian.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Babatunde Sanda
Sent: Wednesday, July 28, 2010 5:07 PM
To: Tyson Scott
Cc: Ankur Thakkar; Tony claros; Cisco certification
Subject: Re: BPDU & Root Guard
Tyson,
My understanding is that the root bridge should be planned to be at the
center of the network.
When this is planned out and all switches know of each other and who is the
root for each vlan through the initial discovery from sending BPDU traffic
into the network.
Identifying your central point and protecting it need be done only at this
central point with "guard root". You need not go configure "root guard" on
other switches except if they are acting as roots for other vlans. Hence the
initial command "spanning-tree vlan (vlan or range) root primary/secondary".
Is there something I missed in your thought process? Please explain.
Thank you
Sanda Babatunde B.Sc (Accounting) CCNP, CCVP, CCNA(R,S,V), MCSA, N+, A+.
Sent from my iPhone
On Jul 28, 2010, at 6:04 AM, "Tyson Scott" <tscott_at_ipexpert.com> wrote:
> Root guard should be applied to the edge of your controlled network. So not
> only the root switch but all your downstream switches too. You wouldn't
> want half of your network to disagree on who is root.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Ankur Thakkar
> Sent: Wednesday, July 28, 2010 12:39 AM
> To: Tony claros
> Cc: Cisco certification
> Subject: Re: BPDU & Root Guard
>
> Hi Tony,
>
> Root guard is ideally applied on all the ports of a root bridge so that it
> will not allow any superior BPDU's to demote itself.
>
>
> Rgrds
> Ankur
>
> On Sun, Jul 18, 2010 at 2:46 PM, Tony claros <tonyclaros26_at_gmail.com> wrote:
>
>> Hi
>>
>> When to use BPDU Guard && Root Guard.
>>
>> Condition needs to be applied on SW 2 that it should not become root for any vlan
>> solution : spanning-tree vlan 1-1005 priority 255 ( is this correct )
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> -------------------------
> "Born with a Noble personality is an accident .
> But dying with a Noble personality is an achievement "
Received on Wed Jul 28 2010 - 11:19:06 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 19:19:15 ART
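
Added example, not part of the original thread: a Python audit of a switch running-config for the rule discussed above, that every port other than the uplink toward the intended root carries either BPDU guard or root guard. The sample config, the interface names and the `uplinks` parameter are constructed assumptions, and only the classic `spanning-tree portfast bpduguard default` global form is recognised.

```python
import re

# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree guard root
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree bpduguard enable
interface GigabitEthernet0/5
 switchport mode access
"""

def parse_interfaces(config):
    """Return (global_bpduguard_default, {interface: [stanza lines]})."""
    interfaces, current, global_default = {}, None, False
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # back at global level
            global_default |= raw.strip() == "spanning-tree portfast bpduguard default"
    return global_default, interfaces

def audit_guards(config, uplinks):
    """Return {interface: finding}; uplinks = ports facing the intended root (operator input)."""
    global_default, interfaces = parse_interfaces(config)
    findings = {}
    for name, lines in interfaces.items():
        root_guard = "spanning-tree guard root" in lines
        # The global default only covers ports that have PortFast enabled.
        bpdu_guard = "spanning-tree bpduguard enable" in lines or (
            global_default and "spanning-tree portfast" in lines)
        if name in uplinks and root_guard:
            findings[name] = "root guard on the uplink toward the root"
        elif name not in uplinks and not (root_guard or bpdu_guard):
            findings[name] = "no BPDU guard or root guard"
    return findings
```

Calling `audit_guards(SAMPLE_CONFIG, {"GigabitEthernet0/1"})` flags only `GigabitEthernet0/5`, the one non-uplink port where a connected switch could still send superior BPDUs unchecked.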