    Root Guard Placement

    Steven Williams

      I was reading about Root Guard today and couldn't really decide where it should be placed. I have to assume all ports, because you don't know where a switch would be plugged in. But at the same time, if I am running BPDU guard on all access ports I shouldn't need root guard on them as well. So then I thought root guard should go on current trunk links, in case a network admin forgets to check the spanning-tree configuration on a switch and plugs a replacement in. Am I correct in thinking this?

          In our network we use root guard in conjunction with BPDU guard on the edge switches. This helps to prevent an end user from plugging a rogue switch into the network and assuming the role of the root bridge.





            Keith Barker - CCIE RS/Security, CISSP



            BPDU guard would be applied to ports where we should never see a BPDU, ever.


            Regarding Root Guard, if we want our core switches to be the primary and secondary candidates for root, it would be a great idea to manipulate the priorities so they would win the STP election.


            If a technician accidentally sets the priority on an access-layer switch (up on the 5th floor in the wiring closet) to a better value, and we want to protect the network from allowing the access switch to become root, then on the core switches (as well as the distribution switches, if we have them) we would use root guard on the ports facing the access-layer switches.


            We would want to look at our topology and make sure that root-guarded ports never need to be root ports as part of our failover plan, because if spanning tree decides that these guarded ports should be root ports, the ports will be blocked.


              Steven Williams

              So root guard should be placed on all ports in the distribution and core? Or just the current uplinks?

                Excellent explanation, Keith!


                Hollywood, you set root guard on any port where you should never see a root bridge downstream from it. If your root is at the distribution layer, and you route between distribution and core (i.e., no L2 links), then all access-link uplink ports should have root guard on them.
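Putting Keith's placement rules and the last reply's variant into Cisco IOS syntax, as an added example that is not part of any post in this thread: the core pair is given priorities that win the root election, root guard goes on the distribution ports that face access-layer switches (if the root lives at the distribution layer and the core is L3-only, as in the design just described, the same `spanning-tree guard root` lines belong on those distribution downlinks and nothing at the core is touched), and BPDU guard with PortFast goes on the user-facing access ports where a BPDU should never appear. The interface ranges, VLAN range and priority values are assumptions chosen for illustration, not taken from the thread.

```cisco
! --- Core switch A: intended primary root for every VLAN ---
! Priorities must be multiples of 4096; lower wins. Values are assumptions.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
!
! --- Core switch B: intended secondary root ---
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 8192
!
! --- Distribution switch: ports facing access-layer switches ---
! Root guard only on the downlinks. The uplinks toward the core are left
! alone because one of them must be able to become a root port on failover.
interface range GigabitEthernet1/0/1 - 24
 description Downlink to access-layer switch (assumed range)
 switchport mode trunk
 spanning-tree guard root
!
! --- Access switch: user-facing edge ports ---
! Any BPDU on these ports err-disables the port; PortFast marks them as edge.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
interface range GigabitEthernet1/0/1 - 48
 description User edge port (assumed range)
 switchport mode access
 spanning-tree portfast
!
! --- Verification, run from the distribution switch after a change ---
show spanning-tree inconsistentports
show spanning-tree summary
```

`show spanning-tree inconsistentports` lists any root-guarded port that has received a superior BPDU and been put into the root-inconsistent (blocking) state; that port recovers by itself once the superior BPDUs stop, whereas a BPDU-guard violation err-disables the port until it is bounced or the recovery timer above fires. Before applying the guard, trace the failover paths: a root-guarded port that STP would otherwise choose as a root port after an uplink failure will be blocked instead, which is exactly the caveat in Keith's answer.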