added BPDU guard

This commit is contained in:
shango-wk
2026-05-28 18:07:53 +02:00
parent 172db956a3
commit fd0887a683
2 changed files with 73 additions and 0 deletions


@@ -33,3 +33,4 @@ tags:
[[Protocole Spanning Tree (part2)]]
[[PortFast (STP Toolkit)]]
[[BPDU Guard & BPDU Filter (STP Toolkit)]]
[[Root Guard (STP Toolkit)]]
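Review bot: the new entry `[[Root Guard (STP Toolkit)]]` matches the alias declared in the note this commit adds, but the commit message `added BPDU guard` names a different toolkit feature; amend it to something like `added Root Guard` so the history describes the change.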


@@ -0,0 +1,72 @@
---
id: 1779981231-AJMV
aliases:
- Root Guard (STP Toolkit)
tags: []
---
# Root Guard (STP Toolkit)
STP prevents loops by electing a root bridge and ensuring that each other switch has only *one valid path* to reach it.
YOu shouldn't randomly select the root bridge. Some things you should consider include:
- Optimal traffic flow
- minimize latency
- minimize congestion
- Stability and reliability
## The Problem
Within your own [[LAN]], you can easily control the root brdige by setting its priority to 0.
- But there are cases where you might connect your LAN to other switches outside of your direct control:
- A service provider offering Metro Ethernet service to customers
- Often used to connect sites within a [[MAN]]
- Even if you set your root bridge's priority to 0, its role can be taken by another switch with a lower
[[MAC address]] .
## The solution
- *Root Guard* can be configured to protect your [[STP]] topology by preventing your switches from
accepting superior [[BPDU]]s from switches outside of your control.
- Superior BPDUs = a BPDU that is superior in the STP algorith (e.g Claiming a better root bridge ID).
If you want to ensure that the root bridge rmains in your [[LAN]], you can configure Root Guard on the ports connected
to switches outside of your control
To enable root Guard on a port
```Cisco
SW1(config-if) spanning-tree guard root
```
There is no command to enable it by default from global config mode
If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state
effectively disabling it
- The port will not able to forward data frames and will discard any frames it receives.
To re-enable a port disabled by Root Guard, you must solve the issue that disabled the port
- the disabled port must stop receiving superior BDPUs.
- tell the customer to increase the priority value of their switch.
Once teh superior BPDUs received age out, the ports will automatically be re-enabled.
- A BPDU's Max Age is 20 seconds by default.
To see the Root guard
```Cisco
SW1(config-if)# do show spanning-tree
## if it's broken
Gi0/1 Desg BKN*4 128.3 P2p *ROOT_Inc
BKN = Broken
ROOT_Inc = Root inconsistent
## if it's Work
Gi0/1 Desg FWD 4 128.3 P2p
```
## Review
Prevents a port from becoming a Root Port by disabling it if superior BPDUs are received,
Thereby enforcing the current [[Root Bridge]]
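Review bot: the trigger condition in `If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state` is too broad; the rest of the note (`preventing your switches from accepting superior [[BPDU]]s` and `the disabled port must stop receiving superior BDPUs`) correctly scopes it to superior BPDUs, and a Root Guard port that only receives inferior BPDUs keeps forwarding, so this line should say "receives a superior BPDU". Smaller points: the configuration line `SW1(config-if) spanning-tree guard root` is missing the `#` that the later `SW1(config-if)# do show spanning-tree` prompt has; `YOu`, `brdige`, `algorith`, `rmains`, `teh`, `BDPUs` and `will not able to forward` need spelling fixes; and `root Guard` / `Root guard` should follow the `Root Guard` capitalisation used in the title.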