Root guard:
Enabling root guard protects the position of the root bridge.
Once root guard is enabled, the port will not accept any BPDUs
that are superior to the existing root bridge's BPDUs. If a better BPDU is received,
the port is placed into the root-inconsistent state.
The port is moved out of the root-inconsistent state once it
stops seeing superior BPDUs. The recovery is automatic.
In the standard core/distribution/access network model,
the root bridge is always positioned in the core layer. If an attacker
connected to the access layer generates a better BPDU (with priority zero), then
the access layer switch can become root, causing inefficient traffic paths, the attacker
sniffing all the traffic, etc.
Root guard should be enabled to avoid this kind of situation and to
ensure that the core switch remains the root.
Where to enable root guard?
On all the ports where root bridge should not appear.
In the standard network model, access layer switches should not
see any BPDUs from end hosts, so BPDU guard should be enabled there.
The distribution layer switches should not receive any better
BPDUs from access layer switches, so enable root guard on all the ports of the
distribution switches that connect to the access layer switches.
The core layer switches should not receive any better BPDUs from
distribution switches, so enable root guard on all the core ports connecting to the
distribution switches.
Here root guard should be enabled on:
Cat A --- fa1/1 and fa1/2
Cat B --- fa2/3
Cat C --- fa3/3 and fa3/1
Cat D --- None. BPDU guard is enabled on fa4/3.
Root guard can only be enabled at the port level.
It might be tempting to say that root guard must be enabled on all designated ports, or
to ask why there is no single global command that enables root guard on every
designated port.
Consider this topology.
Suppose the primary core switch Cat A goes down and Cat E becomes the
root bridge.
In this situation, Cat B fa2/1 will be the designated port for
that segment, and when Cat A comes back up, Cat B will not accept Cat A as the root
bridge if root guard is configured on fa2/1. So root guard need not always be
enabled on all designated ports; the topology should be considered and root guard
enabled only where required. This is why a single global command is not possible.
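The two behaviours described above (a guarded port dropping into root-inconsistent state on a superior BPDU and recovering automatically, and a guard on the wrong port rejecting the legitimate root after a failover) can be walked through with a small simulation. This is an added illustration, not code from the original note or from any Cisco product; the bridge IDs, port names and the simplified recovery rule (recover on the next non-superior BPDU rather than after the real max-age timer) are constructed assumptions.

```python
"""Toy model of STP root guard (added example; not Cisco code).

Assumptions (constructed): bridge IDs are (priority, MAC) pairs compared
numerically then lexically, and a port leaves root-inconsistent state on
the next non-superior BPDU instead of after the real max-age timer expiry.
"""
from dataclasses import dataclass
from enum import Enum


class PortState(Enum):
    FORWARDING = "forwarding"
    ROOT_INCONSISTENT = "root-inconsistent"


@dataclass(frozen=True, order=True)
class BridgeId:
    # Lower priority wins; MAC breaks ties. Cisco priorities are multiples of 4096.
    priority: int
    mac: str


def is_superior(candidate: BridgeId, current_root: BridgeId) -> bool:
    """A BPDU is 'superior' when its root ID is lower than the root we know."""
    return candidate < current_root


class Port:
    def __init__(self, name: str, root_guard: bool = False) -> None:
        self.name = name
        self.root_guard = root_guard
        self.state = PortState.FORWARDING


class Switch:
    def __init__(self, name: str, bridge_id: BridgeId) -> None:
        self.name = name
        self.bridge_id = bridge_id
        self.root = bridge_id          # until told otherwise, a switch believes it is root
        self.ports: dict[str, Port] = {}

    def add_port(self, name: str, root_guard: bool = False) -> Port:
        port = Port(name, root_guard)
        self.ports[name] = port
        return port

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId) -> str:
        """Process the root-ID field of a configuration BPDU seen on a port."""
        port = self.ports[port_name]
        if is_superior(advertised_root, self.root):
            if port.root_guard:
                # Root guard: refuse the new root and block the port instead.
                port.state = PortState.ROOT_INCONSISTENT
                return "root-inconsistent"
            self.root = advertised_root   # no guard: accept the better root
            return "new-root"
        if port.state is PortState.ROOT_INCONSISTENT:
            # Superior BPDUs stopped: automatic recovery, no operator action.
            port.state = PortState.FORWARDING
            return "recovered"
        return "ok"

    def inconsistent_ports(self) -> list[str]:
        """Rough equivalent of 'show spanning-tree inconsistentports'."""
        return [p.name for p in self.ports.values()
                if p.state is PortState.ROOT_INCONSISTENT]


# Constructed bridge IDs for the walk-through (not from any real network).
CORE_ROOT = BridgeId(4096, "00:00:00:00:00:0a")    # intended root (primary core)
BACKUP_ROOT = BridgeId(8192, "00:00:00:00:00:0e")  # secondary core
DIST = BridgeId(16384, "00:00:00:00:00:0b")        # distribution switch
ROGUE = BridgeId(0, "00:00:00:00:00:ff")           # priority-zero claim from access side


def attacker_scenario() -> tuple[str, list[str], str]:
    """Distribution switch with root guard on its access-facing port."""
    dist = Switch("Dist", DIST)
    dist.add_port("fa2/3", root_guard=True)
    dist.add_port("fa2/1")                        # uplink towards the core, no guard
    dist.receive_bpdu("fa2/1", CORE_ROOT)         # learns the legitimate root
    first = dist.receive_bpdu("fa2/3", ROGUE)     # superior BPDU from the access side
    blocked = dist.inconsistent_ports()
    later = dist.receive_bpdu("fa2/3", CORE_ROOT)  # rogue gone; normal BPDU again
    return first, blocked, later


def failover_scenario() -> str:
    """Guard on the primary-core uplink while the backup core is root."""
    dist = Switch("Dist", DIST)
    dist.add_port("fa2/1", root_guard=True)       # guard placed on the core uplink
    dist.add_port("fa2/2")
    dist.receive_bpdu("fa2/2", BACKUP_ROOT)       # Cat A is down; backup became root
    dist.receive_bpdu("fa2/1", CORE_ROOT)         # Cat A returns with the better ID
    return dist.ports["fa2/1"].state.value        # legitimate root is rejected


if __name__ == "__main__":
    print(attacker_scenario())   # ('root-inconsistent', ['fa2/3'], 'recovered')
    print(failover_scenario())   # root-inconsistent
```

The first scenario shows the intended effect: the priority-zero claim never changes the switch's idea of the root, the port shows up in the inconsistent-ports list, and it recovers on its own once only the real root is advertised. The second scenario is the failover case from the text: the same guard on an uplink that may legitimately see the returning primary core keeps the real root out, which is why placement has to follow the topology.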
Configuration:
SwitchA(config)#interface fa0/1
SwitchA(config-if)#spanning-tree guard root
SwitchA#show spanning-tree inconsistentports