Hi all, Ruckus says about root-guard that: "Root guard must be configured on the perimeter of the network rather than the core." But as far as I know the root guard should be configured on the core switch (most of the time the core switch is root Switch for the STP) to prevent any superior BPDU to come from the Access Switches. any explication about this quote?? Thank you
You configure Root guard at the edge of the network......so as to not have any switch converge to a new root bridge.....if you have a multiple hop network at L2 from edge to core...........why would you allow L2 bridges at any layer converge to a new root bridge?
I didn't understand your question, but root guard simply means : if you get a superior BPDU in the interface than there is something wrong , so it shouldn't be enabled on the Access switches as the AS receive superior BPDU from the CS? If i'm right so why the doc says ... rather than the Core ?
For all all properly configured bridges.....and all associated inter-switch links.....we have the spanning tree.....rooted. The core of the network should reside in the MDF and should be in a secure location..............IDF's with access switch's in somewhat less secure locations......and wall jacks not secure at all. This is a generalization........it is recommended that we apply root-guard on those ports that are at the edge of the network(wall jacks)....since they are not secure. However, the access or edge of the network can be the unused ports on core and aggregation switches as well. So look at the behavior of the root-guard feature.....it makes sense....in that in a well designed and properly deployed network..............you would know who the primary and secondary root bridges should be, all path costs from each network layer to the primary and secondary root bridges.....and which ports are designated to face or potentially path to the root bridge. If I inject a BPDU generating device into the environment, with a bridge priority that is lower than the root bridge..............or a bridge that has a lower priority than a other bridges at the same layer of the tree...then this would cause the tree to re-converge...and STP port states to change...and in the worse case the root bridge to change. So convergences does not need to only occur at the root level it can occur at any point inside the tree. Root-guard prevents these events from occurring...and also provides an automatic way for the network to recover, when the cause is removed....(no err-disable).