RootGuard and BPDUGuard
The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.
The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
Because an administrator can manually set the bridge priority of a switch to zero, root guard may seem unnecessary. However, setting the priority of a switch to zero does not guarantee that that switch will be elected as the root bridge, because another switch could also have a priority of zero and a lower MAC address, and therefore a lower Bridge ID (the lowest Bridge ID wins the root election).
Root guard is best deployed toward ports that connect to switches which should not be the root bridge.
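A Cisco IOS configuration that applies both features in the placement described above, added here as an example and not taken from the original page; the interface names, descriptions and the err-disable recovery interval are assumptions.

```cisco
! Global default: every PortFast edge port gets BPDU guard automatically
spanning-tree portfast bpduguard default
! Assumption: letting a BPDU-guard err-disabled port recover after 5 minutes is acceptable here
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! User-facing access port (hypothetical interface): a received BPDU err-disables the port
interface GigabitEthernet1/0/10
 description User-facing access port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink toward a switch that must never become root (hypothetical interface):
! a superior BPDU puts this port into the root-inconsistent state instead of re-electing the root
interface GigabitEthernet1/0/24
 description Downstream access switch
 switchport mode trunk
 spanning-tree guard root
!
! Verification
show spanning-tree summary
show spanning-tree inconsistentports
show interfaces status err-disabled
```

The explicit `spanning-tree bpduguard enable` on the access port is redundant with the global default but makes the intent visible in the running configuration; `show spanning-tree inconsistentports` lists any root-guard port currently blocked by a superior BPDU.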