Sharing Ilmu

Sharing for useful things

Spanning Tree (STP) Root Guard

When we implement layer 2 network, the standard STP doesn’t provide protection to change root bridge when there are one switch or connection port is down. Root bridge also can be change when bridge network received superior BPDU’s and change root bridge to undesired switch.

To solved the problem we can implement a root guard. The root guard provides a way to enforces root bridge placement in the network. That means the root guard ensures port that root guard enabled is on designated port.

When bridge network received a superior BPDU’s on the root guard enabled port, The port will move to a root-inconsistent STP state. This state is equal as listening state. No traffic will be forwarded. in this way the root guard enforces position of the root bridge.

To clearly understand the root guard concept. let’s look at the example of topology bellow :

On the Topology above the root bridge is CORE-1. for the alternate port is on SW-a e0/1 because e0/0 has a lower cost toward the root bridge.



CORE-1#sh span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address aabb.cc00.0100
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p

CORE-1#




 




CORE-2#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address aabb.cc00.0100
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p

CORE-2#




 




SW-A#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address aabb.cc00.0100
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Altn BLK 100 128.2 P2p

SW-A#




 




SW-B#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address aabb.cc00.0100
Cost 200
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0400
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p

SW-B#




 


Then what will be occur if the SW-B has a superior BPDU’s ? it will cause the problem the root bridge will be change to SW-B and also lead to topology changes. Let’s try to change SW-B with lower priority




SW-B(config)#spanning-tree vlan 1 priority 8192




After that, verify the stp topology again :




SW-B#show spanning-tree

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address aabb.cc00.0400
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8193 (priority 8192 sys-id-ext 1)
Address aabb.cc00.0400
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p

SW-B#


CORE-1#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address aabb.cc00.0400
Cost 200
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Root FWD 100 128.2 P2p


CORE-1#




CORE-2#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address aabb.cc00.0400
Cost 200
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Altn BLK 100 128.1 P2p
Et0/1 Root FWD 100 128.2 P2p


CORE-2#


SW-A#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address aabb.cc00.0400
Cost 100
Port 3 (Ethernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p
Et0/2 Root FWD 100 128.3 P2p

SW-A#






After SW-B assign a superior BPDUs then the stp topology will be changes. SW-B is undessired switch to become a Root Bridge and look at the SW-A port 0/2 become a root port state.  So to prevent the issue is occur, impelement spanning tree Root Guard on the port that will be protect as designated port and enforces the root bridge position.


Configure root guard on the e0/2 SW-A :




SW-A(config)#int e0/2
SW-A(config-if)#spanning-tree guard root




After configuration the root guard, if there is a superior BPDU it will be block by root guard.


You will received the log like this :




*Apr 16 06:56:10.929: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/2.
*Apr 16 06:56:11.308: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/2 on VLAN0001.






Then confirm the spanning tree configuration on CORE-1 and SW-A :


CORE-1 are still become a Root Bridge not changes the topology altough SW-B has a superior BPDU.




CORE-1#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address aabb.cc00.0100
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg FWD 100 128.1 P2p
Et0/1 Desg FWD 100 128.2 P2p

CORE-1#




 


And see on SW-A, the interface e0/2 has move to root-inconsistent stp state. So it will be prevent form changes the stp topology when there are undessired switch has a superior BPDU.




SW-A#show span

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address aabb.cc00.0100
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Altn BLK 100 128.2 P2p
Et0/2 Desg BKN*100 128.3 P2p *ROOT_Inc

SW-A#




 



z











        
        
Previous Article
Next Article
        

      
   







	         

    
    	

		 
Leave a Reply 
Your email address will not be published. Required fields are marked *.
*


*


 


You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes:  <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> 


 


	

	  
    





	
	

    			

        	

         

       

     

    
 
 

			Copyright © 2024 Sharing Ilmu All Right Reserved. Online CV Resume Theme By eDataStyle . Proudly powered by WordPress .