When we implement a Layer 2 network, standard STP gives no protection over where the root bridge ends up. The root bridge can change when a switch or a link goes down, and it can also change when the bridged network receives superior BPDUs, which moves the root role to an undesired switch.
To solve this problem we can implement root guard. Root guard provides a way to enforce root bridge placement in the network: it ensures that a port with root guard enabled stays a designated port.
When a superior BPDU is received on a root-guard-enabled port, the port moves to the root-inconsistent STP state. This state is equivalent to the listening state: no traffic is forwarded. In this way root guard enforces the position of the root bridge.
To clearly understand the root guard concept, let's look at the example topology below:
In the topology above the root bridge is CORE-1. On SW-A the alternate port is e0/1, because e0/0 has a lower cost toward the root bridge.
CORE-1#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p

CORE-1#
CORE-2#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             Cost        100
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p

CORE-2#
SW-A#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             Cost        100
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    P2p
Et0/1               Altn BLK 100       128.2    P2p

SW-A#
SW-B#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             Cost        200
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p

SW-B#
Then what will happen if SW-B sends superior BPDUs? The root bridge will change to SW-B, which also leads to topology changes. Let's give SW-B a lower priority:
SW-B(config)#spanning-tree vlan 1 priority 8192
After that, verify the STP topology again:
SW-B#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0400
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193   (priority 8192 sys-id-ext 1)
             Address     aabb.cc00.0400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p

SW-B#

CORE-1#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0400
             Cost        200
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Root FWD 100       128.2    P2p

CORE-1#

CORE-2#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0400
             Cost        200
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Altn BLK 100       128.1    P2p
Et0/1               Root FWD 100       128.2    P2p

CORE-2#

SW-A#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     aabb.cc00.0400
             Cost        100
             Port        3 (Ethernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p
Et0/2               Root FWD 100       128.3    P2p

SW-A#
After SW-B sends superior BPDUs the STP topology changes: SW-B, an undesired switch, becomes the root bridge, and SW-A port e0/2 becomes the root port. To prevent this, implement spanning-tree root guard on the port that should be protected as a designated port; this enforces the root bridge position.
Configure root guard on SW-A e0/2:
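The election and root-guard decision described so far, modelled in Python as an added example (not code from the original post). The bridge IDs are the ones in the show output above; the port-state strings mirror what IOS prints, and the model ignores path cost because the root election itself is decided by bridge ID alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeID:
    """STP bridge ID: 16-bit priority field (base priority + sys-id-ext)
    followed by the 48-bit MAC. The lowest value wins the root election."""
    priority: int
    mac: str  # Cisco dotted-hex notation, e.g. 'aabb.cc00.0100'

    def key(self) -> tuple:
        return (self.priority, int(self.mac.replace(".", ""), 16))


def is_superior(advertised_root: BridgeID, current_root: BridgeID) -> bool:
    """A BPDU is 'superior' when the root ID it carries is lower than the one we hold."""
    return advertised_root.key() < current_root.key()


def elect_root(bridges) -> BridgeID:
    """Plain STP election: the lowest bridge ID in the domain becomes root."""
    return min(bridges, key=BridgeID.key)


def designated_port_on_bpdu(advertised_root, current_root, root_guard: bool) -> str:
    """State of a designated port after it receives a BPDU.

    Without root guard a superior BPDU is accepted: the port becomes the root
    port and the topology reconverges around the new root. With root guard the
    BPDU is not accepted and the port goes root-inconsistent (BKN *ROOT_Inc),
    forwarding nothing until superior BPDUs stop arriving.
    """
    if not is_superior(advertised_root, current_root):
        return "Desg FWD"
    return "Desg BKN *ROOT_Inc" if root_guard else "Root FWD"


# Bridge IDs taken from the post's 'show spanning-tree' output (VLAN 1, sys-id-ext 1).
CORE_1 = BridgeID(32769, "aabb.cc00.0100")
CORE_2 = BridgeID(32769, "aabb.cc00.0200")  # same priority as CORE-1, loses on MAC
SW_A = BridgeID(32769, "aabb.cc00.0300")
SW_B = BridgeID(32769, "aabb.cc00.0400")
SW_B_PRIO_8192 = BridgeID(8193, "aabb.cc00.0400")  # after 'spanning-tree vlan 1 priority 8192'

if __name__ == "__main__":
    print("initial root:", elect_root([CORE_1, CORE_2, SW_A, SW_B]))
    print("root after SW-B lowers priority:", elect_root([CORE_1, CORE_2, SW_A, SW_B_PRIO_8192]))
    for guard in (False, True):
        print("SW-A e0/2 with root guard", guard, "->",
              designated_port_on_bpdu(SW_B_PRIO_8192, CORE_1, guard))
```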
SW-A(config)#int e0/2
SW-A(config-if)#spanning-tree guard root
After root guard is configured, a superior BPDU received on that port is blocked by root guard.
You will receive log messages like these:
*Apr 16 06:56:10.929: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/2.
*Apr 16 06:56:11.308: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/2 on VLAN0001.
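A small parser for these root guard syslog messages, as an added example that is not part of the original post. A ROOTGUARD_BLOCK means a neighbour is advertising a better root than the one you designed, so ports that stay blocked are worth a look. The two Ethernet0/3 lines in the sample and the %SPANTREE-2-ROOTGUARD_UNBLOCK message, which IOS logs when the port recovers, are constructed and do not appear on this page.

```python
import re

# Matches the three root-guard syslog forms; CONFIG_CHANGE has no "on VLANxxxx" part.
ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<event>BLOCK|UNBLOCK|CONFIG_CHANGE):.*?"
    r"port (?P<port>[A-Za-z]+\d+(?:/\d+)*)(?: on (?P<vlan>VLAN\d+))?\."
)


def parse_rootguard_events(lines):
    """Return one dict per root-guard syslog line: event, port, vlan (None for CONFIG_CHANGE)."""
    events = []
    for line in lines:
        m = ROOTGUARD_RE.search(line)
        if m:
            events.append({"event": m["event"], "port": m["port"], "vlan": m["vlan"]})
    return events


def currently_blocked(lines):
    """Replay BLOCK/UNBLOCK events in order; return the (port, vlan) pairs still blocked.
    A port that remains here is still hearing superior BPDUs from its neighbour."""
    blocked = set()
    for ev in parse_rootguard_events(lines):
        key = (ev["port"], ev["vlan"])
        if ev["event"] == "BLOCK":
            blocked.add(key)
        elif ev["event"] == "UNBLOCK":
            blocked.discard(key)
    return blocked


# Constructed sample: the first two lines are the ones from the post; the last two are
# made up to show a port that was blocked and then recovered.
SAMPLE_LOG = [
    "*Apr 16 06:56:10.929: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/2.",
    "*Apr 16 06:56:11.308: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/2 on VLAN0001.",
    "*Apr 16 06:57:02.100: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/3 on VLAN0001.",
    "*Apr 16 06:58:40.512: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet0/3 on VLAN0001.",
]

if __name__ == "__main__":
    for ev in parse_rootguard_events(SAMPLE_LOG):
        print(ev)
    print("still blocked:", currently_blocked(SAMPLE_LOG))
```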
Then confirm the spanning-tree state on CORE-1 and SW-A:
CORE-1 is still the root bridge and the topology has not changed, although SW-B has a superior BPDU.
CORE-1#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p

CORE-1#
And on SW-A, interface e0/2 has moved to the root-inconsistent STP state, so the STP topology is prevented from changing when an undesired switch has a superior BPDU.
SW-A#show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     aabb.cc00.0100
             Cost        100
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    P2p
Et0/1               Altn BLK 100       128.2    P2p
Et0/2               Desg BKN*100       128.3    P2p *ROOT_Inc

SW-A#