LAB – Rootguard

You have been working a lot on STP lately and are coming to appreciate the niceties of a stable L2 topology. To account for older devices that still exist in the network, you are to protect the core switches from an STP root bridge hijack.

STP Stability

  • Enable STP enhancements that will allow SW1 to block downstream switches from becoming a rootbridge
  • Ensure this across multiple VLANs.

Bonus: Why is it important to establish a stable topology?

Answer Key Below


Guarding the root bridge is a very, very important thing to do inside a layer 2 topology. You may just want to let STP sort its business out, but we all know that this bad boy has burnt us all one too many times. What do we say to being burnt? Not today.

It is really a simple concept and worth implementing as you just do not know when it will come in handy.

S1(config)#int po2
S1(config-if)#spanning-tree guard root
S2(config)#int po2
S2(config-if)#spanning-tree guard root
*Mar 1 00:33:39.272: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel2.

S1 is my root bridge for VLAN 10 and S2 is the secondary root. As you can see from the bridge priorities, I have used the spanning-tree vlan 10 root primary/secondary commands. Very nifty.
Below I have changed the priority of VLAN 10 on switch three to be lower than S1/S2, our defined bridges. This simulates a switch that is plugged in with a lower priority, or an older switch with a lower MAC address. Do you really want an old Catalyst 1900 switch in an access cabinet being the root? I'd rather my 6500 at the core, to be honest. Let's check the errors that occur.

*May 18 16:34:14.655: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel2 on VLAN0010.

Let us issue a show command and verify the port state towards the downstream switch – in this case switch three.

S2#sh spanning-tree
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     001d.7189.ba80
             Cost        12
             Port        56 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    28682  (priority 28672 sys-id-ext 10)
             Address     001d.7189.2680
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root FWD 12        128.56   P2p
Po2                 Desg BKN*12        128.64   P2p *ROOT_Inc

Important to note here is the *ROOT_Inc state. This shows us with a simple check that the root guard mechanisms in place have been triggered: the switch has detected a device in a lower layer (distribution/access) advertising a better bridge priority. Once we remove the offending commands (or the switch, if it is a real device), the port state recovers automatically.

*Mar 1 00:44:00.079: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Port-channel2 on VLAN0010.
S1#sh spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     001d.7189.ba80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     001d.7189.ba80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 12        128.56   P2p
Po2                 Desg FWD 12        128.64   P2p
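
The two checks walked through above (the ROOTGUARD_BLOCK/UNBLOCK syslog messages and the *ROOT_Inc state in show spanning-tree) are easy to automate when you have more than a couple of VLANs or trunks to watch. The following is an added example, not part of the original lab, that replays root guard syslog lines to find ports still blocked and parses the interface table of show spanning-tree for root-inconsistent ports. The sample syslog lines and show output are constructed, modelled on the messages in the lab, with a second VLAN added.

```python
import re

# Constructed sample syslog, modelled on the ROOTGUARD messages seen in the lab.
# VLAN0010 is blocked and later unblocked; VLAN0020 stays blocked.
SYSLOG = """\
*May 18 16:34:14.655: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel2 on VLAN0010.
*May 18 16:34:20.100: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel2 on VLAN0020.
*May 18 16:44:00.079: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Port-channel2 on VLAN0010.
"""

# Constructed 'show spanning-tree' output, trimmed to the per-VLAN interface tables.
SHOW_STP = """\
VLAN0010
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root FWD 12        128.56   P2p
Po2                 Desg BKN*12        128.64   P2p *ROOT_Inc
VLAN0020
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root FWD 12        128.56   P2p
Po2                 Desg BKN*12        128.64   P2p *ROOT_Inc
"""

LOG_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(BLOCK|UNBLOCK): Root guard \w+ port (\S+) on (VLAN\d+)\.")
# Interface, role, then the BKN*<cost> broken state followed by the *ROOT_Inc flag.
PORT_RE = re.compile(r"^(\S+)\s+(\w+)\s+BKN\*(\d+)\s+(\S+)\s+(\S+)\s+\*ROOT_Inc")


def currently_blocked(syslog):
    """Replay BLOCK/UNBLOCK messages in order; return (port, vlan) pairs still blocked."""
    blocked = set()
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        action, port, vlan = m.groups()
        if action == "BLOCK":
            blocked.add((port, vlan))
        else:
            blocked.discard((port, vlan))
    return sorted(blocked)


def root_inconsistent_ports(show_output):
    """Parse 'show spanning-tree' and return {vlan: [ports currently in *ROOT_Inc]}."""
    result, vlan = {}, None
    for line in show_output.splitlines():
        if line.startswith("VLAN"):
            vlan = line.strip()        # a new per-VLAN section begins
            continue
        m = PORT_RE.match(line)
        if m and vlan:
            result.setdefault(vlan, []).append(m.group(1))
    return result
```

Feed the output of show spanning-tree for every VLAN (not only VLAN 10) into root_inconsistent_ports to confirm the "across multiple VLANs" requirement is actually being met.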


Nice and simple. Saving your topology from STP hijacks!
