Root guard

Answered Question
Jun 13th, 2007

Imagine we have 2 distribution switches A and B connected to an access switch C (double connection).

Switch A is the root. The blocked port is in switch C (uplink to B).

If:

1. I apply root guard to swA and swB but not to swC, and

2. I connect a swD to swC, and swD has the best bridge priority so that it could be the new root,

will this cause a problem for swC?

OK, swA and B will ignore swD's BPDUs, but what about the behavior of swC?

carenas123 Thu, 06/21/2007 - 09:23

The spanning tree root guard feature forces an interface to become a designated port, to protect the current root status and prevent surrounding switches from becoming the root switch. In your case A is root, and if switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on switch C.

For more information please click following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/8aew/configuration/guide/stp_enha.html#wp1022496

ohassairi Fri, 06/22/2007 - 03:18

In my scenario there is no link failure, but a hacker connects switch D to an access port of switch C and gives it a very low priority so that it would be the root.

swA and B will refuse its BPDUs because they are protected by root guard, but swC is not protected by root guard, so will it consider swD as root? If this is true, can we say that we must apply root guard on all access ports?

Correct Answer
michaelmcdaniel Fri, 06/22/2007 - 13:43

Ohassairi:

Switch B will not only refuse the lower priority BPDU, but it will then block the port. Once the port is blocked, switch C is no longer part of that spanning-tree domain.

After that Switch C & D will negotiate that Switch D is now the root.

The end result? The network is then split into two spanning-tree domains: A&B as well as C&D. C&D cannot send data to A&B since the link between B&C is blocked!

Hope this helps!

Correct Answer
sundar.palaniappan Fri, 06/22/2007 - 14:53

With root guard enabled on switches A & B you don't need to worry about switch D coming online with a lower bridge priority. As the previous poster stated, both switches A & B would disable the port to switch C once they receive a BPDU with a lower bridge priority.

To address the problem of switch C becoming a victim of this DoS attack you can configure the 'bpdu guard' feature on all access ports. This way, when switch D comes online and starts sending out BPDUs, switch C would disable the port from which BPDUs were received.

HTH

Sundar
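As an added illustration (not code from this thread or from Cisco), here is a small Python model of the root election with root guard and BPDU guard, run over the topology the thread describes: A and B with root guard towards C, D hung off an access port of C with the best priority. The priorities and MAC strings are constructed, and the model simplifies real STP: it ignores path cost and max-age ageing, and since every modelled neighbour is a switch, a BPDU-guarded port always trips.

```python
from collections import defaultdict

class Topology:
    def __init__(self, bridge_ids):
        self.bid = dict(bridge_ids)   # switch -> (priority, MAC); the lowest tuple wins
        self.nbrs = defaultdict(set)  # switch -> directly attached switches
        self.guard = {}               # (x, y) -> 'root' | 'bpdu' on x's port towards y
    def add_link(self, x, y, guard_x=None):   # guard_x protects x's end of the link
        self.nbrs[x].add(y); self.nbrs[y].add(x)
        if guard_x: self.guard[(x, y)] = guard_x
    def converge(self):
        """Relay BPDUs round by round until no root belief or port state changes."""
        root = dict(self.bid)  # each switch starts out announcing itself as root
        blocked = set()        # (x, y): x's port towards y is root-inconsistent / err-disabled
        for _ in range(100):   # bounded loop; the thread's topology settles in a few rounds
            before = (dict(root), set(blocked))
            for x in self.bid:
                # BPDUs heard on ports still forwarding at both ends (no max-age ageing)
                heard = {y: root[y] for y in self.nbrs[x]
                         if (x, y) not in blocked and (y, x) not in blocked}
                for y, adv in heard.items():
                    g = self.guard.get((x, y))
                    if g == 'bpdu': blocked.add((x, y))   # any BPDU at all err-disables the port
                    elif g == 'root':                     # a superior BPDU would make this the root port
                        others = min([self.bid[x]] + [a for z, a in heard.items() if z != y])
                        if adv < others: blocked.add((x, y))
                root[x] = min([self.bid[x]] + [a for y, a in heard.items() if (x, y) not in blocked])
            if (root, blocked) == before: break
        return self.domains(blocked)
    def domains(self, blocked):
        """Group switches that still exchange BPDUs; key = name of the elected root."""
        result, todo = {}, set(self.bid)
        while todo:
            comp, stack = set(), [todo.pop()]
            while stack:
                x = stack.pop(); comp.add(x)
                stack += [y for y in self.nbrs[x] if y not in comp
                          and (x, y) not in blocked and (y, x) not in blocked]
            result[min(comp, key=self.bid.get)] = frozenset(comp)
            todo -= comp
        return result

def page_scenario(bpdu_guard_on_access=False):  # A, B: distribution; D: rogue on C's access port
    t = Topology({'A': (4096, 'aa'), 'B': (8192, 'bb'),
                  'C': (32768, 'cc'), 'D': (0, 'dd')})   # constructed IDs; D wins on priority
    t.add_link('A', 'B'); t.add_link('A', 'C', 'root'); t.add_link('B', 'C', 'root')
    t.add_link('C', 'D', 'bpdu' if bpdu_guard_on_access else None)
    return t.converge()
```

Without BPDU guard the model ends with two domains, {A, B} rooted at A and {C, D} rooted at D, which is the split michaelmcdaniel describes; with BPDU guard on C's access port, C stays with A and D is isolated on an err-disabled port.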
