519 Views · 0 Helpful · 4 Replies

Root guard

ohassairi
Level 5

Imagine we have 2 distribution switches A and B connected to an access switch C (double connection).

Switch A is the root. The blocked port is in switch C (uplink to B).

If:

1. I apply root guard to swA and B but not to swC
2. I connect a swD to swC, and swD has the best bridge priority so that it could be the new root

will this cause a problem for swC?

OK, swA and B will ignore swD's BPDU, but what about the behavior of swC?


4 Replies

carenas123
Level 5

The Spanning Tree root guard feature forces an interface to become a designated port, to protect the current root status and prevent surrounding switches from becoming the root switch. In your case A is the root, and if switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on switch C.

For more information please see the following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/8aew/configuration/guide/stp_enha.html#wp1022496

In my scenario there is no link failure, but a hacker connects switch D to an access port of switch C and gives it a very low priority so that it would be the root.

swA and B will refuse its BPDU because they are protected by root guard, but swC is not protected by root guard, so will it consider swD as root? If this is true, can we say that we must apply root guard on all access ports?

Ohassairi:

Switch B will not only refuse the lower priority BPDU, but it will then block the port. Once the port is blocked, switch C is no longer part of that spanning-tree domain.

After that Switch C & D will negotiate that Switch D is now the root.

The end result? The network is then split into two spanning-tree domains: A&B as well as C&D. C&D cannot send data to A&B since the link between B&C is blocked!

Hope this helps!

With root guard enabled on switches A & B you don't need to worry about switch D coming online with a lower bridge priority. As the previous poster stated, both switches A & B would disable the port to switch C once they receive a BPDU with a lower bridge priority.

To address the problem of switch C becoming a victim of this DoS attack you can configure the 'bpdu guard' feature on all access ports. This way, when switch D comes online and starts sending out BPDUs, switch C would disable the port from which the BPDUs were received.

HTH

Sundar
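As an added illustration (not posted by anyone in this thread), here is the Cisco IOS configuration the two accepted answers describe: root guard on the distribution-switch downlinks to C, and BPDU guard on C's access ports so a switch plugged into an access port is err-disabled instead of being accepted as the new root. Interface numbers are assumed; the verification commands are standard IOS show commands.

```ios
! --- Switch A and Switch B (distribution): root guard on the downlink to C ---
! Assumed interface name; adjust to the real topology.
interface GigabitEthernet1/0/1
 description Downlink to access switch C
 spanning-tree guard root
!
! A superior BPDU arriving on this port puts it into the root-inconsistent
! (blocking) state instead of letting the sender become root.
! Verify with:  show spanning-tree inconsistentports
!
! --- Switch C (access): BPDU guard on every access port ---
! Without this, C has no guard at all and simply elects D as root, which is
! what splits the topology into A&B and C&D.
! With it, any BPDU received on a PortFast edge port err-disables that port,
! so switch D is cut off rather than elected root.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/2 - 24
 description Access ports (end hosts only)
 switchport mode access
 spanning-tree portfast
!
! Optional: recover err-disabled ports automatically after 5 minutes so a
! single stray BPDU does not require a manual 'shutdown / no shutdown'.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verify with:  show interfaces status err-disabled
!               show spanning-tree summary
```

Root guard still belongs only on the ports that should never face the root (the downlinks on A and B); on access ports BPDU guard is the right tool because an end-host port should never see a BPDU at all.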
