06-13-2007 11:47 PM - edited 03-05-2019 04:42 PM
Imagine we have two distribution switches, A and B, connected to an access switch C (double connection). Switch A is the root. The blocked port is on switch C (uplink to B).
If:
1. I apply root guard to swA and swB but not to swC, and
2. I connect a swD to swC, and swD has a better bridge priority so that it could become the new root,
will this cause a problem for swC?
OK, swA and swB will ignore swD's BPDUs, but what about the behavior of swC?
06-22-2007 01:43 PM
Ohassairi:
Switch B will not only refuse the lower priority BPDU, but it will then block the port. Once the port is blocked, switch C is no longer part of that spanning-tree domain.
After that, switches C and D will negotiate that switch D is now the root.
The end result? The network is then split into two spanning-tree domains: A and B as well as C and D. C and D cannot send data to A and B since the link between B and C is blocked!
Hope this helps!
06-22-2007 02:53 PM
With root guard enabled on switches A and B you don't need to worry about switch D coming online with a lower bridge priority. As the previous poster stated, both switches A and B would disable the port to switch C once they receive a BPDU with a lower bridge priority.
To address the problem of switch C becoming a victim of this DoS attack, you can configure the 'BPDU guard' feature on all access ports. This way, when switch D comes online and starts sending out BPDUs, switch C would disable the port on which the BPDUs were received.
HTH
Sundar
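The outcome the two replies above describe (C and D forming their own spanning-tree domain once the root-guarded ports on A and B go root-inconsistent, and BPDU guard on C's access port preventing that) can be checked with a small simulation. This is an added example, not code from the thread or from Cisco; the switch names come from the question, while the bridge priorities, the link list and the simplified guard rules are my assumptions.

```python
"""Simplified model of STP root guard and BPDU guard on the thread's topology.

Added example, not from the thread or from any vendor code. Switch names A-D
and the rogue switch D come from the discussion; the priorities below are
constructed. The rules are a deliberate simplification of 802.1D / Cisco
behaviour:
  * a switch believes the best (numerically lowest) bridge priority it can
    hear on a usable port is the root;
  * a root-guarded port never becomes a root port: if the neighbour advertises
    a root better than the switch's own root, the port goes root-inconsistent
    and stays there while the superior BPDUs keep arriving;
  * a BPDU-guarded port is err-disabled (sticky, link down) as soon as any
    BPDU arrives on it, before the election ever sees that BPDU.
Normal alternate-port blocking is not modelled: it never partitions the
domain; only the guards can do that.
"""
from typing import Dict, FrozenSet, List, Tuple

Port = Tuple[str, str]  # (switch, neighbour) identifies one port

# Constructed topology from the thread: A and B are distribution switches,
# C is the dual-homed access switch, D is plugged into an access port of C.
PRIORITY = {"A": 4096, "B": 8192, "C": 32768, "D": 0}  # lower wins the election
LINKS = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D")]

NEIGHBOURS: Dict[str, List[str]] = {s: [] for s in PRIORITY}
for _a, _b in LINKS:
    NEIGHBOURS[_a].append(_b)
    NEIGHBOURS[_b].append(_a)


def simulate(guards: Dict[Port, str]):
    """Return (root believed by each switch, state of every port, data-plane domains)."""
    state: Dict[Port, str] = {}
    for a, b in LINKS:
        state[(a, b)] = state[(b, a)] = "forwarding"

    def link_up(p: Port) -> bool:
        s, n = p
        return state[p] != "err-disabled" and state[(n, s)] != "err-disabled"

    while True:
        new_state = dict(state)
        # BPDU guard fires on the first BPDU: every neighbour here is a switch,
        # so a guarded port whose link is up is err-disabled immediately.
        for p, guard in guards.items():
            if guard == "bpdu" and link_up(p):
                new_state[p] = "err-disabled"
        state = new_state
        # Root election: adopt the best root a neighbour advertises, but never
        # through a root-guarded port (root guard keeps it designated).
        roots = {s: s for s in PRIORITY}
        changed = True
        while changed:
            changed = False
            for s in PRIORITY:
                for n in NEIGHBOURS[s]:
                    p = (s, n)
                    if not link_up(p) or guards.get(p) == "root":
                        continue
                    if PRIORITY[roots[n]] < PRIORITY[roots[s]]:
                        roots[s], changed = roots[n], True
        # Root guard: block while the neighbour claims a better root than ours,
        # recover as soon as it stops doing so.
        new_state = dict(state)
        for p, guard in guards.items():
            s, n = p
            if guard == "root" and link_up(p):
                superior = PRIORITY[roots[n]] < PRIORITY[roots[s]]
                new_state[p] = "root-inconsistent" if superior else "forwarding"
        if new_state == state:
            break
        state = new_state

    def domains() -> List[FrozenSet[str]]:
        """Connected components over links that forward at both ends."""
        seen, result = set(), []
        for start in PRIORITY:
            if start in seen:
                continue
            comp, stack = set(), [start]
            while stack:
                s = stack.pop()
                if s in comp:
                    continue
                comp.add(s)
                stack += [n for n in NEIGHBOURS[s]
                          if state[(s, n)] == "forwarding" and state[(n, s)] == "forwarding"]
            seen |= comp
            result.append(frozenset(comp))
        return sorted(result, key=sorted)

    return roots, state, domains()


NO_GUARDS: Dict[Port, str] = {}
ROOT_GUARD_ON_AB = {("A", "C"): "root", ("B", "C"): "root"}      # what the question describes
ROOT_AND_BPDU_GUARD = {**ROOT_GUARD_ON_AB, ("C", "D"): "bpdu"}  # the fix suggested above


def scenario(guards: Dict[Port, str]) -> dict:
    roots, state, doms = simulate(guards)
    return {
        "roots": roots,
        "blocked": sorted(p for p, st in state.items() if st != "forwarding"),
        "domains": doms,
    }


if __name__ == "__main__":
    for name, g in [("no guards", NO_GUARDS), ("root guard on A/B", ROOT_GUARD_ON_AB),
                    ("root guard on A/B + BPDU guard on C access", ROOT_AND_BPDU_GUARD)]:
        r = scenario(g)
        print(f"{name}: roots={r['roots']} blocked={r['blocked']} "
              f"domains={[''.join(sorted(d)) for d in r['domains']]}")
```

Running it prints one line per configuration: with no guards D becomes root everywhere; with root guard only on A and B the data plane splits into {A, B} and {C, D}, which is the outcome described in the accepted answer; with BPDU guard on C's port toward D that port is err-disabled and A, B and C keep A as root. On Cisco IOS the matching commands are `spanning-tree guard root` on A's and B's ports toward C, `spanning-tree bpduguard enable` on each access port of C (or `spanning-tree portfast bpduguard default` globally for PortFast ports), `show spanning-tree inconsistentports` and `show interfaces status err-disabled` to see the guards firing, and `errdisable recovery cause bpduguard` if a BPDU-guarded port should come back on its own after the timer.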
06-21-2007 09:23 AM
The spanning-tree root guard feature forces an interface to become a designated port, to protect the current root status and prevent surrounding switches from becoming the root switch. In your case, A is the root, and if switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on switch C.
For more information, please see the following URL:
06-22-2007 03:18 AM
In my scenario there is no link failure, but a hacker connects switch D to an access port of switch C and gives it a very low priority so that it would become the root.
swA and swB will refuse its BPDUs because they are protected by root guard, but swC is not protected by root guard, so will it consider swD as the root? If this is true, can we say that we must apply root guard on all access ports?