Root Guard config

Answered Question
Feb 13th, 2008

Hi ,


Please let me know where do we configure Root Guard & designated part means on which switch.


Also please let me know where do we configure Ip Helper Address on a switch/Router?

Correct Answer by Amit Singh about 9 years 1 week ago

Goutam,


Go ahead and configure the switch port as layer-3 port by issuing " no switchport " command. This should work for your and will be able to put the ip helper command on it.


HTH,

-amit singh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (6 ratings)
Loading.
aijaz802 Wed, 02/13/2008 - 02:51

Hi,


I think the following links will help you for root guard placement.


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

http://conft.com/univercd/cc/td/doc/product/lan/cat2960/12244se/scg1/swstpopt.htm


In the routers ip helper address is configured in the interface config mode, where as in switches its configured on layer 3 vlan and if any layer 3 physical interfaces.


Like...


interface Vlan11

ip address 10.0.0.2 255.255.255.0

ip helper-address 10.0.0.100



I hope it helps you.


Regards,

*aijaz*



Goutam Sanyal Wed, 02/13/2008 - 02:52

Hi,


For Root Guard, pls visit:


http://cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml


ip helper-address : IP helper-address is an interface configuration command and which is disable by default. To enable the forwarding of User Datagram Protocol (UDP) broadcasts, including BOOTP received on an interface.


As per Cisco: Forwards UDP broadcasts, including BOOTP, received on an interface.


Thanks & Regards

Goutam

Pls rate if it helps

Istvan_Rabai Wed, 02/13/2008 - 20:06

Hi,


Root Guard is a feature to prevent another switch newly attached to the network from becoming a root bridge, and protect the network to reconverge.


You have to configure root guard on those ports where root bridge BPDUs are not expected at all, like user access ports.


Don't configure root guard on ports where BPDUs from the root are expected, otherwise you will block that port.


Helper address:


The "ip helper-address" command should be configured on the router interface which is directly connected to the LAN segment where DHCP hosts reside.

In other words it is the incoming interface for the DHCP discover and request packets (not the outgoing).


If you have more routers between the given LAN segment and the DHCP server, you do not need to configure "ip helper-address" on each router along the way:

The first router with its directly connected interface will convert DHCP broadcasts to unicasts and forward them to the DHCP server.


Of course, you need to have the approriate routes in the routers that will direct the packets between the DHCP hosts and the DHCP server.


Cheers:

Istvan


mirzaakberali Thu, 02/14/2008 - 21:48

Appreciate for the valuable information!


I)But I have a query on Ip-Helper Address as you said we can configre "Ip-Helper on a Router interface which is directly connected to the LAN segment where DHCP hosts reside" along with this i believe you can keep the DHCP server in the other network segment as well to perform the same function if proper routing is enabled .


Also can we configure Ip-Helper address on L3 switch inteface ?


II) what is the diffrence in Root Guard and Loop Guard ?


Thanks,

Akber.

Goutam Sanyal Thu, 02/14/2008 - 22:18

Hi,


I) No you can not at L3 Switches.


II) As per Cisco : BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP. You must manually reenable the port that is put into errdisable state or configure errdisable-timeout.


Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.



thanks

Goutam

Pls rate if it helps.

mirzaakberali Thu, 02/14/2008 - 23:16

hi Goutan,


If i am not wrong we can configure Ip-Helper address on switch layer 3 interface.


Ex:-

Interface vlan 10

ip address 10.200.2.10 255.255.255.0

ip helper address x.x.x.x


Please answer me.


Regds,

Akber.

Goutam Sanyal Thu, 02/14/2008 - 23:39

Hi Akber,


The question is "Also can we configure Ip-Helper address on L3 switch interface?" if I go for the physical interface then as per my knowledge it is not possible. If I go as per u then its possible. Pls find the below:


SW_L3(config)#int gi 0/4

SW_L3(config-if)#ip ?

Interface IP configuration subcommands:

access-group Specify access control for packets

arp Configure ARP features

dhcp DHCP

igmp IGMP interface commands

verify verify


SW_L3(config-if)#ip


SW_L3(config-if)#int vlan1

SW_L3(config-if)#ip ?

SW_L3(config-if)#ip helper-address ?

A.B.C.D IP destination address


Goutam :)


Correct Answer
Amit Singh Fri, 02/15/2008 - 01:33

Goutam,


Go ahead and configure the switch port as layer-3 port by issuing " no switchport " command. This should work for your and will be able to put the ip helper command on it.


HTH,

-amit singh

Goutam Sanyal Fri, 02/15/2008 - 01:49

Hi Amit,


I just realised that one can always learn something or other from a good company. Thanks :)


Goutam

mirzaakberali Fri, 02/15/2008 - 01:55

Amit,


I believe we can configure ip-helper on L3 switch port with out no switch port command.( I have performed on a 6509 L3 switch)

Ex:-

interface gi 0/1

ip address x.x.x.x x.x.x.x

ip-helper address x.x.x.x


I think we cant perform a ip helper address with no switch port comand on l3 port.


Thnks,

Akber.


Amit Singh Fri, 02/15/2008 - 05:05

Akber,


Bydefault on Cisco 6500 switch running IOS all the ports are Layer-3 ports, so you dont need to put " no switchport " command. That's why you are also able to put an IP address on it because it is a layer 3 port. On other switches like 4500/3750/3560's your ports are L2 bydefault and you need to put " no switchport " command to make it L3 port and work the things out.


HTH, Please rate if it does.


-amit singh

mirzaakberali Sun, 02/17/2008 - 20:33

Thanks for the inputs!


So that means Ip-Helper Address command on a Router and L2 switch as well with no switch port coomand .


Also i believe we can perform ip-helper on a l3 switch port.


Please confirm.


Thanks,

Akber.

Amit Singh Sun, 02/17/2008 - 22:20

Akber,


You can put an Ip-helper on a layer-3 interface br it on a router or L3 switch with SVI's or the L3 switchport.


HTH,

-amit singh

Actions

This Discussion