Root Guard and Rogue Switch Introduction

Unanswered Question
Feb 9th, 2009

Hi All,

I have a question which occurred to me while studying form my BCMSN on route guard.

Assume i had a network similar to the one described in Figure 2 of the Root Guard feature page on Cisco here:-

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

and deployed root guard on Switch C in the interface connecting to D.

When i switch on D and when D starts to send BPDU's advertising itself as the root, Switch C will block it and put the port into root inconsistent state UNTIL it stops receiving BPDU's on that port.

Am i right in assuming that manual intervention to change the root priority on D is require before any traffic can pass through C?

The article linked seems to indicate it is somehow an automatic process. Does Switch D just give up sending superior BPDU's after a certain time or does it simply sit there claiming to be the root for its own little segment indefinitely?

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Mon, 02/09/2009 - 06:38

Hello Scott,

Switch D has to stop sending better BPDUs then current root bridge.

So a manual intervention on switch D to remove

spanning-tree vlan X priority Y

is needed

Hope to help

Giuseppe

Mohamed Sobair Mon, 02/09/2009 - 06:50

As soon as aSwitch recieves Better BPDUs claiming to be a root bridge, and the (Root Guard) feature is enabled on the Root Switch, it will block the port due to the inconsistency.

Root inconsistency is not an STP state, its a log message generated by the Switch when it occurs.

HTH

Mohamed

Scott Brown Mon, 02/09/2009 - 07:25

Hi Mohamed, according to the link i provided above:-

"Switch C in Figure 2 blocks the port that connects to Switch D, after the switch receives a superior BPDU. Root guard puts the port in the root-inconsistent STP state. No traffic passes through the port in this state. After device D ceases to send superior BPDUs, the port is unblocked again."

Whilst i agree that root-inconsistent is not an STP "state" as such, like listening or learning etc is, the documentation refers to the port as being in that state, hence the confusion.

I do however think you may be wrong to say that root inconsistency is just a log message generated by the Switch when it occurs. The port is blocked, denying traffic until superior BPDU's stop arriving.

Unless im looking too much into your reply.

Many Thanks

Mohamed Sobair Tue, 02/10/2009 - 11:02

Scott,

In PVST+ , the Ports has well known 4 STP states as follows:

1- Blocking

2- listening

3- learning

4- forwarding

If the Switch running RSTP, then STP port states are:

1- Discarding

2- Learning

3- Forwarding

If u do agree that (Inconsistency) is not an STP state, then thats what i was pointing at, I wanted to remind u about STP Port states.

HTH

Mohamed

Giuseppe Larosa Tue, 02/10/2009 - 11:37

Hello Mohamed,

a port in incosistent state is not usable.

The behavior is vlan specific so the feature is smart and doesn't require a shut/no shut like bpdu guard.

You can check with

sh spanning-tree inconsistent

It is not correct to say it is a legitimate RSTP state and also it is not correct to say it is just a log message.

You can think of it as a variation of Discarding state that can move to other state if the offending BPDUs stop to be received.

Hope to help

Giuseppe

Actions

This Discussion