Root Guard and Rogue Switch Introduction

Unanswered Question
Feb 9th, 2009
User Badges:

Hi All,

I have a question which occurred to me while studying form my BCMSN on route guard.


Assume i had a network similar to the one described in Figure 2 of the Root Guard feature page on Cisco here:-


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml


and deployed root guard on Switch C in the interface connecting to D.


When i switch on D and when D starts to send BPDU's advertising itself as the root, Switch C will block it and put the port into root inconsistent state UNTIL it stops receiving BPDU's on that port.


Am i right in assuming that manual intervention to change the root priority on D is require before any traffic can pass through C?


The article linked seems to indicate it is somehow an automatic process. Does Switch D just give up sending superior BPDU's after a certain time or does it simply sit there claiming to be the root for its own little segment indefinitely?


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Giuseppe Larosa Mon, 02/09/2009 - 06:38
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Scott,

Switch D has to stop sending better BPDUs then current root bridge.


So a manual intervention on switch D to remove

spanning-tree vlan X priority Y


is needed


Hope to help

Giuseppe


Mohamed Sobair Mon, 02/09/2009 - 06:50
User Badges:
  • Gold, 750 points or more


As soon as aSwitch recieves Better BPDUs claiming to be a root bridge, and the (Root Guard) feature is enabled on the Root Switch, it will block the port due to the inconsistency.


Root inconsistency is not an STP state, its a log message generated by the Switch when it occurs.



HTH

Mohamed

Scott Brown Mon, 02/09/2009 - 07:25
User Badges:

Hi Mohamed, according to the link i provided above:-


"Switch C in Figure 2 blocks the port that connects to Switch D, after the switch receives a superior BPDU. Root guard puts the port in the root-inconsistent STP state. No traffic passes through the port in this state. After device D ceases to send superior BPDUs, the port is unblocked again."


Whilst i agree that root-inconsistent is not an STP "state" as such, like listening or learning etc is, the documentation refers to the port as being in that state, hence the confusion.


I do however think you may be wrong to say that root inconsistency is just a log message generated by the Switch when it occurs. The port is blocked, denying traffic until superior BPDU's stop arriving.


Unless im looking too much into your reply.


Many Thanks

Mohamed Sobair Tue, 02/10/2009 - 11:02
User Badges:
  • Gold, 750 points or more

Scott,


In PVST+ , the Ports has well known 4 STP states as follows:


1- Blocking

2- listening

3- learning

4- forwarding


If the Switch running RSTP, then STP port states are:


1- Discarding

2- Learning

3- Forwarding


If u do agree that (Inconsistency) is not an STP state, then thats what i was pointing at, I wanted to remind u about STP Port states.



HTH

Mohamed

Giuseppe Larosa Tue, 02/10/2009 - 11:37
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Mohamed,

a port in incosistent state is not usable.


The behavior is vlan specific so the feature is smart and doesn't require a shut/no shut like bpdu guard.


You can check with

sh spanning-tree inconsistent


It is not correct to say it is a legitimate RSTP state and also it is not correct to say it is just a log message.


You can think of it as a variation of Discarding state that can move to other state if the offending BPDUs stop to be received.


Hope to help

Giuseppe


Actions

This Discussion