Root Guard and Rogue Switch Introduction

BGPatemyHamster
Level 1

Hi All,

I have a question which occurred to me while studying for my BCMSN on root guard.

Assume I had a network similar to the one described in Figure 2 of the Root Guard feature page on Cisco here:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

and deployed root guard on Switch C in the interface connecting to D.

When I switch on D and when D starts to send BPDUs advertising itself as the root, Switch C will block it and put the port into root inconsistent state UNTIL it stops receiving BPDUs on that port.

Am I right in assuming that manual intervention to change the root priority on D is required before any traffic can pass through C?

The article linked seems to indicate it is somehow an automatic process. Does Switch D just give up sending superior BPDUs after a certain time or does it simply sit there claiming to be the root for its own little segment indefinitely?

Thanks

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Scott,

Switch D has to stop sending better BPDUs than the current root bridge.

So a manual intervention on switch D to remove

spanning-tree vlan X priority Y

is needed

Hope to help

Giuseppe

Thank you - most helpful.

Mohamed Sobair
Level 7

As soon as a switch receives better BPDUs claiming to be a root bridge, and the (Root Guard) feature is enabled on the Root Switch, it will block the port due to the inconsistency.

Root inconsistency is not an STP state, it's a log message generated by the switch when it occurs.

HTH

Mohamed

Hi Mohamed, according to the link I provided above:

"Switch C in Figure 2 blocks the port that connects to Switch D, after the switch receives a superior BPDU. Root guard puts the port in the root-inconsistent STP state. No traffic passes through the port in this state. After device D ceases to send superior BPDUs, the port is unblocked again."

Whilst I agree that root-inconsistent is not an STP "state" as such, like listening or learning etc. is, the documentation refers to the port as being in that state, hence the confusion.

I do however think you may be wrong to say that root inconsistency is just a log message generated by the switch when it occurs. The port is blocked, denying traffic until superior BPDUs stop arriving.

Unless I'm looking too much into your reply.

Many Thanks

Mohamed Sobair
Level 7

Scott,

In PVST+, the ports have 4 well-known STP states as follows:

1- Blocking

2- listening

3- learning

4- forwarding

If the switch is running RSTP, then the STP port states are:

1- Discarding

2- Learning

3- Forwarding

If you do agree that (Inconsistency) is not an STP state, then that's what I was pointing at. I wanted to remind you about STP port states.

HTH

Mohamed

Hello Mohamed,

A port in inconsistent state is not usable.

The behavior is VLAN specific, so the feature is smart and doesn't require a shut/no shut like BPDU guard.

You can check with

sh spanning-tree inconsistent

It is not correct to say it is a legitimate RSTP state, and it is also not correct to say it is just a log message.

You can think of it as a variation of the Discarding state that can move to another state if the offending BPDUs stop being received.

Hope to help

Giuseppe
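
The behaviour discussed in this thread, as an added sketch that is not code from any poster or from Cisco: a per-VLAN model of a root-guard port that stays root-inconsistent while superior BPDUs keep arriving and recovers on its own once they stop. The bridge IDs are constructed, and the 20-second recovery timeout and the direct return to forwarding are simplifying assumptions.

```python
from dataclasses import dataclass

MAX_AGE = 20  # assumption: port recovers once no superior BPDU is seen for this many seconds

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # compared first; lower is better
    mac: str       # tie-breaker; lower is better (fixed-width lowercase hex)

class RootGuardPort:
    """One VLAN's view of a designated port with root guard enabled (Switch C toward D)."""

    def __init__(self, current_root):
        self.current_root = current_root
        self.state = "forwarding"
        self.last_superior = None  # time the last superior BPDU arrived

    def receive_bpdu(self, now, advertised_root):
        # A BPDU is superior when it advertises a better (lower) root bridge ID.
        if advertised_root < self.current_root:
            self.state = "root-inconsistent"
            self.last_superior = now

    def tick(self, now):
        # Simplification: a real port walks listening -> learning -> forwarding.
        if self.state == "root-inconsistent" and now - self.last_superior >= MAX_AGE:
            self.state = "forwarding"
        return self.state

def run(bpdus, end):
    """bpdus maps arrival time (s) to the root ID that D advertises; returns {time: state}."""
    port = RootGuardPort(ROOT)
    timeline = {}
    for now in range(end + 1):
        if now in bpdus:
            port.receive_bpdu(now, bpdus[now])
        timeline[now] = port.tick(now)
    return timeline

# Constructed bridge IDs, not taken from the thread.
ROOT = BridgeID(4096, "00:00:0c:aa:aa:aa")
D_ROGUE = BridgeID(0, "00:00:0c:dd:dd:dd")      # D with a lowered priority
D_FIXED = BridgeID(32768, "00:00:0c:dd:dd:dd")  # D after the priority command is removed

# Case 1: D claims root every 2 s and is never reconfigured.
never_fixed = run({t: D_ROGUE for t in range(0, 61, 2)}, 60)
# Case 2: D is reconfigured at t=10; its later BPDUs are no longer superior.
fixed = run({t: (D_ROGUE if t < 10 else D_FIXED) for t in range(0, 61, 2)}, 60)

if __name__ == "__main__":
    print("never fixed, t=60:", never_fixed[60])
    print("fixed at t=10:", fixed[8], "->", fixed[27], "->", fixed[28])
```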
