spanning-tree guard root command blocked trunk port

Answered Question
May 18th, 2010

Hi all,


I enabled spanning-tree guard root on 2950 trunk port fa0/8, which connects to the layer 3 switch 3550SMI, as below:


2950T#sh run int fa0/8
Building configuration...

Current configuration : 146 bytes
!
interface FastEthernet0/8
description Dynamic desirable Trunk connection to Switch 3550
speed 100
duplex half
spanning-tree guard root*******************
end


==============================

Once I did that, from the layer 3 switch I was unable to telnet or ping to switch 2950T. It was still showing as a CDP neighbour:


3550SMI#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
2950T            Fas 0/8           151           S I      WS-C2950T Fas 0/8


3550SMI#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


On the layer 3 switch, port fa0/8 is shown as forwarding:



3550SMI#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p Peer(STP)


But on the layer 2 switch, port fa0/8 is shown up/up, connected, but in blocking state:


2950T#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bece.bbc0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bece.bbc0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8            Desg BKN*19        128.8    Shr *ROOT_Inc


-------- logs from layer 2 switch


May 18 17:11:27.984 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 18 17:11:28.100 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0010.


Can anyone tell me why, after enabling spanning-tree guard root on the layer 2 trunk port, it put the port in blocking state? I was thinking that spanning-tree guard root is used to stop STP re-elections when someone puts a rogue switch on the network.


many thanks

mahesh

Ganesh Hariharan Tue, 05/18/2010 - 22:58

Hi Mahesh,


The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state.


So I would suggest you just check the STP status to see which switch is the root bridge, and apply root guard on the root bridge ports.


Hope this helps!!


Ganesh.H

Jon Marshall Wed, 05/19/2010 - 03:09

Mahesh


Which switch should be the root bridge ? From the looks of the priorities the 3550 should be the root bridge. If so, as Ganesh says, you should apply rootguard to the 3550 port that connects to the 2960 and remove the rootguard from the 2960 switch.


Rootguard is meant to be used to stop a switch becoming root, so in your case, if the 3550 is meant to be the root bridge, you want to make sure that the 2960 cannot become root, so you apply rootguard to the 3550 switch. If the 2960 then sends a better BPDU, the port will be error disabled rather than the 2960 becoming the root bridge.


Jon

mahesh18 Wed, 05/19/2010 - 12:36

Hi Jon,


Thanks for the reply.


The 3550 should be the root bridge.


So as per you, we should apply root guard only on the 3550, as it is the root bridge, so that the 2950 does not become the root bridge?


mahesh

Jon Marshall Wed, 05/19/2010 - 13:36

mahesh18 wrote:

    Hi Jon,

    Thanks for the reply.

    The 3550 should be the root bridge.

    So as per you, we should apply root guard only on the 3550, as it is the root bridge, so that the 2950 does not become the root bridge?

    mahesh


Mahesh


Yes you should apply the rootguard on the 3550 port that connects to the 2960 which would stop the 2960 becoming the root bridge.


Jon

mahesh18 Wed, 05/19/2010 - 14:02

Hi Jon,

I did that and applied root guard on fa0/8 on the layer 3 switch, but after doing that:



May 19 15:00:05.630 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 19 15:00:07.462 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0001.
May 19 15:00:07.642 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
May 19 15:00:08.466 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down********************


VLAN 20 is up/down? Do you know why this happened?


thanks

mahesh

Jon Marshall Wed, 05/19/2010 - 14:08

Mahesh


Is the 3550 STP root for all vlans including vlan 20 ?


Jon

mahesh18 Wed, 05/19/2010 - 14:13

Hi,


Here is the info:


3550SMI#sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg BKN*19        128.8    P2p *ROOT_Inc
Gi0/2               Back BLK 4         128.26   P2p

thanks

mahesh

mahesh18 Wed, 05/19/2010 - 14:16

Also, one more thing to add: the VLAN 20 layer 2 switch is offline right now.

Jon Marshall Wed, 05/19/2010 - 14:20

Can you remove the rootguard and see what happens?


Also, when you say the vlan 20 switch is offline, what is connected to fa0/8 on the 3550 switch? I thought it was the 2960 switch?


Jon

mahesh18 Wed, 05/19/2010 - 14:26

Hi,


Removed root guard:


May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/8.
May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/8 on VLAN0001.
May 19 15:23:30.665 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
May 19 15:23:30.865 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
3550SMI#


As you see, VLAN 20 is up now.


Also, port fa0/13 connects to the other layer 2 switch that is on VLAN 20:


Fa0/13                         down           down  



3550SMI#sh int desc
Interface                      Status         Protocol Description
Vl1                            admin down     down
Vl10                           up             up
Vl20                           up             up
Vl30                           up             up
Fa0/1                          down           down
Fa0/2                          down           down
Fa0/3                          down           down
Fa0/4                          down           down
Fa0/5                          down           down
Fa0/6                          down           down
Fa0/7                          down           down
Fa0/8                          up             up      
Fa0/9                          down           down
Fa0/10                         down           down
Fa0/11                         up             up     
Fa0/12                         down           down
Fa0/13                         down           down   
Fa0/14                         down           down
Fa0/15                         down           down
Fa0/16                         down           down
Fa0/17                         down           down
Fa0/18                         down           down
Fa0/19                         down           down
Fa0/20                         up             up    
Fa0/21                         down           down
Fa0/22                         down           down
Fa0/23                         down           down
Fa0/24                         down           down    
Gi0/1                          down           down
Gi0/2                          up             up
3550SMI#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/13, Fa0/24
10   VLAN0010                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/9, Fa0/10
20   VLAN0020                         active    Fa0/12, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19

mahesh18 Wed, 05/19/2010 - 14:31

Hi,

To add:


Port fa0/8 on the layer 3 switch goes to the layer 2 switch 2950.

Also, port fa0/13 on the layer 3 switch goes to another layer 2 switch which has VLAN 20 and is offline.

Jon Marshall Wed, 05/19/2010 - 14:37

Mahesh


From the 3550 can you post -


sh spanning-tree vlan 1

sh spanning-tree vlan 10

sh spanning-tree vlan 20


Jon

mahesh18 Wed, 05/19/2010 - 14:38

Hi Jon,


Here is the required info:


3550SMI# sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     000b.bece.bbc0
             Cost        19
             Port        8 (FastEthernet0/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Root FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p




3550SMI# sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p



3550SMI# sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     000b.bece.bbc0
             Cost        19
             Port        8 (FastEthernet0/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Root FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI#

Jon Marshall Wed, 05/19/2010 - 14:49

Mahesh


From the outputs, the 3550 is only the root bridge for vlan 10. So you need to make the 3550 root for all the vlans on the trunk link on fa0/8 before applying rootguard, or you will see the problems you were having.


You apply rootguard on the root bridge so it must be the root bridge for all vlans that are on that trunk link.


Jon
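The per-VLAN rule in Ganesh's and Jon's posts above (root guard reacts to a superior BPDU arriving on a guarded port, so the guard belongs on the root bridge, and that bridge must be root for every VLAN the trunk carries) can be replayed with the bridge IDs from the `sh spanning-tree` outputs posted in this thread. The Python model below is an added example, not code from the thread or from Cisco; the `Bridge` class, the two-switch assumption that each side advertises its own bridge ID as root, and the simplified `root primary` priority logic are assumptions of the example.

```python
"""Per-VLAN root-guard model (PVST+/Rapid-PVST) -- added example, not from the thread.

Assumptions (the example's, not the page's): a two-switch topology in which each
side advertises its own bridge ID as the root in its BPDUs, and a simplified
version of what 'spanning-tree vlan <n> root primary' does to the priority.
"""

DEFAULT_PRIORITY = 32768          # IOS default bridge priority
ROOT_PRIMARY_PRIORITY = 24576     # what 'root primary' normally sets


class Bridge:
    def __init__(self, name, mac, priorities=None):
        self.name = name
        self.mac = mac.lower()                    # e.g. "000d.28bc.fd80"
        self.priorities = dict(priorities or {})  # VLAN -> base priority (multiple of 4096)

    def base_priority(self, vlan):
        return self.priorities.get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, vlan):
        """Bridge ID with extended system ID: (priority + VLAN number, MAC).

        This is what 'sh spanning-tree' prints as 'Priority 32769 (priority 32768
        sys-id-ext 1)'. Python tuple ordering matches STP: the lower priority wins,
        and an equal priority is broken by the lower MAC address.
        """
        return (self.base_priority(vlan) + vlan, self.mac)

    def set_root_primary(self, vlan, other_bridges):
        """Mimic 'spanning-tree vlan <vlan> root primary' (simplified).

        IOS uses 24576 if that beats the current root, otherwise 4096 less than
        the lowest priority it sees; the lowest priority among `other_bridges`
        stands in for 'the current root' here.
        """
        lowest = min((b.base_priority(vlan) for b in other_bridges), default=DEFAULT_PRIORITY)
        if lowest > ROOT_PRIMARY_PRIORITY:
            self.priorities[vlan] = ROOT_PRIMARY_PRIORITY
        else:
            self.priorities[vlan] = max(lowest - 4096, 0)


def root_guard_state(local, neighbor, vlan):
    """State of a root-guard port on `local` that hears `neighbor`'s BPDUs for `vlan`.

    Root guard moves the port to root-inconsistent ('BKN *ROOT_Inc' in
    'sh spanning-tree') as soon as the received BPDU advertises a root that is
    superior to the one `local` would advertise, i.e. as soon as the port would
    otherwise become a root port. It returns to forwarding by itself once the
    superior BPDUs stop, which is what the ROOTGUARD_UNBLOCK log line records.
    """
    if neighbor.bridge_id(vlan) < local.bridge_id(vlan):
        return "BKN *ROOT_Inc"
    return "FWD"


def audit_trunk(local, neighbor, vlans):
    """Per-VLAN result for a root-guard trunk port. VLAN 1 belongs in `vlans`
    because an 802.1Q trunk always carries it, SVI shut down or not."""
    return {vlan: root_guard_state(local, neighbor, vlan) for vlan in vlans}


if __name__ == "__main__":
    # Bridge IDs as posted in the thread's 'sh spanning-tree' outputs.
    sw2950 = Bridge("2950T", "000b.bece.bbc0")                 # 32768 on every VLAN
    sw3550 = Bridge("3550SMI", "000d.28bc.fd80", {10: 24576})   # already root for VLAN 10
    trunk_vlans = [1, 10, 20]

    # First attempt: guard on the non-root 2950 -> VLAN 10 goes root-inconsistent.
    print("guard on 2950:", audit_trunk(sw2950, sw3550, trunk_vlans))
    # Second attempt: guard on the 3550 while it is root for VLAN 10 only.
    print("guard on 3550:", audit_trunk(sw3550, sw2950, trunk_vlans))
    # Fix: make the 3550 root for every VLAN the trunk carries, VLAN 1 included.
    for vlan in trunk_vlans:
        sw3550.set_root_primary(vlan, [sw2950])
    print("after root primary:", audit_trunk(sw3550, sw2950, trunk_vlans))
```

Run stand-alone, the script reproduces the three situations in the thread: with the guard on the 2950, only VLAN 10 is root-inconsistent (the 3550 is root there); with the guard on the 3550, VLANs 1 and 20 are root-inconsistent because the 2950's lower MAC wins the tie at priority 32768; after `root primary` on every trunk VLAN, the guarded port forwards for all of them.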

mahesh18 Fri, 05/21/2010 - 11:41

Hi Jon,

Thanks again for the reply.


On the 3550 switch I made it root for all of VLANs 10, 20 and 30.


VLAN 1 on the 3550 is admin down/down.


Then I configured root guard on the two trunk ports on the 3550 that go to the two layer 2 switches, as shown below:


3550SMI#sh run int fa0/8
Building configuration...

Current configuration : 215 bytes
!
interface FastEthernet0/8
description Dynamic Desirable Trunk connection to Switch 2950T
switchport mode dynamic desirable
speed 100
duplex full
spanning-tree bpduguard disable
spanning-tree guard root
end

3550SMI#sh run int fa0/13
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0/13
description Dynamic auto  to Switch 2950T2
switchport mode dynamic auto
spanning-tree bpduguard disable
spanning-tree guard root


Once I did that, in the logs of the 3550 I got this message:


May 21 12:09:42.933 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 21 12:09:44.161 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0001.  ******* blocking



Then I configured VLAN 1 on switch 3550 as root primary, as shown below, and the status of fa0/8 changed to forwarding:


3550SMI#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p


Then the message in the logs of the 3550 changed, as shown below:


May 21 12:10:20.206 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/8 on VLAN0001.
May 21 12:10:38.690 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/8.


My question is: although VLAN 1 on the 3550 is admin down/down, why does trunk port fa0/8 still use VLAN 1?

Is it because it is the native VLAN?

Can you explain this to me, please?


thanks

mahesh

Correct Answer
Jon Marshall Fri, 05/21/2010 - 11:49

Mahesh


Vlan 1 will always be on trunk links even if you shutdown the SVI and clear it off trunks. So that is why you saw that message.


Jon

mahesh18 Fri, 05/21/2010 - 14:53

Hi Jon


thanks once again.


Best  regards


mahesh
