spanning-tree guard root command blocked trunk port

Answered Question
May 18th, 2010

Hi all,

I enabled spanning-tree guard root on 2950 trunk port fa0/8, which connects to layer 3 switch 3550SMI, as below

2950T#sh run int fa0/8
Building configuration...

Current configuration : 146 bytes
!
interface FastEthernet0/8
description Dynamic desirable Trunk connection to Switch 3550
speed 100
duplex half
spanning-tree guard root*******************
end

==============================

Once I did that, from the layer 3 switch I was unable to telnet or ping to switch 2950T. It was showing as a CDP neighbor

3550SMI#                  sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
2950T            Fas 0/8           151           S I      WS-C2950T Fas 0/8

3550SMI#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On the layer 3 switch, port fa0/8 is shown as forwarding

3550SMI#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p Peer(STP)

But on the layer 2 switch, port fa0/8 is shown up up connected but in blocking state

2950T#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bece.bbc0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bece.bbc0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8            Desg BKN*19        128.8    Shr *ROOT_Inc

--------logs from layer 2 switch

May 18 17:11:27.984 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 18 17:11:28.100 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0010.

--Can anyone tell me why, after enabling spanning-tree guard root on the layer 2 trunk port, it put the port in blocking state? I was thinking that span tree guard root is used to stop STP re-elections when someone puts a rogue switch on the network?

many thanks

mahesh

Ganesh Hariharan Tue, 05/18/2010 - 22:58

Hi Mahesh,

The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state.

So I would suggest just checking the STP status to see which switch is the root bridge, and applying root guard on the root bridge ports.

Hope to Help !!

Ganesh.H

Jon Marshall Wed, 05/19/2010 - 03:09

Mahesh

Which switch should be the root bridge ? From the looks of the priorities the 3550 should be the root bridge. If so, as Ganesh says, you should apply rootguard to the 3550 port that connects to the 2960 and remove the rootguard from the 2960 switch.

Rootguard is meant to be used to stop a switch becoming root so in your case if the 3550 is meant to be the root bridge you want to make sure that the 2960 cannot become root so you apply rootguard to the 3550 switch. If the 2960 then sends a better BPDU the port will then be error disabled rather than the 2960 become the root bridge.

Jon

mahesh18 Wed, 05/19/2010 - 12:36

Hi jon,

thanks for reply

3550 should be the root bridge.

So as per you, we should apply root guard only on the 3550, as it is the root bridge, in order that the 2950 does not become root bridge?

mahesh

Jon Marshall Wed, 05/19/2010 - 13:36

mahesh18 wrote:

Hi jon,

thanks for reply

3550 should be the root bridge.

So as per you, we should apply root guard only on the 3550, as it is the root bridge, in order that the 2950 does not become root bridge?

mahesh

Mahesh

Yes you should apply the rootguard on the 3550 port that connects to the 2960 which would stop the 2960 becoming the root bridge.

Jon

mahesh18 Wed, 05/19/2010 - 14:02

Hi jon

I did that and applied root guard on fa0/8 on the layer 3 switch, but after doing that

May 19 15:00:05.630 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 19 15:00:07.462 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0001.
May 19 15:00:07.642 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
May 19 15:00:08.466 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down********************

Vlan 20 is up down? Do you know why this happened?

thanks

mahesh

mahesh18 Wed, 05/19/2010 - 14:13

Hi,

here is info

3550SMI#sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg BKN*19        128.8    P2p *ROOT_Inc
Gi0/2               Back BLK 4         128.26   P2p

thanks

mahesh

mahesh18 Wed, 05/19/2010 - 14:16

Also, one more thing to add: the vlan 20 layer 2 switch is offline right now.

Jon Marshall Wed, 05/19/2010 - 14:20

Can you remove the rootguard and see what happens.

Also when you say vlan 20 switch is off line what is connected to fa0/8 on the 3550 switch. I thought it was the 2960 switch ?

Jon

mahesh18 Wed, 05/19/2010 - 14:26

hi

removed root guard

May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/8.
May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/8 on VLAN0001.
May 19 15:23:30.665 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
May 19 15:23:30.865 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
3550SMI#

as you see vlan 20 is up now

also port fa0/13 connects to other layer 2 switch that is on vlan 20

Fa0/13                         down           down  

3550SMI#                             sh int desc
Interface                      Status         Protocol Description
Vl1                            admin down     down
Vl10                           up             up
Vl20                           up             up
Vl30                           up             up
Fa0/1                          down           down
Fa0/2                          down           down
Fa0/3                          down           down
Fa0/4                          down           down
Fa0/5                          down           down
Fa0/6                          down           down
Fa0/7                          down           down
Fa0/8                          up             up      
Fa0/9                          down           down
Fa0/10                         down           down
Fa0/11                         up             up     
Fa0/12                         down           down
Fa0/13                         down           down   
Fa0/14                         down           down
Fa0/15                         down           down
Fa0/16                         down           down
Fa0/17                         down           down
Fa0/18                         down           down
Fa0/19                         down           down
Fa0/20                         up             up    
Fa0/21                         down           down
Fa0/22                         down           down
Fa0/23                         down           down
Fa0/24                         down           down    
Gi0/1                          down           down
Gi0/2                          up             up
3550SMI#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/13, Fa0/24
10   VLAN0010                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/9, Fa0/10
20   VLAN0020                         active    Fa0/12, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19

mahesh18 Wed, 05/19/2010 - 14:31

Hi

to add

Port fa0/8 on the layer 3 switch goes to the layer 2 switch 2950.

Also, port fa0/13 on the layer 3 switch goes to another layer 2 switch, which has vlan 20 and is offline.

Jon Marshall Wed, 05/19/2010 - 14:37

Mahesh

From the 3550 can you post -

sh spanning-tree vlan 1

sh spanning-tree vlan 10

sh spanning-tree vlan 20

Jon

mahesh18 Wed, 05/19/2010 - 14:38

Hi jon

here is required info

3550SMI# sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     000b.bece.bbc0
             Cost        19
             Port        8 (FastEthernet0/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Root FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI# sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI# sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     000b.bece.bbc0
             Cost        19
             Port        8 (FastEthernet0/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Root FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI#

Jon Marshall Wed, 05/19/2010 - 14:49

Mahesh

From the outputs the 3550 is only the root bridge for vlan 10. So you need to make the 3550 root for all the vlans on the trunk link on fa0/8 before applying rootguard or you will see the problems you were having.

You apply rootguard on the root bridge so it must be the root bridge for all vlans that are on that trunk link.

Jon

mahesh18 Fri, 05/21/2010 - 11:41

Hi jon

thanks again for reply

on 3550 switch i made it root for all vlan 10,20 and 30.

Vlan 1 on 3550 is admin down down.

then i made two trunk ports  on 3550 as root guard that goes to 2 layer 2 switches as shown below

3550SMI#sh run int fa0/8
Building configuration...

Current configuration : 215 bytes
!
interface FastEthernet0/8
description Dynamic Desirable Trunk connection to Switch 2950T
switchport mode dynamic desirable
speed 100
duplex full
spanning-tree bpduguard disable
spanning-tree guard root
end

3550SMI#sh run int fa0/13
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0/13
description Dynamic auto  to Switch 2950T2
switchport mode dynamic auto
spanning-tree bpduguard disable
spanning-tree guard root

Once I did that, in the logs of the 3550 I got the message

May 21 12:09:42.933 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 21 12:09:44.161 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0001.*******************************blocking

Then I configured vlan 1 on switch 3550 as root primary as shown below, and the status of fa0/8 changed to forwarding *******************************

3550SMI#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

then message in logs of 3550 changed as shown below

May 21 12:10:20.206 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/8 on VLAN0001.
May 21 12:10:38.690 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/8.

My question is: although vlan 1 on the 3550 is admin down down, why does trunk port fa0/8 still use vlan 1?

Is it because it is the native vlan?

Can you please explain this to me?

thanks

mahesh

Correct Answer
Jon Marshall Fri, 05/21/2010 - 11:49

Mahesh

Vlan 1 will always be on trunk links even if you shutdown the SVI and clear it off trunks. So that is why you saw that message.

Jon
