05-18-2010 04:34 PM - edited 03-06-2019 11:09 AM
Hi all,
I enabled the spanning-tree guard root on 2950 trunk port fa0/8 which connects to layer 3 switch 3550SMI as below
2950T#sh run int fa0/8
Building configuration...
Current configuration : 146 bytes
!
interface FastEthernet0/8
description Dynamic desirable Trunk connection to Switch 3550
speed 100
duplex half
spanning-tree guard root*******************
end
==============================
Once I did that, from the layer 3 switch I was unable to telnet or ping to switch 2950T. It was showing as CDP nei
3550SMI# sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
2950T Fas 0/8 151 S I WS-C2950T Fas 0/8
3550SMI#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
on layer 3 switch fa0/8 port is shown as forwarding
3550SMI#sh spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 24586
Address 000d.28bc.fd80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 000d.28bc.fd80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8 Desg FWD 19 128.8 P2p Peer(STP)
but on the layer 2 switch, port fa0/8 is shown up up connected but in blocking state
2950T#sh spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 32778
Address 000b.bece.bbc0
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 000b.bece.bbc0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8 Desg BKN*19 128.8 Shr *ROOT_Inc
--------logs from layer 2 switch
May 18 17:11:27.984 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 18 17:11:28.100 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0010.
--Can anyone tell me why, after enabling spanning-tree guard root on the layer 2 trunk port, it put the port in blocking state? I was thinking that spanning-tree guard root is used to stop STP re-elections when someone puts a rogue switch on the network?
many thanks
mahesh
05-21-2010 11:49 AM
Mahesh
Vlan 1 will always be on trunk links even if you shutdown the SVI and clear it off trunks. So that is why you saw that message.
Jon
05-18-2010 10:58 PM
Hi Mahesh,
The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state.
So I would suggest just checking the STP status to see which switch is the root bridge, and applying root guard on the root bridge ports.
Hope to Help !!
Ganesh.H
05-19-2010 03:09 AM
Mahesh
Which switch should be the root bridge ? From the looks of the priorities the 3550 should be the root bridge. If so, as Ganesh says, you should apply rootguard to the 3550 port that connects to the 2960 and remove the rootguard from the 2960 switch.
Rootguard is meant to be used to stop a switch becoming root, so in your case, if the 3550 is meant to be the root bridge, you want to make sure that the 2960 cannot become root, so you apply rootguard to the 3550 switch. If the 2960 then sends a better BPDU, the port will then be error disabled rather than the 2960 becoming the root bridge.
Jon
05-19-2010 12:36 PM
Hi jon,
thanks for reply
3550 should be the root bridge.
so as per you we should apply root guard only on 3550 as it is root bridge ? in order that 2950 does not become root bridge.
mahesh
05-19-2010 01:36 PM
mahesh18 wrote:
Hi jon,
thanks for reply
3550 should be the root bridge.
so as per you we should apply root guard only on 3550 as it is root bridge ? in order that 2950 does not become root bridge.
mahesh
Mahesh
Yes you should apply the rootguard on the 3550 port that connects to the 2960 which would stop the 2960 becoming the root bridge.
Jon
05-19-2010 02:02 PM
Hi jon
I did that, applied root guard on fa0/8 on the layer 3 switch, but after doing that
ay 19 15:00:05.630 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 19 15:00:07.462 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0001.
May 19 15:00:07.642 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
May 19 15:00:08.466 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down********************
Vlan 20 is up down? Do you know why this happened?
thanks
mahesh
05-19-2010 02:08 PM
Mahesh
Is the 3550 STP root for all vlans including vlan 20 ?
Jon
05-19-2010 02:13 PM
Hi,
here is info
3550SMI#sh spanning-tree vlan 20
VLAN0020
Spanning tree enabled protocol rstp
Root ID Priority 32788
Address 000d.28bc.fd80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 000d.28bc.fd80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8 Desg BKN*19 128.8 P2p *ROOT_Inc
Gi0/2 Back BLK 4 128.26 P2p
thanks
mahesh
05-19-2010 02:16 PM
Also, one more thing to add: the vlan 20 layer 2 switch is offline right now.
05-19-2010 02:20 PM
Can you remove the rootguard and see what happens.
Also when you say vlan 20 switch is off line what is connected to fa0/8 on the 3550 switch. I thought it was the 2960 switch ?
Jon
05-19-2010 02:26 PM
hi
removed root guard
May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/8.
May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/8 on VLAN0001.
May 19 15:23:30.665 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
May 19 15:23:30.865 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
3550SMI#
as you see vlan 20 is up now
also port fa0/13 connects to other layer 2 switch that is on vlan 20
Fa0/13 down down
3550SMI# sh int desc
Interface Status Protocol Description
Vl1 admin down down
Vl10 up up
Vl20 up up
Vl30 up up
Fa0/1 down down
Fa0/2 down down
Fa0/3 down down
Fa0/4 down down
Fa0/5 down down
Fa0/6 down down
Fa0/7 down down
Fa0/8 up up
Fa0/9 down down
Fa0/10 down down
Fa0/11 up up
Fa0/12 down down
Fa0/13 down down
Fa0/14 down down
Fa0/15 down down
Fa0/16 down down
Fa0/17 down down
Fa0/18 down down
Fa0/19 down down
Fa0/20 up up
Fa0/21 down down
Fa0/22 down down
Fa0/23 down down
Fa0/24 down down
Gi0/1 down down
Gi0/2 up up
3550SMI#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/13, Fa0/24
10 VLAN0010 active Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/9, Fa0/10
20 VLAN0020 active Fa0/12, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19
05-19-2010 02:31 PM
Hi
to add
port fa0/8 on layer 3 goes to layer 2 switch 2950
also port fa0/13 on layer 3 goes to another layer 2 switch which has vlan 20 and is offline
05-19-2010 02:37 PM
Mahesh
From the 3550 can you post -
sh spanning-tree vlan 1
sh spanning-tree vlan 10
sh spanning-tree vlan 20
Jon
05-19-2010 02:38 PM
Hi jon
here is required info
3550SMI# sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 000b.bece.bbc0
Cost 19
Port 8 (FastEthernet0/8)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000d.28bc.fd80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8 Root FWD 19 128.8 P2p
Gi0/2 Back BLK 4 128.26 P2p
3550SMI# sh spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 24586
Address 000d.28bc.fd80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 000d.28bc.fd80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8 Desg FWD 19 128.8 P2p
Gi0/2 Back BLK 4 128.26 P2p
3550SMI# sh spanning-tree vlan 20
VLAN0020
Spanning tree enabled protocol rstp
Root ID Priority 32788
Address 000b.bece.bbc0
Cost 19
Port 8 (FastEthernet0/8)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 000d.28bc.fd80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8 Root FWD 19 128.8 P2p
Gi0/2 Back BLK 4 128.26 P2p
3550SMI#
05-19-2010 02:49 PM
Mahesh
From the outputs the 3550 is only the root bridge for vlan 10. So you need to make the 3550 root for all the vlans on the trunk link on fa0/8 before applying rootguard or you will see the problems you were having.
You apply rootguard on the root bridge so it must be the root bridge for all vlans that are on that trunk link.
Jon
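A pre-check for the point made in the last reply, added here as an example and not posted by anyone in this thread: it parses `show spanning-tree` output and lists the VLANs on which the switch is not root, which are the VLANs root guard would put into root-inconsistent state on the port facing the current root. The sample text is constructed from the 3550SMI outputs above, and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the 3550SMI outputs posted in this thread.
SAMPLE = """\
VLAN0001
  Root ID    Priority    32769
             Address     000b.bece.bbc0
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.28bc.fd80
VLAN0010
  Root ID    Priority    24586
             Address     000d.28bc.fd80
  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
VLAN0020
  Root ID    Priority    32788
             Address     000b.bece.bbc0
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
"""

def parse_ids(text):
    """Map each VLAN to {'root': (prio, mac), 'bridge': (prio, mac)}."""
    out, vlan, kind = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*VLAN0*(\d+)\s*$", line):
            vlan, kind = int(m.group(1)), None
            out[vlan] = {}
        elif vlan is not None and (m := re.search(r"(Root|Bridge) ID\s+Priority\s+(\d+)", line)):
            kind = m.group(1).lower()
            out[vlan][kind] = (int(m.group(2)), None)
        elif kind and (m := re.search(r"Address\s+([0-9a-fA-F.]{14})", line)):
            out[vlan][kind] = (out[vlan][kind][0], m.group(1).lower())
    return out

def root_guard_would_block(text):
    """VLANs where this switch is not root, so root guard on the port
    facing the current root would go root-inconsistent."""
    blocked = []
    for vlan, ids in sorted(parse_ids(text).items()):
        # STP picks the numerically lowest (priority, MAC) as root, so a
        # root ID below our own bridge ID means a superior BPDU is arriving.
        if ids["root"] < ids["bridge"]:
            blocked.append(vlan)
    return blocked

if __name__ == "__main__":
    print("Not root for VLANs:", root_guard_would_block(SAMPLE))
```

On the sample, VLANs 1 and 20 are flagged because the priorities tie and the 2950T's lower MAC address wins the election, while VLAN 10 passes because the 3550's priority was lowered to 24576.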