
spanning-tree guard root command blocked trunk port

mahesh18
Level 6

Hi all,

I enabled spanning-tree guard root on 2950 trunk port fa0/8, which connects to the layer 3 switch 3550SMI, as below:

2950T#sh run int fa0/8
Building configuration...

Current configuration : 146 bytes
!
interface FastEthernet0/8
description Dynamic desirable Trunk connection to Switch 3550
speed 100
duplex half
spanning-tree guard root*******************
end

==============================

Once I did that, from the layer 3 switch I was unable to telnet or ping to switch 2950T. It was still showing as a CDP neighbor:

3550SMI#                  sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
2950T            Fas 0/8           151           S I      WS-C2950T Fas 0/8

3550SMI#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On the layer 3 switch, port fa0/8 is shown as forwarding:

3550SMI#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p Peer(STP)

But on the layer 2 switch, port fa0/8 is shown as up/up and connected, but in blocking state:

2950T#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bece.bbc0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bece.bbc0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8            Desg BKN*19        128.8    Shr *ROOT_Inc

--------logs from layer 2 switch

May 18 17:11:27.984 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 18 17:11:28.100 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0010.

Can anyone tell me why, after enabling spanning-tree guard root on the layer 2 trunk port, it put the port in blocking state? I was thinking that spanning-tree guard root is used to stop STP re-elections when someone puts a rogue switch on the network?

many thanks

mahesh

1 Accepted Solution

Mahesh

Vlan 1 will always be on trunk links even if you shutdown the SVI and clear it off trunks. So that is why you saw that message.

Jon

17 Replies

Ganesh Hariharan
VIP Alumni

Hi Mahesh,

The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state.

So I would suggest just checking the STP status to see which switch is the root bridge, and applying root guard on the root bridge ports.

Hope to Help !!

Ganesh.H

Jon Marshall
Hall of Fame

Mahesh

Which switch should be the root bridge? From the looks of the priorities the 3550 should be the root bridge. If so, as Ganesh says, you should apply rootguard to the 3550 port that connects to the 2960 and remove the rootguard from the 2960 switch.

Rootguard is meant to be used to stop a switch becoming root, so in your case, if the 3550 is meant to be the root bridge, you want to make sure that the 2960 cannot become root, so you apply rootguard to the 3550 switch. If the 2960 then sends a better BPDU, the port will be error disabled rather than the 2960 becoming the root bridge.

Jon

Hi jon,

thanks for reply

3550 should be the root bridge.

So as per you, we should apply root guard only on the 3550, as it is the root bridge, so that the 2950 does not become root bridge?

mahesh

mahesh18 wrote:

Hi jon,

thanks for reply

3550 should be the root bridge.

So as per you, we should apply root guard only on the 3550, as it is the root bridge, so that the 2950 does not become root bridge?

mahesh

Mahesh

Yes you should apply the rootguard on the 3550 port that connects to the 2960 which would stop the 2960 becoming the root bridge.

Jon

Hi jon

I did that, applied root guard on fa0/8 on the layer 3 switch, but after doing that:

May 19 15:00:05.630 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/8.
May 19 15:00:07.462 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/8 on VLAN0001.
May 19 15:00:07.642 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
May 19 15:00:08.466 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down********************

VLAN 20 is up/down? Do you know why this happens?

thanks

mahesh

Mahesh

Is the 3550 STP root for all vlans including vlan 20 ?

Jon

Hi,

here is info

3550SMI#sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg BKN*19        128.8    P2p *ROOT_Inc
Gi0/2               Back BLK 4         128.26   P2p

thanks

mahesh

Also, one more thing to add: the VLAN 20 layer 2 switch is offline right now.

Can you remove the rootguard and see what happens?

Also, when you say the vlan 20 switch is offline, what is connected to fa0/8 on the 3550 switch? I thought it was the 2960 switch?

Jon

hi

removed root guard

May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port FastEthernet0/8.
May 19 15:23:29.073 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/8 on VLAN0001.
May 19 15:23:30.665 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
May 19 15:23:30.865 MST: %SYS-5-CONFIG_I: Configured from console by manveer on vty0 (192.168.5.1)
3550SMI#

as you see vlan 20 is up now

also port fa0/13 connects to other layer 2 switch that is on vlan 20

Fa0/13                         down           down  

3550SMI#                             sh int desc
Interface                      Status         Protocol Description
Vl1                            admin down     down
Vl10                           up             up
Vl20                           up             up
Vl30                           up             up
Fa0/1                          down           down
Fa0/2                          down           down
Fa0/3                          down           down
Fa0/4                          down           down
Fa0/5                          down           down
Fa0/6                          down           down
Fa0/7                          down           down
Fa0/8                          up             up      
Fa0/9                          down           down
Fa0/10                         down           down
Fa0/11                         up             up     
Fa0/12                         down           down
Fa0/13                         down           down   
Fa0/14                         down           down
Fa0/15                         down           down
Fa0/16                         down           down
Fa0/17                         down           down
Fa0/18                         down           down
Fa0/19                         down           down
Fa0/20                         up             up    
Fa0/21                         down           down
Fa0/22                         down           down
Fa0/23                         down           down
Fa0/24                         down           down    
Gi0/1                          down           down
Gi0/2                          up             up
3550SMI#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/13, Fa0/24
10   VLAN0010                         active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/9, Fa0/10
20   VLAN0020                         active    Fa0/12, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19

Hi

to add

Port fa0/8 on the layer 3 switch goes to the layer 2 switch 2950.

Also, port fa0/13 on the layer 3 switch goes to another layer 2 switch, which has VLAN 20 and is offline.

Mahesh

From the 3550 can you post -

sh spanning-tree vlan 1

sh spanning-tree vlan 10

sh spanning-tree vlan 20

Jon

Hi jon

here is required info

3550SMI# sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     000b.bece.bbc0
             Cost        19
             Port        8 (FastEthernet0/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Root FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI# sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI# sh spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    32788
             Address     000b.bece.bbc0
             Cost        19
             Port        8 (FastEthernet0/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Root FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

3550SMI#

Mahesh

From the outputs the 3550 is only the root bridge for vlan 10. So you need to make the 3550 root for all the vlans on the trunk link on fa0/8 before applying rootguard or you will see the problems you were having.

You apply rootguard on the root bridge so it must be the root bridge for all vlans that are on that trunk link.

Jon
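
A pre-change check for the condition described in the reply above, as an added example that is not part of the original thread: it parses `show spanning-tree` output and lists the VLANs in which the given port is currently a Root port, which is where root guard would move it to root-inconsistent. The sample text is constructed by trimming the 3550 outputs posted in this thread; the names `parse_stp` and `rootguard_conflicts` are chosen here.

```python
import re

# Constructed input: trimmed from the 3550 "sh spanning-tree vlan N" outputs in this thread.
SAMPLE = """\
VLAN0001
  Root ID    Priority    32769
             Port        8 (FastEthernet0/8)
Interface           Role Sts Cost      Prio.Nbr Type
Fa0/8               Root FWD 19        128.8    P2p
VLAN0010
  Root ID    Priority    24586
             This bridge is the root
Interface           Role Sts Cost      Prio.Nbr Type
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p
VLAN0020
  Root ID    Priority    32788
             Port        8 (FastEthernet0/8)
Interface           Role Sts Cost      Prio.Nbr Type
Fa0/8               Root FWD 19        128.8    P2p
"""

VLAN_RE = re.compile(r"^VLAN0*(\d+)\s*$")
# Interface row: name, role, 3-letter state (may be followed by '*', as in "BKN*19").
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back|Mstr)\s+([A-Z]{3})\*?")

def parse_stp(text):
    """Return {vlan: {"is_root": bool, "ports": {name: (role, state)}}}."""
    vlans, cur = {}, None
    for line in text.splitlines():
        if (m := VLAN_RE.match(line.strip())):
            cur = vlans.setdefault(int(m.group(1)), {"is_root": False, "ports": {}})
        elif cur is not None and "This bridge is the root" in line:
            cur["is_root"] = True
        elif cur is not None and (p := PORT_RE.match(line)):
            cur["ports"][p.group(1)] = (p.group(2), p.group(3))
    return vlans

def rootguard_conflicts(text, port):
    """VLANs where `port` is the Root port, i.e. it receives superior BPDUs,
    so enabling root guard on it would block that VLAN on the port."""
    return sorted(v for v, d in parse_stp(text).items()
                  if d["ports"].get(port, ("", ""))[0] == "Root")

if __name__ == "__main__":
    print("root guard on Fa0/8 would block VLANs:", rootguard_conflicts(SAMPLE, "Fa0/8"))
```

An empty result for the trunk port means the switch is not learning the root through that port on any VLAN in the supplied output, which is the precondition given above for enabling root guard there.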
