Root guard issue

Unanswered Question
May 29th, 2010

Hello,


I’m working on an L2 compartment on which I have enabled Root Guard.

[Image: nw-design.jpg (network design diagram)]

Switches 1, 2, 3 and 4 are Catalyst 6500

Switches 5 and 6 are third party switches.

Switch 1 is root of the first MSTP instance.

Switch 2 is root of the second MSTP instance.

I want to protect the “main loop” (switches 1, 2, 3 and 4), and I don’t want switch 5 or 6 to become STP root.

So I’ve enabled root guard (the red points on the map).

Maybe the link speeds seem strange, but they are required (there is a lot of bandwidth needed between switches 1, 2, 5 and 6, on a specific VLAN).

According to the default MSTP costs, Sw1 Port-Channel 1 and Sw2 Port-Channel 1 are the root ports.

Unfortunately, the root guard protected ports are moving to the root-inconsistent STP state.

Do you have an idea why?

Is it because switch 1 is receiving BPDUs from switch 2, but on the following path: Sw2 -> Sw6 -> Sw5 -> Sw1?

Any recommendation to solve this issue?

Thanks in advance,

Jeremie

Reza Sharifi Sat, 05/29/2010 - 14:10

Hi Jeremie,


This happens, because you have multiple ports connecting switch 1 and switch 2 together.


The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

Have a look at this document for more info:

https://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

Question:

Why do you have multiple 1Gig ports connecting switches 5 and 6 to 1 and 2, but only a single 1Gig from 1 and 2 to 3 and 4? Seems like a choke point.

HTH

Reza

Ganesh Hariharan Sat, 05/29/2010 - 21:19

Hi Jeremie,


It can be possible that the port where you have enabled root guard is not a designated port. As Reza correctly pointed out, root guard needs to be enabled on root bridges, where all your ports are designated ports.


Check out the spanning tree status on both switches for the bridge and port roles, and then enable root guard on these switches. If not a root bridge, then make these switches the root bridge by tuning the priority of the bridges.


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

CSCO11688753 Sun, 05/30/2010 - 02:19

Hello Reza, Ganesh,


Thanks for your answers.


Yes, I've read the Spanning Tree Protocol Root Guard Enhancement paper from Cisco, and, in fact, I set up Root Guard after reading this document.


Yes Reza, the design is a little weird.

There are DWDM links between the 2 buildings, that is why the links between sw1 – sw3 and sw2 – sw4 are only 1G. The bandwidth is higher between switches 1, 2, 5 and 6 because of high bandwidth needs for servers connected to these switches, on a specific VLAN.


“Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.”

As mentioned, I run MSTP, and Switch 1 is root of the first MSTP instance; Switch 2 is root of the second MSTP instance. I set low bridge priorities to ensure this on the switches. So... I have 2 roots.

From my understanding, switch 1 Po2 should not be the root port.

According to MSTP default costs (10G: 2000 ; 4G: 5000 ; 2G : 10 000 ; 1G : 20 000):

Switch 1 is receiving BPDUs from switch 2 (root of the second MSTP instance) on both Po1 and Po2.

From Po1, it should receive a BPDU with a cost of 0.

From Po2, it should receive a BPDU with a cost of 5000 + 2000 = 7000.

So Po1 should be the RP.

But from my understanding, sw2's BPDU can be received on sw1's Po1 and Po2, because of the loop.

Does that mean we should not use Root Guard on a port if there is a loop (that is to say another path to the Root bridge)? The Cisco paper example is not showing an example with a loop (if there were 2 links to their switch D, for instance).

In your opinion, how can I prevent the third party switches from becoming root, in this situation?


Thanks in advance,

Jeremie
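The exchange above turns on how a bridge picks its root port and then decides whether a root-guard port is designated: Reza's reply gives the rule, and Jeremie's last post walks through the MSTP costs for Sw1 in instance 2. The following Python model is an added example, not part of the thread and not Cisco code. It implements the 802.1D/802.1Q priority-vector comparison (root ID, root path cost, designated bridge ID, port ID; lower wins), excludes root-guard ports from root election as root guard does, and marks any guarded port that is not designated as root-inconsistent. The bridge IDs, MAC addresses and the 4G/10G port costs of Sw1's Po1 and Po2 are constructed assumptions; the received costs 0 and 7000 and the MSTP cost table are the values Jeremie quotes.

```python
"""Added example: root-port selection and root-guard evaluation on one bridge,
using the STP priority-vector comparison. Bridge IDs, MACs and Sw1's own port
costs are constructed assumptions for the thread's scenario."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BridgeId = Tuple[int, str]  # (priority, MAC); lower tuple is the better bridge

# Default MSTP (long) port costs quoted in the thread, keyed by link speed in Mbit/s
MSTP_PORT_COST = {10_000: 2_000, 4_000: 5_000, 2_000: 10_000, 1_000: 20_000}


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId      # who the sender believes is root
    root_path_cost: int    # the sender's cost to that root
    bridge_id: BridgeId    # the sending (designated) bridge
    port_id: int           # the sender's port

    def vector(self):
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


@dataclass
class Port:
    cost: int                       # this bridge's path cost on the port
    port_id: int
    root_guard: bool = False
    received: Optional[Bpdu] = None  # best BPDU heard on this port, if any


def select_root(my_id: BridgeId, ports: Dict[str, Port]):
    """Return (root_id, root_path_cost, root_port_name). Cost via a port is the
    received cost plus the port cost; root-guard ports never become root port."""
    best = None
    for name, p in ports.items():
        if p.received is None or p.root_guard or p.received.bridge_id == my_id:
            continue  # nothing heard, guarded, or our own BPDU reflected back
        cand = (p.received.root_id, p.received.root_path_cost + p.cost,
                p.received.bridge_id, p.received.port_id, name)
        if best is None or cand[:4] < best[:4]:
            best = cand
    if best is None or my_id <= best[0]:
        return my_id, 0, None  # we are the root ourselves
    return best[0], best[1], best[4]


def port_roles(my_id: BridgeId, ports: Dict[str, Port]) -> Dict[str, str]:
    """Assign root / designated / alternate per port, then apply root guard:
    a guarded port that is not designated is put into root-inconsistent."""
    root_id, rpc, root_port = select_root(my_id, ports)
    roles = {}
    for name, p in ports.items():
        own = (root_id, rpc, my_id, p.port_id)  # the BPDU we would send here
        if name == root_port:
            role = "root"
        elif p.received is None or own < p.received.vector():
            role = "designated"  # our BPDU is superior to the neighbour's
        else:
            role = "alternate"   # the neighbour's BPDU is superior
        if p.root_guard and role != "designated":
            role = "root-inconsistent"
        roles[name] = role
    return roles


# Constructed bridge IDs for MST instance 2 (sw2 is its root, as in the thread)
SW1: BridgeId = (8192, "0000.0000.0001")
SW2: BridgeId = (4096, "0000.0000.0002")
SW5: BridgeId = (32768, "0000.0000.0005")  # third-party switch, default priority


def sw1_instance2_scenario() -> Dict[str, str]:
    """Sw1 as Jeremie describes it: Po1 hears sw2 directly (cost 0), Po2 hears
    sw2 via sw6 -> sw5 with cost 7000. Po1 assumed 4G, Po2 assumed 10G."""
    ports = {
        "Po1": Port(MSTP_PORT_COST[4_000], 1, received=Bpdu(SW2, 0, SW2, 1)),
        "Po2": Port(MSTP_PORT_COST[10_000], 2, root_guard=True,
                    received=Bpdu(SW2, 7000, SW5, 3)),
    }
    return port_roles(SW1, ports)


def third_party_claims_root() -> Dict[str, str]:
    """The case root guard exists for: sw5 advertises itself as root, priority 0."""
    rogue: BridgeId = (0, "0000.0000.0005")
    ports = {
        "Po1": Port(MSTP_PORT_COST[4_000], 1, received=Bpdu(SW2, 0, SW2, 1)),
        "Po2": Port(MSTP_PORT_COST[10_000], 2, root_guard=True,
                    received=Bpdu(rogue, 0, rogue, 3)),
    }
    return port_roles(SW1, ports)


def loop_gives_better_path() -> Dict[str, str]:
    """The situation the thread suspects: the direct link (assumed 1G here) is
    costlier than the loop path, so the guarded port would have been root port."""
    ports = {
        "Po1": Port(MSTP_PORT_COST[1_000], 1, received=Bpdu(SW2, 0, SW2, 1)),
        "Po2": Port(MSTP_PORT_COST[10_000], 2, root_guard=True,
                    received=Bpdu(SW2, 7000, SW5, 3)),
    }
    return port_roles(SW1, ports)


if __name__ == "__main__":
    for fn in (sw1_instance2_scenario, third_party_claims_root, loop_gives_better_path):
        print(fn.__name__, fn())
```

With the assumed 4G direct link, Sw1's Po2 sends (sw2, 5000, sw1) and receives (sw2, 7000, sw5), so its own vector wins and Po2 stays designated; root guard has nothing to do. The third scenario shows the pattern behind a root-inconsistent port: the guarded port hears the legitimate root's BPDU with a lower cost than the bridge's own root path cost, which is exactly what a loop with cheaper links can produce. Checking the received root ID and root path cost on the inconsistent port (`show spanning-tree inconsistentports` and the per-port detail) distinguishes the two cases in practice.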
