This happens because you have multiple ports connecting switch 1 and switch 2 together.
The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.
I want to protect the “main loop” (switches 1, 2, 3 and 4), and I don’t want switch 5 or 6 to become STP root.
So I’ve enabled root guard (the red points on the map).
Maybe the link speeds seem strange, but they are required (there are high bandwidth needs between switches 1, 2, 5 and 6 on a specific VLAN).
According to the default MSTP costs, Sw1 Port-Channel 1 and Sw2 Port-Channel 1 are the root ports.
Unfortunately, the root guard protected ports are moving to the root-inconsistent STP state.
Do you have an idea why?
Is it because switch 1 is receiving BPDUs from switch 2, but on the following path: Sw2 -> sw6 -> Sw5 -> sw1?
Any recommendation to solve this issue?
Thanks in advance,
It is possible that the port where you have enabled root guard is not a designated port. As Reza correctly pointed out, root guard needs to be enabled on root bridges, where all your ports are designated ports.
Check the spanning tree status on both switches for the bridge and port roles, and then enable root guard on these switches. If they are not root bridges, make these switches root bridges by tuning the bridge priorities.
Yes, I've read the Spanning Tree Protocol Root Guard Enhancement paper from Cisco, and, in fact, I've set up Root Guard following the reading of this document.
Yes Reza, the design is a little weird.
There are DWDM links between the 2 buildings, which is why the links between sw1 – sw3 and sw2 – sw4 are only 1G. The bandwidth is higher between switches 1, 2, 5 and 6 because of the high bandwidth needs of servers connected to these switches, on a specific VLAN.
“Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.”
As mentioned, I run MSTP, and Switch 1 is root of the first MSTP instance; Switch 2 is root of the second MSTP instance. I set low bridge priorities to ensure this on the switches. So... I have 2 roots.
From my understanding, switch 1 Po2 should not be the root port.
According to the MSTP default costs (10G: 2000; 4G: 5000; 2G: 10,000; 1G: 20,000):
Switch 1 is receiving BPDUs from switch 2 (root of the second MSTP instance) on both Po1 and Po2.
From Po1, it should receive the BPDU with a cost of 0.
From Po2, it should receive the BPDU with a cost of 5000 + 2000 = 7000.
So Po1 should be the RP.
But from my understanding, sw2's BPDU can be received on sw1 Po1 and Po2, because of the loop.
Does that mean we should not use Root Guard on a port if there is a loop (that is to say, another path to the root bridge)? The Cisco paper does not show an example with a loop (if there were 2 links to their switch D, for instance).
In your opinion, how can I prevent the third party switches from becoming root, in this situation?
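As an added illustration of the BPDU comparison this thread is about (not the poster's configuration and not a Cisco example), here is a small Python model of MSTP root-port election together with the root-guard check. The topology, link speeds, bridge priorities, port names and the set of guarded ports are all assumptions, chosen so that sw2's BPDU reaches sw1 with cost 0 on Po1 and with cost 5000 + 2000 = 7000 on Po2 via sw2 -> sw6 -> sw5 -> sw1; the 1G links to sw3 and sw4 follow the thread. The model goes slightly beyond the thread by letting you vary a link speed and re-run the election.

```python
"""Toy MSTP port-role election with a root-guard check (constructed example)."""
import heapq

# Default MSTP path costs quoted in the thread, keyed by link speed.
MSTP_COST = {"10G": 2000, "4G": 5000, "2G": 10000, "1G": 20000}

# Assumed links: (bridge A, port on A, bridge B, port on B, speed).
LINKS = [
    ("sw1", "Po1", "sw2", "Po1", "2G"),   # assumed 2x1G port-channel
    ("sw1", "Po2", "sw5", "Po1", "4G"),   # assumed
    ("sw5", "Po2", "sw6", "Po1", "10G"),  # assumed
    ("sw6", "Po2", "sw2", "Po2", "4G"),   # assumed
    ("sw1", "Gi1", "sw3", "Gi1", "1G"),   # 1G DWDM link from the thread
    ("sw2", "Gi1", "sw4", "Gi1", "1G"),   # 1G DWDM link from the thread
    ("sw3", "Gi2", "sw4", "Gi2", "1G"),   # assumed, closes the main loop
]

# Assumed priorities per instance (lower wins): sw1 roots instance 1,
# sw2 roots instance 2, as the poster describes.
PRIORITY = {
    1: {"sw1": 4096, "sw2": 8192, "sw3": 32768, "sw4": 32768, "sw5": 32768, "sw6": 32768},
    2: {"sw1": 8192, "sw2": 4096, "sw3": 32768, "sw4": 32768, "sw5": 32768, "sw6": 32768},
}

# Assumed root-guard ports (the "red points"): main-loop ports facing sw5/sw6.
ROOT_GUARD = [("sw1", "Po2"), ("sw2", "Po2")]


def adjacency(links=LINKS):
    """bridge -> [(local port, neighbour, neighbour port, port cost)]."""
    adj = {}
    for a, pa, b, pb, speed in links:
        cost = MSTP_COST[speed]
        adj.setdefault(a, []).append((pa, b, pb, cost))
        adj.setdefault(b, []).append((pb, a, pa, cost))
    return adj


def bridge_id(instance, bridge):
    return (PRIORITY[instance][bridge], bridge)


def root_bridge(instance):
    return min(PRIORITY[instance], key=lambda b: bridge_id(instance, b))


def root_path_costs(instance, links=LINKS):
    """Dijkstra from the instance root. A bridge puts its own root path cost
    in the BPDUs it sends, so dist[nbr] is what a neighbour receives."""
    adj = adjacency(links)
    root = root_bridge(instance)
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, br = heapq.heappop(heap)
        if d > dist[br]:
            continue
        for _port, nbr, _nport, cost in adj[br]:
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def received_costs(bridge, instance, links=LINKS):
    """Root path cost carried by the BPDU arriving on each port of `bridge`."""
    dist = root_path_costs(instance, links)
    return {port: dist[nbr] for port, nbr, _np, _c in adjacency(links)[bridge]}


def port_roles(bridge, instance, links=LINKS):
    """Role of each port: 'root', 'designated' or 'alternate'.

    Root port: lowest (received root path cost + own port cost), ties broken
    by neighbour bridge ID. Every other port compares the BPDU this bridge
    would send, (own root path cost, own bridge ID), with the one it receives,
    (neighbour's root path cost, neighbour's bridge ID); the port is
    designated only if the local vector is lower.
    """
    adj = adjacency(links)
    dist = root_path_costs(instance, links)
    rp = None
    if bridge != root_bridge(instance):
        rp = min(adj[bridge], key=lambda e: (dist[e[1]] + e[3], bridge_id(instance, e[1])))[0]
    roles = {}
    for port, nbr, _nport, _cost in adj[bridge]:
        if port == rp:
            roles[port] = "root"
            continue
        mine = (dist[bridge], bridge_id(instance, bridge))
        theirs = (dist[nbr], bridge_id(instance, nbr))
        roles[port] = "designated" if mine < theirs else "alternate"
    return roles


def root_inconsistent_ports(instance, links=LINKS):
    """Root guard moves a port to root-inconsistent when it receives a superior
    BPDU, i.e. whenever the port would not be designated. Returns the guarded
    ports that end up in that state."""
    return sorted(bp for bp in ROOT_GUARD
                  if port_roles(bp[0], instance, links)[bp[1]] != "designated")


if __name__ == "__main__":
    for inst in (1, 2):
        print(f"instance {inst}: root {root_bridge(inst)}")
        print("  sw1 receives      ", received_costs("sw1", inst))
        print("  sw1 port roles    ", port_roles("sw1", inst))
        print("  root-inconsistent ", root_inconsistent_ports(inst))
```

Root-port election and the designated-port decision are separate comparisons. With the assumed speeds, Po1 is sw1's root port in instance 2 exactly as the thread computes, yet root guard still fires on sw1 Po2: the BPDU relayed by sw5 carries cost 7000, lower than the cost 10000 that sw1 itself would advertise on that port, so Po2 is an alternate port rather than designated. Changing the assumed Po1 speed to 10G (cost 2000) makes sw1's own BPDU win on Po2 and the port stays designated. A root-guard port is only safe where the local bridge's own BPDU beats every BPDU it can receive there, which on a non-root bridge depends on path costs, not only on who the root is.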