This post will cover the Root Guard and Loop Guard features. I'll use the simplified topology from the previous post again.
SW4 is the root bridge. Gi0/1 on SW3 is blocking.
Root Guard
The Root Guard feature is used to secure the placement of the root bridge in a switched network. If a superior BPDU, one advertising a better root bridge ID than the root the switch currently knows, is received on a port where Root Guard is enabled, the port is moved into the Root Inconsistent state, which is effectively equal to a blocking state; an inferior or equal BPDU does not trigger it. Root Guard should be used on designated ports, facing the part of the network where the root bridge should never appear. Although Root Guard is enabled at the port level, it actually works on a per-VLAN basis. To see this in action, I've created VLAN 2 on all switches. Now, let's enable Root Guard on SW4.
SW4(config)#interface range Gi0/3, Gi1/1
SW4(config-if-range)#spanning-tree guard root
SW4(config-if-range)#
*Oct 23 18:51:31.131: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/3.
*Oct 23 18:51:31.136: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet1/1.
Root Guard is enabled for both VLANs.
SW4#show spanning-tree interface Gi0/3 detail
Port 4 (GigabitEthernet0/3) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.4.
Designated root has priority 24577, address fa16.3ee9.46f6
Designated bridge has priority 24577, address fa16.3ee9.46f6
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Root guard is enabled on the port
BPDU: sent 92, received 2
Port 4 (GigabitEthernet0/3) of VLAN0002 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.4.
Designated root has priority 24578, address fa16.3ee9.46f6
Designated bridge has priority 24578, address fa16.3ee9.46f6
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Root guard is enabled on the port
BPDU: sent 45, received 40
SW4#show spanning-tree interface Gi1/1 detail
Port 6 (GigabitEthernet1/1) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.6.
Designated root has priority 24577, address fa16.3ee9.46f6
Designated bridge has priority 24577, address fa16.3ee9.46f6
Designated port id is 128.6, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Root guard is enabled on the port
BPDU: sent 90, received 0
Port 6 (GigabitEthernet1/1) of VLAN0002 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.6.
Designated root has priority 24578, address fa16.3ee9.46f6
Designated bridge has priority 24578, address fa16.3ee9.46f6
Designated port id is 128.6, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Root guard is enabled on the port
BPDU: sent 57, received 31
Now, let's try to make SW3 the root bridge for VLAN 1 by changing its priority to 4096.
SW3(config)#spanning-tree vlan 1 priority 4096
SW4 immediately puts both ports in the Root Inconsistent state for VLAN 1.
SW4#
*Oct 23 19:04:38.323: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/3 on VLAN0001.
*Oct 23 19:04:39.323: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/1 on VLAN0001.
SW4#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ee9.46f6
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address fa16.3ee9.46f6
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3 Desg BKN*4 128.4 Shr *ROOT_Inc
Gi1/1 Desg BKN*4 128.6 Shr *ROOT_Inc
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 24578
Address fa16.3ee9.46f6
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24578 (priority 24576 sys-id-ext 2)
Address fa16.3ee9.46f6
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/1 Desg FWD 4 128.6 Shr
Note that only VLAN 1 is affected. VLAN 2 is still forwarding.
The ports will automatically recover when they stop receiving superior BPDUs. Remove the STP priority configuration on SW3 and verify the results on SW4.
SW3(config)#no spanning-tree vlan 1 priority 4096
SW4#
*Oct 23 19:08:42.618: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/3 on VLAN0001.
*Oct 23 19:08:43.618: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet1/1 on VLAN0001.
SW4#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ee9.46f6
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address fa16.3ee9.46f6
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/1 Desg FWD 4 128.6 Shr
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 24578
Address fa16.3ee9.46f6
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24578 (priority 24576 sys-id-ext 2)
Address fa16.3ee9.46f6
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3 Desg FWD 4 128.4 Shr
Gi1/1 Desg FWD 4 128.6 Shr
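The per-VLAN behaviour above comes down to one comparison per received BPDU. The following is an added example, not code from the original post or from Cisco IOS: a simplified model (an assumption, not the IOS implementation) of a designated port with Root Guard that replays the SW3/SW4 sequence using the priorities and MAC addresses from the show output, and additionally shows the tie-break case the post does not exercise, where a neighbour with the same priority as SW4 but a lower MAC address is still superior. The rogue MAC 0000.0c12.3456 is constructed.

```python
"""Per-VLAN Root Guard decision, modelled on the SW3/SW4 lab in this post.

Added illustration, not code from the original post or from Cisco IOS.
It reproduces the comparison a switch makes when a BPDU arrives on a
designated port that has 'spanning-tree guard root': if the BPDU
advertises a root bridge ID that is better (numerically lower) than the
root the switch already knows for that VLAN, the port goes to ROOT_Inc
for that VLAN only. Priorities and MACs are taken from the show output
above; the state machine is a simplified model (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """PVST+ bridge ID: 16-bit priority field, then the 48-bit MAC as an int.

    Tuple ordering gives the STP rule for free: lower priority wins, and on a
    tie the lower MAC address wins.
    """
    priority: int
    mac: int

    @staticmethod
    def build(configured_priority: int, vlan: int, mac: str) -> "BridgeId":
        # The priority field is the configured value (a multiple of 4096) plus
        # the 12-bit extended system ID, i.e. the VLAN number. That is why SW4
        # shows 24577 for VLAN 1 and 24578 for VLAN 2.
        if configured_priority % 4096 or not 0 <= configured_priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= vlan <= 4094:
            raise ValueError("vlan out of range")
        return BridgeId(configured_priority + vlan, int(mac.replace(".", ""), 16))


class RootGuardPort:
    """One designated port with Root Guard; state is kept per VLAN."""

    def __init__(self, name: str, local_root: dict[int, BridgeId]) -> None:
        self.name = name
        self.local_root = local_root          # VLAN -> root bridge this switch elected
        self.inconsistent: set[int] = set()   # VLANs currently in ROOT_Inc
        self.log: list[str] = []

    def state(self, vlan: int) -> str:
        return "BKN*ROOT_Inc" if vlan in self.inconsistent else "FWD"

    def receive_bpdu(self, vlan: int, advertised_root: BridgeId) -> str:
        """Apply Root Guard to one received BPDU and return the port state."""
        superior = advertised_root < self.local_root[vlan]
        if superior and vlan not in self.inconsistent:
            self.inconsistent.add(vlan)
            self.log.append(f"ROOTGUARD_BLOCK {self.name} VLAN{vlan:04d}")
        elif not superior and vlan in self.inconsistent:
            # A BPDU that no longer claims a better root lets the VLAN recover.
            self.inconsistent.discard(vlan)
            self.log.append(f"ROOTGUARD_UNBLOCK {self.name} VLAN{vlan:04d}")
        return self.state(vlan)

    def superior_bpdus_aged_out(self, vlan: int) -> str:
        """Recovery path when the superior BPDUs simply stop (Max Age expiry)."""
        if vlan in self.inconsistent:
            self.inconsistent.discard(vlan)
            self.log.append(f"ROOTGUARD_UNBLOCK {self.name} VLAN{vlan:04d}")
        return self.state(vlan)


def lab_scenario() -> dict[str, str]:
    """Replay the post's sequence on SW4 Gi0/3 and return the state after each step."""
    sw4, sw3 = "fa16.3ee9.46f6", "fa16.3ec4.8b80"
    rogue = "0000.0c12.3456"                   # constructed MAC for the tie-break case
    local_root = {v: BridgeId.build(24576, v, sw4) for v in (1, 2)}   # SW4 is root
    port = RootGuardPort("GigabitEthernet0/3", local_root)
    out = {}
    # Steady state: SW3 (priority 32768) agrees that SW4 is root.
    out["steady_v1"] = port.receive_bpdu(1, local_root[1])
    # SW3: spanning-tree vlan 1 priority 4096 -> its BPDUs claim root for VLAN 1.
    out["sw3_prio4096_v1"] = port.receive_bpdu(1, BridgeId.build(4096, 1, sw3))
    out["sw3_prio4096_v2"] = port.receive_bpdu(2, local_root[2])   # VLAN 2 unchanged
    # SW3: no spanning-tree vlan 1 priority 4096 -> BPDUs again carry SW4 as root.
    out["sw3_reverted_v1"] = port.receive_bpdu(1, local_root[1])
    # Same priority as SW4 but a lower MAC is still superior (tie-break on MAC).
    out["rogue_same_prio_v2"] = port.receive_bpdu(2, BridgeId.build(24576, 2, rogue))
    out["rogue_aged_out_v2"] = port.superior_bpdus_aged_out(2)
    return out


if __name__ == "__main__":
    for step, state in lab_scenario().items():
        print(f"{step:20s} {state}")
```

The tie-break case is the one to remember operationally: matching the root's priority is not enough to keep a neighbour out, because the MAC address decides ties, so Root Guard on the designated ports is the control, not a low priority alone.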
Loop Guard
Loop Guard is used to prevent STP loops caused by unidirectional links. If a non-designated port (a root or alternate port, i.e. one that is blocking) stops receiving BPDUs, for example because a unidirectional link failure lets it transmit but not receive, STP assumes the upstream bridge is gone once Max Age expires and moves the port through listening and learning to forwarding. With the link still passing traffic in the other direction, this creates a loop. If Loop Guard is enabled, that port is put in the Loop Inconsistent state instead and stays blocked. Loop Guard can be enabled globally with spanning-tree loopguard default (applied to all point-to-point links) or per interface with spanning-tree guard loop. As with Root Guard, the feature is enabled on the port level but applied on a per-VLAN basis.
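To make the timing concrete, here is an added example that is not part of the original post or of Cisco IOS: a simplified (assumed) model of the 802.1D timers on a non-designated port, run once without and once with Loop Guard. The hello interval, Max Age and Forward Delay are the values shown in the post's show output; the point at which BPDUs stop and resume is a constructed input.

```python
"""Why a blocking port opens up when BPDUs stop, and what Loop Guard changes.

Added illustration, not code from the original post or from Cisco IOS. It is
a simplified (assumed) model of the 802.1D timers on a non-designated port:
stored BPDU information expires after Max Age (20 s); without Loop Guard the
port then walks listening -> learning -> forwarding, one Forward Delay (15 s)
per step, which is exactly the loop a unidirectional link causes. With Loop
Guard the port goes to LOOP_Inc instead and leaves it only when BPDUs return.
"""
MAX_AGE = 20          # seconds, 'Max Age 20 sec' in the show output
FORWARD_DELAY = 15    # seconds, 'Forward Delay 15 sec'
HELLO = 2             # seconds, 'Hello Time 2 sec'


class NonDesignatedPort:
    """A root/alternate port as seen by its own bridge (SW3 Gi0/1 in the post)."""

    def __init__(self, name: str, loop_guard: bool) -> None:
        self.name = name
        self.loop_guard = loop_guard
        self.state = "BLK"          # alternate blocking, the healthy state
        self.last_bpdu = 0          # time the last BPDU was received
        self.entered_state = 0      # time the current state was entered
        self.forwarded = False      # did the port ever open, i.e. did a loop form?
        self.log: list[str] = []

    def receive_bpdu(self, now: int) -> None:
        self.last_bpdu = now
        if self.state == "LOOP_Inc":
            self.log.append(f"{now:>3}s LOOPGUARD_UNBLOCK {self.name}")
            self._enter("BLK", now)
        elif self.state != "BLK":
            # The upstream designated bridge is back; its superior BPDU wins again.
            self._enter("BLK", now)

    def tick(self, now: int) -> str:
        """Advance timers to 'now' (whole seconds) and return the port state."""
        if self.state == "BLK" and now - self.last_bpdu >= MAX_AGE:
            if self.loop_guard:
                self.log.append(f"{now:>3}s LOOPGUARD_BLOCK {self.name}")
                self._enter("LOOP_Inc", now)
            else:
                self._enter("LIS", now)     # STP believes the upstream bridge is gone
        elif self.state == "LIS" and now - self.entered_state >= FORWARD_DELAY:
            self._enter("LRN", now)
        elif self.state == "LRN" and now - self.entered_state >= FORWARD_DELAY:
            self._enter("FWD", now)
            self.forwarded = True
        return self.state

    def _enter(self, state: str, now: int) -> None:
        self.state, self.entered_state = state, now


def simulate(loop_guard: bool, bpdus_stop_at: int, bpdus_resume_at: int, until: int) -> dict:
    """Run one port second by second; BPDUs arrive every HELLO seconds except in the gap."""
    port = NonDesignatedPort("GigabitEthernet0/1", loop_guard)
    timeline: dict[int, str] = {}
    for now in range(until + 1):
        receiving = now % HELLO == 0 and not (bpdus_stop_at < now < bpdus_resume_at)
        if receiving:
            port.receive_bpdu(now)
        state = port.tick(now)
        if not timeline or timeline[max(timeline)] != state:
            timeline[now] = state       # record only the transitions
    return {"timeline": timeline, "looped": port.forwarded, "log": port.log}


if __name__ == "__main__":
    for guard in (False, True):
        result = simulate(guard, bpdus_stop_at=10, bpdus_resume_at=70, until=80)
        print(f"loop guard {'on ' if guard else 'off'}: {result['timeline']}  looped={result['looped']}")
```

With BPDUs silent from t=10 s, the unguarded port is forwarding at t=60 s (Max Age plus two Forward Delays after the last BPDU) and the loop exists until BPDUs resume; the guarded port sits in LOOP_Inc from t=30 s and simply returns to blocking when the first BPDU comes back.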
SW3(config)#interface Gi0/1
SW3(config-if)#spanning-tree guard loop
SW3#show spanning-tree interface Gi0/1 detail
Port 2 (GigabitEthernet0/1) of VLAN0001 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24577, address fa16.3ee9.46f6
Designated bridge has priority 32769, address fa16.3ec4.8b80
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Loop guard is enabled on the port
BPDU: sent 119, received 583
Port 2 (GigabitEthernet0/1) of VLAN0002 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 24578, address fa16.3ee9.46f6
Designated bridge has priority 32770, address fa16.3ec4.8b80
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is shared by default
Loop guard is enabled on the port
BPDU: sent 4, received 696
Next, configure BPDU Filter on SW1 port Gi0/1 to stop it from sending BPDUs to SW3. This should trigger Loop Guard.
SW1(config)#interface Gi0/1
SW1(config-if)#spanning-tree bpdufilter enable
SW3#
*Oct 23 19:21:38.639: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0002.
*Oct 23 19:21:40.288: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0001.
SW3#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address fa16.3ee9.46f6
Cost 4
Port 6 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address fa16.3ec4.8b80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg BKN*4 128.2 Shr *LOOP_Inc
Gi1/1 Root FWD 4 128.6 Shr
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 24578
Address fa16.3ee9.46f6
Cost 4
Port 6 (GigabitEthernet1/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address fa16.3ec4.8b80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg BKN*4 128.2 Shr *LOOP_Inc
Gi1/1 Root FWD 4 128.6 Shr
Similar to Root Guard, Loop Guard recovers automatically. Once BPDUs are received on the port again, it leaves the Loop Inconsistent state and STP resumes its normal role for it; on SW3, Gi0/1 goes back to alternate blocking, as it was before BPDU Filter was enabled on SW1.
SW1(config-if)#no spanning-tree bpdufilter enable
SW3#
*Oct 23 19:23:43.890: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/1 on VLAN0002.
*Oct 23 19:23:45.603: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/1 on VLAN0001.
Root Guard and Loop Guard are mutually exclusive on a port. If Root Guard is configured on a port and Loop Guard is then enabled on that port, Root Guard is disabled, and vice versa, so check the log whenever either guard is changed.
SW4(config)#interface Gi0/3
SW4(config-if)#spanning-tree guard loop
*Oct 23 19:24:34.875: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disabled on port GigabitEthernet0/3.
SW4(config-if)#spanning-tree guard root
*Oct 23 19:24:51.840: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/3.