Root bridge explanation

Mehdi Talei
Level 1

I am just trying to understand what is going on here... In the attachment you will find a simple scenario... VLANs 5 to 10 are the DMZ VLANs, which are the sub-interfaces on the ASA firewall. The point that I don't understand is why, for all these VLANs, Switch1 and switch DMZ are both root bridges! I understand that a device such as the ASA, which is not able to manage BPDUs, filters them, but in this scenario I have a trunk between Switch1 and DMZ.

Can somebody please explain to me why both Switch1 and DMZ are root bridges for these VLANs?

Here are some show command outputs:

DMZ#sh spanning-tree vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     ec30.9173.5100
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     ec30.9173.5100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost     Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1   P2p
Gi0/22             Desg FWD 4         128.22   P2p

Switch1#sh spanning-tree vlan 5
VLAN0005
  Spanning tree enabled protocol rstp
  Root ID    Priority    32773
             Address     5475.d0d0.3a80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     5475.d0d0.3a80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi2/0/20            Desg FWD 4         128.74   P2p

3 Replies

cadet alain
VIP Alumni

Hi,

Can you post the config from both switches?

Regards.

Alain

Don't forget to rate helpful posts.

Here is the spanning-tree related config:

DMZ#
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
interface GigabitEthernet0/1
description Uplink ASA
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree bpdufilter disable
spanning-tree bpduguard disable
!
interface GigabitEthernet0/22
description Switch1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
spanning-tree bpdufilter enable
!

Switch1#
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
interface GigabitEthernet2/0/20
description Uplink - SW-DMZ
switchport trunk encapsulation dot1q
switchport mode trunk
end
!

I think I found the source of the issue! I have "spanning-tree bpdufilter enable", which is filtering the BPDUs on port Gi0/22 on the DMZ switch. Is that the reason?

Hi,

You are probably right, the "spanning-tree bpdufilter enable" is filtering the BPDUs.

As both switches believe themselves to be roots, they should be advertising their BPDUs on all ports.

Using the "sh spanning-tree int Gix/y/z detail" command you should be able to see how many BPDUs were sent/received.

You are also using different STP modes (rapid-pvst/pvst) on your switches, but they should be compatible.

HTH,

Milan
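
Added example (not part of the original thread and not Cisco tooling): a small audit that walks the interface stanzas of a saved running-config and flags trunk ports carrying "spanning-tree bpdufilter enable", the setting the thread identifies on Gi0/22. The function names are hypothetical, the sample is abridged from the DMZ config posted above, and the parser assumes stanzas are separated by "!" as in show running-config output.

```python
import re

# Sample input: abridged from the DMZ switch config posted in this thread.
DMZ_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast default
!
interface GigabitEthernet0/1
 description Uplink ASA
 switchport mode trunk
 spanning-tree bpdufilter disable
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/22
 description Switch1
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines, e.g. config pasted from a web page
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line in ("!", "end"):
            current = None  # assumption: "!" or "end" closes the stanza
        elif current is not None:
            current.append(line)
    return stanzas

def audit_trunk_bpdufilter(config):
    """Return (interface, description) for trunks with interface-level BPDU filter."""
    prefix, findings = "description ", []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines and "spanning-tree bpdufilter enable" in lines:
            desc = next((l[len(prefix):] for l in lines if l.startswith(prefix)), "")
            findings.append((name, desc))
    return findings

if __name__ == "__main__":
    for name, desc in audit_trunk_bpdufilter(DMZ_CONFIG):
        print(f"{name} ({desc}): trunk with BPDU filter enabled")
```

Run against the Switch1 config from the thread it reports nothing, since Gi2/0/20 has no BPDU filter configured.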
