
Root guard enabled interface receiving BPDUs or not Question

mahesh18
Level 6

Hi all,

I was reading this

In essence root guard designates that a port can only relay BPDUs and not receive them. The port can never become a root port that would normally only receive BPDUs.

My understanding of this is: if I enable root guard on a port, say fa0/8, which connects to a layer 2 switch, and I do not want that layer 2 switch to become the root bridge, then port fa0/8 on the root bridge switch can only send BPDUs to the layer 2 switch and will not receive any BPDUs from the layer 2 switch on port fa0/8, right?

But here I see it receives BPDUs:

3550SMIA# sh spanning-tree int fa0/8 detail
Port 8 (FastEthernet0/8) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 32769, address 0009.e8a2.0080
   Designated bridge has priority 32769, address 000d.28bc.fd80
   Designated port id is 128.8, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 1529, received 2*******************************************

Port 8 (FastEthernet0/8) of VLAN0010 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 20490, address 000d.28bc.fd80
   Designated bridge has priority 20490, address 000d.28bc.fd80
   Designated port id is 128.8, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 1529, received 4***************************************************

Port 8 (FastEthernet0/8) of VLAN0020 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 24596, address 000d.28bc.fd80
   Designated bridge has priority 24596, address 000d.28bc.fd80
   Designated port id is 128.8, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 1529, received 4

Port 8 (FastEthernet0/8) of VLAN0030 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 4126, address 000d.28bc.fd80
   Designated bridge has priority 4126, address 000d.28bc.fd80
   Designated port id is 128.8, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 1530, received 4

Port 8 (FastEthernet0/8) of VLAN0040 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 32808, address 0009.e8a2.0080
   Designated bridge has priority 32808, address 000d.28bc.fd80
   Designated port id is 128.8, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 1529, received 5***********************************

Also, when it says "The port can never become a root port that would normally only receive BPDUs", what does this mean? Can someone please explain it to me in detail?

Thanks

mahesh


Peter Paluch
Cisco Employee

Hello Mahesh,

"In essence root guard designates that a port can only relay BPDUs and not receive them. The port can never become a root port that would normally only receive BPDUs."

That statement is incorrect. The BPDU Root Guard prevents a port from becoming a root port but it does not prevent it from becoming any other port - Designated Forwarding, Alternate/Backup Discarding. Thus, even a Root Guard-protected port can receive BPDUs without triggering the BPDU Root Guard. The Root Guard is triggered only if the incoming BPDU is objectively superior and would cause the port to become the root port.

A protection that is triggered whenever a port receives a BPDU is the BPDU Guard, not the BPDU Root Guard.

Best regards,

Peter

Hi Peter,

Thanks for replying.

Could you please explain this to me in detail?

"A protection that is triggered whenever a port receives a BPDU is the BPDU Guard, not the BPDU Root Guard"

Also, the Cisco book says that when a root guard enabled port receives a better BPDU, the port transitions to a special STP state, root-inconsistent, which is the same as the listening state.

mahesh

Hi Mahesh,

"Could you please explain this to me in detail?"

"A protection that is triggered whenever a port receives a BPDU is the BPDU Guard, not the BPDU Root Guard"

I wanted to emphasize that there are two protections similar in their names but different in their actions: the BPDUGuard and the BPDU Root Guard. The BPDU Root Guard prevents a port from becoming a root port - if it receives a superior BPDU then it is moved to Root inconsistent state.

The BPDUGuard is a different feature: it moves a port to the err-disabled state whenever it receives any BPDU, inferior or superior. It is a rather strong protection against connecting a switch to the port where only an end station is supposed to be connected.

"Also, the Cisco book says that when a root guard enabled port receives a better BPDU, the port transitions to a special STP state, root-inconsistent, which is the same as the listening state."

I would have to confirm this. My understanding has always been that the state is similar to Blocking, not to the Listening state.

In the meantime, please read the following document for more info:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

Best regards,

Peter
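The distinction drawn in the reply above, as an added example that is not part of the original thread: a simplified Python model of how a designated port reacts to one received BPDU under Root Guard versus BPDU Guard. The names `Bpdu`, `port_reaction` and `compare_guards` are hypothetical; the bridge IDs come from the lab output later in this thread, while the neighbour port IDs and the inferior BPDU are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """STP priority vector; compared field by field in this order, lower wins."""
    root_priority: int
    root_mac: str         # lowercase dotted hex: string order equals numeric order
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str
    port_id: int


def port_reaction(advertised, received, root_guard=False, bpdu_guard=False):
    """State of a designated port after hearing one BPDU from its neighbour.

    advertised is the vector the port itself sends; received is what it heard.
    Simplified model: timers and the other ports of the switch are ignored.
    """
    if bpdu_guard:
        return "err-disabled"           # any BPDU, inferior or superior
    if received < advertised:           # neighbour's vector is superior
        return "root-inconsistent" if root_guard else "root-or-alternate"
    return "designated-forwarding"      # inferior BPDU: counted, then ignored


# Bridge IDs from the lab output in this thread; the neighbour port IDs
# and the whole INFERIOR vector are constructed for the example.
LOCAL = Bpdu(32769, "0017.9446.b300", 0, 32769, "0017.9446.b300", 0x8003)
SUPERIOR = Bpdu(4097, "0017.0ebb.3480", 0, 4097, "0017.0ebb.3480", 0x8001)
INFERIOR = Bpdu(36865, "0200.0000.0001", 0, 36865, "0200.0000.0001", 0x8001)


def compare_guards():
    """Reaction of each protection to an inferior and a superior BPDU."""
    return {
        (guard, name): port_reaction(LOCAL, bpdu, **{guard: True})
        for guard in ("root_guard", "bpdu_guard")
        for name, bpdu in (("inferior", INFERIOR), ("superior", SUPERIOR))
    }


if __name__ == "__main__":
    for key, state in compare_guards().items():
        print(key, "->", state)
```

A non-zero received counter on a Root Guard port that is still designated forwarding, as in the question's output, corresponds to the inferior case here.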

Hello Mahesh,

I have confirmed that the Root-inconsistent state is analogous to the Blocking/Discarding state, not to the Listening state as your book incorrectly claims.

Please observe the following commented output.


Switch(config)#do show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0017.0ebb.3480
             Cost        19
             Port        3 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9446.b300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.3    P2p


Switch(config)#int fa0/1
Switch(config-if)#span guard root ! The BPDU Root Guard is activated on Fa0/1
Switch(config-if)#
*Mar  1 00:12:14.321: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/1.
*Mar  1 00:12:14.833: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0001.
Switch(config-if)#
Switch(config-if)#do show span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0017.9446.b300
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9446.b300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg BKN*19        128.3    P2p *ROOT_Inc


Switch(config-if)#do show span int fa0/1 detail
Port 3 (FastEthernet0/1) of VLAN0001 is broken  (Root Inconsistent)
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32769, address 0017.9446.b300
   Designated bridge has priority 32769, address 0017.9446.b300
   Designated port id is 128.3, designated path cost 0
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 8, received 156
Switch(config-if)#
Switch(config-if)#do show span blocked

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0001             Fa0/1

Number of blocked ports (segments) in the system : 1

Switch(config-if)#
Switch(config-if)#do debug span events
Spanning Tree event debugging is on
Switch(config-if)#
*Mar  1 00:15:17.839: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1
*Mar  1 00:15:17.839:     supersedes 32769-0017.9446.b300
*Mar  1 00:15:19.844: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1
*Mar  1 00:15:19.844:     supersedes 32769-0017.9446.b300span bpdu
*Mar  1 00:15:21.840: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1
*Mar  1 00:15:21.840:     supersedes 32769-0017.9446.b300filter enable
*Mar  1 00:15:23.837: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1
*Mar  1 00:15:23.837:     supersedes 32769-0017.9446.b300
Switch(config-if)#span bpdufilter enable
Switch(config-if)#
*Mar  1 00:15:25.850: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1
*Mar  1 00:15:25.850:     supersedes 32769-0017.9446.b300
*Mar  1 00:15:45.857: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/1 on VLAN0001.
*Mar  1 00:15:45.857: STP: VLAN0001 Fa0/1 -> listening
*Mar  1 00:16:00.864: STP: VLAN0001 Fa0/1 -> learning
*Mar  1 00:16:15.871: STP[1]: Generating TC trap for port FastEthernet0/1
*Mar  1 00:16:15.871: STP: VLAN0001 Fa0/1 -> forwarding

What I have done here is that I have connected the switch via its Fa0/1 port to another switch currently configured with a lower STP priority (4096). Initially, my switch elected its Fa0/1 as the root port. After I activated the BPDU Root Guard feature on the Fa0/1, it was immediately moved to the Root Inconsistent Broken (BKN) state. This state is equivalent to the Blocking state - the show span blocked command considers the port to be blocked, and even more importantly, after I activated the BPDUFilter on the port to ignore any further received BPDUs (to simply emulate the situation that the opposing switch stops advertising itself as the root), it takes 20 seconds (from 00:15:25 to 00:15:45) for the Fa0/1 to move to listening state, clearly indicating that it must have been placed into the Blocking state.

From this I conclude that every document stating that the Root Inconsistent state is equivalent to the Listening state is in error.

Best regards,

Peter
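The timing argument in the post above can be checked mechanically. This added example, which is not part of the original post, parses the Root Guard syslog and STP debug lines and measures each phase of the recovery; the log lines are copied from the post, and the helper names `parse` and `recovery_timeline` are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the post above.
LOG = [
    "*Mar  1 00:12:14.833: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/1 on VLAN0001.",
    "*Mar  1 00:15:23.837: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1",
    "*Mar  1 00:15:25.850: STP: VLAN0001 heard root  4097-0017.0ebb.3480 on Fa0/1",
    "*Mar  1 00:15:45.857: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/1 on VLAN0001.",
    "*Mar  1 00:15:45.857: STP: VLAN0001 Fa0/1 -> listening",
    "*Mar  1 00:16:00.864: STP: VLAN0001 Fa0/1 -> learning",
    "*Mar  1 00:16:15.871: STP: VLAN0001 Fa0/1 -> forwarding",
]

STAMP = re.compile(r"^\*?(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d\.\d+):\s+(.*)$")
KINDS = {
    "ROOTGUARD_BLOCK": "block",
    "ROOTGUARD_UNBLOCK": "unblock",
    "heard root": "heard",
    "-> listening": "listening",
    "-> learning": "learning",
    "-> forwarding": "forwarding",
}


def parse(line):
    """Return (timestamp, event kind) for a recognised line, else None."""
    m = STAMP.match(line)
    if not m:
        return None
    month, day, clock, message = m.groups()
    # The log carries no year; a fixed placeholder year keeps strptime exact.
    when = datetime.strptime(f"2000 {month} {day} {clock}", "%Y %b %d %H:%M:%S.%f")
    for needle, kind in KINDS.items():
        if needle in message:
            return when, kind
    return None


def recovery_timeline(lines):
    """Whole seconds between the last superior BPDU and each later transition."""
    last = {}
    for when, kind in filter(None, map(parse, lines)):
        last[kind] = when               # keep the latest occurrence of each kind

    def gap(start, end):
        return round((last[end] - last[start]).total_seconds())

    return {
        "blocked_after_last_bpdu": gap("heard", "unblock"),
        "listening": gap("listening", "learning"),
        "learning": gap("learning", "forwarding"),
    }
```

The three intervals line up with the Max Age 20 sec and Forward Delay 15 sec values shown in the `show span` output.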

Stars for all that extra mile, Peter.

Regards,

Kishore

Kishore,

That is very kind of you. Thank you!

Best regards,

Peter

Hi Peter,

Many thanks for such a great explanation.

You tested this in the lab. That's great.

Best regards

Mahesh
