05-29-2010 01:20 PM - edited 03-06-2019 11:20 AM
Hello,
I’m working on a L2 compartment on which I have enabled Root Guard
Switches 1, 2, 3 and 4 are Catalyst 6500
Switches 5 and 6 are third party switches.
Switch 1 is root of the first MSTP instance.
Switch 2 is root of the second MSTP instance.
I want to protect the “main loop” (switches 1, 2, 3 and 4), and I don’t want switch 5 or 6 to become STP root.
So I’ve enabled root guard (the red points on the map).
Maybe the link speeds seem strange, but they are required (there is a lot of bandwidth needed between switches 1, 2, 5, 6, on a specific VLAN).
According to the default MSTP costs, Sw1 Port-Channel 1 and Sw2 Port-Channel 1 are the root ports.
Unfortunately, the root guard protected ports are moving to the root-inconsistent STP state.
Do you have an idea why?
Is it because switch 1 is receiving BPDU from switch2, but on the following path: Sw2 -> sw6 -> Sw5 -> sw1?
Any recommendation to solve this issue?
Thanks in advance,
Jeremie
05-29-2010 02:10 PM
Hi Jeremie,
This happens, because you have multiple ports connecting switch 1 and switch 2 together.
The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.
Have a look at this document for more info:
https://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
Question:
Why do you have multiple 1Gig ports connecting switches 5 and 6 to 1 and 2 but only a single 1Gig from 1 and 2 to 3 and 4. Seems like a choke point
HTH
Reza
05-29-2010 09:19 PM
Hi Jeremie,
It can be possible that the port where you have enabled root guard is not a designated port. As Reza pointed out correctly, root guard needs to be enabled on root bridges where all your ports are designated ports.
Check out the spanning tree status on both switches for the bridge and port roles and then enable root guard on these switches. If not a root bridge, then make these switches the root bridge by tuning the priority of the bridges.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
05-30-2010 02:19 AM
Hello Reza, Ganesh,
Thanks for your answers.
Yes, I've read the Spanning Tree Protocol Root Guard Enhancement paper from Cisco, and, in fact, I've setup Root Guard following the reading of this document.
Yes Reza, the design is a little weird.
There are DWDM links between the 2 buildings, that is why the links between sw1 – sw3 and sw2 – sw4 are only 1G. The bandwidth is higher between switches 1, 2, 5 and 6 because of high bandwidth needs for servers connected to these switches, on a specific VLAN.
“Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.”
As mentioned, I run MSTP, and Switch 1 is root of the first MSTP instance; Switch 2 is root of the second MSTP instance. I set low bridge priorities to ensure this on the switches. So... I have 2 roots.
From my understanding, switch 1 Po2 should not be the root port.
According to MSTP default costs (10G: 2000; 4G: 5000; 2G: 10,000; 1G: 20,000):
Switch1 is receiving BPDU from switch2 (root of the second MSTP instance) from both Po1 and Po2.
From Po1, it should receive BPDU with a cost of 0.
From Po2, it should receive BPDU with a cost of 5000+2000 = 7000
So Po1 should be the RP.
But from my understanding sw2 BPDU can be received from sw1 po1 and Po2, because of the loop.
Does that mean we should not use Root Guard on a port if there is a loop (that is to say another path to the Root bridge)? The Cisco paper example is not showing an example with a loop (if there were 2 links to their switch D, for instance).
In your opinion, how can I prevent the third party switches from becoming root, in this situation?
Thanks in advance,
Jeremie
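The root-port election and root-guard check discussed in this thread, modelled as a small priority-vector comparison. This is an added example, not code from the thread or from Cisco; the MST costs are the ones quoted above, while the bridge IDs, port IDs and the 4G speed assumed for Sw1 Po2 are constructed assumptions.

```python
# Added example: 802.1Q-style priority vectors for MST instance 2 (root = Sw2),
# used to show when root guard moves a port to root-inconsistent.
# Costs are the MST defaults quoted in the thread; IDs and link speeds are assumed.
from dataclasses import dataclass

MST_COST = {"10G": 2000, "4G": 5000, "2G": 10000, "1G": 20000}

@dataclass(frozen=True, order=True)
class Vector:
    """Priority vector carried in a BPDU; the lower tuple is the better one."""
    root_id: int         # bridge priority + MAC, flattened to one integer
    root_path_cost: int  # sender's accumulated cost to the root
    sender_id: int
    sender_port: int

# Constructed bridge IDs for instance 2 (Sw2 has the lowest priority).
SW2, SW1, SW5 = 4098, 8193, 32773

def root_port(received):
    """received: {port: (bpdu, link_speed)}. Returns (port, own root path
    cost) for the port whose BPDU is best once the local port cost is added."""
    best_port, best = None, None
    for port, (bpdu, speed) in received.items():
        v = Vector(bpdu.root_id, bpdu.root_path_cost + MST_COST[speed],
                   bpdu.sender_id, bpdu.sender_port)
        if best is None or v < best:
            best_port, best = port, v
    return best_port, best.root_path_cost

def root_guard(own_designated, received_bpdu):
    """Root guard keeps a port designated: if the BPDU arriving on it is
    superior to the one this bridge would send there, the port is blocked as
    root-inconsistent instead of becoming a root or alternate port."""
    return "root-inconsistent" if received_bpdu < own_designated else "designated"

def sw1_instance2():
    """Sw1's view with the thread's figures: Sw2's BPDU at cost 0 on Po1 (10G)
    and the same root at cost 5000+2000 = 7000 via Sw5 on Po2 (assumed 4G)."""
    bpdus = {"Po1": (Vector(SW2, 0, SW2, 1), "10G"),
             "Po2": (Vector(SW2, 7000, SW5, 1), "4G")}
    rp, own_cost = root_port(bpdus)
    own_po2 = Vector(SW2, own_cost, SW1, 2)  # what Sw1 would send on Po2
    return rp, own_cost, root_guard(own_po2, bpdus["Po2"][0])

def po2_state(received_root_id, received_cost):
    """Same guarded port, varying what the neighbour advertises."""
    own_po2 = Vector(SW2, 2000, SW1, 2)
    return root_guard(own_po2, Vector(received_root_id, received_cost, SW5, 1))
```

With the costs as stated, Po1 wins the election and Po2 stays designated, so seeing Sw2's BPDU on both ports does not by itself trip root guard; the port only goes root-inconsistent when the neighbour advertises a better root (the case root guard is meant for) or a lower cost to the same root than Sw1's own.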