Root guard issue

jerem38
Level 1

Hello,

I’m working on a L2 compartment on which I have enabled Root Guard

nw-design.jpg

Switches 1, 2, 3 and 4 are Catalyst 6500

Switches 5 and 6 are third party switches.

Switch 1 is root of the first MSTP instance.

Switch 2 is root of the second MSTP instance.

I want to protect the “main loop” (switches 1, 2, 3 and 4), and I don’t want switch 5 or 6 to become STP root.

So I’ve enabled root guard (the red points on the map).

Maybe the link speeds seem strange, but they are required (there are a lot of bandwidth needs between switches 1, 2, 5 and 6 on a specific VLAN).

According to the default MSTP costs, Sw1 Port-Channel 1 and Sw2 Port-Channel 1 are the root ports.

Unfortunately, the root guard protected ports are moving to the root-inconsistent STP state.

Do you have an idea why?

Is it because switch 1 is receiving BPDUs from switch 2, but on the following path: Sw2 -> Sw6 -> Sw5 -> Sw1?

Any recommendation to solve this issue?

Thanks in advance,

Jeremie

3 Replies

Reza Sharifi
Hall of Fame

Hi Jeremie,

This happens, because you have multiple ports connecting switch 1 and switch 2 together.

The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

Have a look at this document for more info:

https://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

Question:

Why do you have multiple 1Gig ports connecting switches 5 and 6 to 1 and 2, but only a single 1Gig from 1 and 2 to 3 and 4? Seems like a choke point.

HTH

Reza

Ganesh Hariharan
VIP Alumni

Hi Jeremie,

It can be possible that the port where you have enabled root guard is not a designated port. As Reza pointed out correctly, root guard needs to be enabled on root bridges where all your ports are designated ports.

Check out the spanning tree status on both switches for the bridge and port roles, and then enable root guard on these switches. If they are not root bridges, then make these switches the root bridges by tuning the priority of the bridges.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

jerem38
Level 1

Hello Reza, Ganesh,

Thanks for your answers.

Yes, I've read the Spanning Tree Protocol Root Guard Enhancement paper from Cisco, and, in fact, I've setup Root Guard following the reading of this document.

Yes Reza, the design is a little weird.

There are DWDM links between the 2 buildings, that is why the links between sw1 – sw3 and sw2 – sw4 are only 1G. The bandwidth is higher between switches 1, 2, 5 and 6 because of high bandwidth needs for servers connected to these switches, on a specific VLAN.

“Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.”

As mentioned, I run MSTP, and Switch 1 is root of the first MSTP instance; Switch 2 is root of the second MSTP instance. I set low bridge priorities to ensure this on the switches. So... I have 2 roots.

From my understanding, switch 1 Po2 should not be the root port.

According to MSTP default costs (10G: 2000; 4G: 5000; 2G: 10000; 1G: 20000):

Switch 1 is receiving BPDUs from switch 2 (root of the second MSTP instance) on both Po1 and Po2.

From Po1, it should receive BPDUs with a cost of 0.

From Po2, it should receive BPDUs with a cost of 5000 + 2000 = 7000.

So Po1 should be the RP.

But from my understanding, sw2 BPDUs can be received on sw1 Po1 and Po2, because of the loop.

Does that mean we should not use Root Guard on a port if there is a loop (that is to say another path to the Root bridge)? The Cisco paper example is not showing an example with a loop (if there were 2 links to their switch D, for instance).

In your opinion, how can I prevent the third party switches from becoming root, in this situation?

Thanks in advance,

Jeremie
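The root-port election jerem38 works through above, as an added example that is not part of the thread: a small Python model of the MSTP priority-vector comparison (root ID, root path cost, sender bridge ID, sender port ID; receiver adds its ingress port cost) with Cisco's root-guard rule layered on top, namely that a guarded port must stay designated or it goes root-inconsistent and its BPDU is ignored. The Po1 (10G) and Po2 (4G) speeds, the toy bridge IDs and the Sw5 port number are assumptions; the 7000 relayed cost is the one from the post.

```python
from collections import namedtuple
# Recommended MSTP/RSTP port path costs, as quoted in the thread.
MSTP_COST = {"10G": 2000, "4G": 5000, "2G": 10000, "1G": 20000}

# 802.1 priority vector; tuple ordering means lower is better.
Vector = namedtuple("Vector", "root_id root_cost bridge_id port_id")

def port_roles(bridge_id, received):
    """{port: (neighbour BPDU vector, ingress port cost)} -> {port: role}; receiver adds port cost."""
    root_port, root = None, Vector(bridge_id, 0, bridge_id, 0)
    for port, (v, cost) in received.items():
        cand = Vector(v.root_id, v.root_cost + cost, v.bridge_id, v.port_id)
        if cand < root:
            root_port, root = port, cand
    roles = {}
    for port, (v, _) in received.items():
        if port == root_port:
            roles[port] = "root"
        else:  # designated only if what we would send beats what we hear
            ours = Vector(root.root_id, root.root_cost, bridge_id, port)
            roles[port] = "designated" if ours < v else "alternate"
    return roles

def root_guard(bridge_id, received, guarded):
    """Root guard keeps a port designated: a guarded port that would become
    root or alternate goes root-inconsistent and its BPDU is no longer used."""
    active, inconsistent = dict(received), set()
    while True:
        roles = port_roles(bridge_id, active)
        bad = {p for p, r in roles.items() if p in guarded and r != "designated"}
        if not bad:
            break
        inconsistent |= bad
        for p in bad:
            del active[p]
    roles.update({p: "root-inconsistent" for p in inconsistent})
    return roles

# Constructed MSTI-2 scenario (Sw2 is root); bridge IDs are toy ints, lower is better.
SW1, SW2, SW5, PO1, PO2 = 0x2001, 0x1002, 0x8005, 1, 2

def sw1_view(po1_up=True, sw5_claims_root=False):
    """Sw1 with root guard on Po2. Assumed speeds: Po1 to Sw2 10G, Po2 to Sw5 4G.
    Sw5 normally relays Sw2's BPDU at the 7000 root path cost worked out in the thread."""
    received = {}
    if po1_up:
        received[PO1] = (Vector(SW2, 0, SW2, 1), MSTP_COST["10G"])
    sw5 = Vector(0x0005, 0, 0x0005, 3) if sw5_claims_root else Vector(SW2, 7000, SW5, 3)
    received[PO2] = (sw5, MSTP_COST["4G"])
    return root_guard(SW1, received, guarded={PO2})
```

With both paths up, Po2 stays designated and root guard does nothing, while a third-party switch claiming root on Po2 is blocked as intended; the `po1_up=False` case is the caveat behind the question, since a guarded port that becomes the only path to the root is blocked instead of becoming the root port, which is why root guard belongs only on ports that must never lead toward the root.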
