07-12-2023 01:18 AM
Hello everyone,
We are receiving these messages on our root switch, which has a port connected to another company:
Jul 12 10:34:33: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
Jul 12 10:36:14: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port Port-channel30.
Jul 12 10:37:30: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
Is it feasible to configure root guard on this port? Or is there any other way to protect our STP?
07-12-2023 01:30 AM
Hi @fgasimzade
Root guard will only prevent Port channel 30 from becoming a root port.
The best approach in this case is to force your switch to be the root on vlan 734.
spanning-tree vlan 734 root primary
07-12-2023 02:09 AM
I suggest @Flavio Miranda's approach.
Root guard will only prevent Port channel 30 from becoming a root port.
The best approach in this case is to force your switch to be the root on vlan 734.
spanning-tree vlan 734 root primary
07-12-2023 01:29 AM
Your config with Root guard is correct; it protects and makes your SW always be elected as Root (and hence keeps your virtual topology as it is).
What you need, instead of disabling this feature, is to make the other company's SW priority less than your company's Root priority.
07-12-2023 01:31 AM
Hello @fgasimzade,
Yes, it is feasible to configure root guard on the port connected to another company to protect your STP. Root guard is a feature that prevents unauthorized switches from becoming the root bridge in the network and helps to maintain the stability and integrity of your STP.
By enabling root guard on the port, you can ensure that the designated port on your switch does not receive superior BPDUs that claim to be the root bridge for a particular VLAN. This will prevent any unauthorized switches from taking control of the root bridge role and potentially causing disruptions in your network.
To configure root guard on the port, you need to access the switch's configuration mode and enter the interface configuration for the port in question. Within the interface configuration, you can enable root guard using the command spanning-tree guard root. This command enables root guard on that specific interface and helps protect the spanning tree by blocking any inconsistent superior BPDUs received on that port.
In addition to root guard, you can also consider implementing other STP protection mechanisms such as BPDU guard, BPDU filter, and loop guard. These mechanisms provide additional layers of protection to safeguard your spanning tree topology from potential issues or attacks.
https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
07-12-2023 01:49 AM
Hello,
Currently we have no root guard configured on the switch on this port. Please note that this switch is our Root. So is it basically feasible to configure this port with root guard, taking into account that this switch is Root?
07-12-2023 02:23 AM
Did you try this config or not? Did you succeed?
I think it will not work.
But let me see if I am right.
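An added example (not from any poster in this thread): Python that parses the %SPANTREE-2-PVSTSIM_FAIL and %SPANTREE-2-PVSTSIM_OK messages quoted in the opening post, tracks how long each port stayed blocked, and splits the claimed root's priority into its configured part and its VLAN extension. Assumptions: the number before the colon in "claiming root" is the 16-bit bridge priority field, the year is 2023 (the log lines carry none), and all function names are chosen here for illustration.

```python
import re
from datetime import datetime

# The three messages quoted in the opening post, copied verbatim.
SAMPLE = """\
Jul 12 10:34:33: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
Jul 12 10:36:14: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port Port-channel30.
Jul 12 10:37:30: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:]{8}): %SPANTREE-2-PVSTSIM_"
FAIL = re.compile(TS + r"FAIL: .*? port (?P<port>\S+): .*? on VLAN (?P<vlan>\d+), "
                  r"claiming root (?P<prio>\d+):(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})")
OK = re.compile(TS + r"OK: .*? on port (?P<port>[^\s.]+)")

def short_port(name):
    # The FAIL line says "Po30", the OK line "Port-channel30": use one key for both.
    return re.sub(r"^Port-channel", "Po", name)

def decode_priority(value):
    # Assumption: value is the 16-bit bridge priority field with extended system ID.
    # Upper 4 bits: configured priority (multiple of 4096); lower 12 bits: VLAN ID.
    return value & 0xF000, value & 0x0FFF

def summarize(text, year=2023):
    # year is an assumption; these syslog timestamps do not include one.
    ports = {}
    for line in text.splitlines():
        fail, ok = FAIL.match(line), OK.match(line)
        hit = fail or ok
        if not hit:
            continue
        when = datetime.strptime(f"{year} {hit['ts']}", "%Y %b %d %H:%M:%S")
        s = ports.setdefault(short_port(hit["port"]), {
            "fails": 0, "blocked": False, "since": None, "blocked_secs": [], "roots": set()})
        if fail:
            s["fails"] += 1
            s["roots"].add((int(fail["vlan"]), *decode_priority(int(fail["prio"])), fail["mac"]))
            if not s["blocked"]:
                s["blocked"], s["since"] = True, when
        elif s["blocked"]:
            s["blocked_secs"].append(int((when - s["since"]).total_seconds()))
            s["blocked"] = False
    return ports

if __name__ == "__main__":
    for port, s in summarize(SAMPLE).items():
        print(port, s)
```

Each entry in "roots" is (VLAN, configured priority, system ID extension, MAC); a port whose "blocked" flag is still True at the end of the log has an uncleared PVST simulation inconsistency.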