Root Guard on root switch

fgasimzade
Level 4

Hello everyone,

We are receiving these messages on our root switch, which has a port connected to another company:

Jul 12 10:34:33: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
Jul 12 10:36:14: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port Port-channel30.
Jul 12 10:37:30: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740

Is it feasible to configure root guard on this port? Or is there any other way to protect our STP?
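
An added example, not part of the original post and not Cisco tooling: a Python sketch that pairs the PVSTSIM_FAIL and PVSTSIM_OK messages quoted above per port, counts how often the port flaps, and decodes the root ID the neighbor is claiming. It assumes the number before the colon in "claiming root" is the 16-bit bridge priority field (4-bit base priority plus 12-bit extended system ID); the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three syslog lines quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = """\
Jul 12 10:34:33: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
Jul 12 10:36:14: %SPANTREE-2-PVSTSIM_OK: PVST Simulation inconsistency cleared on port Port-channel30.
Jul 12 10:37:30: %SPANTREE-2-PVSTSIM_FAIL: Blocking designated port Po30: Inconsitent superior PVST BPDU received on VLAN 734, claiming root 734:7cad.7491.f740
"""

FAIL_RE = re.compile(
    r"%SPANTREE-2-PVSTSIM_FAIL: Blocking \S+ port (?P<port>\S+): .*?"
    r"received on VLAN (?P<vlan>\d+), claiming root (?P<prio>\d+):(?P<mac>[0-9a-f.]+)")
OK_RE = re.compile(r"%SPANTREE-2-PVSTSIM_OK: .* cleared on port (?P<port>\S+?)\.?$")


def norm_port(name):
    """Map the long interface form (Port-channel30) onto the short one (Po30)."""
    return re.sub(r"^Port-channel", "Po", name)


def summarize(log_text):
    """Return {port: summary} for every port with PVST simulation events."""
    ports = defaultdict(lambda: {"fails": 0, "clears": 0, "blocked": False, "claims": set()})
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            p = ports[norm_port(m["port"])]
            prio = int(m["prio"])
            p["fails"] += 1
            p["blocked"] = True
            # Assumption: top 4 bits are the base priority, low 12 bits the
            # extended system ID (normally the VLAN number).
            p["claims"].add((int(m["vlan"]), prio & 0xF000, prio & 0x0FFF, m["mac"]))
        elif m := OK_RE.search(line):
            p = ports[norm_port(m["port"])]
            p["clears"] += 1
            p["blocked"] = False
    return dict(ports)


if __name__ == "__main__":
    for port, s in summarize(SAMPLE_LOG).items():
        state = "still blocked" if s["blocked"] else "forwarding"
        print(f"{port}: {s['fails']} failures, {s['clears']} clears, {state}")
        for vlan, base, ext, mac in sorted(s["claims"]):
            print(f"  VLAN {vlan}: neighbor claims root {mac}, base priority {base}, ext ID {ext}")
```

A port whose failure count keeps growing with the same claimed root MAC points at a neighbor that persistently advertises a superior bridge ID, rather than a one-off event.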

 

6 Replies

Your config with Root guard is correct; it protects your SW and makes it always get elected as Root (and hence keeps your virtual topology as it is).
What you need, instead of disabling this feature, is to make the other company's SW priority less than your company's Root priority.

Hello @fgasimzade,

Yes, it is feasible to configure root guard on the port connected to another company to protect your STP. Root guard is a feature that prevents unauthorized switches from becoming the root bridge in the network and helps to maintain the stability and integrity of your STP.

By enabling root guard on the port, you can ensure that the designated port on your switch does not receive superior BPDUs that claim to be the root bridge for a particular VLAN. This will prevent any unauthorized switches from taking control of the root bridge role and potentially causing disruptions in your network.

To configure root guard on the port, you need to access the switch's configuration mode and enter the interface configuration for the port in question. Within the interface configuration, you can enable root guard using the command spanning-tree guard root. This command enables root guard on that specific interface and helps protect the spanning tree by blocking any inconsistent superior BPDUs received on that port.

In addition to root guard, you can also consider implementing other STP protection mechanisms such as BPDU guard, BPDU filter, and loop guard. These mechanisms provide additional layers of protection to safeguard your spanning tree topology from potential issues or attacks.

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

Best regards

Hello,

Currently we have no root guard configured on the switch on this port. Please note that this switch is our Root. So is it basically feasible to configure this port with root guard, taking into account that this switch is Root?

@fgasimzade,

I suggest you use @Flavio Miranda's approach.

 Root guard will only prevent Port channel 30 from becoming a root port.
 The best approach in this case is to force your switch to be the root on VLAN 734.
 spanning-tree vlan 734 root primary
Best regards

Hi @fgasimzade 

 Root guard will only prevent Port channel 30 from becoming a root port.

 The best approach in this case is to force your switch to be the root on VLAN 734.

 spanning-tree vlan 734 root primary

Did you try this config or not? Did you succeed?

I think it will not work.

But let me see if I am right.
