
spanning-tree guard root command blocked trunk port

mahesh18
Level 6

Hi all,

I enabled spanning-tree guard root on 2950 trunk port fa0/8, which connects to layer 3 switch 3550SMI, as below:

2950T#sh run int fa0/8
Building configuration...

Current configuration : 146 bytes
!
interface FastEthernet0/8
description Dynamic desirable Trunk connection to Switch 3550
speed 100
duplex half
spanning-tree guard root*******************
end

==============================

Once I did that, I was unable to telnet or ping to switch 2950T from the layer 3 switch. It was showing as a CDP neighbor:

3550SMI#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
2950T            Fas 0/8           151           S I      WS-C2950T Fas 0/8

3550SMI#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On the layer 3 switch, port fa0/8 is shown as forwarding:

3550SMI#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p Peer(STP)

But on the layer 2 switch, port fa0/8 is shown up up connected, but in blocking state:

2950T#sh spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     000b.bece.bbc0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bece.bbc0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/8            Desg BKN*19        128.8    Shr *ROOT_Inc

--------logs from layer 2 switch

May 18 17:11:27.984 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled
on port FastEthernet0/8.
May 18 17:11:28.100 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port F
astEthernet0/8 on VLAN0010.

Can anyone tell me why, after enabling spanning-tree guard root on the layer 2 trunk port, it put the port in blocking state? I was thinking that spanning-tree guard root is used to stop STP re-elections when someone puts a rogue switch on the network?

many thanks

mahesh
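
Why the 2950 blocked Fa0/8, as an added example that is not part of the original post: root guard moves a port to the root-inconsistent state when a BPDU arriving on it advertises a better root than the one the switch currently accepts, and the 3550's VLAN 10 bridge ID above is better than the 2950's. The function names and the single-uplink simplification are this example's own; the bridge IDs are trimmed from the two outputs in the post.

```python
import re

# Trimmed from the two "sh spanning-tree vlan 10" outputs in the post above.
OUT_3550 = """\
  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000d.28bc.fd80
"""
OUT_2950 = """\
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.bece.bbc0
"""

def bridge_id(show_output):
    """Return (priority, mac_as_int) parsed from the 'Bridge ID' stanza."""
    m = re.search(r"Bridge ID\s+Priority\s+(\d+).*?\n\s+Address\s+([0-9a-f.]+)",
                  show_output)
    if not m:
        raise ValueError("no Bridge ID stanza found")
    return int(m.group(1)), int(m.group(2).replace(".", ""), 16)

def root_guard_verdict(current_root, received_root, guard_enabled):
    """Port outcome when a BPDU naming received_root arrives (one uplink assumed).

    The lower (priority, MAC) pair wins the root election, so a 'superior'
    BPDU is one whose root ID compares lower than the root the switch holds.
    """
    superior = received_root < current_root
    if superior and guard_enabled:
        return "root-inconsistent"  # shown as BKN* ... *ROOT_Inc
    if superior:
        return "root-port"          # neighbor accepted as the root
    return "designated"             # inferior BPDU: port keeps forwarding

def explain():
    sw3550, sw2950 = bridge_id(OUT_3550), bridge_id(OUT_2950)
    return {
        # Guard on the 2950 uplink, which faces the real root (the post's config).
        "2950 guard on": root_guard_verdict(sw2950, sw3550, True),
        "2950 guard off": root_guard_verdict(sw2950, sw3550, False),
        # Guard on the root's downlink instead: the 2950's BPDU is inferior.
        "3550 guard on": root_guard_verdict(sw3550, sw2950, True),
    }

if __name__ == "__main__":
    for case, verdict in explain().items():
        print(f"{case}: {verdict}")
```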


Hi Jon

Thanks again for the reply.

On the 3550 switch, I made it root for VLANs 10, 20 and 30.

VLAN 1 on the 3550 is admin down down.

Then I configured two trunk ports on the 3550 with root guard; they go to the 2 layer 2 switches, as shown below:

3550SMI#sh run int fa0/8
Building configuration...

Current configuration : 215 bytes
!
interface FastEthernet0/8
description Dynamic Desirable Trunk connection to Switch 2950T
switchport mode dynamic desirable
speed 100
duplex full
spanning-tree bpduguard disable
spanning-tree guard root
end

3550SMI#sh run int fa0/13
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0/13
description Dynamic auto  to Switch 2950T2
switchport mode dynamic auto
spanning-tree bpduguard disable
spanning-tree guard root

Once I did that, I got this message in the logs of the 3550:

May 21 12:09:42.933 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled
on port FastEthernet0/8.
May 21 12:09:44.161 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port F
astEthernet0/8 on VLAN0001.*******************************blocking

Then I configured VLAN 1 on switch 3550 as root primary, as shown below, and the status of fa0/8 changed to forwarding:

3550SMI#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     000d.28bc.fd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000d.28bc.fd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/8               Desg FWD 19        128.8    P2p
Gi0/2               Back BLK 4         128.26   P2p

Then the messages in the logs of the 3550 changed, as shown below:

May 21 12:10:20.206 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking po
rt FastEthernet0/8 on VLAN0001.
May 21 12:10:38.690 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard disable
d on port FastEthernet0/8.

My question is: although VLAN 1 on the 3550 is admin down down, why does trunk port fa0/8 still use VLAN 1?

Is it because it is the native VLAN?

Can you explain this to me, please?

thanks

mahesh
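
Tracking root guard state from the syslog messages quoted in the two posts above, as an added example that is not part of the original thread: it rejoins the 80-column console wrap seen in those logs and pairs each ROOTGUARD_BLOCK with its ROOTGUARD_UNBLOCK per port and VLAN. The function names are this example's own, and the timestamp layout is assumed to match the lines on this page.

```python
import re

# Console logs copied from the two posts above, 80-column wrap included.
LOG_2950 = """\
May 18 17:11:27.984 MST: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled
on port FastEthernet0/8.
May 18 17:11:28.100 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port F
astEthernet0/8 on VLAN0010.
"""
LOG_3550 = """\
May 21 12:09:44.161 MST: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port F
astEthernet0/8 on VLAN0001.
May 21 12:10:20.206 MST: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking po
rt FastEthernet0/8 on VLAN0001.
"""
START = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")
EVENT = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:.]+) \w+: %SPANTREE-2-ROOTGUARD_(?P<kind>BLOCK|UNBLOCK): "
    r"Root guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)\.")

def unwrap(raw):
    """Rejoin messages the console split at column 80; no space is re-inserted."""
    msgs = []
    for line in raw.splitlines():
        if START.match(line) or not msgs:
            msgs.append(line)
        else:
            msgs[-1] += line
    return msgs

def track(raw):
    """Return (still_blocked, cleared): ports root guard holds, and past episodes."""
    blocked, cleared = {}, []
    for msg in unwrap(raw):
        m = EVENT.match(msg)
        if not m:
            continue  # CONFIG_CHANGE and unrelated messages carry no port state
        key = (m["port"], m["vlan"])
        if m["kind"] == "BLOCK":
            blocked.setdefault(key, m["ts"])
        elif key in blocked:
            cleared.append((*key, blocked.pop(key), m["ts"]))
    return blocked, cleared

if __name__ == "__main__":
    for name, log in (("2950T", LOG_2950), ("3550SMI", LOG_3550)):
        print(name, track(log))
```

A port left in the first dictionary is still root-inconsistent, which on an access or downlink port means a neighbor is advertising a better root than the one the switch accepts.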

Mahesh

VLAN 1 will always be on trunk links even if you shut down the SVI and clear it off trunks. So that is why you saw that message.

Jon

Hi Jon

Thanks once again.

Best regards

mahesh
