12-16-2012 01:03 PM - edited 03-07-2019 10:38 AM
In my LAN, all access layer switches/stacks are connected directly to the core backbone switch (Cisco 6509) via SFP fiber optic.
I want to protect my spanning tree setup with the "root guard" command.
1. Where would I set this? On the uplink ports of the access layer switches, or on the core backbone ports to which the access layer switches connect?
2. Can this be set on active (production) ports without downtime?
thanks
12-16-2012 01:45 PM
In a stable topology, this is only needed on all the root bridge ports.
No downtime, since there is no recalculation; it only instructs the port to go into the root-inconsistent state upon receipt of a superior BPDU. No traffic will pass through this port until the superior BPDUs stop; then normal traffic flow will start again.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
To firm up further, you might consider BPDU guard also.
12-16-2012 02:11 PM
Just to clarify:
Root guard on the core switch (set as root bridge) uplink ports connecting to the access layer switches.
BPDU guard on the access layer end device ports.
What about loop guard? On the access layer uplink ports?
12-16-2012 06:47 PM
Hi,
The answer is: on the blocking ports. However, this is not totally correct. Loop guard must be enabled on the non-designated ports (more precisely, on root and alternate ports) for all possible combinations of active topologies. As long as loop guard is not a per-VLAN feature, the same (trunk) port might be designated for one VLAN and non-designated for another. The possible failover scenarios should also be taken into account.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
Hope it will help.
Sent from Cisco Technical Support iPhone App
12-16-2012 06:51 PM
Hi,
Root guard and loop guard basically serve different purposes.
Root guard: It protects against an undesired switch becoming the root bridge. So you need to enable this feature on your root bridge ports which go to the downstream switches.
The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
Loop guard : The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.
When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.
The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
12-16-2012 06:54 PM
Hi Jacob,
The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops).
When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.
The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.
Once the BPDU is received on a port in a loop-inconsistent STP state, the port transitions into another STP state. According to the received BPDU, this means that the recovery is automatic and intervention is not necessary.
Refer:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
Regards,
Aru
*** Please rate if the post is useful ***
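An added IOS configuration example (not posted by anyone in this thread) that puts the three features where the replies above place them: root guard on the root bridge's downlinks, BPDU guard on access-layer edge ports, loop guard on access-layer uplinks. The hostnames, VLAN range and interface numbers are assumed; substitute your own.

```cisco
! ===== Core-6509 (assumed hostname; intended root bridge) =====
spanning-tree mode rapid-pvst
! Low priority makes this switch the root for all VLANs
spanning-tree vlan 1-4094 priority 4096
!
! Assumed downlink interfaces to the access stacks
interface range TenGigabitEthernet1/1 - 8
 description Downlinks to access layer stacks
 switchport mode trunk
 ! A superior BPDU from downstream puts the port in root-inconsistent
 ! (blocked) state; it recovers by itself once superior BPDUs stop
 spanning-tree guard root
!
! ===== Access-1 (assumed hostname; access stack) =====
spanning-tree mode rapid-pvst
! Any PortFast port that receives a BPDU is err-disabled
spanning-tree portfast bpduguard default
! Optional: bring err-disabled edge ports back after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Assumed end-device (edge) ports
interface range GigabitEthernet1/0/1 - 48
 description End-device ports
 switchport mode access
 spanning-tree portfast
!
! Assumed fiber uplinks to the core; these are the root/alternate
! (non-designated) ports where loop guard belongs
interface range TenGigabitEthernet1/1/1 - 2
 description Uplinks to Core-6509
 switchport mode trunk
 ! If BPDUs stop arriving, the port goes loop-inconsistent instead of
 ! forwarding. Root guard and loop guard cannot be enabled on the same port.
 spanning-tree guard loop
!
! ===== Verification (run on either switch) =====
! show spanning-tree inconsistentports
! show spanning-tree interface TenGigabitEthernet1/1/1 detail
! show errdisable recovery
```

Ports that are currently blocked by either guard show up under `show spanning-tree inconsistentports`; an empty list after the change is the expected steady state for the topology described in the question.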