spanning tree root guard command

Jacob Berger
Level 2

In my LAN, all the access layer switches/stacks are connected directly to the core backbone switch (Cisco 6509) via SFP fiber optic.

I want to protect my spanning tree setup with the "root guard" command.

1. Where would I set this? On the uplink ports of the access layer switches, or on the core backbone ports to which the access layer switches connect?

2. Can this be set on active (production) ports without downtime?

Thanks


5 Replies

jimmysands73_2
Level 5

In a stable topology, this is only needed on all the root bridge ports.

No downtime, since there is no re-calculation. It only instructs the port to be placed into root-inconsistent state upon receipt of a superior BPDU; no traffic will pass through this port until the superior BPDUs stop, then normal traffic flow will start.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

To firm up further, you might consider BPDU guard also.
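The placement described in the reply above, written out as a configuration. This is an added example, not configuration from the thread; it assumes the 6509 runs native IOS (not CatOS), that the access stacks run Cisco IOS, and the interface names, VLAN range and descriptions are hypothetical. It also shows the mistake to avoid (root guard on the access side of the link) next to the correct placement, and the show commands used to confirm that a production link stays forwarding.

```cisco
! --- Core switch (Cisco 6509, assumed native IOS) ---
! Make the core the root for every VLAN by explicit priority, so root
! guard protects a position you chose rather than a default-priority win.
spanning-tree vlan 1-4094 priority 4096
!
! Downlink to an access stack (interface name is hypothetical).
! Root guard goes HERE, on the root bridge's designated ports, because
! this is where a superior BPDU from a rogue or misconfigured access
! switch would arrive.
interface GigabitEthernet1/1
 description Downlink to access stack A (fiber SFP)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root
!
! --- Access stack (assumed Cisco IOS) ---
! Do NOT put root guard on the access switch's uplink: that port is
! supposed to receive superior BPDUs from the legitimate root, so root
! guard there would hold the uplink in root-inconsistent state and
! isolate the whole stack. "guard none" is the default; it is written
! out here only to make the contrast explicit.
interface GigabitEthernet1/0/49
 description Uplink to core 6509
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard none
!
! Edge ports: portfast + BPDU guard, so any BPDU arriving on an
! end-device port (rogue switch, a hub with a switch behind it)
! err-disables that port. The global line covers every portfast port;
! the per-interface line shows the same thing scoped to a range.
spanning-tree portfast bpduguard default
interface range GigabitEthernet1/0/1 - 48
 description End-device ports
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: bring err-disabled edge ports back after 5 minutes instead
! of waiting for a manual shut / no shut.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification ---
! On the core: ports currently held in root-inconsistent state, listed
! per VLAN. An empty list after enabling root guard on a live downlink
! means nothing was blocked, which is why there is no outage.
show spanning-tree inconsistentports
! On the core: the detail output reports root guard as enabled on the port.
show spanning-tree interface GigabitEthernet1/1 detail
! On the access stack: edge ports taken down by BPDU guard.
show interfaces status err-disabled
```

Applying `spanning-tree guard root` to a live downlink does not trigger a topology change; the only time the port stops passing traffic is while a superior BPDU is actually being received on it, and it returns to forwarding on its own once those BPDUs stop.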

Just to clarify:

Root guard on the core switch (set as root bridge) uplink ports connecting to the access layer switches.

BPDU guard on access layer end-device ports.

What about loop guard? On access layer uplink ports?

Hi,

The answer is: on the blocking ports. However, this is not totally correct. Loop guard must be enabled on the non-designated ports (more precisely, on root and alternate ports) for all possible combinations of active topologies. As long as loop guard is not a per-VLAN feature, the same (trunk) port might be designated for one VLAN and non-designated for another. The possible failover scenarios should also be taken into account.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml

Hope it will help.


Best regards,
Abzal

Hi,

Root guard and loop guard serve basically different purposes.

Root guard: It protects against an undesired switch becoming the root bridge. So you need to enable this feature on your root bridge ports that go to the downstream switches.

The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

Loop guard : The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.

When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml

Hi Jacob,

The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops).

When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.

The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

Once the BPDU is received on a port in a loop-inconsistent STP state, the port transitions into another STP state. According to the received BPDU, this means that the recovery is automatic and intervention is not necessary.

  • The loop guard feature is enabled on a per-port basis. However, as long as it blocks the port at the STP level, loop guard blocks inconsistent ports on a per-VLAN basis (because of per-VLAN STP).
  • Loop guard must be applied to all non-designated links. Non-designated here refers to any port that is not designated, including root ports.

Refer:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml

Regards,

Aru

*** Please rate if the post is useful ***
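The loop guard placement discussed in the last three replies, as an added configuration example (not from the thread). It assumes the access stacks run Cisco IOS with PVST+ or Rapid PVST+, that each stack has two uplinks to the core so that one port is the root port and the other an alternate port in any given VLAN, and the interface names are hypothetical. It also records the one interaction a practitioner trips over: loop guard and root guard cannot coexist on the same port.

```cisco
! --- Access stack (assumed Cisco IOS, PVST+ / Rapid PVST+) ---
! Loop guard belongs on ports that are root or alternate (non-designated)
! in at least one VLAN. Because port roles are decided per VLAN, the
! simplest correct placement is the global form: it applies to every
! port, and the switch enforces it only on the VLANs in which a port is
! actually non-designated. Portfast edge ports are unaffected because
! they are always designated.
spanning-tree loopguard default
!
! Per-port form, if you prefer to scope it to the uplinks only.
! Root guard and loop guard are mutually exclusive on a port: entering
! "guard loop" replaces a previous "guard root" on that interface and
! vice versa, so never expect both on the same port.
interface range GigabitEthernet1/0/49 - 50
 description Uplinks to core 6509 (one root port, one alternate port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard loop
!
! --- Core switch (assumed native IOS) ---
! The core is the root for all VLANs, so every core port is designated
! and loop guard has nothing to act on there. If the core ever loses the
! root role for some VLAN (priority mistake, rogue root), root guard on
! the downlinks is what catches that, not loop guard.
!
! --- Verification (on the access stack) ---
! Global guard settings currently in effect, including Loopguard Default.
show spanning-tree summary
! Per-port detail reports loop guard as enabled on the uplink.
show spanning-tree interface GigabitEthernet1/0/49 detail
! Ports currently in loop-inconsistent state, one line per VLAN. A port
! can be listed for one VLAN while still forwarding another, which is
! the per-VLAN behaviour the replies above describe. Recovery is
! automatic once BPDUs are received again on that VLAN; nothing has to
! be cleared by hand.
show spanning-tree inconsistentports
```

Enabling `spanning-tree loopguard default` on a live stack does not change any port's current role; a port only enters loop-inconsistent state when it would otherwise have aged out the root's BPDUs and promoted itself to designated, so on a healthy fiber link nothing changes at the moment the command is entered.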
