
Spanning Tree - Root Guard

nathan.edwards1
Level 1

I have three switches connected in a full mesh.  I have two distribution switches that are sharing the root bridge roles for numerous instances of RPVST+.  Today I noticed that "spanning-tree guard root" is configured on several of my P2P links and, after some further digging, noticed that some of the VLANs on these ports were in a "root inconsistent" state.  I understand this to mean that the switch received a superior BPDU on the interface and root guard has placed it into the Broken state until the superior BPDUs stop coming.  What's confusing me is that the BPDUs are coming from the actual root bridge.  Since it's receiving a BPDU with the same bridge ID and a higher path cost than its current root port, I thought it would just block one of the interfaces on the segment.  Why the BKN state?

SwitchA:

VLAN0149
  Spanning tree enabled protocol rstp
  Root ID    Priority    24725
             Address     001b.9027.3400
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24725  (priority 24576 sys-id-ext 149)
             Address     001b.9027.3400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 480

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/2               Desg FWD 4         128.2    P2p Peer(STP)
Gi1/4               Desg FWD 4         128.4    P2p
Gi1/5               Desg FWD 4         128.5    P2p Peer(STP)
Gi1/7               Desg FWD 4         128.7    P2p
Gi1/8               Desg FWD 4         128.8    P2p
Gi1/10              Desg FWD 4         128.10   P2p Peer(STP)
Gi1/13              Desg FWD 4         128.13   P2p
Gi1/14              Desg FWD 4         128.14   P2p
Gi1/18              Desg FWD 4         128.18   P2p Peer(STP)
Gi1/21              Desg FWD 4         128.21   P2p Peer(STP)
Gi1/22              Desg FWD 4         128.22   P2p
Te3/5               Desg FWD 2         128.261  P2p Peer(STP)
Po1                 Desg FWD 3         128.1665 P2p

Switch B:

VLAN0149
  Spanning tree enabled protocol rstp
  Root ID    Priority    24725
             Address     001b.9027.3400
             Cost        3
             Port        1665 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32768
             Address     001c.f91e.2495
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 480

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/2               Desg FWD 4         128.2    P2p
Gi1/4               Desg FWD 4         128.4    P2p
Gi1/5               Desg FWD 4         128.5    P2p Peer(STP)
Gi1/7               Desg FWD 4         128.7    P2p
Gi1/8               Desg FWD 4         128.8    P2p
Gi1/10              Desg FWD 4         128.10   P2p
Gi1/12              Desg FWD 4         128.12   P2p
Gi1/13              Desg FWD 4         128.13   P2p
Gi1/14              Desg FWD 4         128.14   P2p Peer(STP)
Gi1/15              Desg FWD 4         128.15   P2p
Gi1/17              Desg FWD 4         128.17   P2p
Gi1/18              Desg FWD 4         128.18   P2p
Gi1/20              Desg FWD 4         128.20   P2p Peer(STP)
Gi1/21              Desg FWD 4         128.21   P2p Peer(STP)
Te3/5               Desg BKN*2         128.261  P2p Peer(STP) *ROOT_Inc
Po1                 Root FWD 3         128.1665 P2p

Switch C:

VLAN0149
  Spanning tree enabled protocol ieee
  Root ID    Priority    24725
             Address     001b.9027.3400
             Cost        2
             Port        258 (TenGigabitEthernet3/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32917  (priority 32768 sys-id-ext 149)
             Address     6c20.5606.fc00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  3600 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te3/1               Desg FWD 2         128.257  P2p
Te3/2               Root FWD 2         128.258  P2p

InayathUlla Sharieff
Cisco Employee

Nathan,

That's expected behaviour.

Root guard: It protects against an undesired switch becoming a root bridge. So you need to enable this feature on your root bridge ports which go to downstream switches.

The root guard ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together. If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

HTH

Regards

Inayath

Thanks for the reply InayathUlla,

But where does the superior BPDU come into play?  All three switches are connected via trunk links, forming a loop.  All three agree that 001b.9027.3400 is the root bridge.  Shouldn't B receive C's BPDU with a cost of 4 to the root bridge?  The BPDU it received on its link with switch A would be superior.  I would expect C's interface going to switch B would be ALT/blocking, not inconsistent.

Here's a pretty high-speed diagram:

A--------B
   \     /
     C

Thanks,

Nate

Hi,

Could you show the output of this command on switch B:

sh spanning-tree int te3/5 detail

Hope it will help.

Best regards,
Abzal


Hi Abzal,

Here's the output:

Port 261 (TenGigabitEthernet3/5) of VLAN0149 is broken  (Root Inconsistent)
   Port path cost 2, Port priority 128, Port Identifier 128.261.
   Designated root has priority 24725, address 001b.9027.3400
   Designated bridge has priority 32768, address 001c.f91e.2495
   Designated port id is 128.261, designated path cost 3
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default, Peer is STP
   Root guard is enabled on the port
   BPDU: sent 295, received 7036519

And here's the interface on Switch B that connects to Switch A:

  Port 1665 (Port-channel1) of VLAN0149 is root forwarding
   Port path cost 3, Port priority 128, Port Identifier 128.1665.
   Designated root has priority 24725, address 001b.9027.3400
   Designated bridge has priority 24725, address 001b.9027.3400
   Designated port id is 128.1665, designated path cost 0
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 5028, received 29412169

Thanks,

Nate

Nathan,

Could you please check with your network team once to see if by any chance someone connected any switch to Switch C, which in turn has a lower bridge ID and is broadcasting itself as root to Switch C?

Here is a link which would give some idea why the port shows as broken and is in the root-inconsistent state:

http://astorinonetworks.com/2011/10/28/understanding-stp-rootguard/

HTH

Regards

Inayath

InayathUlla,

No, no other switches are plugged into switch C...I'm thinking this may be an issue with the PortChannel vs the TenGig link.  I may just be overthinking it at this point, but I'm at a loss...

Nathan,

Yes, it could be. Could you please provide the following data so that we can dig much more into this:

1- Show etherchannel summary

2- Running config and logs from the  devices.

3- Show spanning-tree vlan 149

4- show int t3/5 & TX/x which is in the port-channel.

Regards

Inayath

I think it has to do with the fact that on switch B , the Po1 is the root port (to switch A).

I am assuming Te3/5 is part of that same port channel 1, correct?

So switch B has established that the root can be reached through Po1.  Now switch A also sends a BPDU to advertise it being the root through Te3/5 (received by switch B on Te3/5), and on switch B you have root guard enabled on that, which means that Te3/5 goes into inconsistent, as it should (because the port cost from B-->A is only 2 through Te3/5 and 3 through Po1; remember, the bridge ID and priority sent by A are a tie between Po1 and Te3/5, so port cost has to be the decider).

switch B:

Te3/5               Desg BKN*2         128.261  P2p Peer(STP) *ROOT_Inc

Po1                 Root FWD 3         128.1665 P2p

The best way to find out if the superior BPDU is coming from A is to debug.  A possible workaround would be to increase the STP port cost on Te3/5 on switch B.

Let us know how you go

=============================
Please remember to rate useful posts, by clicking on the stars below. 

=============================


Minkdennis,

Thanks for the reply.  I really should have posted a cdp nei output in my original post.  I don't have access to the switch right now but Switch A is connected to Switch B through the port-channel with two 1 gig interfaces.  Switch A and B both connect to Switch C via their T3/5 interfaces.  So switch B's accumulative path cost to the root through Switch C should be 4, if I'm not mistaken since it crosses two 10 gig links.

Inayath,

I will post the info as soon as possible.  Thanks again.

Nate
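Added example, not part of any post in this thread: the standard STP priority-vector comparison (root ID, root path cost, designated bridge ID, designated port ID, lower wins) applied to the values in the outputs above, showing when root guard treats a received BPDU as superior even though the root bridge is unchanged. It assumes, from the last description of the cabling, that Switch B's Te3/5 faces Switch C's Te3/1; the function names are illustrative.

```python
from typing import NamedTuple

def mac(s: str) -> int:
    """Cisco dotted MAC (001b.9027.3400) as an integer for numeric comparison."""
    return int(s.replace(".", ""), 16)

class Vector(NamedTuple):
    """STP priority vector. Field order is the comparison order; lower wins."""
    root_prio: int
    root_mac: int
    root_cost: int
    bridge_prio: int
    bridge_mac: int
    port_prio: int
    port_num: int

def is_superior(received: Vector, own: Vector) -> bool:
    # A BPDU is superior when its vector sorts before the port's own vector,
    # which can happen on root path cost alone with the same root bridge.
    return received < own

def port_result(received: Vector, own: Vector, root_guard: bool,
                port_cost: int, current_root_cost: int) -> str:
    """State of a would-be designated port after a BPDU arrives on it."""
    if not is_superior(received, own):
        return "Desg FWD"
    if root_guard:
        return "Desg BKN (ROOT_Inc)"  # root guard keeps the role, blocks the port
    # Without root guard the port gives up the designated role.
    # Simplification: equal-cost ties between candidate root ports are ignored.
    better_root = received[:2] < own[:2]
    via_port = received.root_cost + port_cost
    return "Root FWD" if better_root or via_port < current_root_cost else "Altn BLK"

# Values copied from the show outputs in the thread (VLAN 149).
ROOT = (24725, mac("001b.9027.3400"))
B_TE3_5 = Vector(*ROOT, 3, 32768, mac("001c.f91e.2495"), 128, 261)  # B's own vector
C_TE3_1 = Vector(*ROOT, 2, 32917, mac("6c20.5606.fc00"), 128, 257)  # assumed sender

def thread_case(root_guard: bool = True) -> str:
    # B's Te3/5 has port cost 2; B's current root path cost via Po1 is 3.
    return port_result(C_TE3_1, B_TE3_5, root_guard, port_cost=2, current_root_cost=3)

if __name__ == "__main__":
    print("C's BPDU superior on B Te3/5:", is_superior(C_TE3_1, B_TE3_5))
    print("with root guard:   ", thread_case(True))
    print("without root guard:", thread_case(False))
```
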
