What if one uses bpdufilter feature on the interfaces going to the switch that we don't want to be the root bridge, would that be a valid solution?
-----Original Message-----
From: "Bob Sinclair" <bob_at_bobsinclair.net>
Sender: nobody_at_groupstudy.com
Date: Mon, 21 Jun 2010 10:07:23
To: 'Abiola Jewoola'<biola_y2k_at_yahoo.com>; 'Cisco certification'<ccielab_at_groupstudy.com>
Reply-To: "Bob Sinclair" <bob_at_bobsinclair.net>
Subject: RE: STP ROOT BRIDGE PROBLEM!!!!
Hi Abiola,
Yes, the root guard feature is to protect your network against a switch
becoming root that should not become root. Usually you are defending
against a customer switch, and the feature operates by isolating that
customer switch from your network.
But you can protect your root bridge by configuring root guard on your
non-root bridge that connects to the customer switch; that way you isolate
just that customer switch. If you could only configure the feature on the
root bridge then you might end up isolating large parts of your L2 network,
not just the offending switch.
As we saw, you can configure it on a non-root switch: I chose to demonstrate
it on a root port just to show that the local switch was NOT the current
root. As designed, it put the port connected to the root in Root
Inconsistent state. Here I configure it on a non-root bridge, on a non-root
port, and you see it does not go root inconsistent:
SW3#sh span
VLAN0056
Spanning tree enabled protocol ieee
Root ID Priority 32824
Address 0023.05c4.bb00
Cost 19
Port 21 (FastEthernet0/19)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32824 (priority 32768 sys-id-ext 56)
Address 0023.3307.5680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/19           Root FWD 19        128.21   P2p
Fa0/23           Desg FWD 19        128.25   P2p
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int f0/23
SW3(config-if)#spanning-tree guard root
SW3(config-if)#end
SW3#show span
VLAN0056
Spanning tree enabled protocol ieee
Root ID Priority 32824
Address 0023.05c4.bb00
Cost 19
Port 21 (FastEthernet0/19)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32824 (priority 32768 sys-id-ext 56)
Address 0023.3307.5680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/19           Root FWD 19        128.21   P2p
Fa0/23           Desg FWD 19        128.25   P2p
SW3#sh span int f0/23 deet
SW3#sh span int f0/23 det
SW3#sh span int f0/23 detail
Port 25 (FastEthernet0/23) of VLAN0056 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.25.
Designated root has priority 32824, address 0023.05c4.bb00
Designated bridge has priority 32824, address 0023.3307.5680
Designated port id is 128.25, designated path cost 19
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 382, received 26
From: Abiola Jewoola [mailto:biola_y2k_at_yahoo.com]
Sent: Monday, June 21, 2010 9:54 AM
To: bob_at_bobsinclair.net
Subject: RE: STP ROOT BRIDGE PROBLEM!!!!
If you configure the root guard on a non-root switch, the root port goes to
inconsistent state as shown in your topology.
Reason, to the best of my knowledge (please correct me if I am wrong!!), is
that the root switch will put any root port which has a better bridge ID
into root inconsistent so as to protect itself from being overthrown as the
root. The guard root is supposed to guard the root switch, not the non-root
switch.
--- On Mon, 6/21/10, Bob Sinclair <bob_at_bobsinclair.net> wrote:
From: Bob Sinclair <bob_at_bobsinclair.net>
Subject: RE: STP ROOT BRIDGE PROBLEM!!!!
To: "'Abiola Jewoola'" <biola_y2k_at_yahoo.com>, "'Cisco certification'"
<ccielab_at_groupstudy.com>
Date: Monday, June 21, 2010, 5:05 AM
Hi Abiola,
Not sure what you are seeing. It seems I can configure root guard on a
nonroot bridge. Below you see it configured on a root port:
SW4#sh span vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 32788
Address 0023.05c9.5e80
Cost 19
Port 21 (FastEthernet0/19)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 0023.3307.7000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/10           Desg FWD 19        128.12   P2p
Fa0/19           Root FWD 19        128.21   P2p  <<<<<<<<<<<<<<<<<<<
SW4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#int f0/19
SW4(config-if)#span guard root <<<<<<<<<<<<<<<<<<<<<
SW4(config-if)#end
SW4#sh span vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 32788
Address 0023.3307.7000
This bridge is the root <<<<<<<<<<<<<<<<<<<< AFTER configuration
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 0023.3307.7000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/10           Desg FWD 19        128.12   P2p
Fa0/19           Desg BKN*19        128.21   P2p *ROOT_Inc  <<<<<<<<<<<<<<<<<<<<<<<
SW4#
HTH,
Bob Sinclair
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Abiola Jewoola
> Sent: Monday, June 21, 2010 2:19 AM
> To: Abdel Bric; Cisco certification; chris
> Subject: Re: STP ROOT BRIDGE PROBLEM!!!!
>
> I thought Root Guard is normally configured on the root bridge. You can't
> configure it on non-root switches.
>
> --- On Wed, 6/16/10, chris <chrish711_at_gmail.com> wrote:
>
> From: chris <chrish711_at_gmail.com>
> Subject: Re: STP ROOT BRIDGE PROBLEM!!!!
> To: "Abdel Bric" <ab4ccie_at_gmail.com>, "Cisco certification"
> <ccielab_at_groupstudy.com>
> Date: Wednesday, June 16, 2010, 3:03 PM
>
> Uplinkfast will indirectly modify the priority. I would use root guard in
> the other switches to make sure this one is not elected ...
>
> On Wed, Jun 16, 2010 at 5:46 PM, Abdel Bric <ab4ccie_at_gmail.com> wrote:
>
> > how about uplinkfast if it is PVST+ mode
> >
> > On Wed, Jun 16, 2010 at 2:53 PM, Narbik Kocharians <narbikk_at_gmail.com> wrote:
> >
> >> Putting the switches in different MST domains might also be a valid
> >> solution.
> >>
> >> On Wed, Jun 16, 2010 at 11:47 AM, chris <chrish711_at_gmail.com> wrote:
> >>
> >> > What if the question says:
> >> > >
> >> > > "Make sure sw4 is not elected root bridge without modifying priority"
> >> > >
> >> > > Thanks,
> >> > >
> >> > > On Wed, Jun 16, 2010 at 1:07 PM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:
> >> > >
> >> > >> key phrase - "But I should not touch that bridge's priority."
> >> > >>
> >> > >> They are giving you the answer.
> >> > >>
> >> > >> Change the other bridge's priorities.
> >> > >>
> >> > >> On Wed, Jun 16, 2010 at 1:03 PM, HEMANTH RAJ <hemanthrj_at_gmail.com> wrote:
> >> > >>
> >> > >> > In STP I don't want to make a bridge a root bridge for any VLANs. But I
> >> > >> > should not touch that bridge's priority.
> >> > >> > How will I make a bridge not become a root bridge without touching
> >> > >> > its bridge priority???
> >> > >> >
> >> > >> > --
> >> > >> > Problems arise Bcoz we talk,prblms r not solve bcoz we dont
> talk So
> >> > gud
> >> > >> r
> >> > >> > bad talk to ur affectionate one's freely
> >> > >> >
> >> > >> > Urs Friendly,
> >> > >> > HP HEMANTH RAJ
> >>
> >> > >> >
> >> > >> >
> >> > >> > Blogs and organic groups at http://www.ccie.net
> >> > >> >
> >> > >> >
> >> > >> > _______________________________________________________________________
> >> > >> > Subscription information may be found at:
> >> > >> > http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> --
> >> Narbik Kocharians
> >> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> >> www.MicronicsTraining.com <http://www.micronicstraining.com/>
> >> Sr. Technical Instructor
> >> YES! We take Cisco Learning Credits!
> >> Training And Remote Racks available
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 9.0.829 / Virus Database: 271.1.1/2952 - Release Date:
> 06/20/10 14:36:00
Received on Mon Jun 21 2010 - 15:03:00 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:37 ART
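
Added example (not part of the original thread, and not Cisco's code): a small Python model of the root guard behaviour shown in the SW4 and SW3 outputs above, using a simplified 802.1D BPDU comparison. The bridge IDs and local port numbers come from the thread; the CUSTOMER bridge ID, the sender port numbers and the helper names are constructed for illustration.

```python
LINK_COST = 19  # FastEthernet path cost, as in the outputs in the thread

def evaluate(own_id, ports):
    """Simplified 802.1D port-role decision with Cisco root guard.

    own_id: (priority, mac). ports: {name: {"nbr": local port number,
    "guard": bool, "bpdu": (root_id, root_cost, sender_id, sender_port) | None}}
    Returns (root_id, {name: (role, state)}).
    """
    # Root election. A BPDU heard on a root-guard port is never eligible:
    # root guard forces that port to stay designated.
    best, root_port = (own_id, 0, own_id, 0), None
    for name, p in ports.items():
        if p["bpdu"] and not p["guard"]:
            root, cost, sender, sport = p["bpdu"]
            cand = (root, cost + LINK_COST, sender, sport)
            if cand < best:
                best, root_port = cand, name
    root_id, root_cost = best[0], best[1]

    roles = {}
    for name, p in ports.items():
        ours = (root_id, root_cost, own_id, p["nbr"])  # BPDU this port would send
        superior = p["bpdu"] is not None and p["bpdu"] < ours
        if name == root_port:
            roles[name] = ("Root", "FWD")
        elif superior and p["guard"]:
            roles[name] = ("Desg", "BKN ROOT_Inc")  # only this neighbour is cut off
        elif superior:
            roles[name] = ("Altn", "BLK")
        else:
            roles[name] = ("Desg", "FWD")
    return root_id, roles

# Bridge IDs taken from the outputs in the thread.
SW4, ROOT20 = (32788, "0023.3307.7000"), (32788, "0023.05c9.5e80")
SW3, ROOT56 = (32824, "0023.3307.5680"), (32824, "0023.05c4.bb00")
CUSTOMER = (4096, "00aa.bbcc.dd00")  # constructed: a switch with better priority

def sw4(guard_on_root_port):
    return evaluate(SW4, {
        "Fa0/10": {"nbr": 12, "guard": False, "bpdu": None},
        "Fa0/19": {"nbr": 21, "guard": guard_on_root_port,
                   "bpdu": (ROOT20, 0, ROOT20, 1)},  # sender port constructed
    })

def sw3(bpdu_on_fa23):
    return evaluate(SW3, {
        "Fa0/19": {"nbr": 21, "guard": False, "bpdu": (ROOT56, 0, ROOT56, 1)},
        "Fa0/23": {"nbr": 25, "guard": True, "bpdu": bpdu_on_fa23},
    })
```

Calling `sw4(True)` reproduces the "AFTER configuration" output (SW4 declares itself root and Fa0/19 goes root-inconsistent), while `sw3((CUSTOMER, 0, CUSTOMER, 1))` shows the guarded designated port blocking only the superior neighbour and leaving the existing root in place.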