CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs -
LAN Switching
STP Root Guard
You must load the initial configuration files for the section, LAN
Switching Initial Spanning Tree, which can be found in
. Reference
the Virtual Routers & Physical Switches Diagram to complete this
task.
Task
Configure SW1 so that STP logically blocks Ethernet links connected to SW2 and
SW3 if any of SW2 - SW4 tries to become Root Bridge for any VLAN.
Configuration
SW1:
interface range FastEthernet0/19 - 20
spanning-tree guard root
!
interface range FastEthernet0/23 - 24
spanning-tree guard root
Verification
Root Guard is similar to BPDU Guard in that both react to BPDUs received on a port and stop that port from forwarding. The difference is that Root Guard acts only on a superior BPDU, and it only disables the interface logically, by moving it into the Root Inconsistent state, rather than err-disabling it. Root Inconsistent is similar to the Blocking state: the port does not send BPDUs but still accepts them inbound, and all other received frames are dropped. The switch recovers the port from Root Inconsistent automatically and starts negotiating the port state and role again as soon as superior BPDUs are no longer received on it; no manual intervention and no errdisable recovery timer is involved.
A superior BPDU is one that would win the STP election on that port: it advertises a better (numerically lower) Root Bridge ID than the current root, or the same root with a lower path cost, with the sender Bridge ID and Port ID as tie-breakers. In terms of design, the feature is therefore used to prevent a rogue or misconfigured device from announcing itself as the new root bridge and pulling traffic through itself, which is the basis of a layer 2 man-in-the-middle attack. Root Guard can be enabled only at the port level and, in effect, prevents a Designated port from ever being elected as a Root port. You will want to configure it on the Root Bridge itself, where every port toward another switch is Designated, and on any other Designated port facing devices that must never become root. Do not enable it on a legitimate Root port or Alternate port, because the superior BPDUs arriving there are expected and the port would simply stay Root Inconsistent.
Verify that Root Guard is enabled for all VLANs, for example on port FastEthernet0/19.
SW1#show spanning-tree interface fastEthernet0/19 detail | i Port|Root
Port 21 (FastEthernet0/19) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0002 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0005 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0007 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0008 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0009 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0010 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0022 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0043 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0058 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0067 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0079 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0146 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Root guard is enabled on the port
Although Root Guard is enabled at the port level, it works on a per-VLAN basis. For
example, let’s configure SW2 with a better bridge priority for VLAN 2, which means
that SW1 will logically disable its port to SW2 only for VLAN 2.
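To make precise what "superior" means in the explanation above, and why a priority change on SW2 affects only VLAN 2, here is an added Python model of the BPDU comparison. It is an illustration written for this page, not code from the workbook or from Cisco IOS. The bridge addresses and the priorities 4096 and 0 are the ones that appear in the show output on this page; the function names, the Bpdu class and the sample BPDUs are this example's own assumptions.

```python
"""Added example: the 802.1D BPDU comparison behind Root Guard, with PVST+
per-VLAN bridge IDs (priority + VLAN number as sys-id-ext).

Constructed for this page; SW1_MAC/SW2_MAC and the priorities come from the
workbook's show output, everything else is this example's own naming."""
from dataclasses import dataclass

SW1_MAC = "0013.605f.f000"   # SW1 bridge address from the page output
SW2_MAC = "000a.b832.3a80"   # SW2 bridge address from the page output
DEFAULT_PRIORITY = 32768

BridgeId = tuple[int, int]   # (priority + sys-id-ext, MAC as an integer)


def mac_to_int(mac: str) -> int:
    """'0013.605f.f000' -> 0x0013605ff000 so that addresses compare numerically."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def bridge_id(priority: int, mac: str, vlan: int) -> BridgeId:
    """PVST+ bridge ID for one VLAN: configured priority plus the VLAN number,
    e.g. priority 4096 in VLAN 2 -> 4098 and priority 0 in VLAN 2 -> 2."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("IOS accepts only multiples of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("invalid VLAN number")
    return (priority + vlan, mac_to_int(mac))


def port_id(priority: int, number: int) -> int:
    """Port Identifier 128.21 -> 0x8015 (port priority in the high byte)."""
    return (priority << 8) | number


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int

    def vector(self) -> tuple:
        # 802.1D comparison order: root ID, then root path cost,
        # then sender bridge ID, then sender port ID; lower wins.
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port_id)


def is_superior(received: Bpdu, own: Bpdu) -> bool:
    """A received BPDU is superior when its priority vector is better (lower)
    than the BPDU the designated port itself transmits on the segment."""
    return received.vector() < own.vector()


def root_guard_state(own: Bpdu, received: Bpdu) -> str:
    """What a Root Guard port does with a received BPDU: a superior one moves
    it to Root Inconsistent (shown as BKN*/*ROOT_Inc); anything else leaves it
    Designated Forwarding."""
    return "ROOT_Inc" if is_superior(received, own) else "Desg FWD"


def sw1_port_state(vlan: int, sw2_priority: int) -> str:
    """Reproduce the page's scenario: SW1 is root with priority 4096, SW2 is
    configured with sw2_priority and advertises itself as root on the link."""
    sw1 = bridge_id(4096, SW1_MAC, vlan)
    sw2 = bridge_id(sw2_priority, SW2_MAC, vlan)
    own = Bpdu(root_id=sw1, root_path_cost=0, sender_id=sw1,
               sender_port_id=port_id(128, 21))
    received = Bpdu(root_id=sw2, root_path_cost=0, sender_id=sw2,
                    sender_port_id=port_id(128, 21))
    return root_guard_state(own, received)


if __name__ == "__main__":
    # VLAN 2 after "spanning-tree vlan 2 priority 0" on SW2: BID 2 beats 4098
    print("VLAN 2,  SW2 priority 0     ->", sw1_port_state(2, 0))
    # VLAN 10 is untouched: SW2's BID 32778 does not beat SW1's 4106
    print("VLAN 10, SW2 priority 32768 ->", sw1_port_state(10, DEFAULT_PRIORITY))
```

The comparison is evaluated once per VLAN instance because the sys-id-ext makes the bridge ID different in every VLAN, which is exactly why the same physical port can be Root Inconsistent in VLAN 2 and Designated Forwarding in VLAN 10 at the same time.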
SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#spanning-tree vlan 2 priority 0
!
!
SW1#show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    4098
             Address     0013.605f.f000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4098   (priority 4096 sys-id-ext 2)
             Address     0013.605f.f000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Desg BKN*19        128.21   P2p *ROOT_Inc
Fa0/20              Desg BKN*19        128.22   P2p *ROOT_Inc
Fa0/23              Desg BKN*19        128.25   P2p *ROOT_Inc
Fa0/24              Desg BKN*19        128.26   P2p *ROOT_Inc
!
!
SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     0013.605f.f000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
             Address     0013.605f.f000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Desg FWD 19        128.21   P2p
Fa0/20              Desg FWD 19        128.22   P2p
Fa0/23              Desg FWD 19        128.25   P2p
Fa0/24              Desg FWD 19        128.26   P2p
SW1 will also log messages similar to the following, notifying of the problem.
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/23 on VLAN0002.
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/24 on VLAN0002.
Because SW1 no longer sends BPDUs outbound on its Root Inconsistent ports, SW2 and SW3 hear nothing from SW1 on those links and therefore place their ports toward SW1 in Designated FWD state for VLAN 2. Note also that SW3 has elected SW2 as root for VLAN 2: Root Guard protects the topology as seen from SW1, not the view of switches downstream of the rogue device, so the log messages above are the signal to act on.
SW2#show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    2
             Address     000a.b832.3a80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    2      (priority 0 sys-id-ext 2)
             Address     000a.b832.3a80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Desg FWD 19        128.21   P2p
Fa0/20              Desg FWD 19        128.22   P2p
Fa0/23              Desg FWD 19        128.25   P2p
Fa0/24              Desg FWD 19        128.26   P2p
!
!
SW3#show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    2
             Address     000a.b832.3a80
             Cost        38
             Port        25 (FastEthernet0/23)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0022.5627.1f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Desg FWD 19        128.21   P2p
Fa0/20              Desg FWD 19        128.22   P2p
Fa0/23              Root FWD 19        128.25   P2p
Fa0/24              Altn BLK 19        128.26   P2p
When superior BPDUs are no longer received, SW1 will start to send BPDUs
outbound on the ports to negotiate the STP state and role; it will also log messages
similar to the following:
%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/23 on VLAN0002.
%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/24 on VLAN0002.
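The BLOCK and UNBLOCK messages above are the only signal on the root bridge that a neighbour tried to take over a VLAN, so they are worth parsing rather than reading by eye. The following added Python example (written for this page, not part of the workbook or of any Cisco tool) replays the ROOTGUARD syslog messages into the set of ports that are still Root Inconsistent, and cross-checks that against a captured show spanning-tree vlan table by picking out rows flagged *ROOT_Inc. The message formats are the ones quoted on this page; the sample syslog lines (with constructed IOS timestamps, plus an UNBLOCK for Fa0/24 to show a port leaving the list) and the trimmed show output are constructed samples, and the function names are this example's own.

```python
"""Added example: detect Root Guard activity from SW1's syslog and from
'show spanning-tree vlan' output. Constructed for this page; the message
formats are quoted from it, the sample data is built here."""
import re

# Cisco IOS SPANTREE messages exactly as quoted on this page.
ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<action>BLOCK|UNBLOCK): Root guard (?:un)?blocking port "
    r"(?P<port>\S+) on (?P<vlan>VLAN\d{4})\."
)
# One interface row of "show spanning-tree vlan N": name, role, status (a
# broken port prints BKN* straight against the cost), cost, prio.nbr, link
# type, then an optional reason such as *ROOT_Inc.
ROW_RE = re.compile(
    r"^(?P<intf>[A-Za-z]+\d+(?:/\d+)*)\s+(?P<role>\w+)\s+(?P<sts>[A-Z]+\*?)\s*"
    r"(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>\S+(?:\s+Edge)?)"
    r"(?:\s+(?P<reason>\*\w+))?\s*$"
)
VLAN_HDR_RE = re.compile(r"^(VLAN\d{4})$")

# Constructed SW1 syslog sample: the two BLOCK lines from this page, one
# unrelated message, and an UNBLOCK for Fa0/24 once its superior BPDUs stop.
SAMPLE_LOG = """\
*Mar  1 00:14:02.113: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/23 on VLAN0002.
*Mar  1 00:14:02.117: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/24 on VLAN0002.
*Mar  1 00:14:05.301: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:15:40.882: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/24 on VLAN0002.
"""

# SW1's VLAN 2 and VLAN 10 tables from this page, trimmed to the relevant lines.
SAMPLE_SHOW = """\
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    4098
             Address     0013.605f.f000
             This bridge is the root

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Desg BKN*19        128.21   P2p *ROOT_Inc
Fa0/20              Desg BKN*19        128.22   P2p *ROOT_Inc
Fa0/23              Desg BKN*19        128.25   P2p *ROOT_Inc
Fa0/24              Desg BKN*19        128.26   P2p *ROOT_Inc

VLAN0010
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/19              Desg FWD 19        128.21   P2p
Fa0/20              Desg FWD 19        128.22   P2p
"""


def parse_rootguard_events(lines):
    """Yield (action, port, vlan) for every ROOTGUARD_BLOCK/UNBLOCK message."""
    for line in lines:
        m = ROOTGUARD_RE.search(line)
        if m:
            yield m["action"], m["port"], m["vlan"]


def currently_blocked(events):
    """Replay the events in order: a port/VLAN pair stays blocked until the
    matching UNBLOCK message arrives."""
    blocked = set()
    for action, port, vlan in events:
        if action == "BLOCK":
            blocked.add((port, vlan))
        else:
            blocked.discard((port, vlan))
    return blocked


def root_inconsistent_from_show(text):
    """Return {(interface, vlan)} for rows marked *ROOT_Inc in the show output."""
    found, vlan = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        h = VLAN_HDR_RE.match(line)
        if h:
            vlan = h.group(1)       # rows that follow belong to this VLAN
            continue
        r = ROW_RE.match(line)
        if r and vlan and r["reason"] == "*ROOT_Inc":
            found.add((r["intf"], vlan))
    return found


def alerts(blocked):
    """One alert line per VLAN, listing the ports on which a superior BPDU arrived."""
    by_vlan = {}
    for port, vlan in sorted(blocked):
        by_vlan.setdefault(vlan, []).append(port)
    return [f"{vlan}: superior BPDU received on {', '.join(ports)}; "
            f"a neighbour is trying to become root" for vlan, ports in sorted(by_vlan.items())]


if __name__ == "__main__":
    from_log = currently_blocked(parse_rootguard_events(SAMPLE_LOG.splitlines()))
    print("from syslog:", *alerts(from_log), sep="\n  ")
    print("from show output:", *alerts(root_inconsistent_from_show(SAMPLE_SHOW)), sep="\n  ")
```

Feeding a syslog collector's export to parse_rootguard_events gives the live view; polling the show output gives an independent confirmation that does not depend on the log having been delivered. Either list being non-empty for longer than the time it takes to find and fix the offending switch is the condition to alert on.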