
Two root switches Spanning Tree 2


drbk563

IS-IT--Management
Nov 21, 2006
I configured root guard on 2900XL switch, which is currently the root of vlan 23. On the other side of the 2900XL switch there is a 2950 switch, which is connected to the 2900XL via two trunk lines. I was testing the root guard by forcing the 2950 switch to become the root for vlan 23. However, instead of the 2900XL switch blocking that request I believe it was allowed and now I have two root switches on vlan 23. Why? Below is the output from the "sh spanning-tree vlan 23" from both switches.

Thank You

2900 XL Switch

SW1#sh spanning-tree vlan 23

Spanning tree 23 is executing the IEEE compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0030.f2fd.4741
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set, changes 5
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 1, topology change 0, notification 0

Interface Fa0/12 (port 1) in Spanning tree 23 is ROOT-INCONSISTENT
Port path cost 12, Port priority 128
Designated root has priority 32768, address 0030.f2fd.4741
Designated bridge has priority 32768, address 0030.f2fd.4741
Designated port is 1, path cost 0
Timers: message age 1, forward delay 0, hold 0
BPDU: sent 451, received 104
Root guard is enabled

2950 Switch

SW2#sh spanning-tree vlan 23

VLAN0023
Spanning tree enabled protocol ieee
Root ID Priority 24599
Address 0008.a3f7.0a00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24599 (priority 24576 sys-id-ext 23)
Address 0008.a3f7.0a00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 12 128.65 P2p
 
How did your default bridge priority change on your 2950? Default is 32768 and your 2950 has a priority of 24599. If you changed this manually then this will become the root switch.

When a switch that has ports with root guard enabled detects a new root, the ports will go into root-inconsistent state. It looks like your 2900XL did what it was supposed to and put its ports in root-inconsistent state. Then, when the switch no longer detects a new root, its ports will automatically go into the listening state.

I would change the priority on your 2950 back to its default, then lower the priority on your 2900XL forcing it back to being the original root. Then check to ensure that the 2900XL is in fact root before enabling root guard again.

M

 
I changed the default bridge priority by using the command "spanning-tree vlan 23 root primary". I did the changes which you mentioned and the 2900XL is now the root and root guard is enabled again. So you are telling me that the switch did exactly what it should have done?

 
The root bridge with root guard enabled will put the ports that see the superior BPDUs into a root-inconsistent state, which we see from your sho span vlan 23. When you tried making the 2950 root, the 2900XL saw the superior BPDUs, put its port into root-inconsistent state but still remained root for that vlan. On your 2950, it looks as if it remained root for that vlan, and forwarded out as it was supposed to. If any switches were then nested under the 2950, I suppose they would see that 2950 as root, but all other switches that would be connected directly to the 2900XL would still see the 2900XL as root. I would use root guard as a failsafe on your other ports that have users attached. If you design and implement your own network, then you will configure it properly so as to not introduce a switch until you are satisfied with any/all STP changes you are making. If you have access ports that are accessible to other users, they could bring in a switch that has superior root possibilities and introduce their switch, forcing STP to converge on that VLAN and forcing it as root. With your root guard enabled, any malicious user (or a user not knowing better) cannot force STP convergence. Am I making sense?
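The split-root condition the two posters are diagnosing (both switches claiming root for VLAN 23, with the 2900XL's trunk port in ROOT-INCONSISTENT and the 2950 running a non-default priority) can be checked mechanically from captured "show spanning-tree" output. The following is an added example, not code from the thread or from Cisco; its regular expressions assume the two output layouts exactly as pasted above (the 2900XL "Bridge Identifier" wording and the newer "Bridge ID / Address" layout), and the sample text is a constructed condensation of those two captures.

```python
import re

# Constructed samples: condensed from the two "show spanning-tree vlan 23"
# captures in the thread (SW1 = 2900XL, SW2 = 2950). Not live device output.
SW1_OUTPUT = """\
Spanning tree 23 is executing the IEEE compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0030.f2fd.4741
We are the root of the spanning tree
Interface Fa0/12 (port 1) in Spanning tree 23 is ROOT-INCONSISTENT
Root guard is enabled
"""
SW2_OUTPUT = """\
VLAN0023
Spanning tree enabled protocol ieee
Root ID Priority 24599
Address 0008.a3f7.0a00
This bridge is the root
Bridge ID Priority 24599 (priority 24576 sys-id-ext 23)
Address 0008.a3f7.0a00
"""

DEFAULT_PRIORITY = 32768  # IEEE default bridge priority referenced in the thread

def parse_stp(output):
    """Extract root claim, bridge priority/address and root-inconsistent ports
    from one switch's per-VLAN spanning-tree output (either layout above)."""
    claims_root = bool(re.search(r"We are the root|This bridge is the root", output))
    m = re.search(r"Bridge Identifier has priority (\d+), address ([0-9a-f.]+)", output)
    if m is None:  # newer layout: "Bridge ID Priority N ..." then an "Address" line
        m = re.search(r"Bridge ID\s+Priority (\d+).*?\n\s*Address ([0-9a-f.]+)",
                      output, re.S)
    priority, address = (int(m.group(1)), m.group(2)) if m else (None, None)
    ports = re.findall(r"Interface (\S+) .*? is ROOT-INCONSISTENT", output)
    return {"root": claims_root, "priority": priority,
            "address": address, "inconsistent_ports": ports}

def audit(outputs):
    """outputs: {switch_name: show-spanning-tree text}. Flags a split root
    (more than one switch claiming root), root-guarded ports held in
    ROOT-INCONSISTENT, and bridges running a priority below the default."""
    parsed = {name: parse_stp(text) for name, text in outputs.items()}
    roots = {n: p["address"] for n, p in parsed.items() if p["root"]}
    inconsistent = {n: p["inconsistent_ports"] for n, p in parsed.items()
                    if p["inconsistent_ports"]}
    lowered = {n: p["priority"] for n, p in parsed.items()
               if p["priority"] is not None and p["priority"] < DEFAULT_PRIORITY}
    return {"roots": roots, "split_root": len(roots) > 1,
            "inconsistent": inconsistent, "lowered_priority": lowered}
```

Running audit({"SW1": SW1_OUTPUT, "SW2": SW2_OUTPUT}) reproduces the thread's finding: two root claims, Fa0/12 root-inconsistent on SW1, and SW2 at priority 24599.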
 
You are making perfect sense. I now fully understand the concept of the root guard. Thank you for taking the time to reply to my comments.


 