PT LAB: Bringing up Nours small network – Protecting STP

Root Guard

In my network, core switch 2 is the primary root and core switch 1 is the secondary root. I want to prevent any other switch from advertising itself as the root. To achieve this, I will enable Root Guard on all the ports of the distribution layer switches that don't lead to the core switches.

dist_2(config)#int range fa 0/20 -21

dist_2(config-if-range)#spanning-tree guard root

 

core_2#show spanning-tree

VLAN0001

Spanning tree enabled protocol rstp

Root ID Priority 24577

Address 0002.1740.A017

This bridge is the root

 

dist_2#show spanning-tree inconsistentports

Name Interface Inconsistency

-------------------- -------------------- ------------------

Number of inconsistent ports (segments) in the system : 0

Now I will set the priority of one of the access layer switches to a lower value:

access_3(config)#spanning-tree vlan 1 priority 0

access_3#show spanning-tree vlan 1

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 1

Address 0000.0C75.6B76

This bridge is the root

Now, on the distribution switch:

dist_2(config-if)#e%SPANTREE-2-ROOTGUARDBLOCK: Port 0/20 tried to become non-designated in VLAN 1.

Moved to root-inconsistent state

dist_2#show spanning-tree inconsistentports

Name Interface Inconsistency

-------------------- -------------------- ------------------

VLAN0001 FastEthernet0/20 Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

 

BPDU Guard (Edge ports)

Enabled by default for all PortFast ports, it shuts down (err-disables) the port when a BPDU is received on that port.

access_1(config)#int fa 0/4

access_1(config-if)#switchport mode access

access_1(config-if)#switchport access vlan 10

access_1(config-if)#spanning-tree portfast

access_1(config-if)#spanning-tree bpduguard enable

Now, I connect a switch to this port:

access_1(config-if-range)#%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/4 with BPDU Guard enabled. Disabling port.

%PM-4-ERR_DISABLE: bpduguard error detected on 0/4, putting 0/4 in err-disable state

%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down

 

#show ip int bri

Interface IP-Address OK? Method Status Protocol

FastEthernet0/4 unassigned YES manual down down

-> The Loop Guard feature is not available in PT (Packet Tracer).
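
The Root Guard and BPDU Guard messages shown above are the events worth alerting on. As an added example (not part of the original post), this Python script pulls them out of captured console or syslog text, including a message glued to a CLI prompt as in the dist_2 output; the function names and the `default_host` parameter are assumptions of the example.

```python
import re

# Mnemonics exactly as they appear in the lab output on this page.
EVENTS = {
    "SPANTREE-2-ROOTGUARDBLOCK": "root_guard",
    "SPANTREE-2-BLOCK_BPDUGUARD": "bpdu_guard",
    "PM-4-ERR_DISABLE": "err_disable",
}
MSG_RE = re.compile(r"%(?P<tag>[A-Z_]+-(?P<sev>[0-7])-[A-Z_]+):\s*(?P<text>.*)")
# A message can be glued to a CLI prompt, e.g. "dist_2(config-if)#e%SPANTREE-..."
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?:\([\w-]+\))?[#>]")
PORT_RE = re.compile(r"\b(?:[Pp]ort|on)\s+(?P<port>[A-Za-z]*\d+(?:/\d+)+)")
VLAN_RE = re.compile(r"VLAN\s*0*(?P<vlan>\d+)")

# Lines copied from the page; the last two are link messages, not guard events.
SAMPLE = [
    "dist_2(config-if)#e%SPANTREE-2-ROOTGUARDBLOCK: Port 0/20 tried to become non-designated in VLAN 1.",
    "access_1(config-if-range)#%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/4 with BPDU Guard enabled. Disabling port.",
    "%PM-4-ERR_DISABLE: bpduguard error detected on 0/4, putting 0/4 in err-disable state",
    "%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down",
]


def parse_line(line, default_host=None):
    """Return a dict for an STP guard event, or None for any other line."""
    msg = MSG_RE.search(line)
    if not msg or msg["tag"] not in EVENTS:
        return None
    prompt = PROMPT_RE.match(line)  # hostname, if the message interrupted a prompt
    port = PORT_RE.search(msg["text"])
    vlan = VLAN_RE.search(msg["text"])
    return {
        "host": prompt["host"] if prompt else default_host,
        "event": EVENTS[msg["tag"]],
        "severity": int(msg["sev"]),
        # "FastEthernet0/4" and "0/4" name the same port: keep the numeric part
        "port": re.sub(r"^[A-Za-z]+", "", port["port"]) if port else None,
        "vlan": int(vlan["vlan"]) if vlan else None,
    }


def guard_events(lines, default_host=None):
    """Parse every line and keep only the guard events, in order."""
    return [e for e in (parse_line(l, default_host) for l in lines) if e]


if __name__ == "__main__":
    for event in guard_events(SAMPLE, default_host="access_1"):
        print(event)
```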
