Root Guard in Action

By Anthony Sequeira on October 13th, 2011

Many Layer 2 implementations these days have Cisco switches facing customers or partners, and there is a risk of inadvertent or malicious Spanning Tree topology manipulation. Remember from previous posts that STP will reconverge the topology based on the receipt of what we term superior BPDUs. The Root Guard feature guards a port or ports against such an occurrence by moving the port into a root inconsistent state (effectively disabled) upon receipt of one of these superior BPDUs.

How do you enable the feature? Notice below that I have moved to the designated ports on the root bridge and enabled Root Guard:

SW3(config)#int range fa0/19 - 24
SW3(config-if-range)#spanning-tree guard root
SW3(config-if-range)#end

Verification of the feature is immediate thanks to system messaging. For example:

00:38:23: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/20.

Now that we have the feature enabled, let us test it and see what happens. Notice that I will visit a connected device and have it send superior BPDUs to the root bridge (SW3):

SW4(config)#spanning-tree vlan 1 priority 0

This triggers a new system message on SW3:

1d19h: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/19 on VLAN0001.

We can see that the Root Guard feature has done its job! Now, in the event that you missed that console message, here is an excellent verification command for this feature:

SW3#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet0/19       Root Inconsistent
VLAN0001             FastEthernet0/20       Root Inconsistent
VLAN0001             FastEthernet0/21       Root Inconsistent
VLAN0001             FastEthernet0/22       Root Inconsistent
VLAN0001             FastEthernet0/23       Root Inconsistent
VLAN0001             FastEthernet0/24       Root Inconsistent
Number of inconsistent ports (segments) in the system : 6

Removing the priority command from SW4 causes an automatic reversal of the blocking behaviour on the root bridge, as seen below:

1d19h: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/23 on VLAN0001.
SW3#show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
Number of inconsistent ports (segments) in the system : 0
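As an added example (not part of the original post or of IOS itself), the following Python script models the two things shown above: the superior-BPDU comparison that trips Root Guard, and a replay of the ROOTGUARD_BLOCK/UNBLOCK syslog messages into the per-VLAN list of root-inconsistent ports that `show spanning-tree inconsistentports` reports. The sample log lines and MAC addresses are constructed from the messages quoted in this post.

```python
import re
from typing import Dict, Iterable, Set, Tuple

# Matches the IOS Root Guard syslog messages quoted in this post, e.g.
# "1d19h: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/19 on VLAN0001."
ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<action>BLOCK|UNBLOCK): Root guard "
    r"(?:blocking|unblocking) port (?P<port>\S+) on (?P<vlan>VLAN\d+)\."
)

def is_superior(received: Tuple[int, str], current: Tuple[int, str]) -> bool:
    """True when a received BPDU advertises a lower root bridge ID than the one
    this switch currently believes in: (priority, MAC), lower priority wins and
    the MAC breaks ties. Pass the on-the-wire priority; with extended system
    IDs, IOS adds the VLAN number, so 'priority 0' on VLAN 1 is carried as 1."""
    def key(bid: Tuple[int, str]) -> Tuple[int, int]:
        prio, mac = bid
        return prio, int(mac.replace(".", "").replace(":", ""), 16)
    return key(received) < key(current)

def inconsistent_ports(log_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Replay ROOTGUARD_BLOCK/UNBLOCK messages in order and return the ports
    still root-inconsistent per VLAN, i.e. what 'show spanning-tree
    inconsistentports' would list after those messages."""
    state: Dict[str, Set[str]] = {}
    for line in log_lines:
        m = ROOTGUARD_RE.search(line)
        if m is None:
            continue  # CONFIG_CHANGE and unrelated messages are ignored
        ports = state.setdefault(m["vlan"], set())
        if m["action"] == "BLOCK":
            ports.add(m["port"])
        else:
            ports.discard(m["port"])
    return {vlan: ports for vlan, ports in state.items() if ports}

def inconsistent_count(log_lines: Iterable[str]) -> int:
    """The 'Number of inconsistent ports (segments)' total for the replayed log."""
    return sum(len(p) for p in inconsistent_ports(log_lines).values())

# Constructed sample log: the enable message, six BLOCKs like those in the post
# (fa0/19-24), then the UNBLOCK for fa0/23 once SW4 stops sending superior BPDUs.
SAMPLE_LOG = [
    "00:38:23: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/20.",
] + [
    f"1d19h: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/{n} on VLAN0001."
    for n in range(19, 25)
] + [
    "1d19h: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/23 on VLAN0001.",
]
```

Feeding a switch's syslog stream through `inconsistent_ports` gives an out-of-band view of which ports Root Guard has disabled, so a block that never clears can be alerted on rather than noticed only at the console.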

We hope you will be joining us here at blog.ipexpert.com when we examine more Layer 2 features in great detail.

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
