Sunday, August 30, 2009

STP Root Guard

Well, using the same topology as before, I configured DLS 1 to be the root switch for vlans 1 and 100, while being the secondary for vlan 200.
dls1(config)#spanning-tree vlan 1,100 root primary
dls1(config)#spanning-tree vlan 200 root secondary

I essentially did the same thing, except opposite on DLS2, making it the root for 200, and the secondary root for 1 and 100.   This gives some consistency in the network, allowing the admin to really control what is happening with the elections.  This primarily gives each switch a value based on the current roots priority.
When you enter this command, the switch checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN.  If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. --> From

I then, just for fun, was playing with root guard.  This again is a feature to protect from rouge switches being placed on the network, and taking over root bridge responsibilities if they have a lower priority number.  Essentially if a bpdu is received on a port with this feature, it will be placed in the root inconsistent state.  Look what happened when I configured it on the port channel connecting DLS1 and DLS2:
dsl2(config-if)#spanning-tree guard root
*Mar  1 00:28:31.159: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Port-channel1.
*Mar  1 00:28:31.163: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Port-channel1 on VLAN0001.
*Mar  1 00:28:40.831: %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
*Mar  1 00:28:40.879: %HSRP-5-STATECHANGE: Vlan1 Grp 1 state Standby -> Active

Whoa!  Blocked the port, and forced an HSRP statechange.  Now, the port stayed blocked, but DLS 1 took its active HSRP priority back over (Remember this was a redundant switching topology!)  It just took a little bit.  Around 1 minute. 

I think that I have talked about this before...but admins can also enable bpdu guard on ports with portfast enabled.  Because bpdu's are NOT expected to be heard on ports with portfast enabled, why not ensure that if bpdu's are received, that the switchport be shut down?  Do you really want switches plugged in where your not expecting them?  Not me!  Enable it globally on all portfast ports by typing:

dsl2(config)#spanning-tree portfast bpduguard default
*Mar  1 00:44:40.051: %SYS-5-CONFIG_I: Configured from console by console
dsl2#sh spanning summary
Switch is in pvst mode
Root bridge for: VLAN0200
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

No comments:

Post a Comment