From fd0887a6838e67572397e9a135256baccbd5f966 Mon Sep 17 00:00:00 2001 From: shango-wk Date: Thu, 28 May 2026 18:07:53 +0200 Subject: [PATCH] added BPDU guard --- 00. Jeremy's IT LAB CCNA course.md | 1 + 21. Root Guard (STP Toolkit).md | 72 ++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 21. Root Guard (STP Toolkit).md diff --git a/00. Jeremy's IT LAB CCNA course.md b/00. Jeremy's IT LAB CCNA course.md index 71ef95e..a827c1a 100644 --- a/00. Jeremy's IT LAB CCNA course.md +++ b/00. Jeremy's IT LAB CCNA course.md @@ -33,3 +33,4 @@ tags: [[Protocole Spanning Tree (part2)]] [[PortFast (STP Toolkit)]] [[BPDU Guard & BPDU Filter (STP Toolkit)]] +[[Root Guard (STP Toolkit)]] diff --git a/21. Root Guard (STP Toolkit).md b/21. Root Guard (STP Toolkit).md new file mode 100644 index 0000000..0f9f4ce --- /dev/null +++ b/21. Root Guard (STP Toolkit).md 
@@ -0,0 +1,72 @@ +--- +id: 1779981231-AJMV +aliases: + - Root Guard (STP Toolkit) +tags: [] +--- + +# Root Guard (STP Toolkit) + +STP prevents loops by electing a root bridge and ensuring that each other switch has only *one valid path* to reach it. + +YOu shouldn't randomly select the root bridge. Some things you should consider include: +- Optimal traffic flow + - minimize latency + - minimize congestion +- Stability and reliability + +## The Problem + +Within your own [[LAN]], you can easily control the root brdige by setting its priority to 0. +- But there are cases where you might connect your LAN to other switches outside of your direct control: + - A service provider offering Metro Ethernet service to customers + - Often used to connect sites within a [[MAN]] +- Even if you set your root bridge's priority to 0, its role can be taken by another switch with a lower + [[MAC address]] . + +## The solution + +- *Root Guard* can be configured to protect your [[STP]] topology by preventing your switches from + accepting superior [[BPDU]]s from switches outside of your control. + - Superior BPDUs = a BPDU that is superior in the STP algorith (e.g Claiming a better root bridge ID). +If you want to ensure that the root bridge rmains in your [[LAN]], you can configure Root Guard on the ports connected +to switches outside of your control + +To enable root Guard on a port + +```Cisco +SW1(config-if) spanning-tree guard root +``` + +There is no command to enable it by default from global config mode + +If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state +effectively disabling it +- The port will not able to forward data frames and will discard any frames it receives. + +To re-enable a port disabled by Root Guard, you must solve the issue that disabled the port + - the disabled port must stop receiving superior BDPUs. + - tell the customer to increase the priority value of their switch. 
+ +Once teh superior BPDUs received age out, the ports will automatically be re-enabled. + - A BPDU's Max Age is 20 seconds by default. + +To see the Root guard + +```Cisco +SW1(config-if)# do show spanning-tree + +## if it's broken +Gi0/1 Desg BKN*4 128.3 P2p *ROOT_Inc + +BKN = Broken +ROOT_Inc = Root inconsistent + +## if it's Work +Gi0/1 Desg FWD 4 128.3 P2p +``` + +## Review + + Prevents a port from becoming a Root Port by disabling it if superior BPDUs are received, +Thereby enforcing the current [[Root Bridge]]
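Review bot: the commit subject `added BPDU guard` does not match this patch; the only line added to `00. Jeremy's IT LAB CCNA course.md` is the wikilink `[[Root Guard (STP Toolkit)]]`, and the BPDU Guard note (`[[BPDU Guard & BPDU Filter (STP Toolkit)]]`) is already linked on the preceding context line. Suggest retitling the commit to `added Root Guard` so the history is searchable by the note it actually introduces.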
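Review bot: in the new file `21. Root Guard (STP Toolkit).md`, the sentence `If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state` is wrong as written and contradicts the rest of the note: Root Guard only reacts to *superior* BPDUs (the note itself says the feature prevents `accepting superior [[BPDU]]s` and that recovery requires the port to `stop receiving superior BDPUs`), while ordinary inferior BPDUs leave the port Designated and forwarding. Suggest `If a Root Guard-enabled port receives a superior BPDU, ...`, since the difference is the whole point of the feature. Smaller points in the same hunk: the config prompt `SW1(config-if) spanning-tree guard root` is missing the `#` that the later `SW1(config-if)# do show spanning-tree` line uses; the claim that a priority-0 root can lose to `another switch with a lower [[MAC address]]` should say that this happens only when the other switch also uses priority 0 (the MAC address is the tie-breaker, not a stronger criterion); `will not able to forward` should be `will not be able to forward`; and the typos `YOu`, `brdige`, `algorith`, `rmains`, `teh`, `BDPUs`, `if it's Work` should be fixed before merge. The frontmatter also leaves `tags: []` empty even though the index file this note is linked from carries tags.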