added BPDU guard
72
21. Root Guard (STP Toolkit).md
Normal file
@@ -0,0 +1,72 @@
---
id: 1779981231-AJMV
aliases:
- Root Guard (STP Toolkit)
tags: []
---

# Root Guard (STP Toolkit)

STP prevents loops by electing a root bridge and ensuring that each other switch has only *one valid path* to reach it.

YOu shouldn't randomly select the root bridge. Some things you should consider include:
- Optimal traffic flow
- minimize latency
- minimize congestion
- Stability and reliability

## The Problem

Within your own [[LAN]], you can easily control the root brdige by setting its priority to 0.
- But there are cases where you might connect your LAN to other switches outside of your direct control:
- A service provider offering Metro Ethernet service to customers
- Often used to connect sites within a [[MAN]]
- Even if you set your root bridge's priority to 0, its role can be taken by another switch with a lower
[[MAC address]] .

## The solution

- *Root Guard* can be configured to protect your [[STP]] topology by preventing your switches from
accepting superior [[BPDU]]s from switches outside of your control.
- Superior BPDUs = a BPDU that is superior in the STP algorith (e.g Claiming a better root bridge ID).
If you want to ensure that the root bridge rmains in your [[LAN]], you can configure Root Guard on the ports connected
to switches outside of your control

To enable root Guard on a port

```Cisco
SW1(config-if) spanning-tree guard root
```

There is no command to enable it by default from global config mode

If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state
effectively disabling it
- The port will not able to forward data frames and will discard any frames it receives.

To re-enable a port disabled by Root Guard, you must solve the issue that disabled the port
- the disabled port must stop receiving superior BDPUs.
- tell the customer to increase the priority value of their switch.

Once teh superior BPDUs received age out, the ports will automatically be re-enabled.
- A BPDU's Max Age is 20 seconds by default.

To see the Root guard

```Cisco
SW1(config-if)# do show spanning-tree

## if it's broken
Gi0/1 Desg BKN*4 128.3 P2p *ROOT_Inc

BKN = Broken
ROOT_Inc = Root inconsistent

## if it's Work
Gi0/1 Desg FWD 4 128.3 P2p
```

## Review

Prevents a port from becoming a Root Port by disabling it if superior BPDUs are received,
Thereby enforcing the current [[Root Bridge]]
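Review bot: The line "If a Root Guard-enabled port receives a BPDU, it will enter the *Broken* (Root inconsistent) state" states the trigger too broadly; Root Guard reacts only to superior BPDUs, which is what the file itself says later ("the disabled port must stop receiving superior BDPUs" and the Review section's "if superior BPDUs are received"), so this should read "receives a superior BPDU". Smaller points in the same hunk: the first config example `SW1(config-if) spanning-tree guard root` is missing the `#` prompt character that the second example uses; the second fenced block wraps the `## if it's broken` and `## if it's Work` headings inside the code fence, so they will render as literal text rather than headings (move them outside the fence or turn them into comments); the commit message says "added BPDU guard" while the file documents Root Guard and never mentions BPDU Guard; and there are typos in "YOu", "brdige", "algorith", "rmains", "teh" and "BDPUs".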