SW4 should never be root bridge

I have 4 switches, SW1-SW2-SW3-SW4, and they are interconnected through trunk links; it doesn't matter how. I have been given a task in a workbook lab: what config do I do on the other switches so that SW4 would never be elected as root bridge in any case, if any of these switches is running? That means you can do the config on SW1, SW2, SW3.

Apart from priority, if anyone can suggest something, let me know. Root guard I tried, but it's not working in case SW4 has a lower priority configured.

Comments

  • The default priority should be 32768 and since you cannot change SW4 it should be using that number. On all of the other switches you could either use "spanning-tree priority 15000" (or any number lower than 32768), or you could use "spanning-tree vlan 1-10 root primary" (This makes the switch primary for vlan 1-10, you can change this as you like)

  • What if I don't want to use any priority thing for this task, do you think there is any solution?

  • Manually prune the VLAN on all SW4 trunks, which deletes the instance on SW4 for that VLAN.

  • Here I am not talking about any particular VLAN; it is for the switch: if in future any VLAN is added, it should not be root. And how are you saying pruning will help? Can you brief me?

  • fragilemohi,

    Without adjusting priority, you will probably end up with your oldest switch as the root bridge - the lowest MAC address wins with the default priorities.

    If you adjust the priority of the switch you want to be root primary, and optionally of the switch you want to be root secondary, any other switch you deploy in the same spanning-tree domain with default priority will not become root.

    Root-Guard can also be used to prevent another switch from becoming root.

    Pruning could be used to prevent a switch with no ports in a particular VLAN from becoming root for that VLAN, but would not be useful if the switch had ports in that VLAN.

  • Yeah, I think the issue here is how to make SW4 a non-root switch without modifying the priority. One way would be, as Darrel said, to configure the other switches with higher priority.

    I don't know about using root guard; it would indeed make SW4 a non-root, but it would also block the ports connected to SW4 :S

  • Enabling UplinkFast on SW4 will increase its priority enough to not allow it to become root bridge.

  • I think you have skipped my question ... I hope you read that ... let me know.

    Thanks for the reply.

  • All possible answers are given, so unless you give another specific requirement I don't see how anyone can help.

    If you want to make sure SW4 is not root but you can't touch it, then you need to adjust other switches.

  • I was just hoping there is some other method to do this task. This is what I was given by one of my friends when we were preparing.

  • I think the requirement here is:

    SW4 should not become root for any VLAN. This should occur without changing the switch priority.

    What about if we turn off STP on all VLANs: "no spanning-tree vlan 1-4094"

  • I would surround SW4 with spanning-tree root guard. In other words, if SW4 has connections to SW1, SW2 and SW3, I would enable root guard on SW1-SW4, SW2-SW4 and SW3-SW4 links.

  • Root Guard will prevent SW4 from becoming root. In case SW4 becomes root, it will put the ports connecting to the other switches in root-inconsistent state, and so SW4 will lose connection to the network.

    I have tried Root Guard in a home lab and enabled it on the SW1, 2, 3 links connecting to SW4, but in the case where SW4 is already root (maybe with a configured lower priority or lower MAC address) it loses the connection to the network. In this case root guard is not a solution.

    Is there any other solution than disabling STP?

  • Hello, you can configure bpdufilter on each side; hence SW4 will still have connectivity but can't be root, since it does not receive or send BPDUs.

  • Hi,

    First configure SW1 to be the root and SW2 to become backup root (secondary):

    SW1:
    SW1#conf ter
    SW1(config)#spanning-tree vlan 1-1005 root primary

    SW2:
    SW2#conf ter
    SW2(config)#spanning-tree vlan 1-1005 root secondary

    Second, make sure that SW4, SW3, SW2 agree on SW1 becoming the root by:

    1st: check the BID of SW1:

    SW1:
    SW1#show spanning-tree root

    2nd: go to SW2, SW3, SW4 and check that SW1 is the root for all VLANs:

    SW2,SW3,SW4:
    SW2,3,4#show spanning-tree root

    3rd: go to SW1, SW2 and configure root guard on the ports connected to SW3, SW4:

    SW1,SW2:
    conf ter
    inter range fa(link to SW3)
     spanning-tree guard root
    ! you should see this msg:
    %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet?? on VLAN0001
    exit
    inter range fa(link to SW4)
     spanning-tree guard root
    ! you should see this msg:
    %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet?? on VLAN0001
    exit

    Test it by lowering SW4 priority; what would happen is something like this on either SW1 or SW2:

    %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet?? on VLAN0001.

    Here is the link, hope you find it useful.

    http://www.informit.com/library/content.aspx?b=CCNP_Studies_Switching&seqNum=35

  • So Root Guard is not the solution in this case, as we want SW4 to stay connected to the network. What are the options we have now to make sure SW4 doesn't become root for any VLAN without changing switch priority?

    Should we disable STP or enable UplinkFast on SW4?

  • 1- The thing is, SW4 will lose its connectivity to the network only after you test the config by manually lowering SW4's priority (only for testing PURPOSE), and this will lead SW4 to lose its connection to the network temporarily because it is an automated process. Once SW4 is no longer a root (returns back to its original priority 32768) the connection will be restored and you will get a msg like this:

    %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet?? on VLAN0001.

    2- And you've already made sure that SW4 is NOT the root by manually configuring SW1, SW2 as roots for the network, and the Root Guard feature is only to prevent SW4 from becoming the root in case someone goes to SW4 and changes its priority.

    3- But in the case that SW4 is the root in the first place, "the root guard feature" will protect SW4 from losing its role.

    4- UplinkFast is a feature that finds another best path to the root with fast convergence in case the primary path fails.

    5- Finally, try the config I've posted and give me your feedback.
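
An added example, not part of the original post: replaying the ROOTGUARD_BLOCK / ROOTGUARD_UNBLOCK messages quoted above to find ports that are still root-inconsistent. The log lines, the hostname field in front of each message, the port names and the `replay` helper are constructed for illustration.

```python
import re
from collections import Counter

# Matches the two message texts quoted in the thread; the leading hostname
# field is an assumption about how the log collector formats each line.
EVENT = re.compile(
    r"(?P<host>\S+) %SPANTREE-2-ROOTGUARD_(?P<kind>BLOCK|UNBLOCK): "
    r"Root guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)")

def replay(lines):
    """Return (ports still root-inconsistent, number of BLOCK events per port)."""
    blocked, hits = set(), Counter()
    for line in lines:
        m = EVENT.search(line)
        if m is None:
            continue                      # unrelated syslog line
        key = (m["host"], m["port"], m["vlan"])
        if m["kind"] == "BLOCK":
            blocked.add(key)              # superior BPDU arrived on a guarded port
            hits[key] += 1
        else:
            blocked.discard(key)          # BPDUs are inferior again, port recovered
    return blocked, hits

# Constructed sample: SW4's priority is lowered, restored, then lowered again.
SAMPLE = [
    "Mar  1 00:10:02 SW1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.",
    "Mar  1 00:10:02 SW2 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.",
    "Mar  1 00:10:05 SW1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "Mar  1 00:12:40 SW1 %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.",
    "Mar  1 00:12:41 SW2 %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.",
    "Mar  1 00:20:13 SW1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.",
]

if __name__ == "__main__":
    still_blocked, hits = replay(SAMPLE)
    for host, port, vlan in sorted(still_blocked):
        print(f"{host} {port} {vlan}: root-inconsistent ({hits[(host, port, vlan)]} block events)")
```

A port that stays in the returned set means the neighbour on that link is still advertising a better Bridge ID than the current root.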

     

  • I have done the same config that you posted in the lab for testing. All results were the same as you are explaining. But in case 3, where SW4 is the ROOT in the first place (with default configurations), when I configure root guard on the SW1, 2, 3 links connecting to SW4, SW4 will lose connectivity to the network. So in this case what needs to be done to make sure that SW4 doesn't become root and at the same time has connectivity to the network? This needs to be done without changing switch priority.

  • If you found that SW4 is the root with default configs, what you need to do is simply take the role away from SW4 and give it to either SW1 or SW2, and then protect them with root guard. This will make sure that SW4 will never ever become the ROOT again. I think this is the only way without changing switch priority.

  • You mean after making SW1 or SW2 root, putting the guard-root command on the root switch on the trunk links between SW1-SW4 and SW2-SW4?

    A good link which recommends such a config:

    http://www.informit.com/library/content.aspx?b=CCNP_Studies_Switching&seqNum=35

  • Configure guard root on the links between SW1-->SW4 (at SW1's side), SW2-->SW4 (at SW2's side) and SW3-->SW4 (at SW3's side).

  • Dear,

    I tried it so many times and it doesn't work with root guard on SW1 and SW2 to prevent SW4 from becoming root.

    The only way, I think, is to configure uplinkfast on SW4 [:)]

  • The standard STP does not provide any means for enforcing a Layer 2 (switched) topology.  We can influence which switch is selected by manipulating the Bridge ID (priority + VLAN and MAC address).  If the priority + VLAN are the same on two switches, the device with the lowest MAC address is selected.

    Because of this extreme limitation, Cisco developed several STP enhancements, namely Uplinkfast, BPDU Guard, and Root Guard.

     

    Uplinkfast decreases the time it takes to elect a new Root Port (a port that leads to the Root Switch), meaning that the switch that it's configured on will have multiple paths to the elected Root Bridge.  It will take a backup port (one that is in the blocking state) and transition it to the forwarding state, making it a new root port (port that leads to the Root Bridge).  It will do nothing to prevent the switch from being elected the Root Switch.

    BPDU Guard is configured on the designated ports of upstream switches, and will disable any PortFast enabled interface upon receipt of a BPDU.  If PortFast is not enabled on the interface, nothing will happen when a BPDU is received.  BPDU Guard is not recommended on links that have connections to multiple switches, as any BPDU received, even if it originated from a downstream switch and not the directly connected switch, will disable the port.  While you can enable PortFast on trunk ports, it's definitely not recommended.

    Root Guard is also configured on designated ports, but only looks for superior BPDUs (ones with a lower Bridge ID).  When one is received it will transition the port to a Root-Inconsistent state, and blocks the port until inferior BPDUs (ones with a higher Bridge ID) are received at which point it will return the port to a forwarding state.


    This means that Uplinkfast and BPDU Guard are not appropriate for this topology -- Uplinkfast won't prevent a switch from becoming root, and BPDU Guard would filter BPDUs that come in from any other switch (i.e., Switch 2 -> Switch 4 -> Switch 3).



    You could disable STP altogether on the switch, if it is allowed.  If they have you configure any other STP features on Switch 4, you can probably rule this out.  If they don't, I would check with the proctor to see if this is acceptable.



    To me, it is a matter of what the task asks -- if it says "Switch 4 should never be the Root Bridge," then I would take that as "it can be selected as the Root Bridge, but if it does, it cannot be used," so I would use Root Guard on every Designated Port that Switch 4 connects to.  If the task says, "Switch 4 can never be elected the Root Bridge," I would take that as, "even attempting to be the Root Bridge is unacceptable," and turn off Spanning Tree entirely.

     

  • This seems to be a correct idea. As both said, make SW1-3 with better priority and use root guard on these ports on the connection between them and SW4.
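
The Bridge ID comparison and Root Guard behaviour discussed in the comments above, as an added Python example that is not part of any poster's comment. It models a single VLAN and ignores the extended system ID; the MAC addresses and the `simulate` and `with_priority` helpers are constructed, and 24576 / 28672 are the values `root primary` / `root secondary` set when the current root is at the default 32768.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # constructed MAC address
    priority: int = 32768    # default bridge priority

    @property
    def bid(self):
        # Bridge ID compares priority first, then MAC; the lower value is better.
        return (self.priority, int(self.mac.replace(":", ""), 16))

def elect_root(bridges):
    return min(bridges, key=lambda b: b.bid)

def simulate(bridges, suspect="SW4", root_guard=True):
    """Return (root seen by the other switches, state of their ports facing `suspect`)."""
    if not root_guard:
        return elect_root(bridges).name, "forwarding"
    core_root = elect_root([b for b in bridges if b.name != suspect])
    sw = next(b for b in bridges if b.name == suspect)
    # Root Guard: a superior BPDU (lower Bridge ID) arriving on a guarded port
    # puts that port into root-inconsistent state until the BPDUs turn inferior.
    if sw.bid < core_root.bid:
        return core_root.name, "root-inconsistent"
    return core_root.name, "forwarding"

def with_priority(bridges, **prio):
    # Copy of the lab with the given per-switch priorities applied.
    return [replace(b, priority=prio.get(b.name, b.priority)) for b in bridges]

# Constructed lab: SW4 has the lowest MAC, so it wins with default priorities.
LAB = [Bridge("SW1", "00:1a:00:00:00:01"), Bridge("SW2", "00:1b:00:00:00:02"),
       Bridge("SW3", "00:1c:00:00:00:03"), Bridge("SW4", "00:0a:00:00:00:04")]

if __name__ == "__main__":
    tuned = with_priority(LAB, SW1=24576, SW2=28672)    # root primary / secondary
    print(simulate(LAB, root_guard=False))              # all defaults, no guard
    print(simulate(LAB))                                # all defaults, guard only
    print(simulate(tuned))                              # SW1/SW2 tuned, SW4 default
    print(simulate(with_priority(tuned, SW4=4096)))     # SW4 priority lowered later
```

The second case is the one reported in the thread: with every switch at default priority and SW4 holding the lowest MAC, Root Guard alone keeps SW4 from being root for the others only by blocking the links to it.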

  • Ok, I think we need to DEFINE exactly what you are attempting to achieve. I think the answer to this is within the requirements needed for the task. As your answer form anything you are going to do is all in this thread. I haven't seen anything in my eyes that looks like a wrong answer. Everyone's answered the question with the right information to manipulate the root value for SW4. The requirements, I feel, need to be more clearly defined. When you say you cannot change the priorities, is it that you cannot change the priorities on SW4? Or is it that you cannot change them on all switches? Let's truly define our requirements and constraints clearly. Otherwise we are just stabbing at it with guesses as to what you are trying to achieve.

    My opinion: you cannot change priority on SW4; this doesn't mean SW1-3 cannot be adjusted. It just means SW4 cannot be changed. In which case you need to adjust SW1-3 to be root. Apply guard-root on links from SW1-3 to SW4.

  • What are the valid options if the task says "make sure SW4 BECOME root for any VLAN without changing the switch priority"? I don't think we can use the root primary command on SW4, as the task says don't change switch priority?

  • Well again, where is it saying you cannot change the priority? If you are told you cannot change the priority of SW4, you can again go to all other switches and manipulate them from their points. Then once SW4 is root apply guard-root.

    To myself, granted I say myself here because it's how I perceive the information, the line "make sure SW4 BECOME root for any VLAN without changing the switch priority" is telling me I cannot change the priority value of SW4. It doesn't say anything about SW1-3. It doesn't say without changing ANY switch priority (because aside from not having STP you aren't going to get there). It says without changing THE switch priority, meaning switch 1-3 is open for business; just leave SW4 priority alone.

  • understood. but what if task says,

    " make sure SW4 BECOME root for ALL VLAN without changing ANY switch priority"? what are the valid options?

  • Unplug it and walk away shaking your head while crying. :)

     

    Because you aren't going to be doing it that I know of, anyhow. The only other thing I can think to do would be to use bpdu filters. Manually set vlans and call it a day. But I'm not sure that would really get you where you want.
