What You’ll Learn

• Why it is important to ensure a stable root bridge in the network
• How the root guard feature provides stability and security to a spanning-tree network
• How to enable root guard and verify its functionality

What You’ll Need

• Access to a Cisco Modeling Labs (CML) system to run the provided topology
  • If you don’t have access to a Cisco Modeling Labs server, you can reserve and use a DevNet Cisco Modeling Labs Sandbox
• The spanning-tree-root-guard network topology for Cisco Modeling Labs

1. Log into your Cisco Modeling Labs server web interface and click the IMPORT button.

2. Browse to find the network topology spanning-tree-root-guard.yaml file downloaded for this lab. IMPORT it into the system, and then click GO TO LAB.

3. From the SIMULATE panel below the topology, click the START LAB button.

Note: Be sure that you do not have any switches in the topology selected or you’ll only start that one node.

4. Wait for all nodes to get green check marks indicating they are started. This can take 1 to 5 minutes, depending on the Cisco Modeling Labs server’s load.

We will be entering commands into the console for network devices and nodes throughout this lab. Follow these steps to access the console for any node in the topology.

1. Select the node whose console you need to interact with. From the CONSOLE panel below the topology, click the OPEN CONSOLE button.

2. Click within the console window and press Enter to activate the terminal and begin interacting with the console.

3. Type commands into the window, or copy and paste into the terminal.

Before we connect the bad-root switch to the topology, we will look at the starting spanning-tree state.

1. Access the console for the root switch and enter the command show spanning-tree to view the current state.

root>show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
            Address     5254.001c.e0ef
            This bridge is the root
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16385  (priority 16384 sys-id-ext 1)
            Address     5254.001c.e0ef
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
            Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p

Note: The values for Address in your output will likely differ from the lab example. This address is based on the MAC addresses assigned by Cisco Modeling Labs when the lab nodes were started.

2. Notice the statement This bridge is the root in the output. As expected, the root switch is currently the root for the spanning tree.

3. Now access the console for the switch-1 switch and enter the command show spanning-tree to view the current state on another switch.

switch-1>show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
            Address     5254.001c.e0ef
            Cost        4
            Port        2 (GigabitEthernet0/1)
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
            Address     5254.001f.cb42
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
            Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.2    P2p
Gi0/2               Altn BLK 4         128.3    P2p

4. Notice how the address and priority listed for the root is the same as we saw on the root switch. This shows that switch-1 also considers root to be the spanning-tree root.

5. Look at the Role assigned to each of the interfaces on switch-01.

6. Interface Gi0/1 has the Root role and is actively forwarding (State of FWD). This is to be expected because it is directly connected to the root switch port Gi0/1.

7. Interface Gi0/2 has the Altn (Alternate) role and is currently blocking (State of BLK).

   • It is by blocking traffic on Gi0/2 on switch-1 that spanning tree prevents any bridging loops from occurring.
   • However, the port is also identified as an Alternate root port should Gi0/1 stop working correctly. Ports identified as Alternate can immediately become active to limit network disruption when a link in the network goes down.

Note: If interface Gi0/2 on switch-1 shows a role of Desg and a state of forwarding, check switch-2. The election of the designated port on a link depends on factors that could prefer switch-2 in your lab instance. This election process is out of scope for this tutorial.

Why This Matters

Users and network administrators both desire and expect a stable and well-performing network. One aspect of such a network is that the root bridge in the spanning-tree network is well placed to provide the most efficient path through the network. A second aspect is that the root bridge doesn’t change often (preferably ever).

When a new root bridge is elected in a network, every switch in the network must redetermine which of their ports is the “root port” and then determine which interfaces are the forwarding “designated port” on links. While this process is occurring, links are put into a “blocking” state, preventing network communications. This is disruptive to users and even with “rapid” spanning tree can be noticeable to users and applications.

In this step, we will simulate the situation where a new switch is connected to the network by adding links in Cisco Modeling Labs from bad-root to switch-1 and switch-2.

Creating Interface Links in Cisco Modeling Labs

Note: In versions of Cisco Modeling Labs before 2.4, interface links were created by clicking and holding the button while dragging from one link icon on a node to another node. These instructions are for Cisco Modeling Labs 2.4+, where holding the button and dragging is no longer used.

1. Hover your mouse over switch-1 and click the blue “link” section of the circular node overlay.

2. Move your mouse over the top of bad-root and click it.

3. In the source/target interfaces dialog, be sure to select the correct interfaces for each side of the link.

4. Repeat the above for the switch-2 -> bad-root link.

Activating the Interfaces on the Switches

Complete the addition of bad-root to the network by enabling the connected interfaces on switch-1 and switch-2.

5. Access the console for switch-1 and configure interface Gi0/3 with no shutdown.

switch-1>
switch-1>en
switch-1#config terminal

Enter configuration commands, one per line.  End with CNTL/Z.
switch-1(config)#interface GigabitEthernet 0/3
switch-1(config-if)#no shut
switch-1(config-if)#end
switch-1#

*Oct 24 14:30:25.157: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
*Oct 24 14:30:26.157: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up

6. Repeat on switch-2.

switch-2>
switch-2>en
switch-2#config terminal

Enter configuration commands, one per line.  End with CNTL/Z.
switch-2(config)#interface GigabitEthernet 0/3
switch-2(config-if)#no shut
switch-2(config-if)#end
switch-2#

*Oct 24 14:31:56.146: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
*Oct 24 14:31:57.146: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up

Now that bad-root has been connected to the network, let’s explore what changed in the network state.

Checking on the root Switch

1. Access the console for the root switch and enter the command show spanning-tree to view the current state.

root>show spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID    Priority    4097
            Address     5254.000b.ef22
            Cost        8
            Port        3 (GigabitEthernet0/2)
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    16385  (priority 16384 sys-id-ext 1)
            Address     5254.001c.e0ef
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
            Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Altn BLK 4         128.2    P2p
Gi0/2               Root FWD 4         128.3    P2p

2. Notice that there is no This bridge is the root in the output anymore. Also, the priority of the Root ID is now 4097, a lower value than the configured priority of 16385 on our intended root switch.

Note: The final priority value for a spanning-tree bridge is the configured priority + the VLAN ID number.

3. Look at the interfaces and their roles.
   • GigabitEthernet 0/2 is the Root port on the root switch. Our intended root should have no root ports at all. All ports should be designated ports.
   • GigabitEtherent 0/1 is not even forwarding traffic because it has the “Alternate” role.

Note: Your output might be slightly different regarding which ports are Root and Altn based on the MAC addresses assigned to the switches by your Cisco Modeling Labs server.

Checking on switch-1

4. Access the console for the switch-1 switch and enter the command show spanning-tree to view the current state on another switch.

switch-1>show spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID    Priority    4097
            Address     5254.000b.ef22
            Cost        4
            Port        4 (GigabitEthernet0/3)
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
            Address     5254.001f.cb42
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
            Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Altn BLK 4         128.3    P2p
Gi0/3               Root FWD 4         128.4    P2p

5. Notice that switch-1 also shows a change in the Root ID for the network, and it matches what was seen on root.
6. Interface GigabitEthernet0/3 is now the Root port for switch-1.

Why This Matters

If you are fast enough in running show spanning-tree after enabling the interfaces, you may catch the election process while it is running and see interfaces on each switch with a state of BLK, during which traffic in the network would be disrupted.

And this disruption will happen any time this new edge switch is connected or removed from the network. A switch intended to be at the edge of the network has less operational expectations than a core or distribution switch. Engineers may disconnect, reboot, or make changes on such a switch without the same level of checks and verifications as the switch that is expected to be the root bridge for the network.

We’ve now seen the problem connecting a switch to the network can cause if the switch has a bad spanning-tree configuration applied. Now let’s see how the root guard feature can prevent the problem.

Consider the notes on the topology above. The intended design for the network is that the directly connected ports from switch-1 and switch-2 would be the “root port.” The link connecting switch-1 and switch-2 together provide an “alternate” path to root should the primary links go down. However, the links going toward bad-root should never become root ports. These interfaces on the switches connect toward the “edge” of the network.

It is on these “edge” ports where we can enable root guard to prevent a disruption to the spanning-tree network.

1. Access the console for switch-1 and enable spanning-tree guard root on interface GigabitEthernet 0/3.

switch-1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

switch-1(config)#
switch-1(config)#interface GigabitEthernet 0/3
switch-1(config-if)#spanning-tree guard root

2. Repeat this configuration on switch-2.

switch-2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

switch-2(config)#
switch-2(config)#interface GigabitEthernet 0/3
switch-2(config-if)#spanning-tree guard root

3. You will see messages like this on the console very quickly after enabling this configuration.

*Oct 24 15:15:06.082: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/3.
*Oct 24 15:15:07.813: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/3 on VLAN0001.

With the configuration applied, we can now check the updated spanning-tree state on the network.

Checking on the root Switch

1. Access the console for the root switch and enter the command show spanning-tree to view the current state.

root>show spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID    Priority    16385
            Address     5254.001c.e0ef
            This bridge is the root
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    16385  (priority 16384 sys-id-ext 1)
            Address     5254.001c.e0ef
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
            Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p

2. Notice that the output now matches the output from the starting state. The root switch is once again the spanning-tree root for the network.

Checking on switch-1

3. Access the console for the switch-1 switch and enter the command show spanning-tree to view the current state on another switch.

switch-1#show spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID    Priority    16385
            Address     5254.001c.e0ef
            Cost        4
            Port        2 (GigabitEthernet0/1)
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
            Address     5254.001f.cb42
            Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
            Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.2    P2p
Gi0/2               Altn BLK 4         128.3    P2p
Gi0/3               Desg BKN*4         128.4    P2p *ROOT_Inc

4. Notice that the directly connected interface to the root switch is once again the Root port, and the interface connecting to switch-2 is again the Altn (alternate) port.
5. Interface Gi0/3, which connects to bad-root, has a role of Desg (designated) but a state of BKN* (broken).
   • The * is given more details after the type. It indicates ROOT_Inc or “root inconsistent”.
   • This is an indication that the switch has identified that enabling this port would result in a disruption to the intended state of the spanning-tree network.
6. There is one more show command useful for investigating the state of the network when a bad-root is attached. Run show spanning-tree inconsistentports on switch-1.

switch-1#show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet0/3       Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

Building a reliable and stable Layer 2 network is an important job for every network engineer. Understanding when and how to use features like root guard for spanning tree is essential to this work!

Learn More

If you’d like to dive deeper into this topic, I pulled a few links together for you:

• Understanding spanning tree and how it works is part of the CCNA blueprint. The Implementing and Administering Cisco Solutions (CCNA) v1.0 course is a great resource to get started.
• Knowing how to implement spanning tree is part of the Enterprise Core blueprint and is covered in the Implementing and Operating Cisco Enterprise Network Core Technologies (ENCOR) v1.2 course.
• The root guard feature has been available in Cisco software for a very long time. This tech note discusses it and provides a great description.
• I found this post over on Cisco Learning Network that discusses many of the spanning-tree features that should be part of every network design.