CCIE Topic: 1.1e Loop Guard and Root Guard

Captions
Hey everyone, I'm Charles Judd, and in this video I'm wrapping up the first section of the CCIE blueprint found under Network Infrastructure, which is the Switched Campus section. We're rounding out this section of videos with the concepts of loop guard and root guard, both of which are spanning tree protection mechanisms.

So in general, spanning tree is pretty good at creating a loop-free topology, but sometimes it does need some help. Sometimes we have strange topologies, or maybe we've merged a couple of networks together and created an unusual situation, or maybe we just have a malfunctioning device. Whatever the case may be, it is still possible to have unexpected loops with spanning tree, which is why we have the extra protection offered by loop guard.

So here we have a simple topology with three switches, and we're going to jump into a lab in just a second, but I want to talk about what happens here with spanning tree. Switch 1 is going to be the root bridge in this topology, so both of the interfaces here are going to be designated ports in the forwarding state. On switch 2, interface Gig0/0 is going to be the root port, while Gig0/1 is going to be in the alternate role in the blocking state. On switch 3, Gig0/0 is going to be the root port there, and Gig0/1 is going to be a designated port in the forwarding state. So under normal conditions, the only switch transmitting BPDUs is going to be switch 1, the root bridge. The reason switch 2 has a blocking port, in order to prevent a spanning tree loop, is that it has received BPDUs from switch 1, which is the root bridge. It's received those on interface Gig0/0, and it's also received those on interface Gig0/1. Spanning tree knows this is a problem, so it places Gig0/1 into the blocking state in order to prevent a network loop.

Now of course we know that, let's say the link between switch 1 and switch 3, let's say that link goes down. Switch 2 will stop receiving BPDUs on the Gig0/1 interface, and it will make the assumption that there must no longer be the potential for a network loop here, so it would actually move that into the forwarding role. Depending on which iteration of spanning tree you're using and your specific configuration, the amount of time for this convergence to take place will of course vary, but that's the normal operation of spanning tree.

However, let's assume that we have a malfunction. Let's say that for some reason switch 3 stops transmitting BPDUs to switch 2. Then switch 2 is going to make the exact same assumption: it's going to assume, okay, this link must be down, so I'm going to move into the forwarding role. Now if switch 3 malfunctions in a way that still allows the hardware to work, this is where we can have a loop condition. What I mean by that is maybe IOS isn't creating or processing BPDUs as expected, but perhaps the actual interface hardware is still able to forward normal data frames. In that case we would have switch 2 forwarding data on both Gig0/0 and Gig0/1, and it would be relaying frames around and around the topology, and that would create a very bad situation in our network. It would relay those frames around and around, creating a nasty loop, and that's exactly why we would use loop guard.

Loop guard is guarding against a situation where an alternate or backup port can become a designated port, where it would move into a forwarding state. So with loop guard in place, if BPDUs aren't received on a non-designated port, the port would move into a loop-inconsistent blocking state instead of transitioning through the listening, learning and eventually forwarding states, which would create a potential loop. It's really easy to configure this, and again, we want to configure that on a blocking non-designated port, which in this topology is the Gig0/1 interface on switch 2.

If we go to switch 2 and we say show span just to confirm that, you'll see that Gig0/1 is in the alternate blocking state, and of course Gig0/0 is our root port, the closest to our root bridge. Let's also just quickly look at switch 1 to verify things there. We see that this is in fact the root bridge; both of our interfaces are in the designated forwarding state. And of course switch 3, if we look at that, we'll see that the root port is Gig0/0 and Gig0/1 is in the designated forwarding state.

Back on switch 2, let's go under interface Gig0/1, which is our alternate blocking interface, and let's say spanning-tree guard loop. A really quick way we can test this out is by just enabling one of the features we looked at in a previous video, which is BPDU filtering. We can leave our interface operational while filtering out BPDU messages, so let's say spanning-tree bpdufilter enable, and pretty soon we're going to get a console message letting us know that loop guard has kicked in. And there we actually just saw that come in, so we see "loop guard block": loop guard is blocking port Gig0/1. If we break out of here and again say show span, we will see that Gig0/1 is in the blocking state, so loop guard has kicked in, and we see that it is also listed in the loop-inconsistent state, which is what happens when the loop guard protection mechanism kicks in. If we go back under interface Gig0/1 and we arrow up to that bpdufilter command, we can prepend that with the no keyword to turn that off, and you see that spanning tree is taking things back to normal: we're told that loop guard has now unblocked that port. So if we say show span again, we'll see things are back to normal; we have an alternate blocking port state. By the way, we can also configure this globally with the command spanning-tree guard loop, so it's essentially the same command as we use under interface configuration mode, but of course we would do that under global configuration mode.

The root guard feature is essentially the exact opposite of the loop guard feature, and the goal of root guard is to protect the root bridge placement in the network. We configure this on designated forwarding ports so we can ensure that they do not become non-designated ports. This is fairly commonly seen in a service provider network in order to make sure that the root bridge stays the root bridge. If a customer device with a superior BPDU were able to become the root bridge, well, that would be disastrous in the service provider cloud, so this is commonly used as a layer 2 protection mechanism.

So if we jump back into our topology that we've already been looking at, here on switch 1 all of our interfaces are in the designated forwarding state. We can again just take a quick look at that by saying show span, and Gig0/0 and Gig0/1 are forwarding. So what we can do here from global configuration mode, we can say interface range Gig0/0 - 0/1, and we can enable root guard for both of these interfaces by saying spanning-tree guard root, and we're going to start seeing console messages letting us know that this has been enabled on each of those interfaces. If we go to switch 2 and say show span, we'll see that we have a root port and a blocking port, so no need to configure root guard on this particular switch. Let's go to switch 3 and say show span, and we can see that interface Gig0/1, that's in use, is a designated port, so we can also enable root guard here to protect our switch. By doing that, what we're saying is we want to make sure that we're receiving our BPDUs from the root bridge connected to Gig0/0, and if we do receive superior BPDUs from a different bridge on Gig0/1, that's not desirable and we want that interface to be shut down. So let's go under interface Gig0/1 and, again really simply, spanning-tree guard root, and again we see our console message letting us know we've enabled root guard for that particular interface.

Let's go under interface Gig0/0, which is going out to our root bridge, and let's see what happens when we shut down that interface. So we've altered our topology, and we're not receiving BPDUs over the Gig0/0 link; we're now receiving BPDUs over the Gig0/1 link, which of course has root guard enabled, because we shut down Gig0/0. So we see a message here letting us know root guard is now blocking the port on Gig0/1. Let's break out and say show span, and we can indeed see that the Gig0/1 interface is in the blocking state, and we can see a message letting us know that this is in the root-inconsistent state, as we would expect.

A few last words about these two mechanisms, just to sum things up. Under normal operations, when a non-designated blocking port stops receiving BPDUs, that port will transition to a designated forwarding state; loop guard stops this from happening, protecting against network loops. Also under normal operations, if a root bridge receives a superior BPDU from another switch, the root bridge will transition its designated ports accordingly and give up its root bridge role; root guard prevents this from happening, ensuring that the desired root bridge remains in place. And you should also know that loop guard and root guard cannot be configured simultaneously on the same interface.

So that's a look at both loop guard and root guard, and that also wraps up the CCIE blueprint section dedicated to switched campus technologies. I'm looking forward to jumping into routing concepts next, so I'll see you soon with another new video about what I'm learning. I hope you found this content useful, and want to thank you sincerely for watching.
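Added example (not material from the video): a small Python audit that applies the placement rules stated above to text you can pull from a switch. It parses `show spanning-tree` port-table rows in the layout IOS prints (including the `BKN*` state and the `*LOOP_Inc` / `*ROOT_Inc` markers that loop guard and root guard produce) and a draft interface configuration, and then reports ports sitting in a guard-inconsistent state, non-designated ports with no loop guard, root guard placed on the port that leads to the root bridge, and a draft that carries both guards on one interface. The `show` output and config below are constructed for the example (they mirror the video's switch 2 after loop guard has tripped, with two extra ports added); the interface names, bridge address and finding codes are assumptions.

```python
"""Audit STP loop guard / root guard placement from IOS text (added example)."""
import re

# Constructed 'show spanning-tree' output in the layout IOS prints, modelled on
# the video's switch 2 after loop guard has tripped on Gi0/1 (a sample, not a
# real capture). Gi0/2 and Gi0/3 are added to exercise the other checks.
SHOW_SPANNING_TREE = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0000.0000.0001
             Cost        4
             Port        1 (GigabitEthernet0/0)

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    P2p
Gi0/1               Desg BKN*4         128.2    P2p *LOOP_Inc
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Altn BLK 4         128.4    P2p
"""

# Constructed draft config as an engineer might write it before pushing it.
# IOS keeps only one of the two guards on an interface, so the Gi0/2 stanza is
# the kind of mistake this audit is meant to catch before it reaches a switch.
CONFIG = """\
interface GigabitEthernet0/0
 spanning-tree guard root
!
interface GigabitEthernet0/1
 spanning-tree guard loop
!
interface GigabitEthernet0/2
 spanning-tree guard root
 spanning-tree guard loop
!
interface GigabitEthernet0/3
 description uplink to SW1
!
"""

# One row of the port table; a broken port prints as 'BKN*' with no space before the cost.
PORT_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Root|Desg|Altn|Back)\s+"
    r"(?P<sts>FWD|BLK|LRN|LIS|BKN)\*?\s*(?P<cost>\d+)\s+"
    r"(?P<prio>\d+\.\d+)\s+(?P<rest>.*)$"
)
INC_RE = re.compile(r"\*(\w+)_Inc")  # trailing marker such as *LOOP_Inc or *ROOT_Inc

MESSAGES = {  # finding codes are this example's own naming
    "INCONSISTENT": "port is in a guard-inconsistent state; find out why the BPDU flow changed before clearing it",
    "BOTH_GUARDS": "loop guard and root guard cannot both be enabled on one interface",
    "ROOT_GUARD_ON_ROOT_PORT": "root guard on the root port would block the path to the root bridge",
    "MISSING_LOOP_GUARD": "non-designated port without loop guard; add 'spanning-tree guard loop'",
}


def long_name(short):
    """Map the abbreviated name in 'show' output to the config-style name."""
    return re.sub(r"^Gi(?=\d)", "GigabitEthernet", short)


def parse_show_spanning_tree(text):
    """Return {interface: {role, state, inconsistent}} from the port table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            inc = INC_RE.search(m["rest"])
            ports[long_name(m["intf"])] = {
                "role": m["role"],
                "state": m["sts"],
                "inconsistent": inc.group(1) if inc else None,
            }
    return ports


def parse_guards(config):
    """Return {interface: set of 'spanning-tree guard' keywords} per interface stanza."""
    guards, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            guards[current] = set()
        elif current and line.strip().startswith("spanning-tree guard "):
            guards[current].add(line.split()[-1])
    return guards


def audit(ports, guards):
    """Apply the placement rules; returns (interface, finding code) pairs."""
    findings = []
    for intf, port in sorted(ports.items()):
        g = guards.get(intf, set())
        if port["inconsistent"]:
            findings.append((intf, "INCONSISTENT"))
        if {"root", "loop"} <= g:
            findings.append((intf, "BOTH_GUARDS"))
        if port["role"] == "Root" and "root" in g:
            findings.append((intf, "ROOT_GUARD_ON_ROOT_PORT"))
        if port["role"] in ("Root", "Altn", "Back") and "loop" not in g:
            findings.append((intf, "MISSING_LOOP_GUARD"))
    return findings


if __name__ == "__main__":
    for intf, code in audit(parse_show_spanning_tree(SHOW_SPANNING_TREE), parse_guards(CONFIG)):
        print(f"{intf}: {MESSAGES[code]}")
```

On the sample input the audit flags Gi0/0 twice (root guard on the root port, and no loop guard on a root port), Gi0/1 as loop-inconsistent, Gi0/2 for carrying both guards, and Gi0/3 as an alternate port without loop guard. Two caveats when using it on real devices: the per-interface command is `spanning-tree guard loop`, but the IOS global form that enables loop guard on all ports is `spanning-tree loopguard default`, so a config audit should accept either; and an inconsistent port is a symptom, not a fault to clear, so the reason BPDUs stopped (or a superior BPDU arrived) should be found before the port is released.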
Info
Channel: Charles Judd
Views: 4,296
Keywords: cisco, ccie, cisco enarsi, ccie enterprise infrastructure, cisco enarsi 300-410, cisco encor 350-401, ccie lab, my ccie journey, ccie training, ccie blueprint, spanning tree protocol, stp, spanning tree, 1.1e spanning tree protocol, root bridge, spanning-tree, loop guard, root guard, spanning tree loop guard, stp loop guard, spanning tree root guard, stp root guard, section 1.1
Id: wtO1WQsevXM
Length: 11min 42sec (702 seconds)
Published: Wed Aug 19 2020