Brocade MLX Series and NetIron Family Documentation Updates
53-1002805-03
Root Guard
NOTE
This enhancement synchronizes the root-protect state of Cluster Client Edge Ports (CCEPs) to the Multi-Chassis Trunking (MCT) peer.
NetIron 05.4.00c adds Root Guard, a security feature that lets a CCEP port run STP while preventing
the device connected to it from becoming the root bridge. Root Guard enforces root bridge placement
in the network and lets STP interoperate with user-network bridges while preserving the bridged
topology the administrator requires. Any attempt to change the root bridge placement is detected
and reported as a violation.
NOTE
The feature is also available for RSTP.
When Root Guard is enabled on a port, the port is kept in the designated role and FORWARDING state.
If the port receives a superior BPDU (one advertising a better root bridge than the one currently
elected), this is a Root Guard violation: the port is placed in BLOCKING state, a Syslog message is
logged and an SNMP trap is sent. No further traffic is forwarded on the port. This prevents traffic
from being forwarded on ports connected to rogue or misconfigured STP or RSTP bridges.
NOTE
Root Guard should be configured on the CCEP ports of both MCT peers so that the port state is synchronized correctly.
Configure Root Guard on every port on which the root bridge must not appear. This establishes a
protective perimeter around the core bridged network and isolates it from the user network.
Once the port stops receiving superior BPDUs, Root Guard automatically returns the port to
FORWARDING state after the timeout period has expired.
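The violation and recovery behaviour described above, as an added example that is not Brocade code: a Python simulation of a root-protected designated port. Bridge IDs follow the 802.1D layout (16-bit priority followed by the 48-bit MAC; the lower value wins the election), and a received BPDU is treated as superior when its (root ID, root path cost, sender bridge ID) priority vector compares lower than the vector the port itself advertises, which generalizes the page's root-bridge test to the full 802.1D comparison. The port name, bridge priorities, MAC addresses (taken from the 00:00:5e:00:53 documentation range) and the 30-second timeout are constructed assumptions; the real timeout is whatever is configured per the NetIron Configuration Guide.

```python
"""Simulation of a root-protected STP port (added example, not Brocade code).

Bridge IDs use the 802.1D layout: 16-bit priority followed by the 48-bit MAC,
and a numerically lower ID wins the root election. A received BPDU is
"superior" when its priority vector (root ID, root path cost, sender bridge
ID) compares lower than the vector the designated port itself sends.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FORWARDING = "FORWARDING"
BLOCKING = "BLOCKING"


def bridge_id(priority: int, mac: str) -> int:
    """Pack priority (16 bits) and MAC (48 bits) into one comparable bridge ID."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return (priority << 48) | int.from_bytes(mac_bytes, "big")


@dataclass(frozen=True)
class Bpdu:
    """Fields of a Configuration BPDU that decide the root election."""
    root_id: int
    root_path_cost: int
    sender_id: int

    def vector(self) -> Tuple[int, int, int]:
        return (self.root_id, self.root_path_cost, self.sender_id)


@dataclass
class RootGuardPort:
    """A designated port with root-protect enabled (simulated)."""
    name: str
    own: Bpdu                       # the BPDU this port itself advertises
    timeout: float                  # seconds without superior BPDUs before recovery (assumed 30)
    state: str = FORWARDING
    last_violation: Optional[float] = None
    log: List[str] = field(default_factory=list)   # stands in for the Syslog message / SNMP trap

    def receive(self, bpdu: Bpdu, now: float) -> str:
        """Process a BPDU received at time `now`; return the resulting port state."""
        if bpdu.vector() < self.own.vector():
            # Superior BPDU: the neighbour is trying to become, or relay, a better root.
            self.last_violation = now          # every superior BPDU restarts the recovery timer
            if self.state != BLOCKING:
                self.state = BLOCKING
                self.log.append(
                    f"{self.name}: root-protect violation, superior root "
                    f"{bpdu.root_id:#018x} from bridge {bpdu.sender_id:#018x}; port BLOCKING")
        # Inferior or equal BPDUs are normal STP traffic and never change the state here.
        return self.state

    def tick(self, now: float) -> str:
        """Periodic timer check: recover once `timeout` has passed with no superior BPDU."""
        if (self.state == BLOCKING and self.last_violation is not None
                and now - self.last_violation >= self.timeout):
            self.state = FORWARDING
            self.last_violation = None
            self.log.append(f"{self.name}: root-protect timeout expired; port FORWARDING")
        return self.state


def run_scenario() -> List[str]:
    """Walk one port through a violation and recovery; return the state after each event."""
    # Constructed bridge IDs; MACs are from the 00:00:5e:00:53 documentation range.
    core_root = bridge_id(4096, "00:00:5e:00:53:01")     # intended root in the core
    this_bridge = bridge_id(8192, "00:00:5e:00:53:02")   # the bridge owning the guarded port
    user_bridge = bridge_id(32768, "00:00:5e:00:53:10")  # well-behaved downstream bridge
    rogue = bridge_id(0, "00:00:5e:00:53:ff")            # priority 0: tries to win the election

    port = RootGuardPort("e5/5", own=Bpdu(core_root, 20000, this_bridge), timeout=30)
    states = []
    # t=0: downstream bridge agrees on the root and has a higher path cost: inferior, no change.
    states.append(port.receive(Bpdu(core_root, 40000, user_bridge), now=0))
    # t=2: rogue claims to be root with priority 0: superior BPDU, port goes BLOCKING.
    states.append(port.receive(Bpdu(rogue, 0, rogue), now=2))
    # t=4: rogue keeps sending, which restarts the recovery timer.
    states.append(port.receive(Bpdu(rogue, 0, rogue), now=4))
    # t=20: only 16 s since the last superior BPDU: still BLOCKING.
    states.append(port.tick(now=20))
    # t=34: timeout elapsed with no further superior BPDUs: back to FORWARDING.
    states.append(port.tick(now=34))
    return states


if __name__ == "__main__":
    for state in run_scenario():
        print(state)
```

Two details worth noting from the simulation: the timer is restarted by every superior BPDU, so a rogue bridge that keeps advertising itself keeps the port blocked indefinitely, and a BPDU that agrees on the root (the downstream user bridge at t=0) is ordinary STP traffic and never trips the guard.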
NOTE
Root Guard can break network connectivity if it is misconfigured. Configure it on the perimeter of
the network, not in the core. Root Guard should also be configured only on the primary port of a
LAG; if a port configured with Root Guard is made a secondary port of a LAG, the LAG deployment is
vetoed.
Enabling Root Guard
Root Guard is configured on a per-interface basis. To enable Root Guard, enter commands such as
the following.
Brocade(config)# interface ethernet 5/5
Brocade(config-if-e10000-5/5)# spanning-tree root-protect
Syntax: [no] spanning-tree root-protect
Enter the no form of the command to disable Root Guard on the port.
Refer to the Root Guard section of the NetIron 5.4.00 Configuration Guide for information and
procedures including:
• Setting the Root Guard timeout period
• Checking if Root Guard is configured
• Displaying the Root Guard state