  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 457

PORT COST 3019

I'm aware this port cost of '3019' is some default setting and maybe increased, but where does it come from, or how is it calculated?

I'm aware that an out-of-the-box switch is set to a default Bridge ID of 32768.
I'm aware of adding the command spanning-tree vlan 1,20,21 priority 4096 to be set on a master, and on a backup as '8192'.

Or the alternative method is:

spanning-tree vlan 1-4094 root primary
spanning-tree vlan 1-4094 root secondary

Although I have NOT got a clue as to why there are 2 lots of commands, as they must be for a 'SPECIFIC' scenario, but NO ONE KNOWS, as the words I've read only make reference to both but never specifically say what the difference is. Or is it down to the specific IOS being used as to what commands are accepted?

Just would like to know this 'USELESS' piece of information!!
Asked: mikey250
12 Solutions
 
Marius Gunnerud (Senior Systems Engineer) commented:
With the command "spanning-tree vlan 1,20,21 priority 4096" you can manually set the priority to what you want it to be. If you want the switch to be, almost, guaranteed to be the bridge, you can assign a priority of 0.

With the command "spanning-tree vlan 1-4094 root primary" the priority is set to 8192 (2 times lower) below the lowest current priority. Using the command "spanning-tree vlan 1-4094 root secondary" the priority is set to 4096 (1 time lower) below the lowest current priority.

A port cost of 3019 means you have probably enabled UplinkFast. The calculation for this is 3000 + <port number>, so in your example 3019 would be port 19.
0
 
Don Johnston (Instructor) commented:
Please clarify if you are asking about "priority" or "cost". They are two different functions.

Priority is concerned with root election and in some cases path selection.

Cost is only used for path selection.
0
 
mikey250 (Author) commented:
According to my book:

spanning-tree vlan 1-4094 root primary

- Assuming that all other switches are at default priority, the root primary command will set a value of 24576. Otherwise the priority will be set to 4096 less than the current best priority.

spanning-tree vlan 1-4094 root secondary

- The root secondary command will set a value of 28672.

I wished to know where the 3019 came from, which has been answered: it is a cost value through using 'uplinkfast', as mentioned!!!

I wished to know why there were 2 types of priority, but I'm assuming it depends on what IOS is being used on what hardware, rather than, as my book suggests, that the commands using 'root primary' or 'root secondary' are another 'ALTERNATIVE' to just using 'spanning-tree vlan 20,21,22 priority 4096', for example!?
0
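To make the election mechanics behind the two answers above concrete, here is a small Python model, written for this page and not taken from the thread or from Cisco. It compares bridge IDs as (priority, MAC) within one VLAN, implements the root primary/root secondary rule as the quoted CCNP text describes it (24576 / 28672, otherwise 4096 below the current best), and models UplinkFast's cost adjustment as adding 3000 to the port's existing path cost (the short-method cost for a 100 Mb/s link is 19, giving 3019). The switch names, MAC addresses and the "ROGUE" bridge are constructed for the demo.

```python
"""Toy model of per-VLAN STP root election and the Cisco priority macros.

Added example for this thread, not vendor code. Bridge IDs are compared as
(priority, MAC) within one VLAN; the lowest wins. 'root primary' /
'root secondary' follow the CCNP text quoted above; UplinkFast adds 3000
to the port's existing path cost.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768
PRIORITY_STEP = 4096  # with the extended system ID, priority is a multiple of 4096

# Short-method IEEE path costs as used by IOS (constructed lookup table)
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self):
        # Tuple comparison: lower priority wins, the MAC only breaks ties.
        return (self.priority, self.mac.lower())


def validate_priority(priority):
    """Reject values IOS would refuse (not a multiple of 4096, or out of range)."""
    if not 0 <= priority <= 61440 or priority % PRIORITY_STEP:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} in 0..61440")
    return priority


def elect_root(bridges):
    """Return the bridge with the lowest (priority, MAC) bridge ID."""
    return min(bridges, key=Bridge.bridge_id)


def root_primary_priority(current_best):
    """Priority chosen by 'spanning-tree vlan N root primary' (book's rule)."""
    if current_best == DEFAULT_PRIORITY:
        return 24576
    if current_best < PRIORITY_STEP:
        raise ValueError("cannot go 4096 below the current root; set the priority manually")
    return validate_priority(current_best - PRIORITY_STEP)


def root_secondary_priority():
    """Priority chosen by 'spanning-tree vlan N root secondary' (book's rule)."""
    return 28672


def uplinkfast_port_cost(link_mbps):
    """UplinkFast adds 3000 to the port's path cost: 100 Mb/s -> 19 + 3000 = 3019."""
    return PATH_COST[link_mbps] + 3000


def demo():
    """Three elections showing why a manual priority beats relying on the MAC tie-break."""
    sw1 = Bridge("SW1", "00:1a:00:00:00:10")
    sw2 = Bridge("SW2", "00:1a:00:00:00:20")
    rogue = Bridge("ROGUE", "00:00:00:00:00:01")  # constructed: lowest MAC in the VLAN
    # 1. Everyone at the default priority: the lowest MAC wins the election.
    all_default = elect_root([sw1, sw2, rogue]).name
    # 2. Pin SW1 with a manual priority of 4096: the MAC no longer decides.
    pinned = Bridge(sw1.name, sw1.mac, validate_priority(4096))
    with_priority = elect_root([pinned, sw2, rogue]).name
    # 3. A bridge advertising priority 0 still beats 4096, hence "not guaranteed".
    rogue0 = Bridge(rogue.name, rogue.mac, 0)
    with_rogue0 = elect_root([pinned, sw2, rogue0]).name
    return all_default, with_priority, with_rogue0


if __name__ == "__main__":
    print(demo())
    print(root_primary_priority(DEFAULT_PRIORITY), root_primary_priority(24576))
    print(uplinkfast_port_cost(100))
```

Running the file prints the three election winners (ROGUE, SW1, ROGUE), the priorities the root primary macro would pick, and the 3019 cost. The third election is the point Marius makes about priority 0: a manual priority only wins against bridges that are not configured lower, which is why the thread moves on to root guard.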
 
Marius Gunnerud (Senior Systems Engineer) commented:
The reason there are two methods is that with the primary command you do not need to figure out what the lowest priority of another switch is, in case you did not know it from before. But that will not prevent another switch from becoming the root bridge. This option is more of a hassle-free solution, as it is one command and you are done.

With the priority command you can set one switch to be almost guaranteed to become the root bridge by setting it to the lowest priority and all other switches to the highest priority. With this option you have more control over what the priority of your switches is; it is mainly used in a hierarchical setup, as you will have several redundant links.
0
 
Don Johnston (Instructor) commented:
What MAG03 said pretty much sums it up.

My personal philosophy is that if you don't already know the priority of the current root bridge, then you shouldn't be changing anything in the first place. My preference is to manually define the priority value.

0
 
mikey250 (Author) commented:
Hi, as I've just done my CCNP course, there were questions that arose after completion, so I'm just trying to fill the gaps!! But at least now it makes more sense!! Setting the priority to the lowest, 4096, makes more sense, and the rest accordingly if I need more than one switch to be in second or 3rd place; but if not, the others can be left at default settings, which I realise is 32768.
0
 
mikey250 (Author) commented:
Hi MAG03, you say:

"The reason there are two methods is that with the primary command you do not need to figure out what the lowest priority of another switch is, in case you did not know it from before. But that will not prevent another switch from becoming the root bridge. This option is more of a hassle-free solution, as it is one command and you are done."??

OK, if you say that wouldn't prevent the switch from being the root bridge, which I believe the option to be, is if a hacker, for instance, had a lower MAC address, then due to the election criteria they could take over.

But if I also add 'Root Guard', this would stop a superior BPDU from taking over a 'root bridge' and becoming the new 'root bridge', i.e. a hacker! Problem solved!!!?
0
 
Marius Gunnerud (Senior Systems Engineer) commented:
Even if you set the priority to 0, chances are that the switch will be the root bridge no matter what. But Cisco says that this doesn't guarantee that the switch becomes the root.

Root guard will prevent any switch attached to that port from becoming the root bridge. The other options would be to configure either bpduguard or bpdufilter on all access ports. Bpduguard will shut down the interface if a BPDU is detected; bpdufilter will place the port in a listening, learning, and then forwarding state if BPDUs are detected.

This is why it is part of best practice to make all ports not connecting switches together access ports, and all unused ports should be shut down.
0
 
mikey250 (Author) commented:
Yes, as you say, "Even if you set the priority to 0, chances are that the switch will be the root bridge no matter what. But Cisco says that this doesn't guarantee that the switch becomes the root." - I agree, because if the hacker, for example, has a lower MAC, then due to the election criteria it could resume control!!

Hence 'root guard', which according to my book:

- Is designed to provide a way to enforce the root bridge placement in the network.
- Ensures that the port on which it is enabled is the designated port.
- If a port receives a superior BPDU, the port moves to a root-inconsistent state (basically learning state).
- Does not allow the port to become a root.

By adding - config-if#spanning-tree guard root

But are you saying that in order for 'root guard' to stay firm, adding 'bpduguard or bpdufilter' will stop this?

bpduguard - stops BPDUs from being received on edge ports
- Shuts down the interface that receives any BPDU.
- The port is put into err-disable state.
- Provides a secure response to invalid configurations, because the administrator must manually put the interface back in service with the shutdown and no shutdown commands.
- Can be set 'globally or at interface level'.

bpdufilter - stops the send/receive of BPDUs altogether for edge ports
- Can be set 'globally and at interface level'.

0
 
Marius Gunnerud (Senior Systems Engineer) commented:
Root guard is used to prevent a switch from becoming the bridge.

Bpduguard and bpdufilter are used to prevent anyone adding a switch to an unauthorized port.

They are two different commands and should not be used together on a port.
0
 
mikey250 (Author) commented:
Oh yes, I forgot: 'root guard' is used by itself, for the reasons stated, to protect a 'root port' so it stays as one.

"The other options would be to configure either bpduguard or bpdufilter on all access ports." - so these commands are only for edge ports. OK, yes, when I think about it, you're right!!! :)) But are you saying that adding 'bpduguard or bpdufilter' (I realise what they do) on all edge ports, as well as on 'unused ports' added to an empty VLAN, ensures 'root guard' stays as it is, i.e. against a superior BPDU taking over? Just for clarification.
0
 
Don Johnston (Instructor) commented:
Actually, Root Guard is used to allow a switch to be added to the network but NOT let it become the root.

BPDU guard is used to prevent adding a switch... period

BPDU filter is used to stop the sending of BPDUs in the event that the connected device would have problems processing those BPDUs.
0
 
mikey250 (Author) commented:
Like I said, according to my book and the course I've been on, it states what I stated earlier:

Hence 'root guard', which according to my book:

- Is designed to provide a way to ENFORCE the root bridge placement in the network.
- Ensures that the port on which it is enabled is the designated port.
- If a port receives a SUPERIOR BPDU, the port moves to a root-inconsistent state (basically learning state).
- Does NOT ALLOW THE PORT TO BECOME A ROOT.

By adding - config-if#spanning-tree guard root

But are you saying that in order for 'root guard' to stay firm, adding 'bpduguard or bpdufilter' will stop this?

bpduguard - stops BPDUs from being received on edge ports
- Shuts down the interface that receives any BPDU.
- The port is put into err-disable state.
- Provides a secure response to invalid configurations, because the administrator must manually put the interface back in service with the shutdown and no shutdown commands.
- Can be set 'globally or at interface level'.

bpdufilter - stops the send/receive of BPDUs altogether for edge ports
- Can be set 'globally and at interface level'.

But after reading your comments, you disagree?
0
 
Don Johnston (Instructor) commented:
>But are you saying that in order for 'root guard' to stay firm, adding 'bpduguard or bpdufilter' will stop this?

It depends on what your objective is.

If you don't want a switch connected to the port at all, turn on BPDU guard (and port-security if you're really serious).

If there is a switch connected (or there could be) and you don't want that switch to be the root, then turn on root guard.

BPDU filter (IMO) is a very dangerous command in that it effectively disables spanning-tree on that port.
0
 
Marius Gunnerud (Senior Systems Engineer) commented:
Maybe I am not understanding what you are trying to ask, or perhaps you are not understanding what Don and I are trying to say.

-->But are you saying that in order for 'root guard' to stay firm, adding 'bpduguard or bpdufilter' will stop this?
Are you trying to say that having bpduguard or bpdufilter on the same port as root guard will complement root guard? If that is the case, then no, as the port will be shut down or inactive due to the BPDU commands. It will be useless to have root guard on the same port as bpduguard or bpdufilter.

I will try to explain it differently:

Root guard is a management command to help you ensure the placement of the root bridge.

Bpduguard and bpdufilter are preventative commands, so that if an unauthorized switch is connected to a port with either of these configured, the port will either be shut down completely (bpduguard) or become inactive until no BPDUs are detected (bpdufilter).

0
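The distinction Don and Marius draw between the three protections (root guard blocks only a superior BPDU, bpduguard err-disables on any BPDU, bpdufilter stops the port from seeing BPDUs at all) can be shown as a small decision model. The Python below is an added example written for this page, not Cisco code and not from the thread. It assumes a single VLAN, treats a BPDU as superior when its (root priority, root MAC) sorts lower than the root the port currently knows, models bpdufilter as the interface-level form that silently drops BPDUs, and, following Marius's advice, refuses a port that has more than one of the three enabled. Port names, MACs and the "rogue" BPDU are constructed.

```python
"""Toy model of how a port reacts to a received BPDU under root guard,
bpduguard and interface-level bpdufilter.

Added example for this thread, not vendor code. Assumptions: one VLAN; a
BPDU is 'superior' when its (root priority, root MAC) is lower than the
root the port currently knows; an unprotected port simply accepts a
superior BPDU (modelled as flagging that the root bridge would move).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Bpdu:
    root_priority: int
    root_mac: str

    def root_id(self):
        return (self.root_priority, self.root_mac.lower())


@dataclass
class Port:
    name: str
    root_guard: bool = False
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    state: str = "forwarding"
    root_moved: bool = False          # set when a superior BPDU is accepted
    log: list = field(default_factory=list)


def is_superior(bpdu, current_root):
    """Lower (priority, MAC) wins the election, so 'lower' means superior."""
    return bpdu.root_id() < current_root.root_id()


def lint_port(port):
    """Marius's advice: enable at most one of these protections per port."""
    enabled = [n for n in ("root_guard", "bpdu_guard", "bpdu_filter") if getattr(port, n)]
    if len(enabled) > 1:
        raise ValueError(f"{port.name}: enable at most one of {enabled}")


def receive_bpdu(port, bpdu, current_root):
    """Apply the configured protection and return the port's new state."""
    lint_port(port)
    if port.bpdu_filter:
        # Interface-level bpdufilter: the BPDU is silently dropped, the port keeps
        # forwarding, and spanning tree is effectively switched off on this port.
        port.log.append(f"{port.name}: BPDU dropped by bpdufilter (STP blind here)")
        return port.state
    if port.bpdu_guard:
        # Any BPDU at all means a switch is attached: err-disable the port.
        port.state = "err-disabled"
        port.log.append(f"{port.name}: BPDU seen, err-disabled by bpduguard")
        return port.state
    if port.root_guard and is_superior(bpdu, current_root):
        # Superior BPDU on a root-guarded port: hold it root-inconsistent rather
        # than letting this port become the root port.
        port.state = "root-inconsistent"
        port.log.append(f"{port.name}: superior BPDU blocked, root-inconsistent (root guard)")
        return port.state
    if is_superior(bpdu, current_root):
        # No protection (or root guard with an inferior BPDU): normal STP processing.
        port.root_moved = True
        port.log.append(f"{port.name}: superior BPDU accepted, root bridge would change")
    return port.state


def scenario():
    """Send the same rogue, superior BPDU into four differently protected ports."""
    current_root = Bpdu(4096, "00:1a:00:00:00:10")      # constructed legitimate root
    rogue = Bpdu(0, "00:00:00:00:00:01")                 # constructed superior claim
    ports = [
        Port("Gi1/0/1"),                                 # unprotected uplink
        Port("Gi1/0/2", root_guard=True),
        Port("Gi1/0/3", bpdu_guard=True),
        Port("Gi1/0/4", bpdu_filter=True),
    ]
    states = {p.name: receive_bpdu(p, rogue, current_root) for p in ports}
    states["root_moved"] = [p.name for p in ports if p.root_moved]
    return states


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The output makes Don's point visible: only the unprotected port lets the root move, the root-guarded port goes root-inconsistent while still allowing an ordinary (inferior) neighbour, the bpduguard port is err-disabled by the first BPDU regardless of its contents, and the bpdufilter port stays forwarding with no record that a superior root was ever claimed, which is exactly why it is the dangerous one.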
 
mikey250 (Author) commented:
I do understand; it was because I interpreted Don Johnston's comment - "Actually, Root Guard is used to allow a switch to be added to the network but NOT let it become the root."

I disagreed with this, as according to my book it states:

- Is designed to provide a way to ENFORCE the root bridge placement in the network.
- Ensures that the port on which it is enabled is the designated port.
- If a port receives a SUPERIOR BPDU, the port moves to a root-inconsistent state (basically learning state).
- Does NOT ALLOW THE PORT TO BECOME A ROOT.


Yes, I do now realise that 'bpduguard & filter' are not used on a 'root guard' switchport, as they are used for edge ports; and as for filter, yes, I've been advised by others NOT to use bpdufilter unless specifically required.

I know you all know; I was just trying to clear up a few things in my mind, but I believe I'm OK now!!!

0
 
mikey250 (Author) commented:
This part - "Does NOT ALLOW THE PORT TO BECOME A ROOT." - means that if a SUPERIOR BPDU was in a position to take over the original and proper 'root port', then adding 'root guard' stops the SUPERIOR BPDU from taking over.
0
 
Marius Gunnerud (Senior Systems Engineer) commented:
Correct
0
 
Don Johnston (Instructor) commented:
Right.

What's the question?
0
 
mikey250 (Author) commented:
Hi Don, I interpreted your comment - "Actually, Root Guard is used to allow a switch to be added to the network but NOT let it become the root."

meaning the 'root guard' allows a switch onto a network
& does not let it become the root.

I'm sure you know what you mean, so no big problem, but for me that was worded wrong:

A 'root guard' is there to protect a 'root port' to ensure it stays as the elected/selected root bridge. So even if a SUPERIOR BPDU tried to take over the root port's role, this could not happen, due to adding the command 'root guard'.

Explaining in words is hard, I know this!!
0
 
mikey250 (Author) commented:
I will end this thread now. Much appreciated for the advice!!!!!!!!!!!!!
0
 
Don Johnston (Instructor) commented:
>meaning the 'root guard' allows a switch onto a network & does not let it become the root

That's exactly what I meant.

0
 
mikey250 (Author) commented:
No problem, "Don", fair enough!! Gonna close this thread now; appreciated the advice!!!!!!!
0
 
mikey250 (Author) commented:
Apologies, my internet has been down, but I'm back on now. Thanks for this useful and clearer information.
0