Solved

PORT COST 3019

Posted on 2011-02-27
Last Modified: 2012-05-11
I'm aware this port cost of '3019' is some default setting and maybe increase but where does it come from or how is it calculated?

I'm aware of out of the box switch is set to default Bridge id of: 32768
I'm aware adding the command - spanning-tree vlan 1,20,21 priority 4096 to be set on a master and backup as '8192'

or the alternative method is:

spanning-tree vlan 1-4094 root primary
spanning-tree vlan 1-4094 root secondary

Although I have NOT got a clue as to why there are 2 lots of commands, as they must be for a 'SPECIFIC' scenario but NO ONE KNOWS as the words I've read only make reference to the both but never specifically say what the difference is, or is it down to a specific IOS being used as to what commands are accepted.

Just would like to know this 'USELESS' piece of information!!

Question by:mikey250

25 Comments

LVL 17

Accepted Solution

by:MAG03
MAG03 earned 250 total points
With the command "spanning-tree vlan 1,20,21 priority 4096" you can manually set the priority to what you want it to be.  If you want the switch to be, almost, guaranteed to be the bridge you can assign a priority of 0.

With the command "spanning-tree vlan 1-4094 root primary" the priority is set to 8192 (2 times lower) below the lowest current priority. Using the command "spanning-tree vlan 1-4094 root secondary" the priority is set to 4096 (1 time lower) below the lowest current priority.

A port cost of 3019 means you have probably enabled uplink fast. The calculation for this is 3000 + <port number>.  So in your example 3019 would be port 19.

LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
Please clarify if you are asking about "priority" or "cost". They are two different functions.

Priority is concerned with root election and in some cases path selection.

Cost is only used for path selection.

Author Comment

by:mikey250
according to my book:

spanning-tree vlan 1-4094 root primary

- assuming that all other switches are at default priority, the root primary command will set a value of 24576.  Otherwise the priority will be set to 4096 less than the current best priority.

spanning-tree vlan 1-4094 root secondary

- root secondary command will set a value of 28672

I wished to know where the 3019 came from which has been answered as it is a cost value through using 'uplinkfast' as mentioned!!!

I wished to know why there were 2 types of priority but I'm assuming it depends on what IOS is being used on what hardware rather than as my book suggests that the command using the 'root primary or root secondary' are another 'ALTERNATIVE' to just using - 'spanning-tree vlan 20,21,22 priority 4096' - for example!?

LVL 17

Assisted Solution

by:MAG03
MAG03 earned 250 total points
The reason there are two methods is that with the primary command you do not need to figure out what the lowest priority is of another switch, in case you did not know from before. But that will not prevent another switch from becoming the root bridge. This option is more of a hassle-free solution as it is one command and you are done.

With the priority command you can set one switch to be almost guaranteed to become the root bridge by setting it to the lowest priority and all other switches to the highest priority. With this option you have more control over what the priority is of your switches, mainly used in hierarchical set up as you will have several redundant links.

LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
What MAG03 said pretty much sums it up.

My personal philosophy is that if you don't already know the priority of the current root bridge, then you shouldn't be changing anything in the first place. My preference is to manually define the priority value.


Author Comment

by:mikey250
Hi, as I've just done my CCNP course there were questions that arose after completion so just trying to fill the gaps!!  But at least now it makes more sense!!  Setting the priority to the lowest 4096 makes more sense and the rest accordingly if need more than one switch to be second or 3rd place but if not the others can be left to default settings as I realise this as 32768.

Author Comment

by:mikey250
Hi MAG03, you say:

"The reason there are two methods is that with the primary command you do not need to figure out what the lowest priority is of another switch, in case you did not know from before.   But that will not prevent another switch from becoming the root bridge. This option is more of a hassle-free solution as it is one command and you are done."??

OK, if you say that wouldn't prevent the switch from being the root bridge which I believe the option to be is if a hacker for instance had a lower MAC address, due to the election criteria, they could take over.

But if I also add 'Rootguard' this would stop a superior bpdu from taking over a 'root bridge' and becoming the new 'root bridge' ie a hacker!  problem solved!!!?

LVL 17

Assisted Solution

by:MAG03
MAG03 earned 250 total points
Even if you set the priority to 0 chances are that the switch will be the root bridge no matter what. But Cisco say that this doesn't guarantee that the switch becomes the root.

Root guard will prevent any switch attached to that port from becoming the root bridge. The other options would be to configure either bpduguard or bpdufilter on all access ports. Bpduguard will shut down the interface if a bpdu is detected, bpdufilter will place the port in a listening, learning, and then forwarding state if bpdu's are detected.

This is why it is part of the best practices to make all ports not connecting switches together as access ports and all unused ports should be shut down.

Author Comment

by:mikey250
Yes as you say "Even if you set the priority to 0 chances are that the switch will be the root bridge no matter what. But Cisco say that this doesn't guarantee that the switch becomes the root."  - I agree because if the hacker for example has a lower MAC then due to the election criteria it could resume control!!

Hence 'root guard' according to my book states:

-  Designed to provide a way to enforce the root bridge placement in the network.
-  Ensures that the port on which it is enabled is the designated port.
-  If a port receives a superior BPDU, the port moves to a root-inconsistent state (basically learning state).
-  Does not allow port to become a root.

by adding - config-if#spanning-tree guard root

But are you saying in order for 'root guard' to stay firm then adding 'bpduguard or bpdufilter' will stop this?

bpduguard - stops bpdu's from being received on edge ports
-  shuts down the interface that receives any bpdu.
-  port is put into err-disable state.
-  provides a secure response to invalid configurations because the administrator must manually put the interface back in service with the shutdown and no shutdown commands.
- can be set 'globally or at interface level'

bpdufilter - stops the send/receive of bpdu's altogether for edge ports
-  can be set 'globally and at interface level'


LVL 17

Assisted Solution

by:MAG03
MAG03 earned 250 total points
Root guard is used to prevent a switch from becoming the bridge.

bpduguard and bpdufilter are used to prevent anyone adding a switch to an unauthorized port.

They are two different commands and should not be used together on a port.

Author Comment

by:mikey250
Oh yes I forgot 'root guard' used by itself for the reasons stated to protect a 'root port' to stay as one.

"The other options would be to configure either bpduguard or bpdufilter on all access ports." - so these commands are only for edge ports ok yes when I think you're right!!!:))  But are you saying adding the 'bpduguard or bpdufilter' which I realise what they do on all edge ports and as well as 'unused ports' added to an empty vlan ensures 'root guard' stays as it is, ie a superior bpdu taking over, just for clarification?

LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
Actually, Root Guard is used to allow a switch to be added to the network but NOT let it become the root.

BPDU guard is used to prevent adding a switch... period

BPDU filter is used to stop the sending of BPDUs in the event that the connected device would have problems processing those BPDUs.

Author Comment

by:mikey250
Like I said according to my book and course I've been on it states what I stated earlier:

Hence 'root guard' according to my book states:

-  Designed to provide a way to ENFORCE the root bridge placement in the network.
-  Ensures that the port on which it is enabled is the designated port.
-  If a port receives a SUPERIOR BPDU, the port moves to a root-inconsistent state (basically learning state).
-  Does NOT ALLOW PORT TO BECOME A ROOT.

by adding - config-if#spanning-tree guard root

But are you saying in order for 'root guard' to stay firm then adding 'bpduguard or bpdufilter' will stop this?

bpduguard - stops bpdu's from being received on edge ports
-  shuts down the interface that receives any bpdu.
-  port is put into err-disable state.
-  provides a secure response to invalid configurations because the administrator must manually put the interface back in service with the shutdown and no shutdown commands.
- can be set 'globally or at interface level'

bpdufilter - stops the send/receive of bpdu's altogether for edge ports
-  can be set 'globally and at interface level'

but after reading your comments you disagree?

LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
>But are you saying in order for 'root guard' to stay firm then adding 'bpduguard or bpdufilter will stop this?

It depends on what your objective is.

If you don't want a switch connected to the port at all, turn on BPDU guard (and port-security if you're really serious).

If there is a switch connected (or there could be) and you don't want that switch to be the root, then turn on root guard.

BPDU filter (IMO) is a very dangerous command in that it effectively disables spanning-tree on that port.
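
The distinction drawn in the answer above, as an added Python sketch that is not part of the original thread and is not Cisco code: a simplified model of how one port reacts to a received BPDU with no guard, with root guard, and with BPDU guard. The bridge IDs, MAC addresses and function names are constructed for illustration.

```python
# Added illustration, not Cisco code: simplified model of one switch port's
# reaction to a received BPDU under the guards discussed in this thread.
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # compared first, lower wins (default 32768)
    mac: int       # tie-breaker, lower wins

def bid(priority, mac):
    """Build a BridgeID from a priority and a colon-separated MAC string."""
    return BridgeID(priority, int(mac.replace(":", ""), 16))

def port_reaction(current_root, received_root, guard=None):
    """Return (port_state, root_after) for a BPDU advertising received_root.

    guard is None, "root" (spanning-tree guard root) or "bpduguard".
    """
    if guard == "bpduguard":
        # Any BPDU, superior or not, err-disables the port: no switch allowed.
        return "err-disabled", current_root
    superior = received_root < current_root
    if guard == "root" and superior:
        # The neighbour may stay connected but cannot move the root.
        return "root-inconsistent", current_root
    if superior:
        # Unguarded: the better bridge ID wins the election.
        return "root port", received_root
    return "designated", current_root

# Constructed sample bridge IDs (not taken from the thread).
ROOT = bid(4096, "00:1a:2b:00:00:10")       # intended root bridge
LOW_MAC = bid(4096, "00:00:0c:00:00:01")    # same priority, lower MAC
ORDINARY = bid(32768, "00:00:0c:00:00:02")  # default-priority switch

def scenarios():
    """Port state for each neighbour under each guard setting."""
    return {(name, guard): port_reaction(ROOT, nbr, guard)[0]
            for name, nbr in (("low_mac", LOW_MAC), ("ordinary", ORDINARY))
            for guard in (None, "root", "bpduguard")}

if __name__ == "__main__":
    for key, state in scenarios().items():
        print(key, "->", state)
```
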
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 250 total points
Maybe I am not understanding what you are trying to ask, or perhaps you are not understanding what Don and I are trying to say.

-->But are you saying in order for 'root guard' to stay firm then adding 'bpduguard or bpdufilter will stop this?
Are you trying to say that having bpduguard or bpdufilter on the same port as root guard will complement root guard? If that is the case then no, as the port will be shut down or inactive due to the bpdu commands. It will be useless to have the root guard on the same port as bpduguard or bpdufilter.

I will try to explain it differently:

Root guard is a management command to help you ensure the placement of the root bridge.

Bpduguard and bpdufilter are preventative commands so that if an unauthorized switch is connected to a port with either of these configured the port will be either shutdown completely (bpduguard) or become inactive until no bpdu's are detected (bpdufilter).


Author Comment

by:mikey250
I do understand, it was because I interpreted 'donjohnston' comment - "Actually, Root Guard is used to allow a switch to be added to the network but NOT let it become the root."

I disagreed with this as according to my book it states:

-  Designed to provide a way to ENFORCE the root bridge placement in the network.
-  Ensures that the port on which it is enabled is the designated port.
-  If a port receives a SUPERIOR BPDU, the port moves to a root-inconsistent state (basically learning state).
-  Does NOT ALLOW PORT TO BECOME A ROOT.


Yes I do now realise that 'bpduguard & filter' is not used on 'root guard' switchport as it is used for edge ports and as for filter yes I've been advised by others NOT to use bpdufilter unless specifically required.

I know you all know so was just trying to clear up a few things in my mind but I believe I'm A-OK now!!!


Author Comment

by:mikey250
this part - "Does NOT ALLOW PORT TO BECOME A ROOT."  means if a SUPERIOR bpdu was in a position to take over the original and proper 'root port' then adding 'root guard' stops a SUPERIOR bpdu from taking over.

LVL 17

Assisted Solution

by:MAG03
MAG03 earned 250 total points
Correct

LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
Right.

What's the question?

Author Comment

by:mikey250
hi don,   I interpreted your comment - "Actually, Root Guard is used to allow a switch to be added to the network but NOT let it become the root."

meaning the 'root guard' allows a switch to a network
& not to let it become the root

I'm sure you know what you mean so no big problem but for me that was worded wrong:

a 'root guard' is there to protect a 'root port' to ensure it stays as the elected/selected root bridge.  So even if a SUPERIOR bpdu tried to take over the root port's role, then this could not happen due to adding the command 'root guard'

Explaining in words is hard, I know this!!

Author Comment

by:mikey250
I will end this thread now and much appreciated for the advice!!!!!!!!!!!!!

LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
>meaning the 'root guard' allows a switch to a network & not to let it become the root

That's exactly what I meant.


Author Comment

by:mikey250
No problem "Don" fair enough!! Gonna close this thread now and appreciated advice!!!!!!!

Author Closing Comment

by:mikey250
apologies my internet has been down but back on now.  thanks for this useful and clearer information.