Protecting The Spanning Tree Protocol Topology
There are two conditions that can disrupt the loop-free topology even when STP is running:
- BPDUs suddenly being received on a port that should not be receiving them, which can trigger an unexpected re-convergence (for example a new and unwanted root bridge)
- BPDUs suddenly no longer being received on a port that should be receiving them, after which a switch can make incorrect assumptions about the topology and unintentionally create a loop
Protecting against unexpected BPDUs
Root Guard
- protects against a rogue switch connecting to the network and becoming the root bridge
- controls where candidate root bridges can be connected and found on a network
- if superior BPDUs are received on a switch port with Root Guard enabled, the local switch will not allow the new switch to become the root
- puts the port in the root-inconsistent STP state while superior BPDUs are being received, meaning no data can be sent or received on that port, but the port still listens to incoming BPDUs so it can tell whether the new root is still advertising itself
- a root guard protected port is forced to stay a designated port: it sends and relays BPDUs as normal, but superior BPDUs it receives are never used to re-elect the root, so the port can never become a root port
- because of that, enable it only on ports that face away from the root bridge (for example distribution-switch ports toward access switches, or any port where an untrusted switch could be attached); enabling it on a port that should be the root port blocks the legitimate uplink
- is disabled by default, and is enabled only on a per port basis with the command: Switch(config-if)# spanning-tree guard root
- the port automatically goes back to its normal state after it stops receiving superior BPDUs
- show ports in the state of root-inconsistent by issuing: Switch# show spanning-tree inconsistentports
BPDU Guard
- protects ports that have PortFast enabled, preventing loops if a switch is accidentally (or deliberately) connected to a port that should only be used by a workstation
- should be enabled on all ports that have PortFast enabled
- if any BPDU (superior to the current root or not) is received on a port running BPDU guard, the port is put into the errdisable state
- disabled on all ports by default
- can be configured as a global default, meaning that all ports that have PortFast enabled will also have BPDU Guard automatically enabled. Command: Switch(config)# spanning-tree portfast bpduguard default
- can be enabled or disabled on a per port basis: Switch(config-if)# [no] spanning-tree bpduguard enable
- the port remains in the errdisable state even after BPDUs have stopped being received; it has to be recovered manually (shutdown, then no shutdown) or automatically with Switch(config)# errdisable recovery cause bpduguard
- never enable it on a switch uplink toward the root bridge: a switch with multiple uplinks legitimately receives BPDUs on every one of those ports and would errdisable them all
Protecting against the sudden loss of BPDUs
Loop Guard
- blocking port + BPDUs stop being received + last received BPDU ages out (max age) = port walks through listening and learning into forwarding + a bridging loop occurs
- loop guard keeps track of BPDU activity on non-designated ports
- moves the port to the loop-inconsistent state when BPDUs stop being received, which effectively keeps the port in the blocking state
- the port is allowed to move through the normal STP states again, automatically, when BPDUs start being received
- disabled by default on all switch ports
- enable as a global default: Switch(config)# spanning-tree loopguard default
- enable or disable per port: Switch(config-if)# [no] spanning-tree guard loop
- although configured on a port, the loop guard corrective action is limited to the VLAN (STP instance) affected; it does not block the entire port
- you can enable it on all switch ports and the switch will work out which ports are non-designated (root ports and alternate/blocking ports); it has no effect on designated ports, and it cannot be combined with root guard on the same port (the two are mutually exclusive)
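The timing in the first loop guard bullet, as an added worked example that is not part of the original notes: a toy Python model of a blocking port that stops hearing BPDUs, run with and without loop guard. The 802.1D default timers (max age 20 s, forward delay 15 s) and the simplified state machine are assumptions of the example; it is not a real STP engine.

```python
# Added example, not from the original notes: a toy timeline model of a
# non-designated (blocking) STP port that stops hearing BPDUs, run with and
# without loop guard. Timers are the 802.1D defaults (max age 20 s, forward
# delay 15 s); the state machine is simplified and is not a real STP engine.

MAX_AGE = 20        # seconds the last BPDU is kept before it ages out
FORWARD_DELAY = 15  # seconds spent in each of the listening and learning states


def simulate(bpdu_arrives, loop_guard, seconds=70):
    """Return the port state at the end of each second 1..seconds.

    bpdu_arrives(t) -> bool says whether the upstream designated port's BPDU
    reaches this port during second t. The port starts in blocking with a
    fresh BPDU just received at t=0.
    """
    state, last_bpdu, entered = "blocking", 0, 0
    states = []
    for t in range(1, seconds + 1):
        if bpdu_arrives(t):
            last_bpdu = t
            # Hearing the superior BPDU again means the port must block.
            # With loop guard this is the automatic recovery from
            # loop-inconsistent; without it, a port that had started to
            # transition simply drops back to blocking.
            if state != "blocking":
                state, entered = "blocking", t
        aged_out = (t - last_bpdu) > MAX_AGE
        if state == "blocking" and aged_out:
            if loop_guard:
                state = "loop-inconsistent"      # stays blocked, no loop
            else:
                state, entered = "listening", t  # port now believes it is designated
        elif state == "listening" and t - entered >= FORWARD_DELAY:
            state, entered = "learning", t
        elif state == "learning" and t - entered >= FORWARD_DELAY:
            state = "forwarding"                 # the bridging loop is now live
        states.append(state)
    return states


def first_time(states, name):
    """Second at which the port first enters state `name`, or None."""
    for t, s in enumerate(states, start=1):
        if s == name:
            return t
    return None


def bpdus_until_10(t):
    """Constructed scenario: a hello every 2 s, then the upstream goes quiet."""
    return t <= 10 and t % 2 == 0


if __name__ == "__main__":
    for guard in (False, True):
        timeline = simulate(bpdus_until_10, loop_guard=guard)
        print(f"loop guard {'on ' if guard else 'off'}: "
              f"state at t=31 {timeline[30]}, at t=70 {timeline[69]}")
```

Without loop guard the port leaves blocking at t=31 (one second past max age after the last BPDU at t=10) and is forwarding at t=61; with loop guard it sits in loop-inconsistent at t=31 and goes straight back to blocking the moment a BPDU arrives again.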
UDLD (Unidirectional Link Detection)
- if a switch link becomes unidirectional, perhaps due to faulty hardware in a GBIC or SFP or a damaged fibre strand, a bridging loop can form because BPDUs are no longer received at one end of the link even though the link stays up
- Cisco proprietary
- monitors ports to see if a link is truly bidirectional
- the switch sends layer 2 UDLD frames identifying its switch port at regular intervals, and expects the far end to echo them back with its own port identification added; if the echo is received all is OK, but if the echoed frames are not seen the link must be unidirectional
- the message interval is configurable, and the default is 15 seconds
- the aim is to detect the fault before STP has had time to move a blocked port into the forwarding state
- 2 modes of operation:
- normal: the port is marked as having an undetermined state and a syslog message is generated, but the port keeps operating
- aggressive: the switch tries to re-establish the link by sending UDLD frames once a second for 8 seconds; if no echo frame comes back the port is moved to the errdisable state
- configured on a per port basis, although can be enabled globally for all fibre optic switch ports
- disabled by default
- to enable globally: Switch(config)# udld {enable | aggressive | message time seconds}
- enable or disable per port: Switch(config-if)# udld {enable | aggressive | disable} (on current Catalyst IOS the interface form is udld port [aggressive])
- it can safely be enabled globally, because the global command only affects fibre optic ports; copper/twisted pair links do not have the physical layer conditions that allow unidirectional links, so a copper port is only covered if UDLD is configured on it per port
- UDLD operates on each physical link of an EtherChannel independently, so only the affected member link is acted on
Using BPDU Filtering to disable STP on a port
- used in special cases where you want to prevent BPDUs from being sent or processed on one or more ports
- disabled on all switch ports by default
- configure as a global default for all PortFast ports: Switch(config)# spanning-tree portfast bpdufilter default. In this form the port stops sending BPDUs, but if a BPDU is received the port loses its PortFast status and the filter is removed, so STP still reacts to a switch being plugged in
- enable or disable per port: Switch(config-if)# spanning-tree bpdufilter {enable | disable}. In this form received BPDUs are ignored as well, which is the same as switching STP off on the port, and BPDU Guard on the same port never triggers because it never sees a BPDU
- only enable it on ports where a single host is connected, making loops impossible
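To tie the sections together, an added example that is not part of the original notes: a small Python audit that reads an IOS-style running-config and checks it against the rules on this page (BPDU guard on every PortFast port, no BPDU guard or root guard on uplinks toward the root, root guard on other switch-facing ports, loop guard globally, UDLD on uplinks, BPDU filter only on host ports). The config is a constructed sample, and recognising uplinks by the word UPLINK in the port description is an assumption of the example, not something IOS provides.

```python
# Added example, not from the original notes: audit an IOS running-config
# against the STP-protection rules above. Assumptions for this example:
# uplinks are recognised by "UPLINK" in the description, and SAMPLE_CONFIG is
# a constructed config that mixes correct settings with deliberate mistakes.
import re

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld aggressive
!
interface GigabitEthernet1/0/1
 description HOST-WORKSTATION
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description HOST-PHONE
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/10
 description DOWNLINK-ACCESS-SW2
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface TenGigabitEthernet1/1/1
 description UPLINK-DIST1
 switchport mode trunk
 spanning-tree bpduguard enable
!
interface TenGigabitEthernet1/1/2
 description UPLINK-DIST2
 switchport mode trunk
 spanning-tree guard root
!
"""


def parse_config(text):
    """Split an IOS config into (global lines, {interface name: [its lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # "!" or a blank line ends an interface block
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (interface, finding) pairs; an empty list means the config passes."""
    global_lines, interfaces = parse_config(text)
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    loopguard_default = "spanning-tree loopguard default" in global_lines
    udld_global = any(g in ("udld enable", "udld aggressive") for g in global_lines)
    findings = []
    if not loopguard_default:
        findings.append(("global", "no 'spanning-tree loopguard default': a blocking port "
                                   "whose BPDUs age out will start forwarding"))
    for name, lines in interfaces.items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        is_uplink = "UPLINK" in desc.upper()   # assumption: site naming convention
        is_trunk = "switchport mode trunk" in lines
        portfast = "spanning-tree portfast" in lines
        # Per-port enable, or the global default applied to a PortFast port
        # that has not opted out with "bpduguard disable".
        bpduguard = "spanning-tree bpduguard enable" in lines or (
            bpduguard_default and portfast and "spanning-tree bpduguard disable" not in lines)
        if portfast and not bpduguard:
            findings.append((name, "PortFast without BPDU guard: a switch plugged in here is not errdisabled"))
        if is_uplink and bpduguard:
            findings.append((name, "BPDU guard on an uplink: the root bridge's own BPDUs will errdisable it"))
        if is_uplink and "spanning-tree guard root" in lines:
            findings.append((name, "root guard on an uplink toward the root: port becomes root-inconsistent"))
        if is_trunk and not is_uplink and "spanning-tree guard root" not in lines:
            findings.append((name, "switch-facing port without root guard: a downstream switch could become root"))
        if "spanning-tree bpdufilter enable" in lines and not portfast:
            findings.append((name, "BPDU filter on a non-host port: STP is effectively disabled here"))
        if is_uplink and not udld_global and not any(l.startswith("udld") for l in lines):
            findings.append((name, "uplink without UDLD: a unidirectional fibre goes undetected"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

On the sample, Gi1/0/1 is clean (PortFast plus the global BPDU guard default); Gi1/0/2 has opted out of BPDU guard; Gi1/0/10 is a switch-facing trunk with BPDU filter and no root guard; Te1/1/1 has BPDU guard on an uplink; Te1/1/2 has root guard on the very port that must become the root port. Deleting the global loopguard or bpduguard defaults from the sample produces the corresponding extra findings.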