Route My World!

Protecting STP Topology

I. Root Guard

• The Root Guard feature prevents surrounding switches from announcing themselves as Root Bridges.
  • When configured on a port, this feature forces that port to remain as designated port and prevent it from becoming a root port.
• Imagine a new switch that is introduced into the network with a bridge priority lower than the current root bridge. In a normal STP operation, this new bridge can become the new Root Bridge and disrupt your carefully designed network.
• The way this works is:
  • A switch learns the current Root Bridge’s Bridge ID.
  • If another switch announces a superior (lower) BPDU on a port where root guard is enabled, the local switch will not allow the new switch to become the root.
  • The port that receives the new superior BPDU is then transitioned to a state called root-inconsistent STP state (effectively the same as listening state).
  • No data can be sent or received in this state.
• The recommended design is to enable Root Guard on all access ports so that a root bridge is not established through this port.

Configure Root Guard

• Root Guard can only be enabled on a per-port basis.
  • It affects the entire port. Therefore it applies to all VLANs on that port.
• It is disabled by default.
• Use the following interface configuration command:

Switch(config-if)# spanning-tree guard root

Verification

To verify configuration, use the show running config command on the interface:

Switch#show running-config int Fa0/1
Building Configuration…
!
!
interface FastEthernet0/1
switchport mode access
spanning-tree guard root
end
!

The following command displays switch ports that are in root-inconsistent state.

• Use it to find out if any ports are disabled.

Switch# show spanning-tree inconsistentports

II. BPDU Guard

• BPDU Guard protects ports that have PortFast enabled.
• Theoretically, a port that has PortFast enabled is not expected to be used for another switch or any devices that produces BPDUs. If by mistake or malicious act, a switch is connected to a PortFast enabled port, a potential bridging loop can occur.
  • A BPDU received on this port could potentially advertise a new Root Bridge.
  • BPDU Guard puts the port in err-disable state if a PortFast enabled port receives a BPDU.
• An err-disabled port will have to either be manually enabled or automatically recovered through the err-disable timeout operation.

Configuring BPDU Guard

• BPDU Guard is disabled on all switch ports by default.
  • However, all ports that have PortFast enabled automatically enables BPDU guard.
• It can be enabled:
  1.  Globally so that one command enables all switch ports or;
  2.  On a per-interface basis.

Switch(config)#spanning-tree portfast bpduguard default

Switch(config-if)#[no] spanning-tree bpduguard enable

Verify Configuration

To verify that BPDU Guard is configured:

Switch#show spanning-tree summary total
Root bridge for:Bridge group 10, VLAN1, VLAN6, VLAN1000.
Extended system ID is enabled.
PortFast BPDU Guard is enabled
EtherChannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short

III. BPDU Filtering

• BPDU filtering prevents Catalyst switches from sending BPDUs on PortFast-enabled interfaces 
• BPDU Filtering effectively disables STP on the port it is configured on.
• Disabled on all switchports by default.
• According to text, BPDU filtering is not a recommended configuration.

Configuration

• Can be configured globally or per-interface.
  • If configured on an interface, the switch does not send BPDUs and drops all BPDUs it receives.
  • If configured globally, the switch changes the interface back to normal STP operation if the port receives BPDUs on the respective interface.
• To enable globally:

Switch(config)#spanning-tree portfast bpdufilter default

• To enable/disable on specific ports:

Switch(config-if)#spanning-tree bpdufilter {enable | disable}

• To verify:

Switch# show spanning-tree summary totals

Preventing Forwarding Loops and Blackholes

IV. Loop Guard

• With LoopGuard, if a switch stops receiving BPDUs on a non-designated port, the switch places the port into the STP loop-inconsistent blocking state (instead of transitioning through listening, learning and forwarding states.
• A port stops receiving BPDUs in cases like unidirectional link failure.
• When enabled, Loop Guard keeps track of the BPDU activity on non-designated ports.
  • While BPDUs are received, the port is allowed to behave normally.
  • When BPDUs go missing, loop guard moves the port into the loop-inconsistent state.
  • When BPDUs are received on the port again, loop guard allows the port to move through the normal STP states and become active.
• By default, loop guard is disabled on all switch ports.

Configuring Loop Guard

• Loop guard can be enabled on a global or per-interface basis:

Switch(config)#spanning-tree loopguard default

Switch(config-if)#[no] spanning-tree guard loop

• Even when configured on a switchport, it only blocks on a per-VLAN basis instead of blocking the whole port.
• Follow these guidelines when using loop guard:
  • Do not enable loop guard on PortFast-enabled or dynamic VLAN ports.
  • Do not enable PortFast on loop guard-enabled ports.
  • Do not enable loop guard if root guard is enabled.
  • Do not enable loop guard on ports that are connected to a shared link.

V. Uni-Directional Link Detection (UDLD)

• Cisco-proprietary UDLD STP feature helps prevent a situation where a uni-directional traffic causes loops to occur.
• A  unidirectional link is a condition on switch ports where a link remains in the up state but the interface is not passing traffic.
  • A typical occurrence of this happens on GBIC interfaces or Small Form-Factor Pluggable (SFP) modules where.
  • When there is uni-directional link, one end of the link (the one in Blocking state) will not receive BPDUs. When BPDUs are not received on the blocked ports, they will transition through the STP states and start forwarding – when they shouldn’t. This can eventually cause instability on the network or bridging loops to occur.
•  UDLD interactively monitors a port to see if the link is truly bidirectional.
• The goal for UDLD is to detect a unidirectional link condition before STP has time to move a blocked port into the Forwarding state.
  • In order to accomplish this, the target time must be less than the Max age timer plus two intervals of the Forward Delay timer
    •  20 + 15 + 15 = 50 seconds.
  • UDLD can detect a unidirectional link after about three times the UDLD message interval
    • 15 x 3 = 45 seconds
• How it works:
  • The switch will send a special Layer 2 UDLD frame identifying its swtich port at regular interval (15 seconds).
  • UDLD expects the other end of the link to echo back those frames, with the far-end switch’s port identification added with it. 
    • The echo must be received within 15 seconds. For 3550s, the default is 7 seconds.
    • If not, the switch determines the link to be unidirectional and err-disables the port.
• UDLD requires both ends of the link to be configured for UDLD.

UDLD modes:

• Normal Mode – when a unidirectional link is detected, the port is allowed to continue operation. UDLD merely marks the port state as undetermined and sends a syslog message.
• Aggressive Mode – The switch takes action to re-establish the link. UDLD sends a message out once a second for 8 seconds. If there is no response (echo) the port is transitioned to err-disabled.

Configuring UDLD

• UDLD is disabled by default.
• It can be configured globally or per-interface.

To enable globally:

• This method enables UDLD on fiber-optic ports only. Enable UDLD on interface configuration if configuring on other port types.

Switch(config)#udld {enable | aggressive} | message time seconds}

• enable – use for normal mode
• aggressive – for aggressive mode
• message time – set the message interval between 7 to 90 seconds.

To enable on the interface:

Switch(config-if)#udld port [aggressive]

References:

1. Spanning-Tree Root Guard Enhancement
2. STP Portfast BPDU Guard Enhancement
3. Understanding How Portfast BPDU Guard Works
4. Understanding How PortFast BPDU Filtering Works
5. Understanding How Loop Guard Works
6. Understanding and Configuring the Unidirectional Link Detection Protocol
7. Configuring UDLD – Catalyst 2960 Software Config Guide 12.2(46)SE

This entry is not an authoritative guide. These are merely notes and rehash of the primary text materials and resources that I use. For a thorough guide of the BCMSN course, consider purchasing Building Cisco Multilayer Switched Networks (BCMSN) (Authorized Self-Study Guide) (4th Edition)by Richard Froom, Balaji Sivasubramanian, and Erum Frahim and CCNP BCMSN Official Exam Certification Guide (4th Edition) by Dave Hucaby ; as well as following the links on the reference section of this entry.