Spanning Tree Protection

Jan 27, 2012 7:14 PM

Introduction:

This document describes five switch configuration tools that protect STP from different types of problems or attacks, depending on whether a port is a trunk or access port.

A) BPDU Guard:

Enable per port; error disable the port upon receipt of any BPDU 

1) When enabled on an interface, the port goes into the error-disabled state if a BPDU is received:

Switch(config-if)#spanning-tree bpduguard enable

(note: PortFast does not need to be configured on the port for the interface-level command to take effect)

2) It can also be enabled in global configuration mode; the global form applies to PortFast-enabled ports:

Switch(config)#spanning-tree portfast bpduguard default

B) BPDU Filter:

Restricts the switch from sending unnecessary BPDUs out access ports.

1) When enabled on an individual port, BPDU filtering has the following effects:

   > It ignores all BPDUs received.

   > It sends no BPDUs.

Switch(config-if)#spanning-tree bpdufilter enable

2) When enabled globally, BPDU filtering has the following effects:

    a) It affects all operational PortFast ports on switches that do not have BPDU filtering configured on the individual ports.

    b) If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and the STP sends and receives BPDUs on the port as it would with any other STP port on the switch.

    c) Upon startup, the port transmits ten BPDUs. If the port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.

Switch(config)#spanning-tree portfast bpdufilter default

C) Root Guard: 

Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard feature forces an interface to remain a designated port, which prevents surrounding switches from becoming the root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which Root Guard is enabled receives a superior BPDU, the switch moves the port into a root-inconsistent state (effectively equal to the listening state), thus maintaining the current Root Bridge status.

It can be enabled on ports other than the root port, on switches other than the root switch, using the following command:

Switch(config)#spanning-tree guard root

D) UDLD (Unidirectional Link Detection):

UDLD detects a physically broken link in the absence of Layer 1 electrical keepalives (Ethernet calls this a link beat). However, sometimes a cable is intact enough to maintain keepalives but not to pass data in both directions. This is a unidirectional link.

UDLD detects a unidirectional link by sending periodic hellos out of the interface. It also uses probes, which must be acknowledged by the device on the other end of the link. UDLD operates at Layer 2. The port is shut down if a unidirectional link is found.

UDLD will not consider a link eligible for disabling until it has already seen a neighbor on the interface. This prevents it from disabling an interface when only one end of the link has been configured to support UDLD.

The default UDLD message timer is 7 or 15 seconds (depending on the platform), allowing it to detect a unidirectional link before STP has time to transition the interface to forwarding mode.

UDLD has two modes of operation: 

1) Normal mode – UDLD will notice and log a unidirectional link condition, but the interface is allowed to continue operating.

2) Aggressive mode – UDLD will transmit 8 additional messages (1 per second); if none of these are echoed back, the interface is placed in the error-disabled state.

UDLD can be enabled globally for all fiber interfaces, or per interface.

The global command applies only to fiber ports:

Switch(config)# udld { enable | aggressive | message time }

The UDLD message time can be from 7 to 90 seconds.

To enable UDLD on a non-fiber port, use the same command in interface configuration mode:

Switch(config-if)# udld { enable | aggressive | disable }

To disable UDLD on a specific fiber port, use the following command:

Switch(config-if)# udld disable

To disable UDLD on a specific non-fiber port, use the following command:

Switch(config-if)#no udld enable

To re-enable all interfaces shut by UDLD, use the following:      

Switch#udld reset

To verify UDLD status, use the following:  

Switch#show udld interface

Fast UDLD:

Like UDLD, Fast UDLD is used to detect and disable point-to-point LAN links that have failed at Layer 2 for any number of reasons and are unable to exchange full-duplex traffic. Shorter keepalive timers are used to detect failures. Use of short timers in any protocol needs to be approached with caution: as the timer interval is reduced, the chance of false positives increases, especially as traffic load on the link or CPU load on the system increases. Release 12.2(33)SXI4 and later releases support Fast UDLD. By default, Fast UDLD is disabled. Please refer to the Fast UDLD hyperlink for details.

Configuring Fast UDLD on a Port

1) To configure the Fast UDLD probe message interval on a port, use the "udld fast-hello interval" command in interface configuration mode.

2) By default, Fast UDLD error-disables ports with unidirectional links. You can globally configure Fast UDLD to report unidirectional links with a message displayed on the console instead of error-disabling the ports.

To enable Fast UDLD error reporting, use the "udld fast-hello error-reporting" command in global configuration mode.

3) Verification:

To display the Fast UDLD configuration and operational state, use the "show udld fast-hello" command.

To reset all LAN ports that have been shut down by UDLD, use the "udld reset" command in exec mode.


E) Loop guard:

Loop Guard prevents the loops that occur when a blocking port transitions to the forwarding state because it has stopped receiving BPDUs.

If no BPDUs are received on a blocked port for a specific length of time, Loop Guard puts that port into the "loop-inconsistent" blocking state. Loop Guard automatically re-enables the port if it starts receiving BPDUs again. It is most effective when enabled across the entire switched network in conjunction with UDLD.

When implementing Loop Guard, you should be aware of the following implementation guidelines:

    1) Loop Guard cannot be enabled on a switch that also has Root Guard enabled

    2) Loop Guard does not affect Uplink Fast or Backbone Fast operation

    3) Loop Guard must be enabled on point-to-point links only

    4) Loop Guard operation is not affected by the Spanning Tree timers

    5) Loop Guard cannot actually detect a unidirectional link

    6) Loop Guard cannot be enabled on Port Fast or Dynamic VLAN ports

To enable Loop Guard for all point-to-point links on the switch, use the following command: 

Switch(config)# spanning-tree loopguard default

To enable Loop Guard on a specific interface, use the following:

Switch(config-if)# spanning-tree guard loop
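The following is an added example, not part of the original document, showing where the five features from sections A to E belong on a single access switch: BPDU Guard on PortFast access ports, Loop Guard and UDLD on the trunk uplinks, and Root Guard on a downlink that must never become root. Interface names, VLAN ids and the errdisable recovery timer are assumed values.

```cisco
! Global defaults: every PortFast port gets BPDU Guard, every
! point-to-point link gets Loop Guard, fiber ports run UDLD aggressive.
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld aggressive
!
! Access ports (end hosts, assumed names): PortFast so the global
! BPDU Guard applies. A BPDU arriving here err-disables the port
! instead of letting an unexpected switch reshape the tree.
! BPDU Filter is deliberately NOT used here: it would hide that event.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Fiber trunk uplinks towards distribution: no PortFast, so neither
! BPDU Guard nor BPDU Filter applies. The global Loop Guard covers a
! blocking port that stops hearing BPDUs; the global UDLD aggressive
! err-disables a one-way link before STP can unblock it.
interface range TenGigabitEthernet1/1/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Downlink trunk to a switch that must never become root: Root Guard
! keeps this a designated port. Loop Guard and Root Guard cannot be
! combined on one port, so "guard root" replaces the global "guard loop".
interface GigabitEthernet1/0/48
 switchport mode trunk
 spanning-tree guard root
!
! Let ports err-disabled by BPDU Guard or UDLD recover on their own
! once the cause is gone (assumed interval of 300 seconds).
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
```

After applying this, "show spanning-tree inconsistentports" lists ports held in root-inconsistent or loop-inconsistent state, and "show interfaces status err-disabled" lists ports taken down by BPDU Guard or UDLD.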

Related Information:

Spanning Tree Protocol Root Guard Enhancement

Spanning Tree PortFast BPDU Guard Enhancement

Spanning-Tree Protocol Enhancements using Loop Guard and BPDU Skew Detection Features

Configuring UDLD
