Design Question - UDLD , Loopguard, STP

sachinraja
Level 9

Hi All

I have gone through various documents on UDLD, loop guard etc., with Rapid STP and normal STP. Just wanted some kind of confirmation/validation here:

1) UDLD aggressive - will be enabled globally for IOS devices. For CatOS it is enabled per interface, as it cannot be enabled globally (CatOS has UDLD normal mode in global mode). I have also gone through various scenarios, like enabling UDLD aggressive on one side and the other side having normal mode or no UDLD enabled. UDLD can be enabled with no issues on one side. UDLD normal puts the port in an inconsistent state, and UDLD aggressive err-disables the port. Is that right?

2) UDLD aggressive with Rapid STP - UDLD takes 45 secs to detect a unidirectional link (15 sec message time), and 8 more secs. With Rapid STP the convergence time is less and UDLD might not be useful in this case. Even with the lowest message time of 7 secs, it takes 21 secs to converge. We can then use loop guard to detect unidirectional links with RSTP. Is that right? I saw a lot of posts from Francois about UDLD and Rapid STP timers which are of interest...

3) Loop guard - as said above, loop guard will be used to detect unidirectional links with RSTP. When enabled globally, it enables loop guard on all ports (root, designated, blocked, etc.). Is this fine? Also, how much time (in secs) will loop guard take to put the port in "loop inconsistent" mode? Are there any timers involved with loop guard?

4) Rapid STP with PVST on the other side - when migrating PVST to Rapid PVST, we can have situations where we have Rapid STP on one side and PVST on the other. In this case the network will work with normal STP timers (50 sec convergence), and UDLD would work well in this case. Is that right?

5) Best practice - enable loop guard and UDLD globally on all ports, whether the STP is rapid or PVST, or the switch is root or designated. Is that right?

Hoping to hear..

Raj

6 Replies

Ganesh Hariharan
VIP Alumni

Hi Raj,

I agree with most of the points which you have mentioned in your thread; just my thoughts and recommendations on the thread.

UDLD is disabled globally and enabled in readiness on fiber ports by default. Because UDLD is an infrastructure protocol that is necessary between switches only, UDLD is disabled by default on copper ports. Copper ports tend to be used for host access.

Note: UDLD must be enabled globally and at the interface level before neighbors can achieve bidirectional status. In CatOS 5.4(3) and later, the default message interval is 15 seconds and is configurable between 7 and 90 seconds.

And yes, the port goes to err-disable state once any loop is detected where UDLD is enabled. The normal recommendation is that Normal mode UDLD is sufficient in the vast majority of cases if you use it properly and in conjunction with the appropriate features and protocols. These features/protocols include:

* FEFI
* Autonegotiation
* Loop guard

Cisco recommends enabling UDLD normal mode on all point-to-point FE/GE links between Cisco switches, with the UDLD message interval set to the 15-second default. This configuration assumes the default 802.1D spanning tree timers. Additionally, use UDLD in conjunction with loop guard in networks that rely on STP for redundancy and convergence. This recommendation applies to networks in which there are one or more ports in the STP blocking state in the topology.

Regarding loop guard: it is only useful in switched networks where switches are connected by point-to-point links. Loop guard isolates the failure and lets spanning tree converge to a stable topology without the failed link or bridge. Loop guard prevents STP loops with the speed of the STP version in use. There is no dependency on STP itself (802.1D or 802.1w) or on whether the STP timers are tuned. For these reasons, implement loop guard in conjunction with UDLD in topologies that rely on STP and where the software supports the features.

Hope to help!

Ganesh.H

Giuseppe Larosa
Hall of Fame

Hello Raj,

1) UDLD has a minimal neighbor state machine; if UDLD is enabled on only one side it will not be operational on that port in either mode, normal or aggressive.

2) I had the same doubts about UDLD timing and Rapid STP convergence: UDLD looks too slow. However, as you have noted, Francois Tallet has explained that it can be useful with RSTP, because RSTP uses timers in some cases.

To be noted, a new mechanism is mentioned as available in 12.2(33)SXI for Rapid PVST:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/spantree.html#wp1098785

Using the dispute mechanism included in the IEEE 802.1D-2004 RSTP standard, the switch checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.

3) STP loop guard: this is effective with RSTP; we use it in combination with broadcast storm-control at 1%.

4) Yes, backward compatibility of Rapid Per-VLAN STP with PVST+ is done on a per-port basis: PVST+ STP BPDUs with the version field set to 1 are detected and set the port behaviour to PVST+.

5) Yes, spanning tree loop guard and UDLD in both directions on each uplink and on L2 links between distribution switches.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

Raj

4) Rapid STP with PVST on the other side - when migrating PVST to Rapid PVST, we can have situations where we have Rapid STP on one side and PVST on the other. In this case the network will work with normal STP timers (50 sec convergence), and UDLD would work well in this case. Is that right?

Yes, correct, although it should be noted that you can limit the effects here by using the "switchport trunk allowed vlan ..." command to only allow the VLANs that are needed on the PVST+ switch across the link. Any other VLANs on the Rapid STP switch that do not go over the trunk will benefit from the Rapid STP timers.

Jon

Thanks all for the replies.

Giuseppe - I still hope the timer calculations are right, but I have not tested it enough. I'll have to put it on a live network and look at troubleshooting these issues.

Jon - Thanks. Most of the setup here has VLANs passing through on trunks. If VLANs don't pass through, it is either the case of a Layer 3 edge, or that they are Layer 2 VLANs. In both these cases, I don't think there is much complexity, since STP does not affect UDLD operation, right?

Also, has anyone had any issues with UDLD on pseudowire links? L2 VPN links? Does the PE router allow UDLD communication to happen, or does the ISP need to transport UDLD packets on the MPLS routers? I remember before, with L2 WAN links (either Metro Ethernet or MPLS), service providers had to explicitly allow certain protocols like STP and VTP for them to establish the protocol end to end. How about UDLD packets over MPLS AToM or L2 VPN links?

And what is the convergence time for loop guard to take effect? Is it 3 times hello, which is 3 x 2 = 6 secs, to put a port in loop inconsistent mode?

Thanks again for all the explanation..

Raj

Just got a link which speaks about UDLD being used for remote failure detection in pseudowires and L2VPN architectures...

http://www.cisco-secure.com/en/US/docs/solutions/Enterprise/Data_Center/HA_Clusters/HA_IAF_5.html#wp1081885

Thought it would be useful here.

Raj

Hello Raj,

EoMPLS point-to-point service is totally blind. I remember in some lab tests (done some years ago on a GSR with 12.0(25)S) that the L2 PE node was accepting and transferring over the pseudowire even frames with destination MAC = PE node interface MAC address.

Actually, for scalability reasons an L2 PE does not perform MAC address learning.

Every valid Ethernet frame should be carried over the point-to-point pseudowire.

Things can be different with VPLS.

So you should be fine with that. We have deployed an EoMPLS pseudowire to be used as a third link in an LACP-based EtherChannel to provide redundancy for interconnecting two FWSMs that are mounted in two different campuses of the same town.

The link is configured to stay down in normal conditions, so I could not check directly, but when it comes up LACP frames travel over it.

Edit:

>> And what is the convergence time for loop guard to take effect? Is it 3 times hello, which is 3 x 2 = 6 secs, to put a port in loop inconsistent mode?

Your understanding is correct: max age is not used in RSTP; three hello timers are enough to trigger an STP state change.

STP loop guard reacts to missing three STP BPDUs in a row, which would otherwise cause the port to move to the forwarding state.

Note: max-age is still used to provide a maximum number of switch hops in the STP domain; this is important to note for ring topologies.

Other note: STP loop guard will re-enable the link as soon as STP BPDUs on the network segment are received again.

Be also aware, if you are going to use WS-6708 or WS-6716, that it is wise to use recent IOS images (from 12.2(33)SXH); we had issues with 12.2(18)SXFxx.

Hope to help

Giuseppe
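The recommendations collected in this thread (UDLD and loop guard enabled globally with the per-port UDLD command on copper uplinks, Jon's tip to prune the allowed VLANs on trunks toward PVST+ switches, and the three-hello loop guard timing Giuseppe confirms) can be checked mechanically against a running-config. The script below is an added example, not code from this thread or from Cisco: the running-config it reads is constructed, the timer arithmetic follows the figures quoted in the thread (three message intervals to age out a UDLD neighbour, plus eight one-second retries before aggressive mode err-disables; three hellos under Rapid PVST, max-age under legacy PVST), and it assumes every trunk is a copper port that needs `udld port [aggressive]` in addition to the global command.

```python
"""Audit a Cisco IOS running-config for the UDLD / loop guard / STP settings
discussed in the thread and compute the reaction times the thread quotes."""
import re

# Constructed sample running-config (not from the thread): one compliant
# uplink, one with normal-mode UDLD and no VLAN pruning, one with neither.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree loopguard default
udld aggressive
udld message time 7
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 udld port aggressive
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 udld port
!
interface GigabitEthernet1/0/3
 description uplink to legacy PVST+ switch
 switchport mode trunk
!
"""


def parse_config(text):
    """Split an IOS config into global commands and per-interface command
    lists. Indented lines belong to the preceding 'interface' stanza; a bare
    '!' ends the stanza."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def udld_reaction_seconds(message_time, aggressive):
    """Seconds from the last good UDLD echo until UDLD acts (assumption, per
    the thread's figures): 3 message intervals to age out the neighbour, then
    8 one-second retries before aggressive mode err-disables the port."""
    return 3 * message_time + (8 if aggressive else 0)


def loopguard_reaction_seconds(stp_mode, hello=2, max_age=20):
    """Missing-BPDU time before loop guard marks a port loop-inconsistent:
    three lost hellos under rapid-pvst (max age unused), max-age under pvst."""
    return 3 * hello if stp_mode == "rapid-pvst" else max_age


def audit(text):
    """Apply the thread's recommendations; return settings and findings."""
    global_cmds, interfaces = parse_config(text)
    findings, stp_mode, msg_time = [], "pvst", 15  # IOS defaults
    for cmd in global_cmds:
        m = re.match(r"spanning-tree mode (\S+)$", cmd)
        if m:
            stp_mode = m.group(1)
        m = re.match(r"udld message time (\d+)$", cmd)
        if m:
            msg_time = int(m.group(1))
    if "udld aggressive" in global_cmds:
        udld_global = "aggressive"
    elif "udld enable" in global_cmds:
        udld_global = "normal"
    else:
        udld_global = None
        findings.append(("global", "UDLD not enabled globally"))
    if "spanning-tree loopguard default" not in global_cmds:
        findings.append(("global", "loop guard not enabled globally"))
    for name, cmds in interfaces.items():
        if "switchport mode trunk" not in cmds:
            continue  # only switch-to-switch links matter for UDLD/loop guard
        # Global 'udld aggressive' covers fibre ports only; a copper trunk
        # (assumed here) needs the per-port command as well.
        if not any(c in ("udld port", "udld port aggressive") for c in cmds):
            findings.append((name, "trunk with no per-port 'udld port [aggressive]'"))
        # If the peer still runs PVST+, every VLAN on the trunk falls back to
        # 802.1D timers, so carry only the VLANs the peer needs.
        if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings.append((name, "trunk allows all VLANs; prune with "
                                   "'switchport trunk allowed vlan' if the peer is PVST+"))
    return {"stp_mode": stp_mode, "udld_global": udld_global,
            "udld_message_time": msg_time,
            "udld_errdisable_seconds": udld_reaction_seconds(msg_time, udld_global == "aggressive"),
            "loopguard_seconds": loopguard_reaction_seconds(stp_mode),
            "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print({k: v for k, v in result.items() if k != "findings"})
    for where, msg in result["findings"]:
        print(f"FINDING {where}: {msg}")
```

Run against the sample, it reports no global findings, flags GigabitEthernet1/0/2 for carrying all VLANs and GigabitEthernet1/0/3 for both missing per-port UDLD and carrying all VLANs, and shows that with `udld message time 7` aggressive mode err-disables a port after 29 seconds while loop guard under Rapid PVST reacts after 6 seconds, which is the gap the thread is discussing. Swap `SAMPLE_CONFIG` for the output of `show running-config` from a real switch to audit it.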
