Spanning Tree protection

BPDU Guard

• Prevent loops if another switch is attached to Portfast port enabled port.

• When enabled on interface,  port goes in error-disabled state if BPDU is received
  • Switch(config-if)#spanning-tree bpduguard enable

               (note portfast may not be configured)

• Can be enabled on global configuration mode
  • Switch(config)#spanning-tree portfast bpduguard default

BPDU Filter:

• If  enabled on interface mode it prevents the port from sending or  receiving BPDU
  • Switch(cofig-if)#spanning-tree bpdufilter enable

• If  enabled globally if portfast interface receive the BPDU it take out  portfast status
  • Switch(config)#spanning-treee portfast bpdufilter  default

Root Guard

• Prevent other switch becoming root bridge
• Enabled on  ports other than the root port and on the switches other than root switch
• Root guard port  receives a BPDU that might cause it to become a root port, then the  port is put into “root inconsistent” state and does not pass traffic through it.
• But if port stops  receiving these BPDU, it automatically re-enables itself
  • Switch(config)#spanning-tree guard root.

UDLD (Unidirectional Link Detection)

• Detects physical broken physical link in absence of layer 1 electrical  keepalives (Ethernet calls this a link beat).However, sometimes a cable  is intact enough to maintain keepalives, but no to pass data in both  directions. This is unidirectional link.

• UDLD detects a unidirectional link by sending periodic hellos out to  the interface. It also uses porbes, which must be acknowledged by the  devices on the other end of the link. UDLD operates at Layer 2. The port  is shutdown if a unidirectional link is found.

• UDLD will not consider a link eligible for disabling until it has seen  a neighbor on the interface already.This prevents it from disabling an  interface when only one end of the link has been configured to support  UDLD.

• The default UDLD message timer is 7 or 15 seconds (depending on the  platform), allowing it to detect a unidirectional link before STP has  time to transition the interface to forwarding mode

• UDLD has two modes of operation:
  • Normal mode – UDLD will notice and log a unidirectional link condition, but the interface is allowed to continue operating.
  • Aggressive mode – UDLD will transmit 8 additional messages (1 per  second); if none of these are echoed back the interface is placed in the  error-disabled state.
  • UDLD can be enabled globally for all fiber interfaces, or per-interface

• Global command but it applies only to fiber ports
  • Switch(config)# udld { enable | aggressive | message time }

• The UDLD message time can be from 7 to 90 seconds

• To enable udld for non fiber port enable same command on interface mode
  • Switch(config-if)# udld { enable | aggressive | disable }

• To disable UDLD on a specific fiber port, use the following command:
  • Switch(config-if)# udld disable

• To disable UDLD on a specific non-fiber port, use the following command:
  • Switch(config-if)#no udld enable

• To re-enable all interfaces shut by UDLD, use the following:    
  • Switch#udld reset

• To verify UDLD status, use the following:
  • Switch#show udld interface

Loop guard

• Loop guard prevents form loop which occurs as  result of blocking port transiting to forwarding state
  • If no  Bpdu are received on a blocked port for a specific length of  time. Loop guard puts that port into “loop inconsistent”  blocking state
  • Loop Guard automatically re-enables the port if it starts receiving BPDUs again.
  • It is most effective when enabled in the entire switched network in conjunction with UDLD.

• To enable Loop Guard for all point-to-point links on the switch, use the following command:
  • Switch(config)# spanning-tree loopguard default

• To enable Loop Guard on a specific interface, use the following:
  • Switch(config-if)# spanning-tree guard loop