© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-1 Implementing Spanning Tree Describing STP Stability Mechanisms
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-2 Cisco STP Toolkit PortFast: Configures access port as edge ports, which transition directly to forwarding state. BPDUGuard: Disables a PortFast- enabled port if a BPDU is received. BPDUFilter: Suppresses BPDUs on ports (not recommended). RootGuard: Prevents external switches from becoming roots. LoopGuard: Prevents an alternate port or root port from becoming the designated port if no BPDUs are received. UplinkFast*: Provides from 3 to 5 seconds of convergence after link failure. BackboneFast*: Cuts the convergence time by max_age for an indirect failure. * Not required with PVRST+.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-3 Protecting the Operation of STP Protection against switches being added on PortFast ports BPDU Guard shuts down ports if BPDUs are received. –Available both in global mode and per interface. BPDU F ilter blocks transmission and receiving of BPDUs. –When configured in global mode, any PortFast mode receiving BPDU becomes standard port. –When configured at interface level, ignores BPDUs and does not send BPDUs. Root Guard blocks the election of a new root switch on access ports.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-4 BPDUGuard Configuration Enables BPDUGuard Displays BPDUGuard configuration information switch# show spanning-tree summary totals Root bridge for: none. PortFast BPDU Guard is enabled Etherchannel misconfiguration guard is enabled UplinkFast is disabled BackboneFast is disabled Default pathcost method used is short Name Blocking Listening Learning Forwarding STP Active VLANs switch(config)# spanning-tree portfast bpduguard switch# show spanning-tree summary totals
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-5 BPDUFilter Configuration switch# show spanning-tree summary totals Root bridge for:VLAN0010 EtherChannel misconfiguration guard is enabled Extended system ID is disabled Portfast is enabled by default PortFast BPDU Guard is disabled by default Portfast BPDU Filter is enabled by default Loopguard is disabled by default UplinkFast is disabled BackboneFast is disabled Pathcost method used is long Name Blocking Listening Learning Forwarding STP Active vlans switch(config)# spanning-tree portfast bpdufilter default switch# show spanning-tree summary totals Enables BPDUFilter (not recommended; can cause loops) Displays BPDUFilter configuration information
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-6 RootGuard Configuration of RootGuard
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-7 Verifying RootGuard switch# show running-config interface fastethernet 5/8 Building configuration... Current configuration: 67 bytes ! interface FastEthernet5/8 switchport mode access spanning-tree guard root switch# show spanning-tree inconsistentports Name Interface Inconsistency VLAN0001 FastEthernet3/1 Port Type Inconsistent VLAN0001 FastEthernet3/2 Port Type Inconsistent VLAN1002 FastEthernet3/1 Port Type Inconsistent Number of inconsistent ports (segments) in the system :3 switch# show running-config interface type mod/port switch# show spanning-tree inconsistentports Displays interface configuration information Displays information about ports in inconsistent states
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-8 Before LoopGuard
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-9 With LoopGuard
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-10 Configuring LoopGuard Enables LoopGuard globally and on an interface switch(config)# spanning-tree global-default loopguard enable switch(config-if)# [no] spanning-tree guard loop
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-11 Unidirectional Link Failure
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-12 Configuring UDLD switch(config)# udld {enable | aggressive} Enables UDLD globally on all fiber-optic interfaces switch(config-if)# udld port [aggressive] Enables UDLD on an individual interface switch(config-if)# no udld enable Disables UDLD on an individual nonfiber-optic interface switch(config-if)# no udld port Disables UDLD on an individual fiber-optic interface
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-13 Comparing LoopGuard with UDLD LoopGuardUDLD ConfigurationPer port Action granularityPer VLANPer port AutorecoveryYes Yes, with errdisable timeout feature Protection against STP failures caused by unidirectional links Yes, when enabled on all root and alternative ports in redundant topology Yes, when enabled on all links in redundant topology Protection against STP failures caused by problem in software, resulting in designated switch not sending BPDU YesNo Protection against miswiringNoYes
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-14 Recommended Practices—UDLD Configuration Typically, it is deployed on any fiber-optic interconnection. Use UDLD aggressive mode for best protection. Turn on in global configuration to avoid operational errors and misses.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-15 Implementing a Spanning-Tree Protocol Select a spanning-tree implementation: –RSTP—preferred solution. –MSTP. –STP. –PVST+. Recommendations for the Cisco Enterprise Campus Architecture: –Avoid Layer 2 loops, and use Layer 3 protocols to handle load balancing and redundancy. –Keep the spanning-tree domain as simple as possible. –Ensure that all links connecting backbone switches are routed links, not VLAN trunks. –Use multilayer switching to reduce the scope of spanning-tree domains. –Do not disable STP; keep it enabled to protect against loops.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-16 Spanning-Tree Recommendations Use only when you have to! –Required for protection against “user-side” loops –Required when a VLAN spans access layer switches –More common in the data center Use PVRST+ or MSTP for best convergence. Take advantage of the Cisco STP Toolkit. Keep STP domain as simple as possible. Do not disable STP; it protects against unplanned loops. Use routed links if possible.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-17 Spanning-Tree Recommendations (Cont.) Configure the primary and secondary root switch (distribution switch). Root bridge should not change. –LoopGuard –RootGuard –UDLD Only end-station traffic should be seen on an edge port. –PortFast –BPDUGuard –RootGuard –Port security
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-18 FlexLinks in the Access Layer An active/standby link pair is defined on a common access switch: –Pair is configured with the switchport backup interface command. –An interface can belong to only one FlexLink. –Different interface types are allowed. FlexLink pairs have STP off and no BPDUs are propagated. Loops are not detected due to no STP. Failover is in the 1-to-2-second range. Distribution switch is not aware of FlexLinks. Supported 4500 and 6500 switches.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-19 Summary To protect STP operations, several features are available that control the way that BPDUs are sent and received. BPDUGuard protects the operation of STP on PortFast-configured ports. BPDUFilter is a variant that prevents BPDUs from being sent and received while leaving the port in forwarding state. A root switch cannot be elected via BPDUs received on a RootGuard-configured port. LoopGuard detects and disables an interface with Layer 2 unidirectional connectivity, protecting the network from anomalous STP conditions. UDLD detects and disables an interface with unidirectional connectivity, protecting the network from anomalous STP conditions. In most implementations, the Cisco STP Toolkit should be used, in combination with additional factors such as FlexLinks.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—3-20