Monday, January 31, 2011

CCNP - ENTERPRISE - Spanning-tree Protocol - Tools to Prevent Loops

There are a number of tools that can be employed to make the STP topology more stable.

1) Root Guard - prevents an unexpected switch from becoming the Root Bridge. Enable Root Guard on all non-root ports on all switches except the Root Bridge.

If a designated port receives a superior BPDU that could cause the bridge to accept a different switch as the Root Bridge the port enters a 'root-inconsistent' state (instead of transitioning to a Root Port and therefore changing the STP topology).

The 'root-inconsistent' state will remain for as long as superior BPDUs are being received on the port. Once the BPDUs stop, the port cycles through the STP states to return to its usual function.

Enabled on a per-port basis only:
sw1(config-if)#spanning-tree guard root

2) BPDU Guard - loop prevention mechanism applied to ports using PortFast so that if a BPDU is received on the port, the port is placed into an error-disabled state instead of allowing the traffic to be forwarded and potentially creating a loop.

If a BPDU is being received on the port there must, by definition, be another switch on the other end of the link. PortFast-enabled ports transition to a forwarding state instantly, which is a benefit for end-station devices such as PCs that require a DHCP address as part of their start-up process. If you had a switch connected to a PortFast-enabled port, packets could be forwarded and a loop created. BPDU Guard helps prevent this.

Enabled globally via:
sw1(config)#spanning-tree portfast bpduguard default

Or on a per-interface basis via:
sw1(config-if)#spanning-tree bpduguard enable

3) BPDU Filtering - If a BPDU is received on a PortFast port, BPDU Filtering detects this and removes the PortFast status on the port. The port then transitions through the STP stages and takes its place in the STP topology.

It works slightly differently depending on how the command is executed. When applied globally:
sw1(config)#spanning-tree portfast bpdufilter default

The PortFast-enabled port loses its PortFast status and transitions through the STP stages.

When applied at interface level:
sw1(config-if)#spanning-tree bpdufilter enable

The PortFast-enabled port is prevented from sending and receiving BPDUs entirely.

4) Unidirectional Link Detection - UDLD - A unidirectional link occurs when a physical fault on a link is such that electrical keepalives can pass across the link but can't pass data in both directions. UDLD detects this state by sending periodic hellos across the link which must be acknowledged.

There are two modes:
i) Normal - Link state turns to Undetermined State; the port is allowed to continue working and UDLD marks the port and generates a syslog message.

ii) Aggressive - The port is set to 'error-disabled', manual intervention is then required.

When enabled globally it ONLY applies to fibre ports:
sw1(config)#udld {enable | aggressive}

When configured on a per-port basis use the same command; you now also have the option to disable it entirely if you are using a fibre optic port.
sw1(config-if)#udld {enable | aggressive | disable}

Re-enable a port shut down due to UDLD:
sw1(config-if)#udld reset

Verify UDLD:
sw1#sh udld interface

5) Loop Guard - Prevents loops forming on ports that transition from Blocking to Forwarding due to suddenly not receiving BPDUs from the switch on the other end of the link. If BPDUs stop being received on a blocking port, the max-age timer eventually expires (as there haven't been any further BPDUs to refresh the timer) and the port then cycles through the STP states as it thinks there is no longer another switch on the other end of the link.

If the port transitions to a forwarding state then a loop can occur. Loop Guard helps prevent this sequence of events by tracking BPDU activity on non-designated ports.

If BPDUs are suddenly no longer received, Loop Guard puts the port into a 'Loop Inconsistent' blocking state. The port then remains in a blocking state and a loop can be avoided.

Loop Guard automatically enables the port again once BPDUs start being received again.

Enable globally via the command:
sw1(config)#spanning-tree loopguard default

Enable on specific ports using:
sw1(config-if)#spanning-tree guard loop

Loop Guard works on a per-VLAN basis, so it doesn't block the entire port; only the affected VLAN is blocked.
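To make the Root Guard and Loop Guard behaviour above concrete, here is an added example (not Cisco code) that simulates the state decisions on a single port: a designated port receiving a superior BPDU (lower root bridge ID) goes root-inconsistent and recovers once the superior BPDUs stop, while a blocking port whose max-age timer expires goes loop-inconsistent instead of forwarding. The bridge IDs, timestamps and state names other than those in the text are constructed for illustration.

```python
# Added example: simulation of Root Guard and Loop Guard on one switch port.
# Bridge IDs and timings are constructed; MAX_AGE uses the 802.1D default.
from dataclasses import dataclass

MAX_AGE = 20.0  # seconds; default STP max-age timer


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # lower wins; 32768 is the default priority
    mac: str        # tie-breaker when priorities are equal


def is_superior(advertised: BridgeId, current_root: BridgeId) -> bool:
    """A BPDU is superior when it advertises a lower root bridge ID."""
    return advertised < current_root


@dataclass
class Port:
    role: str                  # "designated" or "non-designated"
    current_root: BridgeId     # root bridge the switch currently accepts
    root_guard: bool = False
    loop_guard: bool = False
    state: str = ""
    last_bpdu: float = 0.0     # time of the last ordinary BPDU heard
    last_superior: float = 0.0 # time of the last superior BPDU heard

    def __post_init__(self):
        # designated ports forward; non-designated ports start out blocking
        self.state = "forwarding" if self.role == "designated" else "blocking"

    def receive_bpdu(self, root: BridgeId, now: float) -> str:
        if self.role == "designated" and is_superior(root, self.current_root):
            self.last_superior = now
            # Root Guard refuses the new root instead of re-converging the topology
            self.state = "root-inconsistent" if self.root_guard else "root-port"
        else:
            self.last_bpdu = now
            if self.state == "loop-inconsistent":
                self.state = "blocking"  # BPDUs are back; Loop Guard releases the port
        return self.state

    def tick(self, now: float) -> str:
        if self.state == "root-inconsistent" and now - self.last_superior > MAX_AGE:
            self.state = "forwarding"  # superior BPDUs stopped; resume normal role
        elif self.state == "blocking" and now - self.last_bpdu > MAX_AGE:
            # Without Loop Guard the max-age expiry would unblock the port
            self.state = "loop-inconsistent" if self.loop_guard else "forwarding"
        return self.state
```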
