Describing STP Stability Mechanisms
Implementing Spanning Tree
© 2009 Cisco Systems, Inc. All rights reserved.
SWITCH v1.0—3-1
Cisco STP Toolkit
 PortFast: Configures access ports
as edge ports, which transition
directly to the forwarding state.
 BPDUGuard: Error-disables a PortFast-enabled port if a BPDU is received.
 BPDUFilter: Suppresses BPDUs
on ports (not recommended).
 RootGuard: Prevents external
switches from becoming roots.
 LoopGuard: Prevents an alternate
port or root port from becoming the
designated port if no BPDUs are
received.
 UplinkFast*: Provides from 3 to 5
seconds of convergence after link
failure.
 BackboneFast*: Cuts the
convergence time by max_age for
an indirect failure.
* Not required with PVRST+.
Protecting the Operation of STP
Protection against switches being added on PortFast ports
 BPDUGuard error-disables a port if a BPDU is received on it.
– Available both in global mode and per interface.
 BPDUFilter blocks the transmission and receipt of BPDUs.
– When configured in global mode, a PortFast port that receives a BPDU
loses its PortFast status and behaves as a standard STP port.
– When configured at the interface level, the port ignores received BPDUs
and sends none, which effectively disables STP on that port.
 RootGuard blocks the election of a new root switch through access ports:
a port that receives a superior BPDU is held in the root-inconsistent
state until the superior BPDUs stop.
BPDUGuard Configuration
switch(config)# spanning-tree portfast bpduguard default
 Enables BPDUGuard globally on all PortFast ports (older IOS releases
accept the form without the default keyword; the per-interface form is
spanning-tree bpduguard enable)
switch# show spanning-tree summary totals
 Displays BPDUGuard configuration information
switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
34 VLANs                    0         0        0         36         36
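A worked configuration, added here and not taken from the course slides, that enables BPDUGuard globally for every PortFast port, pins it explicitly on the edge ports, opts one uplink out, and lets the switch recover an err-disabled port on a timer. Interface numbers, VLAN 10 and the 300 s recovery interval are assumptions for the example.

```cisco
! Global default: any port in PortFast (edge) mode is err-disabled the
! moment a BPDU arrives on it. Ports without PortFast are not affected.
spanning-tree portfast bpduguard default

! Edge-port template: PortFast plus an explicit per-interface BPDUGuard, so
! the port stays protected even if the global default is removed later.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! A port that legitimately talks STP (here an uplink) opts out explicitly.
interface GigabitEthernet1/0/48
 description Uplink to distribution (assumed)
 switchport mode trunk
 spanning-tree bpduguard disable

! Optional: bring err-disabled ports back after 300 s instead of waiting for
! a manual shutdown / no shutdown. Leave this off where a rogue switch should
! stay isolated until an operator has looked at it.
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify with show spanning-tree summary (the PortFast BPDU Guard line), show interfaces status err-disabled for ports that have tripped, and show errdisable recovery for the timer. Note that BPDUGuard only fires on ports that are actually in PortFast mode; a port with spanning-tree bpduguard enable but no PortFast still err-disables on a BPDU, which is the reason for setting both on the template.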
BPDUFilter Configuration
switch(config)# spanning-tree portfast bpdufilter default
 Enables BPDUFilter globally on all PortFast ports (not recommended; BPDUFilter can cause loops, especially in its per-interface form, because a port that neither sends nor receives BPDUs never leaves forwarding)
switch# show spanning-tree summary totals
 Displays BPDUFilter configuration information
switch# show spanning-tree summary totals
Root bridge for: VLAN0010
EtherChannel misconfiguration guard is enabled
Extended system ID           is disabled
Portfast                     is enabled by default
PortFast BPDU Guard          is disabled by default
Portfast BPDU Filter         is enabled by default
Loopguard                    is disabled by default
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is long
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
2 vlans                       0         0        0          3          3
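The following configuration is an added example, not part of the course material, that puts the risky per-interface BPDUFilter next to the global form and next to the setting most sites should actually use. Interface numbers are assumptions.

```cisco
! Risky form (interface level): the port neither sends nor honours BPDUs,
! so STP is effectively off on it and it stays in forwarding. A cable
! looped back into the switch, or a rogue switch on this port, is never
! blocked.
interface GigabitEthernet1/0/10
 description Shown only to contrast with the global form
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable

! Global form: BPDUs are suppressed only while the port is an edge port.
! If a BPDU does arrive, the port drops PortFast and the filter and runs
! STP normally, so a looped cable or rogue switch is still blocked.
spanning-tree portfast bpdufilter default
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast

! Preferred for user ports: do not filter at all. PortFast already avoids
! the topology-change churn, and BPDUGuard err-disables anything that
! talks STP instead of quietly letting it forward.
no spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/12
 switchport mode access
 spanning-tree portfast
```

The three blocks are alternatives; the last two global commands are mutually exclusive choices for the whole switch, not a sequence to type together. After either choice, show spanning-tree summary totals reports which of Portfast BPDU Filter and PortFast BPDU Guard is enabled by default.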
RootGuard
 Configuration of RootGuard: applied per interface with
switch(config-if)# spanning-tree guard root
(RootGuard and LoopGuard are mutually exclusive on a port.)
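As an added example (not from the slides), RootGuard on the ports of the intended root bridge that face the access layer, plus the data-center case of an access port that a mis-cabled server could use to advertise a better bridge ID. Interface names are assumptions.

```cisco
! Distribution switch: it is meant to be root for the user VLANs, so every
! port that faces an access switch refuses to accept a better root from
! below. The guard is per port and applies to every VLAN on the trunk.
interface range TenGigabitEthernet1/1 - 8
 description Downlinks to access switches (assumed)
 switchport mode trunk
 spanning-tree guard root

! Access port in a data center: a hypervisor vSwitch or a mis-cabled
! appliance can source BPDUs. PortFast keeps the port fast to forward,
! RootGuard stops it from ever electing a new root.
interface GigabitEthernet2/1
 switchport mode access
 spanning-tree portfast
 spanning-tree guard root
```

When a superior BPDU arrives on a guarded port, that port goes root-inconsistent (blocking) for the affected VLAN only, logs a %SPANTREE-2-ROOTGUARD_BLOCK message, and shows up in show spanning-tree inconsistentports with the inconsistency Root Inconsistent. Recovery is automatic once the superior BPDUs stop; no errdisable recovery entry is involved. Confirm with show spanning-tree root that the root bridge for each VLAN is still the switch you intended.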
Verifying RootGuard
switch# show running-config interface type mod/port
 Displays interface configuration information
switch# show spanning-tree inconsistentports
 Displays information about ports in inconsistent states
switch# show running-config interface fastethernet 5/8
Building configuration...
Current configuration: 67 bytes
!
interface FastEthernet5/8
switchport mode access
spanning-tree guard root
switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
Number of inconsistent ports (segments) in the system :3
Before LoopGuard
With LoopGuard
Configuring LoopGuard
switch(config)# spanning-tree loopguard default
switch(config-if)# [no] spanning-tree guard loop
 Enables LoopGuard globally (on all non-designated ports) and on an
interface. (The global-default loopguard enable wording is CatOS set
spantree syntax, not an IOS command.)
Unidirectional Link Failure
Configuring UDLD
switch(config)# udld {enable | aggressive}
 Enables UDLD globally on all fiber-optic interfaces
switch(config-if)# udld port [aggressive]
 Enables UDLD on an individual interface
switch(config-if)# no udld enable
 Disables UDLD on an individual nonfiber-optic interface
switch(config-if)# no udld port
 Disables UDLD on an individual fiber-optic interface
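One uplink-hardening configuration, added as an example for both the LoopGuard and the UDLD slides above (it is not the course's own), that enables the two globally and then fills the gap the global UDLD command leaves on copper links. Interface names and the choice of copper versus fiber are assumptions.

```cisco
! Global defaults: LoopGuard on every root and alternate port, UDLD in
! aggressive mode on every fiber port. Neither touches edge ports.
spanning-tree loopguard default
udld aggressive

! Copper uplinks are not covered by the global udld command, so enable it
! per interface. LoopGuard is already active here from the global default.
interface GigabitEthernet1/0/49
 description Uplink to distribution-1, copper (assumed)
 switchport mode trunk
 udld port aggressive

! Fiber uplink: UDLD is inherited from the global command, LoopGuard from
! the global default. Nothing extra to configure.
interface TenGigabitEthernet1/0/1
 description Uplink to distribution-2, fiber (assumed)
 switchport mode trunk

! UDLD err-disables a port it decides is unidirectional; LoopGuard only
! holds the port in the loop-inconsistent state and recovers by itself.
! Let UDLD-disabled ports come back once the link is sane again.
errdisable recovery cause udld
errdisable recovery interval 300
```

Check show udld neighbors to confirm that every uplink sees its peer in both directions, and show spanning-tree inconsistentports for ports LoopGuard is currently holding (they appear as Loop Inconsistent). Do not enable LoopGuard and RootGuard on the same port; the switch rejects the second one.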
Comparing LoopGuard with UDLD
                                         LoopGuard                      UDLD
Configuration                            Per port                       Per port
Action granularity                       Per VLAN                       Per port
Autorecovery                             Yes                            Yes, with errdisable
                                                                        timeout feature
Protection against STP failures caused   Yes, when enabled on all root  Yes, when enabled on all
by unidirectional links                  and alternate ports in a       links in a redundant
                                         redundant topology             topology
Protection against STP failures caused   Yes                            No
by a problem in software, resulting in
the designated switch not sending BPDUs
Protection against miswiring             No                             Yes
Recommended Practices—UDLD
Configuration
 Typically, it is deployed on any
fiber-optic interconnection.
 Use UDLD aggressive mode
for best protection.
 Enable it in global configuration
so that no fiber-optic port is
missed through operator error.
Implementing a Spanning-Tree Protocol
 Select a spanning-tree implementation:
– RSTP—preferred solution.
– MSTP.
– STP.
– PVST+.
 Recommendations for the Cisco Enterprise Campus Architecture:
– Avoid Layer 2 loops, and use Layer 3 protocols to handle load
balancing and redundancy.
– Keep the spanning-tree domain as simple as possible.
– Ensure that all links connecting backbone switches are routed
links, not VLAN trunks.
– Use multilayer switching to reduce the scope of spanning-tree
domains.
– Do not disable STP; keep it enabled to protect against loops.
Spanning-Tree Recommendations
 Use only when you have to!
– Required for protection
against “user-side” loops
– Required when a VLAN
spans access layer
switches
– More common in the
data center
 Use PVRST+ or MSTP for best
convergence.
 Take advantage of the Cisco
STP Toolkit.
 Keep STP domain as simple as
possible.
 Do not disable STP; it protects
against unplanned loops.
 Use routed links if possible.
Spanning-Tree Recommendations
(Cont.)
 Configure the primary and
secondary root switch
(distribution switch).
 Root bridge should not
change.
– LoopGuard
– RootGuard
– UDLD
 Only end-station traffic should
be seen on an edge port.
– PortFast
– BPDUGuard
– RootGuard
– Port security
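The two recommendation slides above pulled together into one configuration for a distribution pair and an access switch. This is an added example, not course material; VLAN numbers, interface ranges, the rapid-PVST+ mode and the port-security limit of two addresses (phone plus PC) are assumptions.

```cisco
! ---- Distribution-1: the root bridge for all user VLANs ----
spanning-tree mode rapid-pvst
! root primary sets the priority low enough to win the election (24576, or
! lower if another switch already uses that); the root must not move.
spanning-tree vlan 10,20,30 root primary
interface range TenGigabitEthernet1/1 - 8
 description Downlinks to access switches (assumed)
 switchport mode trunk
 spanning-tree guard root

! ---- Distribution-2: becomes root only if Distribution-1 fails ----
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 root secondary
interface range TenGigabitEthernet1/1 - 8
 description Downlinks to access switches (assumed)
 switchport mode trunk
 spanning-tree guard root

! ---- Access switch: edge ports carry end-station traffic only ----
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Neither distribution switch should ever see a better root through its downlinks, which is what the RootGuard lines enforce; show spanning-tree root on either one should name Distribution-1 as root for every VLAN while it is up. On the access switch, a device that sources BPDUs or more than two MAC addresses takes the port down rather than joining the topology.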
FlexLinks in the Access Layer
 An active/standby link pair is
defined on a common access
switch:
– Pair is configured with the
switchport backup interface
command.
– An interface can belong to only
one FlexLink.
– Different interface types are
allowed.
 FlexLink pairs have STP off and no
BPDUs are propagated.
 Because STP is off, loops involving
a FlexLink pair are not detected.
 Failover is in the 1-to-2-second
range.
 Distribution switch is not aware of
FlexLinks.
 Supported on Catalyst 4500 and 6500
switches.
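An active/standby FlexLink pair on an access switch, added here as an example rather than taken from the slides. Interface numbers and the two distribution switches are assumptions.

```cisco
! Access switch with two uplinks. STP is off on the pair, so the only
! acceptable paths between these two ports are the two distribution
! switches themselves; any other path is an undetected loop.
interface GigabitEthernet1/0/49
 description Primary uplink to distribution-1 (assumed)
 switchport mode trunk
 switchport backup interface GigabitEthernet1/0/50

interface GigabitEthernet1/0/50
 description Backup uplink to distribution-2 (assumed)
 switchport mode trunk
```

show interfaces switchport backup lists the pair and which member is currently forwarding. The distribution switches still run STP on their side of these links and do not know they face a FlexLink, so their RootGuard and LoopGuard settings stay in place; the FlexLink ports simply never send BPDUs for them to evaluate.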
Summary
 To protect STP operations, several features are available that
control the way that BPDUs are sent and received.
 BPDUGuard protects the operation of STP on PortFast-configured
ports.
 BPDUFilter is a variant that prevents BPDUs from being sent and
received while leaving the port in forwarding state.
 A root switch cannot be elected via BPDUs received on a
RootGuard-configured port.
 LoopGuard keeps a root or alternate port from moving to forwarding when
BPDUs stop arriving (typically because of a Layer 2 unidirectional link);
the port is held in the loop-inconsistent blocking state rather than
disabled, protecting the network from anomalous STP conditions.
 UDLD detects and error-disables an interface with unidirectional
connectivity, protecting the network from anomalous STP conditions.
 In most implementations, the Cisco STP Toolkit should be used,
in combination with additional factors such as FlexLinks.