#Protecting Against Unexpected BPDUs
Cisco has added two STP features that help protect against unexpected BPDUs:
* Root Guard
* BPDU Guard
# Root Guard
After an STP topology has converged and become loop-free, switch ports are assigned the following roles:
* Root Port
* Designated Port
* Blocking Port
* Alternate Port
* Forwarding Port
* With the Root Guard feature, a switch learns the current root bridge's bridge ID.
* If another switch advertises a superior BPDU (one with a better bridge ID) on a port where Root Guard is enabled,
the local switch will not allow the new switch to become the root. The port is kept in the root-inconsistent STP state.
No data can be sent or received in that state, but the switch can still listen to BPDUs received on the port to detect a new root advertising itself.
* Root Guard can be enabled only on a per-port basis. (By default it is disabled.)
#To enable Root Guard, use the following command
R3(config-if)#spanning-tree guard root
#To display inconsistent ports
S3#show spanning-tree inconsistentports
* When the superior BPDUs are no longer received, the port is cycled through the normal STP states to return to normal use.
* Use Root Guard on switch ports where you never expect to find the root bridge for a VLAN.
# BPDU Guard
* If any BPDU (whether superior to the current root or not) is received on a port where BPDU Guard is enabled,
that port is immediately put into the errdisable state. You need to re-enable the port manually or set up automatic recovery
with the errdisable timeout function.
* By default, BPDU Guard is disabled on all switch ports.
#To enable BPDU Guard by default, use the following command
S3(config)#spanning-tree portfast bpduguard default
#To enable BPDU Guard on a per-port basis, use the following command
S3(config-if)#spanning-tree portfast bpduguard enable
* When BPDUs are no longer received, the port still remains in the errdisable state.
* You should use BPDU Guard on all switch ports where STP PortFast is enabled.
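The following configuration is an added example (not part of the original notes) that puts Root Guard and BPDU Guard together on an access switch: BPDU Guard on the host-facing PortFast ports, Root Guard on a downlink where the root bridge must never appear, and errdisable recovery so that a BPDU Guard violation does not need a manual shutdown/no shutdown. The interface numbers, VLAN and the 300-second recovery interval are assumptions chosen for illustration; the interface-level BPDU Guard command is given in the `spanning-tree bpduguard enable` form.

```cisco
! Added example, not from the original notes. Interface names, VLAN 10 and the
! recovery interval are assumptions.

! --- Access ports: single hosts only, so no BPDU should ever arrive here ---
S3(config)# interface range GigabitEthernet1/0/1 - 24
S3(config-if-range)# switchport mode access
S3(config-if-range)# switchport access vlan 10
S3(config-if-range)# spanning-tree portfast
! Any BPDU received on these ports errdisables the port (per-port BPDU Guard)
S3(config-if-range)# spanning-tree bpduguard enable
S3(config-if-range)# exit

! Alternatively, enable BPDU Guard on every PortFast-enabled port in one step
S3(config)# spanning-tree portfast bpduguard default

! --- Downlink to a small workgroup switch that must never become root ---
! A superior BPDU arriving here leaves the port root-inconsistent instead of
! letting the workgroup switch take over the root role.
S3(config)# interface GigabitEthernet1/0/47
S3(config-if)# description downlink to workgroup switch (never root)
S3(config-if)# spanning-tree guard root
S3(config-if)# exit

! --- Optional: recover BPDU Guard errdisabled ports automatically ---
! Without this, a violated port stays errdisabled until shutdown / no shutdown.
S3(config)# errdisable recovery cause bpduguard
S3(config)# errdisable recovery interval 300
S3(config)# end

! --- Verification ---
! Ports currently held in the root-inconsistent state by Root Guard
S3# show spanning-tree inconsistentports
! Ports errdisabled by BPDU Guard, and the pending recovery timers
S3# show interfaces status err-disabled
S3# show errdisable recovery
```

Root Guard recovers on its own once the superior BPDUs stop, so it needs no errdisable recovery entry; BPDU Guard does, because an errdisabled port never comes back by itself.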
#Protecting Against Sudden Loss of BPDUs
Cisco has added two STP features that help detect or prevent the unexpected loss of BPDUs:
* Loop Guard
* Unidirectional Link Detection (UDLD)
# Loop Guard
* If BPDUs are being sent over a link but the flow of BPDUs stops for some reason, the last-known BPDU is kept until the Max Age
timer expires. Then that BPDU is flushed, and the switch thinks there is no longer a need to block the port.
* When enabled, Loop Guard keeps track of the BPDU activity on nondesignated ports.
* When BPDUs go missing, Loop Guard moves the port into the loop-inconsistent state.
* The port is effectively blocking at this point, which prevents a loop from forming and keeps it in the nondesignated role.
* When BPDUs are received on the port again, Loop Guard allows the port to move through the normal STP states and become active.
* By default, Loop Guard is disabled on all switch ports.
#To enable Loop Guard by default, use the following command
S3(config)#spanning-tree loopguard default
#To enable Loop Guard on a specific switch port, use the following command
S3(config-if)#spanning-tree guard loop
* Nondesignated ports are generally the alternate root ports and ports that normally are blocking.
#UDLD (Unidirectional Link Detection)
UDLD has two modes of operation:
* Normal Mode - When a unidirectional link condition is detected, the port is allowed to continue its operation.
UDLD merely marks the port as having an undetermined state and generates a syslog message.
* Aggressive Mode - When a unidirectional link condition is detected, the switch takes action to reestablish the link.
UDLD messages are sent out once a second for 8 seconds. If none of those messages is echoed back, the port is placed
in the errdisable state so that it cannot be used.
#To enable UDLD globally, use the following command
S3(config)#udld [ enable | aggressive | message time SECONDS ] !(Ranging from 7 to 90 sec)
#To enable UDLD on a specific switch port, use the following command
S3(config-if)#udld [ enable | aggressive | disable ]
#To re-enable ports that UDLD aggressive mode has errdisabled
S3#udld reset
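The configuration below is an added example (not from the original notes) covering the Loop Guard and UDLD sections together: Loop Guard globally plus on one normally-blocking uplink, UDLD aggressive mode globally with a custom message interval, errdisable recovery for UDLD, and the show commands used to confirm each state. Interface numbers and timer values are assumptions.

```cisco
! Added example, not from the original notes. Interface names and timer values
! are assumptions.

! --- Loop Guard on every nondesignated port by default ... ---
S3(config)# spanning-tree loopguard default

! --- ... or only on a specific port that is normally blocking ---
S3(config)# interface GigabitEthernet1/0/48
S3(config-if)# description redundant uplink to distribution (normally blocking)
S3(config-if)# spanning-tree guard loop
S3(config-if)# exit

! --- UDLD aggressive mode on all fiber ports, 15-second message interval ---
! (global syntax from the notes: udld [ enable | aggressive | message time SECONDS ])
S3(config)# udld aggressive
S3(config)# udld message time 15
! UDLD only detects a one-way link if the peer switch also runs UDLD on its end.

! --- Optional: let UDLD-errdisabled ports recover once the link is sound ---
S3(config)# errdisable recovery cause udld
S3(config)# errdisable recovery interval 300
S3(config)# end

! --- Verification ---
! Loop-inconsistent ports (Loop Guard) are listed alongside root-inconsistent ones
S3# show spanning-tree inconsistentports
! UDLD neighbor table and per-port UDLD state
S3# show udld neighbors
S3# show udld GigabitEthernet1/0/48
! Ports currently errdisabled (by UDLD aggressive mode or anything else)
S3# show interfaces status err-disabled
! Manually re-enable the ports that UDLD aggressive mode has errdisabled
S3# udld reset
```

Loop Guard and UDLD complement each other: Loop Guard reacts to missing BPDUs at the STP layer, while UDLD detects the one-way link itself, so a fiber uplink that loses its receive strand is caught by either mechanism.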
#Using BPDU Filtering To Disable STP On a Port
* You should always allow STP to run on a switch to prevent loops. However, in special cases when you need to prevent
BPDUs from being sent or processed on one or more switch ports, you can use BPDU filtering to effectively disable STP on those ports.
* By default, BPDU filtering is disabled on all switch ports.
#To configure the BPDU filtering global default
S3(config)#spanning-tree portfast bpdufilter default
* Note: The default keyword indicates that BPDU filtering will be enabled automatically on all ports that have PortFast enabled. If PortFast is disabled on a port, BPDU filtering will not be enabled there.
#To enable BPDU filtering on a specific switch port, use the following command
S3(config-if)#spanning-tree bpdufilter [ enable | disable ]
* Note: Be very careful to enable BPDU filtering only under controlled circumstances in which you are absolutely sure that a switch port will have a single host connected and that a loop will be impossible.
* Note: Enable BPDU filtering only if the connected device cannot allow BPDUs to be accepted or sent. Otherwise, you should permit STP to operate on the switch ports as a precaution.
#To display the global BPDU Guard, BPDU filter, and Loop Guard states
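As an added example (not from the original notes), the two ways of applying BPDU filtering side by side, with the behavioural difference that makes the global default the safer of the two. The interface number and description are assumptions.

```cisco
! Added example, not from the original notes. Interface names are assumptions.

! --- Global default: applies only to PortFast-enabled ports ---
! At link-up the port still sends a few BPDUs. If a BPDU is ever received, the
! port loses PortFast and the filter, and falls back to normal STP, so an
! accidentally connected switch cannot form an undetected loop.
S3(config)# spanning-tree portfast bpdufilter default

! --- Per-port enable: STP is effectively off on this link ---
! No BPDUs are sent or received at all, regardless of PortFast. Use only where
! a single host is guaranteed and a loop is impossible.
S3(config)# interface GigabitEthernet1/0/10
S3(config-if)# description lab host that must not see BPDUs
S3(config-if)# switchport mode access
S3(config-if)# spanning-tree portfast
S3(config-if)# spanning-tree bpdufilter enable
S3(config-if)# exit

! Do not rely on BPDU Guard on a port with the per-port filter enabled: the
! filter discards received BPDUs before BPDU Guard can act on them.

! --- Turning the per-port filter off again ---
S3(config)# interface GigabitEthernet1/0/10
S3(config-if)# spanning-tree bpdufilter disable
S3(config-if)# end

! --- Verification ---
! Global BPDU filter default state
S3# show spanning-tree summary
! Per-interface detail shows whether the filter is active on this port
S3# show spanning-tree interface GigabitEthernet1/0/10 detail
```

For a port that only ever carries a single host, PortFast with BPDU Guard (from the earlier section) gives the same fast link-up without switching STP off, and is the choice to prefer whenever the attached device tolerates BPDUs.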
S3#show spanning-tree summary