160.196, designated path cost 0
Timers:message age 0, forward delay 0, hold 0
Number of transitions to forwarding state:1
The port is in the portfast mode by portfast trunk configuration
Link type is point-to-point by default
Bpdu filter is enabled
BPDU:sent 0, received 0

Figure lists the possible combinations that result from configuring BPDU filtering globally and on individual ports on the same switch.
8.4 STP Security Mechanisms
8.4.4 Root Guard

Root guard limits the switch ports out of which the root bridge may be negotiated. If a root guard–enabled port receives BPDUs that are superior to those being sent by the current root bridge, that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state. No data traffic is forwarded across this port.

In the figure, switches A and B are the core of the network. Switch A is the root bridge for a VLAN. Switch C is an access layer switch. The link between B and C is blocking on the C side. The flow of STP BPDUs is shown with arrows. On the left, device D begins to participate in STP. If the priority of switch D were any value lower than that of the current root bridge, switch D would be elected the root bridge. This would cause the link connecting switches A and B to block, so all traffic from switch B would flow through switch C in the access layer, which is clearly not advantageous. If root guard were configured on the port of switch C where switch D is attached, switch D could never have been elected the root bridge.

Root guard is configured on a per-port basis. If a superior BPDU is received on the port, root guard puts the port into a root-inconsistent state. When switch D stops sending superior BPDUs, the port is unblocked again and transitions through the STP states like any other port. Recovery requires no intervention.

A root guard port is in an STP designated port state. When root guard is enabled on a port, the switch does not allow that port to become an STP root port; the port remains an STP designated port. Root guard should be enabled on all ports where the root bridge is not anticipated. In the example, root guard should be enabled as follows:

The following console message appears when root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
8.4 STP Security Mechanisms
8.4.5 Configuring Root Guard

Figure lists the commands for configuring and verifying root guard. Figure describes these commands.

To enable root guard on a Layer 2 access port (to force it to become a designated port), use the following command. To disable root guard, use the no form of the command.

Switch(config-if)#spanning-tree guard root

Figure demonstrates how to verify the root guard configuration. To display the interface configuration, use the following command:

Switch#show running-config interface fastethernet 5/8

To determine whether any ports are in a root-inconsistent state, use the following command:

Switch#show spanning-tree inconsistentports
Name Interface Inconsistency
------------- ------------------ ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :10
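The output above is what an operator reads by hand; when the check is automated (for example, polled from many switches into a monitoring job), the table has to be parsed and the switch's own trailer count cross-checked against the rows received. The following is an added example, not part of the original course material or any Cisco tool: it parses the inconsistentports output quoted above (embedded here as a constructed sample in the page's own format), groups affected interfaces by inconsistency type, and verifies that the row count matches the trailer. The inconsistency labels "Root Inconsistent" and "Loop Inconsistent" named in the comments are assumed wording for the root guard and loop guard cases; the sample itself only shows "Port Type Inconsistent".

```python
import re
from collections import defaultdict

# Constructed sample: the "show spanning-tree inconsistentports" output quoted
# in this section, reproduced as the switch prints it.
SAMPLE_OUTPUT = """\
Name Interface Inconsistency
------------- ------------------ ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent
VLAN1002 FastEthernet3/2 Port Type Inconsistent
VLAN1003 FastEthernet3/1 Port Type Inconsistent
VLAN1003 FastEthernet3/2 Port Type Inconsistent
VLAN1004 FastEthernet3/1 Port Type Inconsistent
VLAN1004 FastEthernet3/2 Port Type Inconsistent
VLAN1005 FastEthernet3/1 Port Type Inconsistent
VLAN1005 FastEthernet3/2 Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10
"""

# One data row: VLAN name, interface, then the inconsistency text to end of line.
ROW_RE = re.compile(r"^(VLAN\d+)\s+(\S+)\s+(.+?)\s*$")
# Trailer line printed by the switch with its own total.
COUNT_RE = re.compile(
    r"Number of inconsistent ports \(segments\) in the system\s*:\s*(\d+)"
)


def parse_inconsistent_ports(text):
    """Return (vlan, interface, inconsistency) tuples from the command output,
    skipping the header, separator, blank and trailer lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def count_matches(text):
    """True when the switch's trailer count equals the number of rows parsed,
    i.e. the capture was not truncated and every row was recognised."""
    m = COUNT_RE.search(text)
    return m is not None and int(m.group(1)) == len(parse_inconsistent_ports(text))


def ports_by_inconsistency(text):
    """Group interfaces by inconsistency type: {type: {interface: [vlans]}}.
    Assumed labels for the guard features discussed in this chapter:
    root guard reports 'Root Inconsistent', loop guard 'Loop Inconsistent';
    the sample shows only 'Port Type Inconsistent'."""
    grouped = defaultdict(lambda: defaultdict(list))
    for vlan, iface, kind in parse_inconsistent_ports(text):
        grouped[kind][iface].append(vlan)
    return {kind: dict(ifaces) for kind, ifaces in grouped.items()}


if __name__ == "__main__":
    print(ports_by_inconsistency(SAMPLE_OUTPUT))
    print("trailer count consistent:", count_matches(SAMPLE_OUTPUT))
```

A mismatch between the trailer and the parsed rows is worth alerting on in its own right: it usually means the session output was paged or cut, and a monitoring job that silently accepts a short table would report fewer blocked ports than the switch actually has.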

8.5 Preventing STP Forwarding Loops
8.5.1 Unidirectional Link Detection

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. Unidirectional links can cause spanning tree topology loops. Unidirectional Link Detection (UDLD) allows devices to detect unidirectional link conditions when Layer 1 mechanisms do not, and provides the ability to shut down the affected interface.

UDLD is a Layer 2 protocol that works with the Layer 1 mechanisms to determine the physical status of a link. For example, if one fiber strand in a pair is disconnected, Layer 1 auto-negotiation would not allow the link to become active or stay up. But if both fiber strands are operational, UDLD determines whether traffic is flowing bidirectionally between the correct neighbors. The switch periodically transmits UDLD packets on an interface with UDLD enabled. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional and the interface is shut down. Devices on both ends of the link must support UDLD for the protocol to successfully identify and disable unidirectional links.

The function of UDLD is to prevent one-way communication between adjacent devices. When UDLD detects a one-way conversation, it can do one of two things, depending on whether UDLD is configured in normal or aggressive mode. In normal mode, UDLD changes the UDLD-enabled port to an undetermined state when it stops receiving UDLD messages from its directly connected neighbor. Aggressive mode makes eight attempts to re-establish the UDLD neighbor relation before error-disabling the port. Aggressive mode is the preferred method of configuring UDLD and is the only mode that can detect a UDLD condition on twisted-pair cable.

UDLD uses destination MAC 01-00-0c-cc-cc-cc with SNAP HDLC protocol type 0x0111. Figure describes the default status of UDLD on a global and interface basis.
8.5 Preventing STP Forwarding Loops
8.5.2 Loop Guard

Like UDLD, loop guard provides protection for STP when a link is unidirectional and BPDUs are being sent, but not received, on a link that is considered operational. Without loop guard, a blocking port transitions to forwarding if it stops receiving BPDUs. If loop guard is enabled and the link is not receiving BPDUs, the interface moves into the STP loop-inconsistent blocking state. When loop guard blocks a port, this message is generated to the console or log file:

SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.

When a BPDU is received on a loop guard port that is in a loop-inconsistent state, the port transitions to the appropriate state as determined by the normal functioning of spanning tree. The recovery requires no user intervention. After the recovery, this message is logged:

SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.

The loop guard feature protects against possible spanning tree loops by detecting a unidirectional link. With a unidirectional link, a port on one of the link partners is operationally in the up state and transmitting but is not receiving traffic. At the same time, the other link partner is operating correctly. Loop guard is enabled on ports that are participating in spanning tree and are redundant at Layer 2. When the switch stops receiving BPDUs on its root or blocking port, it transitions the port to a loop-inconsistent state, which does not pass traffic.

Loop guard is configured per port on operating system versions earlier than Catalyst OS 7.1(1). Loop guard is incompatible with root guard. Also, loop guard should not be enabled on PortFast ports.

In an EtherChannel bundle, UDLD shuts down only the physical link that has failed. Loop guard, however, behaves differently because the first operational port in an EtherChannel bundle is used for BPDUs and the other ports are not. If the first port has a unidirectional failure, loop guard transitions all the links of the channel to the loop-inconsistent state. This is not a desirable effect, because the inherent redundancy gained
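Both root guard (8.4.4) and loop guard above announce their state changes only through SPANTREE syslog messages, so a central log collector is the place to see which ports are currently held in an inconsistent state and which access port keeps being hit by superior BPDUs. The following is an added example, not part of the original course material or any Cisco product: it replays the three message formats quoted in this chapter (a constructed log with made-up timestamps, hostname and port numbers), maintains the set of ports still blocked, and flags ports that trigger root guard repeatedly. The chapter quotes no root guard "unblock" message, so root-inconsistent entries are only ever cleared here by operator confirmation, not by the log replay; that is an assumption of this example, not a statement about switch behaviour.

```python
import re
from collections import Counter

# Constructed sample log in the three SPANTREE message formats quoted in
# sections 8.4.4 and 8.5.2; timestamps, hostname and port numbers are made up.
SAMPLE_LOG = """\
2023-01-01 10:00:01 sw-access-c %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
2023-01-01 10:00:05 sw-access-c SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.
2023-01-01 10:00:45 sw-access-c SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.
2023-01-01 10:02:10 sw-access-c %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
2023-01-01 10:04:10 sw-access-c %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
"""

# Event name, then the first "port X" and "vlan N" tokens that follow it.
# Case-insensitive because the quoted messages mix "Port"/"port" and "VLAN"/"vlan".
MSG_RE = re.compile(
    r"SPANTREE-2-(?P<event>ROOTGUARDBLOCK|LOOPGUARDBLOCK|LOOPGUARDUNBLOCK):"
    r".*?\bport (?P<port>\S+).*?\bvlan (?P<vlan>\d+)",
    re.IGNORECASE,
)


def parse_events(log_text):
    """Return (event, port, vlan) for every guard message in the log."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.append((m.group("event").upper(), m.group("port"), int(m.group("vlan"))))
    return events


def inconsistent_ports(log_text):
    """Replay the log and return the set of (port, vlan, cause) still blocked.
    Loop guard entries are cleared by LOOPGUARDUNBLOCK. Root guard entries are
    never cleared here (assumption: no unblock message is quoted in the chapter),
    so they stay until confirmed with 'show spanning-tree inconsistentports'."""
    state = set()
    for event, port, vlan in parse_events(log_text):
        if event == "ROOTGUARDBLOCK":
            state.add((port, vlan, "root"))
        elif event == "LOOPGUARDBLOCK":
            state.add((port, vlan, "loop"))
        elif event == "LOOPGUARDUNBLOCK":
            state.discard((port, vlan, "loop"))
    return state


def repeat_root_offenders(log_text, threshold=2):
    """Ports that triggered root guard at least `threshold` times: something
    behind that port keeps offering superior BPDUs, which is the condition
    root guard exists to contain and is worth an operator's attention."""
    hits = Counter(
        (port, vlan) for event, port, vlan in parse_events(log_text)
        if event == "ROOTGUARDBLOCK"
    )
    return {key: n for key, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print("still blocked:", inconsistent_ports(SAMPLE_LOG))
    print("repeat root guard hits:", repeat_root_offenders(SAMPLE_LOG))
```

The loop guard pair (block, then unblock forty seconds later) leaves no residue, which matches the chapter's statement that recovery needs no intervention; the three root guard hits on the same port within a few minutes are the signal an operator wants surfaced.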