      160.196, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by portfast trunk configuration
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 0, received 0
Figure lists the possible combinations that result from configuring BPDU filtering globally and on individual ports of the same switch.
8.4 STP Security Mechanisms

8.4.4 Root Guard

Root guard limits the switch ports out of which the root bridge may be negotiated. If a root guard–enabled port receives BPDUs that are superior to those being sent by the current root bridge, that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state. No data traffic will be forwarded across this port.

In Figure , switches A and B are the core of the network. Switch A is the root bridge for a VLAN. Switch C is an access layer switch. The link between B and C is blocking on the C side. The flow of STP BPDUs is shown with arrows. On the left, device D begins to participate in STP. If the priority of switch D were any value lower than that of the current root bridge, switch D would be elected the root bridge. This would cause the link connecting switches A and B to block, causing all traffic from switch B to flow through switch C in the access layer, which is clearly not advantageous. If root guard were configured on the port of switch C where switch D is attached, switch D would never have been elected the root bridge.

Root guard is configured on a per-port basis. If a superior BPDU is received on the port, root guard puts the port into a root-inconsistent state. When switch D stops sending superior BPDUs, the port is unblocked again and transitions through the STP states like any other port. Recovery requires no intervention.

A root guard port is in an STP designated port state. When root guard is enabled on a port, the switch does not allow that port to become an STP root port; the port remains an STP designated port. Root guard should be enabled on all ports where the root bridge is not anticipated. In the example, root guard should be enabled as follows:

- Switch A: port connecting to switch C
- Switch B: port connecting to switch C
- Switch C: port connecting to switch D

The following console message appears when root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
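A small syslog checker, added here as an example and not part of the course material: it replays constructed log lines carrying the root guard message above and the loop guard block/unblock messages quoted in section 8.5.2, tracks the state of each (port, VLAN) pair, and reports the ports still held in a guard-inconsistent state so an operator can find out which device sent the superior BPDU or why BPDUs stopped arriving. The timestamps and the unrelated LINK-3-UPDOWN line are invented sample data.

```python
import re

# Patterns for the three STP guard syslog messages quoted in this course.
# Matching on the mnemonic lets lines with or without a timestamp/'%' prefix match.
ROOTGUARD_BLOCK = re.compile(
    r"SPANTREE-2-ROOTGUARDBLOCK: Port (?P<port>\S+) tried to become "
    r"non-designated in VLAN (?P<vlan>\d+)\. Moved to root-inconsistent state")
LOOPGUARD_BLOCK = re.compile(
    r"SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port (?P<port>\S+) "
    r"in vlan (?P<vlan>\d+)\. Moved to loop-inconsistent state")
LOOPGUARD_UNBLOCK = re.compile(
    r"SPANTREE-2-LOOPGUARDUNBLOCK: port (?P<port>\S+) restored in vlan (?P<vlan>\d+)")

# Constructed sample log (timestamps invented); message bodies copied from the course.
SAMPLE_LOG = [
    "Mar  1 00:12:34: %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become "
    "non-designated in VLAN 77. Moved to root-inconsistent state",
    "Mar  1 00:12:40: %LINK-3-UPDOWN: Interface FastEthernet3/2, changed state to up",
    "Mar  1 00:13:02: %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 "
    "in vlan 3. Moved to loop-inconsistent state.",
    "Mar  1 00:13:31: %SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.",
]

def track_guard_events(lines):
    """Replay syslog lines in order; return {(port, vlan): state}.

    States: 'root-inconsistent', 'loop-inconsistent', 'recovered'.
    The course shows no root guard recovery message, so a root-inconsistent
    entry stays open until an operator confirms the superior BPDUs stopped.
    """
    state = {}
    for line in lines:
        if m := ROOTGUARD_BLOCK.search(line):
            state[(m["port"], int(m["vlan"]))] = "root-inconsistent"
        elif m := LOOPGUARD_BLOCK.search(line):
            state[(m["port"], int(m["vlan"]))] = "loop-inconsistent"
        elif m := LOOPGUARD_UNBLOCK.search(line):
            state[(m["port"], int(m["vlan"]))] = "recovered"
    return state

def open_alerts(state):
    """(port, vlan) pairs still blocked by a guard: each needs a human to check
    what device sent the superior BPDU or why BPDUs stopped arriving."""
    return sorted(k for k, v in state.items() if v.endswith("-inconsistent"))

if __name__ == "__main__":
    for port, vlan in open_alerts(track_guard_events(SAMPLE_LOG)):
        print(f"port {port} vlan {vlan} still guard-blocked")
```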
8.4.5 Configuring Root Guard

Figure lists the commands for configuring and verifying root guard. Figure describes these commands. To enable root guard on a Layer 2 access port (to force it to become a designated port), use the following command. To disable root guard, use the no form of the command.

Switch(config-if)#spanning-tree guard root

Figure demonstrates how to verify the root guard configuration. To display the interface configuration, use the following command:

Switch#show running-config interface fastethernet 5/8

To determine whether any ports are in a root-inconsistent state, use the following command:

Switch#show spanning-tree inconsistentports
Name                 Interface            Inconsistency
-------------------- -------------------- ----------------------
VLAN0001             FastEthernet3/1      Port Type Inconsistent
VLAN0001             FastEthernet3/2      Port Type Inconsistent
VLAN1002             FastEthernet3/1      Port Type Inconsistent
VLAN1002             FastEthernet3/2      Port Type Inconsistent
VLAN1003             FastEthernet3/1      Port Type Inconsistent
VLAN1003             FastEthernet3/2      Port Type Inconsistent
VLAN1004             FastEthernet3/1      Port Type Inconsistent
VLAN1004             FastEthernet3/2      Port Type Inconsistent
VLAN1005             FastEthernet3/1      Port Type Inconsistent
VLAN1005             FastEthernet3/2      Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10
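A parser for the show spanning-tree inconsistentports output format above, added as an example and not part of the course: it turns the rows into records, checks that the summary count matches the rows actually listed, and picks out interfaces blocked by root guard. The sample output is constructed (two of the ten rows above plus one root guard row); the "Root Inconsistent" label is assumed, since the course's own sample lists only "Port Type Inconsistent".

```python
import re

# Constructed sample in the course's output format. The course's own listing
# shows only "Port Type Inconsistent" rows; the "Root Inconsistent" label for a
# root-guard-blocked port is an assumption here.
SAMPLE_OUTPUT = """\
Name                 Interface            Inconsistency
-------------------- -------------------- ----------------------
VLAN0001             FastEthernet3/1      Port Type Inconsistent
VLAN0001             FastEthernet3/2      Port Type Inconsistent
VLAN0077             FastEthernet1/1      Root Inconsistent

Number of inconsistent ports (segments) in the system :3
"""

ROW = re.compile(r"^(?P<vlan>VLAN\d+)\s+(?P<intf>\S+)\s+(?P<reason>\S.*?)\s*$")
TOTAL = re.compile(r"Number of inconsistent ports \(segments\) in the system\s*:\s*(\d+)")

def parse_inconsistent_ports(output):
    """Return ([(vlan, interface, reason), ...], reported_total).

    Header, dashed separator and blank lines do not match ROW and are skipped.
    """
    rows, total = [], None
    for line in output.splitlines():
        if m := TOTAL.search(line):
            total = int(m.group(1))
        elif m := ROW.match(line):
            rows.append((m["vlan"], m["intf"], m["reason"]))
    return rows, total

def count_matches(output):
    """True when the switch's summary count equals the number of rows parsed;
    a mismatch means the output was truncated or the parser missed a row."""
    rows, total = parse_inconsistent_ports(output)
    return total is not None and total == len(rows)

def root_inconsistent_interfaces(output):
    """Interfaces held by root guard, i.e. where a superior BPDU arrived on a
    port where no root bridge is expected; de-duplicated across VLANs."""
    rows, _ = parse_inconsistent_ports(output)
    return sorted({intf for _, intf, reason in rows if reason.startswith("Root")})
```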
8.5 Preventing STP Forwarding Loops

8.5.1 Unidirectional Link Detection

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. Unidirectional links can cause spanning tree topology loops. Unidirectional Link Detection (UDLD) allows devices to detect unidirectional link conditions when Layer 1 mechanisms do not, and provides the ability to shut down the affected interface.

UDLD is a Layer 2 protocol that works with the Layer 1 mechanisms to determine the physical status of a link. For example, if one fiber strand in a pair is disconnected, Layer 1 auto-negotiation would not allow the link to become active or stay up. But if both fiber strands are operational, UDLD determines whether traffic is flowing bidirectionally between the correct neighbors. The switch periodically transmits UDLD packets on an interface with UDLD enabled. If the packets are not echoed back within a specific time frame, the link is flagged as unidirectional, and the interface is shut down. Devices on both ends of the link must support UDLD for the protocol to successfully identify and disable unidirectional links.

The function of UDLD is to prevent one-way communication between adjacent devices. When UDLD detects a one-way conversation, it can do one of two things, depending on whether UDLD is configured in normal or aggressive mode. In normal mode, UDLD changes the UDLD-enabled port to an undetermined state when it stops receiving UDLD messages from its directly connected neighbor. Aggressive mode makes eight attempts to re-establish the UDLD neighbor relationship before error-disabling the port. Aggressive mode is the preferred method of configuring UDLD and is the only mode that can detect a unidirectional link condition on twisted-pair cable. UDLD uses destination MAC 01-00-0c-cc-cc-cc with SNAP HDLC protocol type 0x0111. Figure describes the default status of UDLD on a global and per-interface basis.
8.5.2 Loop Guard

Like UDLD, loop guard provides protection for STP when a link is unidirectional and BPDUs are being sent, but not received, on a link that is considered operational. Without loop guard, a blocking port transitions to forwarding if it stops receiving BPDUs. If loop guard is enabled and the link is not receiving BPDUs, the interface moves into the STP loop-inconsistent blocking state. When loop guard blocks a port, this message is generated to the console or log file:

SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.

When a BPDU is received on a loop guard port that is in a loop-inconsistent state, the port transitions to the appropriate state as determined by the normal functioning of spanning tree. The recovery requires no user intervention. After the recovery, this message is logged:

SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.

The loop guard feature protects against possible spanning tree loops by detecting a unidirectional link. With a unidirectional link, a port on one of the link partners is operationally in the up state and transmitting but is not receiving traffic. At the same time, the other link partner is operating correctly. Loop guard is enabled on ports that are participating in spanning tree and are redundant at Layer 2. When the switch stops receiving BPDUs on its root or blocking port, it transitions the port to a loop-inconsistent state, which does not pass traffic.

Loop guard is configured per port on operating system versions earlier than Catalyst OS 7.1(1). Loop guard is incompatible with root guard. Also, loop guard should not be enabled on PortFast ports. In an EtherChannel bundle, UDLD shuts down only the physical link that has failed. Loop guard, however, behaves differently because the first operational port in an EtherChannel bundle is used for BPDUs and the other ports are not. If the first port has a unidirectional failure, loop guard transitions all the links of the channel to the loop-inconsistent state. This is not a desirable effect, because the inherent redundancy gained