1 Feb 2024

Spanning Tree Protection

Here are my notes on STP protection methods.

Root Guard
Port never becomes a Root Port.
Guards against receiving an unwanted/unexpected superior BPDU.
If one is received, the port is put into the root-inconsistent state. The entire port is disabled.
When the superior BPDU is no longer received, the port cycles back through the STP states.
Default disabled on switch ports.

(config-if)# spanning-tree guard root
# show span inconsistent-ports

BPDU Guard
Used on ports on which a BPDU should never be received (e.g. access ports).
If any BPDU is received, the port is put into the err-disabled state.
Recover either manually or with an errdisable timeout.
Default disabled on switch ports. Enabled on all PortFast ports when turned on globally.

# spanning-tree portfast bpduguard default
(config-if)# [no] span bpduguard enable

Loop Guard
Used to track BPDU activity. If a non-designated port stops receiving BPDUs, instead of transitioning through the STP states it is put into the loop-inconsistent state. The port is blocked on a per-VLAN basis; once BPDUs are received again it moves through the states normally.
In an EtherChannel, the whole channel is blocked for that VLAN.
Default disabled on switch ports.

# span loopguard default
(config-if)# [no] span guard loop

UDLD
Protects against unidirectional links (e.g. fiber TX/RX pairs).
Echoes special Layer 2 UDLD messages at intervals (default 15 sec).
In normal mode only a syslog message is generated;
in aggressive mode recovery is attempted and the port is err-disabled.
On an EtherChannel only the offending link is disabled.
Default disabled on all ports; if enabled globally, only fiber ports are configured.

# udld {enable | aggressive | message time seconds}
(config-if)# udld port {aggressive | disable}
# show udld
# udld reset (re-enable err-disabled UDLD ports)

BPDU Filter
Prevents BPDUs from being sent or processed on the port.
Effectively disables STP on that port.
Default disabled.

# span portfast bpdufilter default
(config-if)# span bpdufilter {enable | disable}
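Putting the methods above together on one switch, as an added example (not part of the original notes; interface and VLAN numbers are placeholders and the recovery interval is an assumed value):

```cisco
! Global defaults: BPDU guard on every PortFast port, loop guard everywhere,
! UDLD aggressive on fiber ports, automatic recovery for err-disabled ports
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld aggressive
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! Access port: end host only, a BPDU here means a rogue switch was plugged in
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink toward the root bridge: block on BPDU loss and detect one-way fiber
interface GigabitEthernet1/1/1
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! Downlink to a switch that must never become root for any VLAN
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree guard root
!
! Verification commands
! show spanning-tree inconsistentports
! show errdisable recovery
! show udld neighbors
```

BPDU filter is deliberately left out of this example because it silences STP on the port instead of protecting it.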

