STP: Protection Features

Root Guard

The Root Guard feature was developed as a means to control when a candidate root bridge switch connects to the network.

It records the bridge ID of the current root bridge in the topology and does not allow another switch to send superior BPDUs (BPDUs advertising a better root) on any port where Root Guard is enabled. If a superior BPDU is received, the port goes to the root-inconsistent state. This mechanism prevents a new switch added to the network, or any switch with a lower bridge ID (priority + MAC) than the current root bridge, from becoming the new root bridge and thus triggering a recomputation of the entire STP topology.

Root Guard designates that a port can only send or retransmit BPDUs but cannot receive BPDUs. Root Guard prevents the port from becoming a root port where BPDUs would normally be received from the root bridge.

In short, if a switch behind a port configured with Root Guard tries to become the root bridge, Root Guard blocks that port.

You can enable Root Guard on a per-port basis only. By default, it is disabled on all switch ports. To enable it, use the following interface configuration command:

Switch(config-if)# spanning-tree guard root

To display the status of a port that Root Guard has set to root-inconsistent, use:

Switch# show spanning-tree inconsistentports

BPDU Guard

BPDU Guard was developed to protect access ports configured with PortFast. Remember that PortFast moves the port directly to the forwarding state without passing through the intermediate states. If a port configured with BPDU Guard receives a BPDU, the port goes to the errdisable state.

BPDU Guard prevents a switch from being added behind the port, whether intentionally or by mistake, and so prevents a possible loop. An obvious application for BPDU Guard is on access layer switch ports where users and other end devices connect.

By default, BPDU Guard is disabled on all switch ports. It can be configured globally with the following command:

Switch(config)# spanning-tree portfast bpduguard default

The above command enables BPDU Guard on all ports that are configured with PortFast.

Another way to enable it is manually on each interface:

Switch(config-if)# spanning-tree bpduguard enable
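The following is an added illustration, written for this article and not Cisco IOS code, of the decisions the two guards above make when a BPDU arrives: Root Guard compares the advertised root against the current root bridge ID (priority + MAC, lower wins) and drops the port into root-inconsistent on a superior BPDU, while BPDU Guard err-disables an edge port on any BPDU at all. The class and function names are my own; the per-port and global forms of BPDU Guard follow the two configuration commands shown above, and automatic recovery from root-inconsistent is simplified to "the next non-superior BPDU".

```python
"""Model of how a switch port reacts to a received BPDU under Root Guard and
BPDU Guard.  Added illustration for this article, not IOS code.  Bridge IDs
are ordered the 802.1D way: the numerically lower (priority, MAC) pair wins."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # bridge priority plus extended system ID, e.g. 32769
    mac: str        # dotted hex, e.g. "0000.0c11.1111"

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        """'32769.0000.0c11.1111' -> BridgeId(32769, '0000.0c11.1111')."""
        prio, mac = text.split(".", 1)
        return cls(int(prio), mac.lower())


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False     # per-port 'spanning-tree bpduguard enable'
    root_guard: bool = False    # 'spanning-tree guard root'
    state: str = "forwarding"


def effective_bpduguard(port: Port, global_default: bool) -> bool:
    """Per-port 'bpduguard enable' always applies; the global
    'portfast bpduguard default' only covers PortFast ports."""
    return port.bpduguard or (global_default and port.portfast)


def receive_bpdu(port: Port, current_root: BridgeId, advertised_root: BridgeId,
                 global_bpduguard: bool = False) -> str:
    """Apply the guards to one received BPDU and return the resulting port state."""
    # BPDU Guard is checked first (modelling choice): an edge port should never
    # hear a BPDU at all, so the sender's bridge ID is irrelevant.
    if effective_bpduguard(port, global_bpduguard):
        port.state = "errdisable"
        return port.state
    superior = advertised_root < current_root   # lower (priority, MAC) = better root
    if port.root_guard:
        if superior:
            port.state = "root-inconsistent"    # refuse to let this port elect a new root
        elif port.state == "root-inconsistent":
            port.state = "forwarding"           # simplification: recover once superior BPDUs stop
        return port.state
    # Unguarded port: the state is left to normal STP, which would recompute the
    # topology around the new root if the BPDU is superior.
    return port.state


if __name__ == "__main__":
    root = BridgeId.parse("32768.0000.0c11.1111")          # constructed current root
    uplink = Port("Gi1/0/24", root_guard=True)
    edge = Port("Gi1/0/1", portfast=True)
    print(uplink.name, receive_bpdu(uplink, root, BridgeId.parse("4096.0000.0c22.2222")))
    print(uplink.name, receive_bpdu(uplink, root, root))
    print(edge.name, receive_bpdu(edge, root, root, global_bpduguard=True))
```

Note the same-priority case: two bridges at priority 32768 are ordered by MAC, so a BPDU advertising 32768.0000.0c00.0001 is superior to the root 32768.0000.0c11.1111 and still trips Root Guard.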

Loop Guard

Loop Guard monitors non-designated ports (root and alternate ports) to validate that BPDUs are being received on them. As long as BPDUs keep arriving, the port operates normally. If BPDUs stop arriving, the port automatically goes to the loop-inconsistent state to prevent a possible loop.

For example, suppose we have a link between SwitchA and SwitchB, where SwitchA's port is Designated-Forwarding and SwitchB's port is Alternate-Blocking to avoid loops. Now suppose SwitchA suffers a memory or CPU overload and for this reason stops sending BPDUs to the Alternate port of SwitchB. SwitchB's Alternate port waits out its 20 seconds of Max Age, then passes through listening (15 sec) and learning (15 sec) and finally ends up forwarding, which could create a loop because the overloaded SwitchA still has its ports in Forwarding. This is where Loop Guard comes in: it places the Alternate port of SwitchB in the loop-inconsistent state and keeps it blocked to avoid a possible loop.

By default, Loop Guard is disabled on all switch ports. You can enable Loop Guard as a global default, affecting all switch ports, with the following global configuration command:

Switch(config)# spanning-tree loopguard default

You can also enable or disable Loop Guard on a specific switch port using the following interface configuration command:

Switch(config-if)# [no] spanning-tree guard loop

Although Loop Guard is configured on a switch port, its corrective blocking action is taken per VLAN.

BPDU Filter

This feature effectively disables STP on selected ports of the switch: BPDUs are filtered so that they are neither sent nor processed on those ports. BPDU Filter is disabled by default and can be configured globally with the following command:

Switch(config)# spanning-tree portfast bpdufilter default

The default keyword indicates that the BPDU filter will be automatically enabled on all ports configured with PortFast.

Configuration can also be done on specific interfaces:

Switch(config-if)# spanning-tree bpdufilter {enable | disable}

In summary, BPDU Filter prevents the specified ports from sending or receiving BPDUs. The interface-level configuration filters incoming and outgoing BPDUs unconditionally, regardless of the PortFast operational state or access/trunk mode. This is effectively the equivalent of turning off STP on that port, which is very dangerous because a permanent loop can easily be created. Interestingly, IOS does not display a warning message when this command is applied. Enabling PortFast on the wrong interface is not as risky as BPDU Filter, although, strangely, IOS considers that important enough to warn the administrator.
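Since IOS does not warn about the interface-level filter, a practitioner's check is to audit saved configurations for it. The following is an added example for this article, not a Cisco tool: it parses the indentation style of 'show running-config' output and flags the three settings discussed on this page (interface-level BPDU Filter, PortFast on a trunk, and PortFast ports left without BPDU Guard, taking the global 'portfast bpduguard default' into account). The sample configuration, interface names and severity labels are constructed for the example.

```python
"""Audit an IOS running-config for the risky STP settings described in this
article.  Added example, not a Cisco tool; the sample config is constructed."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (scope, severity, message)

# Constructed sample: one protected edge port, one unprotected, one trunk with a filter.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree bpdufilter enable
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("!"):            # '!' closes an interface block
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                               # any unindented line is global
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text: str) -> List[Finding]:
    """Return findings for BPDU Filter, PortFast-on-trunk and unguarded PortFast."""
    global_cmds, interfaces = parse_config(text)
    findings: List[Finding] = []
    global_guard = "spanning-tree portfast bpduguard default" in global_cmds
    if "spanning-tree portfast bpdufilter default" in global_cmds:
        findings.append(("global", "HIGH",
                         "BPDU filter enabled by default on every PortFast port"))
    for name, cmds in interfaces.items():
        trunk = "switchport mode trunk" in cmds
        portfast = any(c.startswith("spanning-tree portfast") and not c.endswith("disable")
                       for c in cmds)
        guarded = "spanning-tree bpduguard enable" in cmds or (global_guard and portfast)
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "HIGH", "interface-level BPDU filter: STP effectively off"
                             + (" on a trunk" if trunk else "")))
        if portfast and trunk:
            findings.append((name, "MEDIUM", "PortFast on a trunk port"))
        if portfast and not guarded:
            findings.append((name, "MEDIUM", "PortFast edge port without BPDU Guard"))
    return findings


if __name__ == "__main__":
    for scope, severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {scope:22} {message}")
```

Swapping the global filter line for 'spanning-tree portfast bpduguard default' and removing the interface-level filter leaves the sample with no findings, which is the state an access switch should be in.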

More information at:

https://learningnetwork.cisco.com/blogs/vip-perspectives/2016/03/10/advanced-stp-features-portfast-bpdu-guard-and-bpdu-filter
