Spanning Tree Extension

Posted on Jan 24, 2020

Spanning Tree Extension

Cisco provides several STP extension features to prevent loops in the Layer 2 domain, where errors or loops occur due to user misconfiguration. These extensions are spanning tree edge ports (functionality previously known as PortFast), Bridge Assurance, BPDU Guard, BPDU Filtering, Loop Guard, and Root Guard.

We will first understand all spanning tree port types and then we will discuss all other features.

STP Port Types:

A port can be configured in three ways in STP: as an edge port, a normal port, or a network port.

STP Edge Port: Edge ports are the ports where hosts are connected. An edge port works the same as spanning-tree PortFast: it transitions to the forwarding state, bypassing the listening and learning states. We should not connect switches to ports configured as edge ports.

STP Network Port: These are the ports used to connect switches, as access or trunk ports. These ports can send and receive BPDUs and participate in the STP calculation.

STP Normal Port: Any port that is not one of the port types discussed above falls under normal port. When a port has no configuration on it, it is an STP normal port by default.

The example below shows how to configure all access ports connected to Layer 2 hosts as spanning tree edge ports, and all ports connected to Layer 2 switches or bridges as spanning tree network ports:

switch# config t
switch(config)# spanning-tree port type edge default
switch(config)# exit
switch# config t
switch(config)# spanning-tree port type network default
switch(config)# exit

The following interface-level commands configure a particular port as one of these STP port types:

  • spanning-tree port type edge: enables edge behavior on the access port.
  • spanning-tree port type edge trunk: enables edge behavior on the trunk port.

Bridge Assurance

Bridge Assurance is a feature used to detect and prevent loops after detecting unidirectional link behavior caused by a software failure or control plane issue, rather than by the physical layer.

Bridge Assurance not only prevents the loop but also continues to send data traffic. Bridge Assurance is enabled by default on spanning tree network ports that are point-to-point links. Bridge Assurance must be enabled on both ends of the link; if only one side is enabled with BA and the other side is not enabled or does not support it, the connecting port will be blocked.

When BA is enabled, BPDUs are sent and received at every hello interval on all operational ports, including alternate and backup ports. When a port does not receive a BPDU for the specified period, the port moves to the blocked state; as soon as the port starts receiving BPDUs again, it resumes its normal STP state and starts participating in the STP calculation.

Let’s understand this with the figure below.

In the figure below, STP is working correctly in the Layer 2 topology and loop avoidance has been achieved without Bridge Assurance configured. Now suppose SW2 malfunctions due to a control plane issue and stops sending and receiving BPDUs. After max-age expires, the blocked port will flush its STP state and move to the forwarding state, which will cause a loop.

Now suppose BA was enabled at step 1. If a loop condition arises due to a software failure, the connecting ports on switches SW-1 and SW-3 stop receiving BPDUs; because BA is enabled, those receiving ports are blocked and the loop is prevented.

As soon as the switch issue is resolved, the ports transition back to their normal state and traffic starts flowing.

BPDU Guard:

BPDU Guard is a feature that prevents a port configured with it from receiving any BPDU. This feature can be configured at the global or interface level.

When BPDU Guard is configured globally, it takes effect on all ports configured as edge type. When it is configured globally and an edge port receives a BPDU, the port is shut down.

The commands below show how to configure BPDU Guard on all edge ports.

switch(config)# spanning-tree port type edge bpduguard default
switch(config)# exit

The commands below show how to configure BPDU Guard on specified ports.

switch(config)# interface Ethernet 1/1
switch(config-if)# spanning-tree bpduguard enable
switch(config-if)# exit

BPDU Filtering:

When BPDU Filtering is configured, edge ports stop processing BPDUs on that port. With BPDU Filtering configured, the specified ports can neither send nor receive BPDUs. When BPDU Filtering is configured globally, it is enabled by default on all STP edge ports. When BPDU Filtering is configured on an edge port and a BPDU is received on that port, the BPDU is dropped.

To configure BPDU Filtering on all spanning tree edge ports globally:

switch(config)# spanning-tree port type edge bpdufilter default
switch(config)# exit

To configure BPDU Filtering on specified ports, use the following commands:

switch(config)# interface Ethernet 1/4
switch(config-if)# spanning-tree bpdufilter enable
switch(config-if)# exit

Loop Guard:

Loop Guard monitors BPDU activity on blocked ports. Without it, if a blocked port stops receiving BPDUs, then after the max-age timer expires the port transitions to the forwarding state and opens a path for a loop.

But if Loop Guard is configured, it monitors BPDU activity on blocked ports: if a blocked port stops receiving BPDUs, Loop Guard is activated and puts the blocked port into the loop-inconsistent state to prevent the loop, and the port is disabled or goes into the error-disabled state.

As soon as a port in the loop-inconsistent state starts receiving BPDUs, Loop Guard removes the loop-inconsistent state and returns the port to its original state (blocked).

To configure Loop Guard on all normal or network ports globally:

switch(config)# spanning-tree loopguard default
switch(config)# exit

Root Guard:

Suppose a new switch whose bridge ID is lower than that of the existing root bridge is connected to an existing L2 environment. As soon as it is connected and its BPDU is processed, the new switch with the lower bridge ID becomes the root and STP is recalculated, which causes traffic disruption.

So, to prevent any port from becoming a root port, we need to configure Root Guard on all edge ports. As soon as an edge port where Root Guard is configured receives the BPDU, the port goes into the root-inconsistent state (blocked state).

Root Guard cannot be configured globally.

switch(config)# interface Ethernet 1/1
switch(config-if)# spanning-tree guard root
switch(config-if)# exit
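
An added example, not part of the original post and not Cisco tooling: a small Python audit that reads a configuration in the command syntax shown above and resolves, per interface, the effective port type and the BPDU Guard, BPDU Filtering, Loop Guard and Root Guard settings after applying global defaults and interface overrides. The sample configuration is constructed, the function names are hypothetical, and the `disable` keyword and `spanning-tree guard loop` are NX-OS interface commands that this page does not show.

```python
import re
# Constructed sample in the page's command syntax (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree port type edge bpduguard default
spanning-tree loopguard default
interface Ethernet1/1
  spanning-tree port type edge
interface Ethernet1/2
  spanning-tree port type edge
  spanning-tree bpduguard disable
  spanning-tree bpdufilter enable
interface Ethernet1/3
  spanning-tree port type network
interface Ethernet1/4
  spanning-tree guard root
"""

def _toggle(cmds, glob, feature, edge):
    """Interface-level enable/disable overrides the global edge-port default."""
    for state in ("enable", "disable"):
        if f"spanning-tree {feature} {state}" in cmds:
            return state == "enable"
    return edge and f"spanning-tree port type edge {feature} default" in glob

def effective_settings(config):
    """Map each interface to its effective STP port type and protections."""
    glob, ports, current = set(), {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line.startswith("interface "):
            current = ports.setdefault(line.split(" ", 1)[1].replace(" ", ""), set())
        elif line.startswith("spanning-tree "):  # indented lines belong to the interface
            (current if raw[0].isspace() and current is not None else glob).add(line)
    out = {}
    for name, cmds in ports.items():
        m = (re.search(r"port type (edge|network|normal)( trunk)?$", "\n".join(cmds), re.M)
             or re.search(r"port type (edge|network) default$", "\n".join(glob), re.M))
        ptype = m.group(1) if m else "normal"
        g = re.search(r"^spanning-tree guard (root|loop)$", "\n".join(cmds), re.M)
        guard = g.group(1) if g else (  # global Loop Guard covers normal/network ports
            "loop" if ptype != "edge" and "spanning-tree loopguard default" in glob else None)
        out[name] = {"type": ptype, "guard": guard,
                     "bpduguard": _toggle(cmds, glob, "bpduguard", ptype == "edge"),
                     "bpdufilter": _toggle(cmds, glob, "bpdufilter", ptype == "edge")}
    return out

def edge_ports_without_bpduguard(config):
    """Edge ports on which a received BPDU would not shut the port down."""
    return sorted(n for n, s in effective_settings(config).items()
                  if s["type"] == "edge" and not s["bpduguard"])
```

On the sample, `edge_ports_without_bpduguard(SAMPLE_CONFIG)` reports Ethernet1/2, the edge port where the global BPDU Guard default was overridden and BPDU Filtering drops incoming BPDUs instead.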
