Configuring STP Extensions
Cisco has added extensions to the Spanning Tree Protocol (STP) that make convergence more efficient. In some cases, even though similar functionality may be incorporated into the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) standard, we recommend using these extensions. All of these extensions can be used with both RPVST+ and MST.
The available extensions are spanning tree port types, Bridge Assurance, BPDU Guard, BPDU Filtering, Loop Guard, and Root Guard. Many of these features can be applied either globally or on specified interfaces.
Note Spanning tree is used to refer to IEEE 802.1w and IEEE 802.1s. If the text is discussing the IEEE 802.1D Spanning Tree Protocol, 802.1D is stated specifically.
This chapter includes the following sections:
- Information About STP Extensions
- Configuring STP Extensions
- Verifying STP Extension Configuration
Note See “Configuring Rapid PVST+” for complete information on STP and Rapid PVST+ and “Configuring MST” for complete information on MST.
Information About STP Extensions
This section discusses the following topics:
- Understanding STP Port Types
- Understanding Bridge Assurance
- Understanding BPDU Guard
- Understanding BPDU Filtering
- Understanding Loop Guard
- Understanding Root Guard
Understanding STP Port Types
You can configure a spanning tree port as an edge port, a network port, or a normal port. A port can be in only one of these states at a given time. The default spanning tree port type is normal. Depending on the type of device to which the interface is connected, you can configure a spanning tree port as one of these port types.
Spanning Tree Edge Ports
Edge ports, which are connected to hosts, can be either an access port or a trunk port. The edge port interface immediately transitions to the forwarding state, without moving through the blocking or learning states. (This immediate transition was previously configured as the Cisco-proprietary feature PortFast.)
Interfaces that are connected to hosts should not receive STP Bridge Protocol Data Units (BPDUs).
Note If you configure a port that is connected to another switch as an edge port, you might create a bridging loop, because the port forwards immediately and BPDU-based protection is reduced on edge ports.
Spanning Tree Network Ports
Network ports are connected only to switches or bridges. Bridge Assurance is enabled only on network ports.
Note If you mistakenly configure ports that are connected to hosts or other edge devices as spanning tree network ports, those ports automatically move into the blocking state, because Bridge Assurance expects BPDUs from the peer and a host never sends them.
Spanning Tree Normal Ports
Normal ports can be connected to either hosts, switches, or bridges. These ports function as normal spanning tree ports.
Understanding Bridge Assurance
You can use Bridge Assurance to protect against certain problems that can cause bridging loops in the network. Specifically, you use Bridge Assurance to protect against a unidirectional link failure and a device that continues to forward data traffic when it is no longer running the spanning tree algorithm.
Note Bridge Assurance is supported only by Rapid PVST+ and MST. Legacy 802.1D spanning tree does not support Bridge Assurance.
Bridge Assurance is enabled by default and can only be disabled globally. Also, Bridge Assurance can be enabled only on spanning tree network ports that are point-to-point links. Finally, both ends of the link must have Bridge Assurance enabled.
With Bridge Assurance enabled, BPDUs are sent out on all operational network ports, including alternate and backup ports, for each hello time period. If the port does not receive a BPDU for a specified period, the port moves into the blocking state and is not used in the root port calculation. Once that port receives a BPDU, it resumes the normal spanning tree transitions.
Understanding BPDU Guard
Enabling BPDU Guard shuts down that interface if a BPDU is received.
You can configure BPDU Guard at the interface level. When configured at the interface level, BPDU Guard shuts the port down as soon as the port receives a BPDU, regardless of the port type configuration.
When you configure BPDU Guard globally, it is effective only on operational spanning tree edge ports. In a valid configuration, LAN edge interfaces do not receive BPDUs. A BPDU that is received by an edge LAN interface signals an invalid configuration, such as the connection of an unauthorized host or switch. BPDU Guard, when enabled globally, shuts down all spanning tree edge ports when they receive a BPDU.
BPDU Guard provides a secure response to invalid configurations, because you must manually put the LAN interface back in service after an invalid configuration.
Note When enabled globally, BPDU Guard applies to all operational spanning tree edge interfaces.
Understanding BPDU Filtering
You can use BPDU Filtering to prevent the switch from sending or even receiving BPDUs on specified ports.
When configured globally, BPDU Filtering applies to all operational spanning tree edge ports. You should connect edge ports only to hosts, which typically drop BPDUs. If an operational spanning tree edge port receives a BPDU, it immediately returns to a normal spanning tree port type and moves through the regular transitions. In that case, BPDU Filtering is disabled on this port, and spanning tree resumes sending BPDUs on this port.
In addition, you can configure BPDU Filtering by the individual interface. When you explicitly configure BPDU Filtering on a port, that port does not send any BPDUs and drops all BPDUs that it receives. You can effectively override the global BPDU Filtering setting on individual ports by configuring the specific interface. This BPDU Filtering command on the interface applies to the entire interface, whether the interface is trunking or not.
If the per-port BPDU Filtering configuration is anything other than the default, the edge-port configuration has no effect on BPDU Filtering: an explicit per-port enable or disable always wins. Table 1-1 lists all the BPDU Filtering combinations.

Table 1-1 BPDU Filtering Combinations

| BPDU Filtering Per-Port Configuration | BPDU Filtering Global Configuration | STP Edge Port Configuration | BPDU Filtering State |
|---|---|---|---|
| Default | Enable | Enable | Enable (1) |
| Default | Enable | Disable | Disable |
| Default | Disable | Not applicable | Disable |
| Disable | Not applicable | Not applicable | Disable |
| Enable | Not applicable | Not applicable | Enable |

1. The port transmits at least 10 BPDUs. If this port receives any BPDUs, the port returns to the spanning tree normal port state and BPDU Filtering is disabled.
Understanding Loop Guard
Loop Guard protects the network from STP loops that occur when a blocking port in a redundant topology erroneously transitions to the forwarding state. This transition usually happens because one of the ports in a physically redundant topology (not necessarily the blocking port) stops receiving BPDUs.
Loop Guard is only useful in switched networks where devices are connected by point-to-point links. On a point-to-point link, a designated bridge cannot disappear unless it sends an inferior BPDU or brings the link down.
Note Loop Guard can be enabled only on network and normal spanning tree port types.
You can use Loop Guard to determine whether a root port or an alternate/backup root port is still receiving BPDUs. If the port does not receive BPDUs, Loop Guard puts the port into a loop-inconsistent (blocking) state until the port starts to receive BPDUs again. A port in the inconsistent state does not transmit BPDUs. When the port receives BPDUs again, the protocol clears the loop-inconsistent condition and STP determines the port state as usual; recovery is automatic.
Loop Guard isolates the failure and allows STP to converge to a stable topology without the failed link or bridge. Disabling Loop Guard moves all loop-inconsistent ports to the listening state. (See “Configuring Rapid PVST+” for information on STP port states.)
You can enable Loop Guard on a per-port basis. When you enable Loop Guard on a port, it is automatically applied to all of the active instances or VLANs to which that port belongs. When you disable Loop Guard, it is disabled for the specified ports.
Understanding Root Guard
When you enable Root Guard on a port, Root Guard does not allow that port to become a root port. If a received BPDU triggers an STP convergence that would make that designated port become a root port, the port is put into a root-inconsistent (blocked) state. After the port stops receiving superior BPDUs, the port is unblocked again and, through STP, moves to the forwarding state. Recovery is automatic.
Root Guard enabled on an interface applies this functionality to all VLANs to which that interface belongs.
You can use Root Guard to enforce the root bridge placement in the network. Root Guard ensures that the port on which Root Guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more of the ports of the root bridge are connected. If the bridge receives superior BPDUs on a Root Guard-enabled port, the bridge moves this port to a root-inconsistent STP state. In this way, Root Guard enforces the position of the root bridge.
You cannot configure Root Guard globally.
Note You can enable Root Guard on all spanning tree port types: normal, edge, and network ports.
Configuring STP Extensions
This section includes the following topics:
- STP Extensions Configuration Guidelines
- Configuring Spanning Tree Port Types Globally
- Configuring Spanning Tree Edge Ports on Specified Interfaces
- Configuring Spanning Tree Network Ports on Specified Interfaces
- Enabling BPDU Guard Globally
- Enabling BPDU Guard on Specified Interfaces
- Enabling BPDU Filtering Globally
- Enabling BPDU Filtering on Specified Interfaces
- Enabling Loop Guard Globally
- Enabling Loop Guard or Root Guard on Specified Interfaces
STP Extensions Configuration Guidelines
When configuring STP extensions, follow these guidelines:
- Configure all access and trunk ports connected to hosts as edge ports.
- Bridge Assurance runs only on point-to-point spanning tree network ports. You must configure each side of the link for this feature.
- Loop Guard does not run on spanning tree edge ports.
- Loop Guard does not work on ports that are not connected to a point-to-point link.
- You cannot enable Loop Guard if Root Guard is enabled.
Configuring Spanning Tree Port Types Globally
The spanning tree port type designation depends on the type of device the port is connected to, as follows:
- Edge—Edge ports are connected to hosts and can be either an access port or a trunk port.
- Network—Network ports are connected only to switches or bridges.
- Normal—Normal ports are neither edge ports nor network ports; they are normal spanning tree ports. These ports can be connected to any type of device.
You can configure the port type either globally or per interface. By default, the spanning tree port type is normal.
Before you configure the spanning tree port type, you should do the following:
- Ensure that STP is configured.
- Ensure that you are configuring the ports correctly for the type of device to which the interface is connected.
To configure the spanning tree port types globally, perform this task:
This example shows how to configure all access and trunk ports connected to hosts as spanning tree edge ports:
This example shows how to configure all ports connected to switches or bridges as spanning tree network ports:
Configuring Spanning Tree Edge Ports on Specified Interfaces
You can configure spanning tree edge ports on specified interfaces. Interfaces configured as spanning tree edge ports immediately transition to the forwarding state, without passing through the blocking or learning states, on linkup.
- spanning-tree port type edge —This command explicitly enables edge behavior on the access port.
- spanning-tree port type edge trunk —This command explicitly enables edge behavior on the trunk port.
Note If you enter the spanning-tree port type edge trunk command, the port is configured as an edge port even in the access mode.
- spanning-tree port type normal —This command explicitly configures the port as a normal spanning tree port and the immediate transition to the forwarding state is not enabled.
- no spanning-tree port type —This command implicitly enables edge behavior if you define the spanning-tree port type edge default command in global configuration mode. Otherwise the port follows the global default, which is the normal port type unless the spanning-tree port type network default command is configured.
Before you configure the spanning tree port type, ensure that STP is configured and that the interface is connected to a host, because an edge port that faces another switch can create a bridging loop.
To configure spanning tree edge ports on a specified interface, perform this task:
This example shows how to configure the Ethernet access interface 1/4 to be a spanning tree edge port:
Configuring Spanning Tree Network Ports on Specified Interfaces
You can configure spanning tree network ports on specified interfaces.
Bridge Assurance runs only on spanning tree network ports.
This command has three states:
- spanning-tree port type network —This command explicitly configures the port as a network port. If you enable Bridge Assurance globally, it automatically runs on a spanning tree network port.
- spanning-tree port type normal —This command explicitly configures the port as a normal spanning tree port and Bridge Assurance cannot run on this interface.
- no spanning-tree port type —This command implicitly enables the port as a spanning tree network port if you define the spanning-tree port type network default command in global configuration mode. If you enable Bridge Assurance globally, it automatically runs on this port.
Note A port connected to a host that is configured as a network port automatically moves into the blocking state.
Before you configure the spanning tree port type, ensure that STP is configured and that the interface is connected only to a switch or bridge, because a network port that faces a host moves into the blocking state.
To configure spanning tree network ports on a specified interface, perform this task:
This example shows how to configure the Ethernet interface 1/4 to be a spanning tree network port:
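The global and per-interface port type configurations described in this task and the two preceding tasks, collected into one added example. This is not a listing from the original page; the interface numbers, the switchport modes and the devices assumed behind each port are illustrative, and the commands are the ones this chapter describes.

```text
switch# configure terminal
! Global default: ports that face hosts become edge ports on linkup and
! forward immediately. The alternative, "spanning-tree port type network
! default", suits switches whose ports mostly face other switches; the two
! global defaults are mutually exclusive and the later one replaces the earlier.
switch(config)# spanning-tree port type edge default

! Uplink to another switch (assumed to be Ethernet 1/1): explicitly a network
! port so that Bridge Assurance, which is on by default, runs on it. The peer
! end must also be a network port or this link stays blocked.
switch(config)# interface ethernet 1/1
switch(config-if)# switchport mode trunk
switch(config-if)# spanning-tree port type network

! Hypervisor host on a trunk (assumed Ethernet 1/4): edge behaviour on a
! trunk port needs the "edge trunk" form.
switch(config-if)# interface ethernet 1/4
switch(config-if)# switchport mode trunk
switch(config-if)# spanning-tree port type edge trunk

! Device of unknown kind (assumed Ethernet 1/5): explicit normal port. It
! neither forwards immediately nor blocks for lack of Bridge Assurance BPDUs.
switch(config-if)# interface ethernet 1/5
switch(config-if)# spanning-tree port type normal

! Return an interface to the global default (here: edge).
switch(config-if)# interface ethernet 1/6
switch(config-if)# no spanning-tree port type
switch(config-if)# end

! Verify: the "Port Type Default" line in the summary, the type, role and
! state of the uplink, and the effective configuration.
switch# show spanning-tree summary
switch# show spanning-tree interface ethernet 1/1 detail
switch# show running-config spanning-tree
```

The check that matters after this is the uplink: if Ethernet 1/1 shows as blocking with a Bridge Assurance inconsistency, the far end is not a network port (or not running Rapid PVST+ or MST), and the fix belongs on the peer, not in turning Bridge Assurance off.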
Enabling BPDU Guard Globally
You can enable BPDU Guard globally so that it applies by default to all operational spanning tree edge ports. The system then shuts down any edge port that receives a BPDU.
Note We recommend that you enable BPDU Guard on all edge ports.
Before you configure this feature, ensure that STP is configured and that the ports to be protected are configured as spanning tree edge ports, because the global setting applies only to operational edge ports.
To enable BPDU Guard globally, perform this task:
| Command | Purpose |
|---|---|
| switch(config)# spanning-tree port type edge bpduguard default | Enables BPDU Guard by default on all spanning tree edge ports. By default, global BPDU Guard is disabled. |
This example shows how to enable BPDU Guard on all spanning tree edge ports:
Enabling BPDU Guard on Specified Interfaces
You can enable BPDU Guard on specified interfaces. Enabling BPDU Guard shuts down the port if it receives a BPDU.
You can configure BPDU Guard on specified interfaces as follows:
- spanning-tree bpduguard enable — Unconditionally enables BPDU Guard on the interface.
- spanning-tree bpduguard disable — Unconditionally disables BPDU Guard on the interface.
- no spanning-tree bpduguard —Enables BPDU Guard on the interface if it is an operational edge port and if the spanning-tree port type edge bpduguard default command is configured; otherwise BPDU Guard is disabled on the interface.
Before you configure this feature, ensure that STP is configured. The interface-level command applies regardless of the port type.
To enable BPDU Guard on an interface, perform this task:
This example shows how to explicitly enable BPDU Guard on the Ethernet edge port 1/4:
To disable BPDU Guard on an interface, perform this task:
| Command | Purpose |
|---|---|
| switch(config-if)# no spanning-tree bpduguard | Returns the interface to the default: BPDU Guard is enabled only if the interface is an operational edge port and the spanning-tree port type edge bpduguard default command is configured, and is disabled otherwise. |
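The global and per-interface BPDU Guard settings from this task and the preceding one, as one added example rather than a listing from the original page. The interface numbers and the reasons given for each port are assumptions for illustration.

```text
switch# configure terminal
! Global: BPDU Guard on every operational edge port. A BPDU on an edge port
! means a switch (or a host bridging traffic) was attached where only a host
! is expected; the port is shut down rather than admitted into the topology.
switch(config)# spanning-tree port type edge bpduguard default

! Per-interface, unconditional: protects this port even if its port type is
! normal or network, because the interface-level guard ignores port type.
switch(config)# interface ethernet 1/4
switch(config-if)# spanning-tree bpduguard enable

! Per-interface opt-out (assumed to be a lab port where switches are
! expected): "disable" wins over the global default, so this port will now
! accept a foreign BPDU. Record why.
switch(config-if)# interface ethernet 1/7
switch(config-if)# spanning-tree bpduguard disable

! Back to the default: guard follows the global setting and edge status.
switch(config-if)# interface ethernet 1/8
switch(config-if)# no spanning-tree bpduguard
switch(config-if)# end

! A guarded port that received a BPDU is error-disabled. Recovery is manual:
! identify the device that sent the BPDU first, then bounce the port.
switch# show interface ethernet 1/4
switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# shutdown
switch(config-if)# no shutdown
```

The manual recovery is the point of the feature: the port stays down until someone looks. NX-OS can also be told to re-enable such ports on a timer (errdisable recovery for the bpduguard cause, a capability not covered on this page); enabling it trades that guarantee for convenience and lets a rogue switch retry at every interval.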
Enabling BPDU Filtering Globally
You can enable BPDU Filtering globally by default on spanning tree edge ports.
If an edge port with BPDU Filtering enabled receives a BPDU, it loses its operational status as an edge port and resumes the regular STP transitions. However, the port keeps its configuration as an edge port.
Before you configure this feature, ensure that STP is configured and that some ports are configured as spanning tree edge ports, because the global setting applies only to operational edge ports.
Note When enabled globally, BPDU Filtering is applied only on ports that are operational edge ports. Ports send a few BPDUs at linkup before they effectively filter outbound BPDUs. If a BPDU is received on an edge port, it immediately loses its operational edge port status and BPDU Filtering is disabled.
To enable BPDU Filtering globally, perform this task:
This example shows how to enable BPDU Filtering on all operational spanning tree edge ports:
Enabling BPDU Filtering on Specified Interfaces
You can apply BPDU Filtering to specified interfaces. When enabled on an interface, that interface does not send any BPDUs and drops all BPDUs that it receives. This BPDU Filtering functionality applies to the entire interface, whether trunking or not.
You can enter this command to override the global BPDU Filtering configuration on specified interfaces.
This command has three states:
- spanning-tree bpdufilter enable — Unconditionally enables BPDU Filtering on the interface.
- spanning-tree bpdufilter disable — Unconditionally disables BPDU Filtering on the interface.
- no spanning-tree bpdufilter — Enables BPDU Filtering on the interface if the interface is an operational edge port and if you configure the spanning-tree port type edge bpdufilter default command; otherwise BPDU Filtering is disabled on the interface.
Before you configure this feature, ensure that STP is configured and that the interface does not connect to another switch: a port with BPDU Filtering explicitly enabled neither sends nor acts on BPDUs, so STP cannot detect a loop through it.
Note When you enable BPDU Filtering locally on a port, this feature prevents the device from receiving or sending BPDUs on this port.
To enable BPDU Filtering on an interface, perform this task:
This example shows how to explicitly enable BPDU Filtering on the Ethernet spanning tree edge port 1/4:
To disable BPDU Filtering on an interface, perform this task:
| Command | Purpose |
|---|---|
| switch(config-if)# no spanning-tree bpdufilter | Returns the interface to the default: BPDU Filtering is enabled only if the interface is an operational spanning tree edge port and the spanning-tree port type edge bpdufilter default command is configured, and is disabled otherwise. |
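An added example contrasting the weak and the corrected way to use BPDU Filtering, covering both this task and the preceding global one. It is not a listing from the original page; the interface number and the assumed mis-cabling are illustrative.

```text
! WEAK: unconditional filtering on a port that, it turns out, faces another
! switch. BPDUs are neither sent nor received, so STP cannot see a loop
! through this port, and a second path (a mis-patched cable, a second uplink)
! becomes a bridging loop.
switch# configure terminal
switch(config)# interface ethernet 1/4
switch(config-if)# spanning-tree bpdufilter enable

! CORRECTED: remove the per-port override and rely on the global edge-port
! default. Filtering then stops outbound BPDUs towards the host, but the port
! still listens: a received BPDU drops it back to a normal port and STP
! resumes on it.
switch(config-if)# no spanning-tree bpdufilter
switch(config-if)# spanning-tree port type edge
switch(config-if)# exit
switch(config)# spanning-tree port type edge bpdufilter default

! Stronger still: pair the global filter with global BPDU Guard, so the same
! event shuts the port down instead of merely re-enabling STP on it.
switch(config)# spanning-tree port type edge bpduguard default
switch(config)# end

! Verify that no interface carries an explicit "bpdufilter enable" and that
! Ethernet 1/4 is an operational edge port.
switch# show running-config spanning-tree
switch# show spanning-tree interface ethernet 1/4 detail
```

The audit step is the running-config check: an interface-level bpdufilter enable is the one setting on this page that silently disables STP on a port, so every occurrence should be justified by a host that is known never to bridge.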
Enabling Loop Guard Globally
You can enable Loop Guard globally by default on all point-to-point spanning tree normal and network ports. Loop Guard does not run on edge ports.
Loop Guard provides additional security in the bridge network. Loop Guard prevents alternate or root ports from becoming the designated port because of a failure that could lead to a unidirectional link.
Note Entering the Loop Guard command for the specified interface overrides the global Loop Guard command.
Before you configure this feature, you should do the following:
- Ensure that STP is configured.
- Ensure that you have spanning tree normal ports or have configured some network ports.
To enable Loop Guard globally, perform this task:
| Command | Purpose |
|---|---|
| switch(config)# spanning-tree loopguard default | Enables Loop Guard by default on all spanning tree normal and network ports. By default, global Loop Guard is disabled. |
This example shows how to enable Loop Guard on all spanning tree normal or network ports:
Enabling Loop Guard or Root Guard on Specified Interfaces
Note You can run Loop Guard on spanning tree normal or network ports. You can run Root Guard on all spanning tree ports: normal, edge, or network.
You can enable either Loop Guard or Root Guard on specified interfaces.
Enabling Root Guard on a port means that the port cannot become a root port, and Loop Guard prevents alternate or root ports from becoming the designated port because of a failure that could lead to a unidirectional link.
Both Loop Guard and Root Guard enabled on an interface apply to all VLANs to which that interface belongs.
Note Entering the Loop Guard command for the specified interface overrides the global Loop Guard command.
Before you configure this feature, you should do the following:
- Ensure that STP is configured.
- Ensure that you are configuring Loop Guard on spanning tree normal or network ports.
To enable Loop Guard or Root Guard on an interface, perform this task:
This example shows how to enable Root Guard on Ethernet port 1/4:
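The global Loop Guard task and this per-interface Loop Guard or Root Guard task, as one added example that is not a listing from the original page. The page describes the effects but its command listings are missing; the commands used here, spanning-tree loopguard default and spanning-tree guard {loop | root | none}, are the NX-OS commands for these features and are not quoted from this page. The interface numbers and the roles assumed for each port are illustrative.

```text
switch# configure terminal
! Global Loop Guard: every point-to-point normal or network port that stops
! receiving BPDUs goes loop-inconsistent (blocking) instead of forwarding.
! Edge ports are unaffected.
switch(config)# spanning-tree loopguard default

! Root Guard on a downstream-facing port of the intended root bridge
! (assumed Ethernet 1/4): a superior BPDU from below puts this port
! root-inconsistent instead of moving the root. Root Guard and Loop Guard
! are mutually exclusive on an interface, so "guard root" replaces the
! Loop Guard that the global default applied to this port.
switch(config)# interface ethernet 1/4
switch(config-if)# spanning-tree guard root

! Explicit Loop Guard on an uplink (assumed Ethernet 1/1); the interface
! setting overrides the global one.
switch(config-if)# interface ethernet 1/1
switch(config-if)# spanning-tree guard loop

! Opt a port out of both guards.
switch(config-if)# interface ethernet 1/5
switch(config-if)# spanning-tree guard none
switch(config-if)# end

! Verify: the guard in effect per port and whether the port is in a
! loop-inconsistent or root-inconsistent state; the global default appears
! in the summary.
switch# show spanning-tree interface ethernet 1/4 detail
switch# show spanning-tree summary
```

Both inconsistencies clear on their own once BPDUs return (Loop Guard) or the superior BPDUs stop (Root Guard), so a port that stays inconsistent is a signal to investigate the neighbour: a unidirectional link or a stalled peer for Loop Guard, an unexpected switch claiming a better bridge priority for Root Guard.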
Verifying STP Extension Configuration
To display the configuration information for the STP extensions, perform one of the following tasks:
| Command | Purpose |
|---|---|
| show spanning-tree [options] | Displays selected detailed information for the current spanning tree configuration. |