Friday, March 22, 2013

STP Enhancements Part 1





STP Enhancements Part 1 - BPDU Guard, BPDU Filter, BPDU Root Guard



BPDU Guard - BPDU Guard protects your switch against BPDUs.  Wait, I thought BPDUs were a good thing?  Yes, but only on ports uplinked to other switches, the ports where you expect to see BPDUs.

Why:  When you configure your switch to connect to hosts (PCs and servers) you are probably using portfast.  If a user ever connected a switch, if some wires got crossed and a switch got plugged into a host port, or if a Linux user enabled a software bridge, you could have a network loop.

What:  BPDU guard is a port setting that shuts down a port if it ever sees a BPDU.

How:
Globally:
spanning-tree portfast edge bpduguard default
*Make sure you disable bpduguard on the uplink ports where you expect switches to plug in: the global command affects all ports with portfast enabled.*

Per Interface:
spanning-tree bpduguard enable


Recovery:  If BPDU guard triggers (sees a BPDU) it places the port in the error-disabled state, and the port is effectively shut down.  You can recover by first removing the offending device, then logging into the switch and issuing a shut command followed by no shut.

If you would like the switch to re-enable the port by itself, you can use the regular errdisable recovery mechanism:

errdisable recovery cause bpduguard
errdisable recovery interval 400

This causes the switch to keep the port shut down for 400 seconds and then, if it is no longer receiving BPDUs, re-enable the interface.

*Note that BPDU Guard is triggered by BPDUs, so if a user plugs in a home/residential switch it will not trigger, because small home switches do not send BPDUs or participate in spanning tree at all.  BPDU Guard has no effect on home switches or hubs (unless there is a loop and the Cisco switch sees its own BPDU sent back to itself, but then you already have a problem!).

BPDU Filter:

Why: Filter is slightly trickier, as the global command and the interface command perform two different functions.
1. First, the interface method.  If you apply BPDU filtering to a specific interface, it effectively turns off spanning tree on that interface.
2. The global method is intended to save bandwidth and CPU overhead by not sending BPDUs out host ports.


What:
1. Interface method: when turned on for a specific interface, that interface ignores BPDUs sent to it and does not send any BPDUs.  It continues forwarding traffic and does not participate in spanning tree.
2. Global mode: all interfaces in portfast mode are put in filtering mode.  They send out 10 BPDUs when the port comes up and, assuming no incoming BPDUs, the switch then stops sending BPDUs on them.  If a port ever receives a BPDU, it loses its BPDU filter mode and its portfast status and begins the regular spanning tree listening/learning process.

How:
global mode
(config)# spanning-tree portfast bpdufilter default

interface mode
(config-if)# spanning-tree bpdufilter enable


*note - if you enable both BPDU guard and BPDU filtering on the same interface, BPDU filtering takes precedence and BPDU guard has no effect

Root Guard:


Why: ensure an interface will never be used as a root port, increasing STP stability.  At first it is tempting to think you should add root guard to all non-root ports, but don't forget that you have a redundant topology for a reason.  You need your STP domain to be able to reconverge in the case of a failure and elect a new root bridge or use a different root port.  When you choose which ports get root guard, take into consideration any paths you might ever want your traffic to traverse, and do not implement root guard on them.  The easiest and preferred way might be to just use it on edge/access ports and leave it off all switch-to-switch connections, but perhaps your topology has a "leaf loop" off of your primary STP loop that you never want to hold the STP root, and you would rather stop forwarding traffic than allow a switch out there to become root... maybe.

Anyway, root guard is designed so that if anyone plugs a new or non-corporate switch into your network and it happens to have a low (that is, superior) priority value, it won't become root.


What:  If the root guard port receives a BPDU with a priority superior to what the LOCAL switch is seeing (not the root's own priority), the port moves to a "root-inconsistent" state and stops forwarding traffic.  If the offending switch is removed or its priority is raised, the port leaves the root-inconsistent state on its own and resumes forwarding traffic (after moving through the listening/learning states).  No user intervention or config changes are needed to unblock the port.

This feature does not have a global function, only a per-interface function.


(config)# int fa0/2
(config-if)# spanning-tree guard root


*note - if you are just enabling this on host ports to protect your STP topology, use BPDU guard instead.  The only useful case I can think of for root guard: a policy that all unused uplink ports have root guard configured to protect the topology.  When a new switch is added the root is protected, and once the new switch is up and operational you can remove root guard from that port.
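As an added example (not code from the original post), the Python below decodes a constructed 802.1D configuration BPDU and then applies the decision each feature covered above makes when a BPDU arrives on an access port: BPDU filter ignores it, BPDU guard err-disables the port, root guard blocks only a superior root claim, and a plain portfast port drops back to listening/learning. The field layout is the standard 802.1D configuration BPDU; the rogue BPDU, the MAC addresses and the local root bridge ID are constructed values.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU body (35 bytes after the LLC 42 42 03 header). A bridge ID is
# 2 bytes of priority (Cisco PVST+: 4-bit priority + 12-bit VLAN ID) followed by a 6-byte MAC.
BPDU_FMT = "!HBBB8sI8sHHHHH"

@dataclass(frozen=True)
class ConfigBPDU:
    root_priority: int
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str
    forward_delay: float   # seconds; listening + learning = 2 x forward delay = the 30 s portfast skips

def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    if len(payload) < struct.calcsize(BPDU_FMT):
        raise ValueError("truncated BPDU")
    proto, _ver, btype, _flags, root_id, cost, bridge_id, _port, _age, _max, _hello, fwd = \
        struct.unpack(BPDU_FMT, payload[:35])
    if proto != 0 or btype != 0x00:   # type 0x80 is a Topology Change Notification, not a config BPDU
        raise ValueError(f"not a configuration BPDU (proto={proto}, type={btype:#x})")
    rp, rm = struct.unpack("!H6s", root_id)
    bp, bm = struct.unpack("!H6s", bridge_id)
    return ConfigBPDU(rp, rm.hex(":"), cost, bp, bm.hex(":"), fwd / 256)   # timers are in 1/256 s

def is_superior_root(bpdu: ConfigBPDU, local_root: tuple) -> bool:
    # Lower bridge ID (priority first, then MAC) wins the root election; that claim is what root guard blocks.
    return (bpdu.root_priority, bpdu.root_mac) < local_root

def port_action(payload: bytes, local_root: tuple, *,
                bpdu_filter=False, bpdu_guard=False, root_guard=False) -> str:
    """Resulting state of an access port when a BPDU arrives, for the features covered in this post."""
    if bpdu_filter:
        return "ignored"            # interface-level bpdufilter takes precedence over bpduguard
    if bpdu_guard:
        return "err-disabled"       # any BPDU at all, config or TCN, trips BPDU guard
    bpdu = parse_config_bpdu(payload)
    if root_guard and is_superior_root(bpdu, local_root):
        return "root-inconsistent"  # blocked; clears by itself once the superior BPDUs stop
    return "lost-portfast"          # plain portfast port drops back to listening/learning and sends a TCN

# Constructed sample: a rogue switch at priority 4096 on VLAN 1 (0x1001) announcing itself as root.
ROGUE_ID = bytes.fromhex("1001 001122334455")
ROGUE_BPDU = struct.pack(BPDU_FMT, 0, 0, 0, 0, ROGUE_ID, 0, ROGUE_ID, 0x8001,
                         0, 20 * 256, 2 * 256, 15 * 256)
# Root the local switch currently sees (constructed): default priority 32768 + VLAN 1 = 32769.
LOCAL_ROOT = (32769, "aa:bb:cc:dd:ee:ff")
```

Call `port_action(ROGUE_BPDU, LOCAL_ROOT, root_guard=True)` to see the root-inconsistent result; swap the keyword for `bpdu_guard=True` or `bpdu_filter=True` to compare the other two features.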

Spanning Tree Portfast



Portfast - I didn't think I would have enough for a whole post, but there are a few items worth mentioning.


What is it - Typically, if a host (server, PC, etc.) plugs into a port, spanning tree runs to ensure there is no network loop before allowing the host to talk.  If you are running the default, Cisco per-VLAN spanning tree based on 802.1D, this takes 30 seconds for both the listening and learning states to run.

The problem - Thirty seconds is a long time to wait, especially when it means you are not getting DHCP responses and your computer decides it must not be on a real network, so it doesn't run its network startup scripts.

The solution - configuring portfast on an interface tells the switch that only a host (nothing that could cause a loop) is connected.  The switch then allows the port to transition immediately to forwarding (but the port loses its portfast status if a BPDU is received).

The dangers - if you misconfigure this and turn portfast on for an uplink to another switch, hub, etc., a loop could form and crash your network before spanning tree ever has a chance to prevent it.

The terms:  in Rapid Spanning Tree Protocol (802.1w) they are called "edge ports", but they are still configured with the same portfast command.

The commands:

interface fa0/1
spanning-tree portfast
exit

or

interface fa0/1
switchport host
 *This turns on portfast and also disables channeling and trunk negotiation*

or globally from privileged exec mode

#spanning-tree portfast default
*In the global form of portfast, immediate forwarding is enabled for all access ports (NOT ANY TRUNK PORTS), but you should still manually enter the command no spanning-tree portfast on any ports that may be connected to other switches*


spanning-tree portfast trunk
*This command turns portfast on for a trunk.  You would typically have a trunk enabled for a host that needs multiple VLANs, such as a server or a VoIP phone*


If a BPDU is ever received on an edge/portfast port, it loses its portfast status AND sends a Topology Change Notification to all other switches in the STP domain.