CCNP Enterprise Certification Study Guide: Implementing and Operating Cisco Enterprise Network Core Technologies. Ben Piper

Link Detection and Loop Guard

      Root Guard

      Root Guard is a Spanning Tree extension that prevents another switch from becoming root. This can happen if someone adds a new switch with a lower bridge priority. You configure Root Guard on a per-interface basis. If the switch receives a superior BPDU on the port, it will place the port into a Root Inconsistent state and stop forwarding traffic to or from that port. Enable Root Guard by executing the interface command spanning-tree guard root on any ports that you do not want to become root ports.

       [Figure: topology showing SW1 ports Gi0/0 and Gi0/1 and SW4 ports Gi1/0 and Gi1/1]

      Let's configure Root Guard on SW1:

      SW1(config)#int range gi0/0-1
      ! Enable root guard on the interfaces
      SW1(config-if-range)#spanning-tree guard root
      ! Enable Spanning Tree events debugging
      SW1(config-if)#do debug spanning-tree events

      And on SW4:

      SW4(config)#int range gi1/0-1
      ! Enable root guard on the interfaces
      SW4(config-if-range)#spanning-tree guard root
      SW4(config-if-range)#
      *Sep 13 21:40:28.908: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet1/0.
      *Sep 13 21:40:28.921: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet1/1.do
      SW4(config-if-range)#do debug spanning-tree events
      Spanning Tree event debugging is on

      SW3 is the current root. Let's attempt to make SW2 the root:

      SW2(config)#spanning-tree vlan 1 priority 0

      SW1 marks its ports facing SW2—Gi0/0 and Gi0/1—as Root Inconsistent:

      Likewise, SW4 blocks its SW2-facing ports, placing them into a Broken (BKN) status:

      SW4(config-if-range)#do show spanning-tree inconsistentports
      Name                 Interface                Inconsistency
      -------------------- ------------------------ ------------------
      VLAN0001             GigabitEthernet1/0       Root Inconsistent
      VLAN0001             GigabitEthernet1/1       Root Inconsistent

      Number of inconsistent ports (segments) in the system : 2

      SW4(config-if-range)#do show span vl 1 | i Gi1/0|Gi1/1
      Gi1/0               Desg BKN*4         128.5    P2p *ROOT_Inc
      Gi1/1               Desg BKN*4         128.6    P2p *ROOT_Inc
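      The inconsistentports table is what an operator checks after a Root Guard event, and it is worth parsing rather than eyeballing when many switches are involved. The following Python parser is an added example, not code from the book or from Cisco: it turns the output of show spanning-tree inconsistentports into structured records, groups them by inconsistency type, and cross-checks the device's own summary count so a truncated capture is caught. The sample output is constructed to mirror the SW4 session above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the SW4 session shown above (not captured
# from a live device): two SW2-facing ports blocked by Root Guard.
SAMPLE_INCONSISTENT_PORTS = """\
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet1/0       Root Inconsistent
VLAN0001             GigabitEthernet1/1       Root Inconsistent

Number of inconsistent ports (segments) in the system : 2
"""

# One table row: VLAN name, interface, then a multi-word inconsistency type.
ROW_RE = re.compile(r"^(?P<vlan>VLAN\d+)\s+(?P<intf>\S+)\s+(?P<kind>\S+(?: \S+)*)$")
COUNT_RE = re.compile(r"Number of inconsistent ports \(segments\) in the system\s*:\s*(\d+)")


@dataclass(frozen=True)
class InconsistentPort:
    vlan: str
    interface: str
    inconsistency: str  # e.g. "Root Inconsistent" (Root Guard) or "Loop Inconsistent" (Loop Guard)


def parse_inconsistent_ports(output: str) -> List[InconsistentPort]:
    """Parse 'show spanning-tree inconsistentports' output into records.

    Raises ValueError if the device's summary count disagrees with the number
    of rows parsed, which usually means the capture was cut short.
    """
    ports: List[InconsistentPort] = []
    reported = None
    in_table = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Name") and "Inconsistency" in line:
            in_table = True          # column header: data rows follow
            continue
        if set(line) <= {"-", " "}:
            continue                 # dashed separator under the header
        m = COUNT_RE.search(line)
        if m:
            reported = int(m.group(1))
            in_table = False
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                ports.append(InconsistentPort(m["vlan"], m["intf"], m["kind"]))
    if reported is not None and reported != len(ports):
        raise ValueError(f"device reports {reported} inconsistent ports, parsed {len(ports)}")
    return ports


def ports_by_inconsistency(ports: List[InconsistentPort]) -> Dict[str, List[str]]:
    """Group interface names by inconsistency type, the shape an alert wants."""
    grouped: Dict[str, List[str]] = {}
    for p in ports:
        grouped.setdefault(p.inconsistency, []).append(p.interface)
    return grouped


if __name__ == "__main__":
    for kind, intfs in ports_by_inconsistency(parse_inconsistent_ports(SAMPLE_INCONSISTENT_PORTS)).items():
        print(f"{kind}: {', '.join(intfs)}")
```

      Run against the constructed sample it reports Root Inconsistent: GigabitEthernet1/0, GigabitEthernet1/1, which is exactly the pair the SW4 session above shows in BKN status. A nonzero Root Inconsistent count on an uplink is a signal worth alerting on, because it means a superior BPDU arrived where the design says none should.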

      BPDU Guard and BPDU Filter

      Although BPDU Guard and BPDU Filter have confusingly similar names, they have opposite effects. BPDU Guard error-disables a port if it receives a BPDU. This is useful if someone accidentally connects a cheap workgroup switch to a port that's meant for an end user. The interface command to enable it is spanning-tree bpduguard enable.

      Rather than issuing this command on every interface, you can issue the global command spanning-tree portfast edge bpduguard default. This will automatically enable BPDU Guard for any interface that has PortFast enabled.

      When an interface is error-disabled, you must reenable it manually by shutting and unshutting the port. Alternatively, you can have IOS automatically reenable the port after a period of time using the following global configuration commands:

      errdisable recovery cause bpduguard
      errdisable recovery interval 30

      BPDU Filter prevents a switch from sending or processing received BPDUs. This effectively ensures that the port is always in a forwarding state, even if it creates a loop. The interface command to unconditionally enable BPDU Filter is spanning-tree bpdufilter enable.

      If you want to enable BPDU Filter only on access ports in PortFast mode, you can instead use the global configuration command spanning-tree portfast edge bpdufilter default. This will not enable BPDU Filter if the port is trunked, even if it's in PortFast trunk mode.

      The Unidirectional Link Detection (UDLD) protocol detects and shuts down unidirectional links. A unidirectional link is usually caused by one strand of a fiber cable being damaged. When this occurs, a switch may be able to send BPDUs but not receive them. This can destabilize a Spanning Tree topology and cause lost traffic or bridging loops.

      UDLD periodically tests for bidirectional communication between switches. It sends Hello packets to its neighbor by default every 15 seconds. The neighbor echoes the packets back. If the sender does not receive the echo, it assumes a unidirectional link and responds according to its configured UDLD mode.

      There are two UDLD modes: normal and aggressive. In aggressive mode, UDLD will try eight times to reestablish a bidirectional connection with a neighbor. After that, it will place the entire interface into an error-disabled state. It's important to note that when UDLD disables the interface, it will stop all traffic on that interface.

      You can enable UDLD on a per-interface basis, or you can have IOS automatically enable it on fiber-optic ports. The interface command to enable aggressive mode is udld port aggressive. In normal mode, UDLD will only detect a unidirectional link but won't disable the port. To enable normal mode, use the interface command udld port. To have IOS automatically enable UDLD normal or aggressive mode on all fiber-optic ports, use the global configuration command udld enable or udld aggressive, respectively.

      Similar to BPDU Guard, if UDLD error-disables a port, you must either recover the port manually or configure error-disable recovery using the following global configuration commands:

      errdisable recovery interval 30
      errdisable recovery cause udld

      Loop Guard

      Loop Guard is a Spanning Tree extension that places a Spanning Tree port into a loop-inconsistent state if it fails to receive BPDUs for a VLAN. Unlike UDLD aggressive mode, which disables an interface, Loop Guard blocks ports on a per-VLAN basis. You can enable Loop Guard using the interface command spanning-tree guard loop.
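      The BPDU Guard and BPDU Filter, UDLD, and Loop Guard sections above all boil down to a handful of interface and global commands, and whether they are present is something you can audit from a saved running-config rather than by logging in to every switch. The following Python script is an added example, not code from the book or from Cisco: it splits an IOS configuration into global and per-interface commands, then flags PortFast ports without BPDU Guard (unless the global bpduguard default covers them), any port or global default with BPDU Filter enabled, and BPDU Guard or UDLD deployments that lack the matching errdisable recovery cause. The sample configuration is constructed, with deliberate weaknesses on Gi0/3 and Gi0/4; the function names and severity labels are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config fragment (not from the book) mixing the hardening
# commands discussed above with two deliberate weaknesses on Gi0/3 and Gi0/4.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
interface GigabitEthernet0/0
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
"""

Finding = Tuple[str, str, str]  # (scope, severity, message)


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and per-interface command lists.

    IOS nests sub-commands under a parent by one leading space and ends a
    block with '!'. Children of non-interface blocks (line vty, router ...)
    are ignored, since this audit only cares about interfaces and globals.
    """
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def audit_stp_hardening(text: str) -> List[Finding]:
    """Flag settings the chapter describes as risky or as leaving recovery manual."""
    global_cmds, interfaces = parse_ios_config(text)
    g = set(global_cmds)
    findings: List[Finding] = []
    # Both the 'portfast edge ... default' and older 'portfast ... default' spellings count.
    guard_by_default = any(c.startswith("spanning-tree portfast") and c.endswith("bpduguard default") for c in g)
    uses_bpduguard = guard_by_default
    uses_udld = bool({"udld enable", "udld aggressive"} & g)
    if any(c.startswith("spanning-tree portfast") and c.endswith("bpdufilter default") for c in g):
        findings.append(("global", "high", "BPDU Filter defaulted on PortFast edge ports: loops through them go undetected"))
    for name, cmds in interfaces.items():
        c = set(cmds)
        portfast = any(x.startswith("spanning-tree portfast") for x in cmds)
        if "spanning-tree bpduguard enable" in c:
            uses_bpduguard = True
        if any(x.startswith("udld port") for x in cmds):
            uses_udld = True
        if "spanning-tree bpdufilter enable" in c:
            findings.append((name, "high", "BPDU Filter enabled: port keeps forwarding even if a loop forms"))
        elif portfast and not guard_by_default and "spanning-tree bpduguard enable" not in c:
            findings.append((name, "medium", "PortFast without BPDU Guard: an unexpected switch here joins the Spanning Tree"))
    # An error-disabled port stays down until someone shuts/no shuts it unless recovery is configured.
    if uses_bpduguard and "errdisable recovery cause bpduguard" not in g:
        findings.append(("global", "low", "BPDU Guard in use but no 'errdisable recovery cause bpduguard'"))
    if uses_udld and "errdisable recovery cause udld" not in g:
        findings.append(("global", "low", "UDLD in use but no 'errdisable recovery cause udld'"))
    return findings


if __name__ == "__main__":
    for scope, severity, message in audit_stp_hardening(SAMPLE_CONFIG):
        print(f"{severity:6} {scope:20} {message}")
```

      On the constructed sample the audit reports Gi0/3 (PortFast without BPDU Guard), Gi0/4 (BPDU Filter enabled), and a global finding that UDLD aggressive mode is in use on Gi0/1 without errdisable recovery cause udld. Adding spanning-tree portfast edge bpduguard default and errdisable recovery cause udld globally and removing the bpdufilter line clears all three, which matches the guidance above.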

      Summary

      As with any networking technology, practice and experience are going to do more to solidify your conceptual understanding of Spanning Tree than simply studying it. Be sure to work through the exercises at the end of this chapter until you feel comfortable completing them on your own without referencing anything else.

      The most common Spanning Tree mode you'll encounter is RPVST+. It goes by a variety of names, including RSTP and 802.1w. Two features that give it its rapid convergence set it apart from the original PVST+: the absence of timer-based port states and the introduction of link types.

      MST is useful when you have a large number of VLANs. Rather than using RPVST+, which creates a separate Spanning Tree instance for each VLAN, MST lets you map multiple VLANs to a single instance.

      Exam Essentials

      Be able to determine the root bridge, root ports, and designated ports for any Spanning Tree topology. Because a layer 2 loop can bring down a network, you must be able to understand what Spanning Tree will do before
