This is the second part of the series on Spanning Tree Protocol, and here we discuss the features that enhance its operation. More specifically, we will discuss and configure the following features:

  • PortFast
  • Root Guard
  • Loop Guard
  • BPDU Guard
  • BPDU Filter

Below is our topology, with two VLANs configured and two hosts in each VLAN:

In the above topology, everything was left at its default with regard to the Spanning Tree Protocol. The VLANs were created, and the interfaces on all switches were assigned to their respective VLANs. Also, the interfaces between all three switches were configured as trunks allowing all VLANs.

PortFast

Let’s start with the PortFast feature. PortFast is an STP feature that allows a port on which STP is running to transition directly from the blocking state to the forwarding state without going through the listening and learning states.

To demonstrate this, let’s see what happens when Gi0/0 from SW12 is brought up after it was shut down. The debugging information is captured by the “debug spanning-tree events” and “debug spanning-tree general” commands:

*May 10 02:06:11.595: set portid: VLAN0013 Gi0/0: new port id 8001
*May 10 02:06:11.595: Created spanning tree port Gi0/0 (ACFFE034) for tree VLAN0013 (ADB93CC0) 
*May 10 02:06:11.595: Enabling spanning tree port: GigabitEthernet0/0 (ACFFE034)
*May 10 02:06:11.595: STP: VLAN0013 Gi0/0 -> listening
*May 10 02:06:13.584: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 10 02:06:14.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*May 10 02:06:26.603: STP: VLAN0013 Gi0/0 -> learning
*May 10 02:06:41.610: STP[13]: Generating TC trap for port GigabitEthernet0/0
*May 10 02:06:41.610: STP: VLAN0013 sent Topology Change Notice on Gi0/3
*May 10 02:06:41.610: STP: VLAN0013 Gi0/0 -> forwarding

As you can see, it takes 30 seconds (15 seconds in listening plus 15 seconds in learning, the default forward delay) from the moment the port is brought up until it transitions to the forwarding state.

Let’s configure PortFast on Gi0/0 before we bring the port up:

SW12(config-if)#spanning-tree portfast 
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet0/0 but will only
 have effect when the interface is in a non-trunking mode.
SW12(config-if)#

Now let’s bring the port up and see what the debug commands show:

*May 10 02:32:48.097: set portid: VLAN0013 Gi0/0: new port id 8001
*May 10 02:32:48.097: Created spanning tree port Gi0/0 (ACFFE034) for tree VLAN0013 (ADB93CC0) 
*May 10 02:32:48.097: Enabling spanning tree port: GigabitEthernet0/0 (ACFFE034)
*May 10 02:32:48.097: STP: VLAN0013 Gi0/0 ->jump to forwarding from blocking
*May 10 02:32:50.089: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 10 02:32:51.093: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

You can check whether a port has PortFast enabled using this command:

SW12#show spanning-tree interface gi0/0 portfast 
VLAN0013            enabled
SW12# 

As you can see, the port transitioned right away to forwarding state and once the interface comes up, it can start transmitting and receiving traffic.

There is an option to enable PortFast on all access ports like so:

SW12(config)#spanning-tree portfast default 
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.

SW12(config)#

It is recommended to enable PortFast on all ports where hosts or routers (that don’t run any form of STP) are connected, so that they wait the minimum time before traffic can be sent or received.

Before we move on and discuss other STP features, let’s talk about inconsistent ports. An inconsistent port is a port that was blocked by STP due to an irregularity that was detected by one of the Root Guard, Loop Guard or BPDU Guard features.

Root Guard

The root guard feature provides the ability to enforce the root bridge placement in the network. It ensures that the port configured with this feature is a designated port and will not become a root port.

This feature is useful as a way to prevent users from adding a switch to the network that could become the root bridge.

Let’s configure the feature on our setup. Right now, SW34 is the root bridge; let’s assume that SW3 is an unauthorized switch that has been added to the network with a lower priority than SW34. Without the feature, SW3 would become the root bridge, with undesirable effects on the network.

The feature is configured on SW34 on the interface towards SW3, and it should be configured on SW12 on the interface towards SW3 as well. The configuration is identical:

SW34#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW34(config)#int gi0/4
SW34(config-if)#spanning-tree guard root 
*May 10 04:06:28.478: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/4.
SW34(config-if)#end
SW34#

Now let’s modify the priority on SW3 for VLAN 13 (the same can be configured for VLAN 24 as well) and see what is happening on SW34:

SW3(config)#spanning-tree vlan 13 priority  4096
SW3(config)#

Right away, this is detected by SW34 and the port is blocked for VLAN 13:

SW34#
*May 10 04:10:36.879: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/4 on VLAN0013.
SW34#

Also, the port is now in inconsistent state for VLAN 13:

SW34#show  spanning-tree vlan 13

===== output cut for brevity =====

Gi0/4               Desg BKN*4         128.5    P2p *ROOT_Inc 

===== output cut for brevity =====


SW34#

You can check what ports are in inconsistent state and why using this:

SW34#show  spanning-tree inconsistentports 

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0013             GigabitEthernet0/4       Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

SW34#

Once I put back the default priority on SW3, the port is unblocked and removed from inconsistent state:

*May 10 04:16:15.668: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/4 on VLAN0013.

Loop Guard

Let’s move on to another STP feature, Loop Guard. The Loop Guard feature provides additional protection against Layer 2 loops. If a non-designated port with Loop Guard enabled stops receiving BPDUs, that port is moved into the STP loop-inconsistent blocking state. Without the Loop Guard feature, the port would assume the designated port role, move to the forwarding state, and create a loop.

We will enable Loop Guard on SW3 on the interface towards SW34:

SW3(config)#int gi0/1
SW3(config-if)#spanning-tree guard loop 
SW3(config-if)#end
SW3#

Now, due to a hardware failure on SW34, no BPDUs are sent for any of the VLANs (1, 13 and 24) from SW34 to SW3. However, the interface on SW3 is still up and still expects BPDUs. This is the moment when SW3 could induce a Layer 2 loop.

But because Loop Guard is configured, the port is put in inconsistent state for all VLANs:

*May 10 04:52:03.226: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0001.
*May 10 04:52:03.342: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0013.
*May 10 04:52:03.401: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0024.

This is confirmed by checking the STP state for any of the VLANs. This is for VLAN 13:

SW3#show  spanning-tree vlan 13

===== output cut for brevity =====


Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    P2p 
Gi0/1               Desg BKN*4         128.2    P2p *LOOP_Inc 


===== output cut for brevity =====


SW3#

Also, we can see the reason why the port went into the inconsistent state:

SW3#show  spanning-tree inconsistentports 

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet0/1       Loop Inconsistent
VLAN0013             GigabitEthernet0/1       Loop Inconsistent
VLAN0024             GigabitEthernet0/1       Loop Inconsistent

Number of inconsistent ports (segments) in the system : 3

SW3#

BPDU Guard

The next feature that we will discuss is BPDU Guard. This is a straightforward feature: it ensures that the port goes into the errdisable state if a BPDU is received on it. It should be configured on ports that should never receive a BPDU.

Let’s test this on our topology: we will configure BPDU Guard on SW3 Gi0/1 so that the port is err-disabled as soon as a BPDU is received on that interface. SW3 is receiving BPDUs from SW34 on that interface because SW34 is the root bridge.

Once this is configured:

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#int gi0/1
SW3(config-if)#spanning-tree bpduguard enable

The port goes down due to errdisable:

*May 10 06:21:16.677: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
*May 10 06:21:16.677: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*May 10 06:21:17.681: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down                                    
*May 10 06:21:18.690: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down

If you check the status of the interface, you will see the reason:

SW3# show interfaces gi0/1
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
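As an added example (not part of the original article), the following Python parser turns the SPANTREE syslog messages shown in the Root Guard, Loop Guard and BPDU Guard sections into events and replays them to list which port/VLAN segments a guard is still blocking. It assumes the syslog collector prefixes each line with the switch hostname, and the LOOPGUARD_UNBLOCK mnemonic, which this article does not show, is assumed by analogy with ROOTGUARD_UNBLOCK.

```python
import re

# Constructed sample from the SPANTREE messages in this walkthrough; the leading hostname is an assumed syslog prefix.
SAMPLE_LOG = """\
SW34 *May 10 04:10:36.879: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/4 on VLAN0013.
SW34 *May 10 04:16:15.668: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/4 on VLAN0013.
SW3 *May 10 04:52:03.226: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0001.
SW3 *May 10 04:52:03.342: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0013.
SW3 *May 10 04:52:03.401: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0024.
SW3 *May 10 06:21:16.677: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
"""

# LOOPGUARD_UNBLOCK is assumed by analogy with ROOTGUARD_UNBLOCK (it is not shown in the article).
GUARD_RE = re.compile(
    r"^(?P<host>\S+) \*(?P<ts>\w+ \d+ [\d:.]+): %SPANTREE-2-"
    r"(?P<mnemonic>ROOTGUARD_BLOCK|ROOTGUARD_UNBLOCK|LOOPGUARD_BLOCK|LOOPGUARD_UNBLOCK|BLOCK_BPDUGUARD): "
    r".*?port (?P<port>\S+)(?: on (?P<vlan>VLAN\d+))?"
)

def short_if(name):
    """IOS mixes long and short interface names (GigabitEthernet0/4 vs Gi0/1); normalise to the short form."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z-]*", r"\1", name)

def parse_event(line):
    """Return a dict describing one guard event, or None if the line is not a guard message."""
    m = GUARD_RE.match(line)
    if m is None:
        return None
    if m["mnemonic"] == "BLOCK_BPDUGUARD":
        # BPDU Guard err-disables the whole port, so there is no per-VLAN scope.
        guard, action, vlan = "bpduguard", "errdisable", None
    else:
        guard, action = m["mnemonic"].lower().split("_")  # e.g. "rootguard", "block"
        vlan = m["vlan"]
    return {"host": m["host"], "ts": m["ts"], "guard": guard, "action": action,
            "port": short_if(m["port"]), "vlan": vlan}

def active_blocks(log_text):
    """Replay the log in order and return {(host, port, vlan): guard} for segments still blocked."""
    state = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["port"], ev["vlan"])
        if ev["action"] in ("block", "errdisable"):
            state[key] = ev["guard"]
        elif ev["action"] == "unblock":
            state.pop(key, None)  # a root/loop guard unblock clears that segment's inconsistency
    return state
```

Run against the sample, SW34 Gi0/4 drops out after its ROOTGUARD_UNBLOCK, leaving the three loop-inconsistent VLANs and the err-disabled port on SW3, the same picture the "show spanning-tree inconsistentports" output gives but reconstructed from the log stream.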

BPDU Filter

The last STP feature is BPDU Filter. The BPDU Filter feature allows you to suppress the sending of BPDUs on a specific interface. When an interface comes up, BPDUs may be sent on it, and if the device on the other side has BPDU Guard enabled, that will bring its interface down. To avoid this, it’s advisable to do everything possible to make sure you do not send a BPDU.

First, let’s confirm that we are sending BPDUs. We will check and configure the feature on SW34 on interface Gi0/4:

SW34#show spanning-tree interface gi0/4 detail  | i BPDU:
   BPDU: sent 2604, received 2
   BPDU: sent 2604, received 2
   BPDU: sent 2604, received 2
SW34#show spanning-tree interface gi0/4 detail  | i BPDU:
   BPDU: sent 2637, received 2
   BPDU: sent 2637, received 2
   BPDU: sent 2637, received 2
SW34#

Now let’s configure BPDU Filter on the interface:

SW34#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW34(config)#int gi0/4
SW34(config-if)#spanning-tree bpdufilter enable
SW34(config-if)#end
SW34#

And let’s sample the number of BPDUs sent and received on this interface a few times:

SW34#show spanning-tree interface gi0/4 detail  | i BPDU:
   BPDU: sent 2674, received 2
   BPDU: sent 2674, received 2
   BPDU: sent 2674, received 2
SW34#show spanning-tree interface gi0/4 detail  | i BPDU:
   BPDU: sent 2674, received 2
   BPDU: sent 2674, received 2
   BPDU: sent 2674, received 2
SW34#show spanning-tree interface gi0/4 detail  | i BPDU:
   BPDU: sent 2674, received 2
   BPDU: sent 2674, received 2
   BPDU: sent 2674, received 2
SW34#

Of course, at this moment STP is broken on this link: with the filter enabled at the interface level, SW34 neither sends BPDUs on Gi0/4 nor processes the ones it receives there, so SW3 will switch over to SW12 to reach the root bridge, SW34.

We have now reached the end of the article and of the series on the Spanning Tree Protocol.

In this article, you saw how to configure the PortFast, Root Guard, Loop Guard, BPDU Guard and BPDU Filter features.

By reaching this point in the series, you should now know the most common features that you can use together with STP and how to configure them.

You should have a good understanding of STP now, at least configuration-wise, and be better prepared for the CCNA exam.
