Unidirectional link detection
UDLD detects unidirectional links on either fiber or twisted pair. In normal mode it leaves layer 1 to try to do its job; in aggressive mode it also performs layer 1 tasks. It can be configured globally or per interface. Note: this description is badly written because I want to get this post over with and go shave my scrubby face. :)
Configuration
SW1(config)#udld enable
SW1(config)#udld aggressive
STP Loop Guard
LoopGuard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. It works best when it is enabled on all switches. When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by LoopGuard in all MST instances. On a boundary port, LoopGuard blocks the interface in all MST instances.
Configuration
SW1(config)#spanning-tree loopguard default
STP RootGuard
RootGuard keeps other switches from becoming the root, from a "root" perspective. If STP determines that one of your ports should become the root port when it connects to a switch you do not want as root, it places the port in a root-inconsistent state (blocked) to prevent the customer's site from being the root bridge or being in the path to the root. If the switch is operating in MST mode, the port is forced to be a designated port. Root guard applies to all VLANs on the interface.
Configuration
SW1(config-if-range)#spanning-tree guard root
Verification
SW1(config-if-range)# do sh run int g0/13
Building configuration...

Current configuration : 98 bytes
!
interface GigabitEthernet0/13
 switchport mode dynamic desirable
 spanning-tree guard root
end
Let's try to make SW2 the root bridge on VLAN 1..
SW2(config)#spanning-tree vlan 1 root primary
..and the result.
*Mar 1 01:23:57.627: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/13 on VLAN0001.
Then we disable SW2 as the root.
*Mar 1 01:26:26.953: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/13 on VLAN0001.
It works! :)
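The two syslog messages above can be tracked to see which ports are still held in the root-inconsistent state. This is an added example, not part of the original post; the first two log lines come from the post and the rest are constructed sample data.

```python
import re
from collections import Counter

# Matches the two root guard messages shown in the post.
ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<action>BLOCK|UNBLOCK): "
    r"Root guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)\."
)

def track_rootguard(lines):
    """Return (still_blocked, block_counts) from an iterable of syslog lines.

    still_blocked: set of (port, vlan) pairs whose last event was a BLOCK.
    block_counts:  Counter of BLOCK events per port, to spot repeat offenders.
    """
    still_blocked = set()
    block_counts = Counter()
    for line in lines:
        m = ROOTGUARD_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (m["port"], m["vlan"])
        if m["action"] == "BLOCK":
            still_blocked.add(key)
            block_counts[m["port"]] += 1
        else:
            still_blocked.discard(key)
    return still_blocked, block_counts

# First two lines are from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
*Mar 1 01:23:57.627: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/13 on VLAN0001.
*Mar 1 01:26:26.953: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/13 on VLAN0001.
*Mar 1 01:31:02.114: %LINK-3-UPDOWN: Interface GigabitEthernet0/14, changed state to up
*Mar 1 01:31:40.208: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/13 on VLAN0001.
*Mar 1 01:31:40.216: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/14 on VLAN0005.
*Mar 1 01:33:10.501: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/14 on VLAN0005.
""".splitlines()

if __name__ == "__main__":
    blocked, counts = track_rootguard(SAMPLE_LOG)
    for port, vlan in sorted(blocked):
        print(f"still root-inconsistent: {port} {vlan}")
    for port, n in counts.most_common():
        print(f"{port}: {n} block event(s)")
```

A port that keeps reappearing in the block count is receiving superior BPDUs repeatedly and is worth tracing to the attached device.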
BPDU Filtering
BPDU filtering is similar to BPDU guard, but prevents an interface from sending or receiving BPDUs. The port still sends a few BPDUs at link-up before it starts filtering outbound BPDUs. If a BPDU is received on a portfast interface, the interface is shut down and BPDU filtering is disabled. This can be enabled globally (on portfast interfaces) or at the interface level without portfast. The difference between this and BPDU Guard is the action: BPDU filtering removes portfast, whereas BPDU Guard errdisables the port. (Thanks Brian McGahan from GS!)
Configuration globally
SW1(config)#span portfast bpdufilter default
Configuration on interface
SW1(config-if)#spanning-tree bpdufilter enable
Verification
SW1#sh run int g0/5
Building configuration...

Current configuration : 144 bytes
!
interface GigabitEthernet0/5
 switchport access vlan 58
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
end
STP BPDU Guard
BPDU guard listens for BPDUs received on access ports, and if one is received it shuts down the port. This is beneficial in almost all situations, since a received BPDU means there is a bridge/switch of some sort on that port, which is bad. We do not want access ports receiving BPDUs. This can be enabled at a global level or per interface. It can be used with or without portfast; however, in a global configuration it is only applied to portfast ports. You can also optionally choose for the VLAN to be shut down, instead of the port, by using the command errdisable detect cause bpduguard shutdown vlan globally.
Configuration globally
SW1(config)#spanning-tree portfast bpduguard default
Configuration on interface
SW1(config-if)#spanning-tree bpduguard enable
Verification
SW1(config)#do sh run int g0/1
Building configuration...

Current configuration : 144 bytes
!
interface GigabitEthernet0/1
 switchport access vlan 146
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
end
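The BPDU filter and BPDU guard settings described in the two sections above can be checked across a saved running-config. This is an added example, not part of the original post; the function names are hypothetical, and the sample config is constructed from the stanzas shown in the post plus one invented port.

```python
import re

def parse_interfaces(config):
    """Split a running-config into {interface: [stripped stanza lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif not raw.startswith(" "):
            current = None  # "!", "end" or a global line closes the stanza
        elif current is not None:
            current.append(raw.strip())
    return interfaces

def audit(config):
    """Return sorted (interface, finding) tuples for access ports."""
    global_guard = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk and dynamic ports are out of scope here
        portfast = "spanning-tree portfast" in lines  # global default covers only these
        guarded = "spanning-tree bpduguard enable" in lines or (global_guard and portfast)
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, "bpdufilter enabled: BPDUs not sent or received"))
        if not guarded:
            findings.append((name, "no BPDU guard on access port"))
    return sorted(findings)

# Constructed sample: Gi0/1 and Gi0/5 follow the post; Gi0/7 is invented.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/7
 switchport mode access
end
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Adding the global `spanning-tree portfast bpduguard default` line clears the guard finding for Gi0/5 but not for Gi0/7, because the global form only applies to portfast ports.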
STP Backbonefast
BackboneFast detects indirect link failures and starts the spanning-tree reconfiguration sooner. It has to be enabled on all switches to function correctly.
Configuration
SW1(config)#spanning-tree backbonefast
Verification
SW1#sh spanning-tree backbonefast
BackboneFast is enabled

BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs)   : 0
Number of inferior BPDUs received (all VLANs)       : 0
Number of RLQ request PDUs received (all VLANs)     : 0
Number of RLQ response PDUs received (all VLANs)    : 0
Number of RLQ request PDUs sent (all VLANs)         : 0
Number of RLQ response PDUs sent (all VLANs)        : 0
STP Uplinkfast
Uplinkfast provides a way for a previously blocking port to skip learning and listening states and transition directly to forwarding when the root port goes down. The station update rate can be set optionally with the max-update-rate command.
Configuration
SW2(config)#spanning-tree uplinkfast
Verification
SW2#sh spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0005             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0007             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0008             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0009             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0010             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0022             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0043             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0058             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0067             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0079             Gi0/13(fwd), Gi0/14, Gi0/15
VLAN0146             Gi0/13(fwd), Gi0/14, Gi0/15
STP Portfast
Portfast allows for ports to skip the learning and listening phase and go right into forwarding. This should not be used on ports other than end devices/routers. You can enable this globally or on an interface level.
Configuration on interface
SW1(config-if-range)#spanning-tree portfast
Configuration globally
SW1(config)#spanning-tree portfast default
STP Convergence Timers
You can tune STP to better suit your environment by changing the timers. I will demonstrate how to change the timers.
We want to change forwarding time to no more than 20 seconds, the hello timer to 3 seconds, the aging timer to 10 seconds. We want to apply this to all active vlans as well as any that may be used in the future.
Configuration
SW1(config)#spanning-tree vlan 1-4094 forward-time 20
SW1(config)#spanning-tree vlan 1-4094 max-age 10
SW1(config)#spanning-tree vlan 1-4094 hello-time 3
Verification
SW1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0015.2b12.4a80
             This bridge is the root
             Hello Time   3 sec  Max Age 10 sec  Forward Delay 20 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0015.2b12.4a80
             Hello Time   3 sec  Max Age 10 sec  Forward Delay 20 sec
             Aging Time 300 sec
output omitted