Ben Piper - CCNP Enterprise Certification Study Guide - Implementing and Operating Cisco Enterprise Network Core Technologies

Likewise, SW4 blocks its SW2-facing ports, placing them into a Broken (BKN) status:

SW4(config-if-range)#do show spanning-tree inconsistentports Name Interface Inconsistency -------------------- ------------------------ ------------------ VLAN0001 GigabitEthernet1/0 Root Inconsistent VLAN0001 GigabitEthernet1/1 Root Inconsistent Number of inconsistent ports (segments) in the system : 2 SW4(config-if-range)#do show span vl 1 | i Gi1/0|Gi1/1 Gi1/0 Desg BKN*4 128.5 P2p *ROOT_Inc Gi1/1 Desg BKN*4 128.6 P2p *ROOT_Inc

Although BPDU Guard and BPDU Filter have confusingly similar names, they have opposite effects. BPDU Guard error-disables a port if it receives a BPDU. This is useful if someone accidentally connects a cheap workgroup switch to a port that's meant for an end user. The interface command to enable it is spanning-tree bpduguard enable.

Rather than issuing this command on every interface, you can issue the global command spanning-tree portfast edge bpduguard default. This will automatically enable BPDU Guard for any interface that has PortFast enabled.

When an interface is error-disabled, you must reenable it manually by shutting and unshutting the port. Alternatively, you can have IOS automatically reenable the port after a period of time using the following global configuration commands:

errdisable recovery cause bpduguard errdisable recovery interval 30

BPDU Filter prevents a switch from sending or processing received BPDUs. This effectively ensures that the port is always in a forwarding state, even if it creates a loop. The interface command to unconditionally enable BPDU Filter is spanning-tree bpdufilter enable.

If you want to enable BPDU Filter only on access ports in PortFast mode, you can instead use the global configuration command spanning-tree portfast edge bpdufilter default. This will not enable BPDU Filter if the port is trunked, even if it's in PortFast trunk mode.

The Unidirectional Link Detection (UDLD) protocol detects and shuts down unidirectional links. A unidirectional link is usually caused by one strand of a fiber cable being damaged. When this occurs, a switch may be able to send BPDUs but not receive them. This can destabilize a Spanning Tree topology and cause lost traffic or bridging loops.

UDLD periodically tests for bidirectional communication between switches. It sends Hello packets to its neighbor by default every 15 seconds. The neighbor echoes the packets back. If the sender does not receive the echo, it assumes a unidirectional link and responds according to its configured UDLD mode.

There are two UDLD modes: normal and aggressive. In aggressive mode, UDLD will try eight times to reestablish a bidirectional connection with a neighbor. After that, it will place the entire interface into an error-disabled state. It's important to note that when UDLD disables the interface, it will stop all traffic on that interface.

You can enable UDLD on a per-interface basis, or you can have IOS automatically enable it on fiber-optic ports. The interface command to enable aggressive mode is udld port aggressive. In normal mode, UDLD will only detect a unidirectional link but won't disable the port. To enable normal mode, use the interface command udld port. To have IOS automatically enable UDLD normal or aggressive mode on all fiber-optic ports, use the global configuration command udld enable or udld aggressive, respectively.

Similar to BPDU Guard, if UDLD error-disables a port, you must either recover the port manually or configure error-disable recovery using the following global configuration commands:

errdisable recovery interval 30 errdisable recovery cause udld

Loop Guard is a Spanning Tree extension that places a Spanning Tree port into a loop-inconsistent state if it fails to receive BPDUs for a VLAN. Unlike UDLD aggressive mode, which disables an interface, Loop Guard blocks ports on a per-VLAN basis. You can enable Loop Guard using the interface command spanning-tree guard loop.

As with any networking technology, practice and experience are going to do more to solidify your conceptual understanding of Spanning Tree than simply studying it. Be sure to work through the exercises at the end of this chapter until you feel comfortable completing them on your own without referencing anything else.

Having your VLANs and trunks set up properly is a prerequisite for configuring or troubleshooting Spanning Tree. A VLAN must be configured on a switch before a Spanning Tree instance can exist for it. And for multiple switches to participate in Spanning Tree for a VLAN, they need to have trunks with the VLAN allowed and active.

The most common Spanning Tree mode you'll encounter is RPVST+. It goes by a variety of names, including RSTP and 802.1w. Two things that make for a rapid convergence time are what set it apart from the original PVST+: the absence of timer-based port states and the introduction of link types.

MST is useful when you have a large number of VLANs. Rather than using RPVST+, which creates a separate Spanning Tree instance for each VLAN, MST lets you map multiple VLANs to a single instance.

Be able to determine the root bridge, root ports, and designated ports for any Spanning Tree topology.Because a layer 2 loop can bring down a network, you must be able to understand what Spanning Tree will do before you configure it or add a new switch to an existing network. Experimenting is a recipe for disaster!

Understand the differences among PVST+, RPVST+, and MST.PVST+ is the original Cisco implementation of the timer-based 802.1D Spanning Tree specification. RPVST+ doesn't use timers, introduces link types, and has a faster convergence time. (R)PVST+ creates a separate Spanning Tree instance for each VLAN. MST lets you map multiple VLANs to a single MST instance, which is useful if you have a large number of VLANs.

Know how to manipulate active and allowed VLANs on a trunk.By default, all VLANs (1-4094) are allowed on a trunk. In order for a VLAN to be allowed and active on one end of a trunk, the VLAN must exist on the switch and not be shut down. If a VLAN is shut down, it will show as allowed but not active. If a VLAN is pruned or blocked, it will show as neither allowed nor active.

Be able to configure all Spanning Tree modes.Although PVST+ is deprecated, its configuration commands are similar to RPVST+, and you may still encounter PVST+ on older gear. Be able to configure (R)PVST+ and MST to customize the root bridge, root ports, and designated ports.

Understand the interactions between RPVST+ and MST.Although this is something that you're more likely to see on an exam than in real life, practicing running RPVST+ and MST concurrently in your lab will solidify your understanding of both. In particular, understand how MST simulates RPVST+.

Exercise 2.1

Configure the full-mesh topology in the following figure. Set up 802.1Q trunks among the switches. Configure VLANs 100 and 200 on each switch. Configure one switch to be the primary root for VLAN 100 and another switch to be the primary root for VLAN 200.

Figure 2.8 Physical topology for Exercise 2.1

Exercise 2.2

Configure the primary root for VLAN 100 to be the secondary root for VLAN 200.

Exercise 2.3

Configure the primary root for VLAN 200 to be the secondary root for VLAN 100.