STP Additional Features

STP not only provides redundancy and prevents layer 2 loops but it comes jam packed with a ton of additional options that can make a network more secure and functional. Today we are going to dive into all the features that can be enabled on STP. 

Portfast- The first feature that I will be talking about is Portfast. Portfast is an STP feature that lets a port skip both transitional states, listening and learning, and go straight into forwarding as soon as the link comes up. When a PC is connected to a switch, it normally has to sit through the listening and learning phases for no real reason, because a PC cannot perform any switch-like functions. As you can tell, this is a big inconvenience for end users, and connecting and disconnecting end devices like PCs can also trigger unnecessary topology recalculations. This feature should only be used on access ports connected to end devices. If it is configured on a switch-to-switch link it can cause major layer 2 loops, because the port goes straight to forwarding without going through any of the normal STP calculation. 

BPDU Guard- BPDU guard is an STP security feature that stops BPDUs from being accepted on ports that shouldn’t be participating in the STP topology. BPDU guard is usually configured on Portfast-enabled interfaces, because Portfast is only enabled on edge ports connected to end devices. Since end devices have no business participating in the STP topology, BPDU guard is configured on the ports connected to them. This prevents a rogue switch from joining the STP topology. When BPDU guard is enabled on a port and a BPDU is received on that port, the port automatically goes into an err-disabled state. In this state the port stays down until it is manually brought back online, or until it is automatically recovered after a configured interval. 

BPDU Filter- BPDU filter is an STP security feature that stops a port from sending or receiving BPDUs. Unlike BPDU guard, which shuts down a port when it receives a BPDU, a port with BPDU filter enabled simply ignores the BPDU as if it did not exist. The port will neither send nor accept BPDUs, so it does not participate in the STP topology at all. The best practice for BPDU filter is to configure it on edge ports and never on switch-to-switch links, to prevent accidental layer 2 loops. 

Root Guard- Root guard is an STP security feature that stops any new switch entering the topology, or any existing switch in the topology, from “claiming” to be the root bridge. Root guard is enabled on designated ports and prevents them from becoming root ports when they receive superior BPDUs. With root guard enabled, no switch can advertise itself as the root bridge and actually become it, since the designated ports on the non-root switches refuse to turn into root ports. When a designated port with root guard enabled receives a superior BPDU, the port enters a “root-inconsistent” state. This is a temporary, dynamic blocking state: for as long as the superior BPDUs keep arriving, the port discards traffic. While it is discarding traffic it is still listening for BPDUs, and once the superior BPDUs stop, the port transitions from the “root-inconsistent” state back into forwarding. The result is that no switch behind that port can ever become the root bridge. 

Loop Guard- The last STP feature that I am going to talk about is Loop Guard. On media such as copper and fiber, where separate wires or strands are used for transmitting and receiving, unidirectional links are a real threat. A unidirectional link failure is when one direction goes down while the other stays alive. For example, if the transmit strand of a cable fails, the interface on one end can still receive traffic, but the interface on the other end receives nothing because the strand that would carry traffic to it is down. When a port stops receiving BPDUs in an STP topology, the switches recalculate port roles and states. This is dangerous because it can turn a blocking port into a forwarding port, causing layer 2 loops and broadcast storms. Loop guard is designed to prevent exactly this situation. When a unidirectional link failure occurs on a port with loop guard enabled, the port stops receiving BPDUs and the max age timer starts counting down. Before the max age timer expires and triggers a recalculation, loop guard moves the port into a “loop-inconsistent” state, in which the port temporarily discards traffic while continuing to listen for BPDUs. Because loop guard acts before the timer expires, the recalculation that would have unblocked the port never happens. Since the port is still listening for BPDUs, once it starts receiving them again it returns to the state it was in before, which was blocking. 
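Here is how all five features fit together on a single Cisco IOS access switch. This is an added example written for this post, not configuration from the original article; the interface names, descriptions and the 300-second recovery interval are assumptions, so substitute your own.

```cisco
! Access port to an end host: PortFast skips listening/learning, and
! BPDU guard err-disables the port if a BPDU ever arrives on it.
interface GigabitEthernet1/0/1
 description user PC (assumed name)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same thing globally: every PortFast port gets BPDU guard by default.
spanning-tree portfast bpduguard default
!
! Let BPDU-guard err-disabled ports recover on their own after 300 s
! instead of waiting for a manual "shutdown" / "no shutdown".
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Edge port where BPDUs must be neither sent nor honoured.
! Never apply bpdufilter to a switch-to-switch link.
interface GigabitEthernet1/0/2
 description isolated edge port (assumed name)
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Downstream-facing designated port: refuse superior BPDUs so nothing
! below this switch can take over as root (port goes root-inconsistent
! while the superior BPDUs keep arriving, and recovers when they stop).
interface GigabitEthernet1/0/47
 description downlink to access switch (assumed name)
 spanning-tree guard root
!
! Redundant uplink that is normally blocking: loop guard holds it in
! loop-inconsistent if BPDUs stop arriving, instead of letting max age
! expire and the port flip to forwarding. Root guard and loop guard
! cannot both be enabled on the same interface.
interface GigabitEthernet1/0/48
 description redundant uplink (assumed name)
 spanning-tree guard loop
!
! Or enable loop guard on every non-designated port in one line.
spanning-tree loopguard default
```

To check the result, `show spanning-tree inconsistentports` lists any ports currently held in the root-inconsistent or loop-inconsistent state, and `show interfaces status err-disabled` shows ports that BPDU guard has shut down.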
