Multiple-Instance Spanning Tree Protocol (MSTP)
Lab 3-11: Spanning Tree Loop Guard
Figure 3-18 Spanning Tree Loop Guard
Loop Guard provides additional protection against forwarding loops in our Layer 2 topology. A bridging loop most commonly happens when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually occurs because one of the ports of a physically redundant topology has stopped receiving STP BPDUs. In STP, switches rely on continuous reception or transmission of BPDUs, depending on the port role. Specifically, a designated port will transmit BPDUs, whereas a nondesignated port will expect to receive BPDUs.
If the switch link is up and no BPDUs are received, the switch assumes that it is safe to bring this link up, and then the port transitions to the forwarding state and begins relaying received BPDUs. If a switch is connected to the other end of the link, this effectively creates the loop condition we are discussing.
With the Loop Guard feature enabled, switches do an additional check before transitioning to the STP forwarding state. If switches stop receiving BPDUs on a nondesignated port with the Loop Guard feature enabled, the switch places the port into loop-inconsistent blocking state instead of moving through the listening, learning, and forwarding states. If a switch receives a BPDU on a port in the loop-inconsistent STP state, the port will transition through STP states in accordance with the received BPDU. As a result, recovery is automatic, and no manual intervention is necessary.
When implementing Loop Guard, you should be aware of the following implementation guidelines:
■ Loop Guard cannot be enabled simultaneously with Root Guard on the same device.
■ Loop Guard does not affect UplinkFast or BackboneFast operation.
■ Loop Guard must be enabled on point-to-point links only.
■ Loop Guard operation is not affected by the spanning tree timers.
■ Loop Guard cannot actually detect a unidirectional link.
■ Loop Guard cannot be enabled on PortFast or dynamic VLAN ports.
You configure the Loop Guard feature on a per-port basis, even though the feature is designed to block inconsistent ports on a per-VLAN basis. In other words, on a given trunk port, if BPDUs are not received for only one particular VLAN, the switch will only block that VLAN (by moving the port for that VLAN to the loop-inconsistent state).
However, in a case where we are dealing with an aggregated link between two devices, all of the links in the aggregate will transition into the inconsistent state for the particular VLAN that is no longer receiving BPDUs.
This raises the question, where do we enable the Loop Guard feature? Loop Guard should be enabled on root and alternative ports for all possible combinations of active topologies. This means that before enabling Loop Guard, we need to carefully consider all possible failover scenarios in our topology.
Task 1
Configure the switches according to Figure 3-18. The unused ports should be configured in the administratively down state:
On All Switches:
SWx(config)# interface range FastEthernet0/1-24
SWx(config-if-range)# shut
On SW1:
SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# interface range FastEthernet0/19 , FastEthernet0/21
SW1(config-if-range)# switchport trunk encapsulation dot1q
SW1(config-if-range)# switchport mode trunk
SW1(config-if-range)# no shut
On SW2:
SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# interface range FastEthernet0/19 , FastEthernet0/23
SW2(config-if-range)# switchport trunk encapsulation dot1q
SW2(config-if-range)# switchport mode trunk
SW2(config-if-range)# no shut
On SW3:
SW3(config)# interface range FastEthernet0/21 , FastEthernet0/23
SW3(config-if-range)# switchport trunk encapsulation dot1q
SW3(config-if-range)# switchport mode trunk
SW3(config-if-range)# no shut
Task 2
Configure the F0/23 interface of SW3 such that if it does not receive BPDUs from SW2’s F0/23 interface, Layer 2 loops do not occur.
If the Spanning Tree Protocol is running, why would we ever run into loops? Well, let’s think about the following scenario:
■ SW1 is configured as the root bridge, and SW2 is the backup root bridge.
■ SW3 does not receive BPDUs from SW2 due to unidirectional link failure.
■ The F0/23 interface of SW3 does not receive BPDUs from SW2. Therefore, it will transition into the spanning tree listening and learning states. When the max-age timer expires, the F0/23 interface of SW3 will transition into the forwarding state.
■ This situation creates a spanning tree loop.
The spanning tree Loop Guard feature can prevent spanning tree loops from occurring.
The blocked port (F0/23) on SW3 will transition into the loop-inconsistent state after the max-age timer expires, thus avoiding a spanning tree loop.
To demonstrate the loop, configure the switches as follows:
Note SW2 is constantly sending BPDUs.
On SW2:
SW2# show spanning-tree interface FastEthernet0/23 detail | include BPDU
BPDU: sent 227, received 0
To stop SW2’s F0/23 interface from sending BPDUs, configure spanning tree BPDU Filter:
SW2(config)# interface FastEthernet0/23
SW2(config-if)# shut
SW2(config-if)# spanning-tree bpdufilter enable
SW2(config-if)# no shut
Once the preceding command is entered, SW2 will no longer send any BPDUs out of its F0/23 interface. Let’s verify this fact:
SW2# show spanning-tree interface FastEthernet0/23 detail | include BPDU
BPDU: sent 0, received 0
SW2# show spanning-tree interface FastEthernet0/23 detail | include BPDU
BPDU: sent 0, received 0
SW2# show spanning-tree interface FastEthernet0/23 detail | include BPDU
BPDU: sent 0, received 0
Let’s test the configuration:
On SW1:
SW1# show spanning-tree vlan 1 | include Fa
Fa0/19 Desg FWD 19 128.21 P2p
Fa0/21 Desg FWD 19 128.23 P2p
On SW2:
SW2# show spanning-tree vlan 1 | include Fa0
Fa0/19 Root FWD 19 128.21 P2p
Fa0/23 Desg FWD 19 128.25 P2p
On SW3:
SW3# show spanning-tree vlan 1 | include Fa0
Fa0/21 Root FWD 19 128.21 P2p
Fa0/23 Desg FWD 19 128.23 P2p
Note We have a spanning tree loop because all ports are in the forwarding state.
Let’s remove the BPDU Filter command from the F0/23 interface of SW2:
On SW2:
SW2(config)# interface FastEthernet0/23
SW2(config-if)# no spanning bpdufilter enable
Let’s verify the configuration:
On SW3:
SW3# show spanning-tree vlan 1 | include Fa0
Fa0/21 Root FWD 19 128.21 P2p
Fa0/23 Altn BLK 19 128.23 P2p
Let’s configure spanning tree Loop Guard on SW3’s F0/23 interface and enable debug spanning-tree events:
On SW3:
SW3# debug spanning events
SW3(config)# interface FastEthernet0/23
SW3(config-if)# shut
SW3(config-if)# spanning-tree guard loop
SW3(config-if)# no shut
Let’s verify the configuration:
On SW3:
SW3# show spanning-tree vlan 1 | include Fa0
Fa0/21 Root FWD 19 128.21 P2p
Fa0/23 Altn BLK 19 128.23 P2p
Let’s configure BPDU Filter on the F0/23 interface of SW2:
On SW2:
SW2(config)# interface FastEthernet0/23
SW2(config-if)# spanning-tree bpdufilter enable
You should see the following console message on SW3 within 30 seconds:
On SW3:
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/23 on VLAN0001
Let’s verify the configuration:
On SW3:
SW3# show spanning-tree vlan 1 | include Fa0
Fa0/21 Root FWD 19 128.21 P2p
Fa0/23 Desg BKN*19 128.23 P2p *LOOP_Inc
SW3 places the F0/23 interface in a loop-inconsistent state.
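The two conditions this lab produces, a link with both ends designated and forwarding (the loop) and a port held in the loop-inconsistent state, can be checked mechanically from the show output. The following Python sketch is an added example, not part of the original lab; it assumes the Task 1 cabling (same port number on both ends of each trunk) and uses sample outputs constructed from the ones shown above.

```python
import re

# One port row of "show spanning-tree vlan 1 | include Fa0".
# The cost may be glued to the state, as in "BKN*19".
ROW = re.compile(r"^(Fa\d+/\d+)\s+(\w+)\s+([A-Z]+)\*?\s*\d+\s+\d+\.\d+\s+(.*)$")

# Assumption: Task 1 cabling, same port number on both ends of each trunk.
LINKS = [("SW1", "Fa0/19", "SW2", "Fa0/19"),
         ("SW1", "Fa0/21", "SW3", "Fa0/21"),
         ("SW2", "Fa0/23", "SW3", "Fa0/23")]

def parse_ports(output):
    """Return {port: (role, state, loop_inconsistent)} for one switch."""
    ports = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, role, state, port_type = m.groups()
            ports[port] = (role, state, "LOOP_Inc" in port_type)
    return ports

def audit(outputs):
    """outputs maps switch name to its show-command text; returns findings."""
    table = {sw: parse_ports(text) for sw, text in outputs.items()}
    findings = []
    for sw, ports in table.items():
        for port, (_, _, loop_inc) in ports.items():
            if loop_inc:
                findings.append(f"{sw} {port}: loop-inconsistent, held by Loop Guard")
    for a, pa, b, pb in LINKS:
        ends = (table.get(a, {}).get(pa), table.get(b, {}).get(pb))
        # A healthy point-to-point link has exactly one designated end.
        if all(e and e[:2] == ("Desg", "FWD") for e in ends):
            findings.append(f"{a} {pa} <-> {b} {pb}: both ends designated and forwarding")
    return findings

# Constructed samples, based on the outputs shown in this lab.
SW1 = "Fa0/19 Desg FWD 19 128.21 P2p\nFa0/21 Desg FWD 19 128.23 P2p"
SW2 = "Fa0/19 Root FWD 19 128.21 P2p\nFa0/23 Desg FWD 19 128.25 P2p"
LOOPED = {"SW1": SW1, "SW2": SW2,
          "SW3": "Fa0/21 Root FWD 19 128.21 P2p\nFa0/23 Desg FWD 19 128.23 P2p"}
GUARDED = {"SW1": SW1, "SW2": SW2,
           "SW3": "Fa0/21 Root FWD 19 128.21 P2p\nFa0/23 Desg BKN*19 128.23 P2p *LOOP_Inc"}

if __name__ == "__main__":
    for name, outputs in (("no Loop Guard", LOOPED), ("Loop Guard", GUARDED)):
        print(name, audit(outputs))
```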
Loop Guard can also be configured in the global configuration mode. Once it’s configured, the feature’s protection is applied to all interfaces on the local switch. This can be achieved by using the following command:
SWx(config)# spanning-tree loopguard default
Erase the configuration on all routers and switches and reload them before proceeding to the next lab.
Point-to-Point Protocol (PPP) is one of the most ubiquitous and arguably well-designed data-link layer protocols still in use. Originally designed for dialed and permanent point-to-point WAN links running over serial interfaces, PPP has been reused in a number of other protocols, such as PPTP, L2TP, and PPPoE. Despite its open nature and wide adoption, though, understanding of PPP operations is often superficial—an administrator usually just activates the PPP encapsulation and optionally configures authentication parameters. This chapter therefore provides a more involved insight into the workings of PPP.