What is STP Protection-BPDU Guard, Root Guard

Spanning Tree Protocol (STP) plays a crucial role in LAN switching. Many devices are connected to their uplink and downlink neighbours across the access, distribution and core layers, and we always recommend building redundancy into the network, whether in links, hardware or power. Redundant links are exactly what STP has to manage without creating loops.

In the previous blog we discussed the basic functionality and features of Spanning Tree. In this article we will look at STP convergence and its advanced protection features. So, let's start.

Why STP Needs Protecting

We have already covered the features that speed up port convergence after a link failure: PortFast, UplinkFast and BackboneFast. These features cut the default STP convergence time so that a port moves into the forwarding state almost immediately. The trade-off is that they do not wait for the full STP process to complete, so on their own they do not fully protect against STP loops; there is a window in which a loop can be created.

So we need additional features to protect against loops while PortFast, UplinkFast and BackboneFast are in use.

There are two main ways a loop can be created:

  1. A BPDU is lost or manipulated during a topology change, so a switch stops hearing its neighbour on a blocked port and, once the BPDU ages out, moves that port to forwarding.
  2. A switch (authorised or not) declares itself Root Bridge by advertising the lowest bridge ID, pulling the whole topology away from the intended root.

Cisco implemented three mechanisms to protect the STP topology:

  • Root Guard
  • BPDU Guard
  • Unidirectional Link Detection (UDLD)

Root Guard

Root Guard prevents an unauthorized switch from advertising itself as a Root Bridge.

With Root Guard enabled on an interface such as fa0/05, the switch will not accept a new Root Bridge learned through that interface. If a switch advertises itself as root towards this port with a superior BPDU, the port enters the root-inconsistent state, a pseudo-blocking state (effectively the listening state) in which it neither learns nor forwards, and it stays there until the superior BPDUs stop arriving.

Root Guard is a Cisco feature that keeps any unintended switch from becoming the root bridge and so preserves the stability of the network topology. It monitors the incoming BPDUs on the port and refuses to let a neighbour on that port assume the root role.

How Root Guard Works:

  • It is enabled on designated ports that must never become root ports: typically the ports on a distribution or core switch that face access switches, or any port facing a device you do not control. It is never applied on the port that leads towards the legitimate root, because that port would be blocked the moment the real root's BPDUs arrived.
  • If the port receives a superior BPDU, meaning another switch is trying to become root bridge, Root Guard takes action to protect the current root bridge.
  • When the superior BPDU is detected, the port is placed in the Root-Inconsistent state so the neighbour cannot become root, even though it advertises a lower bridge ID. The port recovers automatically, with no errdisable and no manual intervention, as soon as the superior BPDUs stop.
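The following configuration is an added example for this post, not a screenshot from the original article. It assumes a distribution switch DSW1 that is meant to be root for VLANs 1-100 and a downlink Gi1/0/10 to an access switch ASW1 that must never take over; the interface names, VLAN range and priority are illustrative.

```cisco
! DSW1: the intended root bridge. Low priority makes it win the election.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-100 priority 4096
!
! Downlink to an access switch. Root Guard only on ports facing switches
! that must never become root; never on the port towards the real root.
interface GigabitEthernet1/0/10
 description Downlink to ASW1 (must never become root)
 switchport mode trunk
 spanning-tree guard root
!
! What to expect if ASW1 is misconfigured with priority 0 (sample messages,
! wording may differ slightly by platform/release):
!   %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/10 on VLAN0010.
!   %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet1/0/10 on VLAN0010.
!
! Verification commands:
!   show spanning-tree inconsistentports
!   show spanning-tree interface GigabitEthernet1/0/10 detail
```

The `show spanning-tree inconsistentports` output lists each VLAN/port pair currently held in "Root Inconsistent". Because the port comes back by itself once the superior BPDUs stop, there is no errdisable recovery to configure for Root Guard; what you do want is a syslog or SNMP trap on the ROOTGUARD_BLOCK message, since it means either a misconfigured switch or an unauthorised one has been attached.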

 

To understand how STP redundant links converge and how the delay before forwarding is avoided, please see the earlier post, Best Guide Part 3: STP Redundant Link Convergence (PortFast, UplinkFast, BackboneFast).

BPDU Guard

Above, we discussed the PortFast feature, why it is required and how it works. On a PortFast port we need to configure one more feature, BPDU Guard.

BPDU Guard is configured on interfaces that are PortFast-enabled. As discussed, a PortFast-enabled interface connects to a host or other end device, and such an interface should never receive a BPDU.

If by mistake someone connects a switch to a PortFast port, BPDU Guard puts that interface into the errdisable state as soon as the first BPDU arrives. The port then stays down until it is bounced manually with shutdown / no shutdown, or until errdisable recovery is configured to bring it back after a timer.
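Here is an added configuration example for an access switch, written for this post rather than taken from the original screenshot. It assumes ASW1 with host ports Gi1/0/1-24 in VLAN 10; the weak setting (PortFast alone) is shown beside the corrected one (PortFast plus BPDU Guard plus errdisable recovery).

```cisco
! Weak: PortFast alone. A switch plugged into Gi1/0/1 is accepted, and because
! PortFast skips listening/learning the port is forwarding immediately.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Corrected: global default applies BPDU Guard to every PortFast port on the
! switch, so a newly added access port cannot be forgotten.
spanning-tree portfast bpduguard default
!
! Explicit per-port enable as well: this survives if someone later removes
! "spanning-tree portfast" from the interface, since it does not depend on PortFast.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Automatic recovery after 300 s, so a port tripped by a single stray BPDU
! does not need a site visit. If the switch is still there it trips again.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Sample messages when a switch is plugged into Gi1/0/1 (wording varies by release):
!   %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/1 with BPDU Guard enabled. Disabling port.
!   %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
!
! Verification commands:
!   show interfaces status err-disabled
!   show errdisable recovery
```

Do not apply PortFast or BPDU Guard on the uplink: the uplink towards the distribution switch is precisely where BPDUs are expected, and BPDU Guard there would errdisable your only path out the moment STP starts.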

Unidirectional Link Detection (UDLD)

Most communication in a switched network is bidirectional (RX and TX), and STP relies on this: switches must exchange BPDUs in both directions to build the topology. If a malfunctioning port or fibre pair carries traffic only one way (RX only or TX only) while the switch still sees the port as up, the switch keeps sending data, the neighbour's BPDUs never arrive, a port that should be blocking may unblock, and a loop can form without the switch realising it.

Unidirectional Link Detection (UDLD) periodically tests whether communication on a link is actually bidirectional.

UDLD sends ID frames out of a port and waits for the remote switch to respond with its own ID frame, which echoes back the identity it heard. If the remote switch does not respond, UDLD assumes the interface has malfunctioned and become unidirectional.

By default, UDLD sends its ID frames every 15 seconds, and it must be enabled on both sides of a link; a neighbour that is not running UDLD never answers.

UDLD can run in two modes:

  • Normal Mode – If the neighbour simply stops answering, the port is not shut down but merely flagged as being in an undetermined state and the event is logged. The port is errdisabled only when UDLD positively detects mis-wired fibre strands.
  • Aggressive Mode – If the neighbour stops answering, UDLD tries to re-establish the relationship (eight attempts) and then places the port in the errdisable state.

UDLD can be enabled globally, but the global command only affects fibre ports on the switch; copper (twisted-pair) ports must be enabled per interface.
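An added UDLD example for this post (not from the original article). It assumes a switch with a fibre uplink Te1/1/1 to CORE1 and a copper link Gi1/0/48 to DSW2; the same configuration has to exist on the far end of each link or UDLD will never see a reply.

```cisco
! Global: aggressive mode on every fibre port. Copper ports are NOT covered
! by this line, which is the mistake this example is meant to show.
udld aggressive
! Hello interval in seconds (default 15; lower values detect faster).
udld message time 15
!
! Fibre uplink: already covered by the global command, nothing to add.
interface TenGigabitEthernet1/1/1
 description Fibre uplink to CORE1 (UDLD via global command)
!
! Copper link: must be enabled explicitly per interface.
interface GigabitEthernet1/0/48
 description Copper link to DSW2
 udld port aggressive
!
! Let the port come back automatically after 300 s; if the link is still
! one-way UDLD errdisables it again, so a flapping port is your signal.
errdisable recovery cause udld
errdisable recovery interval 300
!
! Sample message on detection (wording varies by release):
!   %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/0/48, unidirectional link detected
!
! Verification and manual recovery:
!   show udld neighbors
!   show udld GigabitEthernet1/0/48
!   udld reset
```

`show udld neighbors` should list a neighbour device ID and port for every link you enabled; a port with no neighbour entry means the far end is not running UDLD, and in aggressive mode that port will be errdisabled rather than protected.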

Root Guard vs BPDU Guard vs UDLD

Root Guard

  • A Spanning Tree Protocol (STP) feature that stops any new switch from being elected as root bridge.
  • It prevents the port from becoming a root port.
  • When enabled on a port, Root Guard ensures that a neighbour on that port cannot win the root bridge election. If the port receives a superior BPDU, it is placed into the "Root-inconsistent" state and recovers automatically when the superior BPDUs stop.

BPDU Guard

  • A security feature for PortFast-enabled interfaces: such an interface connects to a host or end device and should never receive a BPDU.
  • It is configured on interfaces that are PortFast-enabled.
  • If by mistake someone connects a switch to a PortFast port, BPDU Guard puts that interface into the errdisable state.

UDLD

  • A protocol designed to detect unidirectional links: UDLD periodically tests whether communication on a link is bidirectional.
  • UDLD sends ID frames out of a port and waits for the remote switch to respond with its own ID frame. If the remote switch does not respond, UDLD assumes the interface has malfunctioned and become unidirectional.
  • UDLD operates by exchanging these frames between directly connected devices. By default it sends ID frames every 15 seconds, and it must be enabled on both sides of a link.
  • If the expected UDLD frames are not received within the timeout, the link is considered unidirectional and, in aggressive mode, the affected port is put into the err-disabled state to prevent one-way traffic.
