Cisco STP Guard

STP guard


Preventing unauthorized BPDUs
Why it matters
 When a "foreign or rogue" switch (an unauthorized switching device) is connected to the STP network,
 that switch may become the root bridge, producing an unexpected STP topology and causing the network to change.
There are two main ways to prevent this:
 Root Guard
 BPDU Guard

Preventing a sudden loss of BPDUs
Why it matters: without BPDUs, a port state transition can be misjudged and a loop can form.
There are two ways to prevent this:
 LOOP GUARD
 UDLD

Stop processing BPDUs
Method: BPDU filtering

………………………..

Root Guard
Does not allow a new root bridge to appear on a designated port.
If another switch advertises a superior BPDU, or one with a better bridge ID, on a "Root Guard port",
the local switch treats it as an anomaly.


When an anomaly is detected
When a designated port detects that a switch is becoming the root bridge, the following happens:
1. The port that receives the superior BPDU is kept in the root-inconsistent STP state.
2. No data can be sent or received in that state, but the switch can still listen to BPDUs received on the port to detect a new root advertising itself.
When this happens, the log looks roughly like this:
%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 2. Moved to root-inconsistent state
Note:
Root Guard affects the entire port, so a root bridge can never be allowed on any VLAN on the port.
When a superior BPDU is heard on the port, the entire port, in effect, becomes blocked.

Returning to normal
When superior BPDUs are no longer received, the port is cycled through the normal STP states to return to normal use.
Note: by default, if no superior BPDU is received for 3 hello-timer periods (6 seconds), the port recovers.

Enable Root Guard
Switch(config-if)# spanning-tree guard root
By default, it is disabled on all switch ports.
Recommended interfaces: those where you never expect to find the root bridge for a VLAN.

Display ports in the root-inconsistent state
# show spanning-tree inconsistentports

Look for detailed reasons for inconsistencies.
# show spanning-tree interface <interface> [detail]


……………….

BPDU Guard
Prevents BPDUs from being received on PortFast interfaces.
Note:
PortFast interfaces normally connect to workstations, so under normal conditions no BPDU should ever be received there.


Suppose that a switch is connected by mistake to a port where PortFast is enabled.
The possible harms are:
1. There is now a potential for a bridging loop to form.
2. The newly connected device can advertise itself and become the new root bridge.

When an anomaly occurs (a BPDU Guard interface receives a BPDU)
If any BPDU is received on a port where BPDU Guard is enabled, that port is immediately put into the errdisable state.
Note:
Returning to normal
When the BPDU Guard interface stops receiving BPDUs, the port still remains in the errdisable state.


Isolates the loop problem, but the loop itself remains
Naturally, BPDU Guard does not prevent a bridging loop from forming if an Ethernet hub
is connected to the PortFast port, because a hub does not transmit BPDUs itself.
Note:
A loop can be detected only in a finite amount of time: the length of time required to move the port through the normal STP states.

Enable BPDU Guard on all PortFast interfaces
Switch(config)# spanning-tree portfast bpduguard default
By default, BPDU Guard is disabled.
Recommended on all STP PortFast interfaces.
Never enable BPDU Guard on any switch uplink where the root bridge is located.
Note:
Enable BPDU Guard on a per-port basis
Switch(config-if)# [no] spanning-tree bpduguard enable

Display the global BPDU Guard status
# show spanning-tree summary [total]

………………………….


Loop Guard
Keeps track of the BPDU activity on nondesignated ports (prevents a blocking port from moving to the forwarding state and causing a loop).
Only operates on ports in the nondesignated role (root port, blocking port).

When a blocking port receives no BPDUs until the max age timer expires, it assumes no STP device is attached, so it leaves the blocking state and, following STP rules, transitions to the forwarding state.
Depending on the attached device:
 A powered-on PC: traffic flows normally.
 A switch that is not sending BPDUs: traffic flows and therefore a loop forms.

When an anomaly occurs (BPDUs go missing while the link is up)
Loop Guard moves the port into the loop-inconsistent state.
The port is effectively blocking at this point, to prevent a loop from forming and to keep it in the nondesignated role.
Note: the blocking action is taken on a per-VLAN basis, so Loop Guard does not block the entire port.

Returning to normal (BPDUs are received on the port again and the link is up)
Loop Guard allows the port to move through the normal STP states and become active.

Enable Loop Guard as a global default
Switch(config)# spanning-tree loopguard default
Note:
Enable Loop Guard on a specific switch port
Switch(config-if)# [no] spanning-tree guard loop
By default, Loop Guard is disabled.
Note:
(config-if)# switchport mode trunk does not interfere with Loop Guard.
Note:
Access ports do not receive BPDUs; if Loop Guard is set on access ports, they stay in loop-inconsistent mode and the port is blocked.

Display the Loop Guard states.
# show spanning-tree summary

…………………………………..


UDLD(Unidirectional Link Detection)
Interactively monitors a port to see whether the link is truly bidirectional.
Note: it is recommended that it be used together with the Loop Guard feature.

The unidirectional link problem
What if just one side of the link (receive or transmit) has an odd failure, such as malfunctioning transmit circuitry in a GBIC or SFP module?
In some cases, the two switches still might see a functional bidirectional link, although traffic actually would be delivered in only one direction. This is known as a unidirectional link.
Example: switch1 can deliver packets to its neighbor switch2, but packets sent by switch2 never reach switch1.
Note:
Twisted-pair or copper media does not suffer from the physical layer conditions that allow a unidirectional link to form.
Note:
When this happens, running show cdp on both sides reveals that only one side can see the other.

The danger of a unidirectional link
A unidirectional link poses a potential danger to STP topologies because BPDUs will not be received on one end of the link. If that end of the link normally would be in the Blocking state, it will not be that way for long. A switch interprets the absence of BPDUs to mean that the port can be moved safely through the STP states so that traffic can be forwarded.
However, if that is done on a unidirectional link, a bridging loop forms and the switch never realizes the mistake.

How UDLD works
1. A switch sends special Layer 2 UDLD frames identifying its switch port at regular intervals (the default is 15 seconds).
   The destination MAC is 0100:0CCC:CCCC.
2. UDLD expects the far-end switch to echo those frames back across the same link, with the far-end switch port's identification added.
3. Under normal conditions:
   If a UDLD frame is received in return and both neighboring ports are identified in the frame, the link must be bidirectional.

When an anomaly occurs
If the echoed frames are not seen, the link must be unidirectional for some reason.
UDLD acts differently depending on its mode:
Normal mode:
the port is allowed to continue its operation.
UDLD merely marks the port as having an undetermined state and generates a syslog message.
Aggressive mode (recommended):
the switch takes action to reestablish the link.
UDLD messages are sent out once a second for 8 seconds.
If none of those messages is echoed back, the port is placed in the errdisable state so that it cannot be used.

UDLD timing
The unidirectional link condition must be detected before a blocked port moves into the Forwarding state.
Note:
the target time must be less than "the Max Age timer + two intervals of the Forward Delay timer" (default is 50 seconds).
Detecting a unidirectional link takes no more than 3 times the UDLD message interval (default 45 seconds total).

UDLD enablement process
1. UDLD has no record of any neighbor on the link.
   It starts sending out messages.
2. Case 1: the neighboring switch also supports UDLD:
   the neighboring switch will hear them and echo them back.
   Case 2: the neighboring switch does not yet have UDLD enabled:
   UDLD will
    1. keep trying (indefinitely) to detect a neighbor
    2. not disable the link
   After the neighbor also has UDLD configured,
   the neighboring switch will hear the messages and echo them back.
3. Both switches become aware of each other and of the bidirectional state of the link through their UDLD message exchanges.
   If messages are not echoed, the link can accurately be labeled as unidirectional.
Note:
This becomes important in an EtherChannel:
If one link within the channel becomes unidirectional, UDLD flags or disables only the offending link in the bundle, not the entire EtherChannel. UDLD sends and echoes its messages on each link within an EtherChannel independently.


Set the UDLD operating mode globally
(config)# udld <enable | aggressive>
By default, UDLD is disabled on all switch ports.
This enables UDLD only on ports that use fiber-optic media.
The parameters are:
enable: the default; uses normal mode
aggressive: uses aggressive mode
Note:
Set the UDLD operating mode per port
(config-if)# udld <enable | aggressive | disable>
disable turns off UDLD on this port.
Note:
It is recommended to enable UDLD globally rather than on individual ports.
Note:
UDLD caveat
An echo process such as this requires both ends of the link to be configured for UDLD. Otherwise, one end of the link will not echo the frames back to the originator.

Set the UDLD message interval
(config)# udld message time <seconds>
seconds can range from 7 to 90 seconds.
Note: Catalyst 3550 default is 7 sec; Catalyst 4500/6500 default is 15 seconds.


Display the UDLD status on one or all ports.
# show udld <interface>

Re-enable ports that UDLD aggressive mode has errdisabled.
# udld reset

………………………….

BPDU Filtering
Prevents BPDUs from being sent or processed on one or more switch ports.
This effectively disables STP on those ports.
Note:
Enable BPDU filtering only if the connected device cannot allow BPDUs to be accepted or sent. Otherwise, you should permit STP to operate on the switch ports as a precaution.

Enable BPDU filtering on all PortFast interfaces
(config)# spanning-tree portfast bpdufilter <default | enable>
default: when a PortFast interface receives a BPDU, PortFast is disabled on that interface and STP is enabled.
If PortFast is disabled on a port, then BPDU filtering will not be enabled there.
By default, BPDU filtering is disabled on all switch ports.
Note:
Use it only when you are absolutely sure that a switch port will have a single host connected and that a loop will be impossible.
Note:
Enable (or disable) BPDU filtering on a per-port basis
(config-if)# spanning-tree bpdufilter <enable | disable>

Display the BPDU filter states
# show spanning-tree summary [total]
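The following configuration is an added example that ties together the Root Guard, BPDU Guard, Loop Guard, UDLD and BPDU filtering commands covered in these notes; it is not from the original notes or from Cisco documentation. It assumes a distribution switch whose interface names, VLAN numbers and port roles are made up for illustration.

```cisco
! Added example (not from the original notes). Assumed distribution switch:
! Gi1/0/1 uplinks toward the root bridge, Gi1/0/2-3 face access switches,
! Gi1/0/10-23 serve hosts, Gi1/0/24 serves a device documented as unable
! to handle BPDUs. Interface and VLAN numbers are assumed.
!
! Global defaults (BPDU Guard, Loop Guard, UDLD sections above)
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld aggressive
! 3 x 15 s = 45 s detection, below Max Age 20 s + 2 x Forward Delay 15 s = 50 s
udld message time 15
!
! Optional: recover errdisabled ports after 5 minutes instead of by hand
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! Uplink toward the root bridge: no Root Guard and no BPDU Guard here
interface GigabitEthernet1/0/1
 description Uplink toward root bridge
 switchport mode trunk
!
! Downlinks to access switches: a root bridge must never appear here
interface range GigabitEthernet1/0/2 - 3
 switchport mode trunk
 spanning-tree guard root
!
! Host ports: PortFast plus explicit BPDU Guard
interface range GigabitEthernet1/0/10 - 23
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Only where the attached device cannot accept or send BPDUs
interface GigabitEthernet1/0/24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
! Verification (privileged EXEC)
! show spanning-tree summary
! show spanning-tree inconsistentports
! show spanning-tree interface GigabitEthernet1/0/2 detail
! show udld GigabitEthernet1/0/1
```

The errdisable recovery lines are optional; without them a port that BPDU Guard or aggressive UDLD has errdisabled stays down until it is reset by hand, as the notes describe.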