STP guard<\/p>\n\n\n\n
\u9632\u6b62sudden loss of BPDUs<\/strong> \u505c\u6b62\u8655\u7406BPDU<\/strong> ………………………..<\/p>\n\n\n\n Root Guard<\/strong> \u6062\u5fa9\u6b63\u5e38\u6642 enable Root Guard display about root-inconsistent state Look for detailed reasons for inconsistencies. bpdu Guard<\/strong> \u767c\u751f\u7570\u5e38\u6642(bpdu guard\u4ecb\u9762\u6536\u5230bpdu\u6642)<\/strong> \u5c07\u6240\u6709portfast\u4ecb\u9762\u555f\u7528bpdu Guard Display the global BPDU Guard status ………………………….<\/p>\n\n\n\n \u7576blocking port\u6c92\u6536\u5230bpdu\u4e00\u76f4\u5230maxage timer\u5f8c,\u6703\u8a8d\u70ba\u6c92\u6709\u9023\u63a5\u5230stp\u8a2d\u5099,\u56e0\u6b64\u5c31\u6703\u96e2\u958bblocking status,\u4e26\u6839\u64dastp\u898f\u5247\u6703\u8f49\u8b8a\u70baforwarding status \u767c\u751f\u7570\u5e38\u6642(BPDUs go missing and link is up) \u6062\u5fa9\u6b63\u5e38\u6642(BPDUs are received on the port again and link is up) enable Loop Guard as a global default Display the Loop Guard states. …………………………………..<\/p>\n\n\n\n unidirectional link\u554f\u984c<\/strong> unidirectional link\u7684\u5371\u96aa<\/strong> UDLD\u904b\u4f5c\u539f\u7406<\/strong> \u7570\u5e38\u767c\u751f\u6642 UDLD\u6642\u9593<\/strong> UDLD\u555f\u7528\u904e\u7a0b \u8a2d\u5b9audld time intervals Reenable ports that UDLD aggressive mode has errdisabled. ………………………….<\/p>\n\n\n\n BPDU Filtering<\/strong> \u5c07\u6240\u6709portfast\u4ecb\u9762\u555f\u7528bpdu filtering Display the BPDU filter states STP guard \u9632\u6b62\u672a\u8a31\u53ef\u7684BPDU\u91cd\u8981\u6027\u3000\u7576̶ …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[34],"tags":[],"class_list":["post-958","post","type-post","status-publish","format-standard","hentry","category-cisco-layer2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=958"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/958\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u9632\u6b62\u672a\u8a31\u53ef\u7684BPDU<\/strong>
\u91cd\u8981\u6027
\u3000\u7576”foreign or rogue” switch(\u672a\u7d93\u6388\u6b0a\u7684\u4ea4\u63db\u8a2d\u5099) is connected to the STP network
\u3000\u8a72switch\u53ef\u80fd\u6703\u8b8a\u6210root bridge,\u800c\u9020\u6210\u672a\u9810\u671f\u7684stp\u62d3\u6a38,\u4f7f\u7db2\u8def\u767c\u751f\u8b8a\u52d5
\u907f\u514d\u65b9\u6cd5\u4e3b\u8981\u6709\u4ee5\u4e0b\u5169\u7a2e:
\u3000Root Guard
\u3000BPDU Guard<\/p>\n\n\n\n
\u91cd\u8981\u6027:\u6c92\u6709BPDU\u53ef\u80fd\u6703\u8b93\u8f49\u8b8aport\u72c0\u614b\u6642\u8aa4\u5224,\u800c\u5f62\u6210LOOP
\u907f\u514d\u65b9\u6cd5\u6709\u4ee5\u4e0b\u5169\u7a2e:
\u3000LOOP GUARD
\u3000UDLD<\/p>\n\n\n\n
\u65b9\u6cd5\u70babpdu filtering<\/p>\n\n\n\n
\u4e0d\u5141\u8a31designated port\u51fa\u73fe\u65b0\u7684root bridge
If another switch advertises a superior BPDU, or one with a better bridge ID on “Root Guard port”
the local switch will \u8996\u70ba\u7570\u5e38<\/p>\n\n\n\n
\u767c\u73fe\u7570\u5e38\u6642
\u7576\u67d0\u500bdesignated port\u767c\u73feswitch\u8b8a\u6210root bridge,\u4f5c\u696d\u5982\u4e0b
1. the port that receive superior BPDU will be kept in the root-inconsistent STP state<\/strong>
2. No data can be sent or received<\/strong> in that state, but the switch can listen<\/strong> to BPDUs received on the port to detect a new root advertising itself
\u7576\u767c\u751f\u7570\u5e38\u6642,log\u5927\u81f4\u5982\u4e0b
%SPANTREE-2-ROOTGUARDBLOCK: Port 1\/1 tried to become non-designated in VLAN 2. Moved to root-inconsistent state
ps:
Root Guard affects the entire port<\/strong> so that a root bridge never can be allowed on any VLAN on the port.
When a superior BPDU is heard on the port, the entire port, in effect, becomes blocked<\/strong><\/p>\n\n\n\n
When the superior BPDUs no longer are received, the port is cycled through the normal STP states to return to normal use
ps:\u9810\u8a2d3\u500bhello-timer\u5468\u671f(6\u79d2)\u6c92\u5728\u6536\u5230\u5247\u6062\u5fa9<\/p>\n\n\n\n
Switch(config-if)# spanning-tree guard root<\/strong>
by default, it is disabled on all switch ports
\u5efa\u8b70\u4f7f\u7528\u7684\u4ecb\u9762:never expect to find the root bridge for a VLAN<\/p>\n\n\n\n
# show spanning-tree inconsistentports<\/strong><\/p>\n\n\n\n
# show spanning-tree interface < interface > [detail]<\/strong><\/p>\n\n\n\n
……………….<\/p>\n\n\n\n
\u9632\u6b62portfast\u4ecb\u9762\u4e0b\u6536\u5230bpdu
ps:
\u5728portfast\u4ecb\u9762\u4e0b\u4e00\u822c\u90fd\u662f\u63a5\u5de5\u4f5c\u7ad9,\u6b63\u5e38\u60c5\u6cc1\u4e0b\u4e0d\u6703\u6536\u5230\u4efb\u4f55bpdu<\/p>\n\n\n\n
Suppose that a switch is connected by mistake to a port where PortFast is enabled.
\u53ef\u80fd\u7684\u5371\u5bb3\u6709\u4ee5\u4e0b
1. Now there is a potential for a bridging loop to form<\/strong>.
2. the newly connected device to advertise itself and become the new root bridge<\/strong><\/p>\n\n\n\n
If any BPDU<\/strong> received on a port where BPDU Guard is enabled, that port immediately is put into the errdisable state<\/strong>
ps:
\u6062\u5fa9\u6b63\u5e38\u6642
bpdu guard\u4ecb\u9762\u4e0d\u518d\u6536\u5230bpdu\u6642,the port still remains in the errdisable state<\/p>\n\n\n\n
\u53ef\u9694\u96e2loop\u554f\u984c,\u4f46\u8ff4\u5708\u4ecd\u5728<\/strong>
Naturally, BPDU Guard does not prevent a bridging loop<\/strong> from forming if an Ethernet hub
is connected to the PortFast port. This is because a hub doesn’t transmit BPDUs itself
ps:
a loop can be detected only in a finite amount of time-the length of time required to move the port through the normal STP state<\/p>\n\n\n\n
Switch(config)# spanning-tree portfast bpduguard default<\/strong>
By default, BPDU Guard is disabled
\u5efa\u8b70\u5728\u6240\u6709STP PortFast\u4ecb\u9762\u555f\u7528
never should enable BPDU Guard on any switch uplink where the root bridge is located
ps:
enable bpdu Guard on a per-port basis
Switch(config-if)# [no] spanning-tree bpduguard enable<\/strong><\/p>\n\n\n\n
# show spanning-tree summary [total]<\/strong><\/p>\n\n\n\n
Loop Guard<\/strong>
keeps track of the BPDU activity on nondesignated ports(\u907f\u514dBloack Port\u6210\u70baForwarding status\u800c\u5c0e\u81f4Loop)
\u53ea\u904b\u4f5c\u5728nondesignated role(root port,block port)<\/p>\n\n\n\n
\u7576\u9023\u63a5\u8a2d\u5099\u70ba
\u3000\u958b\u6a5f\u7684pc:\u53ef\u6b63\u5e38\u50b3\u9001\u6d41\u91cf\u3000
\u3000\u672a\u50b3\u9001bpdu\u4e4bswitch:\u53ef\u50b3\u8f38\u6d41\u91cf\u56e0\u6b64\u5f62\u6210loop<\/p>\n\n\n\n
Loop Guard moves the port into the loop-inconsistent state<\/strong>
The port is effectively blocking<\/strong> at this point to prevent a loop from forming and to keep it in the nondesignated role
ps: blocking action is taken on a per-VLAN basis ,so Loop Guard doesn’t block the entire port<\/strong><\/p>\n\n\n\n
Loop Guard allows the port to move through the normal STP states<\/strong> and become active<\/p>\n\n\n\n
Switch(config)# spanning-tree loopguard default<\/strong>
ps:
enable Loop Guard on a specific switch port
Switch(config-if)# [no] spanning-tree guard loop<\/strong>
By default, Loop Guard is disabled
ps:
(config-if)#switch mode trunk\u4e0d\u6703\u5e72\u64feloop guard
ps:
Access ports\u4e0d\u6703\u6536\u5230BPDUs,\u82e5LoopGuard\u8a2d\u5728access ports,\u5247\u6703\u4e00\u76f4\u4fdd\u6301Loop Inconsistent mode\u4e26block the port<\/p>\n\n\n\n
# show spanning-tree summary<\/strong><\/p>\n\n\n\n
UDLD(Unidirectional Link Detection)<\/strong>
interactively monitors a port to see whether the link is truly bidirectional<\/strong>
ps:It is recommended that it be used with the “loop guard” feature<\/p>\n\n\n\n
if just one side of the link (receive or transmit) had an odd failure, such as malfunctioning transmit circuitry in a GBIC or SFP modules?
In some cases, the two switches still might see a functional bidirectional link, although traffic actually would be delivered in only one direction. This is known as a unidirectional link
ex:switch1\u53ef\u628apacket\u50b3\u7d66neighbor switch2,\u4f46switch2\u50b3\u7684packet\u7121\u6cd5\u88abswitch1\u6536\u5230
ps:
Twisted-pair or copper media does not suffer from the physical layer conditions that allow a unidirectional link to form
ps:
\u6b64\u60c5\u6cc1\u767c\u751f\u6642,\u5728\u5169\u908a\u4f7f\u7528show cdp\u6703\u767c\u73fe,\u53ea\u6709\u4e00\u908a\u770b\u7684\u5230\u5c0d\u65b9<\/p>\n\n\n\n
A unidirectional link poses a potential danger to STP topologies because BPDUs will not be received on one end of the link. If that end of the link normally would be in the Blocking state, it will not be that way for long. A switch interprets the absence of BPDUs to mean that the port can be moved safely through the STP states so that traffic can be forwarded.
However, if that is done on a unidirectional link, a bridging loop forms<\/strong> and the switch never realizes the mistake<\/p>\n\n\n\n
1
A switch sends special Layer 2 UDLD frames<\/strong> identifying its switch port at regular intervals(The default is 15 sec)<\/strong>
Destination MAC\u70ba0100:0CCC:CCCC
2
UDLD expects the far-end switch to echo those frames back across the same link, with the far-end switch port’s identification added
3
\u6b63\u5e38\u60c5\u6cc1\u4e0b
If a UDLD frame is received in return and both neighboring ports are identified in the frame, the link must be bidirectional<\/p>\n\n\n\n
if the echoed frames are not seen, the link must be unidirectional for some reason
UDLD\u6839\u64da\u4e0d\u540cmode\u6709\u4e0d\u540c\u505a\u6cd5
Normal mode :<\/strong>
the port is allowed to continue its operation.
UDLD merely marks the port as having an undetermined state and generates a syslog message<\/strong>
aggressive mode(recommended)<\/strong>
the switch takes action to reestablish the link.
UDLD messages are sent out once a second for 8 seconds.<\/strong>
If none of those messages is echoed back, the port is placed in the Errdisable state<\/strong> so that it cannot be used<\/p>\n\n\n\n
\u9700\u5728blocked port into the Forwarding state\u4e4b\u524d\u6aa2\u6e2c\u5230unidirectional link condition
ps:
the target time must < “the Max Age timer + two intervals of the Forward Delay timer”, ( default is 50 seconds)
\u6aa2\u6e2cunidirectional link\u6642\u9593\u4e0d\u8d85\u904e 3 times the UDLD message<\/strong> interval (default 45sec total).<\/p>\n\n\n\n
1
UDLD has no record of any neighbor on the link.
It starts sending out messages,
2
case1:the neighboring switch also support UDLD<\/strong>
a neighboring switch will hear them and echo them back
case2:the neighboring switch does not yet have UDLD enabled<\/strong>
UDLD will
\u30001. keep trying (indefinitely) to detect a neighbor
\u30002. not disable the link
After the neighbor has UDLD configured also,
a neighboring switch will hear them and echo them back
3
both switches become aware of each other and the bidirectional state of the link through their UDLD message exchanges
if messages are not echoed, the link can accurately be labeled as unidirectional
ps:
This becomes important in an EtherChannel:
If one link within the channel becomes unidirectional, UDLD flags or disables only the offending link in the bundle,not the entire EtherChannel. UDLD sends and echoes its messages on each link within an EtherChannel channel independently<\/p>\n\n\n\n
\u4ee5global\u8a2d\u5b9audld\u4f5c\u696d\u6a21\u5f0f
(config)# udld < enable | aggressive><\/strong>
By default,UDLD is disabled on all switch ports
enables UDLD only on ports that use fiber-optic media<\/strong>
\u5404\u53c3\u6578\u8aaa\u660e\u5982\u4e0b
enable<\/strong>: \u9810\u8a2d,\u4f7f\u7528normal mode
aggressive<\/strong>: \u4f7f\u7528aggressive mode
ps:
\u4ee5port\u8a2d\u5b9audld\u4f5c\u696d\u6a21\u5f0f
(config-if)# udld < enable | aggressive | disable><\/strong>
disable\u662f\u95dc\u9589\u9019\u500bport\u7684udld
ps:
\u5efa\u8b70\u4ee5global\u555f\u52d5\u65b9\u5f0f\u4ee3\u66ffindividual port\u555f\u52d5
ps:
UDLD\u6ce8\u610f\u4e8b\u9805
an echo process such as this requires both ends of the link to be configured for UDLD<\/strong> . Otherwise, one end of the link will not echo the frames back to the originator<\/p>\n\n\n\n
(config)# udld message time < seconds><\/strong>
seconds\u53ef\u8a2d\u7bc4\u570d\u70ba7-90\u79d2
ps:Catalyst 3550 default is 7 sec; Catalyst 4500\/6500 default is 15 seconds<\/p>\n\n\n\n
Display the UDLD status on one or all ports.
# show udld < interface><\/strong><\/p>\n\n\n\n
# udld reset<\/strong><\/p>\n\n\n\n
to prevent BPDUs from being sent or processed on one or more switch ports
disable STP on those ports
ps
Enable BPDU filtering only if the connected device cannot allow BPDUs to be accepted or sent. Otherwise, you should permit STP to operate on the switch ports as a precaution.<\/p>\n\n\n\n
(config)# spanning-tree portfast bpdufilter < default | enable ><\/strong>
default:\u7576portfast\u4ecb\u9762\u6536\u5230bpdu\u6642,\u8a72\u4ecb\u9762portfast\u6703\u88ab\u95dc\u9589\u4e26enable stp
If PortFast is disabled on a port, then BPDU filtering will not be enabled there
By default, BPDU filtering is disabled on all switch ports
ps:
you are absolutely sure that a switch port will have a single host connected and that a loop will be impossible
ps:
enable(or disable) bpdu filtering on a per-port basis
(config-if)# spanning-tree bpdufilter < enable | disable><\/strong><\/p>\n\n\n\n
# show spanning-tree summary [ total]<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"