Saturday, October 9, 2010

Spanning Tree Notes

STP root bridge election is based on the priority and MAC address fields of the Bridge ID. The device with the lowest priority value is elected the root. If there is a tie in priority, the device with the lowest MAC address is elected root. SW1, with a local priority of 1 (the configured priority of 0 plus the system ID extension, which is the VLAN number), shows "This bridge is the root". The root bridge should show the same priority and MAC address for both the Root ID and the Bridge ID, and list all interfaces as Designated (downstream facing).

Example:

#spanning-tree vlan 5 priority 0

Switch#sh spanning-tree vla 5

VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    5
             Address     0013.1a06.6580
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    5      (priority 0 sys-id-ext 5)
             Address     0013.1a06.6580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
This shows that the priority is 0 (configured) + 5 (sys-id-ext for VLAN 5) = 5

Configured priority + VLAN ID = the priority shown in the Root ID / Bridge ID
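Added example (not from the original post): a small Python parser for the "show spanning-tree vlan" output above that pulls out the Root ID and Bridge ID, checks that the displayed priority really is configured priority + sys-id-ext, and runs the election comparison (lowest priority, then lowest MAC) across several switches' views to confirm they all agree on the root. The two output excerpts are constructed for this example; the second switch's values are assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the "show spanning-tree vlan" format, assumed to
# come from two switches in VLAN 5. Built for this example, not the post's output.
SW1_OUTPUT = """\
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    5
             Address     0013.1a06.6580
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    5      (priority 0 sys-id-ext 5)
             Address     0013.1a06.6580
"""

SW2_OUTPUT = """\
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    5
             Address     0013.1a06.6580
             Cost        19
             Port        3 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     0025.4584.0080
"""


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as compared during root election.

    Field order matters: dataclass ordering compares priority before mac,
    which is exactly the STP tie-break (lowest priority, then lowest MAC).
    """
    priority: int   # 16-bit field: configured priority + sys-id-ext (VLAN)
    mac: str        # normalised 12 hex digits, so lexical order == numeric order


def normalise_mac(mac: str) -> str:
    """'0013.1a06.6580' -> '00131a066580' (lowercase, separators removed)."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def bridge_priority(configured: int, vlan: int) -> int:
    """Priority field as IOS displays it: configured priority + VLAN number."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return configured + vlan


def _extract_id(text: str, label: str) -> BridgeId:
    # Matches e.g. "Root ID    Priority    5\n             Address     0013.1a06.6580"
    m = re.search(label + r"\s+Priority\s+(\d+)[^\n]*\n\s+Address\s+([0-9a-fA-F.]+)", text)
    if not m:
        raise ValueError(f"{label} block not found")
    return BridgeId(int(m.group(1)), normalise_mac(m.group(2)))


def parse_show_spanning_tree(text: str) -> dict:
    """Parse one VLAN's 'show spanning-tree' output into Root ID / Bridge ID."""
    view = {
        "root": _extract_id(text, "Root ID"),
        "bridge": _extract_id(text, "Bridge ID"),
        "claims_root": "This bridge is the root" in text,
    }
    # Cross-check the displayed priority against "(priority X sys-id-ext Y)".
    ext = re.search(r"\(priority (\d+) sys-id-ext (\d+)\)", text)
    if ext and bridge_priority(int(ext.group(1)), int(ext.group(2))) != view["bridge"].priority:
        raise ValueError("displayed priority does not equal priority + sys-id-ext")
    return view


def elect_root(bridges: list) -> BridgeId:
    """Lowest Bridge ID wins: lowest priority, then lowest MAC on a tie."""
    return min(bridges)


def roots_agree(views: list) -> bool:
    """True when every switch's Root ID is the bridge the election picks and the
    switch claiming to be root really has Root ID == Bridge ID."""
    elected = elect_root([v["bridge"] for v in views])
    for v in views:
        if v["root"] != elected:
            return False
        if v["claims_root"] and v["bridge"] != elected:
            return False
    return True


if __name__ == "__main__":
    views = [parse_show_spanning_tree(SW1_OUTPUT), parse_show_spanning_tree(SW2_OUTPUT)]
    print("elected root:", elect_root([v["bridge"] for v in views]))
    print("all switches agree on the root:", roots_agree(views))
```

Feeding the same parser the output from every switch in a VLAN is a quick way to catch a switch whose Root ID disagrees with the rest, which is what you would see while a rogue device is advertising a better Bridge ID.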
________________

Downstream devices from the root bridge inherit the timers configured on the root. With a forward delay of 10 seconds configured on SW1 the downstream switches should take 10 seconds in each of the listening and learning phases during convergence.
________________

spanning-tree portfast default

Portfast default has the same effect as the interface-level portfast command, but it is enabled on all interfaces at the same time. This command is the equivalent of issuing the spanning-tree portfast command under an interface range that encompasses all interfaces.
________________

This is the output after enabling #spanning-tree uplinkfast

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0025.4584.0080
             Cost        3019
             Port        15 (FastEthernet0/13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
             Address     0017.5900.fe80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
  Uplinkfast enabled

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/9               Desg FWD 3019      128.11   P2p
Fa0/10              Desg LIS 3019      128.12   P2p
Fa0/11              Desg FWD 3019      128.13   P2p
Fa0/12              Desg FWD 3019      128.14   P2p
Fa0/13              Root FWD 3019      128.15   P2p
Fa0/14              Altn BLK 3019      128.16   P2p

Notice the port cost was changed from 19 to 3019 (UplinkFast adds 3000) and the bridge priority from 32769 to 49153 (49152 plus the sys-id-ext of 1).

sw2(config)#inter fa 0/13
sw2(config-if)#shut
sw2(config-if)#do sh sp    
01:04:43: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0001 FastEthernet0/14 moved to Forwarding (UplinkFast).
05:16:45: STP: VLAN0001 sent Topology Change Notice on Fa0/14

With the failure of the root port, the next alternate port is immediately transitioned to the root port in forwarding state, and the CAM table is flooded out this new root port to expedite the learning phase of upstream neighbors.
________

The STP BPDU Guard feature is used to enforce access layer security on the termination of the STP domain. When an interface running BPDU Guard receives a BPDU (STP packet), the interface is transitioned into err-disable state. This ensures that unauthorized switches cannot be plugged into the network, for example, to perform a layer 2 man-in-the-middle (MiM) attack. If configured, the errdisable recovery feature can then be used to bring the interface out of err-disable state automatically after a configured interval.
_________

The BPDU Filter feature, like the BPDU Guard feature, is used to terminate the STP domain. The difference between them is that when configured at the interface level the BPDU Filter feature drops all inbound BPDUs and does not send BPDUs out the interface. Unlike BPDU Guard, the interface does not go into err-disable when a violation occurs. Other user traffic continues to be forwarded inbound and outbound on the port.
_________

sw1(config)#spanning-tree portfast ?
  bpdufilter  Enable portfast bdpu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

sw1(config)#spanning-tree portfast
_________

Root Guard is similar to BPDU Guard in that it is used to detect STP packets and disable the interface they were received on. The difference between them is that with Root Guard the interface is only disabled (placed in root-inconsistent state) if a superior BPDU is received. A superior BPDU advertises a better cost to the root bridge than the one currently installed. Design-wise, therefore, this feature is used to prevent a rogue device from announcing itself as the new root bridge and possibly carrying out a layer 2 man-in-the-middle attack.
In the output below SW4 starts announcing superior BPDUs to SW1 by lowering its bridge priority to zero. Once SW1 receives these announcements, forwarding for VLAN 1 is disabled on the links on which these BPDUs were received.
__________

STP Loop Guard is used to prevent STP loops caused by unidirectional links. This feature is similar to Unidirectional Link Detection (UDLD), but it uses STP BPDU keepalives to determine whether a link is unidirectional.
In normal STP operation in a redundant topology some links will be designated forwarding on one end while the other end is blocking. If one of these blocking ports transitions to forwarding state erroneously, a loop can occur. Specifically, this can happen if there is a unidirectional link and the blocking port stops receiving the BPDUs that the designated port is sending. Loop Guard prevents this by transitioning the blocking port into loop-inconsistent state instead of forwarding if BPDUs stop being received from the designated port.

sw1(config-if)#spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface
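Added example (not from the original post) covering the BPDU Guard, Root Guard and Loop Guard sections above from the monitoring side: a Python triage script that reads switch syslog, picks out the guard and err-disable events, correlates them per switch port, and flags a port that keeps getting re-blocked after errdisable recovery. The log lines are constructed for this example; the %SPANTREE and %PM message wording approximates the IOS messages and is an assumption to check against your own logs.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (hostnames, timestamps, sequence numbers and
# ports are made up). The message texts approximate the IOS %SPANTREE / %PM
# messages for BPDU Guard, Root Guard, Loop Guard and err-disable recovery;
# treat the exact wording as an assumption and adjust the patterns to your logs.
SAMPLE_LOG = """\
Oct  9 10:01:12 sw1 1234: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
Oct  9 10:01:12 sw1 1235: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
Oct  9 10:03:40 sw1 1240: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/2 on VLAN0001.
Oct  9 10:05:02 sw1 1244: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/3 on VLAN0001.
Oct  9 10:06:12 sw1 1250: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/1
Oct  9 10:06:15 sw1 1251: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0001 FastEthernet0/14 moved to Forwarding (UplinkFast).
Oct  9 10:06:40 sw1 1252: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
"""

# kind -> (regex, severity, what it means for the operator)
EVENT_PATTERNS = {
    "bpduguard": (re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: .*port (\S+) with"), "HIGH",
                  "BPDU received on an access port: a switch or BPDU-emitting device is attached"),
    "rootguard": (re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK: .*port (\S+) on (VLAN\d+)"), "HIGH",
                  "superior BPDU received: a device is claiming to be the root bridge"),
    "loopguard": (re.compile(r"%SPANTREE-2-LOOPGUARD_BLOCK: .*port (\S+) on (VLAN\d+)"), "MEDIUM",
                  "BPDUs stopped arriving on a blocking port: suspect a unidirectional link"),
    "errdisable": (re.compile(r"%PM-4-ERR_DISABLE: (\w+) error detected on (\S+),"), "INFO",
                   "port placed in err-disable"),
    "recover": (re.compile(r"%PM-4-ERR_RECOVER: .*from (\w+) err-disable state on (\S+)"), "INFO",
                "errdisable recovery re-enabled the port"),
}

_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def short_port(name: str) -> str:
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to the same key."""
    for long, short in _ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_events(log: str) -> list:
    """Turn syslog lines into event dicts; lines matching no guard pattern are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        host = parts[3]                     # "Oct  9 10:01:12 sw1 1234: ..." -> sw1
        for kind, (pattern, severity, meaning) in EVENT_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groups()
            if kind in ("errdisable", "recover"):
                cause, port, vlan = groups[0], groups[1], None
            else:
                cause, port = kind, groups[0]
                vlan = groups[1] if len(groups) > 1 else None
            events.append({"host": host, "kind": kind, "cause": cause,
                           "port": short_port(port), "vlan": vlan,
                           "severity": severity, "meaning": meaning})
            break
    return events


def findings(events: list, flap_threshold: int = 2) -> dict:
    """Group events per (host, port), keep the worst severity, and flag flapping.

    A port blocked, recovered and blocked again is still connected to the
    offending device; errdisable recovery is just cycling it.
    """
    by_port = defaultdict(lambda: {"kinds": [], "severity": "INFO", "notes": []})
    rank = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
    for e in events:
        f = by_port[(e["host"], e["port"])]
        f["kinds"].append(e["kind"])
        if rank[e["severity"]] > rank[f["severity"]]:
            f["severity"] = e["severity"]
        if e["meaning"] not in f["notes"]:
            f["notes"].append(e["meaning"])
    for f in by_port.values():
        blocks = sum(1 for k in f["kinds"] if k in ("bpduguard", "rootguard", "loopguard"))
        if blocks >= flap_threshold and "recover" in f["kinds"]:
            f["notes"].append("flapping: guard re-triggered after errdisable recovery")
    return dict(by_port)


if __name__ == "__main__":
    for (host, port), f in findings(parse_events(SAMPLE_LOG)).items():
        print(f"{f['severity']:6} {host} {port}: {'; '.join(f['notes'])}")
```

The useful part is the correlation rather than the regexes: a single BPDU Guard hit on an access port is worth a look, a Root Guard hit means something is advertising a better Bridge ID, and a port that cycles through errdisable recovery and is immediately blocked again tells you the device is still plugged in.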

__________

sw1(config)#do sh spann inter f 0/1 det
 Port 3 (FastEthernet0/1) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32769, address 000c.ceab.bc80
   Designated bridge has priority 32769, address 0025.4584.0080
   Designated port id is 128.3, designated path cost 19
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 1953, received 0
____________________

UDLD, like Loop Guard, is used to prevent loops due to unidirectional links. The difference between the features is that Loop Guard uses STP BPDUs to detect these failures, while UDLD uses its own keepalive.
UDLD is a Cisco proprietary feature in which peers discover each other by exchanging frames sent to the well-known MAC address 01:00:0C:CC:CC:CC.

In "Normal" mode, if the physical state of the port (as reported by Layer 1) is still up, UDLD marks the port as "Undetermined" but does NOT shut down or disable it, and the port continues to operate under its current STP status. This mode of operation is informational and potentially less disruptive (though it does not prevent STP loops).

If UDLD is set to "Aggressive" mode, once the switch loses its neighbor it actively tries to re-establish the relationship by sending UDLD frames 8 times, once every second. If the neighbor does not respond after that, the port is considered unidirectional and is placed in err-disable state.

Thursday, October 7, 2010

Lab Notes - 10.7.10

If you are going to enable mac-notification on an interface, you must enable it globally.
interface FastEthernet0/18
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
!

snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.1.2 Private
!
mac-address-table notification change

_______________


IP Source Guard - Filters traffic on manually configured source bindings.

#ip dhcp snooping
#ip dhcp snooping vlan 2

interface fastethernet 0/2#ip verify source
=>enables source IP address filtering

#ip source binding 0000.1111.1111 vlan 2 10.1.1.1 interface fast 0/2

With those commands entered into the switch, it does not check that the source MAC address is correct; only the source IP is verified.

If you change the IP on the router interface behind the switchport that has ip verify source, the switch checks the IP DHCP snooping binding table and the manual bindings, and if there is no match the packet is dropped.

If you add the commands referenced below, the switch will check both the MAC address and the IP address.

int fa 0/2#switchport port-security
int fa 0/2#ip verify source port-security

show ip source binding
show ip verify source
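Added example (not from the original post): a Python model of the IP Source Guard checks described above, so the three behaviours (IP-only filtering with ip verify source, a dropped packet when the source IP has no binding, and IP+MAC filtering with ip verify source port-security) can be exercised against a binding table. The static binding is the one from the post; the DHCP-snooping entry, the packets and the Binding/Packet/PortPolicy types are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the IP source binding table."""
    mac: str
    ip: str
    vlan: int
    interface: str
    origin: str          # "static" (ip source binding) or "dhcp-snooping"


@dataclass(frozen=True)
class Packet:
    """The fields of an ingress frame that IP Source Guard looks at."""
    src_mac: str
    src_ip: str
    vlan: int
    interface: str       # port the frame arrived on


@dataclass(frozen=True)
class PortPolicy:
    verify_source: bool = False   # 'ip verify source' on the port
    port_security: bool = False   # 'switchport port-security' + 'ip verify source port-security'


def normalise_mac(mac: str) -> str:
    """Accept 0000.1111.1111 / 00:00:11:11:11:11 / 000011111111 forms."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


# Constructed binding table: the static binding from the post plus one
# DHCP-snooping-learned entry invented for this example.
BINDINGS = [
    Binding("0000.1111.1111", "10.1.1.1", 2, "Fa0/2", "static"),
    Binding("0000.2222.2222", "10.1.1.50", 2, "Fa0/3", "dhcp-snooping"),
]


def verify_source(pkt: Packet, policy: PortPolicy, bindings: list) -> tuple:
    """Return (permitted, reason) for one frame under the port's policy."""
    if not policy.verify_source:
        return True, "permit: ip verify source not enabled on port"
    # Only bindings for this port and VLAN count, whatever their origin.
    on_port = [b for b in bindings if b.interface == pkt.interface and b.vlan == pkt.vlan]
    ip_match = [b for b in on_port if b.ip == pkt.src_ip]
    if not ip_match:
        return False, "drop: no binding for source IP on this port/VLAN"
    if policy.port_security:
        if not any(normalise_mac(b.mac) == normalise_mac(pkt.src_mac) for b in ip_match):
            return False, "drop: source MAC does not match the binding for this IP"
        return True, "permit: source IP and MAC match binding"
    return True, "permit: source IP matches binding (MAC not checked)"


def filter_frames(frames: list, policies: dict, bindings: list) -> dict:
    """Apply per-port policies to a batch of frames; returns permit/drop counts and reasons."""
    result = {"permitted": 0, "dropped": 0, "reasons": []}
    for pkt in frames:
        ok, why = verify_source(pkt, policies.get(pkt.interface, PortPolicy()), bindings)
        result["permitted" if ok else "dropped"] += 1
        result["reasons"].append((pkt.interface, pkt.src_ip, why))
    return result


if __name__ == "__main__":
    policies = {"Fa0/2": PortPolicy(verify_source=True, port_security=True),
                "Fa0/3": PortPolicy(verify_source=True)}
    frames = [
        Packet("0000.1111.1111", "10.1.1.1", 2, "Fa0/2"),   # correct host
        Packet("0000.dead.beef", "10.1.1.1", 2, "Fa0/2"),   # spoofed MAC, right IP
        Packet("0000.1111.1111", "10.1.1.9", 2, "Fa0/2"),   # IP changed on the host
        Packet("0000.2222.2222", "10.1.1.50", 2, "Fa0/3"),  # DHCP-learned client
    ]
    for entry in filter_frames(frames, policies, BINDINGS)["reasons"]:
        print(entry)
```

The second frame is the case the post calls out: with ip verify source alone it is permitted because only the IP is checked, and it is only dropped once port-security is added to the policy.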

____________________


Learned something new, why it's new I am not sure...

If you are configuring OSPF over FR physical interfaces and you use the "neighbor" command under the OSPF process, you do not need the "broadcast" command with the FR map statements. It makes total sense, but for some reason I never thought of it.