With modern campus designs (switch stacking, VSF, IRF, routed access) you often no longer need spanning tree between your own switches. But how do you protect the access area against spanning tree BPDUs and loops coming from external devices?
The classic scenario is the cleaner who plugs a loose cable into the switch because it is in the way. ArubaOS switches have good answers to this and similar scenarios and protect your network from unwanted loops and foreign spanning tree BPDUs.
Protect from Spanning Tree and Loops: Loop Protection
The first and easiest one is loop protection. It protects against unwanted loops in the access area, e.g. someone connecting both ends of a cable to the same switch. Loop protection sends control packets out of every port on which it is enabled. For this to work the port must have an untagged VLAN; if no untagged VLAN is configured on the port, no control packets are sent. If one of these control packets comes back into the switch, a loop is detected, and the switch can shut down the port to avoid network problems.
You configure loop protection on a per-port basis:
switch2(config)# loop-protect 9
This command enables loop protection for port 9. You can check this with this command:
switch2(config)# show loop-protect

 Status and Counters - Loop Protection Information

  Transmit Interval (sec)    : 1
  Port Disable Timer (sec)   : 100
  Loop Detected Trap         : Disabled
  Loop Protect Mode          : Port
  Loop Protect Enabled VLANs :

       Loop    Loop     Detected  Loop   Time Since   Rx            Port
  Port Protect Detected on VLAN   Count  Last Loop    Action        Status
  ---- ------- -------- --------- ------ ------------ ------------- --------
  8    Yes     Yes      NA        1      1d,1h,27...  send-disable  Down
  9    Yes     No       NA        0                   send-disable  Up
This command also shows the "Time Since Last Loop". The default receiver action is to disable the port that sent the control packet. You can change this to do nothing, or to disable both the sending and the receiving port:
switch2(config)# loop-protect 9 receiver-action
 send-disable   Disable the sending port when a loop is detected. This is the default.
 no-disable     Do not disable the sending port when a loop is detected.
 send-recv-dis  Disable the sending and receiving port when a loop is detected.
You can also define how long the port stays disabled:
switch2(config)# loop-protect disable-timer
 <0-604800>  Enter a number.
A value of 0 disables the port permanently, until you re-enable it manually. Any other value disables the port for that many seconds.
You can also tune the interval at which control packets are sent. The default is 5 seconds; you can narrow it down to 1 second or slow it down to 10 seconds:
switch2(config)# loop-protect transmit-interval
 <1-10>  Enter a number.
For monitoring purposes, you can have the switch send an SNMP trap when a loop is detected:
switch2(config)# loop-protect trap loop-detected
The show command above displays the values currently set on my test switch (transmit interval 1 s, disable timer 100 s), not the defaults. Adjust them to your environment.
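The "show loop-protect" output is what you look at after a loop has been reported, so here is an added example (not code from the original post) that parses that output and turns it into a report: which ports have tripped, whether they will come back on their own because a disable timer is set, and which ones still need a manual "interface <port> enable". The dump is constructed from the output above; the extra port 10 with "no-disable" is an assumption added to show the one case where a detected loop is left running.

```python
# Added example, not code from the original post: parse "show loop-protect"
# and classify the ports. Sample dump constructed from the output shown in
# the post; port 10 (receiver-action no-disable) is an assumed addition.

SAMPLE_LOOP = """\
 Status and Counters - Loop Protection Information

  Transmit Interval (sec) : 1
  Port Disable Timer (sec) : 100
  Loop Detected Trap : Disabled
  Loop Protect Mode : Port
  Loop Protect Enabled VLANs :

       Loop    Loop     Detected  Loop   Time Since   Rx           Port
  Port Protect Detected on VLAN   Count  Last Loop    Action       Status
  ---- ------- -------- --------- ------ ------------ ------------ --------
  8    Yes     Yes      NA        1      1d,1h,27...  send-disable Down
  9    Yes     No       NA        0                   send-disable Up
  10   Yes     Yes      NA        3      0d,0h,2...   no-disable   Up
"""


def parse_show_loop_protect(text):
    """Return {'settings': {label: value}, 'ports': {port: row}}."""
    settings, ports = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        label, sep, value = line.partition(":")
        if sep and label.strip():
            # "Label : value" lines in the header block
            settings[label.strip()] = value.strip()
        elif len(tokens) >= 7 and tokens[1] in ("Yes", "No") and tokens[2] in ("Yes", "No"):
            # Port rows. "Time Since Last Loop" is blank when no loop was
            # ever seen, so Action and Status are taken from the row end.
            ports[tokens[0]] = {
                "enabled": tokens[1] == "Yes",
                "detected": tokens[2] == "Yes",
                "vlan": tokens[3],
                "count": int(tokens[4]),
                "since": " ".join(tokens[5:-2]) or None,
                "action": tokens[-2],
                "status": tokens[-1],
            }
    return {"settings": settings, "ports": ports}


def loop_report(text):
    """Classify the ports and list the commands an operator must run by hand."""
    parsed = parse_show_loop_protect(text)
    timer = int(parsed["settings"].get("Port Disable Timer (sec)", "0"))
    report = {
        "trap_enabled": parsed["settings"].get("Loop Detected Trap") == "Enabled",
        "looping_but_up": [],  # loop seen, port left up (no-disable): the loop is live
        "down_auto": [],       # disabled by loop protection, re-enables after `timer` s
        "down_manual": [],     # disabled by loop protection, timer is 0: stays down
        "commands": [],
    }
    for port, row in parsed["ports"].items():
        if row["status"] == "Down" and row["detected"]:
            # A Down port without a detected loop is just a port with no
            # link; only count ports that loop protection took down.
            report["down_auto" if timer > 0 else "down_manual"].append(port)
        elif row["detected"]:
            report["looping_but_up"].append(port)
    report["commands"] = [f"interface {p} enable" for p in report["down_manual"]]
    return report


if __name__ == "__main__":
    for key, value in loop_report(SAMPLE_LOOP).items():
        print(f"{key}: {value}")
```

Ports in "looping_but_up" are the ones to look at first: the switch has seen its own control packet come back but, because of "no-disable", the loop is still forwarding traffic.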
Below is a control packet:
Which kinds of loops does this protect against?
A Loop directly on the Switch:
This is the obvious one. Someone connects both ends of the same cable to the same switch.
A Loop on a Device connected to the Switch:
This one is trickier. Let's assume someone connects an unmanaged switch or even a hub (not sure you can still buy hubs today) to the access switch and creates a loop there. Loop protection identifies this as well and blocks the port.
From the packet capture above, you can see that the destination MAC address is a multicast address. The unmanaged switch/hub therefore floods the packet to all of its ports, and through the loop the packet comes back to the access switch.
A loop between two Access Switches:
This scenario assumes you have at least two access switches that are connected to each other, and a user connects an unmanaged switch/hub to both of them.
Loop protection protects you in this scenario as well: even if there is no loop on the unmanaged switch/hub itself, the ports on the access switches are blocked. But only if both access switch ports are in the same VLAN. If the unmanaged switch/hub is in VLAN 1 on "Access Switch1" and in VLAN 100 on "Access Switch2", the loop is only detected if "Access Switch2" carries VLAN 1 or "Access Switch1" carries VLAN 100, i.e. at least one of the two VLANs, preferably both, is configured on the link between the two access switches.
The reason is that loop protection uses ordinary multicast L2 frames, which, unlike BPDUs, are VLAN-aware. BPDUs are always sent untagged on a port (not true for PVST), so for them the VLAN does not matter.
In the case of different VLANs, you should consider BPDU protection.
Protect from Spanning Tree and Loops: BPDU Filtering
Loop protection helps against loops. But what about misconfigured devices or intruders? Imagine someone connects a device to the network that also runs spanning tree and is configured to become the root bridge. Without protection against such devices, they can confuse your spanning tree topology and take your network down, effectively a denial of service.
But there is hope. With BPDU filtering you can do something about it. If you enable BPDU filtering on a port, that port drops all BPDUs, incoming and outgoing, so the port is not part of spanning tree at all. If someone tries to attack you on this port, their BPDUs are dropped as well.
To enable BPDU filtering on a per-port basis, enable spanning tree first:
switch2(config)# spanning-tree enable
Afterwards, you enable BPDU filtering:
switch2(config)# spanning-tree 9 bpdu-filter
The BPDU filter allows the port to go into a continuous forwarding mode and spanning tree will not interfere, even if the port would cause a loop to form in the network topology. If you suddenly experience high traffic load, disable the port and reconfigure the BPDU filter with the CLI command(s):
 "no spanning tree PORT_LIST bpdu-filter"
 "no spanning tree PORT_LIST pvst-filter"
Read the warning carefully, because it is important. A port with BPDU filtering enabled always stays in the forwarding state, whatever happens. If you do not think carefully about where you enable it, you can easily create a loop that spanning tree will not block.
To check the configuration use this command:
switch2(config)# show spanning-tree 9

 Multiple Spanning Tree (MST) Information

  STP Enabled        : Yes
  Force Version      : MSTP-operation
  IST Mapped VLANs   : 1-4094
  Switch MAC Address : 009c02-5dd230
  Switch Priority    : 32768
  Max Age            : 20
  Max Hops           : 20
  Forward Delay      : 15

  Topology Change Count  : 10
  Time Since Last Change : 1 secs

  CST Root MAC Address : 000b86-be8400
  CST Root Priority    : 32768
  CST Root Path Cost   : 20000
  CST Root Port        : 10

  IST Regional Root MAC Address : 009c02-5dd230
  IST Regional Root Priority    : 32768
  IST Regional Root Path Cost   : 0
  IST Remaining Hops            : 20

  Root Guard Ports        :
  Loop Guard Ports        :
  TCN Guard Ports         :
  BPDU Protected Ports    :
  BPDU Filtered Ports     : 9
  PVST Protected Ports    :
  PVST Filtered Ports     :
  Root Inconsistent Ports :
  Loop Inconsistent Ports :

                  |        Prio              | Designated             Hello
  Port Type       | Cost   rity State        | Bridge          Time PtP Edge
  ---- ---------  + ------ ---- ------------ + --------------- ---- --- ----
  9    100/1000T  | 20000  128  Forwarding   | 009c02-5dd230   2    Yes Yes
If you capture traffic on the port, you will see no BPDUs. If you send BPDUs into the port, they are dropped silently.
Protect from Spanning Tree and Loops: BPDU Protection
As opposed to BPDU filtering, BPDU protection acts on incoming BPDUs: if a BPDU is received, the port is disabled. This makes it the more secure option against misconfigured external devices or attackers trying to confuse your spanning tree, because the port goes down instead of silently continuing to forward.
To use BPDU protection, you need to enable spanning tree first, like BPDU filtering above. Afterwards, you enable BPDU protection with this command on a per-port basis:
switch2(config)# spanning-tree 9 bpdu-protection
To check the configuration, use the command below:
switch2(config)# show spanning-tree 9

 Multiple Spanning Tree (MST) Information

  STP Enabled        : Yes
  Force Version      : MSTP-operation
  IST Mapped VLANs   : 1-4094
  Switch MAC Address : 009c02-5dd230
  Switch Priority    : 32768
  Max Age            : 20
  Max Hops           : 20
  Forward Delay      : 15

  Topology Change Count  : 28
  Time Since Last Change : 12 mins

  CST Root MAC Address : 000b86-be8400
  CST Root Priority    : 32768
  CST Root Path Cost   : 20000
  CST Root Port        : 10

  IST Regional Root MAC Address : 009c02-5dd230
  IST Regional Root Priority    : 32768
  IST Regional Root Path Cost   : 0
  IST Remaining Hops            : 20

  Root Guard Ports        :
  Loop Guard Ports        :
  TCN Guard Ports         :
  BPDU Protected Ports    : 9
  BPDU Filtered Ports     :
  PVST Protected Ports    :
  PVST Filtered Ports     :
  Root Inconsistent Ports :
  Loop Inconsistent Ports :

                  |        Prio              | Designated             Hello
  Port Type       | Cost   rity State        | Bridge          Time PtP Edge
  ---- ---------  + ------ ---- ------------ + --------------- ---- --- ----
  9    100/1000T  | 20000  128  Forwarding   | 009c02-5dd230   2    Yes Yes
If you capture traffic on the port, you see the switch's own BPDUs. But if you answer them or send BPDUs into the port, the port goes into the "BpduError" state:
switch2(config)# show spanning-tree 9

 Multiple Spanning Tree (MST) Information

  STP Enabled        : Yes
  Force Version      : MSTP-operation
  IST Mapped VLANs   : 1-4094
  Switch MAC Address : 009c02-5dd230
  Switch Priority    : 32768
  Max Age            : 20
  Max Hops           : 20
  Forward Delay      : 15

  Topology Change Count  : 28
  Time Since Last Change : 19 mins

  CST Root MAC Address : 000b86-be8400
  CST Root Priority    : 32768
  CST Root Path Cost   : 20000
  CST Root Port        : 10

  IST Regional Root MAC Address : 009c02-5dd230
  IST Regional Root Priority    : 32768
  IST Regional Root Path Cost   : 0
  IST Remaining Hops            : 20

  Root Guard Ports        :
  Loop Guard Ports        :
  TCN Guard Ports         :
  BPDU Protected Ports    : 9
  BPDU Filtered Ports     :
  PVST Protected Ports    :
  PVST Filtered Ports     :
  Root Inconsistent Ports :
  Loop Inconsistent Ports :

                  |        Prio              | Designated             Hello
  Port Type       | Cost   rity State        | Bridge          Time PtP Edge
  ---- ---------  + ------ ---- ------------ + --------------- ---- --- ----
  9    100/1000T  | 20000  128  BpduError    |                 2    Yes No
A port in this state stays disabled until you re-enable it manually:
switch2(config)# interface 9 enable
To change this behavior you can set a global timeout period:
switch2(config)# spanning-tree bpdu-protection-timeout 60
The command above sets the timeout in seconds. If a port receives a BPDU, it stays in the "BpduError" state for that long and is then re-enabled automatically.
The last option is for monitoring. With the command below the switch sends a trap whenever an errant BPDU is received on a protected port:
switch2(config)# spanning-tree trap errant-bpdu
My recommendation is to use BPDU filtering on all ports to other switches, i.e. on all uplinks, and BPDU protection on all other ports. This protects you from foreign BPDUs entering your environment. This assumes that you do not rely on STP for loop protection between your switches because you use technologies like VSF or IRF. If you do run STP between your switches, do not enable BPDU filtering on the uplinks, since that would take those links out of the spanning tree.
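To check a switch against that recommendation without reading through every port by hand, here is an added example (not code from the original post) that parses the "show spanning-tree" output from the two sections above and audits it: BPDU filtering must be present only on the ports you declare as uplinks, every other port must have BPDU protection, and any port sitting in BpduError is reported. The dump is constructed from the output shown above; ports 10 to 15 and their settings are assumptions, and the generated fix commands are the ones used in this post.

```python
# Added example, not code from the original post: audit "show spanning-tree"
# output against the policy "bpdu-filter on uplinks only, bpdu-protection
# on every other port". Sample dump constructed from the output in the
# post; ports 10-15 and their settings are assumed.
import re

PORT_LIST_FIELDS = {"BPDU Protected Ports": "protected", "BPDU Filtered Ports": "filtered"}
# Port table row: "<port> <type> | <cost> <prio> <state> | ..."
ROW_RE = re.compile(r"^\s*(\S+)\s+\S+\s+\|\s+\d+\s+\d+\s+(\S+)\s*\|")

SAMPLE_STP = """\
 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : MSTP-operation
  CST Root Port : 10

  Root Guard Ports        :
  Loop Guard Ports        :
  TCN Guard Ports         :
  BPDU Protected Ports    : 9,12-14
  BPDU Filtered Ports     : 10-11
  PVST Protected Ports    :
  PVST Filtered Ports     :
  Root Inconsistent Ports :
  Loop Inconsistent Ports :

                  |        Prio              | Designated             Hello
  Port Type       | Cost   rity State        | Bridge          Time PtP Edge
  ---- ---------  + ------ ---- ------------ + --------------- ---- --- ----
  9    100/1000T  | 20000  128  BpduError    |                 2    Yes No
  10   100/1000T  | 20000  128  Forwarding   | 000b86-be8400   2    Yes No
  11   100/1000T  | 20000  128  Forwarding   | 009c02-5dd230   2    Yes Yes
  12   100/1000T  | 20000  128  Forwarding   | 009c02-5dd230   2    Yes Yes
  15   100/1000T  | 20000  128  Forwarding   | 009c02-5dd230   2    Yes Yes
"""


def _port_key(port):
    # Sort numeric port names numerically, anything else (e.g. "A1") after them.
    return (0, int(port)) if port.isdigit() else (1, port)


def parse_port_list(text):
    """Expand an ArubaOS port list such as '9,12-14' into a set of port
    names. Numeric ranges are expanded; other tokens are kept verbatim."""
    ports = set()
    for token in (t.strip() for t in text.split(",")):
        if not token:
            continue
        lo, sep, hi = token.partition("-")
        if sep and lo.isdigit() and hi.isdigit():
            ports.update(str(n) for n in range(int(lo), int(hi) + 1))
        else:
            ports.add(token)
    return ports


def parse_show_spanning_tree(text):
    """Return the protected/filtered port sets and the per-port STP state."""
    result = {"protected": set(), "filtered": set(), "states": {}}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in PORT_LIST_FIELDS:
            result[PORT_LIST_FIELDS[label.strip()]] = parse_port_list(value)
            continue
        m = ROW_RE.match(line)
        if m:
            result["states"][m.group(1)] = m.group(2)
    return result


def audit_bpdu_policy(text, uplinks):
    """Compare the dump with the policy. Access ports get concrete fix
    commands; uplinks are only reported, because enabling bpdu-filter on
    an uplink is a design decision (no STP between switches), not a fix."""
    st = parse_show_spanning_tree(text)
    uplinks = set(uplinks)
    access = set(st["states"]) - uplinks
    raw = {
        "bpdu_error": [p for p, s in st["states"].items() if s == "BpduError"],
        "filter_on_access": access & st["filtered"],
        "unguarded_access": access - st["protected"] - st["filtered"],
        "protection_on_uplink": uplinks & st["protected"],
        "unfiltered_uplink": uplinks - st["filtered"],
    }
    findings = {k: sorted(v, key=_port_key) for k, v in raw.items()}
    fix = []
    for p in findings["filter_on_access"]:
        fix += [f"no spanning-tree {p} bpdu-filter", f"spanning-tree {p} bpdu-protection"]
    for p in findings["unguarded_access"]:
        fix.append(f"spanning-tree {p} bpdu-protection")
    for p in findings["protection_on_uplink"]:
        fix.append(f"no spanning-tree {p} bpdu-protection")
    findings["fix"] = fix
    return findings


if __name__ == "__main__":
    for key, value in audit_bpdu_policy(SAMPLE_STP, uplinks=["10"]).items():
        print(f"{key}: {value}")
```

The uplink list is passed in explicitly on purpose: the switch cannot tell a deliberate uplink from a user port, and that is exactly the decision the recommendation above hinges on.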
Do you use STP in your environment? Why, or why not? Tell me in the comment section below.
If you find this post interesting, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and share it with your enemy. But whatever you do, leave me a comment, now.
Hello!
In my company, we do not use STP and Loop Protection, but at clients I always enable it, because I do not have control of possible configuration errors or added new devices.