With modern architectures and campus designs, you do not need spanning tree anymore. But how can you protect against spanning tree BPDUs and loops in the access area, e.g. from external devices?

The classical scenario is the cleaner plugging a loose cable into the switch because it is in his way. ArubaOS switches have some good answers to this and other scenarios and protect your network from unwanted loops and spanning tree BPDUs.

Protect from Spanning Tree and Loops: Loop Protection

The first and easiest one is loop protection. This feature protects from unwanted loops in the access area, e.g. someone connects a cable twice to the same switch. Loop protection uses control packets and sends them out on all ports with loop protection enabled. To do this, the port must have an untagged VLAN; if no untagged VLAN is configured for the port, no control packets are sent. If the switch sees such a packet coming back on another port, a loop is detected. The switch can then shut down the port to avoid network problems.

You configure loop protection on a per-port basis:

switch2(config)# loop-protect 9

This command enables loop protection for port 9. You can check this with this command:

switch2(config)# show loop-protect 

 Status and Counters - Loop Protection Information

  Transmit Interval (sec)     : 1           
  Port Disable Timer (sec)    : 100         
  Loop Detected Trap          : Disabled    
  Loop Protect Mode           : Port        
  Loop Protect Enabled VLANs  :             


       Loop    Loop     Detected  Loop   Time Since  Rx            Port   
  Port Protect Detected on VLAN   Count  Last Loop   Action        Status  
  ---- ------- -------- --------- ------ ----------- ------------- --------
  8    Yes     Yes      NA        1      1d,1h,27... send-disable  Down    
  9    Yes     No       NA        0                  send-disable  Up      

This command also shows the “Time Since Last Loop”. The default behavior is to disable the port that sends the control packet. You can change this to do nothing, or to disable both ports:

switch2(config)# loop-protect 9 receiver-action 
 send-disable          Disable the sending port when a loop is detected.  This is the default.
 no-disable            Do not disable the sending port when a loop is detected.
 send-recv-dis         Disable the sending and receiving port when a loop is detected.

You might also define how long the port stays in the disable mode:

switch2(config)# loop-protect disable-timer  
 <0-604800>            Enter a number.

0 disables the port forever. Any other value disables the port for that many seconds.

You can also fine tune the interval at which the control packets are sent. The default is 5 seconds. You can narrow it down to 1 second or slow it down to 10 seconds:

switch2(config)# loop-protect transmit-interval 
 <1-10>                Enter a number.

For management purposes, you can send a trap when a loop is detected:

switch2(config)# loop-protect trap loop-detected

From the show command above, you see my default values. Those can be adjusted to your environment.

Below is a control packet:

Protect from Spanning Tree and Loops – Control Packet

Which kinds of loops are now protected against?

A Loop directly on the Switch:

This is the obvious one. Someone connects the same cable twice to the same switch.

Protect from Spanning Tree and Loops – Local Loop

A Loop on a Device connected to the Switch:

This is trickier. Let’s assume someone connects a switch or even a hub (not sure if you can even buy hubs today) to the access switch and produces a loop there. Loop protection can identify this and blocks the port as well.

Protect from Spanning Tree and Loops – Remote Loop

From the packet snippet above, you can see that the destination MAC address is a multicast address. Therefore the unmanaged switch/hub forwards the packet on all ports, and with the help of the loop the packet comes back to the access switch.

A loop between two Access Switches:

This scenario assumes you have at least two access switches that are connected to each other. A user connects an unmanaged switch/hub to both of the switches.

Protect from Spanning Tree and Loops – Between Two Access Switches

Loop protection protects you in this scenario as well. Even if the loop on the unmanaged switch/hub is not present, the ports on the access switches are blocked. But only if both access switches have the same VLANs. If the unmanaged switch/hub is in VLAN 1 on “Access Switch1” and in VLAN 100 on “Access Switch2”, the loop is only detected if “Access Switch2” knows VLAN 1 or “Access Switch1” knows VLAN 100. One of the VLANs, preferably both, has to be configured on the link between the two access switches.

The reason is that loop protection works with normal multicast L2 frames. As opposed to BPDUs, those frames are VLAN aware. BPDUs are always sent untagged on the port (not true for PVST) and therefore the VLAN does not matter.

In case of different VLANs, you should consider BPDU protection.

Protect from Spanning Tree and Loops: BPDU Filtering

Loop protection helps to protect against loops. But what about misconfigured devices or intruders? Imagine someone connects a device to the network which is running spanning tree as well, and this device is configured to be the root bridge. If you do not have some kind of protection against such devices, they can get you into trouble by confusing your spanning tree. This could be a denial of service attack to bring you down.

But there is hope. With BPDU filtering you can do something about it. If you enable BPDU filtering on a port, this port drops all BPDUs (incoming and outgoing). This means the port is not part of spanning tree at all. And if someone tries to attack you on this port, all BPDUs are dropped as well. No chance for bad people.

To enable BPDU filtering on a per-port basis, you enable spanning tree first:

switch2(config)# spanning-tree enable

Afterwards, you enable BPDU filtering:

switch2(config)# spanning-tree 9 bpdu-filter 
The BPDU filter allows the port to go into a continuous
forwarding mode and spanning tree will not interfere, even if
the port would cause a loop to form in the network topology.
If you suddenly experience high traffic load, disable the port
and reconfigure the BPDU filter with the CLI command(s):
"no spanning tree PORT_LIST bpdu-filter"
"no spanning tree PORT_LIST pvst-filter"

Read the warning carefully, because this is important. A port with BPDU filtering enabled will always forward traffic and always stays in the forwarding state. If you do not think carefully about what you are doing, you can create loops easily.

To check the configuration use this command:

switch2(config)# show spanning-tree 9               

 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 009c02-5dd230
  Switch Priority    : 32768
  Max Age  : 20
  Max Hops : 20   
  Forward Delay : 15

  Topology Change Count  : 10          
  Time Since Last Change : 1 secs      

  CST Root MAC Address : 000b86-be8400
  CST Root Priority    : 32768       
  CST Root Path Cost   : 20000       
  CST Root Port        : 10                 

  IST Regional Root MAC Address : 009c02-5dd230
  IST Regional Root Priority    : 32768       
  IST Regional Root Path Cost   : 0           
  IST Remaining Hops            : 20          

  Root Guard Ports     : 
  Loop Guard Ports     : 
  TCN Guard Ports      : 
  BPDU Protected Ports :                                        
  BPDU Filtered Ports  : 9                                        
  PVST Protected Ports :                                         
  PVST Filtered Ports  :                                         

  Root Inconsistent Ports  :             
  Loop Inconsistent Ports  :             

                 |           Prio              | Designated    Hello         
  Port Type      | Cost      rity State        | Bridge        Time PtP Edge
  ---- --------- + --------- ---- ------------ + ------------- ---- --- ----
  9    100/1000T | 20000     128  Forwarding   | 009c02-5dd230 2    Yes Yes 

If you do a trace on the port, you will see no BPDUs. If you send BPDUs to the port, they are dropped without notice.

Protect from Spanning Tree and Loops: BPDU Protection

As opposed to BPDU filtering, BPDU protection protects against incoming BPDUs. If a BPDU is received, the port is disabled. This makes it the more secure option to protect against external misconfigured devices or bad people trying to confuse your spanning tree.

To use BPDU protection, you need to enable spanning tree first, as for BPDU filtering above. Afterwards, you enable BPDU protection with this command on a per-port basis:

switch2(config)# spanning-tree 9 bpdu-protection

To check the configuration, use the command below:

switch2(config)# show spanning-tree 9

 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 009c02-5dd230
  Switch Priority    : 32768
  Max Age  : 20
  Max Hops : 20   
  Forward Delay : 15

  Topology Change Count  : 28          
  Time Since Last Change : 12 mins     

  CST Root MAC Address : 000b86-be8400
  CST Root Priority    : 32768       
  CST Root Path Cost   : 20000       
  CST Root Port        : 10                 

  IST Regional Root MAC Address : 009c02-5dd230
  IST Regional Root Priority    : 32768       
  IST Regional Root Path Cost   : 0           
  IST Remaining Hops            : 20          

  Root Guard Ports     : 
  Loop Guard Ports     : 
  TCN Guard Ports      : 
  BPDU Protected Ports : 9                                       
  BPDU Filtered Ports  :                                         
  PVST Protected Ports :                                         
  PVST Filtered Ports  :                                         

  Root Inconsistent Ports  :             
  Loop Inconsistent Ports  :             

                 |           Prio              | Designated    Hello         
  Port Type      | Cost      rity State        | Bridge        Time PtP Edge
  ---- --------- + --------- ---- ------------ + ------------- ---- --- ----
  9    100/1000T | 20000     128  Forwarding   | 009c02-5dd230 2    Yes Yes

If you trace the port, you see a lot of STP messages. But if you answer them or send BPDUs, the port goes into the “BPDU Error” state:

switch2(config)# show spanning-tree 9

 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 009c02-5dd230
  Switch Priority    : 32768
  Max Age  : 20
  Max Hops : 20   
  Forward Delay : 15

  Topology Change Count  : 28          
  Time Since Last Change : 19 mins     

  CST Root MAC Address : 000b86-be8400
  CST Root Priority    : 32768       
  CST Root Path Cost   : 20000       
  CST Root Port        : 10                 

  IST Regional Root MAC Address : 009c02-5dd230
  IST Regional Root Priority    : 32768       
  IST Regional Root Path Cost   : 0           
  IST Remaining Hops            : 20          

  Root Guard Ports     : 
  Loop Guard Ports     : 
  TCN Guard Ports      : 
  BPDU Protected Ports : 9                                       
  BPDU Filtered Ports  :                                         
  PVST Protected Ports :                                         
  PVST Filtered Ports  :                                         

  Root Inconsistent Ports  :             
  Loop Inconsistent Ports  :             

                 |           Prio              | Designated    Hello         
  Port Type      | Cost      rity State        | Bridge        Time PtP Edge
  ---- --------- + --------- ---- ------------ + ------------- ---- --- ----
  9    100/1000T | 20000     128  BpduError    |               2    Yes No  

Any port in this state stays disabled forever, or until you enable the port manually:

switch2(config)# interface 9 enable

To change this behavior you can set a global timeout period:

switch2(config)# spanning-tree bpdu-protection-timeout 60

The command above sets the timeout for the port. If the port receives a BPDU, the port is put into the “BpduError” state for the timeout period. Afterwards, the port is enabled again.

The last option is for monitoring. With the command below you tell the switch to send a trap upon receiving a BPDU:

switch2(config)# spanning-tree trap errant-bpdu
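As an added example (not code from the original post), here is a small Python script that parses the “show loop-protect” port table and the “show spanning-tree” port table shown above and lists the ports that loop protection or BPDU protection has shut down, so the result can be fed into monitoring. The sample output is constructed from the tables in this post; the column positions are assumed from those tables.

```python
# Constructed sample, modelled on the "show loop-protect" table in this post.
LOOP_PROTECT_OUTPUT = """\
  Port Protect Detected on VLAN   Count  Last Loop   Action        Status
  ---- ------- -------- --------- ------ ----------- ------------- --------
  8    Yes     Yes      NA        1      1d,1h,27... send-disable  Down
  9    Yes     No       NA        0                  send-disable  Up
"""

# Constructed sample, modelled on the "show spanning-tree" port table in this post.
SPANNING_TREE_OUTPUT = """\
  BPDU Protected Ports : 9
  BPDU Filtered Ports  : 10
  ---- --------- + --------- ---- ------------ + ------------- ---- --- ----
  9    100/1000T | 20000     128  BpduError    |               2    Yes No
  10   100/1000T | 20000     128  Forwarding   | 009c02-5dd230 2    Yes Yes
"""

def parse_loop_protect(text):
    """Return {port: (loop_detected, loop_count, rx_action, status)} from the port table."""
    ports = {}
    for line in text.splitlines():
        t = line.split()
        # A data row is: port, Yes/No, Yes/No, VLAN, count, [time since], action, status.
        # The "Time Since Last Loop" column may be empty, so action/status are taken from the end.
        if len(t) >= 7 and t[1] in ("Yes", "No") and t[-1] in ("Up", "Down"):
            ports[t[0]] = (t[2] == "Yes", int(t[4]), t[-2], t[-1])
    return ports

def parse_stp_port_states(text):
    """Return {port: state} from the per-port table; the state is the 6th token of a row."""
    states = {}
    for line in text.splitlines():
        t = line.split()
        # Data rows have the "|" column separator as their third token.
        if len(t) >= 6 and t[2] == "|":
            states[t[0]] = t[5]
    return states

def ports_needing_attention(loop_text, stp_text):
    """List (port, reason) for ports that loop protection or BPDU protection shut down."""
    findings = []
    for port, (detected, count, action, status) in parse_loop_protect(loop_text).items():
        if detected or status == "Down":
            findings.append((port, f"loop detected {count}x, action {action}, port {status}"))
    for port, state in parse_stp_port_states(stp_text).items():
        if state == "BpduError":
            findings.append((port, "BPDU received on a protected port, port in BpduError"))
    return findings

if __name__ == "__main__":
    for port, reason in ports_needing_attention(LOOP_PROTECT_OUTPUT, SPANNING_TREE_OUTPUT):
        print(f"port {port}: {reason}")
```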

My recommendation is to use BPDU filter on all ports to other switches, i.e. on all uplinks, and BPDU protection on all other ports. This protects you from bad BPDUs from outside of your environment. I assume that you do not use STP in your environment for loop protection between switches, because of technologies like VSF or IRF. If you do not use such technologies but STP, do not use BPDU filter on uplinks.

Do you use STP in your environment? Why, or why not? Tell me in the comment section below.

If you find this post interesting, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and share it with your enemy. But whatever you do, leave me a comment, now.