Configuring Optional Spanning-Tree Features

Configuring Optional Spanning-Tree Features
CH A P T E R
16
Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the Cisco ME 3400 Ethernet
Access switch. You can configure all of these features when your switch is running per-VLAN
spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the
Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+)
protocol. On the Cisco ME switch, STP is supported only on network node interfaces (NNIs). User
network interfaces (UNIs) on the switch do not participate in STP and forward traffic immediately when
they are brought up.
For information on configuring the PVST+ and rapid PVST+, see Chapter 14, “Configuring STP.” For
information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the
same spanning-tree instance, see Chapter 15, “Configuring MSTP.”
Note
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.
This chapter consists of these sections:
•
Understanding Optional Spanning-Tree Features, page 16-1
•
Configuring Optional Spanning-Tree Features, page 16-5
•
Displaying the Spanning-Tree Status, page 16-10
Understanding Optional Spanning-Tree Features
These sections contain this conceptual information:
•
Understanding Port Fast, page 16-2
•
Understanding BPDU Guard, page 16-2
•
Understanding BPDU Filtering, page 16-3
•
Understanding EtherChannel Guard, page 16-3
•
Understanding Root Guard, page 16-3
•
Understanding Loop Guard, page 16-4
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-03
16-1
Chapter 16
Configuring Optional Spanning-Tree Features
Understanding Optional Spanning-Tree Features
Understanding Port Fast
Port Fast immediately brings an NNI configured as an access or trunk port to the forwarding state from
a blocking state, bypassing the listening and learning states. You can use Port Fast on NNIs connected
to a single workstation or server, as shown in Figure 16-1, to allow those devices to immediately connect
to the network, rather than waiting for the spanning tree to converge.
NNIs connected to a single workstation or server should not receive bridge protocol data units (BPDUs).
An NNI with Port Fast enabled goes through the normal cycle of spanning-tree status changes when the
switch is restarted.
Note
Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to
converge, it is effective only when used on NNIs connected to end stations. If you enable Port Fast on
an interface connecting to another switch, you risk creating a spanning-tree loop.
You can enable this feature by using the spanning-tree portfast interface configuration or the
spanning-tree portfast default global configuration command.
Figure 16-1
Port Fast-Enabled Interfaces
Server
Workstations
Workstations
101225
Port
Fast-enabled port
Port
Fast-enabled
ports
Understanding BPDU Guard
The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the
feature operates with some differences.
At the global level, you enable BPDU guard on Port Fast-enabled NNIs by using the spanning-tree
portfast bpduguard default global configuration command. Spanning tree shuts down NNIs that are in
a Port Fast-operational state if any BPDU is received on those NNIs. In a valid configuration, Port
Fast-enabled NNIs do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled NNI signals an
invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature
puts the interface in the error-disabled state.
At the interface level, you enable BPDU guard on any NNI by using the spanning-tree bpduguard
enable interface configuration command without also enabling the Port Fast feature. When the NNI
receives a BPDU, it is put in the error-disabled state.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
16-2
OL-9639-03
Chapter 16
Configuring Optional Spanning-Tree Features
Understanding Optional Spanning-Tree Features
The BPDU guard feature provides a secure response to invalid configurations because you must
manually put the interface back in service. Use the BPDU guard feature in a service-provider network
to prevent an access port from participating in the spanning tree.
You can enable the BPDU guard feature for the entire switch or for an interface.
Understanding BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but
the feature operates with some differences.
At the global level, you can enable BPDU filtering on Port Fast-enabled NNIs by using the
spanning-tree portfast bpdufilter default global configuration command. This command prevents
interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still
send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally
enable BPDU filtering on a switch so that hosts connected to these NNIs do not receive BPDUs. If a
BPDU is received on a Port Fast-enabled NNI, the interface loses its Port Fast-operational status, and
BPDU filtering is disabled.
At the interface level, you can enable BPDU filtering on any NNI by using the spanning-tree bpdufilter
enable interface configuration command without also enabling the Port Fast feature. This command
prevents the interface from sending or receiving BPDUs.
Caution
Enabling BPDU filtering on an NNI is the same as disabling spanning tree on it and can result in
spanning-tree loops.
You can enable the BPDU filtering feature for the entire switch or for an NNI.
Understanding EtherChannel Guard
You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a
connected device. A misconfiguration can occur if the switch NNIs are configured in an EtherChannel,
but the interfaces on the other device are not. A misconfiguration can also occur if the channel
parameters are not the same at both ends of the EtherChannel. For EtherChannel configuration
guidelines, see the “EtherChannel Configuration Guidelines” section on page 32-10.
If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch NNIs
in the error-disabled state, and displays an error message.
You can enable this feature by using the spanning-tree etherchannel guard misconfig global
configuration command.
Understanding Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not
owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch
as the root switch, as shown in Figure 16-2. You can avoid this situation by enabling root guard on SP
switch interfaces that connect to switches in your customer’s network. If spanning-tree calculations
cause an interface in the customer network to be selected as the root port, root guard then places the
interface in the root-inconsistent (blocked) state to prevent the customer’s switch from becoming the root
switch or being in the path to the root.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-03
16-3
Chapter 16
Configuring Optional Spanning-Tree Features
Understanding Optional Spanning-Tree Features
If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent
state), and spanning tree selects a new root switch. The customer’s switch does not become the root
switch and is not in the path to the root.
If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a
designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root
guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects
to a LAN, the designated switch of which is either an 802.1D switch or a switch with a different MST
region configuration.
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can
be grouped and mapped to an MST instance.
You can enable this feature by using the spanning-tree guard root interface configuration command.
Caution
Misuse of the root-guard feature can cause a loss of connectivity.
Figure 16-2
Root Guard in a Service-Provider Network
Customer network
Service-provider network
Potential
spanning-tree root without
root guard enabled
Desired
root switch
101232
Enable the root-guard feature
on these interfaces to prevent
switches in the customer
network from becoming
the root switch or being
in the path to the root.
Understanding Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a
failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire
switched network. Loop guard prevents alternate and root ports from becoming designated ports, and
spanning tree does not send BPDUs on root or alternate ports.
You can enable this feature by using the spanning-tree loopguard default global configuration
command.
When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root
ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the
interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the
interface in all MST instances.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
16-4
OL-9639-03
Chapter 16
Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
These sections contain this configuration information:
•
Default Optional Spanning-Tree Configuration, page 16-5
•
Optional Spanning-Tree Configuration Guidelines, page 16-5
•
Enabling Port Fast, page 16-5 (optional)
•
Enabling BPDU Guard, page 16-6 (optional)
•
Enabling BPDU Filtering, page 16-7 (optional)
•
Enabling EtherChannel Guard, page 16-8 (optional)
•
Enabling Root Guard, page 16-9 (optional)
•
Enabling Loop Guard, page 16-9 (optional)
Default Optional Spanning-Tree Configuration
Table 16-1 shows the default optional spanning-tree configuration. Only NNIs participate in STP on the
switch. UNIs are always in the forwarding state.
Table 16-1
Default Optional Spanning-Tree Configuration
Feature
Default Setting
Port Fast, BPDU filtering, BPDU guard
Globally disabled (unless they are individually configured
per NNI).
EtherChannel guard
Globally enabled.
Root guard
Disabled on all NNIs.
Loop guard
Disabled on all NNIs.
Optional Spanning-Tree Configuration Guidelines
You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop
guard if your switch is running PVST+, rapid PVST+, or MSTP.
Optional spanning-tree configuration commands are not supported on UNIs.
Enabling Port Fast
An NNI with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state
without waiting for the standard forward-time delay.
Caution
Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature
on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling
loops in your network, which could cause broadcast storms and address-learning problems.
You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-03
16-5
Chapter 16
Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify an interface to configure, and enter interface configuration
mode. If the interface is not an NNI, you must enter the port-type nni
interface configuration command before enabling Port Fast.
Step 3
spanning-tree portfast [trunk]
Enable Port Fast on an access port connected to a single workstation or
server. By specifying the trunk keyword, you can enable Port Fast on a
trunk port.
Note
Caution
To enable Port Fast on trunk ports, you must use the
spanning-tree portfast trunk interface configuration command.
The spanning-tree portfast command does not work on trunk
ports.
Make sure that there are no loops in the network between the
trunk port and the workstation or server before you enable
Port Fast on a trunk port.
By default, Port Fast is disabled on all NNIs. UNIs do not participate in
STP.
Step 4
end
Return to privileged EXEC mode.
Step 5
show spanning-tree interface
interface-id portfast
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
Note
You can use the spanning-tree portfast default global configuration command to globally enable the
Port Fast feature on all nontrunking NNIs.
To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration
command.
Enabling BPDU Guard
When you globally enable BPDU guard on NNIs that are Port Fast-enabled (the interfaces are in a Port
Fast-operational state), spanning tree shuts down Port Fast-enabled NNIs that receive BPDUs.
In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs. Receiving a BPDU on a
Port Fast-enabled interface signals an invalid configuration, such as the connection of an unauthorized
device, and the BPDU guard feature puts the interface in the error-disabled state. The BPDU guard
feature provides a secure response to invalid configurations because you must manually put the interface
back in service. Use the BPDU guard feature in a service-provider network to prevent an access port
from participating in the spanning tree.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
16-6
OL-9639-03
Chapter 16
Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
Caution
Configure Port Fast only on NNIs that connect to end stations; otherwise, an accidental topology loop
could cause a data packet loop and disrupt switch and network operation.
You also can use the spanning-tree bpduguard enable interface configuration command to enable
BPDU guard on any NNI without also enabling the Port Fast feature. When the interface receives a
BPDU, it is put in the error-disabled state.
You can enable the BPDU guard feature if your switch is running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU guard feature. This
procedure is optional.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
spanning-tree portfast bpduguard default
Globally enable BPDU guard. (By default, BPDU guard is
disabled.)
Note
Globally enabling BPDU guard enables it only on NNIs;
the command has no effect on UNIs.
Step 3
interface interface-id
Specify the interface connected to an end station, and enter
interface configuration mode. If the interface is not an NNI, you
must enter the port-type nni interface configuration command
before enabling Port Fast.
Step 4
spanning-tree portfast
Enable the Port Fast feature.
Step 5
end
Return to privileged EXEC mode.
Step 6
show running-config
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration
command.
You can override the setting of the no spanning-tree portfast bpduguard default global configuration
command by using the spanning-tree bpduguard enable interface configuration command on an NNI.
Enabling BPDU Filtering
When you globally enable BPDU filtering on Port Fast-enabled NNIs, it prevents interfaces that are in
a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs
at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering
on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on
a Port Fast-enabled NNI, the interface loses its Port Fast-operational status, and BPDU filtering is
disabled.
Caution
Configure Port Fast only on NNIs that connect to end stations; otherwise, an accidental topology loop
could cause a data packet loop and disrupt switch and network operation.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-03
16-7
Chapter 16
Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
You can also use the spanning-tree bpdufilter enable interface configuration command to enable
BPDU filtering on any NNI without also enabling the Port Fast feature. This command prevents the NNI
from sending or receiving BPDUs.
Caution
Enabling BPDU filtering on an NNI is the same as disabling spanning tree on it and can result in
spanning-tree loops.
You can enable the BPDU filtering feature if your switch is running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature.
This procedure is optional.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
spanning-tree portfast bpdufilter default
Globally enable BPDU filtering. (By default, BPDU filtering is
disabled.)
Note
Globally enabling BPDU filtering enables it only on
NNIs; the command has no effect on UNIs.
Step 3
interface interface-id
Specify the interface connected to an end station, and enter
interface configuration mode. If the interface is not an NNI, you
must enter the port-type nni interface configuration command
before enabling Port Fast.
Step 4
spanning-tree portfast
Enable the Port Fast feature.
Step 5
end
Return to privileged EXEC mode.
Step 6
show running-config
Verify your entries.
Step 7
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration
command.
You can override the setting of the no spanning-tree portfast bpdufilter default global configuration
command by using the spanning-tree bpdufilter enable interface configuration command on an NNI.
Enabling EtherChannel Guard
You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is
running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard. This procedure
is optional.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
spanning-tree etherchannel guard misconfig
Enable EtherChannel guard.
Step 3
end
Return to privileged EXEC mode.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
16-8
OL-9639-03
Chapter 16
Configuring Optional Spanning-Tree Features
Configuring Optional Spanning-Tree Features
Command
Purpose
Step 4
show spanning-tree summary
Verify your entries.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable the EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig
global configuration command.
You can use the show interfaces status err-disabled privileged EXEC command to show which switch
NNIs are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter
the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
After the configuration is corrected, enter the shutdown and no shutdown interface configuration
commands on the port-channel interfaces that were misconfigured.
Enabling Root Guard
Root guard enabled on an NNI applies to all the VLANs to which the NNI belongs.
Note
You cannot enable both root guard and loop guard at the same time.
You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to enable root guard on an interface. This
procedure is optional.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
interface interface-id
Specify an interface to configure, and enter interface configuration mode. If
the interface is not an NNI, you must enter the port-type nni interface
configuration command before enabling root guard.
Step 3
spanning-tree guard root
Enable root guard on the NNI.
By default, root guard is disabled on all interfaces.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config (Optional) Save your entries in the configuration file.
To disable root guard, use the no spanning-tree guard interface configuration command.
Enabling Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a
failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire
switched network. Loop guard operates only on NNIs that are considered point-to-point by the spanning
tree.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-03
16-9
Chapter 16
Configuring Optional Spanning-Tree Features
Displaying the Spanning-Tree Status
Note
You cannot enable both loop guard and root guard at the same time.
You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.
Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.
Step 1
Command
Purpose
show spanning-tree active
Verify which interfaces are alternate or root ports.
or
show spanning-tree mst
Step 2
configure terminal
Enter global configuration mode.
Step 3
spanning-tree loopguard default
Enable loop guard. By default, loop guard is disabled.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
Verify your entries.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
To globally disable loop guard, use the no spanning-tree loopguard default global configuration
command. You can override the setting of the no spanning-tree loopguard default global configuration
command by using the spanning-tree guard loop interface configuration command on an NNI.
Displaying the Spanning-Tree Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 16-2:
Table 16-2
Commands for Displaying the Spanning-Tree Status
Command
Purpose
show spanning-tree active
Displays spanning-tree information on active interfaces only.
show spanning-tree detail
Displays a detailed summary of interface information.
show spanning-tree interface interface-id
Displays spanning-tree information for the specified interface.
show spanning-tree mst interface interface-id
Displays MST information for the specified interface.
show spanning-tree summary [totals]
Displays a summary of interface states or displays the total lines of the
spanning-tree state section.
You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id]
privileged EXEC command.
For information about other keywords for the show spanning-tree privileged EXEC command, see the
command reference for this release.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
16-10
OL-9639-03
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising