
Attributes to improve the stability of spanning-tree





In networking, we know that we need to avoid loops and other problems related to the switching architecture. The stability of the Root Bridge is very important, as is the uninterrupted service of spanning-tree. A change in the position of the Root Bridge will cause service disruption on the network.

Let's check these loop prevention mechanisms.






As we mentioned before, in an STP environment, switches, end stations, and other Layer 2 devices use Bridge Protocol Data Units (BPDUs) to exchange information that STP uses to determine the best path for data flow.

BPDUGuard
You should use BPDUGuard on all switch ports where STP PortFast is enabled. This prevents the possibility that a switch is added to the port, either intentionally or by mistake. BPDUGuard belongs on access-layer switches where users and end devices connect. BPDUs are not expected there, and one would be detected if a switch or a hub inadvertently gets connected.
  1. BPDU guard, an enhancement to STP, removes a node that reflects BPDUs back into the network and helps preserve the stability of an STP topology by placing a port into the error-disable state if a BPDU is received on that port.
  2. BPDUGuard should be enabled on ports that have PortFast enabled and will only connect to end stations
  3. Can be enabled globally or on a port-by-port basis
Best practice is to enable BPDU Guard only on access ports (access ports lead to end-user devices) so that any end-user devices on these ports that have BPDU Guard enabled are not able to influence the spanning-tree topology.

For example, in the graphic, if you connect a laptop to the upper switch, nothing happens. It will send a DHCP broadcast. But if you connect a switch, it will send a BPDU; look what happens.
If the port goes into the error-disable state, it is brought back with what is called "bouncing the port" (going to interface configuration mode and issuing the shutdown command followed by the no shutdown command).


First we will enable it per interface (fa0/20 in this case), and later we will enable it globally.




BPDU filter
BPDU filter is a feature used to filter the sending or receiving of BPDUs on a switchport. When configured globally, all PortFast-enabled ports stop sending and receiving BPDUs, but if a BPDU is received on a port, the port leaves the PortFast state and participates normally in the spanning-tree calculations.
  1. Prevents a port from sending BPDUs
  2. Can be implemented on a port-by-port basis or globally (on ports with PortFast enabled)
  3. Should only be used when necessary, for example an autonomous system
  4. Most dangerous when configured at the port level because it creates a loop




We can check whether BPDU filter is enabled on that switch.


RootGuard

We use it to prevent somebody from intentionally or accidentally adding a switch or a hub to our network that might send us a superior BPDU claiming to be the root.

When root guard is enabled on a port, it keeps the port in a designated role. If the port receives a superior STP BPDU, it puts the port into a Root-Inconsistent state. The Root-Inconsistent state is equivalent to the BLOCKING state in 802.1D. No further traffic is forwarded on this port. This allows the bridge to prevent traffic from being forwarded on ports connected to rogue or misconfigured STP bridges.

Once the port stops receiving superior BPDUs, root guard automatically sets the port back to learning, and eventually to a forwarding state through the spanning-tree algorithm.



  1. Configured on ports where the root bridge is not expected
  2. Ports enabled for RootGuard enter a Root-Inconsistent state when receiving a superior BPDU

Loopguard

Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network. The loop guard feature checks whether a root port or an alternate root port receives BPDUs. If the port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again.


  1. Causes a non-designated port to enter the Loop Inconsistent state (blocking state) if it stops receiving BPDUs
  2. Can be enabled on a port-by-port basis (typically on all ports not configured for RootGuard) or globally on all point-to-point links
Do not enable loop guard on PortFast-enabled or dynamic VLAN ports.


We will disable PortFast, BPDU filter and BPDU guard first.
Now we will configure it and verify it.
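
The placement rules from the sections above (BPDU guard on every PortFast port, no port-level BPDU filter, no loop guard on PortFast ports) can be checked against a saved configuration. The following Python audit is an added example, not part of the original post; the sample configuration is constructed, and the function name `audit_stp` and the classic IOS command spellings it matches are assumptions.

```python
import re

# Constructed sample running-config (classic IOS syntax), not from the post.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/4
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard loop
!
interface GigabitEthernet0/1
 switchport mode trunk
 spanning-tree guard root
"""

def audit_stp(config):
    """Return (interface, finding) pairs for the post's placement rules."""
    # A global BPDU guard default covers every PortFast port.
    global_guard = re.search(r"^spanning-tree portfast bpduguard default", config, re.M)
    findings = []
    for stanza in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, *body = stanza.splitlines()
        # Interface sub-commands are the indented lines of the stanza.
        cmds = {line.strip() for line in body if line.startswith(" ")}
        portfast = "spanning-tree portfast" in cmds
        if portfast and not global_guard and "spanning-tree bpduguard enable" not in cmds:
            findings.append((name, "PortFast without BPDU guard"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "interface-level BPDU filter"))
        if portfast and "spanning-tree guard loop" in cmds:
            findings.append((name, "loop guard on PortFast port"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_stp(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
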





Now you know how to configure BPDU guard, BPDU filter, RootGuard and Loopguard. This explanation and exercise was successful!

Reviewed by ohhhvictor on 3:19:00 PM
