STP Protection

Root Guard

When a new switch is connected to an existing switched network, it can become the root bridge if its bridge ID is lower than that of the current root bridge. The existing topology would then change, which may not be desirable.
In such cases, there is a need to prevent the newly connected switch from becoming the root bridge.
The root guard feature prevents any switch connected to the port from becoming the root. When root guard is enabled on a port, superior BPDUs received on that port are ignored.

By default, root guard is disabled on all switchports. To enable it on an interface, use the command below.

Switch(config-if)#spanning-tree guard root

BPDU guard

BPDU guard is useful on switchports where PortFast is enabled. When enabled on a switchport, BPDU guard moves the port into the errdisable state if any BPDU is received on it. The port is then shut down and stays down until it is re-enabled manually, or it is re-enabled automatically if a recovery timeout has been set.

BPDU guard is disabled on all switchports by default.

We can enable BPDU guard on all switchports at once from global configuration mode using the command below:

switch(config)#spanning-tree portfast bpduguard default

With this global default in place, BPDU guard is enabled automatically on every port where PortFast is enabled.

If we want to enable BPDU guard separately on each interface, we can use the command below:

switch(config-if)#spanning-tree bpduguard enable

Loop Guard

If a port in the blocking state stops receiving BPDUs for some reason, the switch might move the port from blocking to forwarding. With loop guard enabled, a sudden loss of BPDUs moves the port to the loop-inconsistent state instead, which prevents a loop from forming. When BPDUs are received again, the port returns to its active state.

Loop guard can be enabled with the command below.

Switch(config)# spanning-tree loopguard default

UDLD

The links used in company networks are bidirectional, which means traffic can flow in both directions. If, because of some fault, traffic flows in only one direction, the STP topology is at risk.

To avoid this problem we can use the UDLD (Unidirectional Link Detection) feature. This is a Cisco-proprietary STP feature.

UDLD monitors a switchport to determine whether its link is bidirectional.

UDLD operates in two modes:

Normal mode:

If the link becomes unidirectional, UDLD sends a syslog message about the link condition.

Aggressive mode:

If the link becomes unidirectional, the switch tries to recover the link. If the link does not become bidirectional again, the port is changed to the errdisable state so that it cannot be used.

We can enable UDLD on all interfaces from global configuration mode, or separately on each interface from interface configuration mode.

switch(config)# udld {enable | aggressive | message time seconds}

switch(config-if)# udld {enable | aggressive | disable}
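As an added example that is not part of the original page, the configuration below places the four features described above (root guard, BPDU guard, loop guard and UDLD) on a Cisco IOS access switch according to port role, and adds errdisable recovery so guarded ports come back without manual intervention. Interface names, VLAN numbers, the 300-second recovery interval and the port roles are assumptions chosen for illustration.

```cisco
! Added example, not from the original page. Interface names, VLAN 10 and
! the 300 s recovery interval are assumptions for illustration only.

! --- Global defaults ----------------------------------------------------
! Every PortFast port gets BPDU guard; every port gets loop guard and
! normal-mode UDLD unless overridden on the interface.
spanning-tree portfast bpduguard default
spanning-tree loopguard default
udld enable
! Let ports err-disabled by BPDU guard or UDLD recover after 5 minutes
! instead of waiting for a manual "shutdown" / "no shutdown".
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300

! --- Access ports facing end hosts -------------------------------------
! PortFast skips listening/learning; BPDU guard err-disables the port the
! moment a switch (or anything sending BPDUs) is plugged in here.
! The per-interface command is explicit although the global default
! would already apply it.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- Uplinks toward the distribution layer -----------------------------
! No root guard here: these ports must be allowed to hear the real root.
! Loop guard plus aggressive UDLD cover the case where BPDUs stop
! arriving on a one-way link, which would otherwise unblock the port.
interface range TenGigabitEthernet1/1/1 - 2
 switchport mode trunk
 spanning-tree guard loop
 udld aggressive

! --- Designated port facing another access switch ----------------------
! Root guard: superior BPDUs from the downstream switch are ignored, so a
! lower bridge ID plugged in below cannot re-root the topology.
interface GigabitEthernet1/0/48
 switchport mode trunk
 spanning-tree guard root

! --- Verification -------------------------------------------------------
! show spanning-tree inconsistentports  -> root-/loop-inconsistent ports
! show interfaces status err-disabled   -> ports err-disabled by BPDU guard or UDLD
! show udld neighbors                   -> UDLD peers and their mode
! show errdisable recovery              -> enabled recovery causes and timer
```

On some Catalyst platforms the interface-level UDLD command is `udld port aggressive` rather than `udld aggressive`; the global and recovery commands are the same.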