1 Table of Contents
1 Table of Contents
2 VLAN Trunking Protocol (VTP)
2.1 VTP Versions
2.2 VTP Modes of Operation
2.3 VTP Configurations
3 Configuring Load Balancing and Fail Over on CISCO Switches Through Ether Channel
3.1 Port Channel Configuration
4 Configuring Failover using HSRP (Hot Standby Router Protocol)
5 Configuring Load Balancing using HSRP (Hot Standby Router Protocol)
6 Spanning Tree Protocol
6.1 How STP Works
6.2 Going deep, how STP really works
6.3 Spanning Tree Protocol Configurations
6.3.1 Root Bridge
6.3.2 STP Configurations
7 Advanced Optimization Options of Spanning Tree Protocol
7.1 PortFast
7.2 UpLinkFast
7.3 BackboneFast
7.4 Root Guard
7.5 BPDU Guard
8 UDLD (Unidirectional Link Detection)
9 Loop Guard
2 VLAN Trunking Protocol (VTP)
VTP is an absolutely fascinating protocol, but quite hazardous if not handled with care. I know you may be
asking WHY? Let me explain:
VTP is a VLAN advertisement protocol. It provides a centralized mechanism to create VLANs on one switch and
distribute that information to the other switches in the organization. It is particularly helpful in large
organizations with a huge number of switches and VLANs. Assuming VTP is enabled on the central distribution
Cisco switch, creating a new VLAN on that switch makes that VLAN available on all switches in the same VTP
management domain.
Take an example: you have a huge network with several switches and multiple VLANs, supporting diverse
clients, and suddenly you are asked to accommodate more clients on another switch (or switches) across
numerous VLANs. When you add the new switch(es) you would need to configure all the VLANs again, and trust
me, this takes serious time and effort. But don't be startled, we have VTP to bail us out: the switch where VTP is
configured will push the VLAN updates to the other switches for us.
Now let's look at the perilous part. Imagine it is a marvelous day; you come to work and happily see the whole
network working absolutely fine. You are asked to install another switch, one that was previously used
somewhere else, and you simply add it to the network. Suddenly things are not the same as they were, and to
me this looks like... well, VTP in action. Why?
See, you had VLANs 1, 2, 3, 4, 5 on your network, and the switch you just added carried VLAN 3012 (and,
crucially, a higher VTP configuration revision number than your own switches). So VTP checks, discovers that
VLAN 3012 is now in the domain while all the other switches know only VLANs 1, 2, 3, 4, 5, erases those VLANs
1, 2, 3, 4, 5, creates VLAN 3012, and you lose your network, facing an outage until you track down the issue.
2.1 VTP Versions
There are several versions of VTP.
VTP version 1 and version 2 are identical, with the sole difference that version 2 adds support for Token Ring networks.
2.2 VTP Modes of Operation
Below are the VTP modes of operation, one of which is configured on every VTP device:
1‐Server: A device in "Server" mode can create, add and delete VLANs, and can also configure the VTP
version, VTP pruning and authentication.
Note: The default switch VTP mode is 'Server'.
2‐Client: VTP clients cannot make any configuration changes to the VLANs. The client device takes the
parameters from the server and applies them to its own database.
3‐Transparent: Devices in VTP transparent mode do not listen to VTP; as the name says, they are
transparent. They do, however, still propagate VTP advertisements across the network.
It is recommended to keep only one switch in VTP server mode.
2.3 VTP Configurations
Following are the settings which need to be configured on VTP devices:
1‐VTP domain name
2‐VTP password: VTP stores and displays the password as an MD5 hash.
The domain name and password need to match on all the VTP‐enabled switches.
Alright, we are finished with the theory. So let's begin with the best part, "The Configurations".
VTP Configuration – The Fun Part
In this setup we will use 4 switches, with SWITCH‐1 as the VTP server while the other 3 serve as VTP clients. So
let's begin.
When connecting the switches we need to configure trunk mode on the switch ports so that VLAN traffic can
flow through all switches.
SWITCH‐1(config)#interface fa 0/1
SWITCH‐1(config‐if)#switchport trunk encapsulation dot1q
SWITCH‐1(config‐if)#switchport mode trunk
Note: the trunk command does not need to be repeated on the neighboring switch, as the trunk is negotiated
automatically once it is configured on one side.
Now we will configure VTP server mode on SWITCH‐1 and VTP client mode on the remaining switches.
Since the default VTP mode on the switches is 'Server', we don't need to change anything on SWITCH‐1 for
server mode:
SWITCH‐1#show vtp status
The above command displays the status of the different VTP parameters and whether they are enabled or not.
Now we will enable client mode on the other switches and then configure the VTP domain name, password
and version.
Next we issue the show vtp status command mentioned above to check whether our switch has been
configured as a VTP client switch or not.
Repeat the steps on all the switches to enable VTP client mode. Now let's make some change on the VTP
server and check the result on the clients.
Now let's check the VLAN and VTP status on the VTP clients and feel the magic:
This is all you need to do to configure VTP on switches. Straightforward, right? So try it and have a great time.
Just keep one thing in mind: never plug any switch from your office cubicle into your live network before you
know the complete details of your network, as this enthusiasm can cost you a lot. One other thing we must
keep in mind: never plug any switch from our corporate lab into our live network, as we usually run all sorts of
experiments on those switches, and if any of them unluckily has a higher revision number and the same domain
name, you will spend the whole weekend in the office troubleshooting the network! A quick check before
connecting any switch is to look at its Configuration Revision in show vtp status and compare it with the
production switches'; putting the switch into VTP transparent mode resets that revision to zero. So we have
covered one of the major concepts of switching technology; we will keep our journey on, and stay foolish and
stay hungry.
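As an added illustration (not part of the original article, and not Cisco's implementation), here is a small Python model of the VTP behaviour described above: a server bumps its configuration revision on every VLAN change, switches in the same domain with a matching password accept only advertisements with a higher revision, and a transparent switch relays but never applies them. The switch names, the domain name CORP, the password, the VLAN numbers and the way the password digest is formed are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    password: str = ""
    mode: str = "server"          # "server", "client" or "transparent"
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def digest(self) -> str:
        # VTP keeps an MD5 digest of the password. Hashing domain+password here
        # is a constructed simplification, not the real VTP derivation.
        return hashlib.md5(f"{self.domain}:{self.password}".encode()).hexdigest()

    def advertisement(self) -> dict:
        return {"domain": self.domain, "digest": self.digest(),
                "revision": self.revision, "vlans": set(self.vlans)}

    def create_vlan(self, vlan_id: int) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1        # every change on a server bumps the revision

    def receive(self, adv: dict) -> str:
        """Apply or ignore one advertisement and report what happened."""
        if self.mode == "transparent":
            return "forwarded"        # relayed to neighbours, database untouched
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != self.digest():
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        # Servers and clients alike replace their whole VLAN database here,
        # which is exactly how the lab switch wipes VLANs 1-5 in the story above.
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return "applied"


def propagate(source: VtpSwitch, others: list) -> dict:
    """Send one advertisement from `source` to every other switch."""
    adv = source.advertisement()
    return {sw.name: sw.receive(adv) for sw in others}


def normal_day() -> dict:
    """SWITCH-1 is the server; three clients learn VLANs 2-5 from it."""
    server = VtpSwitch("SWITCH-1", "CORP", "s3cret")
    clients = [VtpSwitch(f"SWITCH-{i}", "CORP", "s3cret", mode="client")
               for i in (2, 3, 4)]
    for vlan in (2, 3, 4, 5):
        server.create_vlan(vlan)
    propagate(server, clients)
    return {sw.name: sorted(sw.vlans) for sw in clients}


def lab_switch_plugged_in(lab_password: str, lab_revision: int,
                          edge_mode: str = "client") -> dict:
    """A lab switch carrying VLAN 3012 joins a domain whose switches sit at
    revision 4 with VLANs 1-5. `edge_mode` lets the EDGE switch run transparent."""
    prod = [VtpSwitch("SWITCH-1", "CORP", "s3cret", mode="server",
                      revision=4, vlans={1, 2, 3, 4, 5})]
    prod += [VtpSwitch(f"SWITCH-{i}", "CORP", "s3cret", mode="client",
                       revision=4, vlans={1, 2, 3, 4, 5}) for i in (2, 3)]
    prod.append(VtpSwitch("EDGE", "CORP", "s3cret", mode=edge_mode,
                          revision=4, vlans={1, 2, 3, 4, 5}))
    lab = VtpSwitch("LAB", "CORP", lab_password, revision=lab_revision,
                    vlans={1, 3012})
    outcome = propagate(lab, prod)
    return {"outcome": outcome,
            "vlans": {sw.name: sorted(sw.vlans) for sw in prod}}
```

Run lab_switch_plugged_in with the production password and a high revision to see even the server overwritten, then with a wrong password, a low revision, or edge_mode="transparent" to see each safeguard hold.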
3 Configuring Load Balancing and Fail Over on CISCO Switches Through Ether Channel
In modern corporate networks it is highly recommended to connect two distribution switches, or even access
switches, with multiple links. If a network cable or a particular physical interface fails, data packets continue
to flow through the redundant path. One big problem is that Spanning Tree Protocol (STP) forces only one link
into the forwarding state while keeping all other links in the blocking state to avoid switching loops. If the
active link fails, STP brings only one other backup link into the active state. What if you have invested a lot in
laying expensive redundant fiber optic links between switches which are geographically far apart but part of
the same Local Area Network (LAN), and you want to use both links for load balancing? Fast EtherChannel (FEC)
on Fast Ethernet segments and Gigabit EtherChannel (GEC) on Gigabit Ethernet segments allow the collective
links to be treated as one link from an STP perspective, so that all the parallel physical segments are used.
Good network design uses two redundant links for trunks, combined into a Port Channel, for better availability.
In this way, as long as at least one of the links in the EtherChannel is up, the STP path does not fail, and both
links are utilized for data transfer.
When a switch chooses to send a frame out of a Port Channel, it must also decide which physical link to use
for each frame. To make use of the multiple links, Cisco switches load balance the traffic over the links in an
EtherChannel based on the switch's global load‐balancing configuration. The port‐channel load‐balance type
command on Cisco switches configures the type of load balancing. The type options include using source and
destination MAC addresses, IP addresses, and TCP and UDP ports, either a single field or both the source and
destination.
3.1 Port Channel Configuration
You define the interfaces that belong to a Port Channel with the channel‐group number mode interface
subcommand on Cisco switches. Repeat the command on every physical interface you want to include in the
port channel, keeping the port channel number the same.
You can also use dynamic protocols to let neighboring switches work out which ports should be part of the
same Port Channel. Those protocols are the Cisco‐proprietary Port Aggregation Protocol (PAgP) and the IEEE
802.1AD Link Aggregation Control Protocol (LACP). To configure a Port Channel using PAgP, the same
channel‐group command is used with a mode of auto or desirable. For LACP, use a mode of active or
passive.
The following table details the different modes.
PAgP Setting   LACP 802.1AD Setting   Action
on             on                     Disables PAgP or LACP, and forces the port into the PortChannel
off            off                    Disables PAgP or LACP, and prevents the port from being part of a PortChannel
auto           passive                Uses PAgP or LACP, but waits on the other side to send the first PAgP or LACP message
desirable      active                 Uses PAgP or LACP, and initiates the negotiation
Several items must be identical on the links in order to dynamically form a Port Channel:
∙ Duplex setting and speed must be the same.
∙ Access VLAN must be the same, if the ports are not trunks.
∙ If the ports are trunks, the allowed VLANs, native VLAN and trunk type must be identical.
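The mode table and the identical‐settings list lend themselves to a pre‐deployment check. The following Python is an added example, not code from the article or from Cisco; it encodes which mode pairs negotiate a channel and which per‐port attributes must match between members, using constructed port names and values.

```python
from dataclasses import dataclass

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}


def channel_forms(mode_a: str, mode_b: str) -> bool:
    """True if the two ends' channel-group modes will bundle the link."""
    a, b = mode_a.lower(), mode_b.lower()
    if "off" in (a, b):
        return False                      # off never joins a Port Channel
    if "on" in (a, b):
        return a == b                     # on bundles only with on (no protocol)
    if a in PAGP_MODES and b in PAGP_MODES:
        return "desirable" in (a, b)      # auto/auto: both sides wait forever
    if a in LACP_MODES and b in LACP_MODES:
        return "active" in (a, b)         # passive/passive: both sides wait forever
    return False                          # PAgP cannot negotiate with LACP


@dataclass(frozen=True)
class Port:
    name: str
    speed: int                # Mb/s
    duplex: str               # "full" or "half"
    trunk: bool
    access_vlan: int = 1
    native_vlan: int = 1
    allowed_vlans: frozenset = frozenset()
    trunk_type: str = "dot1q"


def link_mismatches(p: Port, q: Port) -> list:
    """Every attribute that stops p and q from being members of one bundle."""
    problems = []
    if p.speed != q.speed:
        problems.append("speed")
    if p.duplex != q.duplex:
        problems.append("duplex")
    if p.trunk != q.trunk:
        problems.append("trunk/access mode")
    elif p.trunk:
        if p.allowed_vlans != q.allowed_vlans:
            problems.append("allowed VLANs")
        if p.native_vlan != q.native_vlan:
            problems.append("native VLAN")
        if p.trunk_type != q.trunk_type:
            problems.append("trunk type")
    elif p.access_vlan != q.access_vlan:
        problems.append("access VLAN")
    return problems


def bundle_check(members: list, local_mode: str, remote_mode: str) -> dict:
    """Validate one switch's member ports against each other and the modes
    used on both ends; an empty dict means the channel should come up."""
    issues = {}
    if not channel_forms(local_mode, remote_mode):
        issues["mode"] = f"{local_mode}/{remote_mode} will not negotiate"
    for port in members[1:]:
        diff = link_mismatches(members[0], port)
        if diff:
            issues[port.name] = diff
    return issues
```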
4 Configuring Failover using HSRP (Hot Standby Router Protocol)
HSRP is a Cisco proprietary protocol that provides redundancy in the network by allowing two routers to work
together in a redundant configuration. It protects against abrupt failure: if the primary interface fails for any
reason, the secondary interface takes over. It is therefore considered one of the high availability network
services.
As the name says, the concept is fairly simple, with active and standby devices, which are a requirement of every
modern corporate network. In HSRP, routers are grouped into HSRP groups. In a group, one of the routers is
the active router which carries the traffic, while the others stay in the standby state and wait to take over the
traffic load in case of any failure on the active/primary router. The interesting thing to note is that hosts using
the HSRP IP address as their gateway are not aware of the actual physical MAC or IP address of the HSRP group
routers. When configuring HSRP, a virtual IP and MAC address are configured, and hosts are aware only of
that virtual address, which is then used for routing the traffic. To explain further, let's take a scenario and check
how the routers are configured and act accordingly.
In the following scenario we have two routers (R1, R2) in a basic setup. Please note that these routers can also
be multi‐layer switches.
Router1 and Router2 are going to be configured in standby group 1. The IP address
192.168.1.1/255.255.255.0 will be configured as the HSRP address. So let's begin;
Router1(config)#interface fa 0/0
Router1(config‐if)#ip address 192.168.1.2 255.255.255.0
Router1(config‐if)#standby 1 ip 192.168.1.1
Router2(config)#interface fa 0/0
Router2(config‐if)#ip address 192.168.1.3 255.255.255.0
Router2(config‐if)#standby 1 ip 192.168.1.1
We can check the status of HSRP with the following command on the router;
Router1#show standby
Fa 0/0 - Group 1
!
!
Local state is Standby, priority 100
!
!
Router2#show standby
!
!
Local state is Active, priority 100
!
!
Please note that "Local state is Active" on Router 2 confirms that it has been selected as the active router,
while Router 1 is now in standby mode and waiting for its turn in case R2 becomes unavailable.
The standby router takes over once the hold time expires. The priority field is used to elect the active router and
the standby router. If the priorities are equal, the router with the highest IP address in the respective group is
elected as active.
Now let’s use the priority to change the active and standby routers;
Router1(config)#interface fa 0/0
Router1(config-if)#ip address 192.168.1.2 255.255.255.0
Router1(config-if)#standby 1 ip 192.168.1.1
Router1(config-if)#standby 1 priority 200
Router2(config)#interface fa 0/0
Router2(config-if)#ip address 192.168.1.3 255.255.255.0
Router2(config-if)#standby 1 ip 192.168.1.1
Please note that we have increased the priority of R1 to 200 while no priority is configured for R2, so it keeps
the default of 100, making R1 the active and R2 the standby router in the HSRP group.
5 Configuring Load Balancing using HSRP (Hot Standby Router Protocol)
In the previous article we configured HSRP to implement failover for the routers (R1 and R2) in the above
scenario, so that if Router 1 fails, Router 2 takes over. What do you think? Is this configuration perfect? Trust
me, it is not. Let me explain why. See, if Router 1 (R1) goes down, Router 2 (R2) will become active, but when
R1 comes back up, R2 will keep its state as active. Now you see why it is not perfect. There are many times
when you want R1 to regain its active state, and for that Cisco has provided a way, which I am going to show
you now, using the preempt command. Let us name Router 1 RTR1 and Router 2 RTR2; the Ethernet interfaces
to be used are FastEthernet 0/23 and FastEthernet 0/24.
RTR1(config)#interface fa 0/23
RTR1(config-if)#ip address 192.168.1.2 255.255.255.0
RTR1(config-if)#standby 1 ip 192.168.1.1
RTR1(config-if)#standby 1 priority 200
RTR1(config-if)#standby 1 preempt
Router 2's HSRP configuration commands remain the same as in the previous article.
The 'preempt' command makes sure that Router 1 regains the active state when it comes back up after a
failure.
Now it looks perfect, right? I still don't agree with the word perfect. Why? Let me explain. Just look at the
configuration and you will observe that Router 1 is active and taking the traffic load, but what about Router 2?
It is just sitting idle, doing nothing, which is not good. This means that our investment in Router 2 is not being
utilized most of the time. We can solve this problem by configuring HSRP to load balance the traffic between
the routers. Yes, the famous 'load balancing'.
To achieve our goal we have to configure multiple HSRP groups (one per interface here), with each router
active for one of them, and it is really simple. Let me show you how it is done;
RTR1(config)#interface fa 0/23
RTR1(config-if)#ip address 192.168.1.2 255.255.255.0
RTR1(config-if)#standby 1 ip 192.168.1.1
RTR1(config-if)#standby 1 priority 200
RTR1(config-if)#standby 1 preempt
RTR1(config-if)#standby 1 name network-one
!
RTR1(config)#interface fa 0/24
RTR1(config-if)#ip address 192.168.2.2 255.255.255.0
RTR1(config-if)#standby 2 ip 192.168.2.1
RTR1(config-if)#standby 2 name network-two
RTR2(config)#interface fa 0/23
RTR2(config-if)#ip address 192.168.1.3 255.255.255.0
RTR2(config-if)#standby 1 ip 192.168.1.1
RTR2(config-if)#standby 1 name network-one
!
RTR2(config)#interface fa 0/24
RTR2(config-if)#ip address 192.168.2.3 255.255.255.0
RTR2(config-if)#standby 2 ip 192.168.2.1
RTR2(config-if)#standby 2 priority 200
RTR2(config-if)#standby 2 preempt
RTR2(config-if)#standby 2 name network-two
Please note that on fa 0/23 (HSRP group 1) Router 1 is active and Router 2 is standby. On fa 0/24 (HSRP
group 2) Router 2 is active and Router 1 is standby; if one fails, the other takes over.
Now, on the switch that connects to the routers, the content‐addressable memory (CAM) table lists the HSRP
virtual MAC address and the port behind which the active router sits. That is how the switch knows where the
active HSRP router is. One more interesting thing to note is that you can use the same router to configure
network address translation (NAT) and HSRP.
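Sections 4 and 5 describe one election rule (highest priority, then highest IP address), failover once the hold time expires, preempt, and two groups with opposite preferences. The following Python model, added here and neither Cisco's code nor the article's, walks through those situations with the page's addresses and priorities; the HSRP version 1 virtual MAC format 0000.0c07.acXX is the real one, while the group objects and scenario functions are this example's own constructions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    ip: str
    priority: int = 100     # IOS default when no 'standby N priority' is configured
    preempt: bool = False   # 'standby N preempt'
    up: bool = True


@dataclass
class HsrpGroup:
    number: int
    virtual_ip: str
    members: list = field(default_factory=list)
    active: str = None

    def virtual_mac(self) -> str:
        """HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number in hex."""
        return f"0000.0c07.ac{self.number:02x}"

    def _best(self, exclude: str = None):
        """Highest priority wins; a tie goes to the highest IP address."""
        alive = [m for m in self.members if m.up and m.name != exclude]
        if not alive:
            return None
        return max(alive, key=lambda m: (m.priority, int(ipaddress.ip_address(m.ip))))

    def elect(self) -> str:
        """Initial election when no router is active yet."""
        self.active = self._best().name
        return self.active

    def standby(self) -> str:
        """The router that will take over if the active one fails."""
        best = self._best(exclude=self.active)
        return best.name if best else None

    def link_event(self, name: str, up: bool) -> str:
        """A member fails or comes back; return the active router afterwards."""
        member = next(m for m in self.members if m.name == name)
        member.up = up
        if not up and self.active == name:
            best = self._best()                  # hold time expires: standby takes over
            self.active = best.name if best else None
        elif up and member.preempt and self._best().name == name:
            self.active = name                   # preempt: the better router retakes active
        # Without preempt a returning router stays standby even with the higher priority.
        return self.active


def failover(preempt: bool) -> list:
    """Page scenario: R1 priority 200, R2 default; R1 fails and later returns.
    Returns the active router after election, after the failure and after recovery."""
    group = HsrpGroup(1, "192.168.1.1", [
        Member("R1", "192.168.1.2", priority=200, preempt=preempt),
        Member("R2", "192.168.1.3")])
    return [group.elect(), group.link_event("R1", False), group.link_event("R1", True)]


def equal_priority_tiebreak() -> tuple:
    """Both routers at priority 100: the higher IP (R2 at .3) becomes active."""
    group = HsrpGroup(1, "192.168.1.1",
                      [Member("R1", "192.168.1.2"), Member("R2", "192.168.1.3")])
    return group.elect(), group.standby()


def load_sharing() -> dict:
    """Two groups on different subnets; each router is preferred, and preempts,
    in one of them, so both carry traffic while still backing each other up."""
    g1 = HsrpGroup(1, "192.168.1.1", [Member("RTR1", "192.168.1.2", 200, True),
                                      Member("RTR2", "192.168.1.3")])
    g2 = HsrpGroup(2, "192.168.2.1", [Member("RTR1", "192.168.2.2"),
                                      Member("RTR2", "192.168.2.3", 200, True)])
    return {g.number: (g.elect(), g.standby(), g.virtual_mac()) for g in (g1, g2)}
```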
6 Spanning Tree Protocol:
Now we are going to arm ourselves with an amazing protocol, STP! STP (Spanning Tree Protocol) is an amazing
protocol for creating a loop‐free topology in a redundant bridged network. STP was created by Dr Radia Perlman
of Sun Microsystems for loop‐free bridged ("bridge" can be replaced with "switch") networks.
Yes, redundancy is one of the important parts of network design. In a simple Campus Area Network there is a
lot of redundancy at the Distribution as well as the Core layer of the network. The redundant paths are
necessary for the fast convergence and stable operation of a good corporate network.
Before we begin to discuss STP in detail, it's worth mentioning that it is based on the IEEE 802.1D standard and
is enabled by default on every CISCO switch. You can't imagine the catastrophe it can lead to if you disable STP
on a live production network, so it's strongly recommended not to disable it in any case; yes, you can if you
want to play with STP or want to create broadcast storms to blow your switch's little brain.
6.1 How STP Works:
Figure 1.1
Let's suppose we have the above redundant network. In order to maintain network continuity, we have created
redundant paths in this network. Suppose there was no STP running: Switch 0 would send its data (CAM table
etc.) to Switch 1, Switch 1 would send its data back to Switch 0, and this loop would continue forever until the
switches went mad. So STP takes care of the network by blocking ports/redundant paths, which stops this
switching loop from occurring. In the above Figure 1.1, Switch 1 has blocked its Fa0/2 port to avoid this
switching loop; this was possible because of the magic of STP. It will keep the port in the blocked state until it
needs to be activated in case of failure of the active link.
6.2 Going deep, how STP really works:
STP uses probes or beacons (technically known as BPDUs, bridge protocol data units) to check for switching
loops on the network. These BPDUs can be thought of as echo requests from the switch to its neighbor switch
ports; if the sending switch receives this echo back, it is a strong indication of a loop, so STP comes into action
and blocks the port according to its algorithm to prevent the loop. These BPDUs are also used to elect the Root
Bridge (we will discuss it further) and the best path from each bridge to reach the RB (Root Bridge), and then to
block all useless ports.
In order to provide this path redundancy, and to avoid a loop condition, the spanning tree algorithm defines a
tree‐like structure that spans all the switches. The spanning tree algorithm puts the redundant data paths into a
standby (blocked or non‐designated) state and the other paths into a forwarding state (designated state or, in
other words, root ports). If a link in the designated forwarding state becomes unavailable, the spanning tree
algorithm reconfigures the network and reroutes traffic through the alternate standby path (i.e. standby ports
are converted into designated or forwarding ports). So far from this discussion we have concluded that the STP
algorithm puts the ports into the following states:
∙ Designated/root ports
∙ Non‐Designated/Blocked Ports
∙ Forwarding ports
6.3 Spanning Tree Protocol Configurations
Have you heard about RSTP? No? Okay, let me tell you. RSTP stands for Rapid Spanning Tree Protocol; it was
specially designed to minimize the network delays that arise with STP IEEE 802.1D in case of port failure and
diversion of traffic to another port. Though this delay is not a big deal in a lab network, in a production
network we need fast and robust convergence. So RSTP is mostly enabled on switches instead of STP to ensure
quick network availability.
6.3.1 Root Bridge:
The root bridge is selected on the basis of the lowest bridge ID. Remember, lower is better in STP: the switch
(bridge) with the lowest bridge ID is elected as root. The bridge ID is composed of the Bridge Priority plus the
MAC address. By default each switch has its bridge priority set to 32768, so the decisive factor is the lowest
MAC address. STP looks at the whole network from the root bridge's perspective. So it is better network design
practice to elect our core switches as the root by adjusting the switch priority with the bridge priority command.
Remember one more thing: each VLAN has its own root bridge, so we can nominate different roots for each
VLAN; this concept is called PVST, Per VLAN Spanning Tree. Now that you are completely armed with the
technical overview of STP, we will move on to the configurations, which are quite easy to manipulate and understand.
6.3.2 STP Configurations:
By default STP is enabled on every switch for each VLAN. Suppose we bought some old switch on which STP is
not enabled; the simplest way to enable STP is to issue the following commands on the switch. First go into
configuration mode by issuing the configure terminal command, then enable STP for our desired VLAN with the
command spanning‐tree vlan <vlan ID>, and then a simple end to complete the configuration. Before
configuring Spanning Tree Protocol, it is best to analyze and nominate the switch which needs to be elected as
the root switch, or you can really create a web of complexities in your switched network.
Okay, an interesting twist: if we want spanning tree to adjust the bridge priority itself and make the switch a
root bridge, so that we don't need to issue the bridge priority command, there is a solution. We just need to
issue the spanning‐tree vlan <vlan #> root primary command; this command will magically adjust the bridge
priority on our switch and turn it into the root bridge.
Okay, as you go deeper into STP and want to change the STP mode, it is achievable by simply issuing the
following command with our required mode:
spanning‐tree mode {pvst | rapid‐pvst}
Hmm, we have enabled STP, set up our root switch, and enabled PVST/RSTP. What else needs to be done? Yes, if
you want to check the STP status, you can use the show spanning‐tree command with its different options,
which I encourage you to explore.
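As an added example (not from the article, and not Cisco's code), the following Python runs the root bridge election from 6.3.1 and mimics what root primary and UplinkFast do to a switch's priority, with one election per VLAN as PVST does. The switch names and MAC addresses are constructed; the "24576, otherwise 4096 below the current root" rule used for root primary is the behaviour Cisco documents for that command, stated in the code as the model's assumption.

```python
DEFAULT_PRIORITY = 32768
UPLINKFAST_PRIORITY = 49152


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID as a comparable tuple: priority first, then the MAC as an
    integer. Lower is better, exactly as STP compares them."""
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(switches: dict) -> str:
    """switches: name -> (priority, mac). Return the name of the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def pvst_roots(macs: dict, vlan_priorities: dict) -> dict:
    """One election per VLAN. vlan_priorities: vlan -> {name: priority};
    any switch not listed for a VLAN runs the default priority there."""
    roots = {}
    for vlan, prios in vlan_priorities.items():
        table = {n: (prios.get(n, DEFAULT_PRIORITY), mac) for n, mac in macs.items()}
        roots[vlan] = elect_root(table)
    return roots


def root_primary(switches: dict, name: str) -> int:
    """Model of 'spanning-tree vlan N root primary' (assumed IOS rule): set the
    priority to 24576 if that beats the current root, otherwise to 4096 below
    the current root's priority. Returns the priority chosen for `name`."""
    root_priority = switches[elect_root(switches)][0]
    if root_priority > 24576:
        new_priority = 24576
    elif root_priority >= 4096:
        new_priority = root_priority - 4096
    else:
        raise ValueError("current root already at the lowest usable priority")
    switches[name] = (new_priority, switches[name][1])
    return new_priority


def enable_uplinkfast(switches: dict, name: str) -> int:
    """UplinkFast raises the switch priority to 49152 so it will not become root."""
    switches[name] = (UPLINKFAST_PRIORITY, switches[name][1])
    return UPLINKFAST_PRIORITY


def campus_example() -> dict:
    """Constructed three-switch campus: with all priorities at the default the
    lowest MAC (the access switch) wins; root primary then moves the root to
    the core for that VLAN, and per-VLAN priorities pick different roots."""
    macs = {"CORE": "0019.5600.1234", "DIST": "0019.5600.00ab", "ACCESS": "0011.2100.0001"}
    switches = {n: (DEFAULT_PRIORITY, m) for n, m in macs.items()}
    before = elect_root(switches)
    core_priority = root_primary(switches, "CORE")
    enable_uplinkfast(switches, "ACCESS")
    return {"before": before, "core_priority": core_priority,
            "after": elect_root(switches),
            "per_vlan": pvst_roots(macs, {10: {"CORE": 4096}, 20: {"DIST": 4096}, 30: {}})}
```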
7 Advanced Optimization Options of Spanning Tree Protocol
By now we are well equipped with STP, so we turn to STP optimization techniques. STP optimization is
necessary for fast convergence times in the network, as the standard 4‐step convergence of STP can cause a lot
of havoc in a real‐time network. In this article we discuss STP PortFast, UplinkFast and BackboneFast.
7.1 PortFast:
When a switch powers up, or when some device is connected to a switch, STP immediately comes into action. In
the initial phase the port enters the spanning tree listening state. The listening state is a kind of network
topology exploration; it lasts for a certain time, and then the port transitions into the learning state. After the
STP forward delay timer expires, the port state changes into either blocking or forwarding. In a real‐time
network, most of the time we can't afford the switch port to transition through all these 4 stages. We want the
port to shift immediately into the forwarding state, once the link comes up, to avoid unnecessary packet delays
in the network. For this purpose we use the STP PortFast feature. Once PortFast is enabled on a switch/trunk
port, the port skips the listening and learning phases and immediately shifts into the forwarding state. So one
important point we need to remember is:
Only enable PortFast on end‐station ports, because it can create network loops if used carelessly (as it turns the
port into the forwarding state immediately)!
So that was easy? Yes it was; now we move towards a new, strange concept, UplinkFast.
7.2 UpLinkFast:
By using UplinkFast on a switch, fast convergence is achieved by creating uplink groups. Once a topology change
occurs, convergence is achieved using these uplink groups, which activate the redundant links (ports) instantly.
This redundancy is achieved without the hassle of passing the redundant link through all the STP transition
phases (i.e. listening, learning): within 1‐5 seconds the redundant link (port) is in the forwarding state. An uplink
group consists of the root port and a set of blocked ports; it provides the alternate path if the active root port
fails. Some points worth remembering about UplinkFast are:
∙ It cannot be configured on a root switch.
∙ When UplinkFast is enabled, it is enabled globally and for all VLANs residing on the switch.
∙ The designated port (root port) regains its status once the switch detects that the failed link has been
restored and is fully operational.
∙ The wait interval for the port to become the root port again is determined by: (2 x FwdDelay) + 5 seconds.
∙ UplinkFast takes immediate action to prevent the switch (on which it is enabled) from becoming the root
switch by changing the switch priority to 49,152, making it the last option in the network topology for
becoming the root switch.
I think that much theory is enough; now we will do some configurations to solidify our concepts. For our
example scenario we are using GNS3 and emulating a C2961 router as a switch.
For our scenario we will take the famous 3‐switch topology:
Suppose we want to enable PortFast on SW1 FastEthernet 1/5. First of all, we enter the FastEthernet 1/5
interface and then enable PortFast on it. The following commands illustrate it:
As we have enabled PortFast on our FastEthernet 1/5, in the next step we are going to enable UplinkFast on
SW3, as one of its ports is in the forwarding state and the other port is in the blocking state:
We can assign the SW3 FastEthernet1/0 port to our uplink group for fast convergence in our topology; we use
the following commands to enable UplinkFast on our switch:
We use the following command to check that our FastEthernet1/0 port has been added to the uplink port list:
Great! Our Fa1/0 port has been added to the uplink interface list, and the Bridge ID on SW3 has also changed
to 49152! That's it! We are done with our PortFast and UplinkFast configurations.
7.3 BackboneFast:
In order to detect indirect link failures and to optimize network convergence time, the BackboneFast feature
of STP is used. BackboneFast (BF, in short) is a CISCO proprietary feature. The term indirect link failure needs a
little explanation: a failure of a link which is not directly connected to the core switch is called an indirect
failure. This indirect link failure is detected by a switch when it receives inferior BPDUs! In order to understand
inferior and superior BPDUs, we take the following scenario:
Please note: f1/1 is in the Blocking state and f1/2 is in the Forwarding state
Suppose normal STP is running in the above topology. SW2 has been elected as our root bridge, and BPDUs are
continually being sent from SW2 to SW1 and SW3 every 2 seconds, since SW2 has the lowest Bridge ID and is
the root bridge. SW1 has the second lowest bridge ID.
Now imagine that the link between SW1 and SW2 goes down. As SW1 has the second lowest bridge ID and is
now disconnected from SW2, it proclaims itself the root bridge and begins to advertise that in its BPDUs,
sending BPDUs to SW3 telling it that SW1 has the lowest bridge ID and is the root! At the same time SW3 is also
receiving BPDUs from SW2, which claims in its BPDUs that it has the lowest priority and is the ultimate root
bridge. To clear this confusion, SW3 compares both BPDUs (SW1's and SW2's), quickly realizes that the BPDUs
from SW1 are inferior BPDUs and simply discards them. It only considers the superior BPDUs from SW2!
Once the Max Age timer expires on port f1/1 on SW3, it transitions into listening and, after a certain time,
begins to relay the superior BPDU data to SW1.
Now what role does BackboneFast play, if it is enabled on all these switches? BackboneFast minimizes this
Max Age timer interval. By enabling BackboneFast, the Max Age stage is skipped and the delay is reduced from
50 seconds to 30 seconds! It may not sound like a big deal, but in a live network such delay reduction at core
switches greatly optimizes network performance. All this magic is done by the switch using the Root Link
Query (RLQ) protocol once BackboneFast is enabled.
Please remember one important thing: BackboneFast is always enabled on core switches, and to make all
switches in a topology understand the RLQ protocol, BackboneFast must be enabled on all switches in that
topology!
The configuration of BackboneFast is quite simple. It is enabled globally from global configuration mode.
The commands to verify and configure BackboneFast are as follows:
7.4 Root Guard:
As the name suggests, in order to prevent any new switch from becoming the root, the Root Guard feature of
STP is enabled on the interface to which the new switch is going to be connected. Once Root Guard is enabled
on an interface, it discards all superior BPDUs coming into that port and moves the port into the Root‐
Inconsistent state; it keeps discarding superior BPDUs, and keeps the port in that state, until it stops receiving them.
Suppose in our above network topology we are going to connect a new switch to SW3 fa0/24. Root Guard is
enabled on SW3 fa0/24 as follows:
If our new switch sends any superior BPDU towards fa0/24 of SW3, it will be discarded and the port will be
moved into the Root‐Inconsistent state until such packets stop!
7.5 BPDU Guard:
In order to protect our network from loops, BPDU Guard is configured on all ports on which PortFast is enabled,
because someone can accidentally plug a switch into a PortFast-enabled interface and totally ruin our network
by creating loops. Once BPDU Guard is enabled on an interface, it discards any BPDU received, instantly shuts
the interface down and puts it into the err-disabled state.
To configure BPDU Guard on a specific interface, say SW1 fa0/5, we use the following commands:
To configure it on all ports, which must by default be running PortFast:
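As an added example that is not part of the original document, this is how Backbonefast (from the section above), Root Guard on SW3 fa0/24 and BPDU Guard on SW1 fa0/5 would be configured and verified on the three-switch topology; the err-disable recovery settings are an assumption of the example, not something the text prescribes.

```cisco
! Added example (not from the original document): Backbonefast, Root Guard and
! BPDU Guard on the three-switch topology. SW3 fa0/24 and SW1 fa0/5 are the
! ports named in the text; the recovery settings below are assumed.
!
! --- Backbonefast: must be enabled on EVERY switch in the topology ---
SW1(config)# spanning-tree backbonefast
SW2(config)# spanning-tree backbonefast
SW3(config)# spanning-tree backbonefast
SW3# show spanning-tree backbonefast
!
! --- Root Guard on SW3 fa0/24, where the new switch will be attached ---
SW3(config)# interface FastEthernet0/24
SW3(config-if)# spanning-tree guard root
! A superior BPDU arriving on fa0/24 is now dropped and the switch logs a
! message of the form
!   %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/24 on VLAN0001.
! The port is listed as root-inconsistent until the superior BPDUs stop:
SW3# show spanning-tree inconsistentports
!
! --- BPDU Guard on a single PortFast edge port, SW1 fa0/5 ---
SW1(config)# interface FastEthernet0/5
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
!
! --- BPDU Guard on all PortFast ports at once (global default) ---
SW1(config)# spanning-tree portfast bpduguard default
!
! --- Assumed: let err-disabled ports recover after 5 minutes, so an
!     accidental switch plug-in does not need a manual shut / no shut ---
SW1(config)# errdisable recovery cause bpduguard
SW1(config)# errdisable recovery interval 300
!
! --- Verification ---
SW1# show spanning-tree summary
SW1# show interfaces status err-disabled
SW1# show errdisable recovery
```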
8 UDLD (Unidirectional Link Detection)
Just imagine you have connected two switches over fiber optic media and suddenly the network is congested,
and after some time the whole system goes down. So what happened? On fiber optic media it is possible that
two-way communication on the link fails: the link can transmit data in one direction but cannot communicate
in the reverse direction. Such a condition can cause loops in the network and totally ruin our day. In order to
detect this unidirectional behaviour of the link, we use the UDLD (Unidirectional Link Detection) protocol,
which avoids loops in our network by instantly disabling the loop-creating interfaces.
The UDLD algorithm is quite simple. Echoes are exchanged between the connected interfaces (UDLD has to be
enabled on both interfaces), and if either interface does not get an echo back within a certain amount of time,
the interface status is changed according to the UDLD mode applied. There are two UDLD modes:
In UDLD normal mode, once unidirectionality of the link is detected, the port is changed into an unknown state
instead of being disabled. UDLD marks the port with an unknown state and generates a system-level log
message.
In UDLD aggressive mode, as the name suggests, UDLD aggressively tries 8 times to re-establish the
connection; if all attempts are in vain, the port is changed into the err-disabled state by the UDLD algorithm
and then we need to re-enable it manually.
The preferred choice for most network engineers is UDLD aggressive mode.
UDLD configuration is quite simple. To implement UDLD normal mode, we use the following commands:
Switch(config)# interface FastEthernet 0/13
Switch(config-if)# udld port
The thing to remember is that UDLD must be enabled on both sides of the link, because if it is not enabled on
one side, the local switch cannot communicate with the remote switch using UDLD. One handy command to
check UDLD in action is the debug udld events command. It shows all the activity in the form of syslog
messages in case of a link failure.
Don’t keep running debug commands on a production network, as it can cause havoc!
The aggressive mode of UDLD can be implemented as follows:
Switch(config)# interface FastEthernet 0/13
Switch(config-if)# udld port aggressive
To check the UDLD status, we can simply issue the show udld <interface> command; it shows all the information
regarding the UDLD protocol, such as the link's operational status and its current bidirectional state!
9 Loop Guard
We have had a discussion on Root Guard and BPDU Guard, and now Loop Guard! Why do we need Loop Guard
and how is it used?
Unidirectional Link Detection (UDLD) and Loop Guard prevent a switch trunk port from entering a loop. Both
features prohibit switch ports from mistakenly changing state from blocking to forwarding when a
unidirectional link is present in the network. We discussed unidirectional link detection in detail in the previous
article, and it's time to discuss Loop Guard; both protocols are used in conjunction with each other.
When Loop Guard is enabled globally on the switches and normal BPDUs are not being received, the switch port
does not follow the normal Spanning Tree Protocol (STP) convergence process but enters an STP
loop-inconsistent state. Suppose we have our famous three-switch topology:
All three switches are in continuous coordination with each other. SW3 is receiving BPDUs from SW2 and SW1.
In this topology the SW3 interface facing SW2 is in the BLK state and all other interfaces are in the FWD state.
Suppose a unidirectional link condition arises in which SW3 can communicate with SW2 but not vice versa. In
such a condition the SW3 BLK interface waits for BPDUs from SW2 until the Max Age timer on that port expires.
Once the timer expires with no BPDU received from SW2 (as the link is unidirectional), SW3 transitions its
interface to the forwarding state, so all six interfaces in the topology are now in the FWD state, creating an
STP loop.
In order to prevent such loops in a network, the Loop Guard feature of spanning tree is used. If Loop Guard is
enabled on the SW3 interface facing SW2, it puts the interface into the loop-inconsistent state until the link
issue is resolved and SW3 is able to receive BPDUs from SW2 again.
The Loop Guard configuration is quite simple; we can enable it on a single port or enable it globally using the
following commands:
Switch-2(config)# interface FastEthernet 0/5
Switch-2(config-if)# spanning-tree guard loop
Switch-1(config)# spanning-tree loopguard default
The first two commands, on Switch-2 in interface configuration mode, enable Loop Guard only on FastEthernet
0/5, which is connected to Switch-1, while the command in global configuration mode on Switch-1 enables
Loop Guard globally.
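The UDLD section and the Loop Guard section above both describe protecting the SW3 to SW2 link of the three-switch scenario; the following is an added configuration example, not from the original document, that applies both features to that link together with verification. It assumes the link uses port fa0/2 on SW3 and fa0/3 on SW2, which the text does not name.

```cisco
! Added example (not from the original document): Loop Guard together with UDLD
! aggressive mode on the SW3 <-> SW2 link from the three-switch scenario.
! Port numbers (SW3 fa0/2, SW2 fa0/3) are assumed; the text does not name them.
!
! --- SW3: the port facing SW2 is the blocking (BLK) port that would wrongly
!     move to FWD when BPDUs stop arriving over a unidirectional link ---
SW3(config)# interface FastEthernet0/2
SW3(config-if)# spanning-tree guard loop
SW3(config-if)# udld port aggressive
!
! --- SW2: UDLD must run on BOTH ends of the link, otherwise the local switch
!     cannot exchange UDLD echoes with its neighbour ---
SW2(config)# interface FastEthernet0/3
SW2(config-if)# udld port aggressive
!
! --- Alternatively enable both features switch-wide. Global Loop Guard covers
!     all point-to-point ports; global UDLD covers fiber ports only, so copper
!     ports still need the per-interface 'udld port' command ---
SW3(config)# spanning-tree loopguard default
SW3(config)# udld aggressive
!
! --- Assumed: let UDLD err-disabled ports recover on their own once the link
!     is repaired (the recovery interval defaults to 300 seconds) ---
SW3(config)# errdisable recovery cause udld
!
! --- Verification ---
! Loop Guard: the port is listed as loop-inconsistent while BPDUs are missing
SW3# show spanning-tree inconsistentports
! UDLD: operational status and bidirectional state of the link
SW3# show udld FastEthernet0/2
SW3# show interfaces status err-disabled
```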