STP Protection Mechanism Summary
STP Protection Mechanism
- Root Guard
- Portfast
- BPDU Guard
- BPDU Filter
- Loop Guard
- UDLD
Why L2 forwarding loops occur
- STP disabled on a switch
- A misconfigured load balancer
- A misconfigured virtual switch
Root guard
- it prevents a configured port from becoming a root port, i.e. a switch on the far side of that port can never be elected root bridge; when a superior BPDU arrives the port goes into the root-inconsistent state and stays blocked until the superior BPDUs stop
- root guard is placed on designated ports facing switches that should never become the root bridge
Portfast
- disables TCN generation for access ports, so a host link flapping no longer triggers MAC-table flushing across the STP domain
- an access port bypasses the 802.1D listening and learning states and starts forwarding traffic immediately
- beneficial for DHCP and PXE clients, which can time out during the ~30-second listening/learning delay (2 x forward delay of 15 s)
- if a BPDU is received on a PortFast-enabled port, PortFast functionality is removed and the port progresses through the normal listening and learning states
BPDU Guard
- puts a PortFast-enabled port into the ErrDisabled state upon receipt of a BPDU; the port stays down until an operator does shutdown / no shutdown or errdisable recovery re-enables it
BPDU Filter
- blocks BPDUs: enabled per interface, the port neither sends nor processes BPDUs
- the port then operates without participating in STP (Spanning Tree Protocol) at all
- loops occur because, once BPDU filter is enabled on a per-port basis, STP no longer works on that port, so the port is never blocked even if a redundant path exists behind it
- also, a PortFast-enabled port goes to forwarding immediately, so applying BPDU filter there makes bypassing STP even more likely; the loop is never detected and a broadcast storm can follow
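The following Cisco IOS configuration is an added example, not part of the original notes: it applies Root Guard, PortFast and BPDU Guard as described above and shows the weak per-interface BPDU filter setting beside the safer global form. Interface names and VLAN numbers are assumptions chosen for illustration.

```cisco
! Added example (not from the original notes). Access-switch hardening for
! the STP protection features described above. Interface names and VLAN
! numbers are assumptions chosen for illustration.
spanning-tree mode rapid-pvst
!
! Global defaults: every access port gets PortFast, and a PortFast port that
! receives a BPDU is err-disabled (BPDU Guard) instead of rejoining STP.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Let a BPDU-guarded port come back by itself after 5 minutes; otherwise an
! operator has to clear it with "shutdown" / "no shutdown".
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Access ports toward end hosts (DHCP/PXE clients benefit from forwarding
! immediately instead of waiting out listening and learning).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Designated port toward a switch that must never become root (a downstream
! access switch). A superior BPDU arriving here puts the port into the
! root-inconsistent state instead of turning it into a root port.
interface GigabitEthernet1/0/25
 switchport mode trunk
 spanning-tree guard root
!
! WEAK SETTING, left commented out as the counter-example: the per-interface
! BPDU filter stops sending and processing BPDUs, so a cable looped back
! behind this port is never blocked by STP.
!interface GigabitEthernet1/0/26
! spanning-tree bpdufilter enable
!
! Safer form if BPDUs toward hosts really must be suppressed: the global
! default applies only to PortFast ports, sends a few BPDUs at link-up, and
! removes both PortFast and the filter if a BPDU is ever received, so the
! port falls back to normal STP handling instead of staying unprotected.
spanning-tree portfast bpdufilter default
```

To check the result, "show spanning-tree summary" reports the PortFast, BPDU Guard and BPDU Filter defaults in effect, "show spanning-tree inconsistentports" lists ports held in root-inconsistent state, and "show interfaces status err-disabled" lists ports shut down by BPDU Guard.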
Problems with Unidirectional Links
- the interface still shows a line-protocol up state, but one strand of the fiber pair is broken, so the BPDUs sent by the upstream switch never arrive at the downstream switch
- the downstream switch eventually times out the existing root port (max age, 20 s by default) and identifies a different port as the root port, unblocking what used to be the alternate port
- traffic is then received on the new root port and forwarded out the strand that is still working, thereby creating a forwarding loop
STP loop guard
- prevents any alternate or root ports from becoming designated ports (ports toward downstream switches) due to loss of BPDUs on the root port
- when BPDU reception stops on such a port, loop guard moves it into the loop-inconsistent (blocking) state instead of forwarding, preventing the loop; the port recovers automatically once BPDUs are received again
- it is important to note that loop guard should not be enabled on PortFast-enabled ports (because it directly conflicts with the root/alternate port logic), and loop guard and root guard cannot both be enabled on the same port
UDLD(Unidirectional Link Detection)
- allows bidirectional monitoring of fiber-optic cables (and, when enabled per interface, copper links)
- UDLD packets include the system ID and port ID of the interface transmitting them
- the receiving device echoes them back, together with its own system ID and port ID, to the originating device
- Normal:
  - if no echo comes back, the port state is marked undetermined but the port remains active (informational only)
- Aggressive:
  - if the echoes stop, the device tries to re-establish the link by sending another 8 packets at 1-second intervals; if there is still no reply, the port is put into the err-disabled state
Relationship between unidirectional links, Loop Guard and UDLD
- a unidirectional link is up but can only forward in one direction, so Loop Guard and UDLD are used to prevent the problems this can cause
- Loop Guard
  - a root/alternate port that stops receiving BPDUs stays blocked (loop-inconsistent) even after the max-age timer expires
- UDLD
  - both devices exchange UDLD messages and check whether the peer replies; if there is no reply, the port is blocked with err-disable
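The following Cisco IOS configuration is an added example, not part of the original notes: it combines loop guard and UDLD aggressive on the fiber uplinks of a downstream switch, which is the unidirectional-link scenario described in the sections above. Interface names and descriptions are assumptions chosen for illustration.

```cisco
! Added example (not from the original notes). Uplink hardening of a
! downstream switch against unidirectional links, using loop guard and
! UDLD aggressive together. Interface names are assumptions.
!
! Loop guard on every non-designated port: a root/alternate port that stops
! receiving BPDUs goes to loop-inconsistent (blocking) instead of forwarding.
spanning-tree loopguard default
!
! UDLD aggressive at global level covers all fiber ports; copper ports need
! the per-interface form below.
udld aggressive
!
! Let a port err-disabled by UDLD recover by itself once the fiber is fixed.
errdisable recovery cause udld
errdisable recovery interval 300
!
! Uplinks to the distribution layer: one becomes the root port, the other
! the alternate port. Loop guard keeps the alternate port blocked if BPDUs
! stop; UDLD aggressive err-disables the port if the echo exchange fails.
interface range TenGigabitEthernet1/1/1 - 2
 description uplink to distribution (fiber)
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! Loop guard must not be applied to PortFast edge ports, so the global
! loopguard default is overridden on host-facing ports. "guard none" is also
! what you use where root guard is wanted instead, since loop guard and root
! guard cannot share a port.
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree guard none
```

To verify, "show spanning-tree inconsistentports" lists ports held in loop-inconsistent state, "show udld neighbors" shows which uplinks have a bidirectional UDLD neighbor, "show udld TenGigabitEthernet1/1/1" shows the per-port UDLD mode and state, and "show interfaces status err-disabled" shows ports that UDLD aggressive has shut down. Loop guard only reacts once STP stops seeing BPDUs, while UDLD detects the broken strand at the link level (and also miswired fibers), which is why the two are used together rather than as alternatives.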