Configuring Optional Spanning-Tree Features


This chapter describes how to configure optional spanning-tree features on the Cisco ME 3400E Ethernet Access switch. You can configure all of these features when your switch is running per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. On the Cisco ME switch, STP is enabled by default on network node interfaces (NNIs). It is disabled by default, but can be enabled, on enhanced network interfaces (ENIs). User network interfaces (UNIs) on the switch do not participate in STP. UNIs and ENIs on which STP is not enabled immediately forward traffic when they are brought up.

For information on configuring the PVST+ and rapid PVST+, see Chapter 15, "Configuring STP." For information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance, see Chapter 16, "Configuring MSTP."


Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.


Understanding Optional Spanning-Tree Features

Configuring Optional Spanning-Tree Features

Displaying the Spanning-Tree Status

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Understanding BPDU Guard

Understanding BPDU Filtering

Understanding EtherChannel Guard

Understanding Root Guard

Understanding Loop Guard

Understanding Port Fast

Port Fast immediately brings an STP port configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.


Note By default, STP is enabled on NNIs and disabled on ENIs. UNIs do not support STP. If a port is a UNI, you can configure it as an STP port by changing the port type to NNI or ENI and entering the port-type {nni | eni} interface configuration command. For ENIs, you then need to enter the spanning-tree interface configuration command to configure the port as an STP port.


You can use Port Fast on STP ports connected to a single workstation or server, as shown in Figure 17-1, to allow those devices to immediately connect to the network, rather than waiting for the spanning tree to converge.

STP ports connected to a single workstation or server should not receive bridge protocol data units (BPDUs). An STP port with Port Fast enabled goes through the normal cycle of spanning-tree status changes when the switch is restarted.


Note Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge, it is effective only when used on STP ports connected to end stations. If you enable Port Fast on an interface connecting to another switch, you risk creating a spanning-tree loop.


UNIs are typically customer-facing ports and do not participate in the spanning tree of the service provider. However, if you configure a customer-facing port as an ENI and enable spanning tree, the ENI could become the spanning tree root port unless you configure root guard on the port. See the "Understanding Root Guard" section. A customer-facing ENI with STP enabled participates in the same spanning tree as the service-provider facing NNI.


Note Exercise caution when enabling STP on a customer-facing ENI.


You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command.

Figure 17-1 Port Fast-Enabled Interfaces

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you enable BPDU guard on Port Fast-enabled STP ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down STP ports that are in a Port Fast-operational state if any BPDU is received on those ports. In a valid configuration, Port Fast-enabled STP ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the interface in the error-disabled state.

At the interface level, you enable BPDU guard on any STP port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the STP port receives a BPDU, it is put in the error-disabled state.

The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.

You can enable the BPDU guard feature for the entire switch or for an interface.

Understanding BPDU Filtering

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you can enable BPDU filtering on Port Fast-enabled STP ports by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. If a BPDU is received on a Port Fast-enabled STP port, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

At the interface level, you can enable BPDU filtering on any STP port by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.


Caution Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in spanning-tree loops.

You can enable the BPDU filtering feature for the entire switch or for an STP port.

Understanding EtherChannel Guard

You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch STP ports are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel. For EtherChannel configuration guidelines, see the "EtherChannel Configuration Guidelines" section on page 35-10.

If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch STP ports in the error-disabled state, and displays an error message.

You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 17-2. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer's network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer's switch from becoming the root switch or being in the path to the root.

If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch. The customer's switch does not become the root switch and is not in the path to the root.

If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an 802.1D switch or a switch with a different MST region configuration.

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be grouped and mapped to an MST instance.

You can enable this feature by using the spanning-tree guard root interface configuration command.


Caution Misuse of the root-guard feature can cause a loss of connectivity.

Figure 17-2 Root Guard in a Service-Provider Network

Understanding Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

You can enable this feature by using the spanning-tree loopguard default global configuration command.

When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.

Configuring Optional Spanning-Tree Features

Default Optional Spanning-Tree Configuration

Optional Spanning-Tree Configuration Guidelines

Enabling Port Fast (optional)

Enabling BPDU Guard (optional)

Enabling BPDU Filtering (optional)

Enabling EtherChannel Guard (optional)

Enabling Root Guard (optional)

Enabling Loop Guard (optional)

Default Optional Spanning-Tree Configuration

Table 17-1 shows the default optional spanning-tree configuration. Only NNIs or ENIs with STP enabled participate in STP on the switch. UNIs and ENIs that have not been configured for STP are always in the forwarding state.

Table 17-1 Default Optional Spanning-Tree Configuration 

Feature
Default Setting

Port Fast, BPDU filtering, BPDU guard

Globally disabled (unless they are individually configured per STP port).

EtherChannel guard

Globally enabled.

Root guard

Disabled on all STP ports.

Loop guard

Disabled on all STP ports.


Optional Spanning-Tree Configuration Guidelines

You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP.

Optional spanning-tree configuration commands are not supported on UNIs or on ENIs on which STP has not been enabled.

Enabling Port Fast

An STP port with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay.


Caution Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network, which could cause broadcast storms and address-learning problems.

You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify an STP interface to configure, and enter interface configuration mode.

If the interface is a UNI, before you enable Port Fast, you must change the port type to NNI or ENI to enable STP:

Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default.

Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port.

Step 3 

spanning-tree portfast [trunk]

Enable Port Fast on an access port connected to a single workstation or server. By specifying the trunk keyword, you can enable Port Fast on a trunk port.

Note To enable Port Fast on trunk ports, you must use the spanning-tree portfast trunk interface configuration command. The spanning-tree portfast command does not work on trunk ports.


Caution Make sure that there are no loops in the network between the trunk port and the workstation or server before you enable Port Fast on a trunk port.

By default, Port Fast is disabled on all STP ports.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show spanning-tree interface interface-id portfast

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.


Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking STP ports.


To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.

Enabling BPDU Guard

When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree continues to run on the ports. They remain up unless they receive a BPDU.

In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled interface signals an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the interface in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.


Caution Configure Port Fast only on STP ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.

You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any STP port without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.

You can enable the BPDU guard feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU guard feature. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

spanning-tree portfast bpduguard default

Globally enable BPDU guard. (By default, BPDU guard is disabled.)

Note Globally enabling BPDU guard enables it only on STP ports; the command has no effect on ports that are not running STP.

Step 3 

interface interface-id

Specify the interface connected to an end station, and enter interface configuration mode.

If the interface is a UNI, before you enable Port Fast, you must change the port type to NNI or ENI to enable STP:

Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default.

Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port.

Step 4 

spanning-tree portfast

Enable the Port Fast feature.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show running-config

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command.

You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command on an STP port.

Enabling BPDU Filtering

When you globally enable BPDU filtering on Port Fast-enabled STP ports, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled STP port, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.


Caution Configure Port Fast only on STP ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any STP port without also enabling the Port Fast feature. This command prevents the STP port from sending or receiving BPDUs.


Caution Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in spanning-tree loops.

You can enable the BPDU filtering feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

spanning-tree portfast bpdufilter default

Globally enable BPDU filtering. (By default, BPDU filtering is disabled.)

Note Globally enabling BPDU filtering enables it only on STP ports; the command has no effect on UNIs or ENIs on which STP is not enabled.

Step 3 

interface interface-id

Specify the interface connected to an end station, and enter interface configuration mode.

If the interface is a UNI, before you enable Port Fast, you must change the port type to NNI or ENI to enable STP:

Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default.

Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port.

Step 4 

spanning-tree portfast

Enable the Port Fast feature.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show running-config

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command.

You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command on an STP port.

Enabling EtherChannel Guard

You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

spanning-tree etherchannel guard misconfig

Enable EtherChannel guard.

Step 3 

end

Return to privileged EXEC mode.

Step 4 

show spanning-tree summary

Verify your entries.

Step 5 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable the EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration command.

You can use the show interfaces status err-disabled privileged EXEC command to show which switch STP ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.

After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.

Enabling Root Guard

Root guard enabled on an STP port applies to all the VLANs to which the port belongs.


Note You cannot enable both root guard and loop guard at the same time.


You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to enable root guard on an interface. This procedure is optional.

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify an interface to configure, and enter interface configuration mode.

If the interface is a UNI, before you enable root guard, you must change the port type to NNI or ENI to enable STP:

Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default.

Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port.

Step 3 

spanning-tree guard root

Enable root guard on the STP port.

By default, root guard is disabled on all interfaces.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show running-config

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable root guard, use the no spanning-tree guard interface configuration command.

Enabling Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop guard operates only on STP ports that are considered point-to-point by the spanning tree.


Note You cannot enable both loop guard and root guard at the same time.


You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.

 
Command
Purpose

Step 1 

show spanning-tree active

or

show spanning-tree mst

Verify which interfaces are alternate or root ports.

Step 2 

configure terminal

Enter global configuration mode.

Step 3 

spanning-tree loopguard default

Enable loop guard. By default, loop guard is disabled.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show running-config

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To globally disable loop guard, use the no spanning-tree loopguard default global configuration command. You can override the setting of the no spanning-tree loopguard default global configuration command by using the spanning-tree guard loop interface configuration command on an NNI.

Displaying the Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 17-2:

Table 17-2 Commands for Displaying the Spanning-Tree Status 

Command
Purpose

show spanning-tree active

Displays spanning-tree information on active interfaces only.

show spanning-tree detail

Displays a detailed summary of interface information.

show spanning-tree interface interface-id

Displays spanning-tree information for the specified interface.

show spanning-tree mst interface interface-id

Displays MST information for the specified interface.

show spanning-tree summary [totals]

Displays a summary of interface states or displays the total lines of the spanning-tree state section.


You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command.

For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.