Dell EMC SmartFabric OS10 User Guide Release 10.5.1

STP extensions provide a means to ensure efficient network convergence by securely enforcing the active network topology. OS10 supports BPDU filtering, BPDU guard, root guard, and loop guard STP extensions.

The system discards regular data traffic after a BPDU violation.

BPDU filtering

Stops sending or receiving BPDUs from a faulty device, there by protecting the network from unexpected flooding of BPDUs. Enabling BPDU Filtering on an interface causes the system to stop sending or receiving BPDUs.

BPDU guard

Blocks the L2 bridged ports and LAG ports connected to end hosts and servers from receiving any BPDUs. When you enable BPDU guard and when the BPDU frames are being received on the interface, the bridge or LAG is placed in the blocking state. In case of a LAG, ports are either STP blocked or shutdown based on the error disable command action. The data traffic is dropped but the port continues to forward BPDUs to the CPU that are later dropped. To prevent further reception of BPDUs, configure a port to shut down using the error disable command. For more information on this command.

Root guard

Preserves the root bridge position during network transitions. STP selects the root bridge with the lowest priority value. During network transitions, another bridge with a lower priority may attempt to become the root bridge and cause unpredictable network behavior. To avoid such an attempt and to preserve the position of the root bridge, configure the spanning-tree guard root command. This configuration places the port in an inconsistent state if the port receives superior BPDU. Root guard is enabled only on designated ports. The root guard configuration applies to all VLANs configured on the port.

Loop guard

Prevents L2 forwarding loops caused by a cable or interface hardware failure. When a hardware failure occurs, a participating spanning-tree link becomes unidirectional and the port stops receiving BPDUs. When the blocked port stops receiving BPDUs, it transitions to a Forwarding state causing spanning-tree loops in the network. Enable loop guard using the spanning-tree guard loop command on an interface so that it transitions to the Loop-Inconsistent state until it receives BPDUs. After BPDUs are received, the port moves out of the Loop-Inconsistent or Blocking state and transitions to an appropriate state determined by STP. Enabling loop guard on a per-port basis enables it on all VLANs configured on the port.

1. Enable spanning-tree BPDU filter in INTERFACE mode.

   spanning-tree bpdufilter enable

2. Enable STP BPDU guard in INTERFACE mode.

   spanning-tree bpduguard enable

   BPDU guard violation causes the system to perform the following actions in the port channel:

   • The interface and all member ports are disabled in the hardware.
   • When the port is added to the port channel that is in the Error Disable state, the new member port is disabled in the hardware.
   • When the port is removed from the port channel that is in the Error Disable state, the system clears the Error_Disabled state on the physical port and enables it in the hardware.

   To clear the Error Disabled state:

   • Use the shutdown command on the interface.
   • Use the spanning-tree bpduguard disable command to disable the BPDU guard on the interface.
   • Use the spanning-tree disable command to disable STP on the interface.
3. Set the guard types to avoid loops in INTERFACE mode.

   spanning-tree guard {loop | root | none}

   • loop — Set the guard type to loop.
   • root — Set the guard type to root.
   • none — Set the guard type to none.
   Port enabled with loop guard conditions
   • Loop guard is supported on any STP-enabled port or port-channel interface.
   • You cannot enable root guard and loop guard at the same time on an STP port. The loop guard configuration overwrites an existing root guard configuration and vice versa.
   • Enabling BPDU guard and loop guard at the same time on a port results in a port that remains in blocking state and prevents traffic from flowing through it. For example, when you configure both Portfast BPDU guard and loop guard:
     • If a BPDU is received from a remote device, BPDU guard places the port in the Err-Disabled Blocking state and no traffic forwards on the port.
     • If no BPDU is received from a remote device which was sending BPDUs, loop guard places the port in the Loop-Inconsistent Blocking state and no traffic forwards on the port.
   • When used in a Rapid-PVST network, STP loop guard performs per-port or per port-channel at a VLAN level. If no BPDUs are received on a port-channel interface, the port or port-channel transitions to a Loop-Inconsistent or Blocking state only for this VLAN.

BPDU filter

os10(conf-if-eth1/1/7)# spanning-tree bpdufilter enable
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-violation: No
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface                                                 Designated
Name              PortID    Prio   Cost   Sts     Cost    Bridge ID                PortID
-------------------------------------------------------------------------------------------
ethernet1/1/7     128.56    128    500    FWD     500     32769    90b1.1cf4.a625  128.56

BPDU guard

os10(config)# interface ethernet 1/1/7
os10(conf-if-eth1/1/7)# spanning-tree bpduguard enable
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-violation: Yes
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface                                                  Designated
Name              PortID    Prio   Cost   Sts     Cost     Bridge ID                PortID
---------------------------------------------------------------------------------------------
ethernet1/1/7     128.56    128    500    FWD     500      32769    90b1.1cf4.a625  128.56

Loop guard

OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# spanning-tree guard loop
OS10(conf-if-eth1/1/4)# do show spanning-tree interface ethernet 1/1/4
ethernet1/1/4 of vlan1 is root Forwarding
Edge port:no (default) port guard :none (default)
Link type is point-to-point (auto)
Boundary: NO  bpdu filter : bpdu guard :  bpduguard shutdown-on-
violation :disable  RootGuard:  disable LoopGuard  enable
Bpdus (MRecords) sent 7, received 20
Interface                                                 Designated
Name           PortID  Prio  Cost Sts  Cost Bridge ID           PortID
-------------------------------------------------------------------------
ethernet1/1/4  128.272 128   500  FWD  0    32769    90b1.1cf4.9d3b 128.272

Root guard

os10(conf-if-eth1/1/7)# spanning-tree guard root
os10(conf-if-eth1/1/7)# do show spanning-tree interface ethernet 1/1/7
ethernet1/1/7 of vlan 1 is Designated Forwarding
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-violation: Yes
Root-Guard: Enable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface                                                   Designated
Name              PortID    Prio   Cost   Sts     Cost      Bridge ID                PortID
---------------------------------------------------------------------------------------------
ethernet1/1/7     128.56    128    500    FWD     500       32769    90b1.1cf4.a625  128.56