139 IPExpert Advanced Spanning Tree Features: LoopGuard

Captions
Spanning-tree loop guard is a Cisco security-related enhancement to the traditional spanning tree. It is designed to prevent loops in a case where the BPDUs are suddenly lost. What I mean by that is that in normal operation in our network, ports that are designated ports are going to be forwarding the BPDUs sent by the root. The downstream ports, the root ports on the downstream switches, are going to be receiving these BPDUs and are going to be treating their ports either as root ports, in this case, or, in a case where this is not the best path to reach the root, these ports are going to transition into the blocking state. What maintains this state, either the root port or the blocking port, is the presence of the BPDUs coming from the upstream switch. If these BPDUs were to suddenly stop arriving, these ports, the root ports, may become designated ports, or the blocking ports may become designated ports as well. In a case where a root port transitions to become a designated port we don't have much danger, because this port was forwarding to begin with. But if the blocking port was to change state to forwarding while the upstream port was still operational, and just for some reason we were not receiving the BPDUs being sent by it, or they may be filtered by the upstream port, we are running the danger of creating a loop in our network. So the absence of BPDUs may signal a problem in our network, and loop guard is the feature designed to prevent this particular thing from happening.

Now I should point out that loop guard is a very, very complex feature; it takes many things into account. From a configuration perspective it is very simple to configure: we can configure it either on a per-port basis or we can enable it globally, which turns it on on all the ports on the switch. But the ports on which this feature is actually going to be enabled are only non-designated ports that are already receiving superior BPDUs. That means that if a port is transitioning from a disabled state, say going from shutdown and we simply typed no shutdown, and we are not getting any BPDUs from the downstream device, whatever it may be, we are not going to transition this port into the blocking state. Why? Because we haven't received any BPDUs, any superior BPDUs, to compare to what we have. Also, if the device on the other side is sending BPDUs that are inferior to the copy of the BPDU that we have from the switch that is root in our network, we are also not going to block this port, because we are receiving inferior BPDUs; the poor guy on the other side doesn't know who the root is, and we had better tell him that by forwarding our own BPDUs. Also, this feature, loop guard, is mutually exclusive with root guard.

To do that I'm going to switch to my whiteboard and look at the example network. Again I'm going to be using just three switches: I'm going to have Cat1, Cat2 and Cat3. In this setup Cat1 will be configured as the root, and the switches are going to be interconnected in a triangle like this. This is going to be Gigabit 0/1 on both sides here, this is going to be FastEthernet 0/22 and this here is going to be FastEthernet 0/20. Given this topology, this port will be a designated port, this port will be designated, these two ports will be the root ports, this would be a designated port and this one here will be the blocking port. The good candidate in this network for the loop guard feature would be this port here: we want to prevent this port from transitioning into the forwarding state if this port here is up but we are not receiving BPDUs from the other side. But as you will see, actually replicating this is going to get a little bit involved because of all those complex requirements for loop guard to become active. Let me show you what I mean.

In the first example here, what I'm going to do is start by enabling loop guard on FastEthernet 0/20 on Cat3, and then I'm simply going to shut this link down on either Cat2 or Cat1, and I want to see what's going to happen. Before I do that I'm going to enable a simple debug process on Cat3; I'm going to say debug spanning-tree events. This will show me when ports transition between states or when I start receiving inferior BPDUs from somewhere. As I can see, in normal operation this command is going to be relatively silent. The next thing I'm going to do is go to interface FastEthernet 0/20 and say spanning-tree guard loop. Now I have turned on loop guard on this port. I can confirm that if I run show spanning-tree interface FastEthernet 0/20 detail; I will see here that loop guard is enabled on this port. Now I'm going to go to Cat2 and I'm going to shut the link down between Cat1 and Cat2. When I do this, on Cat3 I'm going to start hearing inferior BPDUs. Now, loop guard has been enabled on this port, and this port, FastEthernet 0/20, was in a blocking state before this operation, but if I do show spanning-tree now I will see that this port is actually now transitioning to the listening and learning phases and is going to become a designated port in a forwarding state in the end. So loop guard in this particular scenario really didn't do anything. Why didn't it do anything? Because when this link went down, Cat2 lost its own superior BPDUs, and because this was a direct failure of the link, that happens immediately: Cat2 immediately runs its own local root election, determines that it is the root and starts sending its own BPDUs. This port here therefore did not experience a sudden loss of BPDUs, and therefore loop guard won't kick in in this case.

The next example is also going to be an interesting one. What I'm going to have here is loop guard enabled on FastEthernet 0/20 just as I had before, but on Cat2 I'm simply going to turn off spanning tree. What is this going to do to my network? Now remember that this port here was the root port and this port here was blocking. With this change, the BPDUs that are arriving from Cat1 are going to be arriving normally, but the BPDUs that are being sent towards Cat2 are not going to be flooded by Cat2 adding its own cost and changing the sender ID to its own addresses; instead they are going to be switched out with the original parameters, as they were when they were sent by Cat1. Now when these two frames arrive at Cat3, what's going to happen is that these port roles are going to be reversed. Why? Because this is going to have the same root ID, it is going to have the same sender ID, which means that we have to go down to the actual port ID to determine which one of these is the superior BPDU, and the gigabit interface will actually win over FastEthernet 0/22. So what we should have here is a reversal of roles: this is going to become a blocking port and this one here is going to become the root port. Let's take a look at that. I'm going to go to my terminal and just confirm that this is actually the state. Now I have two interfaces: FastEthernet 0/20 is blocking and FastEthernet 0/22 is forwarding. I can also confirm that FastEthernet 0/20 has loop guard enabled right here, and I'm going to confirm that my debug is still running. Now I'm going to go to Cat2 and say no spanning-tree vlan 1. Let's go to Cat3 and see what is happening. I can see immediately that FastEthernet 0/20 is now transitioning into the listening phase because it is receiving a superior BPDU, and FastEthernet 0/22 moved into the blocking state. So if I repeat my show spanning-tree here, I indeed see that the roles have been reversed.

Now let's try to make our loop guard actually do something in our network. To do that I'm simply going to shut the link down between Cat1 and Cat2. Now remember, I am receiving superior BPDUs here from Cat2, and with this link being shut down and spanning tree being turned off on Cat2, I'm going to have a sudden loss of BPDUs, but it will take 20 seconds for this to be detected, because this is an indirect failure: we have to wait for the max-age timer to expire. So I'm going to go to Cat2, say interface gigabit 0/1 and shut it down. Let's see what happens. Remember we have to wait for about 20 seconds, so I'm just going to do show spanning-tree now and see what is happening: FastEthernet 0/20 is still the root port, it doesn't know that the BPDUs are not around. Well, actually the timer is running, and now this is what we have: we got the topology change notice on FastEthernet 0/20, but the important message is this one here: loop guard has actually blocked this port. Why? Because the BPDUs suddenly disappeared. Let me turn off the debug and let's take a look at more details. I'm going to do show spanning-tree inconsistentports, and I'm going to see that FastEthernet 0/20 is now in a loop-inconsistent state. How can I recover from a loop-inconsistent state? Well, in this scenario there are two ways. One is simply to either enable the link between Cat1 and Cat2 or turn on spanning tree on Cat2; I just need to receive a single BPDU from Cat2. If I receive a single BPDU, this loop inconsistency will be cleared. But what if that was not an option? Well, one of the things that I can do is go to FastEthernet 0/20, which is being blocked anyway. If I do show spanning-tree, I'm going to see that it is in a loop-inconsistent state; there is no traffic going on here, so what I can do is simply shut it down. Now when I shut down this port and then do no shutdown, what's going to happen is that when this port comes up it's going to transition from the disabled state into becoming a designated port. If I do show spanning-tree now I will see that the port now operates normally. Why? Because when we shut down the port we are going to clear out all the errors that existed on this port as far as loop inconsistency goes. When we transition the port up, the port is going to listen for incoming BPDUs; if there are no incoming BPDUs, it is going to assume that on the other side there is no switch, and we can transition normally to becoming a designated port.

The important thing that I would like you to note in this example is that it was the root port that was being affected. But can loop guard actually protect the port that is blocking from transitioning into a designated port role? Yes it can, but actually producing this is a little bit involved. Now let me be absolutely clear and say that actually reproducing this is very, very easy, but actually testing this particular behavior is going to be involved, for one reason. Let me try to give you an example. So, a quick reminder: loop guard is turned on on this port. How can I create a sudden loss of BPDUs here while keeping this port in a blocking state? Well, one of the things that I could do is shut this link down and turn off spanning tree on this switch here, but no matter in which order I do this, this port is going to transition into some different state. Why? If I start by shutting this link down, remember what's going to immediately happen on Cat2: that was the first example, a BPDU is going to be sent by Cat2 and this will be an inferior BPDU; this will cause this port here to transition to become a designated port. Now what if I started by first turning off spanning tree on this switch? What's going to happen? Simply, this BPDU here is going to be forwarded and this port is going to transition to become a root port; that was our second example. No matter how fast I am on my command line, the switches are going to be faster than me, except if I went down the road of changing the timers. But what I'm going to do here is use a feature that I'm going to talk about in greater detail in my next video, and that feature is simply going to prevent Cat2 from sending any BPDUs. So I'm going to use a feature called BPDU filter on Cat2's FastEthernet 0/20 interface. As I said, I'll talk about it in greater detail; this feature is also very complex and you need to understand it in great detail, but for now let's just assume it simply blocks any outgoing BPDUs. I don't care about the incoming BPDUs to Cat2. So if I configure the BPDU filter on Cat2, suddenly Cat3's port, which was a blocking port here, is going to stop receiving BPDUs, and when it stops receiving BPDUs it should transition to become a designated port, unless loop guard prevents it from doing so.

So let's jump into our terminal and confirm that spanning tree operates as we expected. I can see here that FastEthernet 0/20 on Cat3 is the blocking port, and on Cat2 everything is as normal: Gigabit 0/1 is the root port and FastEthernet 0/20 is the designated port. On Cat3 here I have no debug turned on, but on interface FastEthernet 0/20, show spanning-tree, sorry, show spanning-tree interface FastEthernet 0/20 detail (typo), I can see that loop guard is enabled on the port. So now on Cat2 I'm going to say spanning-tree bpdufilter enable. This is going to cause the BPDUs to suddenly stop being sent. If I do show spanning-tree interface FastEthernet 0/20 detail, I'm going to see here that the received count for BPDUs is not increasing; you can see that I'm not receiving any BPDUs, and after 20 seconds loop guard simply kicks in. I can also see here that the port, when this happened, was actually in a blocking state, so the sudden loss of the BPDUs that were there caused this port to now move into a loop-inconsistent state. So let's remove the filter here and let's see what happens on Cat3. Now we can see that almost immediately the port was actually unblocked by loop guard, but this doesn't mean that the port is immediately forwarding. The port now needs to go through its usual motions: it is going to go into becoming a listening and learning port if it needs to transition to the forwarding state, but that's very unlikely to happen unless we received an inferior BPDU. If we received an inferior BPDU from Cat2 this would happen, but we received a superior BPDU, which means that this port is going to block instead. Let's repeat this exercise here. So I'm going to configure the BPDU filter, I'm going to cause Cat3 to start blocking this port, but in the meantime I'm going to shut the link down between Cat1 and Cat2. So now we can see that loop guard actually blocked the port as the result of my BPDU filter configuration. So now let's remove the BPDU filter from this port, and when we receive the first BPDU, this will be the BPDU generated by Cat2, which is going to be an inferior BPDU, and we can see that this also caused the port to move out of the loop-inconsistent state, but now this port is going to become a designated port and we can see that it is going to transition through the normal spanning tree phases.

The next thing that I'm going to show you is going to be very quick and simple. On Cat3 I have enabled spanning-tree loop guard on a port, and I can see and confirm that this is actually running: if I do show spanning-tree interface FastEthernet 0/20 detail I will see that loop guard is enabled on the port. Let me turn it off, so I'm going to say no spanning-tree guard loop. If I rerun my show spanning-tree interface FastEthernet 0/20 detail command I will see that there is no mention of loop guard anymore. I can enable spanning-tree loop guard globally; the command for that is spanning-tree loopguard default. Now I have turned on loop guard on all the ports. If I do show spanning-tree interface FastEthernet 0/20 detail I will see that loop guard is enabled on the port. But you will also remember that I mentioned that loop guard and root guard are mutually exclusive, so which one wins? Well, the last one that is configured on a per-port basis will win in that case of a competition. So to show you this I'm going to turn off the global configuration of loop guard and I'm going to go to interface FastEthernet 0/20 and say spanning-tree guard, and I will show you that I have three options: none, loop and root. Well, none is very simple: I'm going to turn off either guard. If I configure loop guard I'm going to end up with loop guard enabled; if I configure root I will end up with spanning-tree root guard enabled. But what happens if, for example, I have root guard configured on a per-port basis like this, and this is the only way to configure root guard, and I have loop guard enabled globally? Well, in that particular case the local configuration on a port will win. That means that the more specific configuration, that of root guard, will defeat the globally configured loop guard. If that is the situation and on a particular port you still want to use loop guard, you simply have to remove the root guard configuration. Simple as that.
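The behaviour walked through in the captions above, as an added example that is not part of the video or of any Cisco code: a small Python model of one STP port with the loop guard decision built in. It shows the four outcomes the lab demonstrates (a silent neighbour after max-age leaves a loop-guarded non-designated port loop-inconsistent instead of designated; an inferior BPDU after a direct link failure makes the port designated with no loop guard involvement; a single BPDU, superior or inferior, clears the inconsistency; shutdown/no shutdown brings the port up designated because loop guard never armed), plus the port-ID tie-break of the second example and the per-port-beats-global precedence of the last one. The class and function names, the bridge IDs, costs and port IDs are all assumed values constructed for this illustration; MAX_AGE is the 802.1D default the speaker waits for.

```python
"""
Toy model of how Cisco loop guard changes a non-designated STP port's reaction
to a sudden loss of superior BPDUs. Illustrative code written for this page,
not Cisco's implementation; names and sample values below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

MAX_AGE = 20  # seconds; 802.1D default max-age, the "20 seconds" in the video


@dataclass(order=True, frozen=True)
class Bpdu:
    """Configuration BPDU priority vector in 802.1D comparison order: root ID,
    root path cost, sender bridge ID, sender port ID. The smaller Bpdu is the
    superior one, so equal root/cost/sender falls through to the port ID."""
    root_id: int
    root_path_cost: int
    sender_bridge_id: int
    sender_port_id: int


@dataclass
class Port:
    """One STP port. 'own' is the BPDU this switch would itself transmit on the
    port; any received BPDU smaller than it is superior."""
    name: str
    own: Bpdu
    guard: Optional[str] = None     # per-port 'spanning-tree guard {loop|root|none}'
    role: str = "designated"        # or 'non_designated' (root or alternate port)
    best_rx: Optional[Bpdu] = None  # superior BPDU currently held
    age: int = 0                    # seconds since best_rx was refreshed
    loop_inconsistent: bool = False

    def loop_guard_active(self, global_loopguard: bool) -> bool:
        """'spanning-tree loopguard default' applies only where no per-port
        guard is configured; per-port root guard (or none) defeats it."""
        return self.guard == "loop" if self.guard is not None else global_loopguard

    def receive(self, bpdu: Bpdu) -> None:
        self.loop_inconsistent = False  # a single BPDU of any kind clears it
        if bpdu < self.own:
            # Superior BPDU: hold it, refresh its age, stay non-designated.
            self.best_rx, self.age, self.role = bpdu, 0, "non_designated"
        else:
            # Inferior BPDU: the neighbour does not know the root, so we are the
            # designated bridge and keep sending. Loop guard never blocks here.
            self.best_rx, self.role = None, "designated"

    def tick(self, seconds: int, global_loopguard: bool = False) -> None:
        """Age the held BPDU. At max-age the port would normally turn designated;
        with loop guard armed it becomes loop-inconsistent (blocked) instead."""
        if self.best_rx is None:
            return
        self.age += seconds
        if self.age < MAX_AGE:
            return
        self.best_rx = None
        if self.role == "non_designated" and self.loop_guard_active(global_loopguard):
            self.loop_inconsistent = True   # stays blocked; no loop is formed
        else:
            self.role = "designated"        # the transition loop guard exists to stop

    def shut_no_shut(self) -> None:
        """'shutdown' then 'no shutdown': state is cleared and the port comes up
        designated. Loop guard only arms once a superior BPDU has been heard."""
        self.best_rx, self.age = None, 0
        self.loop_inconsistent, self.role = False, "designated"


# Constructed lab values (assumed): Cat1 is root (bridge ID 1). Cat3 reaches it
# over FastEthernet (cost 19); Cat2's BPDU towards Cat3 carries the gigabit
# cost 4, so it is superior and Cat3 Fa0/20 is non-designated (blocking).
CAT3_OWN = Bpdu(root_id=1, root_path_cost=19, sender_bridge_id=3, sender_port_id=20)
FROM_CAT2 = Bpdu(root_id=1, root_path_cost=4, sender_bridge_id=2, sender_port_id=20)
CAT2_SELF_ROOT = Bpdu(root_id=2, root_path_cost=0, sender_bridge_id=2, sender_port_id=20)


def bpdu_loss(loop_guard: bool) -> Port:
    """Fa0/20 holds Cat2's superior BPDU, then hears nothing for max-age."""
    p = Port("Fa0/20", CAT3_OWN, guard="loop" if loop_guard else None)
    p.receive(FROM_CAT2)
    p.tick(MAX_AGE)
    return p


def direct_link_failure() -> Port:
    """First example: Cat2 loses Cat1, elects itself root and immediately sends
    an inferior BPDU, so Fa0/20 sees no BPDU loss and becomes designated."""
    p = Port("Fa0/20", CAT3_OWN, guard="loop")
    p.receive(FROM_CAT2)
    p.receive(CAT2_SELF_ROOT)
    return p


def recover(first_bpdu_after_outage: Bpdu) -> Port:
    """One BPDU clears loop inconsistency; the resulting role depends on it."""
    p = bpdu_loss(True)
    p.receive(first_bpdu_after_outage)
    return p


def recover_by_shut_no_shut() -> Port:
    p = bpdu_loss(True)
    p.shut_no_shut()
    p.tick(MAX_AGE)  # still silent, yet the port stays designated
    return p


def superior(a: Bpdu, b: Bpdu) -> Bpdu:
    """Second example: same root, cost and sender, decided by sender port ID."""
    return min(a, b)
```

The model deliberately skips listening/learning and the root-versus-alternate distinction; what it keeps is the one decision that matters for the loop: whether a port that was relying on superior BPDUs is allowed to become designated when they stop.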
Info
Channel: CCIEORDIE.COM
Views: 817
Id: CeauwJV6o74
Length: 21min 53sec (1313 seconds)
Published: Thu Feb 08 2018