Sunday, December 31, 2017

Cisco CCNP:300-115 - 1.6.d Loopguard and Rootguard

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

      - Root Guard 
          - If spanning-tree calculations cause an interface to be selected as a root when it should not be, the interface is placed in the "root-inconsistent" (blocked) state.
          - The root-inconsistent state prevents the other switch from becoming the root switch or being the path to the root port
          - Spanning-tree selects a new root switch when an interface goes into root-inconsistent state
          - If the switch is in MST mode, root guard forces the interface to be a designated port
          - When a boundary port is blocked in an Internal Spanning Tree (IST) instance because of root guard, the interface becomes blocked for all MST instances
          - Root guard enabled on an interface applies to all VLANs to which the interface belongs
          - Should not be enabled on interfaces to be used by UplinkFast feature
          - If root guard is enabled on backup interfaces used by UplinkFast, those interfaces are placed in a root-inconsistent state (blocked) thus preventing them from reaching the forwarding state
          - Root guard and loop guard cannot both be enabled at the same time
          - To configure, use the following in interface configuration mode:
            SW2(config-if)# spanning-tree guard root
         
    
     -  Loopguard
        - Used to prevent alternate or root ports from becoming designated ports
        - Loop guard helps with failures that lead to a unidirectional link
        - Most effective when enabled on the entire block
        - Prevents alternate and root ports from becoming designated ports
        - Spanning-tree does not send BPDUs on root or alternate ports
          SW2(config)# spanning-tree loopguard default
        - When the switch is in MST mode, BPDUs are not sent on nonboundary ports
        - On a boundary port, loop guard blocks the interface in all MST instances
        - Most effective when configured on the entire switch
        - Operates only on interfaces that are considered point-to-point by the spanning-tree
        - Loop guard and root guard cannot both be enabled at the same time
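
An added example (not from the original notes or from Cisco's documentation): a small Python check over a candidate IOS-style configuration that reports the effective guard on each interface and flags the two constraints listed above, root guard together with loop guard and root guard alongside UplinkFast. The sample configuration and interface names are constructed, and the code assumes that an interface-level `spanning-tree guard` line overrides the global `spanning-tree loopguard default`.

```python
import re

# Constructed sample config for illustration; not from the original post.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree uplinkfast
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
interface GigabitEthernet0/2
 description backup uplink
 spanning-tree guard root
!
interface GigabitEthernet0/3
 description toward customer switch
 spanning-tree guard root
 spanning-tree guard loop
!
"""

def audit_guards(config):
    """Return ({interface: effective guard}, [findings]) for an IOS-style config."""
    global_loop = bool(re.search(r"^spanning-tree loopguard default[ \t]*$", config, re.M))
    uplinkfast = bool(re.search(r"^spanning-tree uplinkfast\b", config, re.M))
    modes, findings = {}, []
    # Each stanza is an "interface X" header followed by its indented lines.
    for name, body in re.findall(r"^interface (\S+)[ \t]*\n((?:[ \t]+.*\n?)*)", config, re.M):
        guards = re.findall(r"^[ \t]+spanning-tree guard (root|loop|none)[ \t]*$", body, re.M)
        if "root" in guards and "loop" in guards:
            findings.append(f"{name}: root guard and loop guard both configured")
        if "root" in guards and uplinkfast:
            findings.append(f"{name}: root guard set while UplinkFast is enabled")
        # Assumption: an interface-level guard line overrides the global default,
        # and the last guard line entered is the one that takes effect.
        if guards:
            modes[name] = guards[-1]
        else:
            modes[name] = "loop" if global_loop else "none"
    return modes, findings

if __name__ == "__main__":
    modes, findings = audit_guards(SAMPLE_CONFIG)
    for name, mode in modes.items():
        print(f"{name}: effective guard = {mode}")
    for finding in findings:
        print("FINDING:", finding)
```

A finding for UplinkFast only means the interface should be reviewed: the constraint applies to the uplink and backup interfaces UplinkFast actually uses.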
  
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html
