CCNA RnS Article #35: Make STP Better & Secure


In this article, we are going to talk about some features that are not mandatory but can be used in an Ethernet environment to make STP better and more secure. The list of such features includes EtherChannel, PortFast, and BPDU Guard. Let’s talk about these here today.

⭐ EtherChannel 👇

Let’s say there are multiple parallel connections between two switches as depicted in Figure 1. If one of the links goes down, what do you think is going to happen?

Figure 1: Multiple segments between Switches

In this scenario, these links are independent, and by the STP rules only one of them will be active while the others will be blocked (not used). If the active link goes down, STP convergence will happen: the switch follows the usual series of port states and waits for timers to expire before making another port active. This takes time, during which data transfer is interrupted.

What if we completely avoid convergence? EtherChannel is the answer to this. In an EtherChannel, multiple physical interfaces are grouped into a single logical link. STP sees a single link between the switches, and all the members (physical links) of this logical link are in the active state. The failure of a single physical link that is part of an EtherChannel does not cause STP convergence as long as at least one member link is still up. If all members go down, then STP convergence will happen. For instance, let’s say one of the physical links between the Root Switch (Switch 1) and a non-Root Switch (Switch 2) goes down; with EtherChannel configured there is no change in the topology and no convergence is required.

Figure 2: No STP Convergence with EtherChannel

One more benefit of using EtherChannel is that all the member links are forwarding. This results in more bandwidth for the segment. Without EtherChannel, STP keeps only one link active and puts the others into the blocking state (a waste of bandwidth).
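As an added configuration example (not from the article), here is how the two parallel links of Figures 1 and 2 could be bundled into one LACP EtherChannel on Cisco IOS. The switch names, interface numbers and channel-group number are assumptions; both switches must be configured the same way:

```cisco
! Added example: bundle Gi0/1 and Gi0/2 between Switch1 and Switch2 into
! a single logical link (Port-channel 1) using LACP. Interface names and
! channel-group number are assumptions.
! --- Switch1 ---
Switch1(config)# interface range GigabitEthernet0/1 - 2
Switch1(config-if-range)# switchport mode trunk
Switch1(config-if-range)# channel-group 1 mode active
Switch1(config-if-range)# exit
! --- Switch2 (mirror of the above) ---
Switch2(config)# interface range GigabitEthernet0/1 - 2
Switch2(config-if-range)# switchport mode trunk
Switch2(config-if-range)# channel-group 1 mode active
Switch2(config-if-range)# exit
! Verify: the bundle should show as Layer 2 and in use (SU) with both
! members bundled (P), and STP should list Po1 instead of Gi0/1 and Gi0/2
Switch1# show etherchannel summary
Switch1# show spanning-tree interface port-channel 1
```

Member ports must share the same speed, duplex and switchport settings, otherwise LACP will refuse to bundle them. Once the bundle is up, shutting down one member (for example `shutdown` on Gi0/1) leaves Po1 forwarding and `show spanning-tree` shows no topology change, which is the behaviour described above.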

⭐ BPDU Guard 👇

To understand BPDU Guard, let’s discuss two scenarios:

1. An engineer took a switch from spare inventory and connected it to a network switch. This spare switch had the lowest priority and MAC address, so it became the new Root Switch. An unplanned new Root Switch like this can bring the network to its knees.
2. Similar to scenario 1, a customer asked to extend the network using a cheap hub that does not support STP or any loop-prevention mechanism. If multiple interfaces of that hub are connected to the network and forwarding traffic, this creates a loop.

All these problems are avoided if the port is configured with BPDU Guard. Every port that is not supposed to receive BPDUs (host ports, access ports) should be configured with BPDU Guard. If a BPDU is received on a port configured with BPDU Guard, the switch disables that port. This protects the network from such unfortunate situations.

⭐ Related: CCNA Switching: Basics about BPDU Guard and Root Guard

⭐ PortFast 👇

Any new connection on a port, or disconnection of a working port, causes STP to converge. Network changes such as adding new connections between switches or adding new switches to the network are not frequent, and it is expected that STP converges to the new topology to avoid any loop. But do you think that users leaving the office (shutting down their desktop or disconnecting their laptop) or coming back the next day should cause STP convergence?

STP does not need to converge (transition through the various port states before allowing forwarding on a port) when a host is connected or disconnected. All host ports in a network (ports that provide connectivity to end devices) should be configured with PortFast. A port in PortFast immediately forwards traffic.
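Because PortFast and BPDU Guard both belong on the same host-facing ports, here is one added Cisco IOS example (not from the article) that applies both to a range of access ports, covering the BPDU Guard and PortFast sections above. The switch name, interface range and VLAN number are assumptions:

```cisco
! Added example: harden host-facing access ports with PortFast and
! BPDU Guard. Interface range and VLAN number are assumptions.
Switch1(config)# interface range GigabitEthernet0/10 - 24
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# spanning-tree portfast
Switch1(config-if-range)# spanning-tree bpduguard enable
Switch1(config-if-range)# exit
! Alternative: enable both globally so every access (non-trunk) port
! gets PortFast and BPDU Guard without per-interface commands
Switch1(config)# spanning-tree portfast default
Switch1(config)# spanning-tree portfast bpduguard default
! Optional: automatically recover a port that BPDU Guard err-disabled,
! after 300 seconds, instead of requiring a manual shut/no shut
Switch1(config)# errdisable recovery cause bpduguard
Switch1(config)# errdisable recovery interval 300
! Verify the PortFast state of a port and list any err-disabled ports
Switch1# show spanning-tree interface GigabitEthernet0/10 portfast
Switch1# show interfaces status err-disabled
```

Never apply PortFast to a port that connects to another switch; IOS prints a warning when PortFast is enabled because a switch-to-switch link that skips the STP port states can form a loop. With BPDU Guard in place, the spare switch or hub from the scenarios above sends a BPDU into the host port, the port is err-disabled immediately, and `show interfaces status err-disabled` shows which port was hit.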

So, these were some of the features that augment the network in addition to STP standard features. I hope you find this informative.
