Improvements in STP
PortFast
Welcome back to a new article. This one will be quite short and focuses on improvements in STP. As discussed in previous articles, STP takes 30 seconds to converge: 15 seconds in the Listening state and 15 seconds in the Learning state. So a small change in the network takes 30 seconds to recover from, and it also causes a burst of flooded frames while the switches re-learn MAC addresses, because every switch that receives a TCN BPDU shortens its MAC address table aging time from 300 seconds to 15 seconds. This means that each time I plug in or unplug the cable of an end device, spanning-tree generates a topology change notification and goes through the process described above and in the previous article. This doesn't seem right: an end device doesn't affect the spanning-tree topology, so a change on its port shouldn't lead to a recalculation/re-convergence of spanning-tree. To solve this issue we have a feature known as PortFast. It does two things: a switch will never generate a TCN for an interface that has PortFast enabled, and an interface with PortFast enabled that comes up goes to the Forwarding state immediately. It skips the Listening and Learning states and therefore saves the re-convergence time. For that reason it's best to enable PortFast on the interfaces that are connected to end devices.
UplinkFast
This feature makes a non-designated (blocked) port go to the Forwarding state immediately if the root port fails. Do you remember the direct topology change which we discussed in the previous article? If not, you can find it here:
By using this feature we save the 2*Forward_Time that the switch would otherwise take to re-converge.
BackboneFast
The feature that handles an indirect topology change is BackboneFast. We know that such a change takes Max-age + 2*Forward_Time to re-converge. If you are confused about what I am talking about, please go through the link provided above; I have tried to explain it in the simplest language possible. Normally the switch waits for the old root information to expire (Max-age) before it starts considering the inferior BPDUs it is receiving. With BackboneFast enabled, the switch starts accepting the inferior BPDU immediately, which saves the Max-age time during re-convergence.
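As an added example (not from the original article), here is how the three features above are enabled on a Cisco IOS switch. The interface names, VLAN number and descriptions are assumed for illustration:

```cisco
! Added example, not from the original article: Cisco IOS configuration for
! PortFast, UplinkFast and BackboneFast. Interface names and VLAN are assumed.

! --- PortFast: only on ports that face end devices, never on switch-to-switch links.
interface GigabitEthernet0/1
 description Access port to end host (assumed)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Alternative: enable PortFast on every access port at once (trunk ports are not affected).
spanning-tree portfast default

! --- UplinkFast: global command, meant for access-layer switches that have a
!     redundant, blocked uplink which should take over immediately if the root port fails.
spanning-tree uplinkfast

! --- BackboneFast: global command; enable it on every switch in the STP domain so
!     each of them can accept an inferior BPDU without waiting for Max-age to expire.
spanning-tree backbonefast

! --- Verification (show commands, run from privileged EXEC):
! show spanning-tree summary                              -> PortFast / UplinkFast / BackboneFast status
! show spanning-tree interface GigabitEthernet0/1 portfast
! show spanning-tree detail                               -> "Number of topology changes" and when the last one occurred
```

Two checks worth doing after this: confirm in `show spanning-tree detail` that the topology-change counter stops climbing when end hosts are plugged and unplugged, and be aware that enabling UplinkFast raises the switch's bridge priority to 49152 and its port costs by 3000, so an access switch with UplinkFast will not accidentally become root.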
Security Features in STP
Suppose we have a fully working spanning-tree topology, and an attacker connects their host to one of the switches and starts a tool that generates BPDUs with a superior bridge ID. On seeing this BPDU, the switches in our network believe that this is the new root and start re-converging. This can lead to a man-in-the-middle attack in which the attacker's host ends up on the path of our traffic. To stop this kind of attack there is a feature called BPDU Guard: when a BPDU is received on a BPDU Guard-enabled interface, the switch puts that interface into the error-disable state. You can also enable BPDU Guard globally, in which case it is active on all interfaces that have PortFast enabled. There is one more feature known as BPDU Filter; the difference between the two is that BPDU Filter just drops the BPDU and does not put the port into the error-disable state. Finally, the Root Guard feature makes sure that the switch does not accept any other switch as the root through the interface on which it is enabled.
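As an added example (not from the original article), here is the Cisco IOS configuration for the three protection features just described, plus the show commands used to confirm they fired. Interface names, descriptions and the recovery interval are assumed for illustration:

```cisco
! Added example, not from the original article: Cisco IOS configuration for
! BPDU Guard, BPDU Filter and Root Guard. Interface names and timer values are assumed.

! --- BPDU Guard on one access port: any received BPDU puts the port into err-disable.
interface GigabitEthernet0/1
 description Access port to end host (assumed)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Global form: applies BPDU Guard to every port on which PortFast is operational.
spanning-tree portfast bpduguard default

! Optional: let err-disabled ports recover automatically instead of needing a manual
! "shutdown" / "no shutdown". Interval is in seconds (value assumed).
errdisable recovery cause bpduguard
errdisable recovery interval 300

! --- BPDU Filter on one port: received BPDUs are dropped and none are sent, and the
!     port is NOT err-disabled. This effectively switches STP off on that port.
interface GigabitEthernet0/2
 description Access port where a BPDU must be silently ignored (assumed)
 spanning-tree portfast
 spanning-tree bpdufilter enable

! --- Root Guard goes on the designated port that faces a switch which must never
!     become root. A superior BPDU arriving here moves the port to the
!     root-inconsistent (blocking) state; it recovers by itself once those BPDUs stop.
interface GigabitEthernet0/24
 description Downlink to a switch that must not become root (assumed)
 spanning-tree guard root

! --- Verification (privileged EXEC):
! show spanning-tree summary             -> global BPDU Guard / BPDU Filter defaults
! show interfaces status err-disabled    -> ports shut by BPDU Guard
! show errdisable recovery               -> recovery cause and timer
! show spanning-tree inconsistentports   -> ports blocked by Root Guard
```

Design note: BPDU Guard is the safer choice for access ports, because a port that is err-disabled is visible in `show interfaces status err-disabled` and in the switch log, whereas a BPDU Filter port gives no signal and, if someone plugs a switch into it, can form a loop that STP never sees. Root Guard belongs on designated ports facing other switches (the side where the unexpected superior BPDU would arrive), not on the root port.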
Thank you so much for reading this and I hope you enjoyed it! Feel free to comment with questions or additional insights! Let’s keep learning together.