CCNP Switch Lab 6-2 Securing Spanning Tree Protocol

  • Secure the Layer 2 spanning-tree topology with BPDU guard.
  • Protect the primary and secondary root bridge with root guard.
  • Protect switch ports from unidirectional links with UDLD.


This lab is a continuation of Lab 6-1 and uses the network configuration set up in that lab. In this lab, you will secure the network against possible spanning-tree disruptions, such as the addition of rogue access points and the loss of root bridge stability when switches are added to the network. The improper addition of switches to the network can be either malicious or accidental. In either case, the network can be secured against such a disruption.

Note: This lab uses Cisco WS-C2960-24TT-L switches with the Cisco IOS image c2960-lanbasek9-mz.122-46.SE.bin, and Catalyst 3560-24PS switches with the Cisco IOS image c3560-advipservicesk9-mz.122-46.SE.bin. You can use other switches (such as 2950 or 3550) and Cisco IOS Software versions if they have comparable capabilities and features. Depending on the switch model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.

Required Resources

  • 2 switches (Cisco 2960 with the Cisco IOS Release 12.2(46)SE C2960-LANBASEK9-M image or comparable)
  • 2 switches (Cisco 3560 with the Cisco IOS Release 12.2(46)SE C3560-ADVIPSERVICESK9-mz image or comparable)
  • Ethernet and console cables

Note: Be sure to save your final device configurations to use with the next lab.

Step 1: Load or verify the configurations from Lab 6-1.

a. Verify that the configurations from Lab 6-1 are loaded on the devices by issuing the show vtp status command. The output should show that the current VTP domain is SWPOD, and VLANs 100 and 200 should be included in the number of existing VLANs. The output from switch ALS2 is shown as an example. If the switches are not configured properly, erase the startup config, delete the vlan.dat file, and load the configurations saved at the end of Lab 6-1.

Note: If you are loading the configurations from Lab 6-1, they do not include VLAN and VTP commands. You must first configure ALS1 and ALS2 as VTP clients and then create VLANs 100 (staff) and 200 (student) and the VTP domain name on DLS1. Refer to Lab 6-1 for assistance.

How many VLANs exist in the network? How many of these are defaults?
There are seven VLANs in the network; five of these are built in.
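The VTP and VLAN preparation that the note above defers to Lab 6-1, written out as an added example (this is not the lab's own configuration listing). It assumes DLS1 is the VTP server for domain SWPOD and that the hostnames and VLAN names match the lab; the same client commands are repeated on ALS2.

```cisco
! Added example, not from the lab. Assumes DLS1 is the VTP server for domain SWPOD.
! --- DLS1: create the VTP domain and the two VLANs on the server ---
DLS1(config)# vtp domain SWPOD
DLS1(config)# vtp mode server
DLS1(config)# vlan 100
DLS1(config-vlan)# name staff
DLS1(config-vlan)# vlan 200
DLS1(config-vlan)# name student
DLS1(config-vlan)# end

! --- ALS1 and ALS2: become VTP clients (repeat on ALS2) ---
! A client whose domain is still null adopts the domain name from the first
! summary advertisement it hears on a trunk, so the domain is set only on DLS1.
ALS1(config)# vtp mode client
ALS1(config)# end

! --- Verification ---
! "VTP Domain Name : SWPOD" and VLANs 100/200 counted in "Number of existing VLANs"
ALS1# show vtp status
! staff and student listed alongside the default VLANs
DLS1# show vlan brief
```

The VLANs are created only on the server; if the client's VLAN count does not rise, check that the trunk between DLS1 and the client is up and in the same domain before touching the client's VLAN database.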

b. Issue the show vlan brief command on DLS1. The student and staff VLANs should be listed in the output of this command.

Which ports are not listed for VLAN 1? Why is this?
Ports Fa0/7 through Fa0/12 are not listed because they were configured as trunk ports.

c. Issue the show interfaces trunk command on DLS2. If trunking was configured properly in Lab 6-1, interfaces Fast Ethernet 0/7–0/12 should be in trunking mode on all switches.

Are any VLANs being pruned from these trunks? How can you tell?
Yes. All the VLANs that are not being used and, therefore, do not need to be trunked, are pruned. The last section of the output of the show interfaces trunk command shows the VLANs that are not pruned.

d. Issue the show spanning-tree vlan 1 command on DLS2. The results from this command might vary, and DLS2 might not be the root in your topology. In the following output, this bridge is currently the root of the spanning tree.


Where is the spanning-tree root in your lab network? Is this root bridge optimal for your network?
In the example shown, the root is DLS2. It would be optimal for the distribution layer switches to be root switches.

What is the priority of the current root bridge?
The priority is 32769.

Step 2: Configure the primary and secondary root bridges for the VLANs.

In most cases, you must manually configure the spanning-tree root to ensure optimized paths throughout the Layer 2 network. This topic is covered in Module 3. For this scenario, DLS1 acts as the root for VLANs 1 and 100 and performs the secondary function for VLAN 200. In addition, DLS2 is the primary root bridge for VLAN 200 and secondary bridge for VLANs 1 and 100.

a. Configure STP priority for the primary and secondary roots using the spanning-tree vlan vlan-id root

b. Verify the configuration on both DLS1 and DLS2 using the show spanning-tree command.

According to the output, what is the root for VLAN 100? For VLAN 200?
The root bridge for VLAN 100 is DLS1. The root bridge for VLAN 200 is DLS2.
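The primary/secondary root placement described in Step 2, as an added example rather than the lab's own configuration listing. It assumes the hostnames DLS1 and DLS2 from the topology and the per-VLAN roles stated in the introduction to this step.

```cisco
! Added example, not from the lab. Root placement per Step 2:
!   DLS1 = primary root for VLANs 1 and 100, secondary for VLAN 200
!   DLS2 = primary root for VLAN 200, secondary for VLANs 1 and 100
! "root primary" sets the bridge priority to 24576 (or 4096 below the current
! root if that root is already lower); "root secondary" sets it to 28672.
DLS1(config)# spanning-tree vlan 1,100 root primary
DLS1(config)# spanning-tree vlan 200 root secondary
DLS1(config)# end

DLS2(config)# spanning-tree vlan 200 root primary
DLS2(config)# spanning-tree vlan 1,100 root secondary
DLS2(config)# end

! Verification: on the primary for each VLAN the Root ID and Bridge ID match
! ("This bridge is the root"). The priority displayed is the configured value
! plus the VLAN number (sys-id-ext), e.g. 24676 for VLAN 100.
DLS1# show spanning-tree vlan 100
DLS2# show spanning-tree vlan 200
! One line per VLAN with root ID, root cost and root port, useful on the
! access switches to confirm both roots are where you expect:
ALS1# show spanning-tree root
```

Because the macro computes the priority once, at the moment you enter it, a switch added later with a still lower priority would take over; that is exactly the gap Steps 3 and 5 close with root guard and BPDU guard.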

Step 3: Configure root guard.

To maintain an efficient STP topology, the root bridge must remain predictable. If a foreign or rogue switch is maliciously or accidentally added to the network, the STP topology could be changed if the new switch has a lower BID than the current root bridge. Root guard helps prevent this by putting a port that hears these BPDUs in the root-inconsistent state. Data cannot be sent or received over the port while it is in this state, but the switch can listen to BPDUs received on the port to detect a new root advertising itself. Root guard is enabled on a per-port basis with the spanning-tree guard root command. You should use root guard on switch ports where you would never expect to find the root bridge for a VLAN.

a. In the topology diagram, Fast Ethernet ports 0/13 and 0/14 on each switch are not being used as trunk or access ports. It is possible that a switch could be accidentally or maliciously added to those ports. Configure root guard on these ports to ensure that if a switch is added, it is not allowed to take over as root.

b. Configure root guard on the same ports for DLS2, ALS1, and ALS2.

What will happen if a switch is connected to Fa0/13 via a crossover cable?
The port could go into an inconsistent state if the new switch tries to become the root bridge.

Step 4: Demonstrate root guard functionality.

Verify your configuration to make sure that root guard was not accidentally configured on a port that should hear root advertisements, such as a port on ALS2 that is connected to the root bridge.

a. Use the show spanning-tree vlan 1 command on ALS2 to look for a root port. In the following example,

b. Configure root guard on the root port that you found. Note that this configuration is for teaching purposes only. This would not be done in a production network.

Notice that as soon as you issue this command, you receive a message that root guard has been enabled and that the port is now in the blocking state for the specific VLANs configured. This port has been transitioned to this state because it receives a BPDU that claims to be the root.

c. Verify which ports are in this inconsistent state with the show spanning-tree inconsistentports command.

d. Because this configuration is not intended for normal operation, remove it using the no spanning-tree guard root command.

When the configuration is removed, a message indicates that the port is being unblocked.
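Root guard on the unused ports from Step 3, followed by the deliberately wrong placement from Step 4 and its removal, as one added example (not the lab's configuration listing). The root port Fa0/7 on ALS2 and the exact syslog wording are assumptions; read the port role from your own show spanning-tree vlan 1 output.

```cisco
! Added example, not from the lab.
! --- Step 3: root guard where a root bridge must never appear ---
! Repeat on DLS1, DLS2, ALS1 and ALS2 (Fa0/13-0/14 are unused on every switch).
DLS1(config)# interface range fastEthernet 0/13 - 14
DLS1(config-if-range)# spanning-tree guard root
DLS1(config-if-range)# end
! Confirms "Root guard is enabled on the port" before any BPDU is ever heard:
DLS1# show spanning-tree interface fastEthernet 0/13 detail

! --- Step 4: teaching demonstration only, never in production ---
! Find the port whose role is "Root"; Fa0/7 is assumed here.
ALS2# show spanning-tree vlan 1
ALS2(config)# interface fastEthernet 0/7
ALS2(config-if)# spanning-tree guard root
! Expected immediately (message text representative of Cisco IOS; verify on your platform):
!   %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/7 on VLAN0001.
ALS2(config-if)# end
! Lists Fa0/7 with "Root Inconsistent" for each VLAN carried on the trunk:
ALS2# show spanning-tree inconsistentports
! Remove the misplaced guard; the port is unblocked without a shutdown/no shutdown.
ALS2(config)# interface fastEthernet 0/7
ALS2(config-if)# no spanning-tree guard root
!   %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/7 on VLAN0001.
ALS2(config-if)# end
```

The key operational difference from BPDU guard (Step 5) is visible here: root guard recovers on its own as soon as superior BPDUs stop arriving, so it is safe on uplinks toward non-root neighbours, whereas BPDU guard err-disables the port and needs an administrator.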

Step 5: Configure BPDU guard.

Because PortFast is enabled on all user access ports on ALS1 and ALS2, BPDUs are not expected to be heard on these ports. Any BPDUs that are heard could result in a disruption of the STP topology, so you should protect these ports from any type of accidental or malicious behavior that leads to BPDUs arriving at the port. If a rogue access point or switch is placed on these ports, BPDUs would most likely be heard. BPDU guard protects ports from this type of situation by placing the interface in the error-disable state. The BPDU guard feature provides a secure response to invalid configurations because the network administrator must manually put the interface back in service.

a. To enable BPDU guard on PortFast-enabled ports, use the spanning-tree portfast bpduguard default global configuration command.

b. Verify your configuration using the show spanning-tree summary command.


Which action will be taken if a wireless access point sending BPDUs is connected to Fa0/15 on ALS1?
If the port was configured as an access port, it should go into an error-disabled state. If the port was configured as a trunk port, BPDU guard should not take effect.
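BPDU guard from Step 5 together with the manual recovery the text requires, as an added example (not the lab's own listing). Fa0/15 on ALS1 is taken from the question above; the syslog wording is representative and should be checked against your IOS release.

```cisco
! Added example, not from the lab. Fa0/15 on ALS1 is the access port from the question above.
! --- Step 5: BPDU guard on every PortFast-enabled port, set once globally ---
ALS1(config)# spanning-tree portfast bpduguard default
ALS1(config)# end
! Look for "Portfast BPDU Guard Default  is enabled" in the summary header:
ALS1# show spanning-tree summary

! What a BPDU on a PortFast port triggers (messages representative; verify on your IOS):
!   %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/15 with BPDU Guard enabled. Disabling port.
!   %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/15, putting Fa0/15 in err-disable state

! Manual recovery: identify the port, remove or fix the offending device, then bounce the interface.
ALS1# show interfaces status err-disabled
ALS1(config)# interface fastEthernet 0/15
ALS1(config-if)# shutdown
ALS1(config-if)# no shutdown
ALS1(config-if)# end

! Caveat beyond the lab: the global default covers only PortFast ports, which is why a
! trunk on Fa0/15 would be unprotected. Per-interface BPDU guard applies regardless of PortFast.
ALS1(config)# interface fastEthernet 0/15
ALS1(config-if)# spanning-tree bpduguard enable
ALS1(config-if)# end
```

Leaving recovery manual is the point of the feature: an err-disabled access port is a signal that something with a bridge in it was plugged into a user-facing jack, and someone should look before the port comes back.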

Step 6: Enable broadcast storm control on trunk ports.

If a basic unmanaged switch is connected to an access port, a broadcast storm can result, which can lead to network failure. Implementing broadcast storm protection on trunk interfaces can help prevent this.

a. Enable storm control for broadcasts on Fast Ethernet ports 0/7 and 0/8 on ALS1 with a 50 percent rising suppression level using the storm-control broadcast command. ALS1 trunk ports Fa0/7 and Fa0/8 are shown here as an example.

b. Verify the configuration of interface Fa0/7 with the show running-config command.
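The storm-control configuration from Step 6, as an added example (not the lab's own listing), on the ALS1 trunk ports named in the step.

```cisco
! Added example, not from the lab. ALS1 trunk ports Fa0/7-0/8, broadcast rising level 50 percent.
ALS1(config)# interface range fastEthernet 0/7 - 8
! Single value = rising threshold; broadcasts above 50% of port bandwidth are dropped
! until the rate falls back under the threshold. The port itself stays up (default action).
ALS1(config-if-range)# storm-control broadcast level 50
ALS1(config-if-range)# end

! Verification
ALS1# show running-config interface fastEthernet 0/7
! Live view: configured level, current broadcast rate and whether suppression is active
ALS1# show storm-control fastEthernet 0/7 broadcast
```

A second value after the rising level (for example, level 50 40) sets a lower falling threshold so that a rate hovering around one number does not toggle suppression on and off; the lab keeps the single threshold, so it is mentioned here only as an option.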

Step 7: Configure UDLD.

A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. Unidirectional links can cause spanning-tree topology loops. UDLD allows devices to detect when a unidirectional link exists and shut down the affected interface.

You can configure UDLD on a per-port basis or globally for all fiber-optic gigabit interfaces. The aggressive keyword places the port in the error-disable state when a violation occurs on the port.

a. Enable UDLD protection on Fast Ethernet ports 1–24 on all switches using the udld port aggressive command. Also configure UDLD globally for all fiber-optic gigabit interfaces, for future use, with the udld enable command.

Note: This lab assumes the existence of fiber-optic gigabit ports, although this might not be the case with your lab equipment.

b. Verify your configuration using the show udld interface-id command.

What is the operation state of this interface?
The operational state of this interface is link down.

Note: Although not configured in this lab, loop guard can be configured as an alternative or in addition to UDLD. Their functionality partly overlaps, in that both protect against STP failures caused by unidirectional links. Based on the various design considerations, you can choose UDLD, the loop guard feature, or both. With regard to STP, the most noticeable difference between the two features is that UDLD offers no protection against STP failures caused by problems in software, in which the designated switch stops sending BPDUs. However, this type of failure is (by an order of magnitude) rarer than failures caused by unidirectional links. In return, UDLD might be more flexible in the case of unidirectional links on an EtherChannel: UDLD disables only the failed links, and the channel remains functional on the links that remain, whereas loop guard puts the whole channel into the loop-inconsistent state and blocks it entirely.
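The UDLD configuration from Step 7, plus the loop guard alternative described in the note above, as one added example (not the lab's own listing). The commands are shown on ALS1 and assume the same 24-port layout on every switch; the per-port loop guard on Fa0/9 is an illustration, not a lab requirement.

```cisco
! Added example, not from the lab. Repeat the UDLD section on DLS1, DLS2, ALS1 and ALS2.
! --- Step 7: UDLD aggressive on all 24 Fast Ethernet ports ---
ALS1(config)# interface range fastEthernet 0/1 - 24
ALS1(config-if-range)# udld port aggressive
ALS1(config-if-range)# exit
! Global UDLD (normal mode) for any fiber-optic gigabit ports present now or later:
ALS1(config)# udld enable
ALS1(config)# end

! Verification: per-port administrative/operational state; an unconnected port reports
! link down, a working bidirectional link lists the neighbour's device ID and port.
ALS1# show udld fastEthernet 0/7
ALS1# show udld neighbors

! --- Loop guard, the alternative or complement from the note ---
! Globally: every root and alternate port that stops receiving BPDUs goes
! loop-inconsistent instead of creeping into forwarding.
ALS1(config)# spanning-tree loopguard default
! Per port instead of globally. Root guard and loop guard are mutually exclusive on a
! port, so this is shown on Fa0/9, which carries no root guard in this lab.
ALS1(config)# interface fastEthernet 0/9
ALS1(config-if)# spanning-tree guard loop
ALS1(config-if)# end
! Loop-inconsistent ports are reported next to root-inconsistent ones:
ALS1# show spanning-tree inconsistentports
```

UDLD aggressive err-disables the port once the neighbour stops answering its probes, so the port stays down until an administrator bounces it; loop guard clears on its own when BPDUs resume. That difference, not just coverage, is worth weighing when deciding between them.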

Note: Save your final device configurations for use with the next lab.

Device Configurations (Instructor version)

Switch DLS1

Switch DLS2

Switch ALS1

Switch ALS2
