CCNP Enterprise Certification Study Guide: Implementing and Operating Cisco Enterprise Network Core Technologies. Ben Piper


Inconsistent state. For example, let's try to make SW2 the root for VLAN 1:

      SW2(config)#spanning-tree vlan 1 priority 0
      ! SW1 will block the port that's connected to SW2 and place it into a broken
      ! state, resulting in no traffic traversing the link:
      *Sep 15 01:01:21.412: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Gi0/0: Inconsistent inferior PVST BPDU received on VLAN 7, claiming root 32775:0015.fa88.4e80

      SW1#show spanning-tree int gi0/0

      Mst Instance        Role Sts Cost      Prio.Nbr Type
      ------------------- ---- --- --------- -------- --------------------------------
      MST0                Root BKN*20000     128.1    P2p Bound(PVST) *PVST_Inc
      MST1                Mstr BKN*20000     128.1    P2p Bound(PVST) *PVST_Inc
      MST2                Mstr BKN*20000     128.1    P2p Bound(PVST) *PVST_Inc

      SW1#show spanning-tree inconsistentports

      Name                 Interface                Inconsistency
      -------------------- ------------------------ ------------------
      MST0                 GigabitEthernet0/0       PVST Sim. Inconsistent
      MST1                 GigabitEthernet0/0       PVST Sim. Inconsistent
      MST2                 GigabitEthernet0/0       PVST Sim. Inconsistent

      Number of inconsistent ports (segments) in the system : 3

      Native VLAN

      On any 802.1Q trunk, the native VLAN is the VLAN whose traffic isn't tagged. By default, this is VLAN 1. VLAN 1 is a special VLAN that plays a crucial role in many protocols, including Spanning Tree. If you're using an 802.1Q trunk, by default VLAN 1 traffic is sent untagged. You can force a switch to tag native VLAN traffic using the global configuration command vlan dot1q tag native. This is useful to prevent untagged traffic from inadvertently slipping into VLAN 1, as well as to prevent VLAN hopping attacks.
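To make the untagged-native rule concrete, here is an added Python model of what a trunk port puts on the wire and how the far end classifies it. It is not code from the book; the frame layout follows 802.1Q (a 0x8100 TPID followed by a 16-bit TCI whose low 12 bits are the VLAN ID), while `trunk_egress`, `trunk_ingress`, the hypothetical MAC addresses and the assumption that a receiver configured for a tagged native VLAN discards untagged frames are constructed for the example.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; one 802.1Q tag goes after the source MAC when vlan_id is given."""
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)  # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_tag(frame: bytes):
    """Return (vlan_id or None when untagged, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    first = struct.unpack_from("!H", frame, 12)[0]
    if first != TPID_8021Q:
        return None, first, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, ethertype, frame[18:]


def trunk_egress(vlan: int, payload: bytes, native_vlan: int, tag_native: bool = False,
                 dst: str = "ff:ff:ff:ff:ff:ff", src: str = "02:00:00:00:00:01",
                 ethertype: int = 0x0800) -> bytes:
    """Frame a trunk sends for `vlan`: the native VLAN leaves untagged unless
    'vlan dot1q tag native' (modelled here as tag_native=True) is configured."""
    if vlan == native_vlan and not tag_native:
        return build_frame(dst, src, ethertype, payload)
    return build_frame(dst, src, ethertype, payload, vlan_id=vlan)


def trunk_ingress(frame: bytes, native_vlan: int, tag_native: bool = False):
    """VLAN the receiving trunk assigns the frame to, or None when it is discarded."""
    vid, _, _ = parse_tag(frame)
    if vid is None or vid == 0:
        # Untagged, or priority-tagged with VID 0 (802.1Q treats VID 0 as "no VLAN"):
        # the classic rule places it in the native VLAN. With a tagged native VLAN
        # configured on the receiver this model discards it; that is an assumption
        # made for the example, not platform behaviour quoted from the text.
        return None if tag_native else native_vlan
    return vid


def demo():
    """Side by side: default trunk versus one tagging its native VLAN on both ends."""
    native = 1
    payload = b"\x45" + bytes(19)  # constructed stand-in for the start of an IPv4 header
    rows = []
    for tag_native in (False, True):
        for vlan in (native, 10):
            frame = trunk_egress(vlan, payload, native, tag_native)
            rows.append((tag_native, vlan, parse_tag(frame)[0],
                         trunk_ingress(frame, native, tag_native)))
    return rows


if __name__ == "__main__":
    for tag_native, vlan, on_wire, assigned in demo():
        print(f"tag native={tag_native!s:5} vlan={vlan:<3} "
              f"on-wire tag={on_wire!s:5} receiver assigns={assigned}")
```

The last row of the demo is the one the paragraph is about: once both ends tag the native VLAN, a stray untagged frame no longer lands in VLAN 1, because only a frame that explicitly carries VID 1 is placed there.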

      Topology Change Detection

      When a non-edge port on a bridge transitions to the forwarding state—something that can happen if a new switch is added, for example—it notifies other bridges in the topology in order to trigger a reconvergence. The bridge flushes any MAC addresses associated with the port and begins sending BPDUs with the topology change (TC) bit set. It also begins a timer called the TC While timer that's twice the value of its Hello time (by default, the Hello time is 2 seconds, so the TC While timer would be 4 seconds). It continues sending BPDUs with the TC bit set until the TC While timer expires.

      When another bridge receives a BPDU with the TC bit set, it clears its MAC address table for all ports except the port on which it received the BPDU. It begins its own TC While timer and sends BPDUs with the TC bit set out of all of its designated ports and its root port. Eventually, all bridges become aware of the topology change.
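The two paragraphs above describe a small state machine: the originating bridge flushes only the port that changed and starts a TC While timer of twice its Hello time, and every bridge that receives the TC flushes everything except the receiving port, starts its own timer and relays the TC out of its designated and root ports. The following Python simulation, added here and not part of the book, runs that logic over a constructed four-bridge tree (bridges R, A, B, C, ports g1/g2/g3/e1 and the aa:/bb:/cc: MAC addresses are all hypothetical) so you can see which MAC entries survive on each bridge.

```python
from collections import deque

HELLO_TIME = 2.0  # seconds; the IOS default Hello time mentioned in the text


class Bridge:
    def __init__(self, name, root_port, designated_ports, edge_ports, mac_table):
        self.name = name
        self.root_port = root_port                 # port toward the root; None on the root bridge
        self.designated_ports = list(designated_ports)
        self.edge_ports = set(edge_ports)          # edge (PortFast) ports never relay TC BPDUs
        self.mac_table = dict(mac_table)           # MAC -> port it was learned on
        self.tc_while = 0.0                        # seconds left to keep sending TC-set BPDUs
        self.flushed = []                          # MACs removed by this topology change

    def tc_ports(self):
        """Ports a TC-set BPDU is sent out of: all designated ports plus the root port."""
        ports = list(self.designated_ports)
        if self.root_port is not None:
            ports.append(self.root_port)
        return [p for p in ports if p not in self.edge_ports]

    def _drop(self, macs):
        for m in macs:
            del self.mac_table[m]
        self.flushed.extend(macs)
        return macs

    def flush_port(self, port):
        """Originator rule: flush only MACs learned on the port that changed."""
        return self._drop(sorted(m for m, p in self.mac_table.items() if p == port))

    def flush_except(self, keep_port):
        """Receiver rule: flush every MAC except those learned on the port the TC arrived on."""
        return self._drop(sorted(m for m, p in self.mac_table.items() if p != keep_port))


def propagate_tc(bridges, links, origin, new_port, hello=HELLO_TIME):
    """Simulate one topology change: `new_port` on `origin` moved to forwarding.
    `links` maps (bridge, port) -> (neighbor, neighbor_port) in both directions."""
    o = bridges[origin]
    o.flush_port(new_port)
    o.tc_while = 2 * hello
    queue = deque((origin, p) for p in o.tc_ports())
    seen = {origin}  # a bridge already running its TC While timer is not processed twice here
    while queue:
        sender, port = queue.popleft()
        if (sender, port) not in links:
            continue  # port with no modelled neighbour (e.g. the newly attached switch)
        nbr, nbr_port = links[(sender, port)]
        if nbr in seen:
            continue
        seen.add(nbr)
        b = bridges[nbr]
        b.flush_except(nbr_port)
        b.tc_while = 2 * hello
        queue.extend((nbr, p) for p in b.tc_ports())
    return {n: {"tc_while": b.tc_while, "flushed": list(b.flushed), "kept": dict(b.mac_table)}
            for n, b in bridges.items()}


def build_demo():
    """Constructed tree: R is root, A and B hang off R, C hangs off A; e1 ports face hosts."""
    bridges = {
        "R": Bridge("R", None, ["g1", "g2"], [], {"aa:00:01": "g1", "bb:00:01": "g2", "cc:00:01": "g1"}),
        "A": Bridge("A", "g1", ["g2"], ["e1"], {"aa:00:01": "e1", "bb:00:01": "g1", "cc:00:01": "g2"}),
        "B": Bridge("B", "g1", [], ["e1"], {"bb:00:01": "e1", "aa:00:01": "g1"}),
        "C": Bridge("C", "g1", [], ["e1"], {"cc:00:01": "e1", "aa:00:01": "g1"}),
    }
    links = {}
    for x, y in [(("R", "g1"), ("A", "g1")), (("R", "g2"), ("B", "g1")), (("A", "g2"), ("C", "g1"))]:
        links[x], links[y] = y, x
    return bridges, links


def run_demo():
    """A new switch is plugged into A's non-edge port g3, which moves to forwarding."""
    bridges, links = build_demo()
    bridges["A"].designated_ports.append("g3")
    return propagate_tc(bridges, links, "A", "g3")


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(f"{name}: TC While={info['tc_while']}s flushed={info['flushed']} kept={info['kept']}")
```

Note what survives: R keeps the entries it learned through g1, the port on which the TC arrived from A, and only loses bb:00:01, which it had learned through g2. That is the point of the "all ports except the one the BPDU arrived on" rule: hosts on the side of the tree where the change happened are relearned, hosts on the other side are not needlessly flushed.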

      Spanning Tree Extensions

      Cisco has added a few extra features to IOS that let you customize Spanning Tree behavior and prevent loops in certain edge cases:

       Root Guard

       BPDU Guard

       BPDU Filter

       Unidirectional Link Detection and Loop Guard

      Root Guard

      Root Guard is a Spanning Tree extension that prevents another switch from becoming root. This can happen if someone adds a new switch with a lower bridge priority. You configure Root Guard on a per-interface basis. If the switch receives a superior BPDU on the port, it will place the port into a Root Inconsistent state and stop forwarding traffic to or from that port. Enable Root Guard by executing the interface command spanning-tree guard root on any ports that you do not want to become root ports.

       SW1: Gi0/0, Gi0/1

       SW4: Gi1/0, Gi1/1

      Let's configure Root Guard on SW1:

      SW1(config)#int range gi0/0-1
      ! Enable root guard on the interfaces
      SW1(config-if-range)#spanning-tree guard root
      ! Enable Spanning Tree events debugging
      SW1(config-if)#do debug spanning-tree events

      And on SW4:

      SW4(config)#int range gi1/0-1
      ! Enable root guard on the interfaces
      SW4(config-if-range)#spanning-tree guard root
      SW4(config-if-range)#
      *Sep 13 21:40:28.908: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet1/0.
      *Sep 13 21:40:28.921: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet1/1.
      SW4(config-if-range)#do debug spanning-tree events
      Spanning Tree event debugging is on

      SW3 is the current root. Let's attempt to make SW2 the root:

      SW2(config)#spanning-tree vlan 1 priority 0

      SW1 marks its ports facing SW2—Gi0/0 and Gi0/1—as Root Inconsistent:

      Likewise, SW4 blocks its SW2-facing ports, placing them into a Broken (BKN) status:

      SW4(config-if-range)#do show spanning-tree inconsistentports

      Name                 Interface                Inconsistency
      -------------------- ------------------------ ------------------
      VLAN0001             GigabitEthernet1/0       Root Inconsistent
      VLAN0001             GigabitEthernet1/1       Root Inconsistent

      Number of inconsistent ports (segments) in the system : 2

      SW4(config-if-range)#do show span vl 1 | i Gi1/0|Gi1/1
      Gi1/0               Desg BKN*4         128.5    P2p *ROOT_Inc
      Gi1/1               Desg BKN*4         128.6    P2p *ROOT_Inc
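Both the PVST simulation failure earlier in the chapter and the Root Guard event here surface in the same two places: a `%SPANTREE-2-...` syslog line and the `show spanning-tree inconsistentports` table. The Python below, an added example rather than the book's own code, parses both so they can be fed to monitoring. The sample texts are the outputs quoted in this chapter, reflowed one row per line; `parse_inconsistent_ports`, `by_interface` and `parse_spantree_syslog` are names chosen for this example, and the `ROOTGUARD_BLOCK` mnemonic is the one IOS logs when Root Guard actually blocks a port (it is not shown in the chapter's output, which only captured the configuration-change message).

```python
import re
from collections import defaultdict

# Constructed samples: the chapter's outputs, one table row per line.
SW1_OUTPUT = """\
SW1#show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
MST0                 GigabitEthernet0/0       PVST Sim. Inconsistent
MST1                 GigabitEthernet0/0       PVST Sim. Inconsistent
MST2                 GigabitEthernet0/0       PVST Sim. Inconsistent

Number of inconsistent ports (segments) in the system : 3
"""

SW4_OUTPUT = """\
SW4(config-if-range)#do show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet1/0       Root Inconsistent
VLAN0001             GigabitEthernet1/1       Root Inconsistent

Number of inconsistent ports (segments) in the system : 2
"""

SYSLOG_SAMPLES = [
    "*Sep 15 01:01:21.412: %SPANTREE-2-PVSTSIM_FAIL: Blocking root port Gi0/0: "
    "Inconsistent inferior PVST BPDU received on VLAN 7, claiming root 32775:0015.fa88.4e80",
    "*Sep 13 21:40:28.908: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet1/0.",
]

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s*$")
COUNT_RE = re.compile(r"Number of inconsistent ports \(segments\) in the system\s*:\s*(\d+)")
SYSLOG_RE = re.compile(r"%SPANTREE-(\d)-([A-Z_]+):\s*(.*)")
PORT_RE = re.compile(r"\bport (\S+?)[:.]?(?:\s|$)")

# Mnemonics that mean a port stopped forwarding, as opposed to a config change.
BLOCKING_MNEMONICS = {"PVSTSIM_FAIL", "ROOTGUARD_BLOCK"}


def parse_inconsistent_ports(text):
    """Parse the inconsistentports table; also check the rows against the declared count."""
    rows, declared, in_table = [], None, False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True            # rows start after the dashed separator
            continue
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group(1))
            in_table = False
            continue
        if in_table:
            if not line.strip():
                in_table = False       # blank line ends the table
                continue
            r = ROW_RE.match(line)
            if r:
                rows.append({"instance": r.group(1), "interface": r.group(2),
                             "inconsistency": r.group(3)})
    return {"rows": rows, "declared": declared, "count_matches": declared == len(rows)}


def by_interface(rows):
    """Group instances per physical interface: three MST rows may be one blocked link."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["interface"]].append(r["instance"])
    return dict(grouped)


def parse_spantree_syslog(line):
    """Pull severity, mnemonic and port out of a %SPANTREE syslog line; None if not one."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    severity, mnemonic, message = int(m.group(1)), m.group(2), m.group(3)
    p = PORT_RE.search(message)
    return {"severity": severity, "mnemonic": mnemonic, "message": message,
            "port": p.group(1) if p else None, "blocking": mnemonic in BLOCKING_MNEMONICS}


if __name__ == "__main__":
    for name, text in (("SW1", SW1_OUTPUT), ("SW4", SW4_OUTPUT)):
        parsed = parse_inconsistent_ports(text)
        print(name, "declared", parsed["declared"], "rows", len(parsed["rows"]),
              "per interface", by_interface(parsed["rows"]))
    for line in SYSLOG_SAMPLES:
        print(parse_spantree_syslog(line))
```

Grouping by interface is what turns the raw count into something actionable: SW1 reports three inconsistent "ports (segments)" but they are all one physical link, Gi0/0, blocked in every MST instance, whereas SW4's two rows really are two links.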

      BPDU Guard and BPDU Filter

      Although BPDU Guard and BPDU Filter have confusingly similar names, they have opposite effects. BPDU Guard error-disables a port if it receives a BPDU. This is useful if someone accidentally connects a cheap workgroup switch to a port that's meant for an end user. The interface command to enable it is spanning-tree bpduguard enable.

      Rather than issuing this command on every interface, you can issue the global command spanning-tree portfast edge bpduguard default. This will automatically enable BPDU Guard for any interface that has PortFast enabled.

      When an interface is error-disabled, you must reenable it manually by shutting and unshutting the port. Alternatively, you can have IOS automatically reenable the port after a period of time using the following global configuration commands:

      errdisable recovery cause bpduguard
      errdisable recovery interval 30

      BPDU Filter prevents a switch from sending or processing received BPDUs. This effectively ensures that the port is always in a forwarding state, even if it creates a loop. The interface command to unconditionally enable BPDU Filter is spanning-tree bpdufilter enable.

      If you want to enable BPDU Filter only on access ports in PortFast mode, you can instead use the global configuration
