RSTP should be as easy as turning on spanning tree and optionally configuring a priority.
switch(config)# spanning-tree
switch(config)# spanning-tree priority 0
To configure MSTP properly, you need a config name and revision. Then, you can map VLANs to instances.
switch(config)# spanning-tree config-name <config name>
switch(config)# spanning-tree config-revision <config-revision>
switch(config)# spanning-tree instance 1 vlan 1-10
switch(config)# spanning-tree instance 2 vlan 11-20
BPDU protection shuts down the port if it receives a BPDU. This is a good idea to have on all of your access ports. Optionally, configure a timeout to re-enable the port automatically. This is used when running RSTP or MSTP.
switch(config)# spanning-tree <port list> bpdu-protection
switch(config)# spanning-tree bpdu-protection-timeout 120
BPDU filtering discards BPDUs received on a port. This is a dangerous setup, because the port will always remain in the forwarding state and not participate in spanning tree, potentially allowing loops to occur.
switch(config)# spanning-tree <port list> bpdu-filter
Root guard is supported in MSTP or RPVST+ mode. Root guard is similar to BPDU protection or PVST protection. It ensures the root bridge remains the root bridge. Rather than blocking the port when receiving any BPDUs, the port is blocked when the port receives superior BPDUs that could create a topology change. The switch puts the port into a “root-inconsistent” state when it receives superior BPDUs and does not forward traffic. This configuration is recommended on all ports that are not connected to other switches.
switch(config)# spanning-tree <port list> root-guard
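The three port-level settings above can be checked against a saved configuration. The following Python audit is an added example, not code from the original page or from the switch vendor; it assumes config lines use the command forms shown above with numeric port lists, and the sample config and the set of access ports are constructed.

```python
import re

# Constructed sample config using the command forms shown on this page.
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree 1-20 bpdu-protection
spanning-tree 5,7 bpdu-filter
spanning-tree 1-22 root-guard
spanning-tree bpdu-protection-timeout 120
"""

FEATURES = ("bpdu-protection", "bpdu-filter", "root-guard")
LINE_RE = re.compile(r"^spanning-tree\s+([\d,\-]+)\s+(\S+)$")

def expand_ports(port_list):
    """Expand '1-4,7' into {1, 2, 3, 4, 7} (assumption: numeric port names only)."""
    ports = set()
    for part in port_list.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_config(text):
    """Return (stp enabled globally?, {feature: set of ports with that feature})."""
    enabled = {f: set() for f in FEATURES}
    stp_on = False
    for line in text.splitlines():
        line = line.strip()
        if line == "spanning-tree":
            stp_on = True
        m = LINE_RE.match(line)
        if m and m.group(2) in enabled:
            enabled[m.group(2)] |= expand_ports(m.group(1))
    return stp_on, enabled

def audit(text, access_ports):
    """List findings for ports that are not connected to other switches."""
    stp_on, enabled = parse_config(text)
    findings = []
    if not stp_on:
        findings.append("spanning tree is not enabled globally")
    for port in sorted(access_ports):
        if port in enabled["bpdu-filter"]:
            findings.append(f"port {port}: bpdu-filter enabled")
        if port not in enabled["bpdu-protection"]:
            findings.append(f"port {port}: bpdu-protection missing")
        if port not in enabled["root-guard"]:
            findings.append(f"port {port}: root-guard missing")
    return findings
```

Calling `audit(SAMPLE_CONFIG, set(range(1, 23)))` reports the two filtered ports and the two access ports left without BPDU protection.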
BPDU throttling is enabled by default to prevent a malicious or poorly configured device from DDoS-ing the switch. The default rate is 256 pps but can be changed.
STP Loop Guard
STP loop guard helps detect failures in the case of a unidirectional link. It places the port into a “loop inconsistent” state when this failure mode occurs. This should typically be used on switch-to-switch links. When using loop guard in MST mode, you enable it for the whole port, but it works on an instance-by-instance basis.
Loop protection helps identify and protect your network from loops created by devices that spanning tree cannot detect. For example, some small workgroup switches are known to simply drop BPDUs. In this case, this small workgroup switch could create a loop and your network would be unaware.
By default, loop protect uses port mode. The ports send loop protection packets every 5 seconds, and if a port receives a loop protection packet that it sent, the switch knows there is a loop in the network. The default action in this case is send-disable, in which the sending port is disabled. Alternatively, the port can be set to the no-disable option, which logs the infraction but does not disable the port.
Loop protection packets are sent untagged and will only be transmitted on ports where loop protection is enabled and there is an untagged VLAN configured. If you need to send VLAN tagged packets for loop protection, enable loop protect VLAN mode.
switch(config)# loop-protect mode port
switch(config)# loop-protect <port list>

switch(config)# loop-protect mode vlan
switch(config)# loop-protect <port list>
Unidirectional Link Detection (UDLD) helps identify unidirectional links and shut them down. The switches on either end send their device ID and port ID as well as their neighbor's ID and port ID. If the switch detects a unidirectional link, the port will be blocked. By default, these packets are sent untagged. If there are no untagged VLANs on the port with UDLD enabled, you will need to specify which VLAN to transmit them on.
switch(config)# interface <#> link-keepalive
switch(config)# interface <#> link-keepalive vlan <vlan id>
Rapid PVST+ Support
To configure RPVST+ and set some VLAN priorities, execute the following commands. Remember, you also need to enable spanning-tree itself.
switch(config)# spanning-tree mode rapid-pvst
switch(config)# spanning-tree vlan 4 priority 0
switch(config)# spanning-tree vlan 6 priority 1
switch(config)# spanning-tree
PVST protection is similar to BPDU protection, but for switches running RPVST+. It also supports a timeout.
switch(config)# spanning-tree <port list> pvst-protection
switch(config)# spanning-tree bpdu-protection-timeout 120