09-18-2024 11:42 AM - edited 09-18-2024 11:43 AM
What is the best practice when it comes to using DAI, UDLD, and BPDU Guard together?
Usually, on trunk ports I set DAI to "trusted" when they feed other managed switches or equipment, but for endpoints I have it set to untrusted for anything else.
With UDLD and BPDU Guard, should these be enabled together on ports that have endpoints and access points? Also, should UDLD be enabled on trunk ports feeding other switches or firewalls?
What is the best way to use UDLD and BPDU Guard together for access ports and trunk ports? I know I wouldn't use BPDU Guard on a trunk port that feeds another switch. Any insight would be greatly appreciated for port security and reliability.
09-18-2024 12:12 PM - edited 09-18-2024 12:13 PM
UDLD works through the exchange of protocol packets between the neighboring devices. It is for fiber optics. In order for UDLD to work, both devices on the link must support UDLD and have it enabled on the respective ports.
Each switch port configured for UDLD sends UDLD protocol packets that contain the port device/port ID, and the neighbor device/port IDs seen by UDLD on that port. Neighboring ports see their own device/port ID (echo) in the packets received from the other side. If the port does not see its own device/port ID in the incoming UDLD packets for a specific duration of time, the link is considered unidirectional. Once the unidirectional link is detected by UDLD, the respective port is disabled and shows an error.
So for UDLD, both devices should support it, and it doesn't matter whether it is an access or trunk port.
BPDU Guard is a security feature that can be used to prevent rogue devices from compromising the network. BPDU Guard should be disabled on trunk ports; otherwise the switch disables the port and puts it in error-disabled state.
09-18-2024 05:22 PM
@Senbonzakura wrote:
What is the best practice when it comes to using DAI, UDLD, and BPDU Guard together?
UDLD:
1. Use UDLD on fibre optic ports ONLY -- Never use UDLD on copper ports.
2. Never enable auto-recovery of ports in error-disable due to UDLD. It is counterproductive. Think about it: If auto-recovery is turned on, then why enable UDLD in the first place?
BPDU Guard:
1. BPDU Guard on access ports only.
2. Do not enable auto-recovery of ports in error-disable due to BPDU Guard. If someone wants to enable auto-recovery, then turn OFF BPDU Guard altogether -- An STP storm is better than a straining switch.
09-18-2024 09:41 PM - edited 09-18-2024 09:43 PM
Hello @Senbonzakura
Access Ports:
- DAI: Untrusted (default) for security.
- BPDU Guard: Enabled to prevent rogue devices from introducing loops via BPDUs.
Trunk Ports:
- DAI: Trusted. Trunks typically carry legitimate ARP traffic.
- UDLD: Enabled in case of Fiber Optic link (preferably in aggressive mode).
- BPDU Guard: Disabled. Trunk ports should exchange BPDUs to maintain STP.
To go further:
UDLD Aggressive Mode is more suitable for critical links because it will disable a port if it detects a unidirectional condition. Use this on critical links like inter-switch fiber-optic connections.
BPDU Guard on Portfast Ports... If you're using PortFast on access ports, enabling BPDU Guard is especially important to avoid misconfigurations from end devices causing network instability.
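As an added example (not configuration posted by anyone in this thread), here is what the access-port and trunk-port recommendations above look like as a Cisco IOS configuration; interface names, VLAN 10 and descriptions are hypothetical, and DAI is shown with the DHCP snooping it depends on for its binding table.

```text
! Global: DAI (and the DHCP snooping bindings it validates against) on the user VLAN.
! Err-disable recovery is deliberately left at its default (off) for udld and bpduguard.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Access port toward an endpoint or access point (hypothetical interface):
! DAI untrusted (the default), PortFast, BPDU Guard enabled, no UDLD.
interface GigabitEthernet1/0/5
 description endpoint-or-AP (hypothetical)
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Fiber trunk toward another managed switch (hypothetical interface):
! DAI and DHCP snooping trusted, UDLD aggressive, BPDU Guard explicitly off so BPDUs flow.
interface TenGigabitEthernet1/1/1
 description uplink-to-distribution-switch (hypothetical)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 udld port aggressive
 spanning-tree bpduguard disable
!
! Verification after applying the above:
! show ip arp inspection interfaces        (trust state per port)
! show udld neighbors                      (bidirectional state on the fiber trunk)
! show spanning-tree interface gi1/0/5 detail   (portfast / bpduguard flags)
! show interfaces status err-disabled      (ports shut by UDLD or BPDU Guard)
```

If you prefer the global form, `spanning-tree portfast bpduguard default` enables BPDU Guard on every PortFast-enabled port instead of per interface; the trunk still needs no PortFast, so it is unaffected.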
09-19-2024 06:36 AM
Hello @Senbonzakura ,
>> With UDLD and BPDU Guard, should these be enabled together on ports that have endpoints and access points? Also, should UDLD be enabled on trunk ports feeding other switches or firewalls?
UDLD is a Cisco proprietary protocol that should be used on inter-switch links between Cisco switches configured for it.
I don't think UDLD is supported on Firewalls or Routers.
UDLD is not needed on access ports toward end user workstations.
DAI untrusted + BPDU Guard is a good choice for access ports.
Usually access ports have to be configured for portfast. This is especially important if you use Rapid PVST or MST; it helps to achieve fast convergence.
Hope to help
Giuseppe