
CCNP 3: Multilayer Switching v 4.0 - Lab 2.3.7.1. Copyright 2005, Cisco Systems, Inc. Modified by Rick Graziani, Cabrillo College, for NetLab (9/2/2006).

The following lab is a combination of these labs:
Lab 3.2.5.1 Spanning-Tree Protocol (STP) Default Behavior
Lab 3.2.5.3 Advanced PVST+ Configuration
Lab 3.2.5.4 Per-VLAN Spanning-Tree Load Balancing

Spanning-Tree Protocol (STP)


This lab uses the NetLab Advanced Switch Pod topology. Not all of the equipment or interfaces are used in this lab exercise.

Note: Some STP outputs may differ slightly depending upon IOS version.

Step 1: Initial Configuration


Switch#config terminal
Switch(config)#hostname Core
Core(config)#line con 0
Core(config-line)#logging synchronous
Core(config-line)#exec-timeout 0 0

Switch#config terminal
Switch(config)#hostname Distribution1
Distribution1(config)#line con 0
Distribution1(config-line)#logging synchronous
Distribution1(config-line)#exec-timeout 0 0

Switch#config terminal
Switch(config)#hostname Distribution2
Distribution2(config)#line con 0
Distribution2(config-line)#logging synchronous
Distribution2(config-line)#exec-timeout 0 0

Switch#config terminal
Switch(config)#hostname Access1
Access1(config)#line con 0
Access1(config-line)#logging synchronous
Access1(config-line)#exec-timeout 0 0

Switch#config terminal
Switch(config)#hostname Access2
Access2(config)#line con 0
Access2(config-line)#logging synchronous
Access2(config-line)#exec-timeout 0 0

Step 2: Default STP (PVST+) Behavior


After the cables are connected and the switch detects the redundant links, spanning tree will be initiated. By default, spanning tree will run on every port. When a new link becomes active, the port will go through the Listening, Learning, and Forwarding states before it becomes active. During this period, the switch will discover whether it is connected to another switch or to an end-user device.

If another switch is detected, the two switches will begin creating a spanning tree. One of the switches will be elected as the root of the tree. Then an agreement will be established as to which links to keep active and which links to disable if multiple links exist.

Notice that between two switches, one of the two ports will be set to blocking. Blocking could occur on the access layer switch or the distribution layer switch. If all ports have their default setting, then the higher MAC address of the two ports is set to blocking. The switch port is in the blocking state because it detected two links between the same switches. This would result in a bridge loop unless the switch logically disables one link.

Use the show spanning-tree and show spanning-tree detail commands to map out which ports are in forwarding mode and which ones are blocking. This will show you the paths Ethernet frames will take within this LAN.

Note: The actual priority value is one less than what is shown. The default priority is 32768, but show spanning-tree will display 32769, priority plus the System ID Extension of 1.

Core
Core#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             Cost        23
             Port        49 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.2490.1380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Root FWD 4         128.49   P2p
Gi0/2            Altn BLK 4         128.50   P2p
Core#

Core#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 000f.2490.1380
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32769, address 0009.7c0b.e7c0
  Root port is 49 (GigabitEthernet0/1), cost of root path is 23
  Topology change flag not set, detected flag not set
  Number of topology changes 0 last change occurred 00:14:21 ago
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300
 Port 49 (GigabitEthernet0/1) of VLAN0001 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.49.
   Designated root has priority 32769, address 0009.7c0b.e7c0
   Designated bridge has priority 32769, address 000b.fd13.9080
   Designated port id is 128.25, designated path cost 19
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 0, received 430
 Port 50 (GigabitEthernet0/2) of VLAN0001 is blocking
   Port path cost 4, Port priority 128, Port Identifier 128.50.
   Designated root has priority 32769, address 0009.7c0b.e7c0
   Designated bridge has priority 32769, address 000b.fd13.cd80
   Designated port id is 128.26, designated path cost 19
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   BPDU: sent 1, received 432
Core#

Example of Mapping the Core Switch

Distribution1
Distribution1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             Cost        19
             Port        3 (FastEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.fd13.9080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK        19 32769 000b.befa.eec0 128.1
Fa0/2            128.2           19 BLK        19 32769 000b.befa.eec0 128.2
Fa0/3            128.3           19 FWD         0 32769 0009.7c0b.e7c0 128.1
Fa0/4            128.4           19 BLK         0 32769 0009.7c0b.e7c0 128.2
Fa0/5            128.5           19 FWD        19 32769 000b.fd13.9080 128.5
Gi0/1            128.25           4 FWD        19 32769 000b.fd13.9080 128.25
Gi0/2            128.26           4 BLK        19 32769 000b.befa.eec0 128.26

Distribution1#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 000b.fd13.9080
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32769, address 0009.7c0b.e7c0
  Root port is 3 (FastEthernet0/3), cost of root path is 19
  Topology change flag not set, detected flag not set
  Number of topology changes 7 last change occurred 00:14:34 ago
          from GigabitEthernet0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Distribution2
Distribution2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             Cost        19
             Port        3 (FastEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.fd13.cd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK        19 32769 000b.befa.eec0 128.3
Fa0/2            128.2           19 BLK        19 32769 000b.befa.eec0 128.4
Fa0/3            128.3           19 FWD         0 32769 0009.7c0b.e7c0 128.3
Fa0/4            128.4           19 BLK         0 32769 0009.7c0b.e7c0 128.4
Fa0/5            128.5           19 BLK        19 32769 000b.fd13.9080 128.5
Fa0/24           128.24          19 FWD        19 32769 000b.fd13.cd80 128.24
Gi0/1            128.25           4 BLK        19 32769 000b.befa.eec0 128.25
Gi0/2            128.26           4 FWD        19 32769 000b.fd13.cd80 128.26

Distribution2#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 000b.fd13.cd80
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32769, address 0009.7c0b.e7c0
  Root port is 3 (FastEthernet0/3), cost of root path is 19
  Topology change flag not set, detected flag not set
  Number of topology changes 20 last change occurred 00:15:20 ago
          from GigabitEthernet0/2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Access1
Access1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             Cost        19
             Port        5 (FastEthernet0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.befa.eec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD        19 32769 000b.befa.eec0 128.1
Fa0/2            128.2           19 FWD        19 32769 000b.befa.eec0 128.2
Fa0/3            128.3           19 FWD        19 32769 000b.befa.eec0 128.3
Fa0/4            128.4           19 FWD        19 32769 000b.befa.eec0 128.4
Fa0/5            128.5           19 FWD         0 32769 0009.7c0b.e7c0 128.5
Gi0/1            128.25           4 FWD        19 32769 000b.befa.eec0 128.25
Gi0/2            128.26           4 FWD        19 32769 000b.befa.eec0 128.26

Access1#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 000b.befa.eec0
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32769, address 0009.7c0b.e7c0
  Root port is 5 (FastEthernet0/5), cost of root path is 19
  Topology change flag not set, detected flag not set
  Number of topology changes 5 last change occurred 00:36:49 ago
          from GigabitEthernet0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Access2
Access2# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

Access2# show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 0009.7c0b.e7c0
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 5 last change occurred 00:16:57 ago
          from FastEthernet0/3
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Step 3: Modifying STP to make the Core Switch the Root Bridge
Configure the Core switch to be the primary Root Bridge. This will also lower the bridge priority automatically.

The switch with the lowest Bridge ID (BID) becomes the root bridge. The BID consists of the root bridge priority and the MAC address assigned to the switch. Since all switches default to a root bridge priority of 32768, the switch with the lowest MAC address becomes the Root Bridge. The BID is not a real number: the root bridge priority is expressed in decimal form and the MAC address is expressed in hexadecimal. The default bridge priority has a value of 32768. The current Root Bridge in the above sample output is ALSwitch2 because it has a lower MAC address.

The root bridge priority is at the beginning of the BID. The bridge priority is a very large number. The root bridge priority will always determine the length of the BID because the MAC address is a fixed length.

Newer Cisco switches default to PVST+. VLAN 1 will be used for this configuration. The available priority value range is 0 to 61440 in increments of 4096. The default value is 32768. The lower the number, the more likely the switch will be chosen as the root switch. Valid priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.

For Catalyst 3550 switches with the extended system ID (release 12.1(8)EA1 and later), the spanning-tree vlan 1 root primary command can be used to set the switch priority to 24576. If all other switches in the VLAN have the default priority, this switch will become the root bridge for VLAN 1.

Verify the current spanning tree information for the Core switch.
Core#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             Cost        23
             Port        49 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.2490.1380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Root FWD 4         128.49   P2p
Gi0/2            Altn BLK 4         128.50   P2p

Again, all switches default to a root bridge priority of 32768, so the switch with the lowest MAC address becomes the Root Bridge. We can change which switch becomes the Root Bridge by lowering the root bridge priority of the switch we want to be the Root. There are two ways to modify the root bridge priority of a switch to make it the Root Bridge.
Core(config)#spanning-tree vlan 1 ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>

Note: Either one of these commands will configure the Core switch as the Root Bridge
Core(config)#spanning-tree vlan 1 root primary
or
Core(config)#spanning-tree vlan 1 priority 4096

Use the following command to make the Core switch the Root Bridge.
Core(config)#spanning-tree vlan 1 root primary

Use the show spanning-tree command to verify that the Core switch became the Root Bridge and the Bridge Priority changed to 24576 as shown in the sample output below.

Core#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000f.2490.1380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.49   P2p
Gi0/2            Desg FWD 4         128.50   P2p
Core#

Core#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 24576, sysid 1, address 000f.2490.1380
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 1 last change occurred 00:01:14 ago
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 1, topology change 0, notification 0, aging 300

Make Distribution1 switch the secondary or backup Root Bridge.


Distribution1(config)#spanning-tree vlan 1 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root

Distribution1(config)#spanning-tree vlan 1 root secondary
 vlan 1 bridge priority set to 28672
 vlan 1 bridge max aging time unchanged at 20
 vlan 1 bridge hello time unchanged at 2
 vlan 1 bridge forward delay unchanged at 15

Use the show spanning-tree and show spanning-tree detail commands to map out which ports are in forwarding mode and which ones are blocking. This will show you the paths Ethernet frames will take within this LAN. (Some parts of the outputs have been omitted for brevity.)

Distribution1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    28673  (priority 28672 sys-id-ext 1)
             Address     000b.fd13.9080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         4 28673 000b.fd13.9080 128.1
Fa0/2            128.2           19 FWD         4 28673 000b.fd13.9080 128.2
Fa0/3            128.3           19 FWD         4 28673 000b.fd13.9080 128.3
Fa0/4            128.4           19 FWD         4 28673 000b.fd13.9080 128.4
Fa0/5            128.5           19 FWD         4 28673 000b.fd13.9080 128.5
Gi0/1            128.25           4 FWD         0 24577 000f.2490.1380 128.49
Gi0/2            128.26           4 FWD         4 28673 000b.fd13.9080 128.26

Distribution1#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 28672, sysid 1, address 000b.fd13.9080
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 24577, address 000f.2490.1380
  Root port is 25 (GigabitEthernet0/1), cost of root path is 4
  Topology change flag not set, detected flag not set
  Number of topology changes 9 last change occurred 00:04:47 ago
          from FastEthernet0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Distribution2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        4
             Port        26 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.fd13.cd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         4 32769 000b.fd13.cd80 128.1
Fa0/2            128.2           19 FWD         4 32769 000b.fd13.cd80 128.2
Fa0/3            128.3           19 FWD         4 32769 000b.fd13.cd80 128.3
Fa0/4            128.4           19 FWD         4 32769 000b.fd13.cd80 128.4
Fa0/5            128.5           19 BLK         4 28673 000b.fd13.9080 128.5
Fa0/24           128.24          19 BLK         0 24577 000f.2490.1380 128.24
Gi0/1            128.25           4 FWD         4 32769 000b.fd13.cd80 128.25
Gi0/2            128.26           4 FWD         0 24577 000f.2490.1380 128.50

Distribution2#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 000b.fd13.cd80
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 24577, address 000f.2490.1380
  Root port is 26 (GigabitEthernet0/2), cost of root path is 4
  Topology change flag not set, detected flag not set
  Number of topology changes 14 last change occurred 00:09:25 ago
          from FastEthernet0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300


Access1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        8
             Port        26 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.befa.eec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK         4 28673 000b.fd13.9080 128.1
Fa0/2            128.2           19 BLK         4 28673 000b.fd13.9080 128.2
Fa0/3            128.3           19 BLK         4 32769 000b.fd13.cd80 128.1
Fa0/4            128.4           19 BLK         4 32769 000b.fd13.cd80 128.2
Fa0/5            128.5           19 FWD         8 32769 000b.befa.eec0 128.5
Gi0/1            128.25           4 BLK         4 32769 000b.fd13.cd80 128.25
Gi0/2            128.26           4 FWD         4 28673 000b.fd13.9080 128.26

Access1#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 000b.befa.eec0
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 24577, address 000f.2490.1380
  Root port is 26 (GigabitEthernet0/2), cost of root path is 8
  Topology change flag not set, detected flag not set
  Number of topology changes 6 last change occurred 00:10:39 ago
          from FastEthernet0/2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Access2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c0b.e7c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p

Access2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        23
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
Fa0/3            Altn BLK 19        128.3    P2p
Fa0/4            Altn BLK 19        128.4    P2p
Fa0/5            Altn BLK 19        128.5    P2p

Access2#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address 0009.7c0b.e7c0
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 24577, address 000f.2490.1380
  Root port is 1 (FastEthernet0/1), cost of root path is 23
  Topology change flag not set, detected flag not set
  Number of topology changes 5 last change occurred 00:11:20 ago
          from FastEthernet0/5
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300


Per-VLAN Spanning Tree Load Balancing


Reset network to make Access2 once again the default Root Bridge.
Core(config)#no spanning-tree vlan 1 root primary

Note: We will make the Core switch the Root Bridge for VLAN 1 once again. The command above is only so we can start from the beginning.
Distribution1(config)#no spanning-tree vlan 1 root secondary

Step 4: Create the VTP Domain and VLANs


Make the Core switch the VTP server and all other switches VTP clients. Create VLANs 10 Accounting and 20 Marketing.
Core#vlan database
Core(vlan)#vtp domain CORP
Changing VTP domain name from NULL to CORP
Core(vlan)#vtp server
Device mode already VTP SERVER.
Core(vlan)#vlan 10 name Accounting
VLAN 10 added:
    Name: Accounting
Core(vlan)#vlan 20 name Marketing
VLAN 20 added:
    Name: Marketing
Core(vlan)#exit
APPLY completed.
Exiting....
Core#

Distribution1#vlan database
Distribution1(vlan)#vtp client
Setting device to VTP CLIENT mode.
Distribution1(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....
Distribution1#

Distribution2#vlan database
Distribution2(vlan)#vtp client
Setting device to VTP CLIENT mode.
Distribution2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....
Distribution2#

Access1#vlan database
Access1(vlan)#vtp client
Setting device to VTP CLIENT mode.
Access1(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....
Access1#

Access2#vlan database
% Warning: It is recommended to configure VLAN from config mode,
  as VLAN database mode is being deprecated. Please consult user
  documentation for configuring VTP/VLAN in config mode.
Access2(vlan)#vtp client
Setting device to VTP CLIENT mode.
Access2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....
Access2#

Step 5: Configure Three Root Bridges, One for Each VLAN


The Core switch will be the Root Bridge for VLAN 1. Make Distribution1 switch the Root Bridge for VLAN 10 and Distribution2 switch the Root Bridge for VLAN 20.

Core: VLAN 1 Root Bridge


Core(config)#spanning-tree vlan 1 root primary

Distribution1: VLAN 10 Root Bridge


Distribution1(config)#spanning-tree vlan 10 root primary
 vlan 10 bridge priority set to 24576
 vlan 10 bridge max aging time unchanged at 20
 vlan 10 bridge hello time unchanged at 2
 vlan 10 bridge forward delay unchanged at 15
Distribution1(config)#

Distribution2: VLAN 20 Root Bridge


Distribution2(config)#spanning-tree vlan 20 root primary
 vlan 20 bridge priority set to 24576
 vlan 20 bridge max aging time unchanged at 20
 vlan 20 bridge hello time unchanged at 2
 vlan 20 bridge forward delay unchanged at 15
Distribution2(config)#
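The election rule from Step 3 and the per-VLAN roots configured in Step 5 can be checked with a small model. This is an added example, not part of the Cisco lab: the MAC addresses are copied from the sample output, the Step 5 priorities are the ones the Step 5 sample output displays (4096 for VLANs 10 and 20), and all function and variable names are this example's own.

```python
"""Root bridge election for the five lab switches (added example, not lab code)."""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
# With the extended system ID only 0..61440 in steps of 4096 are accepted.
VALID_PRIORITIES = frozenset(range(0, 61441, 4096))

# MAC addresses copied from the lab's sample output.
LAB_MACS = {
    "Core": "000f.2490.1380",
    "Distribution1": "000b.fd13.9080",
    "Distribution2": "000b.fd13.cd80",
    "Access1": "000b.befa.eec0",
    "Access2": "0009.7c0b.e7c0",
}


@dataclass
class Bridge:
    name: str
    mac: str
    priorities: dict = field(default_factory=dict)  # {vlan: configured priority}

    def displayed_priority(self, vlan):
        """Priority as show spanning-tree prints it: configured value + sys-id-ext."""
        configured = self.priorities.get(vlan, DEFAULT_PRIORITY)
        if configured not in VALID_PRIORITIES:
            raise ValueError(f"{self.name}: {configured} is not 0..61440 in steps of 4096")
        return configured + vlan

    def bridge_id(self, vlan):
        """Tuple that orders like the BID: priority first, MAC as the tie-breaker."""
        return (self.displayed_priority(vlan), int(self.mac.replace(".", ""), 16))


def lab_bridges(overrides=None):
    """Build the five lab switches; overrides is {switch name: {vlan: priority}}."""
    overrides = overrides or {}
    return [Bridge(n, m, dict(overrides.get(n, {}))) for n, m in LAB_MACS.items()]


def elect_root(bridges, vlan):
    """The bridge with the numerically lowest BID wins the election for this VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def unexpected_roots(bridges, intended):
    """Return {vlan: elected switch} for every VLAN whose root is not the intended one."""
    found = {}
    for vlan, want in intended.items():
        got = elect_root(bridges, vlan).name
        if got != want:
            found[vlan] = got
    return found


# Step 2: all defaults. Step 3: root primary on Core, root secondary on Distribution1.
STEP2 = lab_bridges()
STEP3 = lab_bridges({"Core": {1: 24576}, "Distribution1": {1: 28672}})
# Step 5: priorities as they appear in the Step 5 sample output.
STEP5 = lab_bridges({
    "Core": {1: 24576},
    "Distribution1": {10: 4096},
    "Distribution2": {20: 4096},
})
INTENDED = {1: "Core", 10: "Distribution1", 20: "Distribution2"}

if __name__ == "__main__":
    for label, bridges in (("Step 2", STEP2), ("Step 3", STEP3), ("Step 5", STEP5)):
        for vlan in INTENDED:
            root = elect_root(bridges, vlan)
            print(f"{label} VLAN {vlan}: root {root.name} "
                  f"priority {root.displayed_priority(vlan)} address {root.mac}")
        print(f"{label} roots not where intended: {unexpected_roots(bridges, INTENDED)}")
```

With every switch at its default priority the access switch with the lowest MAC address wins every VLAN, which is the situation Step 3 and Step 5 correct.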


Use the show spanning-tree and show spanning-tree detail commands to map out which ports are in forwarding mode and which ones are blocking for VLAN 1, VLAN 10 and VLAN 20. This will show you the paths Ethernet frames will take for each VLAN.

Core
Core#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     000f.2490.1380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Desg FWD 19        128.24   P2p
Gi0/1            Desg FWD 4         128.49   P2p
Gi0/2            Desg FWD 4         128.50   P2p

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     000b.fd13.9080
             Cost        4
             Port        49 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000f.2490.1380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Desg FWD 19        128.24   P2p
Gi0/1            Root FWD 4         128.49   P2p
Gi0/2            Desg FWD 4         128.50   P2p

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     000b.fd13.cd80
             Cost        4
             Port        50 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000f.2490.1380
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Altn BLK 19        128.24   P2p
Gi0/1            Desg FWD 4         128.49   P2p
Gi0/2            Root FWD 4         128.50   P2p
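The mapping exercise can be automated for the Role/Sts table layout that the Core switch prints. This added example (not part of the lab and not Cisco code) parses that layout, lists the blocked ports per VLAN and compares each VLAN's root address with the root intended in Step 5; the sample text is an abridged copy of the Core output above, the names are this example's own, and the older Port ID/Designated layout printed by the other switches is not handled.

```python
import re

# Abridged copy of the Core switch's Step 5 output (timer lines left out).
CORE_STEP5 = """\
VLAN0001
  Root ID    Priority    24577
             Address     000f.2490.1380
             This bridge is the root
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/24           Desg FWD 19        128.24   P2p
Gi0/1            Desg FWD 4         128.49   P2p
Gi0/2            Desg FWD 4         128.50   P2p
VLAN0010
  Root ID    Priority    4106
             Address     000b.fd13.9080
             Cost        4
             Port        49 (GigabitEthernet0/1)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/24           Desg FWD 19        128.24   P2p
Gi0/1            Root FWD 4         128.49   P2p
Gi0/2            Desg FWD 4         128.50   P2p
VLAN0020
  Root ID    Priority    4116
             Address     000b.fd13.cd80
             Cost        4
             Port        50 (GigabitEthernet0/2)
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/24           Altn BLK 19        128.24   P2p
Gi0/1            Desg FWD 4         128.49   P2p
Gi0/2            Root FWD 4         128.50   P2p
"""

# Root addresses intended by Step 5 (Core, Distribution1, Distribution2).
EXPECTED_ROOTS = {1: "000f.2490.1380", 10: "000b.fd13.9080", 20: "000b.fd13.cd80"}

VLAN_RE = re.compile(r"^VLAN(\d+)$")
PORT_RE = re.compile(
    r"^(?P<name>[A-Za-z]+[\d/]+)\s+(?P<role>Root|Desg|Altn|Back)\s+"
    r"(?P<sts>FWD|BLK|LIS|LRN)\s+(?P<cost>\d+)\s+(?P<port_id>\d+\.\d+)\s+\S+")


def parse_show_spanning_tree(text):
    """Return {vlan: {root_priority, root_address, is_root, ports{name: (role, sts)}}}."""
    vlans, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            current = {"root_priority": None, "root_address": None,
                       "is_root": False, "ports": {}}
            vlans[int(m.group(1))] = current
            section = None
            continue
        if current is None or not line:
            continue
        # "Root ID" / "Bridge ID" open a section; only the Root ID values are kept.
        for label in ("Root ID", "Bridge ID"):
            if line.startswith(label):
                section, line = label, line[len(label):].strip()
        words = line.split()
        if section == "Root ID" and words:
            if words[0] == "Priority":
                current["root_priority"] = int(words[1])
            elif words[0] == "Address":
                current["root_address"] = words[1]
            elif line == "This bridge is the root":
                current["is_root"] = True
        m = PORT_RE.match(line)
        if m:
            current["ports"][m["name"]] = (m["role"], m["sts"])
    return vlans


def blocked_ports(vlans):
    """Return {vlan: sorted names of ports in the BLK state}."""
    return {v: sorted(p for p, (_, sts) in d["ports"].items() if sts == "BLK")
            for v, d in vlans.items()}


def root_mismatches(vlans, expected):
    """Return {vlan: observed root address (None if VLAN absent)} where it differs."""
    observed = {v: vlans.get(v, {}).get("root_address") for v in expected}
    return {v: got for v, got in observed.items() if got != expected[v]}


if __name__ == "__main__":
    parsed = parse_show_spanning_tree(CORE_STEP5)
    print("blocked ports:", blocked_ports(parsed))
    print("root mismatches:", root_mismatches(parsed, EXPECTED_ROOTS))
```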

Distribution1
Distribution1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.fd13.9080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         4 32769 000b.fd13.9080 128.1
Fa0/2            128.2           19 FWD         4 32769 000b.fd13.9080 128.2
Fa0/3            128.3           19 FWD         4 32769 000b.fd13.9080 128.3
Fa0/4            128.4           19 FWD         4 32769 000b.fd13.9080 128.4
Fa0/5            128.5           19 FWD         4 32769 000b.fd13.9080 128.5
Gi0/1            128.25           4 FWD         0 24577 000f.2490.1380 128.49
Gi0/2            128.26           4 FWD         4 32769 000b.fd13.9080 128.26

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     000b.fd13.9080
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
             Address     000b.fd13.9080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         0 4106 000b.fd13.9080  128.1
Fa0/2            128.2           19 FWD         0 4106 000b.fd13.9080  128.2
Fa0/3            128.3           19 FWD         0 4106 000b.fd13.9080  128.3
Fa0/4            128.4           19 FWD         0 4106 000b.fd13.9080  128.4
Fa0/5            128.5           19 FWD         0 4106 000b.fd13.9080  128.5
Gi0/1            128.25           4 FWD         0 4106 000b.fd13.9080  128.25
Gi0/2            128.26           4 FWD         0 4106 000b.fd13.9080  128.26

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     000b.fd13.cd80
             Cost        8
             Port        26 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000b.fd13.9080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK         4 32788 000b.befa.eec0 128.1
Fa0/2            128.2           19 BLK         4 32788 000b.befa.eec0 128.2
Fa0/3            128.3           19 FWD         8 32788 000b.fd13.9080 128.3
Fa0/4            128.4           19 FWD         8 32788 000b.fd13.9080 128.4
Fa0/5            128.5           19 BLK         0 4116 000b.fd13.cd80  128.5
Gi0/1            128.25           4 BLK         4 32788 000f.2490.1380 128.49
Gi0/2            128.26           4 FWD         4 32788 000b.befa.eec0 128.26

Distribution2
Distribution2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        4
             Port        26 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.fd13.cd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         4 32769 000b.fd13.cd80 128.1
Fa0/2            128.2           19 FWD         4 32769 000b.fd13.cd80 128.2
Fa0/3            128.3           19 FWD         4 32769 000b.fd13.cd80 128.3
Fa0/4            128.4           19 FWD         4 32769 000b.fd13.cd80 128.4
Fa0/5            128.5           19 BLK         4 32769 000b.fd13.9080 128.5
Fa0/24           128.24          19 BLK         0 24577 000f.2490.1380 128.24
Gi0/1            128.25           4 FWD         4 32769 000b.fd13.cd80 128.25
Gi0/2            128.26           4 FWD         0 24577 000f.2490.1380 128.50

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     000b.fd13.9080
             Cost        8
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.fd13.cd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK         4 32778 000b.befa.eec0 128.3
Fa0/2            128.2           19 BLK         4 32778 000b.befa.eec0 128.4
Fa0/3            128.3           19 FWD         8 32778 000b.fd13.cd80 128.3
Fa0/4            128.4           19 FWD         8 32778 000b.fd13.cd80 128.4
Fa0/5            128.5           19 BLK         0 4106 000b.fd13.9080  128.5
Fa0/24           128.24          19 BLK         4 32778 000f.2490.1380 128.24
Gi0/1            128.25           4 FWD         4 32778 000b.befa.eec0 128.25
Gi0/2            128.26           4 BLK         4 32778 000f.2490.1380 128.50

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     000b.fd13.cd80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4116   (priority 4096 sys-id-ext 20)
             Address     000b.fd13.cd80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         0 4116 000b.fd13.cd80  128.1
Fa0/2            128.2           19 FWD         0 4116 000b.fd13.cd80  128.2
Fa0/3            128.3           19 FWD         0 4116 000b.fd13.cd80  128.3
Fa0/4            128.4           19 FWD         0 4116 000b.fd13.cd80  128.4
Fa0/5            128.5           19 FWD         0 4116 000b.fd13.cd80  128.5
Fa0/24           128.24          19 FWD         0 4116 000b.fd13.cd80  128.24
Gi0/1            128.25           4 FWD         0 4116 000b.fd13.cd80  128.25
Gi0/2            128.26           4 FWD         0 4116 000b.fd13.cd80  128.26

Access1
Access1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        8
             Port        26 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.befa.eec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK         4 32769 000b.fd13.9080 128.1
Fa0/2            128.2           19 BLK         4 32769 000b.fd13.9080 128.2
Fa0/3            128.3           19 BLK         4 32769 000b.fd13.cd80 128.1
Fa0/4            128.4           19 BLK         4 32769 000b.fd13.cd80 128.2
Fa0/5            128.5           19 FWD         8 32769 000b.befa.eec0 128.5
Gi0/1            128.25           4 BLK         4 32769 000b.fd13.cd80 128.25
Gi0/2            128.26           4 FWD         4 32769 000b.fd13.9080 128.26

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     000b.fd13.9080
             Cost        4
             Port        26 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000b.befa.eec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 BLK         0 4106  000b.fd13.9080 128.1
Fa0/2            128.2           19 BLK         0 4106  000b.fd13.9080 128.2
Fa0/3            128.3           19 FWD         4 32778 000b.befa.eec0 128.3
Fa0/4            128.4           19 FWD         4 32778 000b.befa.eec0 128.4
Fa0/5            128.5           19 FWD         4 32778 000b.befa.eec0 128.5
Gi0/1            128.25           4 FWD         4 32778 000b.befa.eec0 128.25
Gi0/2            128.26           4 FWD         0 4106  000b.fd13.9080 128.26

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     000b.fd13.cd80
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000b.befa.eec0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         4 32788 000b.befa.eec0 128.1
Fa0/2            128.2           19 FWD         4 32788 000b.befa.eec0 128.2
Fa0/3            128.3           19 BLK         0 4116  000b.fd13.cd80 128.1
Fa0/4            128.4           19 BLK         0 4116  000b.fd13.cd80 128.2
Fa0/5            128.5           19 FWD         4 32788 000b.befa.eec0 128.5
Gi0/1            128.25           4 FWD         0 4116  000b.fd13.cd80 128.25
Gi0/2            128.26           4 FWD         4 32788 000b.befa.eec0 128.26

Access2
Access2#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     000f.2490.1380
             Cost        23
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
Fa0/3            Altn BLK 19        128.3    P2p
Fa0/4            Altn BLK 19        128.4    P2p
Fa0/5            Altn BLK 19        128.5    P2p

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     000b.fd13.9080
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
Fa0/3            Altn BLK 19        128.3    P2p
Fa0/4            Altn BLK 19        128.4    P2p
Fa0/5            Altn BLK 19        128.5    P2p

VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    4116
             Address     000b.fd13.cd80
             Cost        19
             Port        3 (FastEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Altn BLK 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
Fa0/3            Root FWD 19        128.3    P2p
Fa0/4            Altn BLK 19        128.4    P2p
Fa0/5            Altn BLK 19        128.5    P2p


Port Level Tuning with Portfast, BPDU Guard, Uplinkfast, Root Guard and UDLD
The Core switch is still the VTP server and all other switches are still VTP clients. VLAN 1, VLAN 10 (Accounting), and VLAN 20 (Marketing) are still the valid VLANs. The Core switch is still the Root Bridge for VLAN 1, the Distribution1 switch is still the Root Bridge for VLAN 10, and the Distribution2 switch is the Root Bridge for VLAN 20.

Step 6: Portfast
A new redundant switched network has just been implemented. The default behavior of Spanning Tree Protocol (STP) has created some undesirable results. The ports take up to 50 seconds to reach the forwarding state, which prevents DHCP clients from receiving an IP address during normal boot-up. PortFast will be used to prevent this problem in the future.

Configure PortFast on FastEthernet 0/6 through 0/12 on the access layer switches. (We will assume these are the ports that will be used to connect hosts.) PortFast will be configured on eight interfaces with the range command. However, it will only be effective when the interfaces are in a non-trunking mode.

Access1(config)#interface range fa 0/6 - 12
Access1(config-if-range)#switchport mode access
Access1(config-if-range)#spanning-tree portfast

Access2(config)#interface range fa 0/6 - 12
Access2(config-if-range)#switchport mode access
Access2(config-if-range)#spanning-tree portfast

Warning: PortFast should only be enabled on ports that are connected to a single host. If hubs, concentrators, switches, or bridges are connected to the interface when PortFast is enabled, temporary bridging loops can occur. Use with caution.

Portfast will be configured in 7 interfaces due to the range command, but will only have effect when the interfaces are in a non-trunking mode.

To verify that PortFast is operating on the access layer switches, if there were workstations attached, one could remove a workstation from the switch and plug it into any port configured with PortFast. The port should become active immediately. The access layer switch indicator light will become green without the yellow learning and listening period. Use the show spanning-tree command to check the state of each link.


Step 7: BPDU Guard


Enabling PortFast can create a security risk in a switched network. A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU). An unauthorized device can send BPDUs into the PortFast interface and set a port to blocking. When the port is in blocking state it will accept all BPDUs. This could lead to false STP information that enters the switched network and causes unexpected STP behavior.

BPDU guard will be used to prevent unauthorized BPDUs from entering the switched network through PortFast-enabled ports. When the BPDU guard feature is enabled on the switch, STP shuts down PortFast-enabled interfaces that receive BPDUs instead of putting them into a blocking state. PortFast-enabled interfaces do not receive BPDUs in a valid configuration. The receipt of a BPDU by a PortFast-enabled interface indicates an invalid configuration, such as the connection of an unauthorized device. The BPDU guard feature blocks BPDUs by placing the interface in the ErrDisable state. The BPDU guard feature provides a secure response to invalid configurations because the interface must be manually placed back in service. BPDU guard also keeps switches that users add outside the wiring closet from impacting, and possibly violating, Spanning Tree Protocol.

Configure BPDU guard on the access mode ports, FastEthernet 0/6 through 0/12, on both access switches, where PortFast is enabled.

Access1(config)#interface range fa 0/6 - 12
Access1(config-if-range)#spanning-tree bpduguard enable

Access2(config)#interface range fa 0/6 - 12
Access2(config-if-range)#spanning-tree bpduguard enable

If a switch was connected to one of these ports with BPDU guard enabled, the following error would appear.
05:31:56: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling FastEthernet0/1.
05:31:56: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
05:31:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

The switch receives the error and shuts down the port. This protects the switch from accepting false BPDUs.
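The PortFast and BPDU guard pairing from Steps 6 and 7 can be checked mechanically. The following Python script is an added example, not part of the original lab: it parses a running-config and reports PortFast ports that lack BPDU guard or are not forced to access mode. The sample config is constructed from this lab's Access1 configuration, and the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample modelled on the Access1 running-config in this lab.
# Fa0/8 deliberately lacks BPDU guard; Fa0/9 is deliberately left in a
# dynamic (possibly trunking) mode.
SAMPLE_CONFIG = """\
hostname Access1
!
spanning-tree extend system-id
!
interface FastEthernet0/5
 no ip address
 spanning-tree guard root
!
interface FastEthernet0/6
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/8
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode dynamic desirable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 no ip address
 shutdown
!
end
"""

PORTFAST = "spanning-tree portfast"
ACCESS_MODE = "switchport mode access"
GUARD_ON = "spanning-tree bpduguard enable"
GUARD_OFF = "spanning-tree bpduguard disable"
# Global IOS command that turns BPDU guard on for every PortFast port.
GUARD_DEFAULT = "spanning-tree portfast bpduguard default"


def parse_config(config):
    """Split a running-config into ({interface: [sub-commands]}, [global lines])."""
    interfaces, global_lines, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # "!" closes the current stanza
            continue
        if raw[0] != " ":                       # top-level command
            match = re.match(r"interface\s+(\S+)$", line)
            if match:
                current = match.group(1)
                interfaces[current] = []
            else:
                current = None
                global_lines.append(line)
        elif current is not None:               # indented interface sub-command
            interfaces[current].append(line)
    return interfaces, global_lines


def audit_portfast(config):
    """Return (interface, finding) pairs for risky PortFast ports."""
    interfaces, global_lines = parse_config(config)
    guard_by_default = GUARD_DEFAULT in global_lines
    findings = []
    for name, commands in interfaces.items():
        if PORTFAST not in commands:
            continue
        # The lab notes PortFast only takes effect on non-trunking ports.
        if ACCESS_MODE not in commands:
            findings.append((name, "portfast-not-access-mode"))
        guarded = GUARD_ON in commands or (
            guard_by_default and GUARD_OFF not in commands
        )
        if not guarded:
            findings.append((name, "portfast-without-bpduguard"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_portfast(SAMPLE_CONFIG):
        print(f"{port}: {issue}")
```
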


Step 8: Uplinkfast
When the active uplink between the two switches is broken, it takes the redundant link 30 seconds to complete the spanning-tree process before bringing up the backup, or blocked, link. This results in a temporary network outage for users. UplinkFast will be used to reduce STP convergence time. Configure Uplinkfast on all switches.

Core
Core(config)#spanning-tree ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree

Core(config)#spanning-tree uplinkfast

Core#show spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001
VLAN0010             Gi0/1(fwd)
VLAN0020             Gi0/2(fwd), Fa0/24

Distribution1
Distribution1(config)#spanning-tree uplinkfast

Distribution1#show spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 1
Number of proxy multicast addresses transmitted (all VLANs) : 4

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Gi0/1(fwd)
VLAN0010
VLAN0020             Fa0/5(fwd), Fa0/1, Fa0/2, Fa0/3, Fa0/4, Gi0/1, Gi0/2

Distribution2
Distribution2(config)#spanning-tree uplinkfast

Distribution2#show spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Gi0/2(fwd), Fa0/5, Fa0/24
VLAN0010             Fa0/5(fwd), Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/24, Gi0/1
                     Gi0/2
VLAN0020

Access1
Access1(config)#spanning-tree uplinkfast

Access1#show spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 2
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Gi0/2(fwd), Fa0/1, Fa0/2, Fa0/3, Fa0/4, Gi0/1
VLAN0010             Gi0/2(fwd), Fa0/1, Fa0/2
VLAN0020             Gi0/1(fwd), Fa0/3, Fa0/4

Access2
Access2(config)#spanning-tree uplinkfast

Access2#show spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Fa0/1(fwd), Fa0/2, Fa0/3, Fa0/4, Fa0/5
VLAN0010             Fa0/1(fwd), Fa0/2, Fa0/5
VLAN0020             Fa0/3(fwd), Fa0/4, Fa0/5

Step 9: Root Guard


Access2 is connected with a slower and more unreliable connection. The network administrator wants to prevent Access2 from becoming the root bridge or from being in the path to the root bridge. Access2 should be avoided as much as possible. Root guard will be used to prevent Access2 from becoming the root bridge.

Prevent Access2 from becoming the root or from being in the path to the root.

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. STP can reconfigure itself in this type of topology and select a customer switch as the STP root switch. The root-guard feature can be configured on interfaces that connect to switches outside of the customer network. If STP calculations select an interface in the customer network as the root port, root guard places this interface in the root-inconsistent (blocked) state to prevent the customer switch from becoming the root switch or from being in the path to the root.

UplinkFast must be disabled because it cannot be used with root guard.
Access2(config)#no spanning-tree uplinkfast

Configure all the Distribution1, Distribution2 and Access1 ports that connect to Access2 with root guard.
Distribution1(config)#interface range fa 0/3 - 4
Distribution1(config-if-range)#spanning-tree guard root

Distribution2(config)#interface range fa 0/3 - 4
Distribution2(config-if-range)#spanning-tree guard root

Access1(config)#interface fa 0/5
Access1(config-if)#spanning-tree guard root

Configure Access2 with a lower STP priority than Distribution1 for VLAN 10. Access2 would become the root for VLAN10 without root guard.
Access2(config)#spanning-tree vlan 10 priority 0

Verify that Distribution1 is still the Root Bridge for VLAN 10.
01:35:47: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/3 on VLAN0010.
01:35:47: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0010.

Distribution1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     000b.fd13.9080
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     000b.fd13.9080
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           19 FWD         0 24586 000b.fd13.9080 128.1
Fa0/2            128.2           19 FWD         0 24586 000b.fd13.9080 128.2
Fa0/3            128.3           19 BKN*        0 24586 000b.fd13.9080 128.3
Fa0/4            128.4           19 BKN*        0 24586 000b.fd13.9080 128.4
Fa0/5            128.5           19 FWD         0 24586 000b.fd13.9080 128.5
Gi0/1            128.25           4 FWD         0 24586 000b.fd13.9080 128.25
Gi0/2            128.26           4 FWD         0 24586 000b.fd13.9080 128.26

Access2#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    10
             Address     0009.7c0b.e7c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10  (priority 0 sys-id-ext 10)
             Address     0009.7c0b.e7c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/5            Desg FWD 19        128.5    P2p
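The log messages shown in Step 7 (BPDU guard) and Step 9 (root guard) are the signals an operator would watch for. The following Python script is an added example, not part of the original lab: it parses those messages, groups them per interface, and lists the ports that stay err-disabled until someone re-enables them. The function names and finding labels are assumptions of this example; the log lines are copied from this lab.

```python
import re

# Log lines copied from this lab's Step 7 and Step 9 output.
SAMPLE_LOG = """\
05:31:56: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling FastEthernet0/1.
05:31:56: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state
05:31:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
01:35:47: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/3 on VLAN0010.
01:35:47: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0010.
"""

# "<timestamp>: %<FACILITY>-<severity>-<MNEMONIC>: <message>"
HEADER = re.compile(
    r"^(?P<ts>\S+): %(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)

ABBREVIATIONS = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def full_name(interface):
    """Expand Fa0/1 to FastEthernet0/1 so short and long forms correlate."""
    match = re.match(r"([A-Za-z]+)([\d/]+)$", interface)
    if not match:
        return interface
    prefix, number = match.groups()
    return ABBREVIATIONS.get(prefix, prefix) + number


# mnemonic -> (pattern applied to the message text, label builder)
RULES = {
    "RX_PORTFAST": (
        re.compile(r"Disabling (?P<intf>\S+)\.$"),
        lambda m: "bpdu-received-on-portfast",
    ),
    "ERR_DISABLE": (
        re.compile(r"^(?P<cause>\S+) error detected on (?P<intf>[^,\s]+),"),
        lambda m: "err-disabled:" + m["cause"],
    ),
    "ROOTGUARD_BLOCK": (
        re.compile(r"blocking port (?P<intf>\S+) on (?P<vlan>VLAN\d+)\.?$"),
        lambda m: "root-guard-block:" + m["vlan"],
    ),
}


def triage(log_text):
    """Return {interface: sorted list of STP protection findings}."""
    findings = {}
    for line in log_text.splitlines():
        header = HEADER.match(line.strip())
        if not header or header["mnemonic"] not in RULES:
            continue                      # e.g. LINEPROTO up/down is ignored
        pattern, label = RULES[header["mnemonic"]]
        match = pattern.search(header["msg"])
        if match:
            port = full_name(match["intf"])
            findings.setdefault(port, set()).add(label(match))
    return {port: sorted(tags) for port, tags in sorted(findings.items())}


def needs_manual_recovery(findings):
    """Ports in err-disable state: per the lab, these must be put back in service by hand."""
    return [
        port for port, tags in findings.items()
        if any(tag.startswith("err-disabled:") for tag in tags)
    ]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for port, tags in result.items():
        print(port, tags)
    print("manual recovery:", needs_manual_recovery(result))
```
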


Step 10: UDLD


ALSwitch1 is connected to the distribution layer with Gigabit Ethernet links. If the transmit or receive link in a fiber cable is disconnected or cut, then it could lead to a unidirectional link. Unidirectional links can transmit or receive data, but not both. Unidirectional links have an adverse effect on the network. Use the UniDirectional Link Detection (UDLD) protocol to prevent unidirectional links from occurring.

Disconnect one of the connectors between ALSwitch1 and DLSwitch1. Observe the line status on the switches. A unidirectional link has just been created.

A unidirectional link occurs when traffic sent by the local device is received by the neighbor but traffic from the neighbor is not received by the local device. This indicates that the transmit or receive part of the connection is broken. This can be caused by a cut or disconnected cable.

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect a unidirectional link. All connected devices must support UDLD for the protocol to identify and disable unidirectional links. When UDLD detects a unidirectional link, it shuts down the affected port and sends out an alert. Unidirectional links can cause a variety of problems, such as spanning-tree topology loops.

Now reconnect the transmit or receive cable to the switch. (Of course you cannot really do this with NetLab.)

Enable UDLD with the global configuration command udld enable on the Core, Distribution1, Distribution2, and Access1 switches.

Note: This command only affects fiber-optic interfaces. Use the udld interface configuration command to enable UDLD on other interface types.

Configure UDLD enable on all switches with fiber-optic interfaces.

Core(config)#udld enable
Distribution1(config)#udld enable
Distribution2(config)#udld enable
Access1(config)#udld enable

If one of the fiber connectors between ALSwitch1 and DLSwitch1 were disconnected, you could observe what happens to the line status on the two switches. UDLD will administratively shut down the port.


Final Running-Configs
Core#show running-config Building configuration... Current configuration : 4419 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Core ! ! ip subnet-zero ! udld enable ! ! spanning-tree mode pvst spanning-tree extend system-id spanning-tree uplinkfast spanning-tree vlan 1 priority 24576 ! ! ! interface FastEthernet0/1 switchport mode dynamic desirable no ip address ! interface FastEthernet0/2 switchport mode dynamic desirable no ip address ! interface FastEthernet0/3 switchport mode dynamic desirable no ip address ! interface FastEthernet0/4 switchport mode dynamic desirable no ip address ! interface FastEthernet0/5 switchport mode dynamic desirable no ip address ! interface FastEthernet0/6 switchport mode dynamic desirable no ip address ! interface FastEthernet0/7 switchport mode dynamic desirable no ip address ! interface FastEthernet0/8 switchport mode dynamic desirable no ip address ! interface FastEthernet0/9 switchport mode dynamic desirable

no ip address ! interface FastEthernet0/10 switchport mode dynamic desirable no ip address ! interface FastEthernet0/11 switchport mode dynamic desirable no ip address ! interface FastEthernet0/12 switchport mode dynamic desirable no ip address ! interface FastEthernet0/13 switchport mode dynamic desirable no ip address ! interface FastEthernet0/14 switchport mode dynamic desirable no ip address ! interface FastEthernet0/15 switchport mode dynamic desirable no ip address ! interface FastEthernet0/16 switchport mode dynamic desirable no ip address ! interface FastEthernet0/17 switchport mode dynamic desirable no ip address ! interface FastEthernet0/18 switchport mode dynamic desirable no ip address ! interface FastEthernet0/19 switchport mode dynamic desirable no ip address ! interface FastEthernet0/20 switchport mode dynamic desirable no ip address ! interface FastEthernet0/21 switchport mode dynamic desirable no ip address ! interface FastEthernet0/22 switchport mode dynamic desirable no ip address ! interface FastEthernet0/23 switchport mode dynamic desirable no ip address ! interface FastEthernet0/24 switchport mode dynamic desirable no ip address ! interface FastEthernet0/25 switchport mode dynamic desirable

no ip address ! interface FastEthernet0/26 switchport mode dynamic desirable no ip address ! interface FastEthernet0/27 switchport mode dynamic desirable no ip address ! interface FastEthernet0/28 switchport mode dynamic desirable no ip address ! interface FastEthernet0/29 switchport mode dynamic desirable no ip address ! interface FastEthernet0/30 switchport mode dynamic desirable no ip address ! interface FastEthernet0/31 switchport mode dynamic desirable no ip address ! interface FastEthernet0/32 switchport mode dynamic desirable no ip address ! interface FastEthernet0/33 switchport mode dynamic desirable no ip address ! interface FastEthernet0/34 switchport mode dynamic desirable no ip address ! interface FastEthernet0/35 switchport mode dynamic desirable no ip address ! interface FastEthernet0/36 switchport mode dynamic desirable no ip address ! interface FastEthernet0/37 switchport mode dynamic desirable no ip address ! interface FastEthernet0/38 switchport mode dynamic desirable no ip address ! interface FastEthernet0/39 switchport mode dynamic desirable no ip address ! interface FastEthernet0/40 switchport mode dynamic desirable no ip address ! interface FastEthernet0/41 switchport mode dynamic desirable

no ip address ! interface FastEthernet0/42 switchport mode dynamic desirable no ip address ! interface FastEthernet0/43 switchport mode dynamic desirable no ip address ! interface FastEthernet0/44 switchport mode dynamic desirable no ip address ! interface FastEthernet0/45 switchport mode dynamic desirable no ip address ! interface FastEthernet0/46 switchport mode dynamic desirable no ip address ! interface FastEthernet0/47 switchport mode dynamic desirable no ip address ! interface FastEthernet0/48 switchport mode dynamic desirable no ip address ! interface GigabitEthernet0/1 switchport mode dynamic desirable no ip address ! interface GigabitEthernet0/2 switchport mode dynamic desirable no ip address ! interface Vlan1 no ip address shutdown ! ip classless ip http server ! ! ! line con 0 exec-timeout 0 0 logging synchronous line vty 0 4 login line vty 5 15 login ! end Core#

Distribution1#show running-config Building configuration...

Current configuration : 1653 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Distribution1 ! ! ip subnet-zero ! udld enable ! ! spanning-tree extend system-id spanning-tree uplinkfast spanning-tree vlan 10 priority 24576 ! ! ! interface FastEthernet0/1 no ip address ! interface FastEthernet0/2 no ip address ! interface FastEthernet0/3 no ip address spanning-tree guard root ! interface FastEthernet0/4 no ip address spanning-tree guard root ! interface FastEthernet0/5 no ip address ! interface FastEthernet0/6 no ip address ! interface FastEthernet0/7 no ip address ! interface FastEthernet0/8 no ip address ! interface FastEthernet0/9 no ip address ! interface FastEthernet0/10 no ip address ! interface FastEthernet0/11 no ip address ! interface FastEthernet0/12 no ip address ! interface FastEthernet0/13 no ip address !

interface FastEthernet0/14 no ip address ! interface FastEthernet0/15 no ip address ! interface FastEthernet0/16 no ip address ! interface FastEthernet0/17 no ip address ! interface FastEthernet0/18 no ip address ! interface FastEthernet0/19 no ip address ! interface FastEthernet0/20 no ip address ! interface FastEthernet0/21 no ip address ! interface FastEthernet0/22 no ip address ! interface FastEthernet0/23 no ip address ! interface FastEthernet0/24 no ip address ! interface GigabitEthernet0/1 no ip address ! interface GigabitEthernet0/2 no ip address ! interface Vlan1 no ip address shutdown ! ip classless ip http server ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous line vty 0 4 login line vty 5 15 login ! end Distribution1#

Distribution2#show running-config

Building configuration... Current configuration : 1653 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Distribution2 ! ! ip subnet-zero ! udld enable ! ! spanning-tree extend system-id spanning-tree uplinkfast spanning-tree vlan 20 priority 24576 ! ! ! interface FastEthernet0/1 no ip address ! interface FastEthernet0/2 no ip address ! interface FastEthernet0/3 no ip address spanning-tree guard root ! interface FastEthernet0/4 no ip address spanning-tree guard root ! interface FastEthernet0/5 no ip address ! interface FastEthernet0/6 no ip address ! interface FastEthernet0/7 no ip address ! interface FastEthernet0/8 no ip address ! interface FastEthernet0/9 no ip address ! interface FastEthernet0/10 no ip address ! interface FastEthernet0/11 no ip address ! interface FastEthernet0/12 no ip address ! interface FastEthernet0/13

no ip address ! interface FastEthernet0/14 no ip address ! interface FastEthernet0/15 no ip address ! interface FastEthernet0/16 no ip address ! interface FastEthernet0/17 no ip address ! interface FastEthernet0/18 no ip address ! interface FastEthernet0/19 no ip address ! interface FastEthernet0/20 no ip address ! interface FastEthernet0/21 no ip address ! interface FastEthernet0/22 no ip address ! interface FastEthernet0/23 no ip address ! interface FastEthernet0/24 no ip address ! interface GigabitEthernet0/1 no ip address ! interface GigabitEthernet0/2 no ip address ! interface Vlan1 no ip address shutdown ! ip classless ip http server ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous line vty 0 4 login line vty 5 15 login ! end Distribution2#


Access1#show running-config Building configuration... Current configuration : 2142 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Access1 ! ! ip subnet-zero udld enable ! ! spanning-tree extend system-id spanning-tree uplinkfast ! ! interface FastEthernet0/1 no ip address ! interface FastEthernet0/2 no ip address ! interface FastEthernet0/3 no ip address ! interface FastEthernet0/4 no ip address ! interface FastEthernet0/5 no ip address spanning-tree guard root ! interface FastEthernet0/6 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/7 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/8 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/9 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable !

interface FastEthernet0/10 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/11 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/12 switchport mode access no ip address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/13 no ip address ! interface FastEthernet0/14 no ip address ! interface FastEthernet0/15 no ip address ! interface FastEthernet0/16 no ip address ! interface FastEthernet0/17 no ip address ! interface FastEthernet0/18 no ip address ! interface FastEthernet0/19 no ip address ! interface FastEthernet0/20 no ip address ! interface FastEthernet0/21 no ip address ! interface FastEthernet0/22 no ip address ! interface FastEthernet0/23 no ip address ! interface FastEthernet0/24 no ip address ! interface GigabitEthernet0/1 no ip address ! interface GigabitEthernet0/2 no ip address ! interface Vlan1 no ip address no ip route-cache shutdown

! ip http server ! ! line con 0 exec-timeout 0 0 logging synchronous line vty 0 4 login line vty 5 15 login ! end Access1#

Access2#show running-config Building configuration... Current configuration : 1733 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Access2 ! ! ip subnet-zero ! ! ! spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id spanning-tree vlan 10 priority 0 ! ! ! ! interface FastEthernet0/1 ! interface FastEthernet0/2 ! interface FastEthernet0/3 ! interface FastEthernet0/4 ! interface FastEthernet0/5 ! interface FastEthernet0/6 switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/7 switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/8

switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/9 switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/10 switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/11 switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/12 switchport mode access spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface Vlan1 no ip address no ip route-cache shutdown ! ip http server ! line con 0 exec-timeout 0 0 logging synchronous line vty 0 4 login line vty 5 15 login ! !

end Access2#
