
Implementing Spanning Tree

Ch 3

Topics
Describing STP
Transparent Bridges & Identifying Traffic Loops
802.1D Spanning Tree Protocol
Root Bridge & Port Roles
Enhancements to STP

Implementing MSTP
Explaining MSTP & MST Regions
Extended System ID
Interacting Between MST Regions and 802.1D Networks
MSTP Implementation Commands
Configuring and Verifying MSTP

Implementing RSTP
Rapid Spanning Tree Protocol
RSTP Port States & RSTP Port Roles
Edge Ports & RSTP Link Types
RSTP BPDU Proposal and Agreement Process
RSTP Topology Change
Rapid PVST+ Implementation & Commands
9/3/2011

Spanning Tree Enhancements


BPDU Guard
BPDU Filtering
Root Guard
Loop Guard
UDLD
Flex Links

Recommended Practices
Troubleshooting STP

Ch3 Implementing STP

Spanning Tree History

STP was invented in 1985 by Radia Perlman at the Digital Equipment Corporation.
In 1990, IEEE published the first standard for the protocol as 802.1D-1990.
802.1D Common Spanning Tree (CST) -> Cisco PVST+ -> Rapid STP (RSTP) or IEEE 802.1w -> Cisco PVRST+ -> Multiple Spanning Tree (MST) or IEEE 802.1s -> STP security enhancements


Overview of the Spanning Tree Protocol


STP functionality of a switch is identical to that of a transparent bridge
Behavior of a switch without spanning tree:
Does not modify the frames that are forwarded
Learns addresses by "listening" on a port for the source MAC address of a device
Builds a MAC address table that indicates which MAC addresses are learned on specific ports
Switches use this table to forward frames based on the destination MAC address
Forwards packets with a destination multicast or broadcast MAC address out all ports except for the port that initially received the broadcast
Referred to as flooding
Forwards a frame out all ports except for the port it entered if the destination MAC address is unknown
Referred to as unknown unicast packets

Functions of a Bridge

Flooding
Forwarding
Filtering
Learning
Aging

Transparent Bridging
Switch treats each port as an individual segment
Both ports belong to the same layer 2 broadcast domain
Switch learns the MAC addresses:
Station A on port 1/1
Station B on port 1/2
Transparent to the attached devices
Allows bridges to forward different packet types
Without redundant links, transparent bridging works
Problems arise as soon as bridged networks have redundant paths

Loop Behavior

B will receive 2 copies of the frame from A
Each bridge will also receive the other's copy
Each bridge will update its table to say that A is on LAN Y
Neither bridge can forward a packet to A
If bridges don't know where B is, each will flood it, then receive it from the other and transmit it back on LAN X
This can repeat indefinitely

Bridges with Loops


1. Station A sends a frame to station D. Both bridges forward the frame and update their tables based on the source address A.
2. Now there are two copies of the frame on LAN 2. The copy sent out by bridge 1 is received by bridge 2 and is flooded. The copy sent out by bridge 2 is received by bridge 1 and is flooded. Note that each frame is handled separately. The tables of both bridges are updated, but still there is no information for destination D.
3. Now there are two copies of the frame on LAN 1. Step 2 is repeated, and both copies flood the network.
4. The process continues on and on.
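The four steps above replayed as a small simulation (an added example, not from the slides): two transparent bridges B1 and B2 both join LAN 1 and LAN 2, station A on LAN 1 sends to station D, which neither bridge has learned. It also shows what happens once one bridge port is held in blocking state, as STP would do. Station, bridge and LAN names are constructed.

```python
"""Replay of the bridging loop from the slide (added example, not from the
slides): two transparent bridges B1 and B2 both connect LAN 1 and LAN 2,
station A on LAN 1 sends a frame to station D, which neither bridge has
learned. All names are constructed for the example."""
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str]                  # (source MAC, destination MAC)
Copy = Tuple[Frame, str, Optional[str]]  # (frame, LAN it is on, bridge that sent it)


class Bridge:
    """Transparent bridge: learn on ingress, then forward, flood or filter."""

    def __init__(self, name: str, lans: List[str], blocked: Tuple[str, ...] = ()):
        self.name = name
        self.lans = list(lans)            # segments this bridge is attached to
        self.blocked = set(blocked)       # ports STP would hold in blocking state
        self.table: Dict[str, str] = {}   # learned MAC -> LAN

    def receive(self, frame: Frame, in_lan: str) -> List[Copy]:
        if in_lan in self.blocked:
            return []                     # a blocking port does not bridge frames
        src, dst = frame
        self.table[src] = in_lan          # learning; overwrites a stale entry
        known = self.table.get(dst)
        if known is None:                 # unknown unicast: flood all other ports
            return [(frame, lan, self.name) for lan in self.lans
                    if lan != in_lan and lan not in self.blocked]
        if known == in_lan or known in self.blocked:
            return []                     # filtering
        return [(frame, known, self.name)]  # forwarding to the learned port


def run(bridges: List[Bridge], frame: Frame, start_lan: str, rounds: int):
    """Per round: number of copies on the wire and a snapshot of each table."""
    on_wire: List[Copy] = [(frame, start_lan, None)]
    counts: List[int] = []
    tables: List[Dict[str, Dict[str, str]]] = []
    for _ in range(rounds):
        nxt: List[Copy] = []
        for f, lan, sender in on_wire:
            for b in bridges:
                # every other bridge on the LAN hears the copy; the sender does not
                if lan in b.lans and b.name != sender:
                    nxt.extend(b.receive(f, lan))
        on_wire = nxt
        counts.append(len(on_wire))
        tables.append({b.name: dict(b.table) for b in bridges})
    return counts, tables


FRAME: Frame = ("A", "D")  # constructed: A on LAN 1 sends to the unknown D


def looped() -> Tuple[List[int], List[Dict[str, Dict[str, str]]]]:
    """No spanning tree: two copies circulate for ever and A flips LAN every round."""
    return run([Bridge("B1", ["LAN1", "LAN2"]), Bridge("B2", ["LAN1", "LAN2"])],
               FRAME, "LAN1", 4)


def with_blocking() -> Tuple[List[int], List[Dict[str, Dict[str, str]]]]:
    """STP puts B2's LAN 2 port in blocking: one copy reaches LAN 2, then nothing."""
    return run([Bridge("B1", ["LAN1", "LAN2"]),
                Bridge("B2", ["LAN1", "LAN2"], blocked=("LAN2",))],
               FRAME, "LAN1", 4)


if __name__ == "__main__":
    for label, fn in (("loop", looped), ("blocking", with_blocking)):
        counts, tables = fn()
        print(label, "copies per round:", counts, "final tables:", tables[-1])
```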


Spanning Tree Protocol (STP)


Part of the 802.1D bridging specification
Can convert a loop into a tree by disabling links
Physical vs. Active Topology:
Physical network includes all connected bridges and ports
Active network consists of the paths that are in use
Inactive routes are ports of bridges in a blocking state:
Would form an illegal path if active
Can be placed in an active state if a primary route should fail
From Graph Theory:
For any connected graph, consisting of nodes and edges, there is a spanning tree of edges that maintains the connectivity of the graph but contains no closed loops
Removal of certain edges forms a structure that spans or connects subnetworks

Spanning Trees


Preventing Bridging Loops with STP


STA (Spanning Tree Algorithm) is used to find the redundant links:
STA chooses a reference point
Locates the redundant paths to that reference point
Reference point is the root of the spanning tree
If the STA finds a redundant path:
Selects a single path back to the root
Blocks any other redundant paths
STP puts one of the switch ports in blocking mode
Preventing the bridging loop
Blocked port continues to receive bridge protocol data units (BPDUs)
Switch forwards through that port if a failure occurs on the current forwarding link

Spanning Tree Example

A was selected as root and the spanning tree was created from that root

STP (IEEE 802.1D)


STP uses the concepts of root bridges, root ports, and designated ports
Basic STP is defined in IEEE 802.1D
Bridge Identifier: Spanning tree assigns each bridge or switch a unique identifier called a bridge ID
2-byte priority value and the 6-byte MAC address make up the bridge ID
Default priority specified by IEEE 802.1D:
32,768 (1000 0000 0000 0000 in binary, or 0x8000 in hex)
Midpoint value of possible values from 0 through 65,535
Bridge ID is always unique by virtue of a unique MAC address

STP Concepts

Layer 2 information is exchanged between adjacent switches via bridge protocol data unit (BPDU) messages
A single root bridge is chosen to serve as the reference point
Each switch, except for the root bridge, selects a root port that provides the best path to the root bridge
On the link between two nonroot switch ports, a port on one switch becomes a designated port, and the port on the other switch is in a blocking state and does not forward frames
Typically, the designated port is on the switch with the best path to the root bridge

Spanning-Tree Path Cost


Spanning-tree path cost is an accumulated total path cost based on the bandwidth of all the links in the path
Specified in the IEEE 802.1D specification
Prior to 802.1D-1998, different media, such as FDDI, ATM-155, and ATM-622, had to manually scale costs
Revised path cost of IEEE 802.1D-1998:
Older specification calculated cost based on 1000-Mbps bandwidth
New specification adjusts the calculation by using a nonlinear scale to accommodate higher-speed interfaces

Link Speed   Cost (Revised IEEE Spec)   Cost (Previous IEEE Spec)
10 Gbps      2                          1
1 Gbps       4                          1
100 Mbps     19                         10
10 Mbps      100                        100

Bridge Protocol Data Units


Switches exchange control messages: BPDUs
Relay LAN topology information to other switches
Refreshed at regular intervals, 2 seconds by default
Multicast destination address for BPDUs is 01-80-c2-00-00-00
BPDUs are used to:
Elect a root bridge
Determine the location of redundant paths
Block certain ports to prevent loops
Notify the network of topology changes
Monitor the state of the spanning tree
Two types of BPDUs:
Configuration BPDU
Sent at periodic intervals by the root bridge on all its ports
Includes the STP parameters, which guarantees no mismatch in the timers
Used to elect the root bridge and to keep the topology stable
If not received from the root, a topology change may occur
Topology Change Notification (TCN) BPDU
Generated by the switch when it detects a topology change

BPDUs

Two types: Configuration and Topology Change Notification
Transmission of a configuration BPDU is triggered by the root bridge
Or one that considers itself the root
Passed on by each bridge onto a LAN for which it considers itself to be the designated bridge
Cascades throughout the spanning tree
Collection is referred to as a configuration message
If a bridge does not receive a configuration message on its root port and the stored information times out, it changes the topology and sends a topology change notification BPDU

Key BPDU Information


Root ID: The lowest bridge ID (BID) in the topology
Cost of path: Cost of all links from the transmitting switch to the root bridge
BID: BID of the transmitting switch
Port ID: Transmitting switch port ID
STP timer values: Maximum age, hello time, forward delay
BPDUs contain the required information for STP configuration
Type field for the BPDU message is 0x00, and it uses the multicast MAC address 01-80-C2-00-00-00
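The fields listed above, decoded from the wire format of an 802.1D configuration BPDU and of the three-field TCN BPDU (type 0x80) described later in the deck; this is an added example, not code from the slides. The field layout and the 1/256-second timer encoding are those of IEEE 802.1D; the sample BPDU bytes are constructed.

```python
"""Decoder for IEEE 802.1D configuration and TCN BPDUs (added example, not
from the slides). Field layout of a configuration BPDU, 35 bytes after the
802.2 LLC header (DSAP/SSAP 0x42): Protocol ID (2) | Version (1) | Type (1) |
Flags (1) | Root ID (8) | Root Path Cost (4) | Bridge ID (8) | Port ID (2) |
Message Age (2) | Max Age (2) | Hello Time (2) | Forward Delay (2).
A TCN BPDU carries only the first three fields. Timers are in 1/256 s units.
"""
import struct
from dataclasses import dataclass
from typing import Optional

STP_MULTICAST_MAC = "01-80-c2-00-00-00"  # destination MAC of every BPDU
BPDU_TYPE_CONFIG = 0x00
BPDU_TYPE_TCN = 0x80
FLAG_TC = 0x01   # Topology Change: lowest bit of the flags octet
FLAG_TCA = 0x80  # Topology Change Acknowledgement: highest bit


@dataclass
class BridgeId:
    priority: int  # 16-bit field (priority + extended system ID under PVST+)
    mac: str

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        (priority,) = struct.unpack("!H", raw[:2])
        return cls(priority, ":".join(f"{b:02x}" for b in raw[2:8]))


@dataclass
class Bpdu:
    bpdu_type: int
    topology_change: bool = False
    tc_ack: bool = False
    root_id: Optional[BridgeId] = None
    root_path_cost: int = 0
    bridge_id: Optional[BridgeId] = None
    port_id: int = 0
    message_age: float = 0.0
    max_age: float = 0.0
    hello_time: float = 0.0
    forward_delay: float = 0.0


def parse_bpdu(payload: bytes) -> Bpdu:
    """Decode the BPDU bytes that follow the LLC header; rejects malformed input."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU header")
    proto, version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if proto != 0 or version != 0:
        raise ValueError(f"not an 802.1D BPDU (proto {proto:#06x}, version {version})")
    if bpdu_type == BPDU_TYPE_TCN:
        return Bpdu(bpdu_type=BPDU_TYPE_TCN)  # nothing else is carried
    if bpdu_type != BPDU_TYPE_CONFIG:
        raise ValueError(f"unknown BPDU type {bpdu_type:#04x}")
    if len(payload) < 35:
        raise ValueError("truncated configuration BPDU")
    flags = payload[4]
    root_id = BridgeId.from_bytes(payload[5:13])
    (root_path_cost,) = struct.unpack("!I", payload[13:17])
    bridge_id = BridgeId.from_bytes(payload[17:25])
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", payload[25:35])
    return Bpdu(
        bpdu_type=BPDU_TYPE_CONFIG,
        topology_change=bool(flags & FLAG_TC),
        tc_ack=bool(flags & FLAG_TCA),
        root_id=root_id,
        root_path_cost=root_path_cost,
        bridge_id=bridge_id,
        port_id=port_id,
        message_age=msg_age / 256,
        max_age=max_age / 256,
        hello_time=hello / 256,
        forward_delay=fwd_delay / 256,
    )


# Constructed sample: what the root (default priority 32768, MAC
# 00:00:0c:aa:aa:aa as in the slides' election scenario) sends from port 0x8001
# with the default timers 20 / 2 / 15 s and the TC flag set.
SAMPLE_CONFIG_BPDU = bytes.fromhex(
    "0000" "00" "00" "01"         # protocol ID, version, type 0x00, flags (TC)
    "8000" "00000caaaaaa"         # root ID
    "00000000"                    # root path cost: 0, the root itself is sending
    "8000" "00000caaaaaa"         # sender bridge ID (same switch)
    "8001"                        # port ID: priority 128, port number 1
    "0000" "1400" "0200" "0f00"   # message age 0, max age 20, hello 2, fwd delay 15
)
SAMPLE_TCN_BPDU = bytes.fromhex("0000" "00" "80")  # TCN: type 0x80, nothing more


if __name__ == "__main__":
    print(parse_bpdu(SAMPLE_CONFIG_BPDU))
    print(parse_bpdu(SAMPLE_TCN_BPDU))
```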


STP Root Bridge


Startup


Root Bridge Election


On boot up, a switch assumes that it is the root bridge and sets the bridge ID equal to the root ID
Bridge ID is always unique by using a unique switch MAC address
Used to determine which switch becomes the root bridge
By exchanging BPDUs, the switches determine which switch is the root
Example of the combination of the priority and bridge ID: 08.00.00.00.0c.12.34.56
First 2 bytes are the priority
Last 6 bytes are the MAC address of the switch
If both switches are using the same default priority, the lowest MAC address becomes the root bridge

PVST Extension to BID


Spanning tree operation requires that each switch have a unique BID
In the original 802.1D standard, the BID was composed of the Priority field and the MAC address of the switch
All VLANs were represented by a CST (Common Spanning Tree)
PVST (Per VLAN Spanning Tree) requires a separate instance of spanning tree for each VLAN
BID field is required to carry VLAN ID (VID) information
Accomplished by reusing a portion of the Priority field as the extended system ID

MAC Address Allocation and Reduction


Catalyst switches typically have a pool of up to 1024 MAC addresses; some have fewer
Pool acts as the MAC address component of the bridge IDs for per-VLAN spanning trees
Number of MAC addresses available depends on the switch model
Switch allocates MAC addresses sequentially:
First MAC address in the range assigned to VLAN 1
Second MAC address in the range assigned to VLAN 2, and so on
Assigns the Supervisor Engine in-band (sc0) management interface the last MAC address in its range
Some switches have fewer MAC addresses than the number of supported VLANs
MAC address reduction feature is the solution
Catalyst 6500 supports up to 4094 VLANs: needs MAC address reduction to support 4094 STP instances

Extended System ID

802.1D 16-bit Bridge Priority field is split into two fields:
Bridge Priority: 4-bit field that carries the bridge priority
Priority is conveyed in discrete values in increments of 4096 rather than in increments of 1
Default priority is 32,768, which is the mid-range value
Extended System ID: 12-bit field that carries the VID for PVST
MAC address: A 6-byte field with the MAC address of a single switch

Priority Values for Extended System ID


Bridge ID with MAC Address Reduction


Bridge ID contains an additional field called the system ID extension
System ID extension together with the bridge priority functions as the unique identifier for a VLAN or an MST instance (MSTI, see later)
Always the number of the VLAN or the MST instance
System ID extension for VLAN 100 is 100, and the system ID extension for MST instance 2 is 2
Bridge priority becomes a multiple of 4096 plus the VLAN ID if MAC address reduction is enabled
Switch can specify the switch priority only as a multiple of 4096
Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440
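The bridge ID built exactly as described above, as an added example that is not code from the slides: the 16-bit field is the 4-bit priority (one of the sixteen multiples of 4096) plus the 12-bit VLAN or instance number, followed by the MAC address, and the lowest resulting ID wins the root election. It also reproduces the 8192 + 1 = 8193 value that the verification slides later show. Switch names and MAC addresses are constructed.

```python
"""Bridge ID with the extended system ID, as the slides describe it (added
example, not from the slides). The 16-bit priority field is a 4-bit priority
(multiples of 4096) followed by a 12-bit VLAN or MST instance number; the
6-byte MAC address completes the 8-byte bridge ID. Switch names and MACs
below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PRIORITY_STEP = 4096
VALID_PRIORITIES = [p * PRIORITY_STEP for p in range(16)]  # 0, 4096, ... 61440


def priority_field(priority: int, vlan_id: int) -> int:
    """16-bit value shown by 'show spanning-tree', e.g. 8192 + 1 = 8193 for VLAN 1."""
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"priority must be a multiple of 4096 in 0..61440, got {priority}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN/instance number out of range: {vlan_id}")
    return priority | vlan_id          # upper 4 bits priority, lower 12 bits VID


def split_priority_field(field: int) -> Tuple[int, int]:
    """Recover (configured priority, VLAN or instance number) from the 16-bit field."""
    return field & 0xF000, field & 0x0FFF


@dataclass(frozen=True, order=True)
class BridgeId:
    """Ordered as STP compares: lower priority field wins, then lower MAC."""
    priority_field: int
    mac: bytes

    @classmethod
    def build(cls, priority: int, vlan_id: int, mac: str) -> "BridgeId":
        return cls(priority_field(priority, vlan_id), bytes.fromhex(mac.replace(":", "")))

    def to_bytes(self) -> bytes:
        """8-byte form carried in BPDUs: 2-byte priority field then 6-byte MAC."""
        return self.priority_field.to_bytes(2, "big") + self.mac

    def __str__(self) -> str:
        return f"{self.priority_field}/" + ":".join(f"{b:02x}" for b in self.mac)


def elect_root(bridge_ids: List[BridgeId]) -> BridgeId:
    """Lowest bridge ID wins; the MAC address breaks ties between equal priorities."""
    return min(bridge_ids)


# Constructed VLAN 1 candidates: one lowered to 8192 (the slides' value), two
# at the default 32768, of which DSW2 has the lowest MAC.
VLAN = 1
SWITCHES: Dict[str, BridgeId] = {
    "DSW1": BridgeId.build(8192, VLAN, "00:00:0c:bb:bb:bb"),
    "DSW2": BridgeId.build(32768, VLAN, "00:00:0c:aa:aa:aa"),
    "ASW1": BridgeId.build(32768, VLAN, "00:00:0c:cc:cc:cc"),
}


def root_name(switches: Dict[str, BridgeId] = SWITCHES) -> str:
    """Name of the switch whose bridge ID wins the election."""
    winner = elect_root(list(switches.values()))
    return next(name for name, bid in switches.items() if bid == winner)


if __name__ == "__main__":
    for name, bid in SWITCHES.items():
        print(f"{name}: bridge ID {bid}, on the wire {bid.to_bytes().hex()}")
    print("root bridge for VLAN", VLAN, "is", root_name())
    # without the lowered priority DSW2 would win on MAC address alone
    default_only = {k: v for k, v in SWITCHES.items() if k != "DSW1"}
    print("with default priorities only:", root_name(default_only))
```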


Root Bridge Election


Configuring the Root Bridge


Configure a switch to become the root bridge for a VLAN:
Lower its priority from the default value
spanning-tree vlan vlan-id priority value
Suggested root priority value for the root bridge is 4096
Secondary root bridge:
Priority between the value of the root bridge (4096) and the default value (32,768)
Generally the priority value 8192 is used
Automatically detect the current root switch and lower the priority value of the respective switch so that it becomes the root:
spanning-tree vlan vlan-id root primary
Secondary root lowers the priority of the switch to a nondefault value but a higher value than the current root:
spanning-tree vlan vlan-id root secondary

Root Bridge Commands


Planning Root Bridge Selection


Locate the root bridge in the center of the network
Keep path costs minimal
Traditional STP does not allow securely enforcing the topology:
Bridge priority does not guarantee a bridge will be root
If a new switch with a lower bridge ID connects, the STP topology changes
Cisco root guard feature:
Protects the switch from accepting better BPDUs on specifically configured ports
Enable root guard on:
Access-layer client ports
Distribution switch ports leading to the access switches

Spanning-Tree Port States and BPDU Timers


Propagation delays exist in switched networks
Topology changes occur at different times and at different segments
Ports wait for new topology information to propagate before starting to forward frames
Five states for a Layer 2 interface:
Blocking: interface does not participate in frame forwarding but listens to incoming BPDUs
Does not learn MAC addresses of received frames
Listening: switch resolves the root and selects the root port, the designated port, and the nondesignated ports
Does not learn the unicast address of any received frames
Learning: interface prepares to participate in frame forwarding
Learns MAC addresses of incoming frames but does not forward frames
Forwarding: interface forwards frames
Port learns source MAC addresses and forwards frames based on the destination MAC address
Disabled: interface does not participate in spanning tree and does not forward frames

Three Timers In BPDU Frames


Hello: time between each BPDU that is sent on a port by the root bridge
2 seconds by default, but configurable between 1 and 10
Forward delay: time spent in the listening and learning states
Default is 15 seconds, but configurable between 4 and 30
Max age: maximum length of time a bridge port saves its configuration BPDU information
20 seconds by default, but configurable between 6 and 40
Spanning-tree topology of the network adheres to the timers of the root bridge
Root bridge passes the timers in BPDUs to all switches

STP State Machine


State Transitions
When powered on, a bridge assumes it is the root bridge
Transitions to the listening state
Two transitions occur when a bridge sees a change in topology:
Port implements listening and learning states for the forward delay
During the listening state the bridge processes the BPDUs received
Ports that remain as designated or root ports transition to the learning state after the forward delay
Ports that are not designated or root ports transition back to the blocking state
Port in the learning state populates its MAC address table
Does not forward user data frames
Learning state lasts the value of the forward delay timer
Learning state reduces the amount of flooding when forwarding begins
If a port is a designated or root port at the end of the learning state, the port transitions to the forwarding state
Capable of sending and receiving user data
Ports that are not designated or root ports transition back to the blocking state

State Transitions

Typical 30+ seconds before forwarding


STP Operation

1. Elects one root bridge per VLAN based on lowest priority
All ports are designated ports and send and receive traffic and BPDUs
2. Selects the root port on all nonroot bridges: lowest-cost path to the root
Root ports send and receive traffic
If equal-cost paths to the root exist, selects the port that connects to the lowest bridge ID
If all bridge IDs are the same, the bridge selects the lowest port ID
From switch Y, the lowest-cost path to the root is through the Fast Ethernet port
3. Selects the designated port on each segment on the bridge with the lowest path cost to the root
Designated port for both segments is on the root bridge
10BASE-T port on switch Y is a nondesignated port and blocks
Switch chooses a designated port as the least-cost path to the root bridge
Bridge ID acts as the tiebreaker

Enforcing the Topology


Place the root bridge manually in the Building Distribution submodule
Keeps the forwarding topology optimal
Even if the administrator sets the root bridge priority to 0, there is no guarantee of security of the root bridge position
Selecting the root bridge and enforcing the topology is vital in complex networks:
Step 1. Configure the root and secondary root bridges
Step 2. Set the port priorities
Step 3. Set the port costs
Step 4. Enable root guard on access-layer switches (see later)

Selection of Root and Designated Port on Nonroot Bridges


Five criteria in the decision-making process:
Lowest root bridge ID
Lowest path cost to the root bridge
Lowest sender bridge ID
Lowest port priority
Lowest port ID
Determining the root port of a switch that has equal-cost paths to the root:
STP looks at the bridge ID of the switches that sent the BPDUs
If equal, STP looks at the priority of the ports
Port with the lowest port priority would be selected as the root port
If equal, STP uses the port identifiers and selects the port with the lowest port ID as the root port

STP Root Port Selection


Switch Y receives a BPDU from the root switch X:
From a Fast Ethernet segment
From an Ethernet segment
Root path cost in both cases is 0
Local path cost on the Fast Ethernet port is 19
Local path cost on the Ethernet port is 100
Port on the Fast Ethernet segment has the lowest path cost to the root bridge and is elected the root port for switch Y

STP Designated Port Selection


STP selects one designated port per segment to forward traffic
Other ports on the segment receive traffic but do not forward
Elects the port on the segment with the lowest path cost to the root bridge
If multiple ports on the same bridge have the same cost, the port with the lowest port priority is chosen
If the port priority is the same, then the port with the lowest port ID becomes the designated port
Because all ports on the root bridge have a root path cost of 0, STP designates all ports on the root bridge as designated ports
Root bridge ports act as designated ports in both segments

Primary and Backup Root Bridges


For each VLAN, the switch with the lowest bridge ID becomes the root bridge for that VLAN
Primary root bridge is the actual root bridge of a VLAN
Choose a centrally located or core switch in the network
Has enough CPU power and switching capacity to forward traffic between various distribution-layer and access-layer switches
Backup or secondary root bridges are selected in the event of a failure of the primary root bridge
Selection is done intentionally
With a primary root bridge failure, the new root bridge is still centrally located
In a production network:
Backup root bridge must have the same capacity as the primary
No degradation of performance with a primary root bridge failure

Sample Scenario of STP Election Process


Root Bridge Selection
Three switches have the same priority
Bridge with the lowest MAC address becomes the root bridge
ASW11 is the root bridge with a bridge ID of 00:00:0c:aa:aa:aa
Other two switches are non-root bridges
Root bridges designate all ports as designated ports

Root Port Selection

DSW111 and DSW112 are non-root bridges
Each elects a single root port
Receive a BPDU on segment 1 (for DSW111) or segment 2 (for DSW112):
Root path cost of 0, local path cost of 19, total cost of 19
Also receive a BPDU from the other on segment 3:
Root path cost of 19, local path cost of 100
Switch elects the port on segment 1 for DSW111 or segment 2 for DSW112 as the root port

Designated Port Selection

Port on either DSW111 or DSW112 ends up as the designated port for segment 3
DSW111 and DSW112 examine the root bridge ID in the BPDUs
Root bridge IDs are the same
Second step: the bridges examine the root path cost
Cost is the same for both ports
Third step is to check the sender bridge ID
Both bridges have the same priority, so the bridge with the lower of the two MAC addresses has the lowest bridge ID: DSW111
Port on DSW111 becomes the designated port on segment 3
Port on DSW112 becomes the non-designated port and is put into blocking state

STP Convergence: Summary


Recall that switches go through three steps for their initial convergence:
STP Convergence
Step 1: Elect one Root Bridge
Step 2: Elect Root Ports
Step 3: Elect Designated Ports
Also, all STP decisions are based on the following predetermined sequence:
Five-Step Decision Sequence
Step 1: Lowest BID
Step 2: Lowest Path Cost to Root Bridge
Step 3: Lowest Sender BID
Step 4: Lowest Port Priority
Step 5: Lowest Port ID
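Convergence steps 2 and 3 and the five-step decision sequence, applied to the DSW111/DSW112 sample scenario from the preceding slides, as an added example that is not code from the deck. The root (ASW11, 00:00:0c:aa:aa:aa) is taken as already elected; the DSW MAC addresses, port names and port numbers are constructed, and the port costs are the revised 802.1D-1998 values from the path-cost slide.

```python
"""Root port and designated port election on a non-root bridge (added example,
not from the slides). It applies the five-step sequence above (lowest root BID,
lowest root path cost, lowest sender BID, lowest sender port priority, lowest
sender port ID) to the slides' scenario: ASW11 (00:00:0c:aa:aa:aa) is the
root, DSW111 and DSW112 each have a Fast Ethernet uplink to it (segments 1
and 2) and share an Ethernet segment (segment 3). The DSW MAC addresses and
port numbers are constructed; the root is taken as already elected.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Revised IEEE 802.1D-1998 port costs from the slides
PORT_COST = {"10G": 2, "1G": 4, "100M": 19, "10M": 100}


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int
    mac: str  # lowercase "xx:xx:..." so string order equals numeric order


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU that the election uses."""
    root_id: BridgeId
    root_path_cost: int       # the sender's cost to the root
    sender_id: BridgeId
    sender_port_priority: int
    sender_port_id: int


@dataclass
class Port:
    name: str
    speed: str
    port_id: int
    priority: int = 128
    received: Optional[Bpdu] = None  # best BPDU heard on the attached segment

    def cost(self) -> int:
        return PORT_COST[self.speed]


def received_vector(port: Port) -> Tuple:
    """Five-step vector exactly as the neighbour advertised it on this segment."""
    b = port.received
    return (b.root_id, b.root_path_cost, b.sender_id,
            b.sender_port_priority, b.sender_port_id)


def root_path_vector(port: Port) -> Tuple:
    """Same vector seen from this bridge: the local port cost is added (step 2)."""
    v = received_vector(port)
    return (v[0], v[1] + port.cost()) + v[2:]


def select_root_port(ports: List[Port]) -> Port:
    """Convergence step 2: the port with the lowest root path vector."""
    return min((p for p in ports if p.received is not None), key=root_path_vector)


def assign_roles(bridge: BridgeId, ports: List[Port]) -> Dict[str, str]:
    """Convergence step 3: every other port is designated for its segment or blocks."""
    root_port = select_root_port(ports)
    root_id, my_cost = root_path_vector(root_port)[:2]
    roles = {root_port.name: "root"}
    for p in ports:
        if p is root_port:
            continue
        mine = (root_id, my_cost, bridge, p.priority, p.port_id)  # what I would send
        if p.received is None or mine < received_vector(p):
            roles[p.name] = "designated"
        else:
            roles[p.name] = "nondesignated (blocking)"
    return roles


ASW11 = BridgeId(32768, "00:00:0c:aa:aa:aa")   # root bridge, from the slides
DSW111 = BridgeId(32768, "00:00:0c:bb:bb:bb")  # constructed MAC
DSW112 = BridgeId(32768, "00:00:0c:cc:cc:cc")  # constructed MAC
FROM_ROOT = Bpdu(ASW11, 0, ASW11, 128, 1)      # the root advertises cost 0


def dsw_ports(peer: BridgeId) -> List[Port]:
    """One DSW's ports: Fast Ethernet uplink to the root, Ethernet to the peer DSW."""
    return [
        Port("Fa0/1", "100M", 1, received=FROM_ROOT),
        # the peer reaches the root over its own 19-cost uplink and advertises that
        Port("Eth0/1", "10M", 2, received=Bpdu(ASW11, 19, peer, 128, 2)),
    ]


def scenario() -> Dict[str, Dict[str, str]]:
    return {
        "DSW111": assign_roles(DSW111, dsw_ports(peer=DSW112)),
        "DSW112": assign_roles(DSW112, dsw_ports(peer=DSW111)),
    }


if __name__ == "__main__":
    for switch, roles in scenario().items():
        print(switch, roles)
```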


STP Example Physical Topology


Active Topology After STP

(figure: active topology after STP, with root path costs RPC=4, RPC=2, RPC=2 and RPC=4 marked on the links)

Another Spanning Tree Example Network


From 802.1d Spec


Resultant Spanning Tree


STP Topology Changes


Bridge sends the TCN BPDU if either:
Port in forwarding or listening state transitions to blocking (link failure)
Port moves to forwarding state and the bridge already has a designated port
Non-root bridge receives a TCN on its designated port
TCN is a simple BPDU with three fields:
Same as the first three fields of a configuration BPDU
Type field in a TCN BPDU is 0x80
Designated bridge receives the TCN and acknowledges it:
Sends back a configuration BPDU with the Topology Change Acknowledgement (TCA) bit set
Bridge notifying the change continues sending TCN BPDUs until the designated bridge acknowledges them
Designated bridge generates another TCN for its own root port
So on until the TCN BPDU reaches the root bridge
Root bridge is aware there has been a topology change in the network:
Starts sending out its configuration BPDUs with the Topology Change (TC) bit set
Every bridge in the network relays these BPDUs with this bit set
Each bridge reduces its MAC address table aging time to the value of the forward delay timer

Topology Change Notification from Source Bridge


Link to Switch A fails

Root Switch Sets TC Flag Due to TCN


Steps from Sample TCN


1. Switch B notices that a link failure has occurred when switch A fails
2. Switch B sends a TC BPDU out the root port
Continues to send the TC BPDU until switch C responds with a TCA
3. Switch C sends a TCA to switch B
Sends a TC BPDU out its root port (propagation of the TCN)
4. When the root switch receives the topology change message
Acknowledges the TC BPDU with a TCA to the sending bridge
5. Root switch changes its configuration BPDU to indicate topology change
Sets the topology change flag for a period equal to the sum of the forward delay timer and the max age timer
6. Switch receiving the TC configuration BPDU message from the root switch uses the value of the forward delay timer to age out entries in the address table
Age out MAC address entries faster than the 300-second default
Ensures MAC addresses no longer available due to the topology change age out quickly
Switch continues until it no longer receives TC BPDU messages from the root

Enhancements to STP


Per VLAN Spanning Tree Plus


PVST+ maintains a separate spanning-tree instance for each VLAN
By default, a single spanning tree runs on each VLAN
STP can be enabled and disabled on a per-VLAN basis
Plus sign indicates that STP 802.1D has been enhanced by Cisco with proprietary features
PVST+ provides for load balancing on a per-VLAN basis
Allows creation of different logical topologies using the VLANs on a switched network
Ensures that all links can be used and that one link is not oversubscribed
Typical Building Access submodule switch connected to two Building Distribution submodule switches:
One Building Distribution submodule switch is root for one VLAN
Other Building Distribution submodule switch is root for the second VLAN
Building Access submodule switch in this scenario would use both links, one for each VLAN, achieving load balancing
Each instance of PVST+ on a VLAN has a single root bridge
Provides different STP root switches per VLAN
Allows for the load balancing of root bridge responsibilities and link paths

PVST+

One spanning-tree instance exists for the primary VLAN
Second instance for the alternate VLAN
Single switch and a single trunking port can serve different roles for each VLAN
On the access-layer switch, a port forwards for one VLAN while blocking for the other VLANs
Desired STP configuration and resulting Layer 2 topology is not necessarily automatic
Network administrator needs to plan and configure manually

PVST+ Load Balancing Scenario

PVST+ is implemented for ten VLANs
Ports in different states for the different instances
Each port is participating in all ten VLANs
Actively forwarding traffic for only half of them
Each switch maintains ten spanning-tree instances

Configuring the Basic Parameters of PVST+


Default mode for STP on Catalyst switches is PVST+
Possible to disable STP on a per-VLAN basis
Enable STP:
spanning-tree vlan vlan-id

Configuring Port Cost


Assign lower cost values to interfaces to make spanning tree select those first
STP uses the port cost value when the interface is an access port
Uses VLAN port cost values when the interface is a trunk port

Verifying the STP Configuration


Display the STP information for a specific VLAN:
show spanning-tree vlan vlan-id
Priority field is 8193 even though the configured priority value is 8192
Switch uses the MAC address reduction feature
Priority field includes the VLAN ID information (8192 + 1 = 8193)
How can this be? Aren't all ports of a root bridge designated ports?

Detailed STP Information for a Trunk Interface


Spanning-Tree Bridge Information


show spanning-tree bridge
Useful in verifying the STP parameters for all VLANs
IEEE Documents on STP


Rapid Spanning Tree Protocol


Rapid Spanning Tree Protocol (IEEE 802.1w, referred to as RSTP)
Significantly speeds recalculation of the spanning tree with topology changes
Defines additional port roles of Alternate and Backup
Defines three port states: discarding, learning, or forwarding
Cisco enhanced 802.1D with features such as UplinkFast, BackboneFast, and PortFast to speed up the convergence time
Proprietary and need additional configuration
IEEE 802.1w standard (RSTP) is an evolution of the 802.1D standard
802.1D terminology is primarily the same and most parameters are unchanged
In most cases RSTP performs better than the Cisco proprietary extensions
802.1w is capable of reverting to 802.1D to interoperate with legacy bridges on a per-port basis
Reverting negates the benefits of 802.1w for that segment

RSTP
RSTP selects one switch as the root of an active topology
Assigns port roles to individual ports on the switch
Provides rapid connectivity following the failure of a switch, port, or LAN
New root port and the designated port of the connecting bridge transition to forwarding through an explicit handshake protocol
Allows switch-port configuration so that ports transition to forwarding directly when the switch reinitializes
On Cisco Catalyst switches, RPVST+ is the per-VLAN version of the RSTP implementation
Current generation Catalyst switches support RPVST+

RSTP Ports


RSTP Port States


Three port states in RSTP:
Discarding
Learning
Forwarding
Discarding state is a merger of:
Disabled
Blocking
Listening
STP mixes the state of a port with the role it plays in the active topology
RSTP considers no difference between a port in blocking state and a port in listening state: both discard frames, and neither learns MAC addresses
RSTP decouples the role of a port from the state of a port

RSTP Operation Port States


Port State   Description
Discarding   This state is seen in both a stable active topology and during topology synchronization and changes. The discarding state prevents the forwarding of data frames, thus breaking the continuity of a Layer 2 loop.
Learning     This state is seen in both a stable active topology and during topology synchronization and changes. The learning state accepts data frames to populate the MAC table to limit flooding of unknown unicast frames.
Forwarding   This state is seen only in stable active topologies. The forwarding switch ports determine the topology. Following a topology change, or during synchronization, the forwarding of data frames occurs only after a proposal and agreement process.

Operational Status   STP Port State   RSTP Port State   Port Included in Active Topology
Enabled              Blocking         Discarding        No
Enabled              Listening        Discarding        No
Enabled              Learning         Learning          Yes
Enabled              Forwarding       Forwarding        Yes
Disabled             Disabled         Discarding        No

RSTP Port Roles


Port role defines:
Purpose of a switch port
The way it handles data frames
Port roles and port states transition independently of each other
(figure: port roles on different switches and on the same switch)

RSTP Operation Port Roles


STP Port Role        RSTP Port Role             STP Port State   RSTP Port State
Root port            Root port                  Forwarding       Forwarding
Designated port      Designated port            Forwarding       Forwarding
Nondesignated port   Alternate or backup port   Blocking         Discarding
Disabled             Disabled                   Listening        Discarding
Transition           Transition                 Learning         Learning

RSTP Port Roles


Root port: the port closest to the root bridge in terms of path cost
There is a single root bridge for the whole bridged network; the root bridge is the only bridge that does not have a root port
Designated port: the bridge sending the best BPDU on a segment is the designated bridge for that segment
The corresponding port on that bridge is the designated port
Alternate port: a port that is blocked because it receives more useful (superior) BPDUs from another bridge
Provides an alternate path to the root bridge and replaces the root port if the root port fails
Backup port: a port that is blocked because it receives more useful BPDUs from the designated port of the same bridge, on a shared LAN segment to which that bridge is connected twice
Replaces the designated port if the existing designated port fails
Disabled port: a port that has no role within spanning tree



Rapid Transition to Forwarding


Rapid transition to forwarding is the most important feature of 802.1w
RSTP actively confirms that a port transition to forwarding is safe, without relying on timer configuration
Relies upon two new variables: edge port and link type

Edge ports: ports directly connected to end stations cannot create bridging loops
Transition directly to forwarding, skipping the listening and learning stages
Edge ports are designated through manual configuration (PortFast)
An edge port does not generate a topology change when its link transitions
If an edge port receives a BPDU, it immediately becomes a normal spanning-tree port

RSTP ports achieve rapid transition to forwarding on edge ports and on point-to-point links
Most switch-to-switch links are point-to-point
Switches automatically derive the link type from the duplex mode of a port
Rapid transition to the forwarding state for a designated port occurs only if the link type parameter indicates a point-to-point link; on a shared (half-duplex) link the port falls back to the timer-based transition through forward delay

RSTP Operation: Rapid Transition to Forwarding, Link Type

Link type       Description
Point-to-point  Port operating in full-duplex mode. It is assumed that the port is connected to a single switch device at the other end of the link.
Shared          Port operating in half-duplex mode. It is assumed that the port is connected to shared media where multiple switches might exist.

RSTP Operation: Rapid Transition to Forwarding, Edge Ports

An RSTP edge port is a switch port that is never intended to be connected to another switch device
Immediately transitions to the forwarding state when enabled
Neither edge ports nor PortFast-enabled ports generate topology changes when the port transitions
Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning-tree port
When an edge port receives a BPDU, it generates a topology change notification (TCN)

RSTP BPDU Format and BPDU Handling

RSTP introduces changes to the BPDU
In 802.1D only 2 bits of the Flags byte were used: TC and TC Acknowledgement
RSTP uses all 6 remaining bits of the Flags byte
They encode the role and state of the port originating the BPDU
They carry the proposal and agreement mechanism (Proposal and Agreement bits)
The RSTP BPDU is of type 2, version 2; it also carries a one-byte Version 1 Length field (value 0) after the timer fields, so an RST BPDU is 36 bytes long against 35 for an 802.1D configuration BPDU
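As an added example (not code from the slides or from Cisco), the following Python decodes the BPDU layout and flag bits described above. A switch's show output only tells you what the switch concluded; parsing the frame itself, for instance from a capture on a port that BPDU Guard just err-disabled, shows exactly which bits the sender set. The sample BPDUs are constructed inside the block, reusing the bridge addresses that appear in this chapter's verification output; the field layout and bit positions are those of 802.1D and 802.1w.

```python
"""Parse IEEE 802.1D configuration BPDUs and 802.1w RST BPDUs and decode the flags byte.
Added example, not code from the page; the sample BPDUs at the bottom are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

# Flags byte (bit 0 = least significant). 802.1D used only TC and TC Ack.
FLAG_TC, FLAG_PROPOSAL, ROLE_MASK = 0x01, 0x02, 0x0C
FLAG_LEARNING, FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TC_ACK = 0x10, 0x20, 0x40, 0x80
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst"}


@dataclass
class BridgeId:
    priority: int   # 4-bit priority + 12-bit extended system ID (VLAN number or MST instance)
    mac: str

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack("!H", raw[:2])[0], ":".join(f"{b:02x}" for b in raw[2:8]))

    def to_bytes(self) -> bytes:
        return struct.pack("!H", self.priority) + bytes.fromhex(self.mac.replace(":", ""))

    @property
    def base_priority(self) -> int:   # the "priority 32768" part of the show output
        return self.priority & 0xF000

    @property
    def sys_id_ext(self) -> int:      # the "sys-id-ext 2" part of the show output
        return self.priority & 0x0FFF


@dataclass
class Bpdu:
    version: int
    bpdu_type: str
    flags: dict
    root_id: Optional[BridgeId] = None
    root_path_cost: int = 0
    bridge_id: Optional[BridgeId] = None
    port_id: int = 0
    message_age: float = 0.0   # timer fields are carried in units of 1/256 s
    max_age: float = 0.0
    hello_time: float = 0.0
    forward_delay: float = 0.0


def decode_flags(version: int, flags: int) -> dict:
    """802.1D defines TC and TC Ack only; 802.1w assigns the six remaining bits."""
    decoded = {"tc": bool(flags & FLAG_TC), "tc_ack": bool(flags & FLAG_TC_ACK)}
    if version >= 2:
        decoded.update(proposal=bool(flags & FLAG_PROPOSAL),
                       port_role=PORT_ROLES[(flags & ROLE_MASK) >> 2],
                       learning=bool(flags & FLAG_LEARNING),
                       forwarding=bool(flags & FLAG_FORWARDING),
                       agreement=bool(flags & FLAG_AGREEMENT))
    return decoded


def parse_bpdu(raw: bytes) -> Bpdu:
    """Parse the BPDU that follows the 802.2 LLC header (DSAP/SSAP 0x42)."""
    if len(raw) < 4:
        raise ValueError("truncated BPDU header")
    protocol_id, version, bpdu_type = struct.unpack("!HBB", raw[:4])
    if protocol_id != 0 or bpdu_type not in BPDU_TYPES:
        raise ValueError(f"not a recognised BPDU: proto={protocol_id:#x} type={bpdu_type:#x}")
    kind = BPDU_TYPES[bpdu_type]
    if kind == "tcn":                      # legacy TCN BPDU: four-byte header, nothing else
        return Bpdu(version, kind, {})
    needed = 36 if kind == "rst" else 35   # RST BPDUs add a one-byte Version 1 Length field
    if len(raw) < needed:
        raise ValueError(f"{kind} BPDU needs {needed} bytes, got {len(raw)}")
    flags, root, cost, bridge, port_id, age, max_age, hello, fwd = struct.unpack(
        "!B8sI8sHHHHH", raw[4:35])
    return Bpdu(version, kind, decode_flags(version, flags), BridgeId.from_bytes(root), cost,
                BridgeId.from_bytes(bridge), port_id, age / 256, max_age / 256,
                hello / 256, fwd / 256)


def build_rst_bpdu(flags: int, root: BridgeId, cost: int, bridge: BridgeId, port_id: int,
                   hello: int = 2, max_age: int = 20, forward_delay: int = 15) -> bytes:
    """Encode a version 2 / type 2 RST BPDU (used here only to construct sample input)."""
    return (struct.pack("!HBBB", 0, 2, 0x02, flags) + root.to_bytes() + struct.pack("!I", cost)
            + bridge.to_bytes()
            + struct.pack("!HHHHH", port_id, 0, max_age * 256, hello * 256, forward_delay * 256)
            + b"\x00")


# Constructed samples reusing the bridge addresses from the chapter's verification output:
# a designated port proposing on behalf of the root, and the agreement a root port sends back.
ROOT = BridgeId(24578, "00:0b:fc:b5:da:c0")      # priority 24576 + sys-id-ext 2
SENDER = BridgeId(32770, "00:13:5f:1c:e1:c0")    # priority 32768 + sys-id-ext 2
SAMPLE_PROPOSAL = build_rst_bpdu(FLAG_PROPOSAL | (3 << 2), ROOT, 19, SENDER, 0x8007)
SAMPLE_AGREEMENT = build_rst_bpdu(FLAG_AGREEMENT | (2 << 2) | FLAG_LEARNING | FLAG_FORWARDING,
                                  ROOT, 38, SENDER, 0x8008)
```

Feed parse_bpdu() the payload after the LLC header of a captured frame sent to 01:80:c2:00:00:00. A version 0 BPDU with only TC and TC Ack meaningful is a legacy 802.1D bridge; a version 2 BPDU with the Proposal bit and a designated role is what an RSTP switch sends when it is trying to take over a segment, which on an access port is exactly what BPDU Guard exists to stop.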


BPDU Generation

An 802.1D non-root bridge generates a BPDU only when it receives one on its root port
An 802.1w bridge sends a BPDU every hello time period, whether or not it receives one
If a port receives no BPDUs for three consecutive hello times, the bridge immediately ages out the protocol information on that port
Immediate aging also happens if the max age timer expires
In RSTP, BPDU transmissions act as a keepalive mechanism
A bridge has lost connectivity to its neighbor if it misses three BPDUs in a row
Fast aging of the information allows quick failure detection
In RSTP mode, switches detect the failure of a neighbor much faster than in 802.1D: 802.1D keeps the information until max age (20 seconds by default) expires, while RSTP with the default hello time of 2 seconds ages it out after 6 seconds

Proposal and Agreement in RSTP

Transition on point-to-point ports is rapid
Bridge A and bridge B connect through port a on bridge A and port b on bridge B
Bridge A is the root because of its superior BPDUs
1. Ports a and b, the designated ports, start in discarding or learning state and send BPDUs with the proposal bit set
2. Port b receives the superior BPDU from bridge A and immediately knows that port b is its new root port
3. Bridge B sends a BPDU back to bridge A with the agreement bit set
4. Bridge A transitions port a to forwarding as soon as it receives the BPDU with the agreement bit set from bridge B


RSTP Proposal and Agreement Process

Switch A has a path to the root via switch B and switch C
A new link is added between the root and switch A
Both ports of the new link are in blocking (discarding) state until they receive a BPDU
Port P0 of the root bridge sets the proposal bit on the BPDUs it sends out
Switch A sees that the proposal BPDU carries a superior (lower) path cost to the root
It blocks all non-edge designated ports other than the one over which the proposal-agreement process is occurring; this is called sync, and it prevents switches below A from causing a loop during the proposal-agreement process
Edge ports do not have to be blocked and remain unchanged during sync
Switch A sends an agreement that allows the root bridge to put its designated port P0 into the forwarding state
Port P1 becomes the root port for A and forwards

Downstream Proposal and Agreement

Switch B, on port P5, sees that switch A's port P3 is now discarding, and B also transitions its port to the designated discarding state
Switch A sends its proposal BPDU down to B with the root ID of the root bridge
Switch B sees a proposal carrying the superior BPDU from A and blocks all of its own non-edge designated ports (sync)
Switch B sends a BPDU with the agreement bit set, and switch A's port P3 transitions to the forwarding state
The synchronization process continues with the switches downstream from B
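The two passages above describe sync and the agreement in prose; the following added Python (not code from the slides) models them on switch A: link type derived from duplex, edge ports left untouched, every other non-edge port cut to discarding when a superior proposal arrives, an agreement only on a point-to-point link, and the proposal A then owes to B. Bridge IDs (root 1, A 10, B 20), port numbers and path costs are constructed to match the figure; priority vectors are simplified four-element tuples rather than full 802.1w vectors.

```python
"""802.1w role selection and the proposal/agreement handshake ("sync") on one bridge.
Added example, not code from the page. Priority vectors are simplified to tuples of
(root_id, root_path_cost, sender_bridge_id, sender_port_id); lower compares better."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Vector = Tuple[int, int, int, int]

@dataclass
class Port:
    name: str
    port_id: int
    cost: int = 19                      # 802.1D short path cost for 100 Mbps
    edge: bool = False                  # operational edge port (PortFast)
    full_duplex: bool = True            # RSTP derives the link type from the duplex mode
    received: Optional[Vector] = None   # best BPDU vector heard on this port
    role: str = "designated"
    state: str = "discarding"
    proposing: bool = False             # designated port that still owes a proposal downstream

    @property
    def link_type(self) -> str:
        return "point-to-point" if self.full_duplex else "shared"

@dataclass
class Bridge:
    bridge_id: int
    ports: Dict[str, Port] = field(default_factory=dict)
    root_id: int = 0
    root_path_cost: int = 0

    def add(self, port: Port) -> Port:
        self.ports[port.name] = port
        if port.edge:                   # edge ports forward at once and are never cut during sync
            port.state = "forwarding"
        return port

    def select_roles(self) -> None:
        """Choose the root port and classify every other port (802.1w, simplified)."""
        candidates = [p for p in self.ports.values() if p.received and not p.edge]
        root_port = min(candidates, default=None, key=lambda p: (
            p.received[0], p.received[1] + p.cost, p.received[2], p.received[3]))
        if root_port is None:
            self.root_id, self.root_path_cost = self.bridge_id, 0
        else:
            self.root_id = root_port.received[0]
            self.root_path_cost = root_port.received[1] + root_port.cost
        for p in self.ports.values():
            if p is root_port:
                p.role = "root"
                continue
            mine = (self.root_id, self.root_path_cost, self.bridge_id, p.port_id)
            if p.edge or p.received is None or mine < p.received:
                p.role = "designated"
            elif p.received[2] == self.bridge_id:
                p.role = "backup"       # the better BPDU comes from another port of this bridge
            else:
                p.role = "alternate"    # the better BPDU comes from another bridge

    def handle_proposal(self, name: str, vector: Vector) -> bool:
        """A BPDU with the proposal bit arrived on `name`; True means an agreement is sent back."""
        port = self.ports[name]
        port.received = vector
        self.select_roles()
        if port.role != "root":
            return False                # not a better path to the root: nothing to synchronise
        for p in self.ports.values():   # sync: every other non-edge port goes to discarding
            if p is port or p.edge:
                continue
            p.state = "discarding"
            p.proposing = p.role == "designated"
        if port.link_type != "point-to-point":
            return False                # shared link: no handshake, the port waits on timers
        port.state = "forwarding"       # point-to-point root port: rapid transition
        return True

    def pending_proposals(self) -> List[str]:
        """Designated ports that now send their own proposals to carry the sync downstream."""
        return sorted(n for n, p in self.ports.items() if p.proposing)

    def handle_agreement(self, name: str) -> bool:
        """Agreement received on a designated point-to-point port: forward without timers."""
        port = self.ports[name]
        if port.role != "designated" or port.link_type != "point-to-point":
            return False
        port.state, port.proposing = "forwarding", False
        return True

def build_switch_a() -> Bridge:
    """The figure's switch A (id 10): root port P3 towards B (id 20), two hops (cost 38) from
    root 1; a new, not yet active link P1 to the root; an edge port E1 towards a host."""
    a = Bridge(bridge_id=10)
    a.add(Port("P3", 3, received=(1, 38, 20, 0x8005)))
    a.add(Port("P1", 1))
    a.add(Port("E1", 9, edge=True))
    a.select_roles()
    a.ports["P3"].state = "forwarding"
    return a

def run_scenario() -> dict:
    """Root's P0 proposes on the new link; A syncs, agrees, then re-proposes towards B."""
    a = build_switch_a()
    agreed = a.handle_proposal("P1", (1, 0, 1, 0x8001))
    after_proposal = {n: (p.role, p.state) for n, p in a.ports.items()}
    downstream = a.pending_proposals()
    a.handle_agreement("P3")            # switch B (not modelled here) answers with an agreement
    after_agreement = {n: (p.role, p.state) for n, p in a.ports.items()}
    return {"agreement_sent": agreed, "after_proposal": after_proposal,
            "downstream": downstream, "after_agreement": after_agreement,
            "root_path_cost": a.root_path_cost}
```

Two things the model makes visible that the prose does not: a proposal that is not a better path to the root changes nothing, and a root port on a half-duplex (shared) link never sends an agreement, so convergence there falls back to the forward-delay timers even though the switch runs RSTP.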

RSTP Topology Change Mechanism

Only non-edge ports moving to the forwarding state cause a topology change
Loss of connectivity does not generate a topology change
A port moving to blocking does not cause the bridge to generate a TC BPDU
When an RSTP bridge detects a topology change:
1. It starts the TC While timer, with a value equal to twice the hello time, for all its non-edge designated ports and its root port
This is the interval during which the RSTP bridge actively informs the rest of the bridges of the topology change
2. It flushes the MAC addresses associated with all non-edge ports
3. While the TC While timer is running on a port, BPDUs sent out of that port have the TC bit set; the bridge sends such BPDUs even on the root port



Topology Change Propagation

When a bridge receives a BPDU with the TC bit set from a neighbor:
1. It clears the MAC addresses learned on all its ports except the one that received the topology change
2. It starts the TC While timer and sends BPDUs with the TC bit set on its designated ports and root port
RSTP does not use the specific TCN BPDU anymore, unless a legacy bridge needs to be notified
The topology change notification is flooded very quickly across the whole network
Propagation is a one-step process: the initiator of the topology change floods this information throughout the network
In 802.1D only the root sends BPDUs with the TC bit set; in RSTP there is no need to wait for the root bridge to be notified
Because every topology change flushes MAC tables, a port that keeps flapping or a device injecting BPDUs keeps the switches flooding unknown unicast traffic out all ports of the VLAN until addresses are relearned; this is one more reason to make access ports edge ports and protect them with BPDU Guard
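As an added example (not from the slides), the following Python models what the two TC slides describe on one bridge: which events count as a topology change, which ports get their MAC entries flushed, and on which ports the TC bit is set for twice the hello time. The bridge, its ports and the MAC addresses (taken from the 00:00:5e:00:53:xx documentation range) are constructed. The receiving port is left out of the propagation, as 802.1w does, since it is the port that delivered the change.

```python
"""RSTP topology change handling on one bridge: the TC While timer, MAC table flushing and
one-step propagation. Added example with a constructed bridge; not code from the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    name: str
    role: str                                         # root | designated | alternate | edge
    mac_table: Set[str] = field(default_factory=set)  # MAC addresses learned on this port
    tc_while: float = 0.0                             # seconds left with TC set in outgoing BPDUs


@dataclass
class Bridge:
    name: str
    hello_time: float = 2.0
    ports: Dict[str, Port] = field(default_factory=dict)

    def add(self, port: Port) -> Port:
        self.ports[port.name] = port
        return port

    def _topology_change(self, exclude: Optional[Port] = None) -> int:
        """Flush the MACs of every non-edge port except `exclude` and arm TC While (twice the
        hello time) on root and designated ports. Returns the number of entries flushed."""
        flushed = 0
        for p in self.ports.values():
            if p.role == "edge" or p is exclude:
                continue
            flushed += len(p.mac_table)
            p.mac_table.clear()
            if p.role in ("root", "designated"):
                p.tc_while = 2 * self.hello_time
        return flushed

    def port_went_forwarding(self, name: str) -> int:
        """Only a non-edge port moving to forwarding generates a topology change."""
        if self.ports[name].role == "edge":
            return 0
        return self._topology_change()

    def port_went_discarding(self, name: str) -> int:
        """Loss of connectivity or a port moving to blocking is not a topology change in RSTP."""
        return 0

    def received_tc(self, name: str) -> int:
        """BPDU with TC set arrived on `name`: flush every other port and propagate at once.
        The receiving port is excluded; 802.1D would instead send a TCN up to the root first."""
        return self._topology_change(exclude=self.ports[name])

    def tc_ports(self) -> List[str]:
        """Ports whose outgoing BPDUs currently carry the TC bit."""
        return sorted(n for n, p in self.ports.items() if p.tc_while > 0)

    def elapse(self, seconds: float) -> None:
        for p in self.ports.values():
            p.tc_while = max(0.0, p.tc_while - seconds)

    def learned(self) -> Dict[str, Set[str]]:
        return {n: set(p.mac_table) for n, p in self.ports.items()}


def build_bridge() -> Bridge:
    """Constructed bridge: root port, one designated downlink, one alternate port (discarding,
    so it has learned nothing) and one edge port towards a host."""
    b = Bridge("B")
    b.add(Port("P1", "root", {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}))
    b.add(Port("P2", "designated", {"00:00:5e:00:53:03"}))
    b.add(Port("P3", "alternate"))
    b.add(Port("E1", "edge", {"00:00:5e:00:53:05"}))
    return b
```

The flushed counts are the security-relevant part: after port_went_forwarding("P2") the bridge has forgotten every address on its root and designated ports, and until they are relearned unicast frames to those hosts are flooded out every port in the VLAN, including ports an attacker may be sitting on.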


RSTP and 802.1D STP Compatibility

RSTP can operate with 802.1D STP
802.1w's fast-convergence benefits are lost when interacting with 802.1D bridges
Each port maintains a variable that defines the protocol to run on the corresponding segment
If the port receives BPDUs that do not correspond to its current operating mode for two times the hello time, it switches to the other STP mode

Default STP Configuration on Cisco Switches

PVST+ is enabled, with a bridge priority of 32,768 for each VLAN (plus the VLAN number as the extended system ID)

PortFast

Spanning Tree PortFast causes an interface configured as an access port to enter the forwarding state immediately
Bypasses the listening and learning states
Enable on Layer 2 access ports connected to a single workstation or server
Servers and workstations are attached to an access switch through ports that have the PortFast feature enabled

STP State Machine with PortFast

The STP state jumps directly from blocking to forwarding without going through the listening and learning states
PortFast suppresses topology change notifications when the port goes up or down
Pair PortFast with BPDU Guard so that a PortFast port which does receive a BPDU is shut down rather than left participating in spanning tree

Configuring the PortFast Feature Globally

On Building Access submodule switches, enable PortFast globally:
Switch(config)# spanning-tree portfast default
This enables PortFast on all nontrunking (access) ports, so there is no need to explicitly enable PortFast on each port
Explicitly disable PortFast on uplink ports with the interface command:
Switch(config-if)# no spanning-tree portfast


Configuring PortFast on Trunk Ports

Use the spanning-tree portfast trunk interface command to enable the PortFast feature on a trunk port:
Switch(config-if)# spanning-tree portfast trunk
Use it only on a trunk that connects to a single end host (for example a server that tags its own VLANs), never on a switch-to-switch trunk: it skips the listening and learning states on every VLAN of the trunk


Configuring the Access Port Macro

Use the switchport host macro command on an interface connecting to an end station
PortFast is a highly recommended configuration on end-user ports and server ports
The macro also disables negotiation of channeling and trunking
To place an interface into this desired configuration:
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)# end
Switch#


Implementing PVRST+

1. Enable PVRST+ globally (spanning-tree mode rapid-pvst). PVRST+ should be configured on all switches in the broadcast domain
2. Designate and configure a switch to be the root bridge
3. Designate and configure a switch to be the secondary (backup) root bridge
4. Ensure load sharing on uplinks using priority and cost parameters
5. Verify the configuration

Verifying PVRST+

The output below illustrates how to verify the RSTP configuration for VLAN 2 on a nonroot switch in a topology. A switch has exactly one root port per VLAN (here Fa0/7, as the Root ID block states); the second uplink is a designated port.
Switch# show spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    32768
             Address     000b.fcb5.dac0
             Cost        38
             Port        7 (FastEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0013.5f1c.e1c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/7            Root FWD 19        128.7    P2p
Fa0/8            Desg FWD 19        128.8    P2p
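The output above shows a priority of 32770 for VLAN 2, that is 32768 plus the VLAN number carried in the extended system ID. The following added Python (not code from the slides or from IOS) computes those per-VLAN bridge IDs, runs the root election, reproduces the priorities the root primary and root secondary macros configure, and applies the result to the PVST+ load-sharing case discussed later in this chapter (D1 root for VLANs 501 to 1000, D2 for VLANs 1 to 500). It also shows what a rogue switch at priority 0 does to that election, which is the Root Guard motivation. Switch names, MAC addresses and VLAN ranges are constructed.

```python
"""Per-VLAN bridge IDs with the extended system ID, the root election, and the priority the
`spanning-tree vlan <n> root primary|secondary` macro picks. Added example, not page code;
switch names, MAC addresses and VLAN plans below are constructed."""
from typing import Dict, List, Tuple

# A bridge is described as {"mac": str, "default": base priority, "overrides": [(lo, hi, prio)]}
Bridge = dict


def bridge_priority(base: int, vlan: int) -> int:
    """16-bit priority field: 4-bit configured priority plus the 12-bit extended system ID."""
    if base % 4096 or not 0 <= base <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    return base + vlan


def split_priority(priority: int) -> Tuple[int, int]:
    """Inverse of bridge_priority: 32770 -> (32768, 2), as `show spanning-tree` prints it."""
    return priority & 0xF000, priority & 0x0FFF


def mac_to_int(mac: str) -> int:
    """Accepts 0013.5f1c.e1c0 or 00:13:5f:1c:e1:c0."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def base_priority(bridge: Bridge, vlan: int) -> int:
    for lo, hi, prio in bridge.get("overrides", []):
        if lo <= vlan <= hi:
            return prio
    return bridge.get("default", 32768)


def bridge_id(bridge: Bridge, vlan: int) -> Tuple[int, int]:
    """Comparable bridge ID (priority field, MAC): the numerically lowest wins the election."""
    return bridge_priority(base_priority(bridge, vlan), vlan), mac_to_int(bridge["mac"])


def elect_root(vlan: int, bridges: Dict[str, Bridge]) -> str:
    return min(bridges, key=lambda name: bridge_id(bridges[name], vlan))


def root_macro_priority(role: str, vlan: int, bridges: Dict[str, Bridge]) -> int:
    """IOS behaviour: `root secondary` configures 28672; `root primary` configures 24576 unless
    some bridge already has a priority lower than that for the VLAN, then 4096 below it."""
    if role == "secondary":
        return 28672
    lowest = min(base_priority(b, vlan) for b in bridges.values())
    if lowest >= 24576:
        return 24576
    if lowest < 4096:
        raise ValueError("a bridge already uses priority 0; set the priority manually")
    return lowest - 4096


def load_share_plan(bridges: Dict[str, Bridge], vlans) -> Dict[str, List[int]]:
    """Which switch is root for which VLAN, i.e. which uplink each VLAN forwards on."""
    plan: Dict[str, List[int]] = {name: [] for name in bridges}
    for v in vlans:
        plan[elect_root(v, bridges)].append(v)
    return plan


# Constructed: the PVST+ load-sharing case (D1 root for VLANs 501-1000, D2 for VLANs 1-500),
# an access switch at defaults, and the rogue switch D of the Root Guard example at priority 0.
D1 = {"mac": "0000.0c00.0001", "overrides": [(1, 500, 28672), (501, 1000, 24576)]}
D2 = {"mac": "0000.0c00.0002", "overrides": [(1, 500, 24576), (501, 1000, 28672)]}
ACCESS = {"mac": "0000.0c00.00aa"}
ROGUE = {"mac": "0000.0c00.0bad", "default": 0}
```

With everything at the default 32768 the election is decided by the lowest MAC address, which is whichever switch happens to be oldest, and a single device advertising priority 0 wins every VLAN; that is why step 2 and step 3 of the procedure set the priorities deliberately, and why Root Guard belongs on the ports where such a device could appear.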


Multiple Spanning Tree (MST)

MST (802.1s) extends the IEEE 802.1w RST algorithm to multiple spanning trees
Reduces the total number of spanning-tree instances to match the physical topology of the network
PVST+ runs an STP instance for each VLAN and does not take the physical topology into consideration
MST uses a minimum number of STP instances, matching the number of physical topologies present

MST (802.1s)

MST builds multiple spanning trees over trunks by grouping and associating VLANs to spanning-tree instances
Each instance may have a topology that is independent of other instances
Provides multiple forwarding paths for data traffic and enables load balancing
A failure in one forwarding path does not affect other instances with different forwarding paths
An MST spanning-tree instance may exist only on bridges that have compatible VLAN-to-instance assignments
Configuring a set of bridges with the same MST configuration information allows them to participate in a specific set of spanning-tree instances
An MST region is the set of interconnected bridges that have the same MST configuration
Load balancing on the access switch uplinks can be achieved based on even or odd VLANs, or any other scheme deemed appropriate
VLAN Load Balancing

1000 VLANs map to two MST instances
Each switch needs to maintain only two spanning trees
The concept of two MST instances extends to all 4096 VLANs
MST converges faster than PVST+ because it is built on RSTP
Backward compatible with 802.1D STP, 802.1w (RSTP), and the Cisco PVST+ architecture


Comparison

PVST+ Case

Achieves load balancing by configuring the network such that a specific number of VLANs forward on each uplink trunk
Bridge D1 is configured to be the root for VLANs 501 through 1000
Bridge D2 is configured to be the root for VLANs 1 through 500
Load balancing between the access and distribution layers
The switches run 1000 VLAN instances for only two different logical topologies

PVST+ characteristics
Provides the ability to optimize load balancing
Maintains a per-VLAN STP instance, which results in more CPU utilization

802.1Q Case

IEEE 802.1Q defines a Common Spanning Tree (CST) instance
One spanning-tree instance for the entire bridged network, regardless of the number of VLANs

CST instance
No load balancing is possible
Switch CPU utilization is low, since there is only one instance
The Cisco implementation enhances 802.1Q to support PVST+, which then behaves exactly as the PVST+ case

MST Case

Combines the best of PVST+ and 802.1Q
Most networks do not need more than a few topologies
Mapping several VLANs to one instance reduces the number of spanning-tree instances

Network running MST
The desired load-balancing scheme is possible
Switch utilization is low

Because MST is a newer protocol, issues may arise
It is more complex than the usual spanning tree and requires additional training of the operations staff
Interaction with legacy bridges is sometimes challenging
MST Regions

Received BPDUs need to identify the STP instances and the VLANs that are mapped to those instances
Each switch running MST has a single configuration made of three attributes:
Alphanumeric configuration name (32 bytes)
Configuration revision number (2 bytes)
4096-element table that associates each of the potential 4096 VLANs with a given instance
To be part of a common MST region, switches must share the same configuration attributes
Switches must be able to exactly identify the boundaries of the regions
The characteristics of the region are included in BPDUs
Switches do not propagate the exact VLAN-to-instance mapping in the BPDU; they only need to know whether they are in the same region as a neighbor
Switches send a digest of the VLAN-to-instance mapping table, along with the revision number and the name
A switch that receives a BPDU compares the received digest with its own computed digest
If the digests differ, the port receiving the BPDU is at the boundary of a region
Because a region is identified by the digest only, a single VLAN mapped differently, or a mismatched revision number, silently splits the region; compare show spanning-tree mst configuration digest on both neighbors when a boundary appears where none is expected
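An added example (not code from the slides or from Cisco) that computes the MST configuration identifier a switch advertises: the 32-byte name, the 16-bit revision and the HMAC-MD5 digest of the 4096-entry VLAN-to-instance table, using the signature key IEEE 802.1s specifies for that digest. The three switch configurations at the bottom are constructed from the chapter's SwitchA and SwitchB example, plus a SwitchC whose instance 2 maps VLAN 33 instead of 32.

```python
"""MST configuration identifier: name, revision and the HMAC-MD5 digest of the VLAN-to-instance
table that MST BPDUs carry in place of the table itself. Added example, not page code; the
three switch configurations at the bottom are constructed from the chapter's SwitchA/SwitchB."""
import hashlib
import hmac
from typing import Dict, Iterable, Set, Tuple

# Signature key specified by IEEE 802.1s for the Configuration Digest (HMAC-MD5 over the table)
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
RegionId = Tuple[str, int, str]   # (name, revision, digest) as carried in the MST BPDU


def vlan_list(spec: str) -> Set[int]:
    """Expand an IOS-style VLAN list such as '11, 21, 31' or '1-10,20'."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def mst_table(instances: Dict[int, Iterable[int]]) -> bytes:
    """4096 two-byte MSTIDs indexed by VLAN; VLANs not mapped (and VLAN 0 / 4095) stay in
    instance 0, the IST, exactly as `show current` lists '0  1-4094' on an unconfigured switch."""
    table = [0] * 4096
    for inst, vlans in instances.items():
        if not 0 <= inst <= 4094:
            raise ValueError(f"instance {inst} out of range")
        for v in vlans:
            if not 1 <= v <= 4094:
                raise ValueError(f"VLAN {v} out of range")
            if table[v] not in (0, inst):
                raise ValueError(f"VLAN {v} mapped to both instance {table[v]} and {inst}")
            table[v] = inst
    return b"".join(i.to_bytes(2, "big") for i in table)


def mst_digest(instances: Dict[int, Iterable[int]]) -> str:
    """Hex digest, comparable with `show spanning-tree mst configuration digest` on IOS."""
    return hmac.new(MST_DIGEST_KEY, mst_table(instances), hashlib.md5).hexdigest().upper()


def region_identifier(name: str, revision: int, instances: Dict[int, Iterable[int]]) -> RegionId:
    """The three fields a neighbour compares: 32-byte name, 16-bit revision, 16-byte digest."""
    if len(name.encode()) > 32:
        raise ValueError("MST configuration name is limited to 32 bytes")
    if not 0 <= revision <= 65535:
        raise ValueError("revision is a 16-bit number")
    return name, revision, mst_digest(instances)


def same_region(mine: RegionId, received: RegionId) -> bool:
    """All three fields must match; otherwise the receiving port is a region boundary."""
    return mine == received


def boundary_ports(mine: RegionId, neighbours: Dict[str, RegionId]) -> Set[str]:
    """Ports whose neighbour advertises a different region (the check a switch makes per BPDU)."""
    return {port for port, rid in neighbours.items() if not same_region(mine, rid)}


SWITCH_A = region_identifier("XYZ", 1, {1: vlan_list("11, 21, 31"), 2: vlan_list("12, 22, 32")})
SWITCH_B = region_identifier("XYZ", 1, {2: vlan_list("12,22,32"), 1: vlan_list("11,21,31")})
SWITCH_C = region_identifier("XYZ", 1, {1: vlan_list("11, 21, 31"), 2: vlan_list("12, 22, 33")})
```

To use it against a real network, compute the digest for the mapping you intend to deploy and compare it with what show spanning-tree mst configuration digest prints on each switch; the order in which the instance commands were typed does not matter, but one VLAN mapped to a different instance, a different revision number, or a name that differs in case is enough to turn an uplink into a region boundary.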


Switches in Different MST Regions

A port is at the boundary of a region if:
The designated bridge on its segment is in a different region
It receives legacy 802.1D BPDUs
In the figure, the port on B1 is at the boundary of region A; the ports on B2 and B3 are internal to region B

Extended System ID

In MST the 12-bit extended system ID field of the bridge ID carries the MST instance number, rather than the VLAN number as in PVST+ (for example, a priority of 32769 is shown as 32768 sysid 1 for instance MST01)

MST Configuration

Enable MST on the switch
Switch(config)# spanning-tree mode mst

Enter MST configuration submode
Switch(config)# spanning-tree mst configuration

Display the current MST configuration
Switch(config-mst)# show current

Name the MST region (the name, the revision number, and the VLAN-to-instance mapping must match exactly on every switch of the region)
Switch(config-mst)# name name

Set the 16-bit MST revision number
It is not incremented automatically when you commit a new MST configuration
Switch(config-mst)# revision revision_number


MST Configuration (cont.)

Map VLANs to an MST instance
Switch(config-mst)# instance instance_number vlan vlan_range

Display the new MST configuration to be applied
Switch(config-mst)# show pending

Apply the configuration and exit MST configuration submode
Switch(config-mst)# exit

Assign the root bridge for an MST instance
Switch(config)# spanning-tree mst instance_number root primary | secondary
Makes the switch the root (primary) or the secondary root (active only if the primary fails) for that instance
Sets the primary priority to 24576 and the secondary priority to 28672; if another switch already has a priority lower than 24576 for the instance, primary uses 4096 less than that lowest priority

MST Configuration Example

SwitchA(config)# spanning-tree mode mst
SwitchA(config)# spanning-tree mst configuration
SwitchA(config-mst)# name XYZ
SwitchA(config-mst)# revision 1
SwitchA(config-mst)# instance 1 vlan 11, 21, 31
SwitchA(config-mst)# instance 2 vlan 12, 22, 32
SwitchA(config-mst)# exit
SwitchA(config)# spanning-tree mst 1 root primary

SwitchB(config)# spanning-tree mode mst
SwitchB(config)# spanning-tree mst configuration
SwitchB(config-mst)# name XYZ
SwitchB(config-mst)# revision 1
SwitchB(config-mst)# instance 1 vlan 11, 21, 31
SwitchB(config-mst)# instance 2 vlan 12, 22, 32
SwitchB(config-mst)# exit
SwitchB(config)# spanning-tree mst 2 root primary


Verifying MST Configuration Example (1)

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# show current
Current MST configuration
Name      []
Revision  0
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-4094
-------------------------------------------------------------------------------
Switch(config-mst)# name cisco
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 1-10
Switch(config-mst)# show pending
Pending MST configuration
Name      [cisco]
Revision  1
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         11-4094
1         1-10
-------------------------------------------------------------------------------
Switch(config-mst)# end

Verifying MST Configuration Example (2)

Switch# show spanning-tree mst
###### MST00    vlans mapped: 5-4094
Bridge  address 0009.e845.6480  priority 32768 (32768 sysid 0)
Root    this switch for CST and IST
Configured hello time 2, forward delay 15, max age 20, max hops 20
Interface  Role Sts Cost     Prio.Nbr Type
---------- ---- --- -------- -------- -----
Fa3/24     Desg FWD 2000000  128.152  Shr
Fa3/32     Desg FWD 200000   128.160  P2p
Fa3/42     Back BLK 200000   128.170  P2p

###### MST01    vlans mapped: 1-2
Bridge  address 0009.e845.6480  priority 32769 (32768 sysid 1)
Root    this switch for MST01
Interface  Role Sts Cost     Prio.Nbr Type
---------- ---- --- -------- -------- -----
Fa3/24     Desg FWD 2000000  128.152  Shr
Fa3/32     Desg FWD 200000   128.160  P2p
Fa3/42     Back BLK 200000   128.170  P2p

###### MST02    vlans mapped: 3-4
Bridge  address 0009.e845.6480  priority 32770 (32768 sysid 2)
Root    this switch for MST02
Interface  Role Sts Cost     Prio.Nbr Type
---------- ---- --- -------- -------- -----
Fa3/24     Desg FWD 2000000  128.152  Shr


Verifying MST Configuration Example (3)

Switch# show spanning-tree mst 1
###### MST01    vlans mapped: 1-2
Bridge  address 0009.e845.6480  priority 32769 (32768 sysid 1)
Root    this switch for MST01
Interface  Role Sts Cost     Prio.Nbr Type
---------- ---- --- -------- -------- -----
Fa3/24     Desg FWD 2000000  128.152  Shr
Fa3/32     Desg FWD 200000   128.160  P2p
Fa3/42     Back BLK 200000   128.170  P2p

Verifying MST Configuration Example (4)

Switch# show spanning-tree mst interface FastEthernet 3/24
FastEthernet3/24 of MST00 is designated forwarding
Edge port: no             (default)   port guard : none        (default)
Link type: shared         (auto)      bpdu filter: disable     (default)
Boundary : internal                   bpdu guard : disable     (default)
Bpdus sent 81, received 81
Instance Role Sts Cost     Prio.Nbr Vlans mapped
-------- ---- --- -------- -------- -------------
0        Desg FWD 2000000  128.152  5-4094
1        Desg FWD 2000000  128.152  1-2
2        Desg FWD 2000000  128.152  3-4

55

Verifying MST Configuration Example (5)

Switch# show spanning-tree mst 1 detail
###### MST01    vlans mapped: 1-2
Bridge  address 0009.e845.6480  priority 32769 (32768 sysid 1)
Root    this switch for MST01

FastEthernet3/24 of MST01 is designated forwarding
Port info             port id 128.152  priority 128  cost 2000000
Designated root       address 0009.e845.6480  priority 32769  cost 0
Designated bridge     address 0009.e845.6480  priority 32769  port id 128.152
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Bpdus (MRecords) sent 755, received 0

FastEthernet3/32 of MST01 is designated forwarding
Port info             port id 128.160  priority 128  cost 200000
Designated root       address 0009.e845.6480  priority 32769  cost 0
Designated bridge     address 0009.e845.6480  priority 32769  port id 128.160
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Bpdus (MRecords) sent 769, received 1

FastEthernet3/42 of MST01 is backup blocking
Port info             port id 128.170  priority 128  cost 200000
Designated root       address 0009.e845.6480  priority 32769  cost 0
Designated bridge     address 0009.e845.6480  priority 32769  port id 128.160
Timers: message expires in 5 sec, forward delay 0, forward transitions 0
Bpdus (MRecords) sent 1, received 769

Spanning Tree Enhancements

Preventable common network attacks involving STP

Connecting an unauthorized hub
Users may plug in an unauthorized hub to extend the network; a hub with two connections back to the switch creates an STP loop
The switch's own BPDUs come back through the hub, so BPDU Guard sees a BPDU on the PortFast port and err-disables the user port

Connecting an unauthorized access switch
Users may plug in an unauthorized access switch
It will not cause a network loop, but it results in a topology change and, if its bridge priority is better, it may become the root
Root Guard detects the superior BPDU sent by this newly added switch and puts the user port into the root-inconsistent state; with BPDU Guard on the port, any BPDU err-disables it

Unidirectional link due to faulty cabling or device
A cable fault or a device failure can make a switch link unidirectional, which results in an STP loop
The UDLD feature detects the condition and err-disables the offending link

Blocking port erroneously moving to the forwarding state
A software inconsistency or BPDU loss can also cause this to occur
The Loop Guard feature detects such a condition and puts the blocking switch port into the loop-inconsistent state

Spanning Tree Enhancements

BPDU guard: prevents accidental connection of switching devices to PortFast-enabled ports. Connecting switches to PortFast-enabled ports can cause Layer 2 loops or topology changes
BPDU filtering: restricts the switch from sending unnecessary BPDUs out access ports
Root guard: prevents switches connected on ports configured as access ports from becoming the root switch
Loop guard: prevents root ports and alternate ports from moving to the forwarding state when they stop receiving BPDUs

BPDU Guard

Puts an interface configured for STP PortFast into the errdisable state upon receipt of a BPDU
Disables the interface to avoid a potential bridging loop
Shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the STP blocking state (the default)
Manually re-enable the err-disabled interface after fixing the invalid configuration (shutdown, then no shutdown), or configure errdisable recovery cause bpduguard so the port is recovered automatically after the recovery interval
PortFast-configured interfaces should not receive BPDUs
Reception of a BPDU signals an invalid configuration, such as connection of an unauthorized device
BPDU Guard is applied globally to all PortFast-configured interfaces
It can also be enabled or disabled on a per-interface basis
Global configuration command: [no] spanning-tree portfast bpduguard default


BPDU Guard Configuration

To enable BPDU guard globally (on all PortFast ports), use the command:
Switch(config)# spanning-tree portfast bpduguard default

To enable BPDU guard on a port, use the interface command:
Switch(config-if)# spanning-tree bpduguard enable

BPDU guard logs messages to the console:
2009 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enable port. Disabling 2/1
2009 May 12 15:13:32 %PAGP-5-PORTFROMSTP: Port 2/1 left bridge port 2/1

BPDU Guard Configuration Example

Switch(config)# spanning-tree portfast edge bpduguard default
Switch(config)# end
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
34 VLANs             0        0         0        36         36

The portfast edge keyword is the form used by newer IOS releases; older releases accept spanning-tree portfast bpduguard default with the same effect


BPDU Filtering

Prevents switches from sending BPDUs on PortFast-enabled interfaces, which typically connect to host devices
Configure BPDU filtering on a per-port or global basis

If configured on an interface:
The switch does not send BPDUs and drops all BPDUs it receives, which effectively disables spanning tree on that port; a loop through such a port can no longer be detected, so use the per-interface form with care

If globally enabled:
It affects all operational PortFast ports on switches that do not have BPDU filtering configured on the individual ports
Upon startup, the port transmits ten BPDUs. If the port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled
The switch changes the interface back to normal STP operation if the port receives BPDUs

BPDU Guard enabled on the same interface as per-interface BPDU filtering has no effect
BPDU filtering takes precedence, because the filtered BPDUs never reach BPDU Guard

BPDU Filtering Configuration

To enable BPDU filtering globally, use the command:
Switch(config)# spanning-tree portfast bpdufilter default
To enable BPDU filtering on a port, use the interface command:
Switch(config-if)# spanning-tree bpdufilter enable
Verify the configuration:
Switch# show spanning-tree summary totals


Verifying BPDU Filtering Configuration (1)

PortFast BPDU filtering status:
Switch# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
Name                 Blocking Listening Learning Forwarding STP Active
-------------------- -------- --------- -------- ---------- ----------
VLAN0001             2        0         0        6          8
-------------------- -------- --------- -------- ---------- ----------
1 vlan               2        0         0        6          8


Verifying BPDU Filtering Configuration (2)

Verifying PortFast BPDU filtering on a specific port:
Switch# show spanning-tree interface fastEthernet 4/4 detail
 Port 196 (FastEthernet4/4) of VLAN0010 is forwarding
   Port path cost 1000, Port priority 160, Port Identifier 160.196.
   Designated root has priority 32768, address 00d0.00b8.140a
   Designated bridge has priority 32768, address 00d0.00b8.140a
   Designated port id is 160.196, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode by portfast trunk configuration
   Link type is point-to-point by default
   Bpdu filter is enabled
   BPDU: sent 0, received 0


PortFast BPDU Filtering Port Configurations

Per-port configuration  Global configuration  PortFast state  PortFast BPDU filtering state
Default                 Enable                Enable          Enable
Default                 Enable                Disable         Disable
Default                 Disable               Not applicable  Disable
Disable                 Not applicable        Not applicable  Disable
Enable                  Not applicable        Not applicable  Enable


Root Guard

Useful in avoiding Layer 2 loops during network anomalies
Forces an interface to remain a designated port, to prevent surrounding switches from becoming the root switch
Enforces the root bridge placement in the network
Root Guard enabled ports are forced to be designated ports
If the bridge receives superior BPDUs on a Root Guard enabled port:
The port moves to the root-inconsistent STP state
The switch does not forward traffic out of that port
In the example that follows, switches A and B comprise the core of the network and switch A is the root bridge for a VLAN


Root Guard Motivation

Switches A and B comprise the core of the network; switch A is the root bridge
When switch D is connected to switch C, it begins to participate in STP
If the priority of switch D is 0, or any value lower than that of the current root bridge, switch D becomes the root bridge
Having switch D as the root causes the Gigabit Ethernet link connecting the two core switches to block
All the data then flows via a 100-Mbps link across the access layer, obviously a terrible outcome

Root Guard Operation

After the root guard feature is enabled on a port, the switch does not allow that port to become an STP root port
Cisco switches log the following message when a root guard enabled port receives a superior BPDU:
%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state.

Root Guard Operation

The current design recommendation is to enable root guard on all access ports
Switch C blocks the port connecting to switch D when it receives a superior BPDU
The port transitions to the root-inconsistent STP state
No traffic passes through the port while it is in the root-inconsistent state
When switch D stops sending superior BPDUs, the port unblocks again and goes through the regular STP transitions
Recovery is automatic; no intervention is required


Configuring and Verifying Root Guard

Switch(config)# interface FastEthernet 5/8
Switch(config-if)# spanning-tree guard root
Switch(config-if)# end
Switch# show running-config interface FastEthernet 5/8
Building configuration...
Current configuration: 67 bytes
!
interface FastEthernet5/8
 switchport mode access
 spanning-tree guard root
end
Switch# show spanning-tree inconsistentports
Name                 Interface              Inconsistency
-------------------- ---------------------- ----------------------
VLAN0001             FastEthernet3/1        Port Type Inconsistent
VLAN0001             FastEthernet3/2        Port Type Inconsistent
VLAN1002             FastEthernet3/1        Port Type Inconsistent
VLAN1002             FastEthernet3/2        Port Type Inconsistent
Number of inconsistent ports (segments) in the system : 4


Preventing Forwarding Loops and Black Holes

Catalyst switches support two features to address such conditions
UDLD (aggressive and normal mode): detects and disables unidirectional links
Loop Guard: improves the stability of Layer 2 networks by preventing bridging loops


Loop Guard

Additional protection against Layer 2 forwarding loops
Such loops occur if one port of a redundant topology stops receiving BPDUs; switches rely on continuous BPDUs
When one port in a redundant topology stops receiving BPDUs:
STP conceives the topology as loop-free
The blocking port changes to designated port and moves to the forwarding state
This creates a bridging loop
Switches with the Loop Guard feature do an additional check before transitioning: a nondesignated port that stops receiving BPDUs is not allowed to become designated and forward
The switch places the port into the STP loop-inconsistent blocking state
The switch logs the following message:
SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.
If a switch receives a BPDU on a port in the loop-inconsistent STP state:
The port transitions through the STP states; recovery is automatic
After recovery the switch logs the following message:
SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.


Without Loop Guard

Unidirectional link failure between B and C: C is not receiving BPDUs from B
The blocking port on C transitions to the listening state and then to the forwarding state
A bridging loop occurs

Unidirectional Link with Loop Guard

The blocking port on C transitions into the loop-inconsistent state
A port in the loop-inconsistent state does not pass data traffic
The bridging loop does not occur; loop-inconsistent is effectively equal to the blocking state

Loop Guard Messages

When the Loop Guard feature places a port into the loop-inconsistent blocking state, the switch logs the following message:
SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.

After recovery, the switch logs the following message:


SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.


Loop Guard Configuration Considerations


Configure Loop Guard on a per-port basis
Blocks inconsistent ports on a per-VLAN basis
For example, on a trunk port, if BPDUs are not received for only one particular VLAN, the switch blocks only that VLAN
Moves the port for that VLAN to the loop-inconsistent STP state
Enable Loop Guard on all nondesignated ports
Loop Guard should be enabled on root and alternate ports for all possible combinations of active topologies
Loop Guard is disabled by default on Cisco switches

Configuring Loop Guard


Interface configuration command:

spanning-tree guard loop

Loop Guard and Root Guard cannot coexist on the same port
Enabling Loop Guard disables any Root Guard on that port

Global configuration command:

spanning-tree loopguard default

Enabling globally enables Loop Guard on ports considered to be point-to-point
Full-duplex ports
Override the global configuration on a per-port basis

Disable on an interface with the interface configuration command:

no spanning-tree guard

The no form only removes the per-port setting; a port that inherits Loop Guard from the global default keeps it
To exempt such a port from the global default, use spanning-tree guard none on the interface


Verifying Loop Guard Configuration


To verify Loop Guard status on an interface, issue the command show spanning-tree interface interface-id detail

Switch# show spanning-tree interface FastEthernet 3/42 detail
 Port 170 (FastEthernet3/42) of VLAN0001 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.170.
   Designated root has priority 8193, address 0009.e845.6480
   Designated bridge has priority 8193, address 0009.e845.6480
   Designated port id is 128.160, designated path cost 0
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   Loop guard is enabled on the port
   BPDU: sent 1, received 4501


Unidirectional Link Failures

Unidirectional links can cause STP loops
Unidirectional Link Detection (UDLD) detects unidirectional link conditions when Layer 1 mechanisms do not
Provides the ability to shut down the affected interface


UDLD
UDLD allows for detection of unidirectional link conditions on switch ports
Link remains in the up state but the interface is not passing traffic in one direction
Typically caused by faulty Gigabit Interface Converters (GBICs)

Layer 2 protocol that works with Layer 1 mechanisms
UDLD performs tasks that auto-negotiation cannot
Detects the identities of neighbors and shuts down misconnected ports

A UDLD-enabled switch periodically sends packets to its neighbor
Expects packets to be echoed back before a predetermined timer expires
If the link is unidirectional it shuts down the port

UDLD packets contain information about
The sending device ID and port ID
The neighbor's device ID and port ID
Neighbor devices with UDLD enabled send the same hello message


UDLD Modes
Normal Mode
UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections
UDLD changes the UDLD-enabled port to an undetermined state if it stops receiving UDLD messages from its directly connected neighbor

Aggressive Mode (Preferred)
When a port stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor
After eight failed retries, the port state changes to the err-disable state
Aggressive mode UDLD detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links


UDLD Scenario Due to Miswiring


A detects a UDLD advertisement from C
C is advertising B as its neighbor, so the echo does not name A
All switches detect the miswiring and potentially err-disable the ports
Default message interval is 15 seconds
Configurable for faster detection

UDLD Configuration
UDLD is disabled on all interfaces by default
The udld global configuration command affects fiber-optic interfaces only
udld enable enables UDLD normal mode on all fiber interfaces
udld aggressive enables UDLD aggressive mode on all fiber interfaces

The udld port interface configuration command can be used for twisted-pair and fiber interfaces
To enable UDLD in normal mode, use the udld port command
To enable UDLD in aggressive mode, use the udld port aggressive command
On fiber-optic ports, udld port and udld port aggressive override the setting of the udld enable or udld aggressive global configuration command
Use the no udld port command on fiber-optic ports to return control of UDLD to the udld global configuration command, or on nonfiber-optic ports to disable UDLD

Aggressive Mode UDLD


Variation of UDLD that provides additional benefits
When a port stops receiving UDLD packets, tries to re-establish the connection
After eight failed retries, the port state changes to the err-disable state

Issue                                          Aggressive Mode UDLD State                          UDLD State (normal mode)
Link is bidirectional                          Bidirectional                                       Bidirectional
Layer 1 up, unidirectional link                Error message displayed, port in err-disable state  Error message displayed, port in err-disable state
One side of a link has port stuck (tx and rx)  Error message displayed, port in err-disable state  Undetermined
One side of a link up, other side down         Error message displayed, port in err-disable state  Undetermined


UDLD Configuration and Verification


Switch(config)# interface gigabitEthernet 5/1
Switch(config-if)# udld port aggressive
Switch# show udld gigabitEthernet 5/1
Interface Gi5/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 38
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: FOX06310RW1
    Port ID: Gi1/1
    Neighbor echo 1 device: FOX0627A001
    Neighbor echo 1 port: Gi5/1
    Message interval: 15
    Time out interval: 5
    CDP Device name: SwitchB
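As an added example that is not part of the course slides, the following Python parses the show udld output above and applies the check behind the miswiring scenario described earlier: on a correctly wired point-to-point link, the neighbor's echo must name this switch and this port, and the bidirectional state must read Bidirectional. The healthy sample is the output shown above; the miswired variant, and the assumption that FOX0627A001 is this switch's own device name, are constructed for the example.

```python
import re


def parse_show_udld(text):
    """Parse 'show udld <interface>' output into a dict.

    Top-level 'key: value' lines are stored on the result; each 'Entry N'
    block becomes one neighbor dict, with 'Neighbor echo N device/port'
    lines collected into that neighbor's 'echoes' list."""
    result = {"neighbors": []}
    current = result
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = re.match(r"Interface (\S+)$", line)
        if m:
            result["interface"] = m.group(1)
            continue
        if re.match(r"Entry \d+$", line):
            current = {"echoes": []}
            result["neighbors"].append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        m = re.match(r"Neighbor echo (\d+) (device|port)$", key)
        if m:
            idx = int(m.group(1)) - 1
            while len(current["echoes"]) <= idx:
                current["echoes"].append({})
            current["echoes"][idx][m.group(2)] = value
            continue
        current[key] = value
    return result


def check_udld(parsed, local_device, want_aggressive=True):
    """Return a list of findings for one interface.

    local_device is the device name this switch advertises in its own UDLD
    packets; a well-wired neighbor echoes it back together with our port."""
    findings = []
    intf = parsed.get("interface", "?")
    admin = parsed.get("Port enable administrative configuration setting", "")
    if "Enabled" not in admin:
        findings.append(f"{intf}: UDLD not enabled")
    elif want_aggressive and "aggressive" not in admin:
        findings.append(f"{intf}: UDLD in normal mode; aggressive mode preferred on switch links")
    state = parsed.get("Current bidirectional state", "")
    if state != "Bidirectional":
        findings.append(f"{intf}: bidirectional state is '{state or 'unknown'}'")
    if len(parsed["neighbors"]) > 1:
        findings.append(f"{intf}: {len(parsed['neighbors'])} neighbors on a point-to-point link")
    for nbr in parsed["neighbors"]:
        for echo in nbr["echoes"]:
            if echo.get("device") != local_device or echo.get("port") != intf:
                findings.append(
                    f"{intf}: neighbor {nbr.get('Device name')} {nbr.get('Port ID')} echoes "
                    f"{echo.get('device')} {echo.get('port')}, not us: possible miswiring or unidirectional link"
                )
    return findings


# Healthy sample: the show udld output from the slide.
HEALTHY = """\
Interface Gi5/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

    Entry 1
    ---
    Expiration time: 38
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: FOX06310RW1
    Port ID: Gi1/1
    Neighbor echo 1 device: FOX0627A001
    Neighbor echo 1 port: Gi5/1
    Message interval: 15
    Time out interval: 5
    CDP Device name: SwitchB
"""

# Constructed miswired variant: the neighbor is hearing some other switch.
MISWIRED = HEALTHY.replace("Neighbor echo 1 device: FOX0627A001",
                           "Neighbor echo 1 device: FOX0999MISW1")

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("miswired", MISWIRED)):
        print(label, check_udld(parse_show_udld(text), local_device="FOX0627A001"))
```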

Loop Guard versus Aggressive Mode UDLD

                                            Loop Guard                                   Aggressive Mode UDLD
Configuration                               Per port                                     Per port
Action granularity                          Per VLAN                                     Per port
Auto-recovery                               Yes                                          Yes, with err-disable timeout feature
Protection against STP failures caused      Yes, when enabled on all root ports          Yes, when enabled on all links
by unidirectional links                     and alternate ports in redundant topology    in redundant topology
Protection against STP failures caused      Yes                                          No
by a problem in software in the
designated bridge not sending BPDUs
Protection against miswiring                No                                           Yes

Aggressive Mode UDLD and Loop Guard


Aggressive mode UDLD cannot detect failures caused by problems in software
Less common than failures caused by hardware

Aggressive mode UDLD is more robust in its ability to detect unidirectional links on EtherChannel
Loop Guard blocks all interfaces of the EtherChannel
Aggressive mode UDLD disables only the single port that is exhibiting problems

Aggressive mode UDLD is not dependent on STP, so it supports Layer 3 links
Loop Guard does not support shared links or interfaces that are unidirectional on switch bootup
If a port never receives BPDUs it becomes a designated port, which Loop Guard does not protect
Aggressive mode UDLD does provide protection against such a failure

Enabling both aggressive mode UDLD and Loop Guard provides the highest level of protection

Flex Links

Flex Links is a Layer 2 availability feature
Provides an alternative solution to STP
Users turn off STP and still provide basic link redundancy
Flex Links can coexist with spanning tree on the distribution layer switches
Distribution layer switches are unaware of the Flex Links feature
Flex Links enables a convergence time of less than 50 milliseconds
Convergence time remains consistent regardless of the number of VLANs or MAC addresses configured
Flex Links is based on defining an active/standby link pair on a common access switch
Flex Links are a pair of Layer 2 interfaces, either switchports or port channels
Configured to act as backup to other Layer 2 interfaces

Flex Links Configuration Considerations


A Flex Link is configured on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link
When one of the links is up and forwarding traffic, the other link is in standby mode
At any given time, only one of the interfaces is in the link-up state and forwarding traffic
If the primary link shuts down, the standby link starts forwarding traffic
When the active link comes back up, it goes into standby mode and does not forward traffic
Flex Links are supported only on Layer 2 ports and port channels, not on VLANs or on Layer 3 ports
Only one Flex Link backup link can be configured for any active link
An interface can belong to only one Flex Link pair
An interface can be a backup link for only one active link
An active link cannot belong to another Flex Link pair
STP is disabled on Flex Link ports
A Flex Link port does not participate in STP, even if the VLANs present on the port are configured for STP
Flex Links Configuration and Verification


Flex Links are configured at the interface level with the command

switchport backup interface

Here we configure an interface with a backup interface and verify the configuration

Switch(config)# interface fastethernet1/0/1
Switch(config-if)# switchport backup interface fastethernet1/0/2
Switch(config-if)# end
Switch# show interface switchport backup

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------
FastEthernet1/0/1       FastEthernet1/0/2       Active Up/Backup Standby

STP Best Practices and Troubleshooting


Switching Design Best Practices


Use Layer 3 connectivity at the distribution and core layers
Use PVRST+ or MST
Do not disable STP at the access layer
Isolate different STP domains in a multivendor environment
Use Loop Guard on Layer 2 ports between distribution switches and on uplink ports from access to distribution switches
Use Root Guard on distribution switches facing access switches
Use port security, PortFast, BPDU Guard, and Root Guard on access switch ports facing end stations
Use aggressive mode UDLD on ports linking switches
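An added example, not from the course material: a Python audit that parses a Catalyst-style running-config and reports deviations from the list above for an access switch (PortFast, BPDU Guard and port security on access ports; Loop Guard and aggressive UDLD on trunk uplinks; PVRST+ or MST mode; STP not disabled for any VLAN), and also flags BPDU filtering, since it leaves a port forwarding while ignoring BPDUs. The sample config, its interface names and descriptions are constructed; Root Guard on distribution switches is not checked because the sample is an access switch. Note that a global spanning-tree loopguard default is treated as covering a trunk only when the port has not opted out with spanning-tree guard none, and that global udld aggressive is not accepted as covering a trunk because it applies to fiber ports only.

```python
def parse_ios_config(text):
    """Split an IOS running-config into global lines and
    {interface_name: [sub-command lines]} stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def _has(lines, cmd):
    """True if cmd appears exactly or as the prefix of a longer command."""
    return any(l == cmd or l.startswith(cmd + " ") for l in lines)


def audit_stp(text):
    """Return a list of best-practice findings for an access-switch config."""
    g, intfs = parse_ios_config(text)
    findings = []

    mode = next((l for l in g if l.startswith("spanning-tree mode ")),
                "spanning-tree mode pvst (default)")
    if "rapid-pvst" not in mode and "mst" not in mode:
        findings.append(f"global: {mode}; use PVRST+ (rapid-pvst) or MST")
    for l in g:
        if l.startswith("no spanning-tree vlan"):
            findings.append(f"global: '{l}' disables STP; do not disable STP at the access layer")
    loopguard_default = _has(g, "spanning-tree loopguard default")
    bpduguard_default = _has(g, "spanning-tree portfast bpduguard default")

    for name, lines in intfs.items():
        if _has(lines, "switchport mode access"):
            if not _has(lines, "spanning-tree portfast"):
                findings.append(f"{name}: access port without PortFast")
            if not (_has(lines, "spanning-tree bpduguard enable") or bpduguard_default):
                findings.append(f"{name}: access port without BPDU Guard")
            if not _has(lines, "switchport port-security"):
                findings.append(f"{name}: access port without port security")
        if _has(lines, "switchport mode trunk"):
            if _has(lines, "spanning-tree portfast"):
                findings.append(f"{name}: PortFast on a switch-facing port")
            guard_none = _has(lines, "spanning-tree guard none")
            if not ((loopguard_default and not guard_none)
                    or _has(lines, "spanning-tree guard loop")):
                findings.append(f"{name}: uplink without Loop Guard")
            if not _has(lines, "udld port aggressive"):
                findings.append(f"{name}: uplink without aggressive UDLD "
                                "(global 'udld aggressive' covers fiber ports only)")
        if _has(lines, "spanning-tree bpdufilter enable"):
            findings.append(f"{name}: BPDU filtering ignores BPDUs while forwarding")
    return findings


# Constructed sample access-switch config (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
no spanning-tree vlan 99
!
interface GigabitEthernet1/0/1
 description uplink to dist1
 switchport mode trunk
 udld port aggressive
!
interface GigabitEthernet1/0/2
 description uplink to dist2
 switchport mode trunk
 spanning-tree guard none
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
"""

if __name__ == "__main__":
    for finding in audit_stp(SAMPLE_CONFIG):
        print(finding)
```

On the constructed config, GigabitEthernet1/0/1 and 1/0/10 pass; the audit reports the disabled STP instance for VLAN 99, the second uplink that opted out of Loop Guard and lacks aggressive UDLD, and the access port that has no port security and filters BPDUs.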

Potential STP Problems


Duplex mismatch
Unidirectional link failure
Frame corruption
Resource errors
PortFast configuration error

Duplex Mismatch

Point-to-point link where one side of the link is manually configured as full duplex
Other side is using the default configuration for auto-negotiation and falls back to half duplex
The half-duplex side detects collisions and backs off, while the full-duplex side keeps transmitting
Under load the half-duplex side can fail to deliver its BPDUs, so a blocking port on the far side may move to forwarding and create a loop

Unidirectional Link Failure

Frequent cause of bridge loops
Undetected failure on a fiber link or a problem with a transceiver

Frame Corruption
If an interface is experiencing a high rate of physical errors, the result may be lost BPDUs
May lead to an interface in the blocking state moving to the forwarding state

Uncommon scenario due to conservative default STP parameters
Frame corruption is generally a result of a duplex mismatch, bad cable, or incorrect cable length

Resource Errors
STP is performed by the CPU (software-based)
If the CPU of the bridge is over-utilized for any reason, it might lack the resources to send out BPDUs

STP is generally not a processor-intensive application and has priority over other processes
Resource problem is unlikely

Exercise caution when many VLANs exist in PVST+ or PVRST+ mode, since each VLAN runs its own STP instance
Consult the product documentation for the recommended number of VLANs and STP instances on any specific switch
PortFast Configuration Error

Switch A has port p1 in the forwarding state and port p2 configured for PortFast, and device B is a hub
Port p2 goes to forwarding and creates a loop between p1 and p2 as soon as the second cable plugs in to Switch A
Loop ceases as soon as p1 or p2 receives a BPDU that transitions one of these two ports into blocking mode

Problem is that if the looping traffic is intensive, the bridge might have trouble successfully sending the BPDU that stops the loop
BPDU Guard prevents this type of event from occurring by err-disabling a PortFast port as soon as it receives a BPDU

Troubleshooting Methodology
Troubleshooting STP issues can be difficult if logical troubleshooting procedures are not deployed in advance
Occasionally, rebooting the switches might resolve the problem temporarily
Without determining the underlying cause of the problem, the problem is likely to return

These steps provide a general overview of a methodology for troubleshooting STP:
Step 1. Develop a plan
Step 2. Isolate the cause and correct the STP problem
Step 3. Document findings

Chapter 3 Summary (1)


Spanning Tree Protocol is a fundamental protocol to prevent Layer 2 loops and at the same time provide redundancy in the network. This chapter covered the basic operation and configuration of RSTP and MST. Enhancements now enable STP to converge more quickly and run more efficiently.
RSTP provides faster convergence than 802.1D when topology changes occur. RSTP enables several additional port roles to increase the overall mechanism's efficiency. show spanning-tree is the main family of commands used to verify RSTP operations. MST reduces the encumbrance of PVRST+ by allowing a single instance of spanning tree to run for multiple VLANs.

Chapter 3 Summary (2)


The Cisco STP enhancements provide robustness and resiliency to the protocol. These enhancements add availability to the multilayer switched network. These enhancements not only isolate bridging loops but also prevent bridging loops from occurring. To protect STP operations, several features are available that control the way BPDUs are sent and received:
BPDU Guard protects the operation of STP on PortFast-configured ports by err-disabling a port that receives a BPDU.
BPDU filtering prevents BPDUs from being sent and ignores received BPDUs while leaving the port in the forwarding state.
Root Guard prevents a root switch from being elected via BPDUs received on a root-guard-configured port.
Loop Guard moves a non-designated port that stops receiving BPDUs into the loop-inconsistent blocking state, protecting the network from anomalous STP conditions.
UDLD detects and disables an interface with unidirectional connectivity, protecting the network from anomalous STP conditions.
In most implementations, the STP toolkit should be used in combination with additional features such as Flex Links.