CCNP SWITCH v7.

Chapter 4: Spanning Tree in Depth

Focus on topics
Spanning Tree Protocol (STP) overview, its
operations, and history
Implementing Rapid Spanning Tree Protocol
(RSTP)
Describe how and where to configure the
following features: PortFast, UplinkFast,
Backbonefast, BPDU Guard, BPDU Filter, Root
Guard, Loop Guard, Unidirectional Link
Detection, and FlexLinks
Configure Multiple Spanning Tree (MST)
Troubleshooting STP
2

Additional Features of STP

Some features are implemented to speed up performance
UplinkFast, BackboneFast, Portfast
Some features are configured to increase stability
BPDUGuard, BPDU Filter, Root Guard, Loop Guard
Other mechanisms are not directly related to STP, but can be used
to either complement STP Operations
(UDLD) Unidirectional Link Detection
Or replace STP
FlexLinks

The Need for STP

Redundant topology can eliminate single point of failures in the network
However, redundant topology can cause some of the following key problems:
Broadcast storms: Each switch on a redundant network floods broadcast
frames endlessly
Multiple frame transmission: Multiple copies of the same unicast frames
may be delivered to destination station, which can cause problems with the
receiving protocol
MAC database instability: copies of the same frame being received on
different ports of the switch.
STP allows physical path redundancy while preventing the undesirable effects
of active loops in the network.

STP Standards

Spanning-tree varieties that use more than one instance of STP

have a higher CPU and memory requirements
CPU and memory requirements are also higher when spanningtree protocols with faster convergence are used because the
algorithm needs to make calculations more frequently

STP Operations
1. Elect a root bridge: Only one bridge can act as root bridge. All
data flows in the network are from the perspective of this switch.
2. Select the root port on all nonroot bridges: one port on each
nonroot bridge is the root port. This is the port with the lowestcost path from the nonroot bridge to the root bridge.
3. Select the designated port on each segment: there is one
designated port on each segment. This is selected on the bridge
with the lowest-cost path to the root bridge.
4. Block all remaining ports: Ports that are NOT designated or
Root must be nondesignated. These ports are normally in the
blocking state to break the loop topology

Port Roles

STP Decision Sequence

When creating a loop-free topology, STP always uses the same five-step
decision sequence:

Five-Step decision Sequence

Step 1 - Lowest BID
Step 2 - Lowest Path Cost to Root Bridge
Step 3 - Lowest Sender BID
Step 4 Lowest Port Priority
Step 5 - Lowest Port ID

Bridge Protocol Data Units

STP uses BPDUs t o exchange STP information, specifically for root
bridge election and for loop identification
BPDUs sent out every 2 seconds, with the destination STP Multicast
address 01-80-c2-00-00-00
Two Types
Configuration BPDUs: Used for calculation the STP
TCN (topology change notification): Used to inform changes in
the network.

Root Bridge Election

The root bridge is the logical centre of the spanning tree topology
The root bridge is chosen with an election. Each switch has an unique BID
that consists of:
Bridge priority ( a value between 0 and 65,535, with the default 32,768)
MAC Address
Lowest BID wins
If priority is the same lowest MAC wins

Root Port Election

Once the root bridge is elected, each nonroot bridge must figure out where it is in
relation to the root bridge
Root port is the port with the best path (lowest cost) to the root bridge
Determined by cummulative path cost of all links to the root bridge
STP cost is calculated from the bandwidth of the link:
If two ports have the same cost, sender port ID is used to break the tie
Link

Cost

10 Gbps

1 Gbps

100 Mbps

19

10 Mbps

100

Designated Port Election

After the root bridge and root ports on non-root bridges have been
elected, to prevent the loops STP has to identify which port on the
segment will forward the traffic.
The designated port, the one forwarding the traffic, is also chosen based
on the lowest cost the root bridge.
On the root bridge, all ports are designated.
If two paths have equal costs the following criteria is used:
lowest root BID
lowest root path cost to root bridge
lowest sender BID
lowest sender port ID

STP Port States

To participate in the spanning-tree process, a switch port must go
through several states.
A port starts in the disabled state, then after an administrator
enables it, goes through various states until it reaches the
forwarding state.

Per VLAN STP Plus (PVST+)

Unlike CST,PVST+ runs one spanning-tree instance for each VLAN.
This allows you to load balanced traffic over redundant links when
they're assigned to a different VLAN.

PVST+ Use of Extended System ID

PVST+ uses the extended system ID to carry the

VLAN ID+

PVST+ carries the VLAN ID in the 12-bit Extended System ID field

of the Bridge ID.
Since the bridge priority field has been reduced to 4 bits, the
priority is in increments of 4096
The bridge ID shows the actual priority plus the VLAN ID, thus
VLAN 1 with a default priority of 32,768 will show a priority of
32,769

STP Topology Changes

When a switch moves a port into the forwarding state or into
blocking state, that means an STP topology changes
The switch announces a topology change by sending a TCN BPDU
out from the root port.
This the BPDU does not contain data about the change, but it
only informs other switches in the network that the change has
occurred.
When the root bridge receives the TCN BPDU, it first sends an
acknowledgement BPDU topology change acknowledgement
(TCA) to the switch from which it receives the TCN.
The root bridge then signals the topology change to other
switches in the network by changing topology change flag in its
BPDU (TC)
Switches then shorten the bridge table ageing times to the
forward delay time.

STP Topology Changes

STP Topology Changes

There are three types of topology changes:
a direct topology change-can be detected on an interface, a
TCN message is sent to the root bridge, the root bridge
announces the topology change to other switches. Convergence
time takes two times the forward delay period, 30 seconds
with an indirect topology change-the status link stays up.
Something on the link has failed or is filtering traffic. The
topology change is detected because there are no BPDUs from
the root bridge Convergence time takes around 50 seconds
insignificant topology change -for example a PC is turned off.
No topology change has occurred, however, all switches will age
out entries from the content-addressable memory (CAM) table
sooner than normal

Rapid Spanning Tree Protocol

Rapid Spanning Tree Protocol (IEEE 802.1w (2001)), also referred
to as RSTP) significantly speeds the recalculation of the spanning
tree when the network topology changes.
RSTP defines the additional port roles of Alternate and Backup
and defines port states as discarding, learning, or forwarding.
802.1D STP standard was designed with the understanding that
recovering connectivity after an outage within a minute or so
gives adequate performance
Cisco enhanced the original 802.1D specification with features
such as UplinkFast, BackboneFast, and PortFast to speed up the
convergence time of a bridged network.
The drawback is that these mechanisms are proprietary and need
additional configuration. The IEEE 802.1w standard (RSTP) is an
evolution, rather than a revolution, of the 802.1D standard.

Rapid Spanning Tree Protocol

In most cases, RSTP performs better than the Cisco proprietary
extensions, with negligible additional configuration.
In addition, 802.1w can revert to 802.1D to interoperate with
legacy bridges on a per-port basis.
RSTP provides rapid connectivity following the failure of a switch,
switch port, or LAN.
A new root port and the designated port of the connecting bridge
transition to forwarding through an explicit handshake protocol
between them.
RSTP enables switchport configuration so that the ports transition
to forwarding directly when the switch reinitializes.
On Cisco Catalyst switches, a rapid version of PVST+, called
PVRST+, is the per-VLAN version of the RSTP implementation. All
of the current generation of Catalyst switches support PVRST+..

RSTP Operation Port States

Port State

Description

Discarding

This state is seen in both a stable active topology and during

topology synchronization and changes. The discarding state
prevents the forwarding of data frames, thus breaking the
continuity of a Layer 2 loop.

Learning

This state is seen in both a stable active topology and during

topology synchronization and changes. The learning state accepts
data frames to populate the MAC table to limit flooding of unknown
unicast frames.

Forwarding
Operational
Status

This state is seen only in stable active topologies. The forwarding

switch ports determine the topology. Following a topology change,
or during synchronization, the forwarding of data frames occurs
only after a proposal
STP
Port State RSTP Port
Port Included
and agreement process.

State

in Active
Topology

Enabled

Blocking

Discarding

No

Enabled

Listening

Discarding

No

Enabled

Learning

Learning

Yes

Enabled

Forwarding

Forwarding

Yes

Disabled

Disabled

Discarding

No

RSTP Operation Port Roles

STP Port Role

RSTP Port
Role

STP Port
State

RSTP Port
State

Root port

Root port

Forwarding

Forwarding

Designated port

Designated
port

Forwarding

Forwarding

Nondesignated
port

Alternate or
backup port

Blocking

Discarding

Disabled

Disabled

Discarding

Transition

Transition

Listening
Learning

Learning

Root: The root port is the switch port on every nonroot bridge that is the chosen path to the root bridge.
Designated: Each segment has at least one switch port as the designated port for that segment. In a stable, active
topology, the switch with the designated port receives frames on the segment that are destined for the root bridge.
Alternate: The alternate port is a switch port that offers an alternate path toward the root bridge. It assumes a
discarding state in an active topology. The alternate port makes a transition to a designated port if the current
designated path fails.
Backup: The backup port is an additional switch port on the designated switch with a redundant link to the segment for
which the switch is designated. A backup port has a higher port ID than the designated port on the designated switch.
The backup port assumes the discarding state in a stable, active topology.
Disabled: A port that has no role within the operation of spanning tree.

Topology Change Mechanism in RSTP

With RSTP, a topology change is only when
a nonedge port transitions to the
forwarding state
1.The RSTP switch announces a topology
change by sending BPDUs with the TC bit
set out from all the nonedge designated
ports, thus actively informs the rest of the
bridges in the network of a topology
change, so they can correct their bridging
tables.
2.When a switch receives a BPDU with TC
bit set from a neighbor, it flushes the MAC
addresses associated with all nonedge
ports except the one receiving the
topology change
3.As long as the TC While timer is running
on a port, the BPDUs sent out of that port
have the TC bit set. While the timer is
active, the bridge sends BPDUs even on
the root port.

RSTP Link Type

Link
Type

Description

Pointtopoint

Port operating in fullduplex mode. It is

assumed that the port
is connected to a single
switch device at the
other end of the link.

Shared Port operating in halfduplex mode. It is

assumed that the port
is connected to shared
media where multiple
switches might exist.

RSTP Operation Rapid Transition to

Forwarding Edge Ports

An RSTP edge port is a switch

port that is never intended to
be connected to another switch
device.
It immediately transitions to the
forwarding state when enabled.
Neither edge ports nor PortFastenabled ports generate
topology changes when the
port transitions to disabled or
enabled status.
Unlike PortFast, an edge port
that receives a BPDU
immediately loses its edge port
status and becomes a normal
spanning-tree port.

RSTP Operation Bridge Identifier for PVRST+

Only four high-order bits of the 16-bit Bridge Priority

field affect the priority. Therefore, priority can be
incremented only in steps of 4096, onto which are
added the VLAN number. For example, for VLAN 11:
If the priority is left at default, the 16-bit Priority field
will hold 32768 + 11 = 32779.

RSTP and 802.1D STP Compatibility

RSTP can operate with 802.1D STP. However, 802.1ws fastconvergence benefits are lost when interacting with 802.1D
bridges.
Each port maintains a variable that defines the protocol to run on
the corresponding segment. If the port receives BPDUs that do
not correspond to its current operating mode for two times the
hello time, it switches to the other STP mode.

Default STP Configuration on Cisco

Switch
PVST+ (depends on switch) most modern IOS PVRST+
Bridge priority 32,768 for each VLAN

Configuring and Modifying STP

Behavior

Step 1: Discover which is the root

bridge
Issue the show spanning-tree command on all switches
SW3# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID
Priority
32769
Address
aabb.ccOO.4500
Cost
100
Port
4 (Ethernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID

Priority
Address
<output omitted>

32769 (priority 32768 sys-id-ext 1)

aabb.ccOO.5000

SW2#show spanning-tree
VLAN000l
spanning tree enabled protocol ieee
Root ID
Priority
32769
Address
aabb.ccOO.4500
Cost
100
Port
3 (Ethernet0/2)
Hello Time 2 sec Max Age 20 sec Forward
Bridge ID

Priority
Address
<output omitted>

32769 (priority 32768 sys-id-ext 1)

aabb.ccOO.4600

SW1# show spanning-tree

VLAN0001
Spanning tree enabled protocol ieee
Root ID
Priority
32769
Address
aabb.ccOO.4500
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address
aabb.ccOO.4500
.... output omitted ...>

Step 2: Investigate port roles on all

switches
SWl# show spanning-tree
<... output omitted ...>
Interface

Role Sts

Cost

Prio.Nbr

Type

---------

----

----

--------

----

---

EtO/0

Desg FWD

100

128.1 Shr

EtO/l

Desg FWD

100

128.2 Shr

SW2# show spanning-tree

<... output omitted ...>
Interface

Role Sts

Cost

Prio.Nbr

Type

---------

----

----

--------

----

---

EtO/l

Desg FWD

100

128.2 Shr

EtO/2

Root FWD

100

128.3 Shr

EtO/3

Desg FWD

100

128.4 Shr

SW3# show spanning-tree

<... output omitted ...>
Interface

Role Sts

Cost

Prio.Nbr

Type

---------

----

----

--------

----

---

EtO/l

Altn BLK

100

128.2 Shr

EtO/2

Altn BLK

100

128.3 Shr

EtO/3

Root FWD

100

128.4 Shr

Changing STP Priority

It is not advised for the network to choose a bridge by itself.
If all switches have default STP priorities, the switch the lowest
MAC address will become the root bridge.
The oldest switch will have the lowest MAC address because
lower MAC addresses were factory assigned first.
To manually set the root bridge, you can change a switches
priority.

The best solution is to use spanning-tree vlan vlan-id root

{primary | secondary} command
To make SW2 the root bridge, you configure the following:
SW2 (config)# spanning-tree vlan 1 root primary

Port Roles after configuring SW2 as root

bridge

STP Path Manipulation

For port role determination, the cost value is used.
If all ports have the same cost, the senders port ID breaks the
tie.
To control active port selection, change the cost of the interface
or senders Interface.
Port cost can be modified by using the spanning-tree vlan vlanlist cost cost-value command. The cost value can be between 1
and 65,535
The port ID consists of a port priority and a port number. The
port number is fixed, but you can change the port priority
Port priority can be modified by using the spanning-tree vlan
vlan-list port-priority port-priority command. The value can be
between 0 and 255. the default is 128. A lower port priority
means a more preferred path to the root bridge

STP Path Manipulation

On SW3 Ethernet 0/1 and Ethernet 0/2 have the same interface
STP cost
Ethernet 0/1 is forwarding because its senders port ID (128.2) is
lower than that of Ethernet 0/2 (128.4)

To change SW3 to use Ethernet 0/2 we can change the port cost
SW3(config)# interface Ethernet 0/2
SW3(config-if)# spanning-tree vlan 1 cost 16

STP Path Manipulation Before and After

Implementing PVRST+

1. Enable PVRST+ globally. PVRST+ should be configured on all

switches in the broadcast domain.
2. Designate and configure a switch to be the root bridge.
3. Designate and configure a switch to be the secondary
(backup) root bridge.
4. Ensure load sharing on uplinks using priority and cost
parameters.

Verifying PVRST+
The output below illustrates how to verify the RSTP
configuration for VLAN2 on a nonroot switch in a
topology.
Switch# show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol rstp
Root ID
Priority
32768
Address
000b.fcb5.dac0
Cost
38
Port
7 (FastEthernet0/7)
Hello Time 2 sec
Max Age 20 sec
Forward Delay 15 sec
Bridge ID Priority
32770 (priority 32768 sys-id-ext 2)
Address 0013.5f1c.e1c0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role
Sts
Cost
Prio.Nbr
Type
---------------------------- -----------------------Fa0/7
Root
FWD
19 128.7 P2p
Fa0/8
Root
FWD
19 128.8 P2p

Understanding
Spanning Tree
Enhancements

Implementing STP Stability

Mechanisms
The Cisco Spanning Tree Protocol Toolkit provides tools to better
manage STP. The key features of the Cisco STP toolkit that improve
STPa performance are as follows:
UplinkFast: enables fast uplink failover on an access switch.
BackboneFast: enables fast convergence in distribution or core
layer when STP changes occur.
PortFast: configures access port to transition directly to
forwarding state.
Key features that ensure STP stability are as follows:
BPDU Guard: disables the PortFast-enabled port if a BPDU is
received.
BPDU Filter: suppresses BPDUs on ports.
Root Guard: prevents external switches from becoming roots.
Loop Guard: Prevents an alternate port from becoming the
designated port if no BPDUs are received.

UplinkFast
In 802.1D, if forwarding uplinks fail, it will take 30 to 50 seconds
for the other uplink to take over.
UplinkFast creates an uplink group, the uplink group consists of
the root port and all ports that provide an alternate connection to
the root bridge.
If the root port fails, the next lowest cost from the uplink group is
selected to immediately replace it.
UplinkFast is a Cisco proprietary feature
It is turned off by default
To enable UplinkFast, use the following command:
ASW(config)# spanning-tree uplinkfast

Note: With RSTP, the UplinkFast feature is already integrated

Into the protocol in a standard-based way

BackboneFast
BackboneFast can be used in the core or distribution layer to
shorten convergence times of non-RSTP when an indirect link
failure occurs.
BackboneFast checks whether an alternate path exists to the root
bridge.
Indirect failure is when a link that is not directly connected to a
switch fails.
BackboneFast will allow the switch with the failed root link to
send RQLs (request link queries) to find out whether upstream
switches have a path to the root bridge, this will stop inferior
BPDUs from trying to cause a new root election, after the normal
timers have expired.
To configure BackboneFast:
DSW1(config)#spanning-tree backbonefast

Configure BackboneFast on all switches in the network

PortFast
Bypass 802.1D STP listening and learning
states (blocking state
forwarding
state)
Ports connected to end stations
Prevents DHCP timeouts
May create bridging loops if enabled on
trunk port
Never use the PortFast feature on switch
ports that connect to other switches.
These connections can cause physical
loops, and spanning tree must go through
the full initialization procedure in these
situations.
A spanning-tree loop can bring your
network down
With RSPT, PortFast is enabled with the
same commands. These single-host ports
are called edge ports.
PortFast defines these edge ports and

Configuring PortFast on Access Ports

Use the spanning-tree portfast interface
command to enable the PortFast feature.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface FastEthernet 3/27
Switch(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet3/27 but will only
have effect when the interface is in a non-trunking mode.
Switch(config-if)# end
Switch#
Switch# show spanning-tree interface FastEthernet 3/27 portfast
VLAN0001
enabled

Configuring PortFast Globally

Use the spanning-tree portfast default global
configuration mode command to enable the PortFast
feature on all nontrunking interfaces.
Switch(config)# spanning-tree portfast default

Configuring PortFast on Trunk Ports

Use the spanning-tree portfast trunk interface
command to enable the PortFast feature on a trunk
port.
Switch(config-if)# spanning-tree portfast trunk

Spanning-tree portfast trunk should never be used

on switch interconnects because with switch
interconnects you want STP to make sure there is
no loop before forwarding.
The command is really designed for servers which
are running 802.1q on their NICs and which can
transition to forwarding immediately.

Configuring Access Port Macro

Use the switchport host macro command on an
interface connecting to an end station.
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Switch(config-if)# end
Switch#

BPDU Guard
BPDU Guard puts an interface configured for STP PortFast in the err-disable state
upon receipt of a BPDU.
BPDU guard disables interfaces as a preventive step to avoid potential bridging
loops.
BPDU guard shuts down PortFast-configured interfaces that receive BPDUs, rather
than putting them into the STP blocking state (the default behavior).
PortFast-configured interfaces should not receive BPDUs. Reception of a BPDU by a
PortFast-configured interface signals an invalid configuration, such as connection
of an unauthorized device.
BPDU guard provides a secure response to invalid configurations, because the
administrator must manually re-enable the err-disabled interface after fixing the
invalid configuration.
It is also possible to set up a time-out interval after which the switch automatically
tries to re-enable the interface. (errdisable recovery bpduguard)
However, if the invalid configuration still exists, the switch err-disables the
interface again.

BPDU Guard Configuration

To enable BPDU guard globally, use the command:

spanning-tree portfast bpduguard default

To enable BPDU guard on a port, use the command:

spanning-tree bpduguard enable

BPDU guard logs messages to the console:

2009 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received

BPDU on PortFast enable port.
Disabling 2/1
2009 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left
bridge port 2/1
Note: it is highly recommended to always enable BPDU Guard on all PortFast
enabled ports! This will prevent adding a switch to a switch port that is
dedicated to an end device.
Note: Global configurational is conditional: If the port is not Portfast enabled,
BPDU Guard will not be activated.

BPDU Guard Configuration Example

Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# end
Switch# show spanning-tree summary totals
Root bridge for: none.
PortFast BPDU Guard is enabled
Etherchannel misconfiguration guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Default pathcost method used is short
Name
Blocking Listening Learning Forwarding STP Active
------------ -------- --------- -------- ---------- --------34 VLANs
0
0
0
36
36

BPDU Filter
BPDUs are sent on all ports, even if they are PortFast enabled
BPDU filtering prevents a Cisco switch from sending BPDUs on
PortFast-enabled interfaces, preventing unnecessary BPDUs from
being transmitted to host devices.
Configuring BPDU Filter, so that all configuration BPDUs received
on a port are dropped can be useful for service provider
environments, where a service provider provides Layer 2
Ethernet access for customers.

BPDU Filter
BPDU guard has no effect on an interface if BPDU filtering is
enabled.
When enabled globally, BPDU filtering has these attributes:
It affects all operational PortFast ports on switches that do not
have BPDU filtering configured on the individual ports.
If BPDUs are seen, the port loses its PortFast status, BPDU
filtering is disabled, and STP sends and receives BPDUs on the
port as it would with any other STP port on the switch.
Upon startup, the port transmits ten BPDUs. If this port
receives any BPDUs during that time, PortFast and PortFast
BPDU filtering are disabled.
When enabled on an interface, BPDU filtering has these
attributes:
It ignores all BPDUs received.
It sends no BPDUs.

BPDU Filtering Configuration

To enable BPDU filtering globally, use the command:
spanning-tree portfast bpdufilter default
To enable BPDU guard on a port, use the command:
spanning-tree bpdufilter enable

Verifying BPDU Filtering Configuration

(1)
PortFast BPDU filtering status:
Switch# show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID
is enabled
Portfast Default
is disabled
PortFast BPDU Guard Default
is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default
is disabled
EtherChannel misconfig guard is enabled
UplinkFast
is disabled
BackboneFast
is disabled
Configured Pathcost method used is short
Name
Blocking
Listening
Learning
------- ----------------VLAN0001 2
0
0
6
------- ----------------1 vlan
2
0
0
6

Forwarding
STP Active
---------------8
---------------8

Verifying BPDU Filtering Configuration (2)

Verifying PortFast BPDU filtering on a specific port:
Switch# show spanning-tree interface fastEthernet 4/4 detail
Port 196 (FastEthernet4/4) of VLAN0010 is forwarding
Port path cost 1000, Port priority 160, Port Identifier 160.196.
Designated root has priority 32768, address 00d0.00b8.140a
Designated bridge has priority 32768, address 00d0.00b8.140a
Designated port id is 160.196, designated path cost 0
Timers:message age 0, forward delay 0, hold 0
Number of transitions to forwarding state:1
The port is in the portfast mode by portfast trunk configuration
Link type is point-to-point by default
Bpdu filter is enabled
BPDU:sent 0, received 0

Root Guard
Root guard is useful in avoiding Layer 2 loops during
network anomalies.
The Root guard feature forces an interface to become a
designated port to prevent surrounding switches from
becoming root bridges.
Root guard-enabled ports are forced to be designated
ports.
If the bridge receives superior STP BPDUs on a Root guardenabled port, the port moves to a root-inconsistent STP
state, which is effectively equivalent to the STP listening
state, and the switch does not forward traffic out of that
port.
As a result, this feature enforces the position
of the root bridge.

Root Guard Motivation

Switches A and B comprise the core of the network. Switch A is the root bridge.
Switch C is an access layer switch. When Switch D is connected to Switch C, it
begins to participate in STP. If the priority of Switch D is 0 or any value lower than
that of the current root bridge, Switch D becomes the root bridge.
Having Switch D as the root causes the Gigabit Ethernet link connecting the two
core switches to block, thus causing all the data to flow via a 100-Mbps link
across the access layer. This is obviously a terrible outcome.

Root Guard Operation

After the root guard feature is enabled on a port, the switch

does not enable that port to become an STP root port.
Cisco switches log the following message when a root
guardenabled port receives a superior BPDU:
%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become nondesignated in VLAN 77.
Moved to root-inconsistent state.

Root Guard Operation

Root Guard is used on designated ports, and it does not allow the port
to become nondesignated.
In this configuration, Switch C blocks the port connecting to Switch D
when it receives a superior BPDU. The port transitions to the rootinconsistent STP state. No traffic passes through the port while it is in
root-inconsistent state.
When Switch D stops sending superior BPDUs, the port unblocks again
and goes through regular STP transition of listening and learning, and
eventually to the forwarding state. Recovery is automatic; no

Root Guard Configuration

Switch(config)# interface FastEthernet 5/8
Switch(config-if)# spanning-tree guard root
Switch(config-if)# end
Switch# show running-config interface
FastEthernet 5/8
Building configuration...
Current configuration: 67 bytes
!
interface FastEthernet5/8
switchport mode access
spanning-tree guard root
End

Verifying Root Guard Configuration

Switch# show spanning-tree inconsistentports
Name
Interface
Inconsistency
----------------------------------------- -------------VLAN0001
FastEthernet3/1 Port Type Inconsistent
VLAN0001
FastEthernet3/2 Port Type Inconsistent
VLAN1002
FastEthernet3/1 Port Type Inconsistent
VLAN1002
FastEthernet3/2 Port Type Inconsistent
Number of inconsistent ports (segments) in the system :4

Loop Guard
The Loop Guard STP feature improves the stability of Layer 2 networks
by preventing forwarding bridging loops.
In STP, switches rely on continuous reception or transmission of
BPDUs, depending on the port role. A designated port transmits
BPDUs whereas a nondesignated port receives BPDUs.
Bridging loops occur when a port erroneously transitions to forwarding
state because it has stopped receiving BPDUs.
Ports with loop guard enabled do an additional check before
transitioning to forwarding state. If a nondesignated port stops
receiving BPDUs, the switch places the port into the STP loopinconsistent blocking state.
If a switch receives a BPDU on a port in the loop-inconsistent STP
state, the port transitions through STP states according to the
received BPDU. As a result, recovery is automatic, and no manual
intervention is necessary.

Loop Guard Messages

When the Loop Guard feature places a port into the loop-inconsistent
blocking state, the switch logs the following message:
#SPANTREE-2-LOOPGUARD_BLOCK: LoopGuard blocking port FastEthernet
0/24 VLAN0050

After recovery, the switch logs the following message:

#SPANTREE-2-LOOPGUARD_UNBLOCK:
0/24 VLAN0050

LoopGuard unblocking port FastEthernet

Loop Guard Configuration

Considerations
Configure Loop Guard on a per-port
basis, although the feature blocks
inconsistent ports on a per-VLAN basis.
In the case of an EtherChannel
interface, the channel status goes into
the inconsistent state for all the ports
belonging to the channel group for the
particular VLAN not receiving BPDUs.
Enable Loop Guard on all
nondesignated ports. Loop guard
should be enabled on root and
alternate ports for all possible
combinations of active topologies.
Loop Guard is disabled by default on
Cisco switches.

Loop Guard Configuration

Use the following interface-level configuration command to
enable Loop Guard:

Switch(config-if)# spanning-tree guard loop

If Loop Guard is enabled globally, the switch enables Loop Guard
only on ports considered to be point-to-point links (full-duplex
links).
The global configuration can be overridden on a per-port basis. To
enable Loop Guard globally, use the following global
configuration command:

Switch(config)# spanning-tree loopguard default

Verifying Loop Guard Configuration

To verify Loop Guard status on an interface, issue the
command show spanning-tree interface
interface-id detail.
Switch# show spanning-tree interface FastEthernet 3/42 detail
Port 170 (FastEthernet3/42) of VLAN0001 is blocking
Port path cost 19, Port priority 128, Port Identifier 128.170.
Designated root has priority 8193, address 0009.e845.6480
Designated bridge has priority 8193, address 0009.e845.6480
Designated port id is 128.160, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 0
Link type is point-to-point by default
Loop guard is enabled on the port
BPDU: sent 1, received 4501

Unidirectional Link Detection (UDLD)

The link between Switches B and C becomes unidirectional. Switch B

can receive traffic from Switch C, but Switch C cannot receive traffic
from Switch B.
On the segment between Switches B and C, Switch B is the designated
bridge sending the root BPDUs and Switch C expects to receive the
BPDUs.
Switch C waits until the max-age timer (20 seconds) expires before it
takes action. When this timer expires, Switch C moves through the
listening and learning states and then to the forwarding state. At this
moment, both Switch B and Switch C are forwarding to each other and

UDLD Modes
Normal Mode UDLD detects unidirectional links due to
misconnected interfaces on fiber-optic connections. UDLD
changes the UDLD-enabled port to an undetermined state if it
stops receiving UDLD messages from its directly connected
neighbor.
Aggressive Mode (Preferred) When a port stops receiving
UDLD packets, UDLD tries to reestablish the connection with the
neighbor. After eight failed retries, the port state changes to the
err-disable state. Aggressive mode UDLD detects unidirectional
links due to one-way traffic on fiber-optic and twisted-pair links
and due to misconnected interfaces on fiber-optic links.

UDLD Configuration
UDLD is disabled on all interfaces by default.
The udld global configuration command affects fiber-optic interfaces
only.
udld enable enables UDLD normal mode on all fiber interfaces.
udld aggressive enables UDLD aggressive mode on all fiber interfaces.

The udld port interface configuration command can be used for

twisted-pair and fiber interfaces.
To enable UDLD in normal mode, use the udld port command. To enable
UDLD in aggressive mode, use the udld port aggressive.
Use the no udld port command on fiber-optic ports to return control of
UDLD to the udld enable global configuration command or to disable UDLD
on nonfiber-optic ports.
Use the udld port aggressive command on fiber-optic ports to override
the setting of the udld enable or udld aggressive global configuration
command. Use the no form on fiber-optic ports to remove this setting and to
return control of UDLD enabling to the udld global configuration command
or to disable UDLD on nonfiber-optic ports.

UDLD Configuration and Verification

Switch(config)# interface gigabitEthernet 5/1
Switch(config-if)# udld port aggressive
Switch# show udld gigabitEthernet 5/1
Interface Gi5/1
--Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
--Expiration time: 38
Device ID: 1
Current neighbor state: Bidirectional
Device name: FOX06310RW1
Port ID: Gi1/1
Neighbor echo 1 device: FOX0627A001
Neighbor echo 1 port: Gi5/1
Message interval: 15
Time out interval: 5
CDP Device name: SwitchB

Loop Guard versus Aggressive Mode UDLD

Loop Guard

Aggressive Mode
UDLD

Configuration

Per port

Per port

Action granularity

Per VLAN

Per port

Auto-recovery

Yes

Yes, with err-disable

timeout feature

Protection against STP Yes, when enabled

failures caused by
on all root ports
unidirectional links
and alternate ports
in redundant
topology

Yes, when enabled on all

links in redundant
topology

Protection against STP Yes

failures caused by
problem in software in
designated bridge not
sending BPDUs

No

Protection against
miswiring

Yes

No

Flex Links
Flex Links is a Layer 2 availability
feature that provides an alternative
solution to STP and allows users to turn
off STP and still provide basic link
redundancy.
Flex Links can coexist with spanning
tree on the distribution layer switches;
however, the distribution layer switches
are unaware of the Flex Links feature.
Flex Links enables a convergence time
of less than 50 milliseconds. In addition,
this convergence time remains
consistent regardless of the number of
VLANs or MAC addresses configured on
switch uplink ports.
Flex Links is based on defining an
active/standby link pair on a common
access switch. Flex Links are a pair of
Layer 2 interfaces, either switchports or
port channels, that are configured to act
as backup to other Layer 2 interfaces.

Flex Links Configuration Considerations

A Flex Link is configured on one Layer 2 interface (the active link) by assigning
another Layer 2 interface as the Flex Link or backup link.
When one of the links is up and forwarding traffic, the other link is in standby
mode, ready to begin forwarding traffic if the other link shuts down.
At any given time, only one of the interfaces is in the link up state and
forwarding traffic.
If the primary link shuts down, the standby link starts forwarding traffic. When
the active link comes back up, it goes into standby mode and does not forward
traffic.
Flex Links are supported only on Layer 2 ports and port channels, not on VLANs
or on Layer 3 ports.
Only one Flex Link backup link can be configured for any active link.
An interface can belong to only one Flex Link pair. An interface can be a
backup link for only one active link. An active link cannot belong to another
Flex Link pair.
STP is disabled on Flex Link ports. A Flex Link port does not participate in STP,
even if the VLANs present on the port are configured for STP.

Flex Links Configuration and Verification

FlexLinks are configured at the interface level with
the command switchport backup interface.
Here we configure an interface with a backup
interface and verify the configuration.
Switch(config)# interface fastethernet1/0/1
Switch(config-if)# switchport backup interface fastethernet1/0/2
Switch(config-if)# end
Switch# show interface switchport backup
Switch Backup Interface Pairs:
Active Interface
Backup Interface
State
-----------------------------------------------------FastEthernet1/0/1
FastEthernet1/0/2
Active Up/Backup Standby

Recommended Practices for STP

Stability
PortFast: Apply to all end-user ports. To
secure PortFast enabled ports, always
combine PortFast with BPDU Guard
Root Guard: Apply to all ports where
root is never expected.
Loop Guard: Apply to all ports that are
or can become nondesignated.
UDLD: The UDLD protocol enables
devices to monitor the physical
configuration of the cables and detect
when a unidirectional link exists. When a
unidirectional link is detected, UDLD shuts
down the affected LAN port. UDLD is often
configured on port linking switches.

Note: The use of Root Guard and Loop

Guard is mutually exclusive.

Multiple
Spanning Tree

Multiple Spanning Tree

Multiple Spanning Tree (MST) extends the IEEE 802.1w RST
algorithm to multiple spanning trees.
The main purpose of MST is to reduce the total number of
spanning-tree instances to match the physical topology of the
network.
Reducing the total number of spanning-tree instances will reduce
the CPU loading of a switch.
The number of instances of spanning tree is reduced to the
number of links (that is, active paths) that are available.
PVRST+ runs STP instances for each VLAN and does not take into
consideration the physical topology that might not require many
different STP topologies.
MST, on the other hand, uses a minimum number of STP
instances to match the number of physical topologies present.

MST Motivation

Above: 2 links 1000 VLANs 2 MST instances.

Each switch maintains only two spanning trees, instead of
maintaining 1000 spanning trees, thus reducing the need for
switch resources.
Concept extendable to 4096 VLANs: VLAN load balancing.
MST converges faster than PVRST+ and is backward compatible
with 802.1D STP and 802.1w.

MST Instances

2 distinct final logical STP topologies exist, therefore require 2 MST

instances (500 per instance here).
Load-balancing works because half of the VLANs follow each separate
instance.
Switch utilization is low because it only has to handle two instances.
MST is the best solution for this scenario.
Considerations: MST is more complex than 802.1D and 802.1w, so it
requires additional training. Interaction with legacy bridges can be

MST Regions

Each switch that runs MST in the network has a single MST configuration that
consists of three attributes:
An alphanumeric configuration name (32 bytes)
A configuration revision number (2 bytes)
A 4096-element table that associates each of the potential 4096 VLANs supported on
the chassis to a given instance

To be part of a common MST region, a group of switches must share the same
configuration attributes.
It is the responsibility of the network administrator to propagate the
configuration properly throughout the region

STP Instances with MST

MST does not send BPDUs for every active instance separately. A
special instance (instance 0) is designated to carry all STP-related
information.
BPDUs carry all the usual STP information, in addition to
configuration name, revision number, and hash value that is
calculated over VLAN-to-instance mapping tables.
If hash values do not match, an MST misconfiguration exists
the
switches.
between
On left, all
sixtwo
VLAN
instances
initially belong to MST0. This is
the default behaviour
MST11 is created with VLANs 11,
22, and 33.
MST12 is created with VLANs 44,
55, and 66.
If different root bridges are
configured, their topologies will
converge differently, thus the
links are more evenly utilized.

MST Use of Extended System ID

MST carries the instance number in the 12-bit

Extended System ID field of the Bridge ID.

MST Configuration
Enable MST on switch.
Switch(config)# spanning-tree mode mst

Enter MST configuration submode.

Switch(config)# spanning-tree mst configuration

Display current MST configuration.

Switch(config-mst)# show current

Name MST instance.

Switch(config-mst)# name name

Set the 16-bit MST revision number. It is not incremented

automatically when you commit a new MST configuration.
Switch(config-mst)# revision revision_number

MST Configuration (cont)

Map VLANs to MST instance.
Switch(config-mst)# instance instance_number vlan vlan_range

Display new MST configuration to be applied.

Switch(config-mst)# show pending

Apply configuration and exit MST configuration submode.

Switch(config-mst)# exit

Assign root bridge for MST instance. This syntax makes the
switch root primary or secondary (only active if primary fails). It
sets primary priority to 24576 and secondary to 28672.
Switch(config)# spanning-tree mst instance_number root primary |
secondary

MST Configuration Example

SwitchA(config)# spanning-tree mode mst

SwitchA(config)# spanning-tree mst configuration
SwitchA(config-mst)# name XYZ
SwitchA(config-mst)# revision 1
SwitchA(config-mst)# instance 1 vlan 11, 21, 31
SwitchA(config-mst)# instance 2 vlan 12, 22, 32
SwitchA(config)# spanning-tree mst 1 root primary
SwitchB(config)# spanning-tree mode mst
SwitchB(config)# spanning-tree mst configuration
SwitchB(config-mst)# name XYZ
SwitchB(config-mst)# revision 1
SwitchB(config-mst)# instance 1 vlan 11, 21, 31
SwitchB(config-mst)# instance 2 vlan 12, 22, 32
SwitchB(config)# spanning-tree mst 2 root primary
Note: you must also configure SwitchC with MST as well

Verifying MST Configuration Example (1)

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# show current
Current MST configuration
Name []
Revision 0
Instance Vlans mapped
-------- ----------------------------------------------------------0 1-4094
--------------------------------------------------------------------Switch(config-mst)# name cisco
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 1-10
Switch(config-mst)# show pending
Pending MST configuration
Name [cisco]
Revision 1
Instance Vlans mapped
-------- ----------------------------------------------------------0 11-4094
1 1-10
Switch(config-mst)# end

Verifying MST Configuration Example (2)

Switch# show spanning-tree mst
###### MST00 vlans mapped: 5-4094
Bridge
address 0009.e845.6480
priority 32768 (32768 sysid 0)
Root
this switch for CST and IST
Configured
hello time 2, forward delay 15, max age 20, max hops 20
Interface
Role
Sts Cost
Prio.Nbr
Type
--------------------- --------- -------------Fa3/24
Desg
FWD 2000000
128.152
Shr
Fa3/32
Desg
FWD 200000
128.160
P2p
Fa3/42
Back BLK 200000
128.170
P2p
###### MST01 vlans mapped: 1-2
Bridge
address 0009.e845.6480
priority 32769 (32768 sysid 1)
Root
this switch for MST01
Interface
Role
Sts Cost
Prio.Nbr
Type
--------------------- --------- -------------Fa3/24
Desg
FWD 2000000
128.152
Shr
Fa3/32
Desg
FWD 200000
128.160
P2p
Fa3/42
Back
BLK 200000
128.170
P2p
###### MST02 vlans mapped: 3-4
Bridge
address 0009.e845.6480
priority 32770 (32768 sysid 2)
Root
this switch for MST02
Interface
Role
Sts Cost
Prio.Nbr
Type
--------------------- --------- -------------Fa3/24
Desg
FWD 2000000
128.152
Shr

Verifying MST Configuration Example (3)

Switch# show spanning-tree mst 1
###### MST01
vlans mapped: 1-2
Bridge
address 0009.e845.6480 priority 32769 (32768 sysid 1)
Root
this switch for MST01
Interface
Role
Sts Cost
Prio.Nbr
Type
---------------- ------ ------ -------- ----------------Fa3/24
Desg
FWD 2000000 128.152 Shr
Fa3/32
Desg
FWD 200000
128.160 P2p
Fa3/42
Back
BLK 200000
128.170 P2p

Verifying MST Configuration Example (4)

Switch# show spanning-tree mst interface FastEthernet 3/24
FastEthernet3/24 of MST00 is designated forwarding
Edge port: no
(default)
port guard : none
(default)
Link type: shared
(auto)
bpdu filter: disable (default)
Boundary : internal
bpdu guard : disable (default)
Bpdus sent 81, received 81
Instance
-------0
1
2

Role
---Desg
Desg
Desg

Sts
--FWD
FWD
FWD

Cost
------2000000
2000000
2000000

Prio.Nbr
-------128.152
128.152
128.152

Vlans mapped
------------------------5-4094
1-2
3-4

Verifying MST Configuration Example (5)

Switch# show spanning-tree mst 1 detail
###### MST01
vlans mapped: 1-2
Bridge
address 0009.e845.6480 priority 32769 (32768 sysid 1)
Root
this switch for MST01
FastEthernet3/24 of MST01 is designated forwarding
Port info
port id 128.152 priority 128 cost 2000000
Designated root
address 0009.e845.6480 priority 32769 cost 0
Designated bridge
address 0009.e845.6480 priority 32769 port id 128.152
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Bpdus (MRecords) sent755, received 0
FastEthernet3/32 of MST01 is designated forwarding
Port info
port id 128.160 priority 128 cost 200000
Designated root
address 0009.e845.6480 priority 32769 cost 0
Designated bridge
address 0009.e845.6480 priority 32769 port id 128.160
Timers: message expires in 0 sec, forward delay 0, forward transitions 1
Bpdus (MRecords) sent 769, received 1
FastEthernet3/42 of MST01 is backup blocking
Port info
port id 128.170 priority 128 cost 200000
Designated root
address 0009.e845.6480 priority 32769 cost 0
Designated bridge
address 0009.e845.6480 priority 32769 port id 128.160
Timers: message expires in 5 sec, forward delay 0, forward transitions 0
Bpdus (MRecords) sent 1, received 769

Configuring MST Path Cost

Path cost functions the same as with other STP's except with MST
port costs are configured per instance.
MST, like any other STP, uses a sequence of four criteria to
choose the best path:
Lowest BID
Lowest root path cost
Lowest sender BID
Lowest sender Port ID

You can assign lower cost values to the interfaces that you want
selected first and higher cost values of that you want selected
last.
Switch(config)# interface Ethernet 0/2
Switch(config-if)# spanning-tree mst 1 cost 100000

Configuring MST Port Priority

Port priority functions the same as with other STP's except with
MST port priorities are configured per instance.
MST, like any other STP, uses the sequence of four criteria to
choose the best path:
Lowest BID
Lowest root path cost
Lowest sender BID
Lowest sender Port ID

You can assign higher senders priority values (lower numeric

values) to interfaces that you want selected first and lower
senders priority values (higher numeric values) that you want
selected last.
Switch(config)# interface Ethernet 0/2
Switch(config-if)# spanning-tree mst 1 port-priority 32

Troubleshootin
g STP

Potential STP Problems

Duplex mismatch
Unidirectional link failure
Frame corruption
Resource errors
PortFast configuration error

Duplex Mismatch

Point-to-point link.
One side of the link is manually configured as full
duplex.
Other side is using the default configuration for autonegotiation.

Unidirectional Link Failure

Frequent cause of bridge loops.

Undetected failure on a fiber link or a problem with a
transceiver.

Frame Corruption
If an interface is experiencing a high rate of physical errors, the
result may be lost BPDUs, which may lead to an interface in the
blocking state moving to the forwarding state.
Uncommon scenario due to conservative default STP parameters.
Frame corruption is generally a result of a duplex mismatch, bad
cable, or incorrect cable length.

Resource Errors
STP is performed by the CPU (software-based). This means that if
the CPU of the bridge is over-utilized for any reason, it might lack
the resources to send out BPDUs.
STP is generally not a processor-intensive application and has
priority over other processes; therefore, a resource problem is
unlikely to arise.
Exercise caution when multiple VLANs in PVST+ or PVRST+ mode
exist. Consult the product documentation for the recommended
number of VLANs and STP instances on any specific switch to
avoid exhausting resources.

PortFast Configuration Error

Switch A has Port p1 in the forwarding state and Port p2 configured for
PortFast. Device B is a hub. Port p2 goes to forwarding and creates a
loop between p1 and p2 as soon as the second cable plugs in to
Switch A. The loop ceases as soon as p1 or p2 receives a BPDU that
transitions one of these two ports into blocking mode.
The problem with this type of transient loop condition is that if the
looping traffic is intensive, the bridge might have trouble successfully
sending the BPDU that stops the loop. BPDU guard prevents this type
of event from occurring.

Troubleshooting Methodology
Troubleshooting STP issues can be difficult if logical
troubleshooting procedures are not deployed in advance.
Occasionally, rebooting of the switches might resolve the
problem temporarily, but without determining the underlying
cause of the problem, the problem is likely to return. The
following steps provide a general overview of a methodology for
troubleshooting STP:
Step 1. Develop a plan.
Step 2. Isolate the cause and correct an STP problem.
Step 3. Document findings.

Develop a Plan
It is critical to develop a plan of action for potential STP issues. To
create a plan, you must understand the following basic
characteristics of your network:
Topology of the bridged network
Location of the root bridge
Location of the blocked ports and, therefore, the redundant links
Understand the following basic characteristics of your network:
Knowing the basic characteristics is essential in troubleshooting
any Layer 2 issue. In addition, knowledge of the network helps to
focus attention on the critical ports on key devices, because most
of the STP troubleshooting steps simply involve using show
commands to identify error conditions. Knowing which links on
each device is redundant helps to quickly stop a bridging loop by
disabling those links.

Isolate the Cause, Correct the Problem

If there is a STP loop in your network, follow these steps:
Step 1. Identify a bridging loop.
Step 2. Restore connectivity.
Step 3. Check the port status.
Step 4. Check for resource errors.
Step 5. Disable unneeded features.

Document the Findings

When the STP issue is isolated and resolved, it is important to
document any learnings from the incident as part of improving
the plan for future issues.
Not documenting any configuration or network design changes to
the previous plan might result in difficulty troubleshooting during
the next STP issue

Resources
Cisco Spanning Tree Protocol Configuration Guide:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software
/release/12.2_52_se/command/reference/3560cr.html
Configuring MST Configuration Guide:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/
release/12.2_52_se/configuration/guide/swstp.html
Cisco Optional Spanning-Tree Features Configuration Guide:
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software
/release/12.2_52_se/configuration/guide/swmstp.html
www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/
release/12.2_52_se/configuration/guide/swstpopt.html