STP - Spanning Tree Protocol in Depth: CIS 187 Multilayer Switched Networks CCNP SWITCH Version 7 Rick Graziani

STP – Spanning Tree Protocol
in Depth
CIS 187 Multilayer Switched Networks

CCNP SWITCH version 7
Rick Graziani
Topics
• Spanning Tree Protocol (STP) overview, its operations, and

history
• Implement Rapid Spanning Tree Protocol (RSTP)
• Describe how and where to configure the following
features: PortFast, UplinkFast, BackboneFast, BPDU
Guard, BPDU Filter, Root Guard, Loop Guard,
Unidirectional Link Detection, and FlexLinks
• Configure Multiple Spanning Tree (MST)
• Troubleshooting STP
Rick Graziani graziani@cabrillo.edu 2

Spanning Tree Protocol (STP)
• “STP often accounts for more

than 50 % of the configuration,
troubleshooting, and
maintenance headaches in real-
world campus networks
(especially if they are poorly
designed).”
• “Complex protocol that is
generally poorly understood.”
• Radia Perlman – Developer of
STP

Spanning Tree Protocol (STP)
• IEEE 802.1D
• A loop-prevention protocol
• Allows L2 devices to
communicate with each
other to discover physical
loops in the network.
• Algorithm that creates a
loop-free logical topology.
• STP creates a tree
structure of loop-free
leaves and branches that
spans the entire Layer 2
network.
L2 Loops
• Broadcasts and Layer 2

loops can be a dangerous
combination.
• Ethernet frames have no
TTL field IPv4 and IPv6
• After an Ethernet frame
starts to loop, it will probably
continue until someone
shuts off one of the switches
or breaks a link.
• IP has a mechanism to
prevent loops.
Rick Graziani graziani@cabrillo.edu

7
STP Prevents Loops
• The purpose of STP is to avoid and eliminate loops in the network by
negotiating a loop-free path through a root bridge.
• STP determines where the are loops and blocks links that are redundant.
• Ensures that there will be only one active path to every destination.

Spanning Tree Algorithm
• STP executes an algorithm

called Spanning Tree
Algorithm (STA).
– STA chooses a
reference point, called a
root bridge. X
– Then determines the
available paths to that
reference point.
– If more than two paths
exists, STA picks the
best path and blocks the
rest

Two-key STP Concepts
• STP calculations make extensive use of two key concepts in

creating a loop-free topology:
– Bridge ID
– Path Cost
Cost (Revised IEEE Cost (Previous IEEE

Link Speed
Spec) Spec)
10 Gbps 2 1
1 Gbps 4 1
100 Mbps 19 10
10 Mbps 100 100

Bridge ID (BID)
• Bridge ID (BID) is used to identify each bridge/switch.

• The BID is used in determining the center of the network, in respect to STP,
known as the root bridge.
Bridge ID
Without the
Extended
System ID
Bridge ID with
the Extended
System ID

Bridge ID (BID)
• Consists of two components:

– A 2-byte Bridge Priority: Cisco switch defaults to
32,768 or 0x8000.
• Usually expressed in decimal format
– A 6-byte MAC address
• Usually expressed in hexadecimal format.
Bridge ID (BID)
• Each switch has a unique BID.

• Original 802.1D standard, the BID = Priority Field +MAC address of
the switch.
– All VLANs were represented by a CST – one spanning tree for all
vlans (later).
• PVST requires that a separate instance of spanning tree run for each
VLAN
– BID field is required to carry VLAN ID (VID).
– Extended system ID to carry a VID.

What is the Priority of Access1?
Priority = Priority (Default 32,768) + VLAN
Access1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.964E.7EBB
Cost 19
Port 5(FastEthernet0/5)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address
=
0003.E461.46EC
+
Aging Time 20
VLAN0010 PVST coming

Root ID Priority 32778 later…
Cost 19
Address
=
0003.E461.46EC
+
Aging Time 20

What is the BID of this switch?
Core# show spanning-tree
VLAN0001
Cost 4
Port 25(GigabitEthernet0/1)

Address 0001.C945.A573
Aging Time 20

Bridge ID (BID)
• Used to elect a root bridge (coming)

• Lowest Bridge ID is the root.
• If all devices have the same priority, the bridge with the lowest MAC
address becomes the root bridge. (Yikes)
• Note: For simplicity, in our topologies we will use Bridge Priorities
without the Extended System ID. (Same process, just done per VLAN.)

Path Cost – Original Spec (Linear)

Link Speed
Spec) Spec)
10 Gbps 2 1
1 Gbps 4 1
100 Mbps 19 10
10 Mbps 100 100
• Bridges use the concept of cost to evaluate how close they are to
other bridges.
• Used to create the loop-free topology .
• Originally, 802.1D defined cost as 1 billion/bandwidth of the link in
Mbps.
– Cost of 10 Mbps link = 100
– Cost of 100 Mbps link = 10
– Cost of 1 Gbps link = 1
• Running out of room for faster switches including 10 Gbps Ethernet
Path Cost – Revised Spec (Non-Linear)
Link Speed
Spec) Spec)
10 Gbps 2 1
1 Gbps 4 1
100 Mbps 19 10
10 Mbps 100 100
• IEEE modified the most to use a non-linear scale with the new values of:
– 4 Mbps 250 (cost)
– 10 Mbps 100 (cost) • You can change the path cost by
– 16 Mbps 62 (cost) modifying the cost of a port.
– 45 Mbps 39 (cost) • Exercise caution when you do this!
– 100 Mbps 19 (cost) • BID and Path Cost are used to develop
– 155 Mbps 14 (cost) a loop-free topology .
– 622 Mbps 6 (cost) • Coming very soon!
– 1 Gbps 4 (cost)
– 10 Gbps 2 (cost)
Five-Step STP Decision Sequence
• When creating a loop-free topology, STP always uses the same

five-step decision sequence:
Five-Step decision Sequence

Step 1 - Lowest BID
Step 2 - Lowest Path Cost to Root Bridge
Step 3 - Lowest Sender BID
Step 4 – Lowest Port Priority
Step 5 - Lowest Port ID
• Bridges use Configuration BPDUs during this five-step process.

• We will assume all BPDUs are configuration BPDUs until
otherwise noted.

FYI: BPDU key concepts
BPDU key concepts:

• Bridges save a copy of only the best BPDU seen on every port.
• When making this evaluation, it considers all of the BPDUs
received on the port, as well as the BPDU that would be sent on
that port.
• As every BPDU arrives, it is checked against this five-step
sequence to see if it is more attractive (lower in value) than the
existing BPDU saved for that port.
• Only the lowest value BPDU is saved.
• Bridges send configuration BPDUs until a more attractive BPDU
is received.
• Okay, lets see how this is used...

Elect one Root Bridge
The STP algorithm uses three simple steps to converge on a loop-

free topology:
STP Convergence
Step 1 Elect one Root Bridge
Step 2 Elect Root Ports
Step 3 Elect Designated Ports
• When the network first starts, all bridges are announcing a

chaotic mix of BPDUs.
• All bridges immediately begin applying the five-step sequence
decision process.
• Switches need to elect a single Root Bridge.
• Switch with the lowest BID wins!
• Note: Many texts refer to the term “highest priority” which is the
“lowest” BID value.
• This is known as the “Root War.”

Lowest BID wins!
Who wins?

What is the BID of this switch? Who is the Root?

VLAN0001
Cost 4

Aging Time 20
• Use this command to view the information on the other four switches.
Distribution1# show spanning-tree

VLAN0001
Cost 19

Address 0005.5E0D.9315
Aging Time 20
25


VLAN0001
Cost 19

Address 0060.47B0.5850
Aging Time 20

Access1# show spanning-tree

VLAN0001
Cost 19

Address 0003.E461.46EC
Aging Time 20


VLAN0001
This bridge is the root

Aging Time 20

Lowest BID wins!
My BID is
32769.0001.C945.A573 Who wins?
My BID is My BID is
32769.0005.5E0D.9315 32769.0060.47B0.5850
My BID is My BID is
32769.0003.E461.46EC 32769.0001.964E.7EBB
I win!

Bridge IDs
32769.0001.C945.A573
32769.0005.5E0D.9315 32769.0060.47B0.5850
32769.0003.E461.46EC 32769.0001.964E.7EBB

Lowest BID wins!
Its all done with

BPDUs!

BPDUs
BPDUs
sent/relayed BPDU
every two
seconds.
BPDU BPDU
BPDU BPDU

Root Bridge Selection Criteria
My BID is
32768.0001.C945.A573 I’m Who wins?
the root!
My BID is
My BID is 32768.0060.47B0.5850
32768.0005.5E0D.9315 I’m the root!
I’m the root!
My BID is
My BID is
32768.0003.E461.46EC
32768.0001.964E.7EBB
I’m the root!
I’m the root! I win!
• At the beginning, all bridges assume and declare themselves as the

Root Bridge, by placing its own BID in the Root BID field of the BPDU.
Lowest BID wins!

• Once all of the switches see that Access2 has the lowest BID, they are
all in agreement that Access2 is the Root Bridge.
Root Bridge

Elect Root Ports
I will select
STP Convergence one Root
Step 1 Elect one Root Bridge Port that is
Step 2 Elect Root Ports closest,
Step 3 Elect Designated Ports best path to
the root
bridge.
• Now that the Root War has been won, switches move on to
selecting Root Ports.
• A bridge’s Root Port is the port closest to the Root Bridge.
• Bridges use the cost to determine closeness.
• Every non-Root Bridge will select one Root Port!
• Specifically, bridges track the Root Path Cost, the cumulative
cost of all links to the Root Bridge.
Determining (Electing) the Root Port

• Root Bridge, Access2 sends out BPDUs, containing a Root Path Cost of 0.
• Access1, Distribution1, and Distribution2 receives these BPDUs and adds the Path Cost
of the FastEthernet interface to the Root Path Cost contained in the BPDU.
• Access1, Distribution1, and Distribution2 add Root Path Cost 0 PLUS its Path (port)
cost of 19 = 19.
– This value is used internally and used in BPDUs to other switches.
Path Cost
BPDU BPDU
Cost=0+19=19 Cost=0+19=19
19
19
Root Bridge
0
0
BPDU 19 0 BPDU
Cost=0
Cost=0+19=19

Difference b/t Path Cost and Root Path Cost Root Path Cost
Path Cost: • Cumulative cost to the Root Bridge.
• The value assigned to each port. • This is the value transmitted in the BPDU.
• Added to BPDUs received on that port to • Calculated by adding the receiving port’s
Path Cost to the valued contained in the
calculate Root Path Cost. BPDU.
Path Cost
BPDU BPDU
Cost=0+19=19 Cost=0+19=19
19
19
Root Bridge
0
0
BPDU 19 0 BPDU
Cost=0
Cost=0+19=19

What are the Path Costs for Root Bridge
Access2?
Path Cost
VLAN0001

Aging Time 20
Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- -----------------------
Fa0/1 Desg FWD 19 128.1 P2p

What are the Path Costs for Distribution1?
Path Cost
VLAN0001
Cost 19

Address 0005.5E0D.9315
Aging Time 20

---------------- ---- --- --------- -------- ----------------------
Gi0/1 Desg FWD 4 128.25 P2p
Gi0/2 Altn BLK 4 128.26 P2p
Fa0/3 Root FWD 19 128.3 P2p

What are the Path Costs for Access1?
Path Cost
VLAN0001
Cost 19

Aging Time 20

---------------- ---- --- --------- -------- ----------------------

What are the Path Costs for Distribution2?
Path Cost
VLAN0001
Cost 19

Address 0060.47B0.5850
Aging Time 20

---------------- ---- --- --------- -------- ----------------------
Fa0/5 Altn BLK 19 128.5 P2p

show spanning-tree detail
Path Cost
Use this command to view the

Root Path Cost of an interface.
Distribution1# show spanning-tree detail
VLAN0001 is executing the ieee compatible Spanning Tree Protocol

Bridge Identifier has priority of 32768, sysid 1, 0005.5E0D.9315
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32769
Root port is 3 (FastEthernet0/3), cost of root path is 19
Topology change flag not set, detected flag not set
Number of topology changes 0 last change occurred 00:00:00 ago
from FastEthernet0/1
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300

Path Cost

Access1# show spanning-tree detail

Bridge Identifier has priority of 32768, sysid 1, 0003.E461.46EC

Path Cost


Bridge Identifier has priority of 32768, sysid 1, 0060.47B0.5850



Bridge Identifier has priority of 32768, sysid 1, 0001.964E.7EBB
No Root port – This switch is the Root Bridge!

• Switches now send BPDUs with their Root Path Cost out other interfaces.
• Access 1 uses this value of 19 internally and sends BPDUs with a Root Path Cost of 19
out all other ports. (For simplicity we will not include BPDU to root.)
• Switches receive BPDU and add their path cost.
• Note: STP costs are incremented as BPDUs are received on a port, not as they are sent
out a port.
Path Cost
BPDU BPDU
Cost=4+19=23
Cost=4+19=23
19
19
BPDU
BPDU
Cost=19 Cost=19 0
0
19 0
Root Bridge

• Distribution 1 and Distribution 2 receive the BPDUs from Access 1, and adds the Path Cost of
4 to those interfaces, giving a Root Path Cost of 23.
• However, both of these switches already have an “internal” Root Path Cost of 19 that was
received on another interface. (Fa0/3 for each with a Root Path Cost of 19.)
• Distribution 1 and Distribution 2 use the better BPDU of 19 when sending out their BPDUs to
other switches.
BPDU BPDU
Cost=4+19=23
Cost=4+19=23
19
19
BPDU
BPDU
Cost=19 Cost=19 0
0
19 0
Root Bridge

• Distribution 1 now sends BPDUs with its Root Path Cost out other interfaces (Best BPDU).
• Again, STP costs are incremented as BPDUs are received on a port, not as they are sent
out a port.
Path Cost
BPDU
Cost=4+19=23
BPDU
BPDU
Cost=19+19=38
Cost=19
19
23 23
19
0 Root Bridge
19
0
19
BPDU
0
Cost=4+19=23

Final Results
• Ports show BPDU Received Root Path Cost + Path Cost = Root Path Cost of Interface,
after the “best” BPDU is received on that port from the neighboring switch.
• This is the cost of reaching the Root Bridge from this interface towards the neighboring
switch.
• Now let’s see how this is used!
Path Cost
19+4=23 19+4=23
23+4=27 23+4=27
19+19=38 19+19=38
19 19+4=23
19+4=23 19
19+4=23 19+4=23
0
19 0
0 Root Bridge

show spanning-tree
Which port is the Root Port?

VLAN0001
Cost 4

Aging Time 20

---------------- ---- --- --------- -------- --------------------------------
Gi0/1 Root FWD 4 128.25 P2p Path Cost

Which port is the Root Port?

Core# show spanning-tree detail

Bridge Identifier has priority of 32768, sysid 1, 0001.C945.A573
Root port is 25 (GigabitEthernet0/1), cost of root path is 4
from FastEthernet0/1 Path Cost

Next: Elect Root Ports
• Elect Root Ports • Every non-Root bridge must select one Root Port.
• Elect Designated Ports • A bridge’s Root Port is the port closest to the Root
Bridge.
• Non-Designated Ports: All other ports • Bridges use the cost to determine closeness.
These values Path Cost

would be the
Root Path 23 23
Cost if this
interface was
used to reach 27 27
the Root
Bridge. 38 38
19 23
23 19
23 23 0
19 0
0 Root Bridge

Elect Root Ports: (Review)
• Ports show Root Path Cost of Interface, after the “best” BPDU is received on
that port from the neighboring switch.
• This is the cost of reaching the Root Bridge from this interface towards the
neighboring switch.
Distribution 1 “thought process”
Path Cost
If I go through
Core it costs
27.
If I go
through D2
it costs 38.
If I go
through A1 it
costs 23.
If I go through
A2 it costs 19.
This is the best
path to the
Root!
Elect Root Ports:
• This is from the switch’s perspective.
• Switch, “What is my cost to the Root Bridge?”
• Later we will look at Designated Ports, which is from the Segment’s perspective.
Distribution 1 “thought process”

Path Cost
If I go through
Core it costs
27.
If I go
through D2
it costs 38.
If I go
through A1 it
costs 23.
If I go through
A2 it costs 19.
This is the best
path to the
Root!
Elect Root Ports
• Every non-Root bridge must select one Root Port.
• A bridge’s Root Port is the port closest to the Root Bridge.
• Bridges use the Root Path Cost to determine closeness.
? ?
23 23
27 27
38 38
19 23
23 19 RP
RP
23 23 0
19 RP 0
0 Root Bridge

Elect Root Ports Five-Step decision Sequence
• Core switch has two equal Root Path Costs Step 1 - Lowest BID
to the Root Bridge. Step 2 - Lowest Path Cost to Root Bridge
• In this case we need to look at the five-step Step 3 - Lowest Sender BID
decision process. Step 4 - Lowest Port Priority
? ?
23 23
27 27
38 38
19 23
23 19 RP
RP
23 23 0
19 RP 0
0 Root Bridge

Elect Root Ports Five-Step decision Sequence
• Distribution 1 switch has a lower Sender BID Step 1 - Lowest BID
than Distribution 2. Step 2 - Lowest Path Cost to Root Bridge
• Core chooses the Root Port of G 0/1. Step 3 - Lowest Sender BID
Step 4 - Lowest Port Priority
? ?
RP 23 23
My BID is My BID is
32769.0005.5E0D.9315 32769.0060.47B0.5850
Lower BID 27
27
38 38
19 23
23 19 RP
RP
23 23 0
19 RP 0
0 Root Bridge

Elect Designated Ports
STP Convergence
• The loop prevention part of STP becomes evident during this step, electing
designated ports.
• A Designated Port functions as the single bridge port that both sends and
receives traffic to and from that segment and the Root Bridge.
• Each segment in a bridged network has one Designated Port, chosen
based on cumulative Root Path Cost to the Root Bridge.
• The switch containing the Designated Port is referred to as the Designated
Bridge for that segment.
• To locate Designated Ports, lets take a look at each segment.
• Segment’s perspective: From a device on this segment, “Which switch
should I go through to reach the Root Bridge?”
– Root Path Cost, the cumulative cost of all links to the Root Bridge.
– Obviously, the segment has not ability to make this decision, so the
perspective and the decision is that of the switches on that segment.
• A Designated Port is elected for every segment.
• The Designated Port is the only port that sends and receives traffic to/from that segment to
the Root Bridge, the best port towards the root bridge.
• Note: The Root Path Cost shows the Sent Root Path Cost.
• This is the advertised cost in the BPDU, by this switch out that interface, i.e. this is the cost of
reaching the Root Bridge through me!
RP 23 23
19 19
19 19
19 19
19 19 RP
RP
19 19 0
19 RP 0
0 Root Bridge

• A Designated Port is elected for every segment.
• Segment’s perspective: From a device on this segment, “Which switch should I go through
to reach the Root Bridge?”
• “I’ll decide using the advertised Root Path Cost from each switch!”
RP 23 23
? ?
19 19
?
19 19
19 19
19 RP ? ? 19 RP
? ?
19 19 0
19 RP ? 0
Root Bridge
0

Segment’s perspective:
• Access 2 has a Root Path Cost = 0 (after all it is the Root Bridge) and Access 1 has a Root
Path Cost = 19.
• Because Access 2 has the lower Root Path Cost it becomes the Designated Port for that
segment.
RP 23 23
19 19
My19 designated
What is my
port
best
willpath
be 19
0
via Access
to the2Root
(Fa0/5).
Bridge,
It’s 19
the
19
19
best path,
via Access
lowest Root
1 or 0Path,
via
19 19 RP
RP to the Root
Access
Bridge.
2?
19 19 0
19 RP ? DP 0
Root Bridge
0

• The same occurs between Access 2 and Distribution ,1 and Access 2 and Distribution 2
switches.
• Because Access 2 has the lower Root Path Cost it becomes the Designated Port for those
segments.
RP 23 23
19 19
19 19
19 19
19 RP
? 19 RP
?
19 19 DP 0 DP
19 RP DP 0
0 Root Bridge

Segment’s perspective: Five-Step decision Sequence
• Segment between Distribution 1 and Access Step 1 - Lowest BID
1 has two equal Root Path Costs of 19. Step 2 - Lowest Path Cost to Root Bridge
• Using the Lowest Sender ID (first two steps Step 3 - Lowest Sender BID
are equal), Access 1 becomes the best path Step 4 - Lowest Port Priority
and the Designated Port. Step 5 - Lowest Port ID
RP 23 23
32769.0005.5E0D.9315
19 19
What is my best path

19 to the Root 19Bridge, 19
19 19
via Distribution 1 or
19 RP 19 via Access 1? 19 RP
They are the same!
? Who has the lowest
BID?
DP 19 19 DP 0 DP
32769.0003.E461.46EC 19 RP DP 0
0 Root Bridge
Lower BID
Access 1 has Lower Sender BID
Port 26 (GigabitEthernet0/2) of VLAN0030 is designated blocking
Port path cost 4, Port priority 128, Port Identifier 128.26
Designated root has priority 128, address 000C.CF0B.1503
Designated bridge has priority 32769, address 0003.E461.46EC
Designated port id is 128.26, designated path cost 4
Timers: message age 16, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Port 26 (GigabitEthernet1/2) of VLAN0001 is designated forwarding

Designated root has priority 128, address 0001.C746.B605
32769.0003.E461.46EC
Note: PT does not show proper BID
• Segment between Distrib. 1 and Distrib. 2 Step 1 - Lowest BID
has two equal Root Path Costs of 19. Step 2 - Lowest Path Cost to Root Bridge
are equal), Distribution 1 becomes the best Step 4 - Lowest Port Priority
path and the Designated Port. Step 5 - Lowest Port ID
RP 23 23
32769.0005.5E0D.9315 32769.0060.47B0.5850
19
Lower BID
DP
19
?
19 19
19 19
19 RP 19 RP
DP
19 19 DP 0 DP
19 RP DP 0
0 Root Bridge

Distribution 1 has Lower Sender BID
Port 5 (FastEthernet0/5) of VLAN0030 is designated forwarding
Designated bridge has priority 32769, address 0005.5E0D.9315

Port 5 (FastEthernet0/5) of VLAN0001 is designated blocking
Designated bridge has priority 32769, address 0005.5E0D.9315
Rick Graziani graziani@cabrillo.edu Note: PT does not show proper BID 68

• Segment between Access 1 and Distrib. 2 Step 1 - Lowest BID
has two equal Root Path Costs of 19. Step 2 - Lowest Path Cost to Root Bridge
are equal), Access 1 becomes the best path Step 4 - Lowest Port Priority
and the Designated Port. Step 5 - Lowest Port ID
RP 23 23
32769.0060.47B0.5850
19 19
DP
19 19
19
19
19
RP ? 19 RP
32769.0003.E461.46EC DP
19 DP 19 DP 0 DP
Lower BID 19 RP DP 0
0 Root Bridge

Access 1 has Lower Sender BID
Port 25 (GigabitEthernet0/1) of VLAN0001 is designated blocking
Designated root has priority 128, address 00D0.BCC1.2603

Port 25 (GigabitEthernet1/1) of VLAN0001 is designated forwarding
Designated root has priority 128, address 0001.C746.B605
Rick Graziani graziani@cabrillo.edu Note: PT does not show proper BID 70

• Because Distribution 1 has the lower Root Path Cost it becomes the Designated Port
for that segment.
• Because Distribution 2 has the lower Root Path Cost it becomes the Designated Port
for that segment.
Five-Step decision
Sequence
Step 1 - Lowest BID
Step 2 - Lowest Path Cost to
Root Bridge
RP 23 23 Step 3 - Lowest Sender BID
? ? Step 4 - Lowest Port Priority
DP DP
19 19
DP
19 19
19 19
19 RP 19 RP
DP
19 19 DP 0 DP
DP
19 RP DP 0
0 Root Bridge

• All other ports, those ports that are not Root Ports or Designated Ports, become Non-
Designated Ports.
• Non-Designated Ports are put in blocking mode.
• This is the loop prevention part of STP.
RP 23 23
X
NDP
DP
19 19 DP
DP
19
NDP
19 X
NDP
X 19
RP
19
X
NDP 19 RP
19
DP
19 19 DP 0 DP
DP
19 RP DP 0
0 Root Bridge

---------------- ---- --- --------- -------- --------------------------------
Gi0/1 Root FWD 4 128.25 P2p
---------------- ---- --- --------- -------- --------------------------------
---------------- ---- --- --------- -------- --------------------------------
---------------- ---- --- --------- -------- --------------------------------
---------------- ---- --- --------- -------- --------------------------------
Fa0/5 Desg FWD 19
Rick Graziani graziani@cabrillo.edu 128.5 P2p 73
Lowest BID wins!
Its all done with

BPDUs!

Port Cost/Port ID Step 1 - Lowest BID

0/2
0/1
Assume path cost and port

priorities are default (128). Port ID
used in this case. Port 0/1 would
forward because it’s the lowest.
• If the path cost and bridge IDs are equal (as in the case of parallel links),
the switch goes to the port priority as a tiebreaker.
• This is the sender’s Port priority + Port ID
• Lowest port priority wins (all ports set to 128).
• .
• If all ports have the same priority, the port with the lowest port number
forwards frames.
Port Cost/Port ID Five-Step decision Sequence
• Fa 0/3 received a lower Port ID value than Fa 04. Step 1 - Lowest BID
• More later (Fast EtherChannel) Step 2 - Lowest Path Cost to Root Bridge
RP
19
NDP
19
DP
DP

Port Cost/Port ID

VLAN0001
Address 0009.7c0b.e7c0
Cost 19
Port 3 (FastEthernet0/3)
Address 000b.fd13.9080
Aging Time 300
Interface Port ID Designated Port ID
Name Prio.Nbr Cost Sts Cost Bridge ID Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1 128.1 19 BLK 19 32769 000b.befa.eec0 128.1
Fa0/2 128.2 19 BLK 19 32769 000b.befa.eec0 128.2
Fa0/3 128.3 19 FWD 0 32769 0009.7c0b.e7c0 128.1
Fa0/4 128.4 19 BLK 0 32769 0009.7c0b.e7c0 128.2
Fa0/5 128.5 19 FWD 19 32769 000b.fd13.9080 128.5
Gi0/1 128.25 4 FWD 19 32769 000b.fd13.9080 128.25

PVST+ (More later)
• Per VLAN Spanning Tree Plus (PVST+)

maintains a separate spanning-tree
instance for each VLAN.
– PVST Only over ISL
– PVST+ Includes ISL and 802.1Q
• Provides for load balancing on a per-
VLAN basis.
• Switches maintain one instance of
spanning tree for each VLAN allowed on
the trunks.
• Non-Cisco 802.1Q switches maintain
only one instance of spanning tree for all
VLANs allowed on the trunks.
Distribution1(config)# spanning-tree vlan 1, 10 root primary
Distribution2(config)# spanning-tree vlan 20 root primary

Distribution1 is the Root for VLAN1 and 10
Root VLANs 1,10

Distribution2 is the Root for VLAN 20
Root VLAN 20

Load Balancing with 2 Root Switches
Notice that more links are being used!
Root VLANs 1,10 Root VLAN 20

STP Convergence: Summary
Recall that switches go through three steps for their initial

convergence:
STP Convergence
Also, all STP decisions are based on a the following predetermined

sequence:
Step 1 - Lowest BID
Step 4 – Lowest Port Priority

STP Convergence: Summary
Example:
• A network that contains 15 switches and 146
segments (every switchport is a unique segment)
would result in:
– 1 Root Bridge
– 14 Root Ports
– 146 Designated Ports

STP Port States
STP Port States
MAC Address Disabled
Blocking
Listening
Learning
Forwarding
Table BPDUs
Updating Data
Port State BPDU MAC-Add Table Data frames Duration

Disabled None sent/received No update None sent/received Until no shutdown
Administratively shutdown; Not an STP port state
Blocking Receive only No update None sent/received Continuous if loop
detected
Port initializes; receives BPDUs only

Listening Receive and send No update None sent/received Forward delay 15 sec
Building active topology. Thinks port can be selected root or designated port.
Returns to blocking (NDP) if cannot become root or designated port.
Learning Receive and send Updating Table None sent/received Forward delay 15 sec
Building bridging table. Switch can now learn source MAC Addresses but is not
formally receiving frames in order to forward them.
Forwarding Receive and send Updating Table Sent and received Continuous if up and no
loop detected
Ports and States
• Ports
• Blocked - Doesn't send BPDU's, but is receiving them.
• Designated - Send BPDU's and Receives BPDU's.
• Root - Doesn't send BPDU's, but is receiving them.
• Port states:
• Blocking: State where the switch port can receive BPDU, but can not
forwarding user traffic or BPDUs.
• Listening: State where the switch port can send & receive BPDU, but
can not forwarding user traffic.
• Learning: State where the switch port can learn MAC address, send
and receive BPDU, but not forwarding user traffic.
• Forwarding: State where the switch port can learn MAC address, send
and receive BPDU, and forwarding user traffic.

2
2
L is te n in g
5
3
4
1
D is a b le d o r 4
B lo c k in g L e a r n in g
Down
2
4
5
6
2
F o r w a r d in g
S ta n d a rd S ta te s C is c o S p e c ific S ta te s
( 1 ) P o r t e n a b le d o r in it ia liz e d (6 ) P o rtF a s t
( 2 ) P o r t d is a b le d o r f a ile d ( 7 ) U p lin k F a s t
( 3 ) P o r t s e le c t e d a s R o o t o r D e s ig n a t e d P o r t
( 4 ) P o r t c e a s e s to b e a R o o t o r D e s ig n a te d P o r t
( 5 ) F o r w a r d in g tim e r e x p ir e s

STP Timers

STP Timers
Hello Time
• IEEE specifies default of 2 seconds.
• The interval between Configuration BPDUs.
• The Hello Time value configured at the root bridge determines
the Hello Time for all nonroot switches.
• Locally configured Hello Time is used for the TCN BPDU.

STP Timers
Forward Delay Timer

• The default value of the forward delay (15 seconds)
• Originally derived assuming a maximum network size of seven bridge
hops
– A maximum of three lost BPDUs, and a hello-time interval of 2
seconds.
– See LAN Switching, by Clark, or other resources for this calculation
• Forward delay is used to determine the length of:
– Listening state
– Learning state

STP Timers
Max Age Timer

• Max Age is the time that a bridge stores a BPDU before
discarding it.
• Each port saves a copy of the best BPDU it has received.
• If the device sending this best BPDU fails, it may take 20
seconds before a switch transitions the connected port to
Listening.

STP Timers
Modifying Timers
• Do not change the default timer values without careful consideration.
• Cisco recommends to modify the STP timers only on the root bridge
• The BPDUs pass these values from the root bridge to all other bridges in the
network.
• It can take 30-50 seconds for a switch to adjust to a change in topology.
• Switch(config)# spanning-tree vlan vlan-id [forward-time

seconds | hello-time hello-time | max-age seconds |
priority priority | protocol protocol | {root {primary |
secondary} [diameter net-diameter [hello-time hello-
time]]}]
Configuring the
Root Bridge
Switch(config)# spanning-tree vlan 1 priority priority
• This command statically configures the priority (in multiples of 4096).

• Valid values are from 0 to 61,440.
• Default is 32768.
• Lowest values becomes Root Bridge.

Configuring the
Root Bridge
Switch(config)# spanning-tree vlan 1 root primary
• This command forces this switch to be the root.

• The spanning-tree root primary command alters this switch's bridge priority to
24,576 (+VLAN ID).
• If the current root has bridge priority which is more than 24,576, then the current
is changed to 4,096 less than of the current root bridge.

Configuring the
Root Bridge
Switch(config)# spanning-tree vlan 1 root secondary
• This command configures this switch to be the secondary root in

case the root bridge fails.
• The spanning-tree root secondary command alters this switch's
bridge priority to 28,672.
• If the root switch should fail, this switch becomes the next root switch.

Change the root bridge
Current Root
Bridge
• Modify the topology so that the Core switch is the root bridge and
Distribution1 is the secondary root bridge for VLAN 1.

Change the root bridge
Core(config)# spanning-tree vlan 1-30 root primary
Distribution1(config)# spanning-tree vlan 1-30 root secondary
Notice the change…. Root
Before After
Root

Verify changes After Root

VLAN0001

Aging Time 20

---------------- ---- --- --------- -------- ----------------------

Verify changes After Root

VLAN0001
Cost 4

Address 0060.47B0.5850
Aging Time 20

---------------- ---- --- --------- -------- --------------------------------
Gi0/2Rick Graziani graziani@cabrillo.edu
Root FWD 4 128.26 P2p 99
Topology Change Notification BPDUs
• Direct Topology Changes

– Is a change that can be detected on a switch interface.
• Insignificant Topology Changes
– A users PC causes the link to go up or down (normal
booting or shutdown process).

TCNs: Direct Topology Change
• When a bridge needs to signal a topology change, it
starts to send TCNs on its root port.
• Switch A detects link down. Config BPDU
Root
– Removes “best BPDU” from Root Port (this port
is the best path to the Root Bridge) Idle MAC
entries are
– Can’t send TCN out root port to Root bridge. flushed TCN
C D
– Without Uplinkfast (coming) Switch A not aware
of another path to root.
• Switch C is aware of down link and sends TCN
X RP
B A E
message out RP to Root Bridge.
• Root Bridge sends Configuration BPDU with TCN NDP (Blocking)
New RP (Blocking,
bit set to let switches know of configuration change. Listening, Learning,
Forwarding)
• All switches:
– Shorten MAC address tables aging time to
Forward Delay (15 seconds).
– This flushes idle entries.
• Switch A waits to hear from Root Bridge.
• Receives Config BPDU on previously blocked port,
new “best BPDU”, this becomes new RP.
– This new RP will go through listening, learning
and forwarding states.
• TCN does not start a STP recalculation.
TCNs
Idle MAC Idle MAC
• Direct Topology Change: Is a change entries are entries are
that can be detected on a switch flushed flushed
interface. Config BPDU

Root
– Can can take about 30 seconds on Idle MAC
the affected switch (two times entries are
flushed C D
forward delay). TCN
– All switches flush idle entries in Idle MAC
RP
MAC table. entries are B A E
flushed
– Solutions: Uplinkfast
• Insignificant Topology Change: A Idle MAC
Idle MAC
entries are
users PC causes the link to go up or entries are
flushed
flushed
down (normal booting or shutdown
process).
– No significant impact but given
enough hosts switches could be in
a constant state of flushing MAC
address tables.
– Causes unknown unicast floods.
– Solution
Rick Graziani PortFast
graziani@cabrillo.edu 102
TCN BPDUs
• Understanding Spanning-Tree Protocol Topology

Changes
http://www.cisco.com/warp/public/473/17.html
• Remember that a TCN does not start a STP recalculation.
• This fear comes from the fact that TCNs are often
associated with unstable STP environments; TCNs are a
consequence of this, not a cause.
• The TCN only has an impact on the aging time; it will not
change the topology nor create a loop.

Enhancements to 802.1D, PVST+,
RSTP and MST
Cisco’s RSTP is Rapid PVST+

IEEE Documents
• IEEE 802.1D - Media Access Control (MAC) bridges

• IEEE 802.1Q - Virtual Bridged Local Area Networks
• IEEE 802.1w - Rapid Reconfiguration (Supp. To
802.1D)
• IEEE 802.1s - Multiple Spanning Tree (Supp. To
802.1Q)

Enhancements to STP
• STP
– PortFast
– BPDU Guard
– Root Guard
– UplinkFast
– BackboneFast
• Per VLAN Spanning Tree (PVST+)
• Rapid Spanning Tree Protocol (RSTP)
• Multiple Spanning Tree Protocol (MST)
– MST is also known as Multiple Instance Spanning Tree
Protocol (MISTP) on Cisco Catalyst 6500 switches and
above
Helping STP protect your LAN
from Problems
PortFast
BPDU Guard
Root Guard
UplinkFast
BackboneFast
PortFast
Forwarding
Learning
Listening
BlockingState
State
State I’m adding
Powered any
On addresses on
this port to
my MAC
Address
• Host powered on. Table.
• Port moves from blocking state immediately to listening state (15
seconds).
– Determines where switch fits into spanning tree topology.
• After 15 seconds port moves to learning state (15 seconds).
– Switch learns MAC addresses on this port.
• After 15 seconds port moves to forwarding state (30 seconds total).

PortFast – Problem DHCP
Forwarding
Learning
Listening
BlockingState
State
State
Powered
On
DHCP Discovery
Timeout
IP Address = 169.x.x.x
• Host sends DHCP Discovery

• Host never gets IP addressing information
• Also: Insignificant Topology Change

– A users PC causes the link to go up or down (normal booting or shutdown process).
– No significant impact but given enough hosts switches could be in a constant state
of flushing MAC address tables.
– Causes unknown unicast floods.

PortFast
Forwarding
Portfast enabled
State
Powered
On
DHCP Discovery
DHCP Offer
• The purpose of PortFast is to minimize the time that access ports wait for
STP to converge.
• When a port comes up, the port immediately moves into Forwarding state.
• The advantage of enabling PortFast is to prevent DHCP timeouts.
• Host sends DHCP Discovery
• Host can now can IP addressing information.

Configuring Portfast
Access2(config)#interface range fa 0/10 - 24
Access2(config-if-range)#switchport mode access
<Previously configured>
Access2(config-if-range)#spanning-tree portfast
OR
Access2(config)#spanning-tree portfast default
• Warning: PortFast should only be enabled on ports that are connected

to a single host.
• If hubs or switches are connected to the interface when PortFast is
enabled, temporary bridging loops can occur.
• If a loop is detected on the port, it will move into Blocking state.

Protecting against unexpected BPDUs
• BPDU Guard
• BPDU Filter
• Root Guard
• Loop Guard
• Coast Guard 

Problem: Unexpected BPDUs
Blocking and
now listening
to BPDUs
BPDU
X
Forwards
BPDUs to
Portfast other
switches.
STP Reconvergence?
• Even though PortFast is enabled, the interface will listen for BPDUs.
• A port configured with PortFast will go into blocking state if it receives a Bridge
Protocol Data Unit (BPDU).
• This could lead to false STP information that enters the switched network and
causes unexpected STP behavior.
• Newly connected switch could advertise itself as the root.
• BPDU Guard: Developed to protect integrity of switch ports with PortFast enabled
but also keeps maintains STP integrity by disallowing unauthorized switches.
Solution: BPDU Guard
Err-Disable,
Shutdown
BPDU
| No BPDUs sent
Portfast &
BPDU Guard
Distribution1(config)#interface range fa 0/10 - 24

Distribution1(config-if-range)#spanning-tree bpduguard enable
• When the BPDU guard feature is enabled on the switch, STP shuts down PortFast
enabled interfaces that receive BPDUs instead of putting them into a blocking state.
– Errdisable: Port must be manually re-enabled or automatically recovered via timers.
• BPDU guard will also keep switches added outside the wiring closet by users from
impacting and possibly violating Spanning Tree Protocol.
Portfast + BPDU Guard
• It is highly recommended to always enable BPDU Guard

on all PortFast-enabled ports!
• This will prevent adding a switch to a switch port that is
dedicated to an end device.
• A hub or some unmanaged switches do not send BPDUs;
therefore, BPDU Guard will not be able to detect them.
• If a hub or an unmanaged switch connects to two locations
in a network, you might end up with a loop in your network.

BPDU Filter
• Always run STP to prevent loops.

• However, in special cases, you need to
prevent BPDUs from being sent out.
Switch(config-if)# spanning-tree bpdufilter enable

! Enables BPDU Filter on a specific switch port
Switch(config)# spanning-tree portfast bpdufilter default
! Enables BPDU Filter on all switch ports that are PortFast-enabled
• When enabled globally:

– If BPDUs are detected, the port loses its PortFast status, BPDU Filter is
disabled, and the STP sends and receives BPDUs on the port as it would with
any other STP port on the switch.
– Upon startup, the port transmits ten BPDUs. If this port receives any BPDUs
during that time, PortFast and PortFast BPDU Filter are disabled.
• When enabled on an individual port:
– It ignores all BPDUs received.
– It sends no BPDUs.
Root Guard
Protect Protect
Potential Root
Potential Root
• Root Guard prevents a switch from becoming the root bridge.

– Typically access switches
• Configured on switches that connect to this switch.

Root Guard
• UplinkFast must
be disabled
because it
cannot be used
with root guard.
Distribution1(config)#interface fa 0/3
Distribution1(config-if-range)#spanning-tree guard root
Distribution1(config)#interface gig 0/2
Distribution2(config)#interface fa 0/3
Distribution2(config)#interface gig 0/1
Access2(config)#no spanning-tree uplinkfast

Root Guard
Root
Guard I no longer
want to be
root. I have
I wantbeento
I STP
will now
Inconsistent
transition to
Superior be root
reconfigured
BPDU to be a non-
listening
State – no
sate,
traffic
thenis learning bridge!
state,
passed.
then forwarding sate. root bridge.
• This message appears after root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become
non-designated in VLAN 1. Moved to root-inconsistent
state

UplinkFast
• Uplinkfast allows access layer switches that have redundant links to

multiple distribution switches the ability to converge quickly when a link has
failed.
– For “Leafs” (end nodes) of the spanning tree.
– Not for use within backbone or distribution switches (BackboneFast).

UplinkFast Root
Unblock G 1/1 skips

listening and learning
and goes directly to
X
forwarding
• UplinkFast must have direct knowledge of the link failure in order to move a
blocked port into a forwarding state.
• Single Root Port but multiple potential root ports.
• If Root Port fails, next-lowest path cost is unblocked and used without delay
(almost).
– This switchover occurs within 1 second.
UplinkFast
Access1(config)#spanning-tree uplinkfast
• Uplinkfast is enabled for the entire switch and all VLANs.

– Not supported on a per-VLAN basis.
• Uplinkfast keeps track of all possible paths to the Root Bridge.
– So, not allowed on the Root Bridge
– Switches BID: Raised to 49,152 to make it unlikely it will be the Root
Bridge.

BackboneFast Root
Switch(config)#spanning-tree backbonefast
• Backbone fast is a Cisco proprietary feature that, once enabled on all switches can
save a switch up to 20 seconds (Max Age) when it recovers from an indirect link
failure.
• Configured in global configuration mode and should be enabled on all switches in
the network.
– Requires the use of RLQ (Root Link Query) requests and replies.
– Disabled by default.
I just
Thisheard from
new BPDU
My link to the Root Core that they
is inferior to the
Root has are still
onethe Root.
it had
gone
Thanks down.
for I I will:
stored for this
X
Forwarding
Blocking
Listening
telling
have nome RP • Send
portBPDU to
so I will
alternate
Core is thepath RP D1 ignore it.
toRoot.
it. So,
I will
I’m After 20 seconds
• Transition port
Inferior BPDU Let me send
the
change
new root
my this port
immediately will now
to
my current
RP
andtosendFa 0/5.
out go into
listening
Root state
a query
my BPDUs Forwarding20 state.
saving (RLQ).
on all ports. seconds (Max
Age)
• BackboneFast is initiated when a root port or blocked port on a switch receives

inferior BPDUs from a designated bridge.
• Inferior BPDUs are sent from a designated bridge that has lost its connection to the
root bridge.
• Normally, a switch must wait for Max Age (20 seconds) to expire before responding
to an inferior BPDU.
• With Backbonefast, switch determines alternate paths to Root.
BackboneFast
Normal BPDU
= Core
= Dist1
FYI – More Information

• An inferior BPDU identifies one switch as
Inferior BPDU both the root bridge and the designate
bridge.
• Distribution 1 is the Designated Bridge.
• Normally, sends BPDUs with Root Bridge
= Dist1 as the Core BID.
Same • Inferior BPDU – A received BPDU that
= Dist1 Switch identifies the root bridge and the
designated bridge as the same switch. (“I
was only just the Designated Bridge, but
now that I can’t get to the Root Bridge, so
now I am also the Root Bridge.”) 130
Unidirectional Link Detection Protocol (ULDP)
Designated Port
BPDU
Blocked Port
BPDU Received only,
none sent
• Spanning-Tree Protocol (STP) resolves redundant physical

topology into a loop-free, tree-like forwarding topology.
• This is done by blocking one or more ports.
ULDP
BPDU BPDU
BPDU Loop! BPDU
BPDU
BPDU No BPDU’s Received
Change to Forwarding State
• STP uses Bridge Protocol Data Units (BPDUs).
• If a switch’s port in blocking port stops receiving BPDUs:
– STP eventually ages out the STP information for the port (up to 50 secs)
– Moves port to forwarding state.
• This creates a forwarding loop or STP loop.
• How is it possible for the switch to stop receiving BPDUs while the port is up?
– The reason is unidirectional link.
Unidirectional Link

ULDP
BPDU
No BPDU’s Received
• RFC 5171: “Issues arise when, due to mis-wirings or to hardware faults, the
communication path behaves abnormally and generates forwarding anomalies.
• Link fails in the direction of SwitchC.
– SwitchC stops receiving traffic from SwitchB.
– However, SwitchB still receives traffic from C.
• UDLD is a Layer 2 (L2) protocol that works with the Layer 1 (L1) mechanisms
to determine the physical status of a link.
ULDP
My device/port
ID & your
device port ID Layer 1: Auto-
negotiation
My device/port configured
ID & your (speed/duplex)
device port ID
Layer 2: UDLD
configured
• Enable both auto-negotiation and UDLD to prevent unidirectional

connection.
• With UDLD switches share Device/Port ID information.

ULDP
My device/port
ID & your
X
device port ID Unidirectional link failure
My device/port
ID & your UDLD-3-DISABLE: Unidirectional
device port ID link detected on port 1/2. Port
disabled
Port disabled
• Port shutdown by UDLD remains disabled until:

– Manually reenabled or
– errdisable timeout expires (if configured)

Configuring ULDL
Switch(config)# udld {enable | aggressive}

or
Switch(config)# interface fa 1/2
Switch(config-if)# udld {enable | aggressive}
• Normal mode (enable) – Port is allowed to continue it’s operation

merely marks the port as being in undetermined state and generates a
syslog message.
• Aggressive mode – Port is place in Errdisable state and cannot be
Rick used.
Graziani graziani@cabrillo.edu 137
Loopguard
Loop! X BPDU
No BPDU’s Received
No Loopguard Configured
• Loopguard also protects against ports erroneously transitioning to

forwarding mode.
• Loopguard will also protect against STP failures, designated switch not
sending BPDUs due to software problems.
Loopguard
BPDU X Unidirectional link failure
BPDU
%SPANTREE-2-LOOPGUARD_BLOCK:
Loop guard blocking port
FastEthernet1/0 on VLAN0010
Loopguard Configured
Inconsistent Blocking State
• If the switch begins to receive BPDUs again, it will transition through

normal STP states.
• Loopguard does NOT protect against problems due to wiring issues.
• Highest level of protection is to enable both Loopguard and UDLD.
Configuring Loopguard
Switch(config)# spanning-tree loopguard default

or
Switch(config)# interface fa 1/2
Switch(config-if)# spanning-tree guard loop

Flex Links
• Switches B and
C are unaware
Active Backup of FlexLinks.
Switch(config)# interface FastEthernet0/1

Switch(config-if)# switchport backup interface FastEthernet0/2
! Configures an interface with a backup interface
• Layer 2 availability feature that provides an alternative solution to STP and allows
users to turn off STP and still provide basic link redundancy.
• FlexLinks are a pair of a Layer 2 interfaces, where one interface is configured to act
as a backup to the other.
• FlexLinks are typically configured in service provider or enterprise networks where
customers do not want to run STP.
• FlexLinks provide link-level redundancy that is an alternative to STP.
• STP is automatically disabled on FlexLinks interfaces.
Flex Links
• Switches B and
C are unaware
Active Backup of FlexLinks.
Switch(config)# interface FastEthernet0/1

Switch(config-if)# switchport backup interface FastEthernet0/2
! Configures an interface with a backup interface
• Fast Ethernet 0/1 (active link) forwarding traffic between port Ethernet 0/1
and Switch B
• Fast Ethernet 0/2 (the backup link) and Switch C is not forwarding traffic.
• If port Fast Ethernet 0/1 goes down, port Fast Ethernet 0/2 comes up and
starts forwarding traffic to Switch C.
• When port Fast Ethernet 0/1 comes back up, it goes into standby mode and
does not forward traffic; port Fast Ethernet 0/2 continues to forward traffic.
Flex Links
• If Fast Ethernet 0/1 shuts down, Fast
Ethernet 0/2 starts forwarding traffic.
• If there is no traffic from the PC to the server
after failover to Fast Ethernet 0/2…
• ….Switch C does not learn the MAC address
of the PC on Fast Ethernet 0/4,
• ….Switch C keeps forwarding traffic from the
server to the PC out of Fast Ethernet 0/3.
• Traffic loss from the server to the PC. Dummy
Multicast
• To alleviate this problem, the feature sends
out a dummy multicast packet with the X
Active Backup
source MAC address of the PC over Fast
Ethernet 0/2.
• Switch C learns the PC MAC address on
Fast Ethernet 0/4 and starts forwarding traffic
from the server to the PC out of Fast
Ethernet 0/4.
• One dummy multicast packet is sent out for
every MAC address.
STP Recommendations

RSTP – IEEE 802.1w
(Rapid Spanning Tree Protocol)
Cisco’s RSTP is Rapid PVST+

Rapid Spanning Tree Protocol

Rapid Spanning Tree Protocol
• The immediate hindrance of STP is convergence.

• Depending on the type of failure, it takes anywhere from 30 to 50
seconds, to converge the network.
• RSTP helps with convergence issues that plague legacy STP.
STP vs RSTP
802.1D 802.1w
vs
• RSTP is based on IEEE 802.1w standard.

• IEEE 802.1w took 802.1D’s principle concepts and made convergence
faster.
• STP topology change takes 30 seconds (two intervals of Forward Delay timer).
• RSTP is proactive and therefore negates the need for the 802.1D delay timers.
• RSTP (802.1w) supersedes 802.1D, while still remaining backward compatible.
• RSTP BPDU format is the same as the IEEE 802.1D BPDU format, except that
the Version field is set to 2 to indicate RSTP.
• The RSTP spanning tree algorithm (STA) elects a root bridge in exactly the
same way as 802.1D elects a root.
RSTP
• RSTP can be applied on Cisco switches as:

– A single instance per VLAN
• Rapid PVST+ (RPVST+)
– Multiple instances
• IEEE 802.1s Multiple Spanning Tree (MST)

STP Port Behavior and States
• 802.1D
– Ports
• Root Port
• Designated Port
• Blocking Port
– Non Designated Port and Non Root Port
– Cisco’s proprietary UplinkFast has a hidden Alternative Port
offering parallel paths, but in Blocking state.
– States
• Disabled (Not 802.1D state)
• Blocking
• Listening
• Learning
• Forwarding
– Only state that sends/receives data.

RSTP
Root Bridge: Same election process as 802.1D (lowest BID)
Ports
• Root Port (802.1D Root Port)
– The one switch port on each switch that has the best
root path cost to the root.
• Designated Port (802.1D Designated Port)
– The switch port on a network segment that has the
best root path cost to the root.
• Alternate Port (802.1D Blocking Port)
– A port with an alternate path the root.
– An alternate port receives more useful BPDUs from
another switch and is a port blocked.
– Similar to how Cisco UplinkFast works.
• Backup Port (802.1D Blocking Port)
– A port that provides a redundant (but less desirable)
connection to a segment where another switch port
already connects. (Not common – hubs)
– A backup port receives more useful BPDUs from the
same switch it is on and is a port blocked.
RSTP Port States
Operational STP Port State RSTP Port State
Port State
Disabled Disabled Discarding
Enabled Blocking Discarding
Enabled Listening Discarding
Enabled Learning Learning
Enabled Forwarding Forwarding
• RSTP defines port states based on what it does with incoming data frames.
• Discarding
– Incoming frames are dropped
– No MAC Addresses learned
– Combination of 802.1D (Disabled), Blocking and Listening
• Learning
– Incoming frames are dropped
– MAC Addresses learned
• Forwarding
– Incoming frames are forward.

You will probably not see a
backup port role in practice. It is
used only when switches are
connected to a shared segment.
To build shared segments, you
need hubs, and these are
obsolete.
RSTP BPDUs
STP Port State STP BPDUs RSTP Port State RSTP BPDUs
Disabled Not Sent/Received Discarding Not Sent/Received

Blocking Receive only Discarding Sent/Received
Listening Sent/Received Discarding Sent/Received
Learning Sent/Received Learning Sent/Received
Forwarding Sent/Received Forwarding Sent/Received
• RSTP uses same 802.1D BPDU format for backward compatibility.

– 802.1D and 802.1w switches can coexist.
• BPDUs sent out every switch port at Hello Time intervals regardless if
BPDUs are sent on the port.
• When three BPDUs in a row (6 seconds) are missed:
– the neighbor switch is presumed down
– All MAC address information pointing to that switch (out that port) is
immediately aged out (flushed)
– Switch can detect a neighbor down in 6 seconds instead of MaxAge
of 20 seconds.
RSTP Convergence
• http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/
12.1_9_ea1/configuration/guide/swmstp.html#wp1048403
• Convergence is a two step process:
1. Elect a Root Bridge
2. Examine all switch ports which by default are in Blocking state and
advance to the appropriate state to prevent loops.
• STP requires the expiration of several timers before switch ports can be
moved to Forwarding state.
• RSTP takes a different approach:
– When a switch joins the topology (powered-up) or detects a failure in the
existing topology…
– Determines its forwarding decisions based on the type of port.
• Edge Port
• Root Port
• Point-to-Point Port

Edge Ports
• Edge port will never have a switch connected to it so cannot form bridging
loops.
• Immediately transitions to forwarding state.
• Traditional identified with STP PortFast feature.
• For familiarity the command is the same: spanning-tree portfast
• Never generates topology changes notifications (TCNs) when the port transitions
to a disabled or enabled status.
• If an edge port receives a BPDU, it loses its Edge Port status becomes a normal
spanning-tree port.
Non-Edge Ports
• Root Port
– The one switch port on each switch that has the best root path cost to the root.
• Point-to-Point Port (Link Type)
– Port operating in full-duplex mode.
– Connects to another switch and becomes a Designated Port.
– Uses a quick handshake with neighboring switch rather than timers to decide
port state.
• Shared Medium Port (Link Type)
– Port operating in half-duplex mode.
– It is assumed that the port is connected to shared media where multiple
switches might exist.
Point-to-Point: The Quick Handshake
Proposal
Root RP
A DP B
Agreement
• Switch A is connected to Switch B through a point-to-point link,

– All ports are in the Discarding (Blocking) state.
• Switch A has a lower BID than Switch B.
• Switch A sends a proposal message (Configuration BPDU) to Switch B,
proposing itself as the Root Bridge and the designated switch on the segment.
• Switch B:
– Selects its new root port the port from which the proposal message
was received and immediately goes into Forwarding State
– Forces all nonedge ports to the Discarding (Blocking) state,
– Sends an agreement message.
• Switch A: Immediately transitions its designated port to the forwarding
state.
• No loops in the network are formed because Switch B blocked all of its
nonedge ports and because there is a point-to-point link between Switches A
and B.
Proposal
Root RP
A DP B
Agreement
Proposal
Root DP DP
DP RP
A B C
Agreement
Proposal
Root DP RP DP RP C DP RP D
A B
Agreement
• Switch C is connected to Switch B: a similar set of handshaking messages

are exchanged.
• Switch C selects the port connected to Switch B as its root port, and both
ends immediately transition to the forwarding state.
• Handshaking process continues throughout topology.

RSTP Topology Change Notifications
802.1D 802.1D
• 802.1D
– Switch detects a state change (up or down), it sends the Root Bridge a TCN BPDU.
– The Root Bridge sends out a Configuration BPDU (TCN bit set) to all switches to
tell them about the change. (30 seconds before Forwarding)
• RSTP
– Detects a topology change only when a nonedge port transitions to the
Forwarding State.
– RSTP uses its convergence mechanisms (Edge Ports, Point-to-Point ports,
handshaking, etc.) to prevent bridging loops.
– Therefore, topology changes are detected only so MAC address tables can be
updated and corrected.
– This means that a loss of connectivity is not considered as a topology change any
more, contrary to 802.1D (that is, a port that moves to blocking no longer generates
a TC).
RSTP Topology Change
Notifications
RSTP
• When a topology change occurs:
– Switch flushes the MAC addresses associated
with all nonedge ports. RSTP no longer uses the specific
TCN BPDU, unless a legacy bridge
– Switch sends BPDU with TCN bit set to all
needs to be notified
neighbors so they can update their MAC Address
tables too.
• When a bridge receives a BPDU with the TCN bit set from a neighbor:
– It clears the MAC addresses learned on all its ports, except the one the port that
it receives the topology change.
– It sends BPDUs with TCN set on all its designated ports and root port (RSTP no
longer uses the specific TCN BPDU, unless a legacy bridge needs to be notified).
• This way, the TCN floods very quickly across the whole network - now a one step
process.
• The initiator of the topology change floods this information throughout the network,
as opposed to 802.1D where only the root did.
• Much faster than the 802.1D equivalent < wait for the root bridge to be notified, and
then max age plus forward delays>.
• In just a few seconds, or a small multiple of hello-times, most of the entries in the
CAM tables of the entire network (VLAN) flush.
• This approach results in potentially more temporary flooding, but on the other hand it
clears potential stale information and allows rapid convergence.
Rapid PVST Implementation Commands
Cisco implements RSTP with Rapid PVST+
Switch(config)# spanning-tree mode rapid-pvst
• To revert back to the default PVST+ using traditional 802.1D:
Switch(config)# spanning-tree mode pvst

Cisco implements RSTP with Rapid PVST+
• To configure an RSTP edge port:

Switch(config-if)# spanning-tree portfast
• RSTP automatically decides if a port is point-to-point link operating in full duplex or half-
duplex.
• If you need to set it manually, other switch is in Half-Duplex but still point-to-point (by the
way, both ends must then be Half-Duplex):
Switch(config-if)# spanning-tree link-type point-to-point

164

VLAN0001
Spanning tree enabled protocol rstp
Cost 4

Aging Time 20

802.1D creates a single
instance of STP for all
VLANs.
PVST+ and RPVST create a

single instance of STP for
each VLAN.
If there are 500 VLANs in the

network that would be 500
Cisco’s RSTP is Rapid PVST+ instances of STP running!
PVST+ does allow different
VLANs to have different Root
Bridges which can allow for
the use of redundant links.

Multiple Spanning Tree Protocol – 802.1s
• MSTP is also known as Multiple Instance Spanning Tree

Protocol (MISTP) on Cisco Catalyst 6500 switches and
above

Multiple Spanning Tree Protocol – 802.1s
Instance 1 maps to VLANs 1–500

Instance 2 maps to VLANs 501–1000
• Multiple Spanning Tree (MST) extends the IEEE 802.1w RST algorithm to multiple
spanning trees.
• The main purpose of MST is to:
– Reduce the total number of spanning-tree instances to match the physical topology
of the network
– Thus reduce the CPU cycles of a switch.
• Allows the network administrator to configure the exact number of instances.
• PVST+ runs a single instance of STP for each VLAN and does not take into
consideration the physical topology.
– May have 1,000 VLANs but only 2 different topologies (2 different Root Bridges).
– PVST+ will still create 1,000 instances of STP
• MST, on the other hand, uses a minimum number of STP instances to match the
number of physical topologies present.
– May have 1,000 VLANs but only 2 different topologies (2 different Root Bridges).
– MST will let you specify only 2 instances of STP.
MST Regions
• MST combines some but not necessarily all VLANs into logical spanning-tree
instances.
• This difference raises the problem of determining which VLAN is supposed to
be associated with which instance.
• VLAN-to-instance association is communicated by tagging the BPDUs so that
the receiving device can identify the instances and the VLANs to which they
apply.

802.1D 802.1D
MST Regions
MST
Region
• MST Region is a group of switches placed under a common administration (like an AS).
• In most networks a single MST region is sufficient.
– A single MST Region can handle 15 STP instances (topologies).
• Within a region, all switches must run the instance of MST as defined by:
– MST configuration name (32 characters)
– MST configuration revision number ( 0 to 65,535)
– MST instance-to-VLAN mapping table (4,096 entries)
• MST was designed to work with all forms of STP.
• IST (Internal Spanning Tree) instance runs to work out a loop-free topology inside the
MST Region.
• IST presents the entire MST region as a single virtual switch (bridge) to the CST (802.1D)
outside.
MST
• Remember, the whole idea of MST is to map multiple VLANs to a smaller

number of STP instances.
– Cisco supports a maximum of 16 MST Instances (MSTIs) in a region.
– The IST uses MST 0 leaving 1 through 15 available for use.
• The Distribution1 switch is the primary root bridge for the data VLANs 10, 30,
and 100
– Secondary root bridge for the voice VLANs 20, 40, and 200.
• The Distribution2 switch the primary root bridge for the voice VLANs 20, 40,
and 200
– Secondary root bridge for the data VLANs 10, 30, and 100.
• Distribution1 is chosen as CIST regional root.
– It means that Distribution1 is the root for IST0.
STP Instances with
MST
• MST supports a number of instances. Instance 0 is the internal spanning tree

(IST).
• Different MST instances (MSTIs) exist within a single MST region.
• MSTI1 and MSTI2 are mapped to different VLANs.
• Their topologies converge differently because root bridges are configured
differently.
• Within the MST region, there are three independent STP instances: MSTI0
(IST), MSTI1, and MSTI2.

STP Instances with
MST
• All six VLAN instances initially belong to MSTI0.

– This is the default behavior.
• Then make the half of VLAN instances (11, 22, and 33) mapped to MSTI1, and
the other half (44, 55, and 66) mapped to MSTI2.
• If different root bridges are configured for MSTI1 and MSTI2, their topologies will
converge differently.
• By having different Layer 2 topologies between MST instances, links are more
evenly utilized.

Extended System ID for MST

Configuring and Verifying MST
STP configuration that you will

perform in this section.
•VLANs 2 and 3 are mapped into
MST instance 1.
•VLANs 4 and 5 are mapped into
MST instance 2.
• All three switches are configured with PVST+

• Four user-created VLANs: 2, 3, 4, and 5.
• SW1 is configured as the root bridge for VLANs 2 and 3.
• SW2 is configured as the root bridge for VLANs 4 and 5.
Current RSTP
SW3# show spanning-tree summary

Switch is in pvst mode
Root bridge for: none
<... output omitted ...>
Name Blocking Listening Learning Forwarding STP Active
--------- -------- --------- -------- ---------- ----------
VLAN0001 1 0 19 0 20
VLAN0002 1 0 2 0 3
VLAN0003 1 0 2 0 3
VLAN0004 1 0 2 0 3
VLAN0005 1 0 2 0 3
--------- -------- --------- -------- ---------- ----------
5 vlans 5 0 27 0 32
Configuring and
Verifying MST
SW1(config)# spanning-tree mst configuration

SW1(config-mst)# name CCNP
SW1(config-mst)# revision 1
--------
---------
• An STP instance is created for each VLAN with PVST+.

• Five VLANs translate into five STP instances.
• SW1 and SW2 also run the same number of running STP instances as SW3.
• All three switches are in the same MST region, CCNP, and same revision, 1.
SW1(config-mst)# instance 1 vlan 2,3
SW1(config-mst)# end


• Map VLANs 2 and 3 to MST instance 1.

• Map VLANs 4 and 5 to MST instance 2
SW1(config)# spanning-tree mst 1 root primary
SW1(config)# spanning-tree mst 2 root secondary
• Configure SW1 as primary root bridge for MST instance 1 and secondary root
for instance 2

SW2(config)# spanning-tree mst 1 root secondary
SW2(config)# spanning-tree mst 2 root primary
---------
SW1(config)# spanning-tree mode mst
-----------
-----------
• Configure SW2 as secondary root bridge for MST instance 1 and primary root
for instance 2.
• Change STP mode to MST on all three switches
SW3# show spanning-tree summary
Switch is in mst mode (IEEE Standard)
<... output omitted ...>
Name Blocking Listening Learning Forwarding STP Active

---------- -------- --------- -------- ---------- ----------
MST0 0 0 0 24 24
MST1 0 0 0 4 4
MST2 0 0 0 4 4
--------- -------- --------- -------- ---------- ----------
3 msts 0 0 0 32 32
• MST runs three instances: the default MSTI0 and the two you configured
(MSTI1 and MSTI2).
SW3(config-mst)# show current
Current MST configuration
Name [CCNP]
Revision 1 Instances configured 3
Instance Vlans mapped

-------- -----------------------------------------------------------
0 1,6-4094
1 2-3
2 4-5
---------------------------------------------------------------------
• MST configuration on SW3
• VLANs 2 and 3 are mapped to MSTI1 .
• VLANs 4 and 5 are mapped to MSTI2.
• All other VLANs are mapped to MSTI0 or IST.
STP – Spanning Tree Protocol
CIS 187 Multilayer Switched Networks

CCNP SWITCH
Rick Graziani

STP - Spanning Tree Protocol in Depth: CIS 187 Multilayer Switched Networks CCNP SWITCH Version 7 Rick Graziani

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

STP - Spanning Tree Protocol in Depth: CIS 187 Multilayer Switched Networks CCNP SWITCH Version 7 Rick Graziani

Uploaded by

Copyright:

Available Formats

STP – Spanning Tree Protocol

CIS 187 Multilayer Switched Networks

• Spanning Tree Protocol (STP) overview, its operations, and

Rick Graziani graziani@cabrillo.edu 2

• “STP often accounts for more

Rick Graziani graziani@cabrillo.edu 3

• Broadcasts and Layer 2

Rick Graziani graziani@cabrillo.edu

Rick Graziani graziani@cabrillo.edu 9

• STP executes an algorithm

Rick Graziani graziani@cabrillo.edu 10

• STP calculations make extensive use of two key concepts in

Cost (Revised IEEE Cost (Previous IEEE

Rick Graziani graziani@cabrillo.edu 11

• Bridge ID (BID) is used to identify each bridge/switch.

Rick Graziani graziani@cabrillo.edu 12

• Consists of two components:

• Each switch has a unique BID.

Rick Graziani graziani@cabrillo.edu 14

VLAN0010 PVST coming

Rick Graziani graziani@cabrillo.edu 15

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Rick Graziani graziani@cabrillo.edu 16

• Used to elect a root bridge (coming)

Rick Graziani graziani@cabrillo.edu 17

Cost (Revised IEEE Cost (Previous IEEE

• When creating a loop-free topology, STP always uses the same

Five-Step decision Sequence

• Bridges use Configuration BPDUs during this five-step process.

Rick Graziani graziani@cabrillo.edu 20

BPDU key concepts:

Rick Graziani graziani@cabrillo.edu 21

The STP algorithm uses three simple steps to converge on a loop-

• When the network first starts, all bridges are announcing a

Rick Graziani graziani@cabrillo.edu 22

Rick Graziani graziani@cabrillo.edu 23

Core# show spanning-tree

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Distribution1# show spanning-tree

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Rick Graziani graziani@cabrillo.edu

Distribution2# show spanning-tree

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Rick Graziani graziani@cabrillo.edu 26

Access1# show spanning-tree

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Rick Graziani graziani@cabrillo.edu 27

Access2# show spanning-tree

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Rick Graziani graziani@cabrillo.edu 28

Rick Graziani graziani@cabrillo.edu 29

Rick Graziani graziani@cabrillo.edu 30

Its all done with

Rick Graziani graziani@cabrillo.edu 31

Rick Graziani graziani@cabrillo.edu 32

• At the beginning, all bridges assume and declare themselves as the

Rick Graziani graziani@cabrillo.edu 34

Rick Graziani graziani@cabrillo.edu 35

Rick Graziani graziani@cabrillo.edu 37

Rick Graziani graziani@cabrillo.edu 38

Rick Graziani graziani@cabrillo.edu 39

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Interface Role Sts Cost Prio.Nbr Type