
· Foreword

Local area networks (LANs) usually consist of multiple interconnected switches, and to avoid broadcast storms
it is necessary to ensure that the network contains no path loops.

The STP protocol prunes all links into a loop-free tree, while still providing redundant backup links that improve
network reliability.
· Topology

Figure: a distribution switch connected to an access switch (PoE), with terminals PC1 and PC2 (both in VLAN 10)
attached to the access switch.
· Loop Phenomena and Hazards

The Phenomenon of Loops


• Switch port indicators flash rapidly at the same frequency
• The switch MAC address table oscillates
• The switch runs out of resources and login operations behave abnormally

The Hazards of Loops


• Link blocking
• Host systems respond slowly
• Layer 2 switches respond slowly to management
• Impact on the CPU of the gateway device
· LOOP Effect

Within a VLAN, unknown unicast frames are flooded to all ports except the receiving port.

The switch works on the principle of learning and recording source addresses, looking up the table, and forwarding.

Figure: SW1 connects to SW2 on G0/1 and to SW3 on G0/2, with PC1 on G0/3 and PC2 on G0/4; SW2 and SW3 connect to
each other on their G0/2 ports and to SW1 on their G0/1 ports. Each switch has a MAC address table (VLAN, MAC, Port),
initially empty. PC1 and PC2 are in VLAN 10.

Data needs to be transferred between PC1 and PC2.


· LOOP Effect

1. SW1 learns PC1_MAC, looks up the MAC address table, finds no entry matching the destination MAC, and floods the
frame.
2. SW2 and SW3 receive the data frame, learn the source MAC, and flood it onward.

Figure: after steps 1 and 2 the MAC address tables read: SW1: VLAN 10, PC1_MAC, G0/3; SW2: VLAN 10, PC1_MAC, G0/1;
SW3: VLAN 10, PC1_MAC, G0/1. The frame (SMAC: PC1_MAC, DMAC: PC2_MAC) has been flooded from SW1 to SW2 and SW3,
and from each of them towards the other over the SW2-SW3 link.

Data needs to be transferred between PC1 and PC2.


· LOOP Effect

3. SW2 and SW3 receive the same frame from each other, learn the source MAC, and move the PC1_MAC entry to the
interface between them.
4. SW1 receives the same frame on G0/1 and on G0/2, learns and floods it in turn (the MAC address table is
unstable).
5. SW2 and SW3 receive the same frame again, and the cycle repeats...

Figure: after steps 3 to 5, SW2 and SW3 have each moved PC1_MAC from G0/1 to G0/2 and back to G0/1, and SW1's entry
for PC1_MAC alternates between G0/3, G0/1 and G0/2. The frame (SMAC: PC1_MAC, DMAC: PC2_MAC) keeps circulating
around the ring.

Data needs to be transferred between PC1 and PC2.
Broadcast storm in the network: repeated data frame flooding.
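The flooding cycle of steps 1 to 5 can be reproduced with a small simulation. The following Python script is an added example, not part of the original training slides; it uses the SW1/SW2/SW3 wiring and port names from the figures, and everything else is constructed. It also shows that discarding frames on one ring port (SW3's port towards SW2 is chosen here as an assumption, standing in for the port STP would block) lets the same frame die out after four forwards.

```python
# Added example (not from the original slides): three switches in a ring,
# each learning the source MAC on the ingress port and flooding unknown
# unicast out of every other port. One PC1 -> PC2 frame injected at SW1 G0/3
# is copied forever and the MAC tables flap, until one ring port is blocked.
from collections import deque

# Wiring from the slides: (switch, port) -> (peer, peer port); PCs are hosts.
LINKS = {
    ("SW1", "G0/1"): ("SW2", "G0/1"), ("SW2", "G0/1"): ("SW1", "G0/1"),
    ("SW1", "G0/2"): ("SW3", "G0/1"), ("SW3", "G0/1"): ("SW1", "G0/2"),
    ("SW2", "G0/2"): ("SW3", "G0/2"), ("SW3", "G0/2"): ("SW2", "G0/2"),
    ("SW1", "G0/3"): ("PC1", None),   ("SW1", "G0/4"): ("PC2", None),
}
PORTS = {}
for sw, port in LINKS:
    PORTS.setdefault(sw, []).append(port)

def simulate(max_events, blocked=frozenset()):
    """Inject one PC1->PC2 frame at SW1 G0/3 and run the flood.
    `blocked` holds (switch, port) pairs that discard frames (what an STP
    blocked port does). Returns (frames forwarded, MAC tables, flap counts,
    whether the flood terminated before max_events forwards)."""
    mac = {sw: {} for sw in PORTS}          # sw -> {MAC: port}
    flaps = {sw: 0 for sw in PORTS}         # PC1_MAC moved between ports
    q = deque([("SW1", "G0/3", "PC1_MAC", "PC2_MAC")])
    forwarded = 0
    while q and forwarded < max_events:
        sw, in_port, smac, dmac = q.popleft()
        if (sw, in_port) in blocked:
            continue                        # blocked port discards the frame
        if mac[sw].get(smac, in_port) != in_port:
            flaps[sw] += 1                  # table oscillation symptom
        mac[sw][smac] = in_port             # learn source MAC
        outs = [mac[sw][dmac]] if dmac in mac[sw] else [
            p for p in PORTS[sw] if p != in_port]   # unknown: flood
        for out in outs:
            if (sw, out) in blocked:
                continue
            forwarded += 1
            peer, peer_port = LINKS[(sw, out)]
            if peer_port is not None:       # a switch, not a host
                q.append((peer, peer_port, smac, dmac))
    return forwarded, mac, flaps, not q

if __name__ == "__main__":
    n, _, flaps, done = simulate(200)
    print("loop   : forwards =", n, "terminated =", done, "flaps =", flaps)
    n, _, flaps, done = simulate(200, blocked={("SW3", "G0/2")})
    print("blocked: forwards =", n, "terminated =", done, "flaps =", flaps)
```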
· Layer 2 Loop Solution

Deploy the Spanning Tree Protocol on the switches to logically block the interfaces that form the loop.

In the event of a physical failure, the redundant links resume normal forwarding.

Figure: two distribution switches and an access switch, with the Spanning Tree Protocol deployed on them.
· STP Overview

What kind of protocol is STP?


• Prune a switched network with loops into a loop-free tree topology by blocking redundant links.
• When an active link is disconnected, the topology is re-pruned by activating the blocked redundant links to restore
network connectivity.

Figure: SW1 and SW2 connected by two links: 1. block the redundant link; 2. the active link is disconnected;
3. activate the blocked link.
· Spanning Tree Overview

Classification of Spanning Tree Protocols


• The classification of spanning tree protocols, in order of generation time, is STP, RSTP, MSTP.

IEEE standards followed by the Spanning Tree Protocol


• The IEEE standards followed by the three spanning trees are: STP (IEEE 802.3D), RSTP (IEEE 802.3W), MSTP (IEEE 802.3S).
· STP Working Principle

STP is based on the SPA (shortest path algorithm) and builds a loop-free tree structure through SPA in four steps:
• Election of the root bridge (Root)
• Election of the root port (RP)
• Election of the designated port (DP)
• Blocking of all remaining ports

The raw data needed by the SPA algorithm is obtained by exchanging BPDU (Bridge Protocol Data Unit) messages
between switches.
Figure: SW1, SW2 and SW3 exchanging BPDUs over each link.
· BPDU Message

BPDU, Bridge Protocol Data Unit


· BPDU Message

The length and content of each field in the message are as follows (fields in wire order):
Protocol Identifier | Version | Message Type | Flags | Root ID | Root Path Cost | Bridge ID | Port ID | Message Age | Max Age | Hello Time | Forward Delay

• Protocol Identifier: 2 bytes, always 0
• Version: 1 byte, 0 for STP, 2 for RSTP, 3 for MSTP
• Message Type: 1 byte, 0x00 for a Configuration BPDU (C-BPDU), responsible for establishing and maintaining the STP
topology; 0x80 for a TCN-BPDU, conveying topology changes
• Flags: 1 byte, the lowest bit is the TC (Topology Change) flag, the most significant bit is the TCA (Topology Change
Acknowledgement) flag
• Root ID: 8 bytes, the RID of the current root bridge (the "Root ID"), consisting of a 2-byte bridge priority and a
6-byte MAC address
• Root Path Cost: 4 bytes, the cumulative cost from the port sending the BPDU to the root bridge (a 1G interface has
cost 4, a 10G interface cost 2)

• Bridge ID: 8 bytes, the BID of the sender of the BPDU, composed of a 2-byte bridge priority and a 6-byte MAC
address.
• Port ID: 2 bytes; the first byte is the port priority (default 128) and the second byte is the number of the sending
port. In fact the last 4 bits of the port priority and the 8 bits of the port number together form the port ID, which
is allocated by the system and cannot be modified.
• Message Age: 2 bytes, the age of the BPDU, i.e. the maximum time the port keeps the BPDU.
• Max Age: 2 bytes, the maximum lifetime of the BPDU, i.e. the aging time, default 20 seconds.
• Hello Time: 2 bytes, the interval between two consecutive BPDUs; a device maintains its position by continuously
sending BPDUs, and Hello Time is the sending interval, default 2 seconds.
• Forward Delay: 2 bytes, the duration of the Listening and Learning states, i.e. the time the switch stays in the
Listening and Learning states after a topology change before it forwards packets, default 15 seconds.
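The layout above can be built and parsed field by field. The following Python script is an added example, not code from the slides or from any vendor implementation; it assumes the IEEE 802.1D wire encoding of the timer fields (units of 1/256 second), uses the SW1 and SW2 Bridge IDs from the election slides, and all other sample values are constructed.

```python
# Added example (not from the original slides): build and parse the 35-byte
# STP configuration BPDU laid out above, then compare two BPDUs the way
# every STP election does. Timer fields are carried in 1/256 s units.
import struct

BPDU_FMT = ">HBBB8sI8sHHHHH"          # field order exactly as on the slide
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35 bytes
FLAG_TC, FLAG_TCA = 0x01, 0x80        # lowest bit TC, highest bit TCA

def bridge_id(priority, mac):
    """8-byte ID: 2-byte priority + 6-byte MAC given as '0000-0000-0002'."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096")
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace("-", ""))

def build_config_bpdu(root, root_cost, bridge, port_id, *, flags=0,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15):
    return struct.pack(BPDU_FMT, 0, 0, 0x00, flags, root, root_cost, bridge,
                       port_id, msg_age * 256, max_age * 256, hello * 256,
                       fwd_delay * 256)

def parse_bpdu(data):
    proto, ver, mtype = struct.unpack(">HBB", data[:4])
    if proto != 0:
        raise ValueError("not an STP BPDU (protocol identifier != 0)")
    if mtype == 0x80:                     # TCN-BPDU carries only the header
        return {"version": ver, "type": "TCN"}
    if mtype != 0x00 or len(data) < BPDU_LEN:
        raise ValueError("unknown message type or short configuration BPDU")
    (_, _, _, flags, root, cost, bridge, pid, age, max_age, hello,
     fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    return {"version": ver, "type": "CONFIG",
            "tc": bool(flags & FLAG_TC), "tca": bool(flags & FLAG_TCA),
            "root_priority": struct.unpack(">H", root[:2])[0],
            "root_mac": root[2:].hex(), "root_path_cost": cost,
            "bridge_priority": struct.unpack(">H", bridge[:2])[0],
            "bridge_mac": bridge[2:].hex(),
            "port_priority": pid >> 8, "port_number": pid & 0xFF,
            "message_age": age / 256, "max_age": max_age / 256,
            "hello_time": hello / 256, "forward_delay": fwd / 256}

def priority_vector(b):
    """Lower tuple wins: Root ID, then Root Path Cost, then sender Bridge ID,
    then Port ID; this is the comparison order used in the elections."""
    return ((b["root_priority"], b["root_mac"]), b["root_path_cost"],
            (b["bridge_priority"], b["bridge_mac"]),
            (b["port_priority"], b["port_number"]))

if __name__ == "__main__":
    root = bridge_id(0, "0000-0000-0002")        # SW2 on the election slides
    sw1 = bridge_id(32768, "0000-0000-0001")     # SW1, non-root
    from_root = parse_bpdu(build_config_bpdu(root, 0, root, 0x8001))
    from_sw1 = parse_bpdu(build_config_bpdu(root, 10, sw1, 0x8002, flags=FLAG_TC))
    print(from_sw1)
    print("root's BPDU is better:", priority_vector(from_root) < priority_vector(from_sw1))
```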
· Convergence Process of STP - Election of Root Bridge

Election of Root Bridge → Election of RP → Election of DP → Other Ports Block

In a switched broadcast domain, one switch is elected as the root bridge. The election process is as follows:
• Compare the Bridge ID in the BPDUs you receive with the Bridge ID in the BPDUs you send; the smaller Bridge ID becomes the root bridge.
• Bridge IDs are compared by: 1. priority, lower is better; 2. MAC address, smaller is better.

Figure: SW2 (Bridge ID 0.0000-0000-0002) is elected ROOT; SW3 has Bridge ID 4096.0000-0000-0003 and SW1 has
Bridge ID 32768.0000-0000-0001.
· Convergence Process of STP - Election of RP

Election of Root Bridge → Election of RP → Election of DP → Other Ports Block

All non-root switches in the broadcast domain select a root port (RP). The RP is the port on the non-root switch that
is closest to the root bridge. Election process:
1. Cost: the interface with the smallest root path cost becomes the RP
2. Bridge ID: the interface that receives the smallest Bridge ID becomes the RP. Bridge IDs are compared by
(1) bridge priority, (2) MAC address; smaller is better
3. Port ID: the interface that receives the smallest Port ID becomes the RP. Port IDs are compared by
(1) port priority, (2) port number; smaller is better

Figure: SW2 (Bridge ID 0.0000-0000-0002, ROOT), SW3 (Bridge ID 4096.0000-0000-0003), SW1 (Bridge ID
32768.0000-0000-0001). Link costs: SW1-SW2 Cost=10, SW1-SW3 Cost=20, SW2-SW3 Cost=30. SW1's RP is its port towards
SW2 (cost 10); SW3's RP is its port towards SW2 (cost 30 directly, the same as 10+20 via SW1, so step 2, SW2's smaller
Bridge ID, decides).
· Convergence Process of STP - Election of DP

Election of Root Bridge → Election of RP → Election of DP → Other Ports Block

The designated port (DP) on each link is elected by comparing the fields of the BPDUs sent by the two ports on the
same link. The election process:
1. Cost: the smaller root path cost becomes the DP
2. Bridge ID: the smaller Bridge ID becomes the DP
3. Port ID: the smaller Port ID becomes the DP

Figure: same topology and costs as above. Both ports of SW2 (the ROOT) are DP; on the SW1-SW3 link SW1's port is DP;
SW1's port towards SW2 is RP and SW3's port towards SW2 is RP.
· Convergence Process of STP - Remaining Ports Block

Election of Root Bridge → Election of RP → Election of DP → Other Ports Block

All ports other than RP and DP are blocked and become AP (Alternate Port).

Figure: same topology and costs as above. SW2 (ROOT): both ports DP. SW1: RP towards SW2, DP towards SW3. SW3: RP
towards SW2, AP (blocked) towards SW1.
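Applying the four steps to the SW1/SW2/SW3 topology of the election slides, the following Python script is an added example, not part of the original material: bridge IDs and link costs come from the figures, the port numbers are an assumption, and the port priority of 128 is the default given on the BPDU slide. It reproduces SW3's tie (cost 30 directly versus 10+20 via SW1) being decided by SW2's smaller Bridge ID.

```python
# Added example (not from the original slides): compute root bridge, RP, DP
# and AP roles with the comparison order the slides give: root path cost,
# then Bridge ID (priority, MAC), then Port ID (priority, number).

BRIDGES = {                    # name -> (priority, MAC) from the figures
    "SW1": (32768, "0000-0000-0001"),
    "SW2": (0,     "0000-0000-0002"),
    "SW3": (4096,  "0000-0000-0003"),
}
# ((switch, port number), (switch, port number), link cost); port numbers assumed
LINKS = [
    (("SW1", 1), ("SW2", 1), 10),
    (("SW1", 2), ("SW3", 1), 20),
    (("SW2", 2), ("SW3", 2), 30),
]
PORT_PRIORITY = 128            # default port priority

def bid(sw):
    return BRIDGES[sw]

def port_id(sw, num):
    return (PORT_PRIORITY, num)

def neighbours(sw):
    """Yield (own port, peer switch, peer port, cost) for every link of sw."""
    for a, b, cost in LINKS:
        if a[0] == sw:
            yield a[1], b[0], b[1], cost
        if b[0] == sw:
            yield b[1], a[0], a[1], cost

def compute_roles():
    root = min(BRIDGES, key=bid)                 # step 1: smallest Bridge ID
    rpc = {sw: (0 if sw == root else float("inf")) for sw in BRIDGES}
    rp = {}
    for _ in range(len(BRIDGES)):                # step 2: RP on each non-root
        for sw in BRIDGES:
            if sw == root:
                continue
            best = None
            for own, peer, peer_port, cost in neighbours(sw):
                # BPDU received on `own`: sender's root path cost + link cost,
                # then sender Bridge ID, sender Port ID, receiving Port ID
                cand = (rpc[peer] + cost, bid(peer), port_id(peer, peer_port),
                        port_id(sw, own))
                if best is None or cand < best:
                    best, rp[sw] = cand, own
            rpc[sw] = best[0]
    roles = {}
    for a, b, _ in LINKS:                        # steps 3 and 4: DP, then block
        va = (rpc[a[0]], bid(a[0]), port_id(*a))
        vb = (rpc[b[0]], bid(b[0]), port_id(*b))
        dp, other = (a, b) if va < vb else (b, a)
        roles[dp] = "DP"
        roles[other] = "RP" if rp.get(other[0]) == other[1] else "AP"
    return root, rpc, roles

if __name__ == "__main__":
    root, rpc, roles = compute_roles()
    print("root bridge:", root, " root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```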
· Port status

The four states an interface passes through while STP spanning tree convergence completes are Blocking, Listening,
Learning and Forwarding:

• Blocking state: listens to BPDUs but does not forward BPDUs, discards all received data frames, does not learn MAC
addresses and generates no MAC address table entries;

• Listening state: lasts 15s; receives and sends BPDUs, does not forward user data, does not generate MAC address
table entries for the port. STP convergence completes in this state: the switch can decide the root bridge and
select the root port, the designated port and the non-designated ports;

• Learning state: lasts 15s; receives and sends BPDUs, does not forward user data, builds MAC address table entries
for the ports, with the aim of reducing the massive flooding that would otherwise occur when users start forwarding
data;

• Forwarding state: receives and sends BPDUs, forwards user data.


· Port status

Role           Status      Receive BPDU   Send BPDU   Learn MAC address   Forward Data
Blocked Port   Blocking    √              ╳           ╳                   ╳
/              Listening   √              √           ╳                   ╳
/              Learning    √              √           √                   ╳
RP/DP          Forwarding  √              √           √                   √
· STP Real Cases

Topology diagram: (figure not reproduced; it marks the ROOT bridge and the RP and DP roles of the ports of six
switches)

• The MAC addresses of the 6 switches are 1111.1111.1111 to 6666.6666.6666
• SW1: bridge priority 4096, all interface priorities and Cost values are default values
• SW2: bridge priority 8192, all interface priorities and Cost values are default values
• SW3: bridge priority default value, all interface priorities and Costs default
• SW4: bridge priority default value, all interface priorities and Costs default
• SW5: bridge priority default value, port 0/2 port priority 16, the rest default
• SW6: bridge priority default value, all interface priorities and Costs default

• Based on the above information, please analyze the root bridge in this topology diagram, and all root ports,
designated ports and Block ports.
• Based on the results, please analyze what other problems exist in this network.
· TCN-BPDU Detailed Explanation

The IEEE 802.1D protocol specifies that TCN-BPDUs (hereafter referred to as TC messages) are generated under two criteria:

• A port on the bridge transitions to the Forwarding state and the bridge has at least one designated port
• A port on the bridge changes from the Forwarding or Learning state to the Blocking state

If either criterion is met, the network topology has changed and the bridge needs to use TC messages to inform the
root bridge of the topology change.

In daily maintenance, TC messages are usually generated in the following situations:


• A device or link failure triggers an STP recalculation and generates TC messages
• STP configuration parameter changes trigger an STP recalculation and generate TC messages
• A port connected to a terminal that is STP-enabled but not configured as an edge port generates TC messages when
the link state of the port changes, e.g. because of a reboot
• TC messages from attacks on customer equipment may also travel into the Layer 2 network the equipment is connected to
· TCN-BPDU Interaction Example

Figure: the Root bridge at the top, SW1 and SW4 below it, SW2 and SW5 below them, SW3 at the bottom. Legend:
TCN-BPDU; C-BPDU with TCA set; C-BPDU with TC set.

1. The bridge senses the topology change and generates TCN-BPDUs, which are sent from its root port to notify the
root bridge;
2. If the upstream bridge is not the root bridge, it sets TCA to 1 in the next configuration BPDU it sends, as an
acknowledgement of the TCN to the downstream bridge;
3. The upstream bridge sends TCN-BPDUs from its own root port to inform the root bridge;
4. Steps 2 and 3 repeat until the root bridge receives the TCN-BPDU.


· TCN-BPDU Interaction Example

After the root bridge receives the TCN-BPDU:
1. it sets TCA to 1 in the next configuration BPDU as an acknowledgement of the TCN;
2. at the same time, it changes its MAC address table aging time from 300 seconds to Forward Delay, 15 seconds;
3. it also issues configuration BPDUs with TC set to 1, which notify all bridges in the network that the network
topology has changed.

The root bridge keeps sending configuration BPDUs with TC set to 1 for Max Age + Forward Delay (20s + 15s)
afterwards, and when a bridge receives such a configuration BPDU it shortens its MAC address aging time from 300s to
Forward Delay, that is 15 seconds.

Figure: same topology as above (Root, SW1 to SW5). Legend: TCN-BPDU; C-BPDU with TCA set; C-BPDU with TC set.


· STP Reconvergence

Figure: two cases, each with a Root bridge. Direct connection failure: SW1 is connected to the Root by two links, one
RP and one blocked port. Non-direct connection failure: Root, SW1 and SW2 form a triangle; SW2's port towards SW1 is
blocked.

Direct Connection Failure
• The blocked port switches from the Block state to the Listening and Learning states, and finally enters the
forwarding state
• Direct link failure: reconvergence requires Forward Delay*2 = 30s

Non-direct Connection Failure
• SW1's upstream link fails, and SW1 sends a BPDU with Root ID set to its own bridge ID to SW2; it is received on
SW2's blocking port, found to be no better than the BPDU cached on that port, and therefore ignored;
• After Max Age, the port switches to the Listening and Learning states in turn, and finally enters the forwarding
state
• Non-direct connection failure: requires Max Age + Forward Delay*2 = 50s
· STP Basic Configuration

The switch starts the spanning tree protocol and configures the bridge priority to elect the root bridge:

Ruijie(config)#spanning-tree
Ruijie(config)#spanning-tree mode stp
Ruijie(config)#spanning-tree priority ?
<0-61440> Bridge priority in increments of 4096 (default value: 32768)

Why can the root bridge priority only be an integer multiple of 4096?
• The Bridge ID is 8 bytes, composed of a 2-byte bridge priority and a 6-byte MAC address. Within the 2-byte (16-bit)
priority field, the last 12 bits are used to identify the MAC address and only the first 4 bits can be modified by
configuration, so the step is 2^12 = 4096.
· STP Basic Configuration

Modify the port cost value and port priority to determine the port role:

Ruijie(config-if-GigabitEthernet 0/36)#spanning-tree cost ?
<1-200000000> Port path cost
Ruijie(config-if-GigabitEthernet 0/36)#spanning-tree port-priority ?
<0-240> Port priority in increments of 16 (default value: 128)

View the spanning tree topology and protocol configuration parameters:

Ruijie#show spanning-tree summary


· STP Configuration Examples

SW1 (Core):
SW1(config)#spanning-tree
SW1(config)#spanning-tree mode stp
SW1(config)#spanning-tree priority 0

SW2 (Core):
SW2(config)#spanning-tree
SW2(config)#spanning-tree mode stp
SW2(config)#spanning-tree priority 4096

SW3 (Access):
SW3(config)#spanning-tree
SW3(config)#spanning-tree mode stp
· STP Configuration View

View the spanning tree topology and protocol configuration parameters.

Ruijie#show spanning-tree summary

Spanning tree enabled protocol stp
Root ID    Priority    0
           Address     00d0.f822.3344
           this bridge is root
           Hello Time  4 sec  Forward Delay 18 sec  Max Age 25 sec

Bridge ID  Priority    0
           Address     00d0.f822.3344
           Hello Time  4 sec  Forward Delay 18 sec  Max Age 25 sec

Interface        Role Sts Cost       Prio     OperEdge Type
---------------- ---- --- ---------- -------- -------- ----------------
Gi0/2            Desg FWD 20000      128      False    P2p
Gi0/1            Desg FWD 20000      128      False    P2p
· STP Advanced Features - Port Fast

If a switch port is connected to a user terminal, under the regular configuration the port still has to go through
2 Forward Delays (Listening and Learning, 30 seconds in total) before it can enter the forwarding state, which is
obviously unreasonable;

The interface connecting to the user terminal can be configured as Port Fast, so that the interface skips the
30-second wait and enters the forwarding state directly;

If a port with Port Fast set receives a BPDU, the port will instead enter the forwarding state after 2 Forward Delays;

Configuration commands:

Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#spanning-tree portfast
· STP Advanced Features - BPDU Guard

BPDU Guard means that once a port that should not receive BPDUs (such as a portfast port) receives a BPDU message, the
function immediately shuts the port down and puts it into the error-disabled state; in this state the interface can
still send BPDUs;

Two configuration modes of BPDU Guard

• Global mode enabling: when the feature is enabled in global mode, it takes effect on all interfaces with portfast
configured. If Port Fast is turned on for an interface and the interface receives a BPDU, the port enters the
Error-disabled state, indicating that a network device may have been added to the network by an unauthorized user,
causing the network topology to change.

Ruijie(config)#spanning-tree portfast bpduguard default

• Interface mode enabling: turn on BPDU Guard for a single interface (regardless of whether portfast is configured on
that port). In this case, if the port receives a BPDU it enters the Error-disabled state.

Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#spanning-tree bpduguard enable

How to recover from Error-disabled

• Interface mode: shutdown, then no shutdown
• Global mode: errdisable recovery interval 300s
· STP Advanced Features - BPDU Filter

BPDU Filter filters out the BPDUs received or sent on an interface;

Two configuration modes of BPDU Filter

• Global mode enabling: with the global BPDU Filter function turned on, an interface with Port Fast enabled neither
receives nor sends BPDUs. If such a portfast port does receive a BPDU, its portfast attribute is disabled and the
BPDU Filter is disabled automatically as well.

Ruijie(config)#spanning-tree portfast bpdufilter default

• Interface mode enabling: enable BPDU Filter for a single interface in interface mode (regardless of whether Port
Fast is turned on for that port). In this case the interface neither receives nor sends BPDUs, which is equivalent to
turning off the STP function of the interface, and the interface enters the forwarding state directly.

Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#spanning-tree bpdufilter enable
· STP Advanced Features-Tc-protection

A TC-BPDU message is a BPDU carrying the TC flag. When a switch receives such a message it means the network topology
has changed, and the switch deletes its MAC address table entries. On a Layer 3 switch it also triggers a re-pass
operation of the fast-forwarding module and changes the port state in the ARP table entries.

To avoid these operations being performed frequently when the switch is maliciously attacked with forged TC-BPDU
messages, which would overload the device CPU and affect the stability of the network, the TC-protection function can
be used:

• When the function is turned on, only one deletion operation is performed within a certain period (usually 4 seconds)
after a TC-BPDU is received, while monitoring whether further TC-BPDUs are received within that period.
• If a TC-BPDU is received within this period, the device performs another deletion operation after the period times
out. This avoids frequent deletion of MAC address table and ARP table entries and protects the device's CPU resources.

Ruijie(config)#spanning-tree tc-protection
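The window logic above can be modelled to see how much it limits a storm of TC-BPDUs. The following Python function is an added example, not the vendor's implementation; it assumes that the deferred deletion at the end of a window opens a new window, and the TC arrival times it is run on are constructed.

```python
# Added example (not from the original slides): how many MAC/ARP table
# deletions a switch performs for a given sequence of TC-BPDU arrivals,
# without and with TC-protection (one deletion per window, plus one deferred
# deletion at window end if more TCs arrived inside the window).

def flush_times(tc_times, window=4.0, protect=True, until=None):
    """Return the timestamps at which the tables are flushed.
    tc_times: sorted TC-BPDU arrival times in seconds (constructed input).
    window:   protection period, 4 s on the slide.
    until:    if given, also expire windows that end by this time.
    Assumption: a deferred flush at window end starts a new window."""
    if not protect:
        return list(tc_times)              # every TC-BPDU flushes the tables
    flushes, window_end, pending = [], None, False

    def expire(t):
        nonlocal window_end, pending
        while window_end is not None and t >= window_end:
            if pending:                    # TC seen inside the window:
                flushes.append(window_end) # one deferred flush at timeout
                pending = False
                window_end += window
            else:
                window_end = None          # quiet window, protection idle

    for t in tc_times:
        expire(t)
        if window_end is None:             # first TC: flush now, open window
            flushes.append(t)
            window_end = t + window
        else:
            pending = True                 # inside a window: just remember it
    if until is not None:
        expire(until)
    return flushes

if __name__ == "__main__":
    storm = [i * 0.5 for i in range(20)]   # 20 TC-BPDUs in 10 s (constructed)
    print("without protection:", len(flush_times(storm, protect=False)), "flushes")
    print("with protection   :", flush_times(storm, until=12.0))
```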
