ch 3 implementing stp

Upload: mytia-gallaway

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 Ch 3 Implementing STP

    1/79

    Implementing Spanning Tree

    Ch 3

    Topics

    Describing STP
    Transparent Bridges & Identifying Traffic Loops
    802.1D Spanning Tree Protocol
    Root Bridge & Port Roles
    Extended System ID
    Enhancements to STP

    Implementing RSTP
    Rapid Spanning Tree Protocol
    RSTP Port States & RSTP Port Roles
    Edge Ports & RSTP Link
    RSTP BPDU
    Proposal and Agreement Process
    RSTP Topology Change
    Rapid PVST+ Implementation & Commands

    Implementing MSTP
    Explaining MSTP & MST Regions
    Interacting Between MST Regions and 802.1D Networks
    MSTP Implementation Commands
    Configuring and Verifying MSTP

    Spanning Tree Enhancements
    BPDU Guard
    BPDU Filtering
    Root Guard
    UDLD
    Flex Links
    Recommended Practices
    Troubleshooting STP

    9/3/2011 Ch3 Implementing STP 29/3/2011 2

    Spanning Tree History

    STP was invented in 1985 by Radia Perlman at the Digital Equipment Corporation.

    Common Spanning Tree (CST) -> Cisco PVST+ -> Rapid STP (RSTP) or IEEE 802.1w -> Cisco PVRST+ -> Multiple Spanning Tree (MST) or IEEE 802.1s -> STP security enhancements

    Overview of the Spanning Tree Protocol

    STP functionality of a switch is identical to that of a transparent bridge

    Behavior of a switch without spanning tree:
    Does not modify the frames that are forwarded
    Learns addresses by "listening" on a port for the source MAC address of a device
    Builds a MAC address table that indicates which MAC addresses are learned on specific ports
    Switches use this table to forward frames based on the destination MAC address
    Forwards packets with a destination multicast or broadcast MAC address out all ports except for the port that initially received the broadcast; referred to as flooding
    Forwards a frame out all ports except for the port it entered if the destination MAC address is unknown; referred to as unknown unicast packets

    Functions of a Bridge
    Flooding
    Filtering
    Learning
    Aging

    Transparent Bridging
    Switch treats each port as an individual segment
    Both ports belong to the domain
    Switch learns the MAC addresses: Station A on port 1/1, Station B on port 1/2
    Transparent to the attached devices
    Allows bridges to forward different packet types
    Without redundant links, transparent bridging works
    Problems arise as soon as bridged networks have redundant paths

    Loop Behavior
    B will receive 2 copies of the frame from A
    Each bridge will also receive the other's copy
    Each bridge will update its table to say that A is on LAN Y
    Neither bridge can forward a packet to A
    If the bridges don't know where B is, each will flood it, then receive it from the other and transmit it back on LAN X
    This can repeat indefinitely

    Bridges with Loops
    1. Station A sends a frame to station D. Both bridges forward the frame and update their tables based on the source address A.
    2. Now there are two copies of the frame on LAN 2. The copy sent out by bridge 1 is received by bridge 2 and is flooded. The copy sent out by bridge 2 is received by bridge 1 and is flooded. Note that each frame is handled separately. The tables of both bridges are updated, but still there is no information for
    3. Now there are two copies of the frame on LAN 1. Step 2 is repeated, and both copies flood the network.
    4. The process continues on and on.
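    The two-bridge loop described above, simulated in Python as an added example (not from the course slides): bridges B1 and B2 both attach to LAN1 and LAN2, and station A on LAN1 sends one frame to D, whose location no bridge knows. The bridge and station names, the round-by-round model, and the choice of which port to block are constructed for this illustration. It shows the two effects the slides describe, frames circulating indefinitely and both bridges recording A on the wrong LAN, and that blocking a single redundant port (what STP does) makes the flood die out after one round.

```python
"""Simulate transparent bridges with and without a redundant path.

Added example, not from the course slides. Two bridges (B1, B2) both attach
to LAN1 and LAN2, so the network has a loop. Station A on LAN1 sends one
frame to D, whose location no bridge knows (an unknown unicast).
Each round processes every frame currently on a LAN: every bridge attached
to that LAN except the one that emitted it receives the frame, learns the
source address on that LAN, filters if the destination is known on the same
LAN, and otherwise forwards (or floods) it. Names and topology are constructed.
"""

LANS_OF = {"B1": ("LAN1", "LAN2"), "B2": ("LAN1", "LAN2")}


def simulate(rounds, blocked_ports=frozenset()):
    """Return (frames_per_round, mac_tables) after at most `rounds` rounds.

    blocked_ports is a set of (bridge, lan) pairs that neither receive nor
    send, which is what STP does to one port to break the loop.
    """
    tables = {b: {} for b in LANS_OF}          # bridge -> {mac: lan}
    frames = [("A", "D", "LAN1", "A")]         # (src, dst, lan, emitter)
    per_round = []
    for _ in range(rounds):
        nxt = []
        for src, dst, lan, emitter in frames:
            for bridge, lans in LANS_OF.items():
                if bridge == emitter or (bridge, lan) in blocked_ports:
                    continue
                tables[bridge][src] = lan      # learning: src seen on this LAN
                known = tables[bridge].get(dst)
                if known == lan:
                    continue                   # filtering: same LAN, drop
                if known is None:              # flooding: all other open ports
                    outs = [other for other in lans
                            if other != lan and (bridge, other) not in blocked_ports]
                else:
                    outs = [known]             # forwarding: known destination
                nxt.extend((src, dst, out, bridge) for out in outs)
        frames = nxt
        per_round.append(len(frames))
        if not frames:
            break
    return per_round, tables


def with_loop(rounds=6):
    """Redundant path left active: the frame never stops circulating."""
    return simulate(rounds)


def with_blocked_port(rounds=6):
    """STP would put exactly one redundant port in blocking state."""
    return simulate(rounds, blocked_ports={("B2", "LAN2")})


if __name__ == "__main__":
    counts, tables = with_loop()
    print("loop:    frames per round", counts, "tables", tables)
    counts, tables = with_blocked_port()
    print("blocked: frames per round", counts, "tables", tables)
```

With the loop, each round ends with two copies of the frame on the other LAN, and after an odd number of rounds both bridges believe A is on LAN2 although A never left LAN1; with B2's LAN2 port blocked, one copy is forwarded in round one and nothing in round two, and both tables keep A on LAN1.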

    Spanning Tree Protocol (STP)
    Part of the 802.1D bridging specification
    Can convert a loop into a tree by disabling links
    Physical Network includes all connected bridges and ports
    Active Network is the set of paths that are in use
    Inactive Routes are ports of bridges in a blocking state; they would form an illegal path if active
    Can be placed in an active state if a primary route should fail

    From Graph Theory:
    For any connected graph, consisting of nodes and edges, there is a spanning tree of edges that maintains the connectivity of the graph but contains no closed loops
    Removal of certain edges forms a structure that spans or connects subnetworks

    Spanning Trees (figure)

    Preventing Bridging Loops with STP
    STA: Spanning Tree Algorithm
    To find the redundant links, the STA first selects a reference point
    Locates the redundant paths to that reference point
    Reference point is the root of the spanning tree
    If the STA finds a redundant path, it selects a single path back and blocks any other redundant paths
    STP puts one of the switch ports in blocking mode, preventing the bridging loop
    Blocked port continues to receive bridge protocol data units (BPDU)
    Switch forwards through that port if a failure occurs on the current forwarding link

    Spanning Tree Example (figure)
    A switch was selected as root and the spanning tree was created from that root

    STP (IEEE 802.1D)
    STP uses the concepts of root bridges, root ports, and designated ports
    Basic STP is defined in IEEE 802.1D

    Bridge Identifier
    Each switch is identified by a bridge ID
    2-byte priority value and the 6-byte MAC address make up the bridge ID
    Default priority specified by IEEE 802.1D: 32,768 (1000 0000 0000 0000 in binary, or 0x8000 in hex), the midpoint of the possible values from 0 through 65,535
    Bridge ID is always unique by virtue of a unique MAC address

    STP Concepts
    Switches share Layer 2 information between adjacent switches by exchanging bridge protocol data unit (BPDU) messages
    Single root bridge is chosen to serve as the reference point
    Each switch, except for the root bridge, selects a root port that provides the best path to the root bridge
    On the link between two nonroot switch ports, a port on one switch becomes a designated port, and the port on the other switch is in a blocking state and does not forward frames
    Typically, the designated port is on the switch with the best path to the root bridge

    Spanning-Tree Path Cost
    Spanning-tree path cost is an accumulated total path cost based on the bandwidth of all the links in the path
    Specified in the IEEE 802.1D specification
    Prior to 802.1D-1998, different media, such as FDDI and ATM-155, had to have their costs manually scaled
    Revised path cost of IEEE 802.1D-1998
    Older specification calculated cost based on 1000-Mbps bandwidth
    New specification adjusts the calculation by using a nonlinear scale to accommodate higher-speed interfaces

    Link Speed   Cost (Revised IEEE Spec)   Cost (Previous IEEE Spec)
    10 Gbps      2                          1
    1 Gbps       4                          1
    100 Mbps     19                         10
    10 Mbps      100                        100

    Bridge Protocol Data Units
    Switches exchange control messages: BPDUs
    Relay LAN topology information to other switches; refreshed at regular intervals, 2 seconds by default
    Multicast destination address for BPDUs is 01-80-c2-00-00-00
    BPDUs are used to:
    Elect a root bridge
    Determine the location of redundant paths
    Block certain ports to prevent loops
    Notify the network of topology changes
    Monitor the state of the spanning tree

    Two types of BPDUs
    Configuration BPDU
    Sent at periodic intervals by the root bridge on all its ports
    Includes the STP parameters; guarantees no mismatch in the timers
    Used to elect the root bridge and to keep the topology stable
    If not received from the root, a topology change may occur
    Topology Change Notification (TCN) BPDU
    Generated by the switch when it detects a topology change

    BPDUs
    Two types: Configuration and Topology Change Notification
    Transmission of a configuration BPDU is triggered by the root bridge, or one that considers itself the root
    Passed by each bridge onto a LAN for which it considers itself to be the designated bridge
    Cascades throughout the spanning tree
    Collection is referred to as a configuration message
    If a port does not receive a configuration message on its root port and times out, it will change the topology and send a topology change notification BPDU

    Key BPDU Information
    Root ID: The lowest bridge ID (BID) in the topology
    Cost of path: Cost of all links from the transmitting switch to the root bridge
    BID: BID of the transmitting switch
    Port ID: Transmitting switch port ID
    STP timer values: Maximum age, hello time, forward delay
    BPDUs contain the required information for STP configuration
    Configuration BPDU type field is 0x00, and it uses the multicast MAC address 01-80-C2-00-00-00

    STP Root Bridge (figure)

    Startup (figure)

    Root Bridge Election
    On boot up a switch assumes that it is the root bridge and sets the bridge ID equal to the root ID
    Bridge ID is always unique by using a unique switch MAC address
    Used to determine which switch becomes the root bridge
    By exchanging BPDUs the switches determine which switch is the root
    Example of the combination of the priority and bridge ID: 08.00.00.00.0c.12.34.56
    First 2 bytes are the priority
    Last 6 bytes are the MAC address of the switch
    Both switches are using the same default priority, so the lowest MAC address becomes the root bridge

    PVST Extension to BID
    Spanning tree operation requires that each switch have a unique BID
    In the original 802.1D standard, the BID was composed of the Priority field and the MAC address of the switch
    All VLANs were represented by a CST (Common Spanning Tree)
    PVST (Per VLAN Spanning Tree) requires a separate instance of spanning tree for each VLAN
    BID field is required to carry VLAN ID (VID) information
    Accomplished by reusing a portion of the Priority field as the extended system ID

    MAC Address Allocation and Reduction
    Catalyst switches typically have a pool of up to 1024 MAC addresses; some have fewer
    Pool acts as the MAC address component of the bridge IDs for VLAN spanning trees
    Number of MAC addresses available depends on the switch model
    Switch allocates MAC addresses sequentially: first MAC address in the range assigned to VLAN 1, second MAC address in the range assigned to VLAN 2, and so on
    Assigns the Supervisor Engine in-band (sc0) management interface the last MAC address in its range
    Some switches have fewer MAC addresses than the number of supported VLANs; the MAC address reduction feature is the solution
    Catalyst 6500 supports up to 4094 VLANs: needs MAC address reduction to support 4094 STP instances

    Extended System ID
    802.1D 16-bit Bridge Priority field is split into two fields
    Bridge Priority: 4-bit field that carries the bridge priority; priority is conveyed in discrete values in increments of 4096 rather than discrete values in increments of 1
    Default priority is 32,768, which is the mid-range value
    Extended System ID: 12-bit field that carries the VID for PVST
    MAC address: A 6-byte field with the MAC address of a single switch

    Priority Values for Extended System ID (figure)

    Bridge ID with MAC Address Reduction
    Bridge ID contains an additional field called the system ID extension
    System ID extension with the bridge priority functions as the unique identifier for a VLAN or an MST instance (see later)
    Always the number of the VLAN or the MST instance
    System ID extension for VLAN 100 is 100, and the system ID extension for MST instance 2 is 2
    Bridge priority becomes a multiple of 4096 plus the VLAN ID if MAC address reduction is enabled, which means the switch priority can be specified only as a multiple of 4096
    Only the following values are possible: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440

    Root Bridge Election (figure)

    Configuring the Root Bridge
    Configure a switch to become the root bridge for a VLAN by lowering its priority from the default value:
    spanning-tree vlan vlan-id priority value
    Suggested root priority value of 4096 for the root bridge
    Secondary root bridge: priority between the value of the root bridge (4096) and the default value (32,768); generally the priority value 8192 is used
    Automatically detect the current root switch and lower the priority value of the respective switch so that it becomes the root:
    spanning-tree vlan vlan-id root primary
    Automatically set a priority lower than the default but a higher value than the current root:
    spanning-tree vlan vlan-id root secondary

    Root Bridge Commands (figure)

    Planning Root Bridge Selection
    Locate the root bridge in the center of the network
    Keep path costs minimal
    Traditional STP does not allow
    Bridge priority does not guarantee a bridge will be root
    If a new switch with a lower bridge ID connects, the STP topology changes
    Cisco root guard feature protects the switch from accepting better BPDUs on specifically configured ports
    Enable root guard on:
    Access-layer client ports
    Distribution switch ports leading to the access switches

    Spanning-Tree Port States and BPDU Timers
    Propagation delays exist in switched networks; topology changes occur at different times and at different segments
    Ports wait for new topology information to propagate before starting to

    Five states for a Layer 2 interface:
    Blocking: interface does not participate in frame forwarding but listens to incoming BPDUs; does not learn MAC addresses of received frames
    Listening: switch resolves the root and selects the root port, the designated port, and the nondesignated ports; does not learn the unicast address of any received frames
    Learning: learns MAC addresses of incoming frames but does not forward frames
    Forwarding: interface forwards frames; port learns source MAC addresses and forwards frames based on the destination MAC address
    Disabled: interface does not participate in spanning tree and does not forward frames

    Three Timers in BPDU Frames
    Hello: time between each BPDU that is sent on a port by the root bridge; 2 seconds by default but configurable between 1 and 10
    Forward delay: time spent in the listening and learning states; default is 15 seconds but is configurable between 4 and 30
    Max age: maximum length of time a bridge port saves its configuration BPDU information; 20 seconds by default but is configurable between 6 and 40
    Spanning-tree topology of the network adheres to the timers of the root bridge
    Root bridge passes the timers in BPDUs to all switches

    STP State Machine (figure)

    State Transitions
    When powered on, a bridge assumes it is the root bridge and transitions to the listening state
    Two transitions occur when a bridge sees a change in topology: the port implements the listening and learning states for the forward delay
    During the listening state the bridge processes the BPDUs received; ports that remain as designated or root ports transition to the learning state after the forward delay
    Ports that are not the designated or root ports transition back to the blocking state
    Port in the learning state populates its MAC address table but does not forward user data frames
    Learning state lasts the value of the forward delay timer
    If a port is a designated or root port at the end of the learning state, the port transitions to the forwarding state, capable of sending and receiving user data
    Ports that are not the designated or root ports transition back to the blocking state

    State Transitions (figure)
    Typical 30+ seconds before forwarding
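    The port state machine and timers described on the two slides above, written out as an added Python example (not code from the course). Time is simulated in whole seconds; the default timer values are the 802.1D defaults quoted in the slides. It reproduces the two figures a practitioner checks when a link flaps: 30 seconds (listening plus learning) for a port that is elected root or designated port, and 50 seconds when a blocked port first has to wait out max age before it starts the same transition.

```python
"""802.1D port state machine with the forward delay and max age timers.

Added example, not from the course slides. Time is simulated in whole
seconds by calling tick() once per second. Two scenarios are modelled:
a port assigned the root or designated role at t=0 (listening and
learning, 15 s each, before forwarding), and a blocked port whose stored
BPDU ages out after max age (20 s) before it starts the same transition.
"""

FORWARD_DELAY = 15   # 802.1D default, configurable 4..30
MAX_AGE = 20         # 802.1D default, configurable 6..40


class StpPort:
    def __init__(self, forward_delay=FORWARD_DELAY, max_age=MAX_AGE):
        self.forward_delay = forward_delay
        self.max_age = max_age
        self.state = "blocking"        # blocking, listening, learning, forwarding
        self.role = "nondesignated"    # root, designated or nondesignated
        self.deadline = None           # end of the current forward-delay period
        self.last_bpdu = 0             # time the last configuration BPDU arrived
        self.log = []                  # (time, state entered)

    def _enter(self, state, now):
        self.state = state
        self.log.append((now, state))

    def receive_bpdu(self, now):
        self.last_bpdu = now

    def assign_role(self, role, now):
        self.role = role
        if role in ("root", "designated") and self.state == "blocking":
            self._enter("listening", now)
            self.deadline = now + self.forward_delay
        elif role == "nondesignated" and self.state != "blocking":
            self._enter("blocking", now)   # lost the election: straight back
            self.deadline = None

    def tick(self, now):
        # Stored BPDU information expires after max age; the port then takes
        # the designated role and begins the listening/learning transition.
        if (self.state == "blocking" and self.role == "nondesignated"
                and now - self.last_bpdu >= self.max_age):
            self.assign_role("designated", now)
        if self.deadline is not None and now >= self.deadline:
            if self.state == "listening":
                self._enter("learning", now)
                self.deadline = now + self.forward_delay
            elif self.state == "learning":
                self._enter("forwarding", now)
                self.deadline = None

    def learns(self):
        """MAC addresses are learned only in learning and forwarding."""
        return self.state in ("learning", "forwarding")

    def forwards(self):
        """User data is forwarded only in forwarding."""
        return self.state == "forwarding"


def run_until_forwarding(port, start=0, limit=120):
    """Tick once per second; return the time the port reaches forwarding."""
    for now in range(start, start + limit):
        port.tick(now)
        if port.forwards():
            return now
    return None


def new_root_port_delay():
    """Port elected root port at t=0: listening + learning = 30 s."""
    port = StpPort()
    port.assign_role("root", 0)
    return run_until_forwarding(port), port.log


def link_loss_delay():
    """Blocked port that stops hearing BPDUs at t=0: 20 + 15 + 15 = 50 s."""
    port = StpPort()
    port.receive_bpdu(0)
    return run_until_forwarding(port), port.log


if __name__ == "__main__":
    print("new root port forwards at t =", new_root_port_delay())
    print("after link loss forwards at t =", link_loss_delay())
```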

    STP Operation
    1. Elects one root bridge per VLAN based on lowest priority; all of its ports are designated ports and send and receive traffic and BPDUs
    2. Selects the root port on all nonroot bridges: the lowest-cost path to the root; root ports send and receive traffic
    If there are equal-cost paths to the root, selects the port that connects to the lowest bridge ID
    If all bridge IDs are the same, the bridge selects the lowest port ID
    From switch Y the lowest-cost path to the root is through the Fast Ethernet
    3. Selects the designated port on each segment on the bridge with the lowest path cost to the root; the designated port for both segments is on the root bridge
    10BASE-T port on switch Y is a nondesignated port and blocks
    Switch chooses a designated port as the least-cost path to the root bridge; bridge ID acts as the tiebreaker

    Enforcing the Topology
    Place the root bridge manually in the Building Distribution submodule
    Keeps the forwarding topology optimal
    Even if the administrator sets the root bridge priority to 0, there is no guarantee of security of the root bridge position
    Selecting the root bridge and enforcing the topology is vital to complex networks
    Step 1. Configure the root and secondary root bridges
    Step 2. Set the port priorities
    Step 3. Set the port costs
    Step 4. Enable root guard on access-layer switches (see later)

    Selection of Root and Designated Port on Nonroot Bridges
    Five criteria in the decision-making process:
    Lowest root bridge ID
    Lowest path cost to the root bridge
    Lowest sender bridge ID
    Lowest port priority
    Lowest port ID
    Determining the root port of a switch that has equal-cost paths to the root: STP looks at the bridge ID of the switches that sent the BPDUs
    If equal, STP looks at the priority of the ports; the port with the lowest port priority (cost) would be selected as the root port
    If equal, STP uses the port identifiers and selects the port with the lowest port ID as the root port

    STP Root Port Selection
    Switch Y receives a BPDU from the root switch X from a Fast Ethernet segment and from an Ethernet segment
    Root path cost in both cases is 0
    Local path cost on the Fast Ethernet port is 19
    Local path cost on the Ethernet port is 100
    Port on the Fast Ethernet segment has the lowest path cost to the root bridge and is elected the root port for switch Y

    STP Designated Port Selection
    STP selects one designated port per segment to forward traffic; other ports on the segment receive traffic but do not forward
    Elects the port on the segment with the lowest path cost to the root
    If multiple ports on the same bridge have the same cost, the port with the lowest port priority is chosen
    If the port priority is the same, then the port with the lowest port ID becomes the designated port
    Because all ports on the root bridge have a root path cost of 0, STP designates all ports on the root bridge as designated ports
    Root bridge ports act as designated ports in both segments

    Primary and Backup Root Bridges
    For each VLAN the switch with the lowest bridge ID becomes the root bridge for that VLAN
    Choose a centrally located or core switch in the network that has enough CPU power and switching capacity to forward traffic between various distribution-layer and access-layer switches
    Backup or secondary root bridges are selected in the event of a failure of the primary root bridge; selection is done intentionally
    At primary root bridge failure the new root bridge is still centrally located
    In a production network the backup root bridge must have the same capacity as the primary, so there is no degradation of performance with a primary root bridge failure

    Sample Scenario of STP Election Process

    Root Bridge Selection
    Bridge with the lowest MAC address becomes the root bridge
    ASW11 is the root bridge with a bridge ID of 00:00:0c:aa:aa:aa
    Other two switches are non-root bridges
    Root bridges designate all ports as designated ports

    Root Port Selection
    DSW111 and DSW112 are non-root bridges; each elects a single root port
    Receive a BPDU on segment 1 for DSW111 or segment 2 for DSW112: root path cost of 0, local path cost of 19, total cost of 19
    Also receive a BPDU from the other on segment 3: root path cost of 19, local path cost of 100
    Switch elects the port on segment 1 for DSW111 or segment 2 for DSW112 as the root port

    Designated Port Selection
    Port on either DSW111 or DSW112 ends up as designated port for segment 3
    DSW111 and DSW112 examine the root bridge ID in the BPDUs; root bridge IDs are the same
    Second step: the bridges examine the root path cost; cost is the same for both ports
    Third step is to check the sender bridge ID; both bridges have the same priority, so the bridge with the lower of the two MAC addresses has the lowest bridge ID, DSW111
    Port on DSW111 becomes the designated port on segment 3
    Port on DSW112 becomes the non-designated port and is put into blocking state

    STP Convergence: Summary
    Recall that switches go through three steps for their initial convergence:
    Step 1 Elect one Root Bridge
    Step 2 Elect Root Ports
    Step 3 Elect Designated Ports
    Also, all STP decisions are based on the following predetermined sequence:
    Five-Step Decision Sequence
    Step 1 - Lowest BID
    Step 2 - Lowest Path Cost to Root Bridge
    Step 3 - Lowest Sender BID
    Step 4 - Lowest Port Priority
    Step 5 - Lowest Port ID

    STP Example Physical Topology (figure)
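    The three convergence steps and the five-step decision sequence, applied to the ASW11/DSW111/DSW112 sample scenario from the preceding slides, as an added Python example (not code from the course). ASW11's MAC address is the one given on the slides; the two DSW MAC addresses, the port numbers and the default port priority of 128 are constructed for the example. The function is general: any set of switches and segments with per-port costs can be passed in, so it also shows what happens when a switch is given a lower priority with the `spanning-tree vlan vlan-id priority` command.

```python
"""Root bridge, root port and designated port selection.

Added example, not from the course slides. It applies the five-step decision
sequence (lowest root BID, lowest root path cost, lowest sender BID, lowest
sender port priority, lowest sender port ID) to the ASW11/DSW111/DSW112
topology: Fast Ethernet (cost 19) on segments 1 and 2, Ethernet (cost 100) on
segment 3. The DSW MAC addresses and all port numbers are constructed.
"""
import heapq

# Bridge ID as (priority, MAC). Tuples compare lexicographically and the MAC
# strings are fixed-width lowercase hex, so min() yields the lowest BID.
SWITCHES = {
    "ASW11":  (32768, "00:00:0c:aa:aa:aa"),   # MAC from the slides
    "DSW111": (32768, "00:00:0c:bb:bb:bb"),   # constructed
    "DSW112": (32768, "00:00:0c:cc:cc:cc"),   # constructed
}

# Segment -> (port cost, end A, end B); an end is (switch, (port priority, port number)).
SEGMENTS = {
    "segment1": (19,  ("ASW11", (128, 1)), ("DSW111", (128, 1))),
    "segment2": (19,  ("ASW11", (128, 2)), ("DSW112", (128, 1))),
    "segment3": (100, ("DSW111", (128, 2)), ("DSW112", (128, 2))),
}


def elect_root(switches):
    """Step 1: the switch with the lowest bridge ID."""
    return min(switches, key=switches.__getitem__)


def root_path_costs(switches, segments, root):
    """Lowest accumulated port cost from every switch to the root (Dijkstra)."""
    cost = {s: float("inf") for s in switches}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > cost[s]:
            continue
        for seg_cost, a, b in segments.values():
            for (here, _), (there, _) in ((a, b), (b, a)):
                if here == s and c + seg_cost < cost[there]:
                    cost[there] = c + seg_cost
                    heapq.heappush(heap, (cost[there], there))
    return cost


def compute_roles(switches=SWITCHES, segments=SEGMENTS):
    """Return (root, root path costs, {(switch, port): role})."""
    root = elect_root(switches)
    rpc = root_path_costs(switches, segments, root)
    roles = {}

    # Step 3: designated port per segment, the end advertising the lowest
    # (root path cost, sender BID, sender port ID).
    designated = {}
    for name, (_, a, b) in segments.items():
        best = min((a, b), key=lambda end: (rpc[end[0]], switches[end[0]], end[1]))
        designated[name] = best
        roles[best] = "designated"

    # Step 2: root port per non-root switch, the port receiving the best BPDU,
    # ranked by (cost to root through that port, sender BID, sender port ID).
    for s in switches:
        if s == root:
            continue
        offers = []
        for name, (seg_cost, a, b) in segments.items():
            for mine, other in ((a, b), (b, a)):
                if mine[0] == s and designated[name] == other:
                    offers.append(((rpc[other[0]] + seg_cost, switches[other[0]], other[1]), mine))
        roles[min(offers)[1]] = "root"

    # Every remaining port is non-designated and blocks.
    for _, a, b in segments.values():
        for end in (a, b):
            roles.setdefault(end, "blocking")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = compute_roles()
    print("root bridge:", root, "root path costs:", rpc)
    for (switch, port), role in sorted(roles.items()):
        print(f"{switch} port {port[1]}: {role}")
```

For the sample topology the result matches the slides: ASW11 is root with both ports designated, DSW111 and DSW112 each take the Fast Ethernet port as root port, DSW111 wins the designated port on segment 3 by its lower MAC address, and DSW112's segment 3 port blocks.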

    Active Topology After STP (figure: root path costs RPC=2 and RPC=4 marked on the links)

    Another Tree Example Network (figure, from the 802.1D spec)

    Resultant Spanning Tree (figure)

    STP Topology Changes
    Bridge sends the TCN BPDU if either:
    Port in forwarding or listening state transitions to blocking (link failure)
    Port moves to forwarding state and the bridge already has a designated port
    Non-root bridge receives a TCN on its designated port
    TCN is a simple BPDU with three fields, the same as the first three fields of a configuration BPDU
    Type field in a TCN BPDU is 0x80
    Designated bridge receives the TCN and acknowledges it: sends back a configuration BPDU with the Topology Change Acknowledgement (TCA) bit set
    Bridge notifying the change continues sending the TCN BPDU until the designated bridge acknowledges it
    Designated bridge generates another TCN for its own root port, and so on until the TCN BPDU reaches the root bridge
    Root bridge is now aware there has been a topology change in the network and starts sending out its configuration BPDUs with the Topology Change (TC) bit set
    Every bridge in the network relays these BPDUs with this bit set
    Each bridge reduces its MAC address table aging time to the value of the forward delay timer
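    A parser for the two BPDU types, covering the "Key BPDU Information" slide (root ID, path cost, sender BID, port ID, timers, type 0x00 and the 01-80-C2-00-00-00 multicast address) and the topology-change slide above (TCN type 0x80, TC and TCA flag bits), as an added Python example that is not code from the course. The frames are constructed: the root ID uses ASW11's MAC address from the slides with priority 32768 plus VLAN 1, the relaying switch's MAC address and the rogue sender's MAC address are invented, and the LLC header values (DSAP/SSAP 0x42, control 0x03) and the 1/256-second timer encoding are the standard 802.1D encoding. `check_root()` is the defender-side check root guard performs: flag a configuration BPDU that claims a root ID lower than the one the network is supposed to have.

```python
"""Parse 802.1D configuration and TCN BPDUs from a raw Ethernet frame.

Added example, not from the course slides. Frame layout: destination
01:80:c2:00:00:00, source MAC, 802.3 length, LLC header (0x42 0x42 0x03),
then the BPDU. Configuration BPDU fields: protocol ID, version, type 0x00,
flags (bit 0 = TC, bit 7 = TCA), root ID, root path cost, bridge ID, port ID,
message age, max age, hello time, forward delay (timers in 1/256 s units).
A TCN BPDU (type 0x80) carries only the first three fields. All sample
frames below are constructed for the example.
"""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")
LLC_STP = bytes([0x42, 0x42, 0x03])
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")   # 35 bytes
TCN_BPDU = struct.Struct(">HBB")                  # 4 bytes: the first three fields
FLAG_TC, FLAG_TCA = 0x01, 0x80


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_bridge_id(raw):
    """8-byte bridge ID -> (priority field as displayed, MAC string)."""
    return int.from_bytes(raw[:2], "big"), mac_str(raw[2:])


def parse_bpdu_frame(frame):
    dst, src, length = frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    if dst != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast group")
    if frame[14:17] != LLC_STP:
        raise ValueError("not an STP LLC payload")
    payload = frame[17:17 + length - 3]
    proto, version, btype = TCN_BPDU.unpack_from(payload)
    if proto != 0:
        raise ValueError(f"unknown protocol id {proto:#06x}")
    if btype == 0x80:
        return {"type": "tcn", "version": version, "src": mac_str(src)}
    if btype != 0x00:
        raise ValueError(f"unknown BPDU type {btype:#04x}")
    (_, version, _, flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd) = CONFIG_BPDU.unpack_from(payload)
    return {
        "type": "config", "version": version, "src": mac_str(src),
        "tc": bool(flags & FLAG_TC), "tca": bool(flags & FLAG_TCA),
        "root_id": decode_bridge_id(root), "root_path_cost": cost,
        "bridge_id": decode_bridge_id(bridge), "port_id": port,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }


def check_root(parsed, expected_root):
    """True if a configuration BPDU claims a root better (lower) than expected_root."""
    return parsed["type"] == "config" and parsed["root_id"] < expected_root


def bridge_id(priority_field, mac_hex):
    return priority_field.to_bytes(2, "big") + bytes.fromhex(mac_hex)


def build_frame(src_mac_hex, bpdu):
    llc_payload = LLC_STP + bpdu
    return (STP_MULTICAST + bytes.fromhex(src_mac_hex)
            + len(llc_payload).to_bytes(2, "big") + llc_payload)


# Constructed samples. ASW11 (32768 + VLAN 1 = 32769, MAC from the slides) is
# root; a DSW with a constructed MAC relays its BPDU with the TC bit set.
ROOT = bridge_id(32769, "00000caaaaaa")
SAMPLE_CONFIG = build_frame("00000cbbbbbb", CONFIG_BPDU.pack(
    0, 0, 0x00, FLAG_TC, ROOT, 19, bridge_id(32769, "00000cbbbbbb"),
    0x8001, 1 * 256, 20 * 256, 2 * 256, 15 * 256))
SAMPLE_TCN = build_frame("00000cbbbbbb", TCN_BPDU.pack(0, 0, 0x80))
# A BPDU claiming priority 0 (field 0 + VLAN 1): what root guard exists to reject.
SAMPLE_ROGUE = build_frame("00000cdddddd", CONFIG_BPDU.pack(
    0, 0, 0x00, 0, bridge_id(1, "00000cdddddd"), 0, bridge_id(1, "00000cdddddd"),
    0x8001, 0, 20 * 256, 2 * 256, 15 * 256))

if __name__ == "__main__":
    expected = decode_bridge_id(ROOT)
    for frame in (SAMPLE_CONFIG, SAMPLE_TCN, SAMPLE_ROGUE):
        parsed = parse_bpdu_frame(frame)
        print(parsed, "superior root claimed:", check_root(parsed, expected))
```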

    Topology Change Notification from Source Bridge (figure: link to switch A)

    Root Switch Sets TC Flag Due to TCN (figure)

    Steps from Sample TCN
    1. Switch B notices a link failure has occurred when switch A fails
    2. Switch B sends a TC BPDU out the root port; continues to send the TC BPDU until switch C responds with a TCA
    3. Switch C sends a TCA to switch B and sends a TC BPDU out its root port (propagation of the TCN)
    4. When the root switch receives the topology change message, it acknowledges the TC BPDU with a TCA to the sending bridge
    5. Root switch changes its configuration BPDU to indicate the topology change; sets the topology change flag for a period equal to the sum of the forward delay timer and the max age timer
    6. Switch receiving the TC configuration BPDU message from the root switch uses the value of the forward delay timer to age out entries in the address table; ages out MAC address entries faster than the 300-second default
    Ensures MAC addresses no longer available due to the topology change age out quickly
    Switch continues until it no longer receives TC BPDU messages from the root

    Enhancements to STP

    Per VLAN Spanning Tree Plus
    PVST+ maintains a separate spanning-tree instance for each VLAN; by default a single spanning tree runs on each VLAN
    STP enabling and disabling on a per-VLAN basis
    proprietary features
    PVST+ provides for load balancing on a per-VLAN basis; allows creation of different logical topologies using the VLANs on a switched network
    Ensure that all links can be used and that one link is not oversubscribed
    Typical Building Access submodule switch connected to two Building Distribution submodule switches: one Building Distribution submodule switch is root for one VLAN, the other Building Distribution submodule switch is root for the second VLAN
    Building Access submodule switch in this scenario would use both links, one for each VLAN, achieving load balancing
    Each instance of PVST+ on a VLAN has a single root bridge; provide different STP root switches per VLAN
    Allows for the load balancing of root bridge responsibilities and link paths

    PVST+
    One spanning-tree instance exists for the primary VLAN; a second instance for the alternate VLAN
    Single switch and a single trunking port can serve different roles for each VLAN
    On the access-layer switch, a port forwards for one VLAN while blocking for the other VLANs
    Desired STP configuration and resulting Layer 2 topology is not necessarily automatic; the network administrator needs to plan and configure manually

    PVST+ Load Balancing Scenario (figure)
    PVST+ is implemented for ten VLANs
    Each port is participating in all ten VLANs but actively forwarding traffic for only half of them
    Each switch maintains ten spanning-tree instances

    Configuring the Basic Parameters of PVST+
    Default mode for STP on Catalyst switches is PVST+
    Possible to disable STP on a per-VLAN basis
    Enable STP:
    spanning-tree vlan vlan-id

    Configuring Port Cost
    Assign lower cost values to interfaces to make spanning tree select those first
    STP uses the port cost value when the interface is an access port
    Uses VLAN port cost values when the interface is a trunk port

    Verifying the STP Configuration
    Display the STP information for a specific VLAN:
    show spanning-tree vlan vlan-id
    Priority field is 8193 even though the configured priority value is 8192
    Switch uses the MAC address reduction feature: the priority field also includes the VLAN information, 8192 + 1 = 8193
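    The bridge ID layout from the Extended System ID and MAC Address Reduction slides, and the 8192 + 1 = 8193 display explained on the verification slide above, worked through in an added Python example (not code from the course). ASW11's MAC address and the legacy 08.00.00.00.0c.12.34.56 bridge ID come from the slides; the VLAN numbers and the other MAC addresses are constructed. `encode_bridge_id()` accepts only the sixteen priorities the `spanning-tree vlan vlan-id priority value` command allows, and `decode_bridge_id()` splits the 2-byte field back into the 4-bit priority and 12-bit system ID extension.

```python
"""Bridge ID with the extended system ID (MAC address reduction).

Added example, not from the course slides. The 2-byte priority field is
split into a 4-bit bridge priority (a multiple of 4096) and a 12-bit
extended system ID carrying the VLAN number (or MST instance), followed by
the 6-byte MAC address. VLAN numbers and MAC addresses other than ASW11's
00:00:0c:aa:aa:aa are constructed.
"""

VALID_PRIORITIES = [n * 4096 for n in range(16)]   # 0, 4096, ..., 61440
DEFAULT_PRIORITY = 32768


def is_valid_priority(priority):
    """Only multiples of 4096 fit in the 4-bit priority field."""
    return priority in VALID_PRIORITIES


def _mac_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa.bb.cc.dd.ee.ff or aabb.ccdd.eeff."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes: {mac!r}")
    return raw


def encode_bridge_id(priority, vlan, mac):
    """8-byte bridge ID = 4-bit priority | 12-bit system ID extension | MAC."""
    if not is_valid_priority(priority):
        raise ValueError(f"priority must be one of {VALID_PRIORITIES}")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (priority | vlan).to_bytes(2, "big") + _mac_bytes(mac)


def decode_bridge_id(bid):
    field = int.from_bytes(bid[:2], "big")
    return {
        "priority": field & 0xF000,        # upper 4 bits, multiple of 4096
        "system_id_ext": field & 0x0FFF,   # lower 12 bits: VLAN or MST instance
        "displayed_priority": field,       # what 'show spanning-tree' prints
        "mac": ":".join(f"{b:02x}" for b in bid[2:]),
    }


def decode_legacy_bridge_id(text):
    """Original 802.1D form from the slides: 2-byte priority then 6-byte MAC,
    written as 08.00.00.00.0c.12.34.56 (priority 0x0800 = 2048)."""
    octets = [int(o, 16) for o in text.split(".")]
    if len(octets) != 8:
        raise ValueError("expected 8 dotted hex octets")
    return {"priority": octets[0] << 8 | octets[1],
            "mac": ":".join(f"{o:02x}" for o in octets[2:])}


def displayed_priority(priority, vlan):
    """The priority 'show spanning-tree vlan <vlan>' prints: priority + VLAN."""
    bid = encode_bridge_id(priority, vlan, "00:00:00:00:00:00")
    return decode_bridge_id(bid)["displayed_priority"]


def lowest_bridge_id(bids):
    """STP elects the lowest bridge ID; bytes compare as unsigned big-endian."""
    return min(bids)


if __name__ == "__main__":
    print("priority 8192 on VLAN 1 is displayed as", displayed_priority(8192, 1))
    print(decode_bridge_id(encode_bridge_id(4096, 10, "00:00:0c:aa:aa:aa")))
    print(decode_legacy_bridge_id("08.00.00.00.0c.12.34.56"))
```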

    How can that be? Aren't all ports of a root bridge designated ports? (figure)

    Detailed STP Information for a Trunk Interface (figure)

    Spanning-Tree Bridge Information
    show spanning-tree bridge
    (figure: output for the VLANs)

    IEEE Documents on STP (figure)

    Rapid Spanning Tree Protocol
    Rapid Spanning Tree Protocol (IEEE 802.1w, referred to as RSTP) significantly speeds recalculation of the spanning tree with topology changes
    Defines additional port roles of Alternate and Backup
    Defines three port states: discarding, learning, or forwarding
    Cisco enhanced 802.1D with features such as UplinkFast, BackboneFast, and PortFast to speed up the convergence time; proprietary and need additional configuration
    IEEE 802.1w standard (RSTP) is an evolution of the 802.1D standard
    802.1D terminology is primarily the same and most parameters are unchanged
    In most cases RSTP performs better than the Cisco proprietary extensions
    802.1w is capable of reverting to 802.1D to interoperate with legacy bridges on a per-port basis; reverting negates the benefits of 802.1w for that segment

    RSTP
    RSTP selects one switch as the root of an active topology
    Assigns port roles to individual ports on the switch
    Provides rapid connectivity following the failure of a switch, port, or LAN
    New root port and the designated port of the connecting bridge transition to forwarding through an explicit handshake protocol
    Allows switch-port configuration so that ports transition to forwarding directly when the switch reinitializes
    On Cisco Catalyst switches RPVST+ is the per-VLAN version of the RSTP implementation
    Current generation Catalyst switches support RPVST+

    RSTP Ports

    RSTP Port States

    Three port states in RSTP: Discarding, Learning, Forwarding

    Discarding state is a merger of the 802.1D Disabled, Blocking, and Listening states

    STP mixes the state of a port with the role it plays in the active topology

    RSTP considers no difference between a port in blocking state and a port in listening state: both discard frames, and neither learns MAC addresses

    RSTP decouples the role of a port from the state of a port

    RSTP Operation Port States

    Port State   Description
    Discarding   This state is seen in both a stable active topology and during topology synchronization and changes. The discarding state prevents the forwarding of data frames, thus breaking the continuity of a Layer 2 loop.
    Learning     This state is seen in both a stable active topology and during topology synchronization and changes. The learning state accepts data frames to populate the MAC table to limit flooding of unknown unicast frames.
    Forwarding   This state is seen only in stable active topologies. The forwarding switch ports determine the topology. Following a topology change, or during synchronization, the forwarding of data frames occurs only after a proposal and agreement process.

    Operational Status   STP Port State   RSTP Port State   Port Included in Active Topology
    Enabled              Blocking         Discarding        No
    Enabled              Listening        Discarding        No
    Enabled              Learning         Learning          Yes
    Enabled              Forwarding       Forwarding        Yes
    Disabled             Disabled         Discarding        No

    RSTP Port Roles

    Port role defines the purpose of a switch port and the way it handles data frames

    Port roles and port states transition independently of each other

    Figure: port role and port state transitions (Different switch / Same switch)

    RSTP Operation Port Roles

    STP Port Role        RSTP Port Role             STP Port State        RSTP Port State
    Root port            Root port                  Forwarding            Forwarding
    Designated port      Designated port            Forwarding            Forwarding
    Nondesignated port   Alternate or backup port   Blocking              Discarding
    Disabled             Disabled                   -                     Discarding
    Transition           Transition                 Listening, Learning   Learning

    RSTP Port Roles

    Root port: the port closest to the root bridge in terms of path cost; there is a single root bridge for the whole bridged network

    Root bridge is the only bridge that does not have a root port

    Designated port: the bridge sending the best BPDU is the designated bridge for the segment; the corresponding port on that bridge is the designated port

    Alternate port: blocked by receiving root BPDUs from another bridge

    Becomes the designated port if the active designated port fails

    Backup port: blocked by receiving root BPDUs from the designated port for a shared LAN segment, from the same bridge on which the port is located

    Becomes the designated port if the existing designated port fails

    Disabled port: has no role within spanning tree


    Rapid Transition to Forwarding

    Most important feature of 802.1w

    RSTP actively confirms that a port transition to forwarding is safe without relying on a timer configuration

    Relies upon two new variables: edge port and link type

    Edge ports: ports directly connected to end stations cannot create bridging loops; they transition directly to forwarding, skipping the listening and learning stages

    Designate edge ports through manual configuration

    An edge port does not generate a topology change when its link transitions

    If an edge port receives a BPDU it immediately becomes a normal spanning-tree port

    Link type: RSTP ports are able to achieve rapid transition to forwarding on edge ports and point-to-point links; most switch-to-switch links are point-to-point

    Switches automatically derive the link type from the duplex mode of a port

    Rapid transition to the forwarding state for the designated port occurs only if the link type parameter indicates a point-to-point link

    RSTP Operation Rapid Transition to Forwarding: Link Type

    Link Type        Description
    Point-to-point   Port operating in full-duplex mode. It is assumed that the port is connected to a single switch device at the other end of the link.
    Shared           Port operating in half-duplex mode. It is assumed that the port is connected to shared media where multiple switches might exist.

    RSTP Operation Rapid Transition to Forwarding: Edge Ports

    RSTP edge port is a switch port that is never intended to be connected to another switch device

    Transitions directly to the forwarding state when enabled

    Neither edge ports nor PortFast-enabled ports generate topology changes when the port transitions

    Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning-tree port

    When an edge port receives a BPDU, it generates a topology change notification (TCN)


    RSTP BPDU Format and BPDU Handling RSTP introduces a changes to the BPDU

    In 802.1D only 2 bits in the Type field were used TC and TC Acknowledgement

    RSTP uses all 6 remaining bits of the flag byte

    nco e e ro e an s a e o e por or g na ng e

    Handle the proposal and agreement mechanism

    RSTP BPDU is now of type 2, version 2

    9/3/2011 Ch3 Implementing STP 779/3/2011 77

    BPDU Generation

    802.1D non-root bridge generates a BPDU only when it receives one on its root port

    If a port receives no BPDUs for three consecutive hello times, the bridge immediately ages out protocol information

    Immediate aging also happens if the max age timer expires

    In RSTP, transmissions of BPDUs act as a keep-alive mechanism

    Bridge has lost connectivity if it misses three BPDUs in a row; fast aging of the information allows quick failure detection

    In RSTP mode switches detect physical link failures much faster than in 802.1D


    Proposal and Agreement in RSTP

    Transition on point-to-point ports is rapid

    Bridge A and bridge B connect through port a on bridge A and port b on bridge B; bridge A is the root because of its superior BPDUs

    1. Ports a and b, the designated ports, start in discarding or learning state and send BPDUs with the proposal bit set

    2. Port b receives the superior BPDU from bridge A and immediately knows that port b is the new root port

    3. Bridge B sends a BPDU back to bridge A with the agreement bit set in the BPDU

    4. Bridge A transitions to forwarding as soon as it receives the BPDU with the agreement bit set from bridge B

    RSTP Proposal and Agreement Process

    Switch A has a path to the root via switch B and switch C

    New link is added between the root and switch A

    Both ports are in blocking state until they receive a BPDU

    Port P0 of the root bridge sets the proposal bit on the BPDUs it sends out

    Switch A sees that the proposal BPDU has a superior path cost

    It blocks all non-edge designated ports other than the one over which the proposal-agreement process is occurring; this is called sync and prevents switches below A from causing a loop during the proposal-agreement process

    Edge ports do not have to be blocked and remain unchanged during sync

    Bridge A sends an agreement that allows the root bridge to put the root's port P0 in forwarding state

    Port P1 becomes the root port for A


    Downstream Proposal and Agreement

    Switch B on P5 will see that switch A is discarding and will also transition to the designated discarding state

    Switch A sends its proposal BPDU down to B with the root ID of the root bridge

    Switch B sees a proposal with the superior BPDU from A and blocks all non-edge designated ports (sync)

    Switch B sends a BPDU with the agreement bit set, and switch A P3 transitions to forwarding state

    The synchronization process continues with switches downstream from B

    RSTP Topology Change Mechanism

    Only non-edge ports moving to the forwarding state cause a topology change

    Loss of connectivity does not generate a topology change

    Port moving to blocking does not cause the bridge to generate a TC BPDU

    When an RSTP bridge detects a topology change:

    1. Starts the TC While timer with a value equal to twice the hello time for its non-edge designated ports and its root port

    This is the interval during which the RSTP bridge actively informs the rest of the bridges of a topology change

    2. Flushes the MAC addresses associated with all non-edge ports

    3. While the TC While timer is running on a port:

    BPDUs sent out of that port have the TC bit set

    Bridge sends BPDUs even on the root port

    Topology Change Mechanism in RSTP

    Topology Change Propagation

    When a bridge receives a BPDU with the TC bit set from a neighbor:

    1. Clears the MAC addresses learned on all its ports except the one that received the topology change

    2. Starts the TC While timer and sends BPDUs with TC set on its designated ports and root port

    RSTP does not use the specific TCN BPDU anymore unless a legacy bridge needs to be notified

    Topology change notification is flooded very quickly; propagation is a one-step process

    Initiator of the topology change floods this information throughout the network

    In 802.1D only the root sends BPDUs with the TC bit set

    In RSTP there is no need to wait for the root bridge to be notified
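The detection and propagation steps of the two slides above, as an added Python model (example code for this page, not from the original deck): the detecting bridge flushes and arms its ports, each receiving bridge keeps what it learned on the receiving port and re-floods, and the flood never has to reach the root first. The chain Root-A-B-C with D off the root, the port names and the MAC table contents are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of RSTP topology change (TC) detection and propagation as
# described on the slides (example code, not from the original deck).
HELLO_TIME = 2  # seconds; the TC While timer runs for twice this value


@dataclass
class Port:
    role: str          # "root", "designated", "alternate" or "edge"
    tc_while: int = 0  # seconds left during which BPDUs leave this port with TC set


@dataclass
class Bridge:
    name: str
    ports: Dict[str, Port]
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port it was learned on
    log: List[str] = field(default_factory=list)

    def flush(self, keep: Optional[str]) -> int:
        """Drop entries learned on every non-edge port except `keep`; return how many."""
        victims = [mac for mac, port in self.mac_table.items()
                   if port != keep and self.ports[port].role != "edge"]
        for mac in victims:
            del self.mac_table[mac]
        return len(victims)

    def arm_tc(self, skip: Optional[str]) -> List[str]:
        """Start TC While on the root port and designated ports other than `skip`."""
        armed = [n for n, p in self.ports.items()
                 if n != skip and p.role in ("root", "designated")]
        for n in armed:
            self.ports[n].tc_while = 2 * HELLO_TIME
        return armed

    def port_to_forwarding(self, name: str) -> List[str]:
        """A local port moves to forwarding.  Only a non-edge port is a topology
        change: flush all non-edge entries and start advertising TC."""
        if self.ports[name].role == "edge":
            self.log.append(f"{self.name}: {name} is an edge port, no TC")
            return []
        flushed = self.flush(keep=None)
        armed = self.arm_tc(skip=None)
        self.log.append(f"{self.name}: TC from {name}, flushed {flushed}, TC out {armed}")
        return armed

    def receive_tc(self, on_port: str) -> List[str]:
        """A BPDU with the TC bit arrives: keep what was learned on the receiving
        port, flush the rest, and re-flood TC on every other root/designated port."""
        flushed = self.flush(keep=on_port)
        armed = self.arm_tc(skip=on_port)
        self.log.append(f"{self.name}: TC on {on_port}, flushed {flushed}, TC out {armed}")
        return armed


Link = Tuple[str, str]  # (bridge name, port name)


def propagate(bridges: Dict[str, Bridge], links: Dict[Link, Link],
              origin: str, port: str) -> List[str]:
    """Flood the TC outward from the bridge that detected it, in one step, without
    routing it through the root first.  Returns the bridges in flush order."""
    queue = deque((origin, p) for p in bridges[origin].port_to_forwarding(port))
    order = [origin] if queue else []
    while queue:
        src, src_port = queue.popleft()
        dst, dst_port = links[(src, src_port)]      # far end of this link
        order.append(dst)
        queue.extend((dst, p) for p in bridges[dst].receive_tc(dst_port))
    return order


def build_network() -> Tuple[Dict[str, Bridge], Dict[Link, Link]]:
    """Constructed tree: Root-A-B-C in a chain, D hanging off the root."""
    root = Bridge("Root", {"P0": Port("designated"), "P8": Port("designated")})
    a = Bridge("A", {"P1": Port("root"), "P3": Port("designated"), "E1": Port("edge")})
    b = Bridge("B", {"P5": Port("root"), "P6": Port("designated")})
    c = Bridge("C", {"P7": Port("root"), "E2": Port("edge")})
    d = Bridge("D", {"P2": Port("root"), "E3": Port("edge")})
    # Constructed MAC table contents (host H1 behind A.E1, host H2 behind C.E2).
    root.mac_table = {"00:00:5e:00:53:01": "P0", "00:00:5e:00:53:02": "P8"}
    a.mac_table = {"00:00:5e:00:53:01": "E1", "00:00:5e:00:53:02": "P3"}
    c.mac_table = {"00:00:5e:00:53:02": "E2", "00:00:5e:00:53:01": "P7"}
    links: Dict[Link, Link] = {("Root", "P0"): ("A", "P1"), ("Root", "P8"): ("D", "P2"),
                               ("A", "P3"): ("B", "P5"), ("B", "P6"): ("C", "P7")}
    links.update({far: near for near, far in list(links.items())})  # make links symmetric
    return {br.name: br for br in (root, a, b, c, d)}, links


if __name__ == "__main__":
    net, wires = build_network()
    print(propagate(net, wires, "A", "P1"))   # A's root port came up
    for br in net.values():
        print(*br.log, sep="\n")
```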

    RSTP TC Actions Summary

    RSTP and 802.1D STP Compatibility

    RSTP can operate with 802.1D STP

    802.1w's fast-convergence benefits are lost when interacting with 802.1D bridges

    Each port maintains a variable that defines the protocol to run on the corresponding segment

    If the port receives BPDUs that do not correspond to its current operating mode for two times the hello time, it

    Default STP Configuration on Cisco Switch

    PVST+

    Bridge priority 32,768 for each VLAN


    PortFast

    Spanning Tree PortFast causes an interface configured as an access port to enter the forwarding state immediately

    Bypasses the listening and learning states

    Enable on Layer 2 access ports connected to a single workstation or server

    Server and workstation are attached to an access switch through ports that have the PortFast feature enabled

    STP State Machine with PortFast

    STP state jumps directly from blocking to forwarding without going through the listening and learning states

    PortFast suppresses topology change notifications


    Configuring the PortFast Feature Globally

    On Building Access submodule switches, enable PortFast globally:

    spanning-tree portfast default

    No need to explicitly enable PortFast on each port

    Explicitly disable PortFast on uplink ports:

    [no] spanning-tree portfast

    Configuring PortFast on Trunk Ports

    Use the spanning-tree portfast trunk interface command to enable the PortFast feature on a trunk port.

    Switch(config-if)# spanning-tree portfast trunk


    Configuring Access Port Macro

    Use the switchport host macro command on an interface connecting to an end station

    PortFast is a highly recommended configuration on end-user ports and server ports

    Disables negotiation of channeling and trunking

    To place an interface into this desired configuration: switchport host

    Switch(config-if)# switchport host
    switchport mode will be set to access
    spanning-tree portfast will be enabled
    channel group will be disabled
    Switch(config-if)# end
    Switch#

    Implementing PVRST+

    1. Enable PVRST+ globally. PVRST+ should be configured on all switches in the broadcast domain.

    2. Designate and configure a switch to be the root bridge.

    3. Designate and configure a switch to be the secondary (backup) root bridge.

    4. Ensure load sharing on uplinks using priority and cost parameters.

    5. Verify the configuration.


    Verifying PVRST+

    The output below illustrates how to verify the RSTP configuration for VLAN 2 on a nonroot switch in a topology.

    Switch# show spanning-tree vlan 2

    VLAN0002
      Spanning tree enabled protocol rstp
      Root ID    Priority    32768
                 Address     000b.fcb5.dac0
                 Cost        38
                 Port        7 (FastEthernet0/7)
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
                 Address     0013.5f1c.e1c0
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------
    Fa0/7            Root FWD 19        128.7    P2p
    Fa0/8            Root FWD 19        128.8    P2p
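Reading this output by eye does not scale across many VLANs and switches, so here is an added Python parser with the checks a practitioner would run over it (example code for this page, not from the deck or any Cisco tool): it confirms that the bridge priority really is the configured priority plus the VLAN ID carried in the extended system ID, and that a nonroot bridge has exactly one root port. The sample text is constructed in the shape of the slide's output, with Fa0/8 given as an alternate port.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the shape of the slide's "show spanning-tree vlan 2"
# output (example data; Fa0/8 is given as an alternate port here).
SHOW_OUTPUT = """\
VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    32768
             Address     000b.fcb5.dac0
             Cost        38
             Port        7 (FastEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0013.5f1c.e1c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7            Root FWD 19        128.7    P2p
Fa0/8            Altn BLK 19        128.8    P2p
"""

ROOT_RE = re.compile(
    r"Root ID\s+Priority\s+(?P<prio>\d+)\s+Address\s+(?P<addr>\S+)"
    r"(?:\s+This bridge is the root|\s+Cost\s+(?P<cost>\d+))")
BRIDGE_RE = re.compile(
    r"Bridge ID\s+Priority\s+(?P<prio>\d+)\s+\(priority (?P<base>\d+) sys-id-ext (?P<ext>\d+)\)")
IFACE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<role>Root|Desg|Altn|Back|Mstr)\s+(?P<sts>FWD|BLK|LRN|LIS|BKN)"
    r"\s+(?P<cost>\d+)\s+(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>\S+)", re.M)


@dataclass
class StpVlan:
    vlan: int
    protocol: str              # "ieee" (PVST+), "rstp" (rapid PVST+) or "mstp"
    root_priority: int
    root_address: str
    is_root: bool
    root_cost: int
    bridge_priority: int       # value actually carried in this switch's BPDUs
    configured_priority: int   # the multiple of 4096 the administrator set
    sys_id_ext: int            # VLAN ID carried in the extended system ID
    interfaces: List[Dict[str, str]] = field(default_factory=list)


def parse_show_vlan(text: str) -> StpVlan:
    vlan = re.search(r"^VLAN(\d{4})", text, re.M)
    proto = re.search(r"enabled protocol (\w+)", text)
    root, bridge = ROOT_RE.search(text), BRIDGE_RE.search(text)
    if not (vlan and proto and root and bridge):
        raise ValueError("unrecognised show spanning-tree output")
    return StpVlan(int(vlan.group(1)), proto.group(1), int(root["prio"]), root["addr"],
                   root["cost"] is None, int(root["cost"] or 0), int(bridge["prio"]),
                   int(bridge["base"]), int(bridge["ext"]),
                   [m.groupdict() for m in IFACE_RE.finditer(text)])


def audit(v: StpVlan) -> List[str]:
    """Checks worth running over the parsed output; an empty list means healthy."""
    findings = []
    if v.configured_priority % 4096:
        findings.append(f"priority {v.configured_priority} is not a multiple of 4096")
    if v.sys_id_ext != v.vlan:
        findings.append(f"sys-id-ext {v.sys_id_ext} does not match VLAN {v.vlan}")
    if v.bridge_priority != v.configured_priority + v.sys_id_ext:
        findings.append(f"bridge priority {v.bridge_priority} != "
                        f"{v.configured_priority} + {v.sys_id_ext}")
    root_ports = [i["name"] for i in v.interfaces if i["role"] == "Root"]
    if v.is_root and root_ports:
        findings.append(f"root bridge must have no root port, found {root_ports}")
    if not v.is_root and len(root_ports) != 1:
        findings.append(f"expected exactly one root port, found {root_ports}")
    if v.protocol not in ("rstp", "mstp"):
        findings.append(f"protocol {v.protocol}: legacy 802.1D timers decide convergence")
    return findings


if __name__ == "__main__":
    parsed = parse_show_vlan(SHOW_OUTPUT)
    print(f"VLAN {parsed.vlan}: bridge priority {parsed.bridge_priority} = "
          f"{parsed.configured_priority} + {parsed.sys_id_ext}")
    print("findings:", audit(parsed) or "none")
```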

    Multiple Spanning Tree (MST)

    MST (802.1s) extends the IEEE 802.1w RST algorithm to multiple spanning trees

    Reduces the total number of spanning-tree instances to match the physical topology of the network

    PVST+ runs an STP instance for each VLAN

    Does not take into consideration the physical topology

    MST uses a minimum number of STP instances

    Matches the number of physical topologies present


    MST (802.1s)

    MST builds multiple spanning trees over trunks by grouping and associating VLANs to spanning-tree instances

    Each instance may have a topology that is independent of other instances

    Provides multiple forwarding paths for data traffic and enables load balancing

    Failure in one forwarding path does not affect other instances with different forwarding paths

    MST spanning-tree instance may exist only on bridges that have compatible VLAN instance assignments

    Configuring a set of bridges with the same MST configuration information allows them to participate in a specific set of spanning-tree instances

    MST region refers to the set of interconnected bridges that have the same MST configuration

    Achieve load balancing on the access switch uplinks based on even or odd VLANs or any other scheme deemed appropriate

    VLAN Load Balancing

    1000 VLANs map to two MST instances

    Each switch needs to maintain only two spanning trees

    Concept of two MST instances extends to 4096 VLANs

    MST converges faster than PVST+

    Backward compatible with 802.1D STP, 802.1w (RSTP), and the Cisco PVST+ architecture


    Comparison

    PVST+ Case

    Achieves load balancing by configuring such that a specific number of VLANs are forwarding on each uplink trunk

    Bridge D1 to be the root for VLANs 501-1000

    Bridge D2 to be the root for VLANs 1-500

    Load balancing between the access and distribution layers

    Switches run 1000 VLAN instances for only two different logical topologies

    PVST+ characteristics

    Provides the ability to optimize load balancing

    Maintains a per-VLAN STP instance and results in more CPU utilization

    802.1Q Case

    IEEE 802.1Q defines a Common Spanning Tree (CST) instance: one spanning-tree instance for the entire bridged network

    CST instance: no load balancing is possible

    Switch CPU utilization is low since there is only one instance

    Cisco implementation enhances 802.1Q to support PVST+; behaves exactly as the PVST+ case


    MST Case

    Combines the best of PVST+ and 802.1Q

    Most networks do not need more than a few topologies

    Mapping several VLANs to one instance reduces the number of spanning-tree instances

    Desired load-balancing scheme is possible

    Switch utilization is low

    Because MST is a newer protocol, issues may arise

    More complex than the usual spanning tree and requires additional training of the operation staff

    Interaction with legacy bridges is sometimes challenging

    MST Regions

    Received BPDUs need to identify STP instances and the VLANs that are mapped to the instances

    Each switch running MST has a single configuration of three attributes:

    Alphanumeric configuration name (32 bytes)

    Configuration revision number (2 bytes)

    4096-element table that associates each of the potential 4096 VLANs to a given instance

    To be part of a common MST region, switches must share the same configuration attributes

    Must be able to exactly identify the boundaries of the regions; characteristics of the region are included in BPDUs

    Switches do not propagate the exact VLANs-to-instance mapping in the BPDU

    Switches only need to know whether they are in the same region as a neighbor

    Switches send a digest of the VLANs-to-instance mapping table along with the revision number and the name

    A switch that receives a BPDU compares it with its own computed digest

    If the digests differ, the port receiving the BPDU is at the boundary of a region
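An added Python example (not from the slides or any Cisco code) of how the three attributes become what a switch actually advertises, and how a neighbour decides from that whether the receiving port is a region boundary. The HMAC-MD5 key is assumed from the IEEE 802.1s standard, the SwitchA/SwitchB configurations are the ones from the configuration example later in this chapter, and the two mismatching neighbours are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Key the IEEE 802.1s standard specifies for the MST configuration digest
# (HMAC-MD5 over the VLAN-to-instance table).  Assumption taken from the
# standard, not something stated on the slides.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse the IOS 'vlan' argument, e.g. '11, 21, 31' or '1-10,20'."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass(frozen=True)
class MstConfig:
    name: str                                # configuration name, up to 32 bytes
    revision: int                            # 16-bit revision number
    instances: Tuple[Tuple[int, str], ...]   # (instance, vlan list) as typed on the CLI

    def vlan_table(self) -> bytes:
        """4096 16-bit big-endian entries: entry v is the instance VLAN v maps to.
        Anything not assigned explicitly stays in instance 0 (the IST, MST00)."""
        table = [0] * 4096
        for instance, spec in self.instances:
            for v in parse_vlan_list(spec):
                if not 1 <= v <= 4094:
                    raise ValueError(f"VLAN {v} out of range")
                table[v] = instance
        return struct.pack("!4096H", *table)

    def digest(self) -> bytes:
        return hmac.new(MST_DIGEST_KEY, self.vlan_table(), hashlib.md5).digest()

    def identifier(self) -> Tuple[str, int, bytes]:
        """What goes into the BPDU: name, revision and the 16-byte digest,
        never the 8 KB table itself."""
        return (self.name, self.revision, self.digest())


def same_region(local: MstConfig, bpdu_id: Tuple[str, int, bytes]) -> bool:
    """A received BPDU belongs to our region only if all three attributes match;
    otherwise the receiving port is a region boundary."""
    return local.identifier() == bpdu_id


def region_check() -> Dict[str, bool]:
    """Replay the chapter's SwitchA/SwitchB example plus two constructed neighbours."""
    switch_a = MstConfig("XYZ", 1, ((1, "11, 21, 31"), (2, "12, 22, 32")))
    switch_b = MstConfig("XYZ", 1, ((1, "11, 21, 31"), (2, "12, 22, 32")))
    # Constructed mismatches: same mapping but revision 2, and one VLAN moved.
    stale_rev = MstConfig("XYZ", 2, ((1, "11, 21, 31"), (2, "12, 22, 32")))
    moved_vlan = MstConfig("XYZ", 1, ((1, "11, 21"), (2, "12, 22, 32, 31")))
    return {
        "SwitchB": same_region(switch_a, switch_b.identifier()),
        "stale_rev": same_region(switch_a, stale_rev.identifier()),
        "moved_vlan": same_region(switch_a, moved_vlan.identifier()),
    }


if __name__ == "__main__":
    for neighbour, inside in region_check().items():
        print(f"{neighbour:10s} {'same region' if inside else 'region boundary'}")
    print("digest of the default (all VLANs in instance 0) mapping:",
          MstConfig("", 0, ()).digest().hex().upper())
```

Note that the name and revision are compared as plain values and are not part of the digest, which is why a revision bump alone splits a region even when the mapping is identical.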


    Switches in Different MST Regions

    Designated bridge on its segment is in a different region

    It receives legacy 802.1D BPDUs

    Port on B1 is at the boundary of region A

    Ports on B2 and B3 are internal to region B

    Extended System ID

    In MST the extended system ID carries the instance number rather than the VLAN number as in PVST+


    Configuring Basic Parameters of MST

    MST Configuration

    Enable MST on the switch
    Switch(config)# spanning-tree mode mst

    Enter MST configuration submode
    Switch(config)# spanning-tree mst configuration

    Display the current MST configuration
    Switch(config-mst)# show current

    Name MST instance
    Switch(config-mst)# name name

    Set the revision number; it is not incremented automatically when you commit a new MST configuration
    Switch(config-mst)# revision revision_number


    MST Configuration (cont)

    Map VLANs to an MST instance
    Switch(config-mst)# instance instance_number vlan vlan_range

    Display the pending MST configuration
    Switch(config-mst)# show pending

    Apply the configuration and exit MST configuration submode
    Switch(config-mst)# exit

    Assign the root bridge for an MST instance

    Syntax makes the switch root primary or secondary (only active if

    Sets the primary priority to 24576 and the secondary to 28672

    Switch(config)# spanning-tree mst instance_number root {primary | secondary}

    MST Configuration Example

    SwitchA(config)# spanning-tree mode mst
    SwitchA(config)# spanning-tree mst configuration
    SwitchA(config-mst)# name XYZ
    SwitchA(config-mst)# revision 1
    SwitchA(config-mst)# instance 1 vlan 11, 21, 31
    SwitchA(config-mst)# instance 2 vlan 12, 22, 32
    SwitchA(config-mst)# exit
    SwitchA(config)# spanning-tree mst 1 root primary

    SwitchB(config)# spanning-tree mode mst
    SwitchB(config)# spanning-tree mst configuration
    SwitchB(config-mst)# name XYZ
    SwitchB(config-mst)# revision 1
    SwitchB(config-mst)# instance 1 vlan 11, 21, 31
    SwitchB(config-mst)# instance 2 vlan 12, 22, 32
    SwitchB(config-mst)# exit
    SwitchB(config)# spanning-tree mst 2 root primary


    Verifying MST Configuration Example (1)

    Switch# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)# spanning-tree mode mst
    Switch(config)# spanning-tree mst configuration
    Switch(config-mst)# show current
    Current MST configuration
    Name      []
    Revision  0
    Instance  Vlans mapped
    --------  ---------------------------------------------------------------------
    0         1-4094
    -------------------------------------------------------------------------------
    Switch(config-mst)# name cisco
    Switch(config-mst)# revision 1
    Switch(config-mst)# instance 1 vlan 1-10
    Switch(config-mst)# show pending
    Pending MST configuration
    Name      [cisco]
    Revision  1
    Instance  Vlans mapped
    --------  ---------------------------------------------------------------------
    0         11-4094
    1         1-10
    -------------------------------------------------------------------------------
    Switch(config-mst)# end

    Verifying MST Configuration Example (2)

    Switch# show spanning-tree mst
    ###### MST00 vlans mapped: 5-4094
    Bridge address 0009.e845.6480 priority 32768 (32768 sysid 0)
    Root this switch for CST and IST
    Configured hello time 2, forward delay 15, max age 20, max hops 20

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- -------
    Fa3/24           Desg FWD 2000000   128.152  Shr
    Fa3/32           Desg FWD 200000    128.160  P2p
    Fa3/42           Back BLK 200000    128.170  P2p

    ###### MST01 vlans mapped: 1-2
    Bridge address 0009.e845.6480 priority 32769 (32768 sysid 1)
    Root this switch for MST01

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- -------
    Fa3/24           Desg FWD 2000000   128.152  Shr
    Fa3/32           Desg FWD 200000    128.160  P2p
    Fa3/42           Back BLK 200000    128.170  P2p

    ###### MST02 vlans mapped: 3-4
    Bridge address 0009.e845.6480 priority 32770 (32768 sysid 2)
    Root this switch for MST02

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- -------
    Fa3/24           Desg FWD 2000000   128.152  Shr


    Verifying MST Configuration Example (3)

    Switch# show spanning-tree mst 1
    ###### MST01 vlans mapped: 1-2
    Bridge address 0009.e845.6480 priority 32769 (32768 sysid 1)
    Root this switch for MST01

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- -----------------
    Fa3/24           Desg FWD 2000000   128.152  Shr
    Fa3/32           Desg FWD 200000    128.160  P2p
    Fa3/42           Back BLK 200000    128.170  P2p

    Verifying MST Configuration Example (4)

    Switch# show spanning-tree mst interface FastEthernet 3/24
    FastEthernet3/24 of MST00 is designated forwarding
    Edge port: no             (default)        port guard : none        (default)
    Link type: shared         (auto)           bpdu filter: disable     (default)
    Boundary : internal                        bpdu guard : disable     (default)
    Bpdus sent 81, received 81

    Instance Role Sts Cost      Prio.Nbr Vlans mapped
    -------- ---- --- --------- -------- -------------------------
    0        Desg FWD 2000000   128.152  5-4094
    1        Desg FWD 2000000   128.152  1-2
    2        Desg FWD 2000000   128.152  3-4


    Verifying MST Configuration Example (5)

    Switch# show spanning-tree mst 1 detail
    ###### MST01 vlans mapped: 1-2
    Bridge address 0009.e845.6480 priority 32769 (32768 sysid 1)
    Root this switch for MST01

    FastEthernet3/24 of MST01 is designated forwarding
    Port info port id 128.152 priority 128 cost 2000000
    Designated root address 0009.e845.6480 priority 32769 cost 0
    Designated bridge address 0009.e845.6480 priority 32769 port id 128.152
    Timers: message expires in 0 sec, forward delay 0, forward transitions 1
    Bpdus (MRecords) sent 755, received 0

    FastEthernet3/32 of MST01 is designated forwarding
    Port info port id 128.160 priority 128 cost 200000
    Designated root address 0009.e845.6480 priority 32769 cost 0
    Designated bridge address 0009.e845.6480 priority 32769 port id 128.160
    Timers: message expires in 0 sec, forward delay 0, forward transitions 1
    Bpdus (MRecords) sent 769, received 1

    FastEthernet3/42 of MST01 is backup blocking
    Port info port id 128.170 priority 128 cost 200000
    Designated root address 0009.e845.6480 priority 32769 cost 0
    Designated bridge address 0009.e845.6480 priority 32769 port id 128.160
    Timers: message expires in 5 sec, forward delay 0, forward transitions 0
    Bpdus (MRecords) sent 1, received 769

    Spanning Tree Enhancements

    Preventable common network attacks involving STP:

    Connecting an unauthorized hub: users may plug in an unauthorized hub to extend the network, which may create an STP loop

    BPDU Guard detects the loop and effectively err-disables the user port

    Connecting an unauthorized access switch: users may plug in an unauthorized access switch; this will not cause a network loop, but it may result in a topology change and the switch may become the root

    Root Guard feature will detect the BPDU sent by this newly added access switch and will disable the user port

    Unidirectional link due to faulty cabling or device: a cable fault or device will cause switch links to become unidirectional

    UDLD feature detects and err-disables the offending link

    Blocking port erroneously moving to forwarding state: software inconsistency or BPDU loss can also cause this to occur

    Loop Guard feature will detect such a condition and put the blocking switch port into an inconsistent state


    Spanning Tree Enhancements

    BPDU guard: prevents accidental connection of switching devices to PortFast-enabled ports. Connecting switches to PortFast-enabled ports can cause Layer 2 loops or topology changes

    BPDU filtering: restricts the switch from sending unnecessary BPDUs out access ports

    Root guard: prevents switches connected on ports configured as access ports from becoming the root switch

    Loop guard: prevents root ports and alternate ports from moving to forwarding state when they stop receiving BPDUs

    BPDU Guard

    Puts an interface configured for STP PortFast in the err-disable state upon receipt of a BPDU; disables interfaces to avoid a potential bridging loop

    Shuts down PortFast-configured interfaces that receive BPDUs rather than putting them into the STP blocking state (default)

    Manually re-enable the err-disabled interface after fixing the invalid configuration

    PortFast-configured interfaces should not receive BPDUs; reception of a BPDU signals an invalid configuration such as connection of an unauthorized device

    BPDU Guard applies globally to all PortFast-configured interfaces; it can also be enabled/disabled on a per-interface basis

    Global configuration command:

    [no] spanning-tree portfast bpduguard


    BPDU Guard Configuration

    To enable BPDU guard globally, use the command:
    spanning-tree portfast bpduguard default

    To enable BPDU guard on a port, use the command:
    spanning-tree bpduguard enable

    BPDU guard logs messages to the console:
    2009 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
    2009 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1
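Those console messages are the signal a monitoring team wants to catch, since each one maps to one of the "preventable attacks" listed earlier (rogue hub or switch, device claiming root, unidirectional link, blocked port about to forward). The added Python detector below (example code for this page, not from the deck or any Cisco tool) runs over sample syslog lines and flags ports that keep tripping a guard; the two BPDU guard lines are the ones quoted on the slide, the remaining lines and the exact message formats for root guard, loop guard, err-disable and UDLD are assumptions modelled on IOS.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log.  The two BPDU guard lines are the ones quoted on the
# slide; the remaining lines are made up in the shape of IOS root guard, loop
# guard, err-disable and UDLD messages (example data, not from the deck).
SAMPLE_LOG = """\
2009 May 12 15:13:32 %SPANTREE-2-RX_PORTFAST:Received BPDU on PortFast enable port. Disabling 2/1
2009 May 12 15:13:32 %PAGP-5-PORTFROMSTP:Port 2/1 left bridge port 2/1
Mar  1 10:02:11.123: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/12 on VLAN0010.
Mar  1 10:02:11.500: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/0/24 on VLAN0010.
Mar  1 10:02:12.001: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 10:03:00.000: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/0/5, unidirectional link detected
Mar  1 10:05:40.000: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/12 on VLAN0020.
"""

# Syslog mnemonic -> (protection feature, the slide scenario it corresponds to).
MNEMONICS = {
    "RX_PORTFAST": ("bpduguard", "BPDU on a PortFast port: unauthorized hub or switch on an access port"),
    "ERR_DISABLE": ("errdisable", "port err-disabled by a protection feature"),
    "ROOTGUARD_BLOCK": ("rootguard", "superior BPDU on a root-guard port: device trying to become root"),
    "LOOPGUARD_BLOCK": ("loopguard", "BPDUs stopped on a blocking port: would otherwise go forwarding"),
    "UDLD_PORT_DISABLED": ("udld", "unidirectional link detected"),
}

SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)")
# IOS interface names (long or abbreviated) or the CatOS "module/port" form on the slide.
IFACE_RE = re.compile(r"\b((?:(?:Gigabit|Fast|TenGigabit)?Ethernet|Gi|Fa|Te)\d+(?:/\d+)+|\d+/\d+)\b")
VLAN_RE = re.compile(r"\bVLAN(\d{4})\b")


@dataclass
class StpEvent:
    feature: str
    port: str
    vlan: Optional[int]
    severity: int
    reason: str


def parse_line(line: str) -> Optional[StpEvent]:
    """Return an StpEvent for lines raised by an STP protection feature, else None."""
    m = SYSLOG_RE.search(line)
    if not m or m["mnemonic"] not in MNEMONICS:
        return None
    feature, reason = MNEMONICS[m["mnemonic"]]
    if feature == "errdisable" and "bpduguard" not in m["text"]:
        return None                      # err-disable for other causes is out of scope here
    iface = IFACE_RE.search(m["text"])
    vlan = VLAN_RE.search(m["text"])
    return StpEvent(feature, iface.group(1) if iface else "?",
                    int(vlan.group(1)) if vlan else None, int(m["severity"]), reason)


def scan(log: str) -> List[StpEvent]:
    return [e for e in map(parse_line, log.splitlines()) if e]


def repeat_offenders(events: List[StpEvent], threshold: int = 2) -> List[str]:
    """Ports that tripped a protection feature at least `threshold` times: the
    offending device is probably still plugged in and needs a physical check."""
    counts = Counter(e.port for e in events)
    return sorted(port for port, n in counts.items() if n >= threshold)


def by_feature(events: List[StpEvent]) -> Dict[str, int]:
    return dict(Counter(e.feature for e in events))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for e in found:
        print(f"{e.feature:10s} {e.port:22s} vlan={e.vlan} {e.reason}")
    print("repeat offenders:", repeat_offenders(found))
```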

    BPDU Guard Configuration Example

    Switch(config)# spanning-tree portfast edge bpduguard default
    Switch(config)# end
    Switch# show spanning-tree summary totals
    Root bridge for: none.
    PortFast BPDU Guard is enabled
    Etherchannel misconfiguration guard is enabled
    UplinkFast is disabled
    BackboneFast is disabled
    Default pathcost method used is short

    Name                 Blocking Listening Learning Forwarding STP Active
    -------------------- -------- --------- -------- ---------- ----------
    34 VLANs             0        0         0        36         36


    BPDU Filtering

    Prevents switches from sending BPDUs on PortFast-enabled interfaces, which typically connect to host devices

    Configure BPDU filtering on a per-port or global basis

    If configured on an interface, the switch does not send BPDUs and drops all BPDUs it receives

    If globally enabled, it affects all operational PortFast ports on switches that do not have BPDU filtering configured on the individual ports

    Switch changes the interface back to normal STP operation if the port receives BPDUs

    Upon startup, the port transmits ten BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled

    BPDU Guard enabled on the same interface as BPDU filtering has no effect; BPDU filtering takes precedence

    BPDU Filtering Configuration

    To enable BPDU filtering globally, use the command:
    spanning-tree portfast bpdufilter default

    To enable BPDU filtering on a port, use the command:
    spanning-tree bpdufilter enable

    Verify the configuration:
    show spanning-tree summary totals


    Verifying BPDU Filtering Configuration (1)

    PortFast BPDU filtering status:

    Switch# show spanning-tree summary

    Switch is in pvst mode

    Root bridge for: none

    Exten e system ID s ena e

    Portfast Default is disabled

    PortFast BPDU Guard Default is disabled

    Portfast BPDU Filter Default is disabled

    Loopguard Default is disabled

    EtherChannel misconfig guard is enabled

    UplinkFast is disabled

    BackboneFast is disabled

    Configured Pathcost method used is short

    Name Blocking Listening Learning Forwarding

    STP Active

    ------- ---- -------- ------- -------- ---------

    VLAN0001 2 0 0 6

    8

    ------- ---- -------- ------- -------- ---------1 vlan 2 0 0 6

    8

    9/3/2011 Ch3 Implementing STP 119

    Verifying BPDU Filtering Configuration (2)

    Verifying PortFast BPDU filtering on a specific port:

    Switch# show spanning-tree interface fastEthernet 4/4 detail

    Port path cost 1000, Port priority 160, Port Identifier 160.196.

    Designated root has priority 32768, address 00d0.00b8.140a

    Designated bridge has priority 32768, address 00d0.00b8.140a

    Designated port id is 160.196, designated path cost 0

    Timers:message age 0, forward delay 0, hold 0

    Number of transitions to forwarding state:1

    The port is in the portfast mode by portfast trunk configuration

    Link type is point-to-point by default

    Bpdu filter is enabled

    BPDU:sent 0, received 0


    PortFast BPDU Filtering Port Configurations

    Per-Port Configuration   Global Configuration   PortFast State    PortFast BPDU Filtering State
    Default                  Enable                 Enable            Enable
    Default                  Enable                 Disable           Disable
    Default                  Disable                Not applicable    Disable
    Disable                  Not applicable         Not applicable    Disable
    Enable                   Not applicable         Not applicable    Enable
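    A small audit of the decision table above, added here as an example and not taken from the course material. It reads the global defaults from show spanning-tree summary output and the per-port settings from running-config text (both inputs are constructed samples), applies the table, and lists the ports on which BPDUs are in effect no longer processed, which is the set a network or security team should review.

```python
"""Audit which ports end up with PortFast BPDU filtering in effect.

Added example (not course material): applies the per-port / global /
PortFast decision table to parsed 'show spanning-tree summary' output and
running-config text.  Both inputs below are constructed sample data.
"""
import re

# Constructed sample: global defaults as printed by 'show spanning-tree summary'
SUMMARY = """\
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Loopguard Default is disabled
"""

# Constructed sample: interface stanzas from 'show running-config'
RUNNING_CONFIG = """\
interface FastEthernet4/4
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet4/5
 switchport mode access
!
interface FastEthernet4/6
 switchport mode access
 spanning-tree bpdufilter enable
!
interface FastEthernet4/7
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter disable
!
"""


def parse_summary_defaults(text):
    """Return {'portfast': bool, 'bpduguard': bool, 'bpdufilter': bool}
    from the 'Default is enabled/disabled' lines of the summary output."""
    labels = {"portfast": "Portfast Default",
              "bpduguard": "PortFast BPDU Guard Default",
              "bpdufilter": "Portfast BPDU Filter Default"}
    defaults = {}
    for key, label in labels.items():
        m = re.search(rf"^{re.escape(label)} is (enabled|disabled)\s*$", text, re.M | re.I)
        if m is None:
            raise ValueError(f"'{label}' line not found in summary output")
        defaults[key] = m.group(1).lower() == "enabled"
    return defaults


def parse_interfaces(config):
    """Return {interface: {'per_port': 'default'|'enable'|'disable',
    'portfast': bool}} from running-config interface stanzas."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"per_port": "default", "portfast": False}
        elif line == "!":
            current = None
        elif current and line == "spanning-tree portfast":
            ports[current]["portfast"] = True
        elif current and line.startswith("spanning-tree bpdufilter "):
            ports[current]["per_port"] = line.rsplit(None, 1)[1]
    return ports


def effective_bpdu_filter(per_port, global_enabled, portfast):
    """The slide's decision table: an explicit per-port setting always wins;
    otherwise filtering is active only when the global default is enabled
    and the port is operationally PortFast."""
    if per_port == "enable":
        return True
    if per_port == "disable":
        return False
    return bool(global_enabled and portfast)


def audit(summary_text, config_text):
    """Map each interface to its effective filtering state and where it came from."""
    g = parse_summary_defaults(summary_text)
    report = {}
    for name, cfg in parse_interfaces(config_text).items():
        report[name] = {
            "filtering": effective_bpdu_filter(cfg["per_port"], g["bpdufilter"], cfg["portfast"]),
            "source": "per-port" if cfg["per_port"] != "default" else "global",
        }
    return report


def filtered_ports(summary_text, config_text):
    """Interfaces on which BPDUs are filtered: review each one to be sure no
    other switch is attached behind it."""
    return sorted(n for n, r in audit(summary_text, config_text).items() if r["filtering"])


if __name__ == "__main__":
    for name, r in audit(SUMMARY, RUNNING_CONFIG).items():
        print(f"{name:18} filtering={'on' if r['filtering'] else 'off':3} ({r['source']})")
```

    The "source" field matters operationally: a port filtered by the global default falls back to normal STP as soon as a BPDU arrives (slide text above), whereas an explicit per-port enable is a deliberate configuration choice and deserves a second look.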

    Root Guard

    Useful in avoiding Layer 2 loops during network anomalies

    Forces an interface to become a designated port, preventing surrounding switches from becoming the root switch; enforces the root bridge placement in the network

    When the bridge receives superior BPDUs on a Root Guard-enabled port, the port moves to the root-inconsistent STP state

    The switch does not forward traffic out of that port

    Example: Switches A and B comprise the core of the network and Switch A is the root bridge for a VLAN


    Root Guard Motivation

    Switches A and B comprise the core of the network; Switch A is the root bridge

    When Switch D is connected to Switch C, it begins to participate in STP

    If the priority of Switch D is 0 or any value lower than that of the current root bridge, Switch D becomes the root bridge

    Having Switch D as the root causes the Gigabit Ethernet link connecting the two core switches to block

    This causes all the data to flow via a 100-Mbps link across the access layer

    Obviously a terrible outcome

    Root Guard Operation

    After the Root Guard feature is enabled on a port, the switch does not allow that port to become an STP root port

    Cisco switches log the following message when a Root Guard-enabled port receives a superior BPDU:

    %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state.

    Root Guard Operation

    Current design recommendation is to enable root guard on all access ports

    Switch C blocks the port connecting to Switch D when it receives a superior BPDU

    Port transitions to the root-inconsistent STP state

    No traffic passes through the port while it is in root-inconsistent state

    When Switch D stops sending superior BPDUs, the port unblocks again and goes through the regular STP transition

    Recovery is automatic; no intervention is required
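    The decision a Root Guard port makes, modelled in code as an added example (not course material). Bridge IDs compare the way STP compares them, priority first and MAC address as tie-breaker, so a received BPDU that announces a lower root ID than the current root is "superior". The scenario replays the motivation slide: Switch D with priority 0 appears on a guarded port of Switch C and later goes silent. Switch names, MAC addresses and the 20-second max-age value used for recovery are assumptions of the example.

```python
"""Root Guard decision model.

Added example (not course material): compares bridge IDs the way STP does
(priority first, then MAC address) and models what a Root Guard-enabled
port does when a superior BPDU arrives and when it stops arriving.
Switch names, MACs and the MAX_AGE figure are constructed assumptions.
"""
from dataclasses import dataclass


def mac_to_int(mac):
    """'00d0.00b8.140a' or '00:d0:00:b8:14:0a' -> integer for comparison."""
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 0-65535; lower wins
    mac: str        # tie-breaker: lower MAC wins

    def key(self):
        return (self.priority, mac_to_int(self.mac))

    def is_superior_to(self, other):
        """A BPDU is 'superior' when it announces a better (lower) root ID."""
        return self.key() < other.key()


class RootGuardPort:
    MAX_AGE = 20  # seconds; assumed 802.1D default after which a superior BPDU is forgotten

    def __init__(self, name, vlan, current_root):
        self.name, self.vlan, self.root = name, vlan, current_root
        self.state = "designated"        # normal role for a Root Guard port
        self.last_superior = None
        self.log = []

    def receive_bpdu(self, root_id, now):
        """Superior root ID on a guarded port: block instead of accepting a new root."""
        if not root_id.is_superior_to(self.root):
            return  # inferior or equal BPDU: ordinary STP processing, nothing to guard
        self.last_superior = now
        if self.state != "root-inconsistent":
            self.state = "root-inconsistent"
            self.log.append(
                f"%SPANTREE-2-ROOTGUARDBLOCK: Port {self.name} tried to become "
                f"non-designated in VLAN {self.vlan}. Moved to root-inconsistent state.")

    def tick(self, now):
        """Recovery is automatic: once no superior BPDU has been seen for
        MAX_AGE, the port leaves root-inconsistent and resumes normal STP."""
        if (self.state == "root-inconsistent"
                and now - self.last_superior >= self.MAX_AGE):
            self.state = "designated"
            self.log.append(f"Port {self.name} VLAN {self.vlan}: superior BPDUs aged out, "
                            "port returned to normal STP operation")
        return self.state


def scenario():
    """Switch A (priority 32768) is root; Switch D (priority 0) is plugged into
    Switch C's Root Guard port and then unplugged again."""
    root_a = BridgeId(32768, "00d0.00b8.140a")      # constructed
    switch_d = BridgeId(0, "0011.2233.4455")        # constructed: would win the election
    port = RootGuardPort("Fa5/8", 77, root_a)
    port.receive_bpdu(switch_d, now=0)              # D starts sending superior BPDUs
    blocked = port.state
    port.receive_bpdu(switch_d, now=2)              # still talking: stays blocked
    port.tick(now=10)                               # too early to recover
    still_blocked = port.state
    port.tick(now=22)                               # D silent for MAX_AGE seconds
    return blocked, still_blocked, port.state, len(port.log)


if __name__ == "__main__":
    print(scenario())
```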


    Configuring and Verifying Root Guard

    Switch(config)# interface FastEthernet 5/8
    Switch(config-if)# spanning-tree guard root
    Switch(config-if)# end
    Switch# show running-config interface FastEthernet 5/8
    Building configuration...
    Current configuration: 67 bytes
    !
    interface FastEthernet5/8
     switchport mode access
     spanning-tree guard root
    end

    Switch# show spanning-tree inconsistentports
    Name                 Interface              Inconsistency
    -------------------- ---------------------- ------------------
    VLAN0001             FastEthernet3/1        Port Type Inconsistent
    VLAN0001             FastEthernet3/2        Port Type Inconsistent
    VLAN1002             FastEthernet3/1        Port Type Inconsistent
    VLAN1002             FastEthernet3/2        Port Type Inconsistent

    Number of inconsistent ports (segments) in the system :4

    Preventing Forwarding Loops and Black Holes

    Catalyst switches support two features to address such conditions:

    UDLD (aggressive and normal mode): detects and disables unidirectional links

    Loop Guard: improves the stability of Layer 2 networks by preventing bridging loops

    Loop Guard

    Additional protection against Layer 2 forwarding loops, which can occur if one port of a redundant topology stops receiving BPDUs

    Switches rely on continuous BPDUs

    When one port in a redundant topology stops receiving BPDUs, STP conceives the topology as loop-free

    The blocking port changes to a designated port and moves to the forwarding state, creating a bridging loop

    With the Loop Guard feature, switches do an additional check before transitioning: the switch places the port into the STP loop-inconsistent blocking state instead

    The switch logs the following message: SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.

    Recovery is automatic: once BPDUs are received again, the port transitions through the STP states

    After recovery the switch logs the following message: SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.


    Without Loop Guard

    Unidirectional link failure between B and C

    C is not receiving BPDUs from B

    The blocking port on C transitions to the listening state and then to the forwarding state

    A bridging loop occurs

    Unidirectional Link with Loop Guard

    The blocking port on C transitions into the loop-inconsistent state

    A port in the loop-inconsistent state does not pass data traffic

    The bridging loop does not occur

    Effectively equal to the blocking state

    Loop Guard Messages

    When the Loop Guard feature places a port into the loop-inconsistent blocking state, the switch logs the following message:

    SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.

    After recovery, the switch logs the following message:

    SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.
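    The Root Guard and Loop Guard messages quoted in this section are what a syslog collector sees, so they are a natural monitoring source. The parser below is an added example (not course material): it recognises the three SPANTREE messages shown on the slides, replays them to obtain the set of (port, VLAN) pairs still in an inconsistent state, and counts repeated blocks on the same port, which in practice usually points at a flapping or unidirectional link worth investigating. The log lines, timestamps and the LINK-3-UPDOWN noise line are constructed sample data.

```python
"""Track Root Guard and Loop Guard syslog events.

Added example (not course material): parses the three SPANTREE messages the
slides quote, keeps the current set of inconsistent (port, VLAN) pairs, and
flags ports that block repeatedly.  The log lines below are constructed.
"""
import re
from collections import Counter

PATTERNS = {
    "ROOTGUARDBLOCK": re.compile(
        r"%?SPANTREE-2-ROOTGUARDBLOCK: Port (\S+) tried to become non-designated in VLAN (\d+)\."),
    "LOOPGUARDBLOCK": re.compile(
        r"%?SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port (\S+) in vlan (\d+)\."),
    "LOOPGUARDUNBLOCK": re.compile(
        r"%?SPANTREE-2-LOOPGUARDUNBLOCK: port (\S+) restored in vlan (\d+)\."),
}

# Constructed sample syslog lines (timestamps and port numbers are invented)
SAMPLE_LOG = [
    "Mar  1 00:10:01: %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state.",
    "Mar  1 00:10:05: %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.",
    "Mar  1 00:10:40: %SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.",
    "Mar  1 00:11:10: %LINK-3-UPDOWN: Interface FastEthernet3/2, changed state to up",
    "Mar  1 00:11:12: %SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.",
]


def parse_events(lines):
    """Return a list of {'kind', 'port', 'vlan', 'blocked'} for matching lines;
    lines that are not one of the three guard messages are ignored."""
    events = []
    for line in lines:
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                events.append({"kind": kind, "port": m.group(1),
                               "vlan": int(m.group(2)),
                               "blocked": not kind.endswith("UNBLOCK")})
                break
    return events


def current_inconsistent(events):
    """Replay events in order; returns {(port, vlan): state} for pairs still blocked."""
    state = {}
    for e in events:
        key = (e["port"], e["vlan"])
        if e["blocked"]:
            state[key] = ("root-inconsistent" if e["kind"] == "ROOTGUARDBLOCK"
                          else "loop-inconsistent")
        else:
            state.pop(key, None)
    return state


def repeat_blockers(events, threshold=2):
    """(port, vlan) pairs blocked at least `threshold` times in the window."""
    counts = Counter((e["port"], e["vlan"]) for e in events if e["blocked"])
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("still inconsistent:", current_inconsistent(ev))
    print("repeat blockers:", repeat_blockers(ev))
```

    A Root Guard block has no UNBLOCK counterpart in the messages the slides show, so in this model a root-inconsistent entry stays until an operator clears it; recovery of the actual port is automatic, as described above.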


    Loop Guard Configuration Considerations

    Configure Loop Guard on a per-port basis

    Loop Guard blocks inconsistent ports on a per-VLAN basis

    For example, on a trunk port, if BPDUs are not received for only one particular VLAN, the switch blocks only that VLAN: it moves the port for that VLAN to the loop-inconsistent STP state

    Enable Loop Guard on all nondesignated ports

    Loop Guard should be enabled on root and alternate ports for all possible combinations of active topologies

    Loop Guard is disabled by default on Cisco switches

    Configuring Loop Guard

    Interface configuration command:

    spanning-tree guard loop

    Loop Guard and Root Guard cannot coexist on the same port; enabling Loop Guard disables any Root Guard

    Enabling Loop Guard globally enables it on ports considered to be point-to-point (full-duplex ports)

    The global configuration can be overridden on a per-port basis

    Global configuration command:

    Disable Loop Guard on an interface with the interface configuration command:

    no spanning-tree guard

    Verifying Loop Guard Configuration

    To verify Loop Guard status on an interface, issue the command show spanning-tree interface interface-id detail

    Switch# show spanning-tree interface FastEthernet 3/42 detail
    Port 170 (FastEthernet3/42) of VLAN0001 is blocking
    Port path cost 19, Port priority 128, Port Identifier 128.170.
    Designated root has priority 8193, address 0009.e845.6480
    Designated bridge has priority 8193, address 0009.e845.6480
    Designated port id is 128.160, designated path cost 0
    Timers: message age 1, forward delay 0, hold 0
    Number of transitions to forwarding state: 0
    Link type is point-to-point by default
    Loop guard is enabled on the port
    BPDU: sent 1, received 4501

    Unidirectional Link Failures

    Unidirectional links can cause STP loops

    Unidirectional Link Detection (UDLD) will detect unidirectional link conditions when Layer 1 mechanisms do not

    Provides the ability to shut down the affected interface

    UDLD

    UDLD allows for detection of unidirectional link conditions on switch ports

    The link remains in the up state but the interface is not passing traffic, typically because of faulty Gigabit Interface Converters (GBICs)

    Layer 2 protocol that works with Layer 1 mechanisms

    UDLD performs tasks that auto-negotiation cannot: it detects the identities of neighbors and shuts down misconnected ports

    A UDLD-enabled switch periodically sends hello packets to its neighbor, carrying the sending port's device ID and port ID and the neighbor's device ID and port ID

    Neighbor devices with UDLD enabled send the same hello message

    The switch expects its packets to be echoed back before a predetermined timer expires; if the link is unidirectional it shuts down the port

    UDLD Modes

    Normal Mode: UDLD detects unidirectional links due to misconnected interfaces on fiber-optic connections

    UDLD changes the UDLD-enabled port to an undetermined state if it stops receiving UDLD messages from its directly connected neighbor

    Aggressive Mode (Preferred): when a port stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor

    After eight failed retries, the port state changes to the err-disable state

    Aggressive mode UDLD detects unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and due to misconnected interfaces on fiber-optic links

    UDLD Scenario Due to Miswiring

    A detects a UDLD advertisement from C that is advertising a switch other than A as its neighbor

    All switches detect the miswiring and potentially err-disable the ports

    The default message interval is 15 seconds; it is configurable for faster detection

    UDLD Configuration

    UDLD is disabled on all interfaces by default

    The udld global configuration command affects fiber-optic interfaces only: udld enable enables UDLD normal mode on all fiber interfaces, and udld aggressive enables UDLD aggressive mode on all fiber interfaces

    The udld port interface configuration command can be used for twisted-pair and fiber interfaces

    To enable UDLD in normal mode on a port, use the udld port command

    To enable UDLD in aggressive mode on a port, use the udld port aggressive command

    Use the no udld port command on fiber-optic ports to return control of UDLD to the udld enable global configuration command, or to disable UDLD on nonfiber-optic ports

    Use the udld port aggressive command on fiber-optic ports to override the setting of the udld enable or udld aggressive global configuration command; use the no form on fiber-optic ports to remove this setting and return control of UDLD to the udld global configuration command, or to disable UDLD on nonfiber-optic ports

    Aggressive Mode UDLD

    A variation of UDLD that provides additional benefits

    When a port stops receiving UDLD packets, aggressive mode tries to re-establish the connection

    After eight failed retries, the port is placed in the err-disable state

    Issue                                      UDLD State (Normal Mode)                             Aggressive Mode UDLD State
    Link is bidirectional                      Bidirectional.                                       Bidirectional.
    Layer 1 up, unidirectional link            Error message displayed, port in err-disable state   Error message displayed, port in err-disable state
    Port stuck (tx and rx)                     Undetermined.                                        Error message displayed, port in err-disable state
    One side of a link up and other side down  Undetermined.                                        Error message displayed, port in err-disable state
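    The hello/echo mechanism, the two modes and the miswiring scenario from the preceding slides, modelled together as an added example (not course material). Each port advertises its own device and port ID plus the neighbors it has heard, and declares the link bidirectional only when it sees its own identity echoed back. A neighbor that has had a full interval to echo us and has not is treated as a one-way link (it hears nobody) or a miswire (it hears someone else); in both modes that ends in err-disable, while a neighbor that simply goes silent leaves a normal-mode port "undetermined" and err-disables an aggressive-mode port after eight misses. Device names, port names and the three faults are constructed; the 15-second interval and the eight retries are the slide's figures.

```python
"""UDLD hello/echo exchange model (added example, not course material).

Device and port names and the link faults are constructed; the interval
and retry count come from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hello:
    device: str
    port: str
    echo: tuple     # (device, port) pairs the sender has heard from


class UdldPort:
    MESSAGE_INTERVAL = 15   # seconds
    MAX_RETRIES = 8         # aggressive mode: err-disable after this many misses

    def __init__(self, device, port, aggressive=False):
        self.device, self.port, self.aggressive = device, port, aggressive
        self.first_heard = {}           # (device, port) -> time first heard
        self.state = "undetermined"
        self.misses = 0
        self.errdisabled = False
        self.reason = None

    def hello(self):
        """Our advertisement: identity plus everyone we have heard so far."""
        return Hello(self.device, self.port, tuple(sorted(self.first_heard)))

    def receive(self, h, now):
        if self.errdisabled:
            return
        self.misses = 0
        key = (h.device, h.port)
        self.first_heard.setdefault(key, now)
        if (self.device, self.port) in h.echo:
            self.state = "bidirectional"      # the neighbor hears us too
        elif now - self.first_heard[key] >= self.MESSAGE_INTERVAL:
            # Neighbor had a full interval to echo us and did not: it either
            # hears nobody (one-way link) or hears someone else (miswired).
            self._errdisable("miswired" if h.echo else "unidirectional")

    def missed_hello(self):
        """Called once per interval in which no hello arrived."""
        if self.errdisabled or not self.first_heard:
            return                             # never had a neighbor: nothing to lose
        self.misses += 1
        self.state = "undetermined"            # normal mode stops here
        if self.aggressive and self.misses >= self.MAX_RETRIES:
            self._errdisable(f"no UDLD echo after {self.MAX_RETRIES} retries")

    def _errdisable(self, reason):
        self.errdisabled, self.state, self.reason = True, "err-disabled", reason


def step(delivery, now):
    """One message interval. delivery maps each receiver to the port whose
    hello reaches it, or None when that direction of the link is broken."""
    hellos = {p: p.hello() for p in delivery}
    for rx, tx in delivery.items():
        if tx is None:
            rx.missed_hello()
        else:
            rx.receive(hellos[tx], now)


def pair(aggressive=False):
    return (UdldPort("SwitchA", "Gi5/1", aggressive),
            UdldPort("SwitchB", "Gi1/1", aggressive))


def run_bidirectional():
    a, b = pair()
    for i in range(2):
        step({a: b, b: a}, i * UdldPort.MESSAGE_INTERVAL)
    return a.state, b.state


def run_unidirectional():
    """A's transmit fibre reaches B; B's transmit never reaches A."""
    a, b = pair()
    for i in range(2):
        step({a: None, b: a}, i * UdldPort.MESSAGE_INTERVAL)
    return a.state, b.state, b.reason


def run_lost_neighbor(aggressive):
    """Healthy link, then the neighbor goes silent in both directions."""
    a, b = pair(aggressive)
    for i in range(2):
        step({a: b, b: a}, i * UdldPort.MESSAGE_INTERVAL)
    for i in range(2, 2 + UdldPort.MAX_RETRIES):
        step({a: None, b: None}, i * UdldPort.MESSAGE_INTERVAL)
    return a.state


def run_miswired():
    """A hears C, C hears B, B hears A: each port's neighbor echoes someone else."""
    a, b, c = (UdldPort("SwitchA", "Gi5/1"), UdldPort("SwitchB", "Gi1/1"),
               UdldPort("SwitchC", "Gi2/1"))
    for i in range(2):
        step({a: c, c: b, b: a}, i * UdldPort.MESSAGE_INTERVAL)
    return tuple(p.reason for p in (a, b, c))
```

    The miswired run reproduces the slide's outcome that all three switches detect the problem: none of them ever sees its own identity in the echo list of the hello it receives.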


    UDLD Configuration and Verification

    Switch(config)# interface gigabitEthernet 5/1
    Switch(config-if)# udld port aggressive

    Switch# show udld gigabitEthernet 5/1
    Interface Gi5/1
    ---
    Port enable administrative configuration setting: Enabled / in aggressive mode
    Port enable operational state: Enabled / in aggressive mode
    Current bidirectional state: Bidirectional
    Current operational state: Advertisement - Single neighbor detected
    Message interval: 15
    Time out interval: 5
    Entry 1
    ---
    Expiration time: 38
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: FOX06310RW1
    Port ID: Gi1/1
    Neighbor echo 1 device: FOX0627A001
    Neighbor echo 1 port: Gi5/1
    Message interval: 15
    Time out interval: 5
    CDP Device name: SwitchB

    Loop Guard versus Aggressive Mode UDLD

                                                Loop Guard                                  Aggressive Mode UDLD
    Configuration                               Per port                                    Per port
    Action granularity                          Per VLAN                                    Per port
    Auto-recovery                               Yes                                         Yes, with err-disable timeout feature
    Protection against STP failures caused by   Yes, when enabled on all root ports and     Yes, when enabled on all links in
    unidirectional links                        alternate ports in redundant topology       redundant topology
    Protection against STP failures caused by   Yes                                         No
    problems in software in designated bridge
    not sending BPDUs
    Protection against miswiring                No                                          Yes

    Aggressive Mode UDLD and Loop Guard

    Aggressive mode UDLD cannot detect failures caused by problems in software; these are less common than failures caused by hardware

    Aggressive mode UDLD is more robust in its ability to detect unidirectional links on an EtherChannel: Loop Guard blocks all interfaces of the EtherChannel, whereas aggressive mode UDLD disables only the single port that is exhibiting problems

    Aggressive mode UDLD is not dependent on STP, so it supports Layer 3 links

    Loop Guard does not support shared links or interfaces that are unidirectional on switch bootup: if a port never receives BPDUs, it becomes a designated port

    Aggressive mode UDLD does provide protection against such a failure

    Enabling both aggressive mode UDLD and Loop Guard provides the highest level of protection

    Flex Links

    Flex Links is a Layer 2 availability feature

    Provides an alternative solution to STP: users turn off STP and still provide basic link redundancy

    Flex Links can coexist with spanning tree on the distribution layer switches

    the Flex Links feature

    Flex Links enables a convergence time of less than 50 milliseconds

    Convergence time remains consistent regardless of the number of VLANs or MAC addresses configured

    Flex Links is based on defining an active/standby link pair on a common access switch

    Flex Links are a pair of Layer 2 interfaces, either switch ports or port channels, configured to act as backup to other Layer 2 interfaces

    Flex Links Configuration Considerations

    A Flex Link is configured on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link

    When one of the links is up and forwarding traffic, the other link is in standby mode

    At any given time, only one of the interfaces is in the link-up state and forwarding traffic

    If the primary link shuts down, the standby link starts forwarding traffic

    When the active link comes back up, it goes into standby mode and does not forward traffic

    Flex Links are supported only on Layer 2 ports and port channels, not on VLANs or on Layer 3 ports

    Only one Flex Link backup link can be configured for any active link

    An interface can belong to only one Flex Link pair

    An interface can be a backup link for only one active link

    An active link cannot belong to another Flex Link pair

    STP is disabled on Flex Link ports

    A Flex Link port does not participate in STP, even if the VLANs present on the port are configured for STP
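    The pairing rules and the non-preemptive failover listed above, captured in a small model as an added example (not course material). The configure method rejects any pairing the rules forbid, and the failover logic keeps a recovered active link in standby rather than switching back. Interface names are constructed; the State strings follow the "Active Up/Backup Standby" format of show interface switchport backup, with the other combinations (Down, Standby) modelled rather than copied from real output.

```python
"""Flex Links pair model (added example, not course material).

Enforces the pairing rules from the slide and models non-preemptive
failover.  Interface names are constructed; State strings mirror the
'show interface switchport backup' format.
"""


class FlexLinkError(ValueError):
    """Raised when a configuration would violate the Flex Links pairing rules."""


class FlexLinks:
    def __init__(self):
        self.pairs = {}        # active interface -> backup interface
        self.forwarder = {}    # active interface -> member currently forwarding
        self.link_up = {}      # interface -> physical link state (assumed up initially)

    def configure(self, active, backup):
        """'switchport backup interface <backup>' entered on <active>."""
        if active == backup:
            raise FlexLinkError("an interface cannot back itself up")
        if active in self.pairs:
            raise FlexLinkError(f"{active} already has a backup: only one backup per active link")
        if active in self.pairs.values():
            raise FlexLinkError(f"{active} is already a backup link in another pair")
        if backup in self.pairs or backup in self.pairs.values():
            raise FlexLinkError(f"{backup} already belongs to a Flex Link pair")
        self.pairs[active] = backup
        self.link_up.setdefault(active, True)
        self.link_up.setdefault(backup, True)
        self.forwarder[active] = None
        self._elect(active)

    def set_link(self, iface, up):
        """Physical link event; re-evaluate any pair the interface belongs to."""
        self.link_up[iface] = up
        for active, backup in self.pairs.items():
            if iface in (active, backup):
                self._elect(active)

    def _elect(self, active):
        backup = self.pairs[active]
        current = self.forwarder[active]
        if current is not None and self.link_up[current]:
            return                     # no preemption: a returning active link waits in standby
        for candidate in (active, backup):
            if self.link_up[candidate]:
                self.forwarder[active] = candidate
                return
        self.forwarder[active] = None  # both links down

    def _role(self, active, iface):
        if not self.link_up[iface]:
            return "Down"
        return "Up" if self.forwarder[active] == iface else "Standby"

    def show_backup(self):
        """Rows shaped like 'show interface switchport backup': (active, backup, state)."""
        return [(active, backup,
                 f"Active {self._role(active, active)}/Backup {self._role(active, backup)}")
                for active, backup in self.pairs.items()]


def rejected(fl, active, backup):
    """True when the pairing rules reject this 'switchport backup interface' command."""
    try:
        fl.configure(active, backup)
    except FlexLinkError:
        return True
    return False


def demo():
    """Primary fails, backup takes over, primary returns but stays in standby."""
    fl = FlexLinks()
    fl.configure("FastEthernet1/0/1", "FastEthernet1/0/2")
    states = [fl.show_backup()[0][2]]            # Active Up/Backup Standby
    fl.set_link("FastEthernet1/0/1", up=False)   # primary fails: standby takes over
    states.append(fl.show_backup()[0][2])        # Active Down/Backup Up
    fl.set_link("FastEthernet1/0/1", up=True)    # primary returns: stays in standby
    states.append(fl.show_backup()[0][2])        # Active Standby/Backup Up
    return states


if __name__ == "__main__":
    for s in demo():
        print(s)
```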


    Flex Links Configuration and Verification

    Flex Links are configured at the interface level with the command switchport backup interface

    Here we configure an interface with a backup interface and verify the configuration:

    Switch(config)# interface fastethernet1/0/1
    Switch(config-if)# switchport backup interface fastethernet1/0/2
    Switch(config-if)# end
    Switch# show interface switchport backup

    Switch Backup Interface Pairs:

    Active Interface   Backup Interface   State
    -----------------  -----------------  ---------------------
    FastEthernet1/0/1  FastEthernet1/0/2  Active Up/Backup Standby

    STP Best Practices and Troubleshooting


    Switching Design Best Practices

    Use Layer 3 connectivity at the distribution and core layers

    Use PVRST+ or MST

    Do not disable STP at the access layer

    Isolate different STP domains in a multivendor environment

    Use Loop Guard on Layer 2 ports between distribution switches and on uplink ports from access to distribution switches

    Use Root Guard on distribution switches facing access switches

    Use port security, PortFast, BPDU Guard, and Root Guard on access switch ports facing end stations

    Use aggressive mode UDLD on ports linking switches

    Potential STP Problems

    Duplex mismatch

    Unidirectional link failure

    Frame corruption

    Resource errors

    PortFast configuration error


    Duplex Mismatch

    On a point-to-point link, one side of the link is manually configured as full duplex while the other side is using the default configuration for auto-negotiation

    Unidirectional Link Failure

    A frequent cause of bridge loops

    Undetected failure on a fiber link or a problem with a transceiver

    Frame Corruption

    If an interface is experiencing a high rate of

    physical errors, the result may be lost BPDUs

    May lead to an interface in the blocking state moving to

    the forwarding state

    Uncommon scenario due to conservative default

    STP parameters

    Frame corruption is generally a result of a duplex

    mismatch, bad cable, or incorrect cable length


    Resource Errors

    STP is performed by the CPU (software-based)

    If the CPU of the bridge is over-utilized for any reason,

    it might lack the resources to send out BPDUs

    STP is generally not a processor-intensive

    application and has priority over other processes

    Resource problem is unlikely

    Exercise caution when multiple VLANs in PVST+

    or PVRST+ mode exist

    Consult the product documentation for the recommended number of VLANs and STP instances on any specific switch

    PortFast Configuration Error

    Switch A has Port p1 in the forwarding state and Port p2 configured for PortFast and

    Device B is a hub

    Port p2 goes to forwarding and creates a loop between p1 and p2 as soon as the second

    Loop ceases as soon as p1 or p2 receives a BPDU that transitions one of these two

    ports into blocking mode

    Problem is that if the looping traffic is intensive, the bridge might have trouble

    successfully sending the BPDU that stops the loop

    BPDU guard prevents this type of event from occurring


    Troubleshooting Methodology

    Troubleshooting STP issues can be difficult if logical troubleshooting procedures are not deployed in

    Occasionally, rebooting the switches might resolve the problem temporarily

    Without determining the underlying cause of the problem, the problem is likely to return

    The following steps provide a general overview of a methodology for troubleshooting STP:

    Step 1. Develop a plan

    Step 2. Isolate the cause and correct an STP problem

    Step 3. Document findings

    Chapter 3 Summary (1)

    Spanning Tree Protocol is a fundamental protocol to

    prevent Layer 2 loops and at the same time provide

    redundancy in the network. This chapter covered the basic

    operation and configuration of RSTP and MST.

    Enhancements now enable STP to converge more quickly

    and run more efficiently.

    RSTP provides faster convergence than 802.1D when topology

    changes occur.

    RSTP enables several additional port roles to increase the overall mechanism's efficiency.

    show spanning-tree is the main family of commands used

    to verify RSTP operations.

    MST reduces the encumbrance of PVRST+ by allowing a single

    instance of spanning tree to run for multiple VLANs.


    Chapter 3 Summary (2)

    The Cisco STP enhancements provide robustness and resiliency to the protocol. These enhancements add availability to the multilayer

    switched network. These enhancements not only isolate bridging loops

    but also prevent bridging loops from occurring. To protect STP

    operations, several features are available that control the way BPDUs

    are sent and received:

    BPDU guard protects the operat