Spanning Tree Protocol
1.1.e i PVST+, Rapid PVST+, MST
Introduction (Not on blueprint)
Basic STP purpose:
- Identify valid, loop free paths
- Choose best of these paths for forwarding traffic
- Blocking ports of valid but less-desirable paths
- Hold the less-desirable paths as standby in case the desired path goes down
Network loops:
- STP is a Layer 2 protocol
- Ethernet frames (L2) would loop around forever because, unlike Layer 3 packets, they carry no TTL; STP exists to prevent exactly that
BPDU (Bridge Protocol Data Unit):
- Destination multicast MAC address is 01-80-c2-00-00-00 (IEEE STP/RSTP/MST BPDUs; PVST+ uses it only for the untagged VLAN 1 BPDU)
- Destination multicast MAC address is 01-00-0C-CC-CC-CD (PVST+/RPVST+ per-VLAN BPDUs, 802.1Q-tagged on trunks)
- Source MAC address is the one of the switchport where the BPDU is sent out
- Configuration BPDU:
- Originated only by the root bridge
- Used for STP computation
- Contains all the data about the root bridge (root BID, root path cost, sender BID, sender Port ID, timers)
- Non-root switches relay the Configuration BPDU from the root bridge on their designated ports (if received on the root port)
- Topology Change Notification (TCN) BPDU:
- Can be sent out by all switches (towards the root, on the root port)
- Used to announce STP topology changes
- Carries no data, only tells that a topology change occurred
- Triggered when a port transitions into Forwarding, or when a Forwarding/Learning port goes into Blocking
- Topology Change Acknowledge (TCA):
- Not a separate BPDU type: it is a flag in the Configuration BPDU
- Set by the upstream (designated) switch on the segment to acknowledge a TCN BPDU received from a downstream switch; the TCN is then forwarded hop by hop towards the root
- The root bridge then sets the TC flag in its Configuration BPDUs for Max Age + Forward Delay, which makes every switch age MAC addresses out after Forward Delay instead of the normal 300 seconds
- BPDU version for 802.1d is 0
- BPDU version for 802.1w is 2
- BPDU version for 802.1s (MST) is 3
BPDU default timers:
- Hello timer: 2 seconds
- Minimum: 1 second
- Maximum: 10 seconds
- Forward delay: 15 seconds
- Minimum: 4 seconds
- Maximum: 30 seconds
- Max age: 20 seconds
- Minimum: 6 seconds
- Maximum: 40 seconds
Diameter:
- Maximum number of switches on the longest path between any two end stations in the Layer 2 domain
- Default value is 7
- Value can be between 2 and 7
- Based on the diameter value (and the hello timer), STP can automatically calculate proper Forward Delay and Max Age timers (diameter keyword of the spanning-tree vlan <vlan-ids> root primary command)
Extended Bridge ID:
- With PVST+ each VLAN has its own root bridge
- This requires the BID must also carry the VID (VLAN ID)
// Graphic missing - Coming soon //
Extended Bridge ID explained:
- Bridge priority: A 4-bit field that carries the configured bridge priority (the upper 4 bits of the 16-bit word, hence the steps of 4096). The field looks like:
32768 | 16384 | 8192 | 4096 |
---|---|---|---|
0 | 0 | 0 | 0 |
- Extended system ID: A 12-bit field that carries the VID. The field looks like:
2048 | 1024 | 512 | 256 | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
- MAC address: Just like the “normal” BID a 48-bit field containing the MAC address of the switch.
Root Bridge configuration:
- Primary and secondary root bridge should be defined manually
- Should be placed in the center of the Layer 2 network
Root bridge election characteristics:
- Only one root bridge per STP instance is possible
- On first boot, every switch thinks it is the root bridge and advertises itself as such
- The Bridge ID (BID) is a combination of the switch priority and MAC address
- The root bridge is the switch with lowest Bridge ID (BID)
- Priority starts at 0, increments of 4096, default is 32768, maximum is 61440
- If a root bridge receives a superior BPDU, it revokes its root bridge status
Root bridge election process:
- Switch with lowest priority becomes the root switch
- On tie: The switch with the lowest MAC address becomes the root switch
Root bridge port characteristics:
- All ports have the role “Designated”
- All ports have the status “Forwarding”
Root port/Designated port election on non-root bridge switches:
- Port with lowest (cumulative) root path cost to the root bridge
- On tie: Lowest Sender (Upstream) BID
- On tie: Lowest Sender (Upstream) Port ID (= combination of Port Priority and port number; with the default priority 128 a port with number 7 shows as 128.7, the number itself is platform dependent)
- On tie (eg. several links to the same upstream port through a hub): Lowest local (Receiver) Port ID
Designated port election on shared segment:
- The switch advertising the lowest root path cost onto the segment owns the Designated Port
- On tie: Lowest BID
- On tie: Lowest Port ID
- The root bridge (root path cost 0) therefore wins on every segment it is attached to
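The BPDU layout, the extended Bridge ID and the election order above in working code, as an added example that is not part of the original notes and is not Cisco code: a parser and builder for the 802.1D Configuration BPDU body that decodes the extended BID, exposes the Port ID as priority.number and compares two BPDUs in the same order a switch does (root BID, root path cost, sender BID, sender Port ID). The switch MACs and the rogue BPDU are constructed for the example.

```python
import struct
from dataclasses import dataclass

# 802.1D Configuration BPDU body (35 bytes, big-endian), after the LLC header:
# protocol ID (2) | version (1) | type (1) | flags (1) | root ID (8) |
# root path cost (4) | bridge ID (8) | port ID (2) | message age (2) |
# max age (2) | hello time (2) | forward delay (2).  Timers are in units of 1/256 s.
_CONFIG_BPDU = struct.Struct(">HBBBQIQHHHHH")
BPDU_TYPE_CONFIG, BPDU_TYPE_RST, BPDU_TYPE_TCN = 0x00, 0x02, 0x80


@dataclass(frozen=True)
class BridgeId:
    """Extended Bridge ID: 4-bit priority | 12-bit system ID extension | 48-bit MAC."""
    priority: int        # 0..61440 in steps of 4096 (upper 4 bits of the first 16-bit word)
    system_id_ext: int   # VLAN ID for PVST+/RPVST+, MST instance ID for MST
    mac: bytes           # 6 bytes

    @classmethod
    def from_int(cls, value: int) -> "BridgeId":
        word = value >> 48
        return cls(word & 0xF000, word & 0x0FFF, (value & 0xFFFFFFFFFFFF).to_bytes(6, "big"))

    def to_int(self) -> int:
        if self.priority % 4096 or not 0 <= self.priority <= 61440 or not 0 <= self.system_id_ext <= 4095:
            raise ValueError("priority must be a multiple of 4096 up to 61440, ext ID must fit 12 bits")
        return ((self.priority | self.system_id_ext) << 48) | int.from_bytes(self.mac, "big")

    def key(self) -> tuple:
        """Election order, lower wins: the 16-bit word (priority + ext) decides before the MAC."""
        return (self.priority | self.system_id_ext, self.mac)


@dataclass(frozen=True)
class ConfigBpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    message_age: float
    max_age: float
    hello_time: float
    forward_delay: float

    def priority_vector(self) -> tuple:
        # Comparison order a switch uses to decide which BPDU is superior
        return (self.root_id.key(), self.root_path_cost, self.bridge_id.key(), self.port_id)

    def is_superior_to(self, other: "ConfigBpdu") -> bool:
        return self.priority_vector() < other.priority_vector()

    @property
    def port_priority(self) -> int:   # upper 4 bits of the Port ID, in units of 16
        return (self.port_id >> 12) * 16

    @property
    def port_number(self) -> int:     # lower 12 bits of the Port ID
        return self.port_id & 0x0FFF

    @property
    def topology_change(self) -> bool:
        return bool(self.flags & 0x01)

    @property
    def tc_ack(self) -> bool:
        return bool(self.flags & 0x80)


def parse_config_bpdu(data: bytes) -> ConfigBpdu:
    if len(data) < _CONFIG_BPDU.size:
        raise ValueError("truncated BPDU")
    proto, ver, btype, flags, root, cost, bridge, pid, age, maxage, hello, fwd = _CONFIG_BPDU.unpack_from(data)
    if proto != 0:
        raise ValueError("protocol ID must be 0 for STP")
    if btype not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RST):
        raise ValueError("not a configuration BPDU (a TCN BPDU carries no data)")
    return ConfigBpdu(ver, btype, flags, BridgeId.from_int(root), cost, BridgeId.from_int(bridge),
                      pid, age / 256, maxage / 256, hello / 256, fwd / 256)


def build_config_bpdu(root: BridgeId, root_path_cost: int, bridge: BridgeId, port_id: int,
                      flags: int = 0, message_age: float = 0.0, max_age: float = 20.0,
                      hello_time: float = 2.0, forward_delay: float = 15.0) -> bytes:
    return _CONFIG_BPDU.pack(0, 0, BPDU_TYPE_CONFIG, flags, root.to_int(), root_path_cost,
                             bridge.to_int(), port_id, int(message_age * 256), int(max_age * 256),
                             int(hello_time * 256), int(forward_delay * 256))


# Constructed sample: legitimate VLAN 10 root (priority 4096) vs a rogue bridge claiming priority 0.
CORE = BridgeId(4096, 10, bytes.fromhex("001122334401"))
ROGUE = BridgeId(0, 10, bytes.fromhex("00deadbeef01"))
LEGIT_BPDU = build_config_bpdu(CORE, 0, CORE, 0x8007)     # sent by the root from port 128.7
ROGUE_BPDU = build_config_bpdu(ROGUE, 0, ROGUE, 0x8001)


def rogue_is_superior() -> bool:
    """True: a downstream switch would accept the rogue as root unless Root Guard blocks the port."""
    return parse_config_bpdu(ROGUE_BPDU).is_superior_to(parse_config_bpdu(LEGIT_BPDU))


if __name__ == "__main__":
    b = parse_config_bpdu(LEGIT_BPDU)
    print(f"root {b.root_id.key()[0]}.{b.root_id.mac.hex(':')} sent from port {b.port_priority}.{b.port_number}")
    print("rogue BPDU superior:", rogue_is_superior())
```

Because the priority word is compared before the MAC, a BPDU with priority 0 beats any legitimate root regardless of MAC; the same comparison also shows why VLAN 1 and VLAN 2 with equal priority do not yield equal BIDs, which matters for the MST/PVST+ boundary rules further down.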
Cisco default STP settings:
- PVST+
STP (802.1d) (Not on blueprint)
Spanning Tree Protocol
STP characteristics:
- One STP instance for the whole network
Port Types:
- Root Port: The one port per non-root switch with the best root path cost to the root bridge (upstream).
- Designated Port: The one port per segment that advertises the best root path cost onto that segment (downstream); all ports of the root bridge are designated.
- Non-Designated Port: Port that, compared to the designated port on its segment, has a worse root path cost (or loses the BID/Port ID tie-break) and is therefore blocking
Port States:
- Disabled:
- Port is down
- Blocking:
- Receives BPDUs but sends none; no data is forwarded and no MAC addresses are learned
- Listening:
- Can send and receive BPDUs
- No MAC addresses are learned
- Learning:
- Can send and receive BPDUs
- MAC addresses are learned
- Forwarding:
- Can send and receive BPDUs
- Can send and receive data
“STP 802.1d” CLI show commands:
## Showing STP configuration in brief
Switch# show spanning-tree summary
## Showing STP configuration in detail
Switch# show spanning-tree detail
## Showing STP configuration for a specific VLAN
Switch# show spanning-tree vlan <vlan-id>
PVST+
Per VLAN Spanning Tree Plus
PVST+ characteristics:
- Cisco proprietary protocol
- Per VLAN version of 802.1d (Classic STP)
- One STP instance for every VLAN and therefore one root bridge per VLAN
- After 10 missing BPDUs the neighbor is considered as dead
Extended Bridge ID:
- Introduction of the extended Bridge ID (Priority + VLAN ID + MAC address)
Root Bridge Election:
- Just like normal STP (802.1d) but instead with Extended Bridge ID
Port Roles/States:
- Just like normal STP (802.1d)
“PVST+” CLI configuration commands:
## Enabling PVST+
Switch(config)# spanning-tree mode pvst
## Configuring the PVST+ primary and secondary root bridge for a specific VLAN
Switch(config)# spanning-tree vlan <vlan-ids> root primary
Switch(config)# spanning-tree vlan <vlan-ids> root secondary
RPVST+
Rapid Per VLAN Spanning Tree Plus
RPVST+ general characteristics:
- Cisco proprietary protocol
- Per VLAN version of 802.1w / 802.1D-2004 (RSTP)
- Uses 802.1d rules on the port receiving 802.1d (Classic STP) BPDUs
- One STP instance for every VLAN and therefore one root bridge per VLAN
RPVST+ convergence/timer characteristics:
- Designed to massively speed up convergence
- Convergence is typically sub-second on P2P links (no timers involved)
- Fast convergence only possible if both sides receive BPDUs and if the proposal/sync process is successful
- With fast convergence, no timers are used, synchronization is based on the proposal/sync process
- On shared links timer-based convergence is used
Proposal/Agreement/Sync Process:
- Used only by Point-to-Point (P2P) links
- Proposal/sync process travels from top (root bridge) to bottom (access layer)
- Proposal = Signifies willingness to become Designated Forwarding port
- If the proposal bit in a BPDU is 1, no one has yet agreed to the information
- Sync process:
- Ports between two switches come up as designated (role) and discarding (state), both switches assuming to be the root; all non-edge ports are blocked
- Both switches transmit a BPDU with the proposal bit set
- The BID of the incoming BPDU is compared against the own BID (and, once a root is known, the full priority vector: root BID, root path cost, sender BID, sender Port ID)
- If the own BID is lower, the switch disagrees with the incoming BPDU and keeps sending its own proposal stating that it is the root bridge
- If a switch agrees with a proposal, it syncs first: all its other non-edge designated ports are put into discarding, the receiving port becomes the root port, and only then is a BPDU with the agreement bit set returned; both ends of the link then go to forwarding without waiting for any timer
- The superior BPDU is forwarded downstream with the proposal bit set and this process repeats hop by hop until full convergence is done
RPVST+ BPDU characteristics:
- BPDUs are sent out by every switch and used as keepalives (by default every 2 seconds)
- After 3 missing BPDUs the neighbor is considered as dead
- Only one type of BPDU (configuration BPDU) is used
- TCN BPDUs are no longer used, unless a legacy bridge (running 802.1d) needs to be notified
- Instead, a configuration BPDU with the TC bit set will be sent out
- Edge ports don’t trigger topology changes anymore
- When a non-edge port goes into Forwarding state, a configuration BPDU with the TC bit set is triggered
- A configuration BPDU with the TC bit set forces the receiving switch to wipe out all MAC addresses on all non-edge ports except the one where the BPDU was received
Extended Bridge ID:
- Just like normal PVST+ (Priority + VLAN ID + MAC address)
Root bridge election:
- Just like normal PVST+ (Priority + VLAN ID + MAC address) + proposal/agreement process
Link Types:
- Full duplex:
- Point-to-Point (P2P) links
- Half duplex:
- Shared links
Port Types:
- Edge port:
- Port where a single host connects (PortFast); goes to forwarding immediately and never triggers a topology change
- Point-to-point (P2P) port:
- Full-duplex port between two switches; the only type that takes part in the proposal/agreement process
- Shared port:
- Half-duplex port (eg. towards a hub); falls back to timer-based convergence
Port Roles:
- Root port:
- Upstream port that has the best root path cost to the root bridge
- Designated port:
- Downstream port that has the best root path cost to the root bridge
- Alternate port:
- Considered as an alternate root port
- Receives BPDUs but sends none
- Equivalent to the UplinkFast port
- Operates in discarding state
- Backup port:
- Considered as a backup designated port
- Same collision domain as the other designated port
- Operates in discarding state
Port States:
- Discarding:
- Combines 802.1d disabled, blocking and listening states
- Incoming frames are dropped
- No MAC addresses are learned
- Can send and receive BPDUs
- Learning:
- Unable to send or receive data
- MAC addresses are learned
- Can send and receive BPDUs
- Forwarding:
- Can send and receive data
- Can send and receive BPDUs
“RPVST+” CLI configuration commands:
## Enabling RPVST+
Switch(config)# spanning-tree mode rapid-pvst
## Configuring the RPVST+ link type for a specific interface
Switch(config)# interface <if>
Switch(config-if)# spanning-tree link-type [point-to-point | shared]
## Configuring the RPVST+ primary and secondary root bridge for a specific VLAN
Switch(config)# spanning-tree vlan <vlan-ids> root primary
Switch(config)# spanning-tree vlan <vlan-ids> root secondary
MST
Multiple Spanning Tree
MST characteristics:
- Defined under 802.1s
- Backwards compatible with PVST+ and RPVST+ using classic 802.1d timers
- Topology calculation/convergence is done like RSTP (802.1w)
- One STP instance for multiple (grouped) VLANs
- Can be complex and requires great deal of planning
- Number of MST instances is platform dependent: 16 (0-15) on older Cisco platforms, 65 (0-64) on newer ones; instance 0 is always the IST
- Every VLAN is mapped to instance 0 by default
- Uses long cost by default (see “Path Cost”)
- A MST region is always seen as a “black box” or “one big switch” from the point of other switches who don’t belong to that specific region
- A single BPDU is used for all instances
- MST BPDUs contain configuration attributes that a receiving switch compares against its own configuration
- BPDUs don't include the whole VLAN-to-instance table, only an MD5 digest of it (HMAC-MD5 with a fixed key defined by the standard), together with the configuration name and revision
MST VLAN pruning:
- When pruning, all VLANs of a given MST instance (and never individual VLANs!) must be pruned off a trunk, otherwise traffic of individual VLANs in that instance can be interrupted
- This is because MST calculates a STP topology for each MST instance and not for individual VLANs
Important MST configuration similarities on all participating switches:
- Configuration name
- Revision version
- VLANs to MST instance mapping
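The digest mechanism and the three region parameters above, as an added Python example that is not part of the original notes and not Cisco code: it builds the 4096-entry MST configuration table, computes the HMAC-MD5 configuration digest with the key defined by 802.1s, and compares the (name, revision, digest) triple two switches would exchange in their BPDUs. The switch configurations SW1 to SW4 are constructed for the example; the default digest value is the one IOS shows for a configuration where every VLAN is still in instance 0.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key from IEEE 802.1s (now 802.1Q, "Configuration Digest")
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
DEFAULT_MST_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"   # every VLAN in instance 0


def mst_config_table(instance_to_vlans: dict) -> bytes:
    """Build the 4096-entry MST Configuration Table (two octets per VID, VID 0 and 4095 unused)."""
    table = [0] * 4096
    seen = set()
    for instance, vlans in instance_to_vlans.items():
        if not 0 <= instance <= 4094:
            raise ValueError(f"MST instance {instance} out of range")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            if vid in seen:
                raise ValueError(f"VLAN {vid} mapped to more than one instance")
            seen.add(vid)
            table[vid] = instance
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def mst_config_digest(instance_to_vlans: dict) -> str:
    """Hex digest (upper case, as IOS prints it) of the VLAN-to-instance mapping."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instance_to_vlans), hashlib.md5).hexdigest().upper()


def region_id(name: str, revision: int, instance_to_vlans: dict) -> tuple:
    """The three values a BPDU carries; two switches are in the same region iff all three match."""
    return (name, revision, mst_config_digest(instance_to_vlans))


def same_region(a: tuple, b: tuple) -> bool:
    return region_id(*a) == region_id(*b)


def explain_mismatch(a: tuple, b: tuple) -> list:
    """Which of name / revision / VLAN mapping differ (the digest hides the mapping detail)."""
    ra, rb = region_id(*a), region_id(*b)
    return [label for label, x, y in zip(("name", "revision", "vlan-mapping"), ra, rb) if x != y]


# Constructed sample configurations: (name, revision, {instance: vlans})
SW1 = ("CAMPUS", 1, {1: range(10, 20), 2: range(20, 30)})
SW2 = ("CAMPUS", 1, {1: [19, 18, 17, 16, 15, 14, 13, 12, 11, 10], 2: range(20, 30)})  # same mapping, other order
SW3 = ("CAMPUS", 1, {1: range(10, 20), 2: range(20, 29)})   # VLAN 29 left in instance 0
SW4 = ("CAMPUS", 2, {1: range(10, 20), 2: range(20, 30)})   # only the revision differs

if __name__ == "__main__":
    print("default digest:", mst_config_digest({}))
    for other in (SW2, SW3, SW4):
        print(other[:2], "same region as SW1:", same_region(SW1, other), explain_mismatch(SW1, other))
```

A single VLAN left out of an instance on one switch (SW3) changes the digest and silently splits the region into two, which is why the mapping is compared by digest on every switch rather than trusted from a template.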
Instance Types:
- CST: Common Spanning Tree. Maintains a loop-free path between different MST regions.
- CIST: Common and Internal Spanning Tree. Combination of CST and IST. Maintains a loop-free path between all switches within a STP domain.
- IST: Internal Spanning Tree. Also known as Instance 0. Only Instance to send BPDUs. Contains all VLANs which haven’t been assigned to an MST Instance. Runs inside a MST region.
- MSTI: Multiple Spanning Tree Instance. Maintains a loop-free path between all switches for a defined group of VLANs within the MST Instance. Runs inside a MST region.
Root bridges within MST:
- CST root bridge: A single "global" root (the CIST root) for the whole STP domain; all regions and all non-MST switches agree on it.
- CIST regional root bridge (= IST root): Each region has exactly one. It is the switch inside the region with the lowest external root path cost to the CST root, so normally a boundary switch; if the CST root itself sits in the region, it is also the regional root.
- MSTI root bridge: Each MSTI within a MST region has its own root bridge, elected only among the switches of that region.
// Graphic missing - Coming soon //
“MST” CLI configuration commands:
## Enabling MST
Switch(config)# spanning-tree mode mst
## Configuring MST including instances
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name <mst-name>
Switch(config-mst)# revision <rev-id>
Switch(config-mst)# instance <id> vlan <vlan-ids>
## Fine-tuning MST parameters
Switch(config)# spanning-tree mst hello-time <value>
Switch(config)# spanning-tree mst forward-time <value>
Switch(config)# spanning-tree mst max-age <value>
## Configuring the MST bridge priority for a specific instance
Switch(config)# spanning-tree mst <instance> priority <value>
## Configuring the MST primary and secondary root bridge for a specific instance
Switch(config)# spanning-tree mst <instance> root primary
Switch(config)# spanning-tree mst <instance> root secondary
“MST” CLI show commands:
## Showing the current MST configuration parameters
Switch(config-mst)# show current
## Showing the pending MST configuration parameters
Switch(config-mst)# show pending
## Showing MST instance and port status
Switch# show spanning-tree mst
1.1.e MST/(Rapid-)PVST+ interoperability (not on blueprint)
General Information on “MST/(Rapid-)PVST+ interoperability”:
- When connecting a MST region to a (Rapid-)PVST+ topology, MST simulates PVST+ with the PVST simulation mechanism
- This means that the MST region replicates the MST IST BPDU for each VLAN on the interfaces connected to the (Rapid-)PVST+ switches
- Therefore each BPDU carries the same information and advertises the same root bridge
- Interfaces connected to (Rapid-)PVST+ switches are called boundary interfaces/ports
- When the MST region is receiving PVST+ BPDUs, it decides on the port role for the boundary interfaces for all VLANs by looking at the information in all PVST+ BPDUs
- If the MST IST BPDU is superior to all PVST+ BPDUs, the port of the MST switch becomes a designated port
- If the MST IST BPDU is inferior to the PVST+ VLAN 1 BPDU and all other PVST+ VLAN BPDUs are superior to the PVST+ VLAN 1 BPDU, then the port will become a root port
- Important: If the PVST+ VLAN 1 BPDU is superior, all other PVST+ BPDUs must be superior to the PVST+ VLAN 1 BPDU (hint: with the extended bridge ID and equal priorities, the BIDs of VLAN 2 and up are larger than the VLAN 1 BID, so the PVST+ side needs a lower priority on those VLANs) or else the port will become PVST simulation inconsistent (= blocking)!
- Important: When connecting a MST-enabled network to a non-MST network, it is recommended to make the MST region the root for all VLANs!
1.1.e ii Switch priority, port priority, path cost, STP timers
Switch priority
Switch priority characteristics:
- The default switch priority is 32768
- Value can be between 0 and 61440 in increments of 4096
- The lower, the better
- Used as first measurement when two switches try to decide who of them is the root bridge
“STP Switch priority” CLI configuration commands:
## Configuring the STP bridge priority for a specific VLAN
Switch(config)# spanning-tree vlan <vlan-ids> priority <value>
Port priority
Port priority characteristics:
- The default port priority is 128
- Value can be between 0 and 240 in increments of 16 (the upper 4 bits of the 16-bit Port ID)
- The lower, the better
- Important: Changing the port priority on a downstream switch towards an upstream switch doesn’t change the STP behavior. When working with port priority, the value must be changed on the upstream switch towards the downstream switch!
“STP Port priority” CLI configuration commands:
## Configuring the STP port priority for all VLAN
Switch(config)# interface <if>
Switch(config-if)# spanning-tree port-priority <value>
## Configuring the STP port priority for a specific VLAN
Switch(config)# interface <if>
Switch(config-if)# spanning-tree vlan <vlan-ids> port-priority <value>
Path cost
Path cost characteristics:
- Port with lowest path cost (cumulated) to Root Bridge becomes the Root Port
- The path cost is determined by the bandwidth along the path
- Path cost can be tuned manually per port or per VLAN
- The lower, the better
- By default, the short/classic path cost is used which can be changed to the long path cost method
- The path cost method should be equal across all switches
Data rate | STP Cost (802.1D-1998) | STP Cost (802.1D-2004) |
---|---|---|
4 Mbps | 250 | 5,000,000 |
10 Mbps | 100 | 2,000,000 |
16 Mbps | 62 | 1,250,000 |
100 Mbps | 19 | 200,000 |
1 Gbps | 4 | 20,000 |
2 Gbps | 3 | 10,000 |
10 Gbps | 2 | 2,000 |
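Root port and designated port selection with the cost tables above, as an added Python example that is not part of the original notes and not Cisco code: it emulates BPDU relay over a small constructed topology (switch names and MACs are hypothetical), applies the tie-breakers from the root port election section, and shows why port priority has to be lowered on the upstream switch to steer the downstream root port.

```python
from collections import defaultdict
from dataclasses import dataclass

# Port cost tables from the section above (short = 802.1D-1998, long = 802.1D-2004), keyed by Mbps
SHORT_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 2000: 3, 10000: 2}
LONG_COST = {4: 5_000_000, 10: 2_000_000, 16: 1_250_000, 100: 200_000, 1000: 20_000,
             2000: 10_000, 10000: 2_000}


def port_cost(mbps: int, method: str = "short") -> int:
    return (SHORT_COST if method == "short" else LONG_COST)[mbps]


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int


def bid_key(priority: int, mac: str) -> tuple:
    return (priority, bytes.fromhex(mac.replace(":", "")))


def port_id(port: int, priority: int = 128) -> int:
    """16-bit Port ID: upper 4 bits priority/16, lower 12 bits port number (128.7 -> 0x8007)."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority is 0..240 in steps of 16")
    return ((priority // 16) << 12) | port


def spanning_tree(switches: dict, links: list, method: str = "short", port_priorities: dict = None) -> dict:
    """Return {"root": name, switch: (root path cost, root port)} for every non-root switch.

    switches: {name: (priority, mac)}; port_priorities: {(switch, port): priority}.
    Emulates BPDU relay: each switch repeatedly picks the best (cost, sender BID,
    sender Port ID, own Port ID) among its neighbours until nothing changes.
    """
    prio = port_priorities or {}
    root = min(switches, key=lambda s: bid_key(*switches[s]))
    adjacent = defaultdict(list)
    for link in links:
        cost = port_cost(link.mbps, method)
        adjacent[link.a].append((link.a_port, link.b, link.b_port, cost))
        adjacent[link.b].append((link.b_port, link.a, link.a_port, cost))

    best = {root: (0, None)}
    for _ in range(len(switches)):          # Bellman-Ford style; converges in at most N passes
        changed = False
        for sw in switches:
            if sw == root:
                continue
            candidates = [
                (best[nb][0] + cost,                                  # root path cost via this port
                 bid_key(*switches[nb]),                              # tie 1: sender BID
                 port_id(nb_port, prio.get((nb, nb_port), 128)),      # tie 2: sender Port ID
                 port_id(my_port, prio.get((sw, my_port), 128)),      # tie 3: own Port ID
                 my_port)
                for my_port, nb, nb_port, cost in adjacent[sw] if nb in best
            ]
            if candidates:
                winner = min(candidates)
                new = (winner[0], winner[4])
                if best.get(sw) != new:
                    best[sw], changed = new, True
        if not changed:
            break
    return {"root": root, **{sw: best[sw] for sw in switches if sw != root}}


def designated_ends(switches: dict, links: list, tree: dict, port_priorities: dict = None) -> dict:
    """For each link, which end holds the designated port: lower (root path cost, BID, Port ID) wins."""
    prio = port_priorities or {}
    rpc = lambda sw: 0 if sw == tree["root"] else tree[sw][0]
    out = {}
    for link in links:
        va = (rpc(link.a), bid_key(*switches[link.a]), port_id(link.a_port, prio.get((link.a, link.a_port), 128)))
        vb = (rpc(link.b), bid_key(*switches[link.b]), port_id(link.b_port, prio.get((link.b, link.b_port), 128)))
        out[link] = link.a if va < vb else link.b
    return out


# Constructed topology: R is root (priority 4096), A and B keep the default priority
SWITCHES = {"R": (4096, "00:11:22:33:44:01"), "A": (32768, "00:11:22:33:44:0a"), "B": (32768, "00:11:22:33:44:0b")}
LINKS = [Link("R", 1, "A", 1, 1000), Link("R", 2, "A", 2, 1000),   # two parallel 1G uplinks R-A
         Link("R", 3, "B", 1, 100), Link("A", 3, "B", 2, 1000)]      # B: 100M direct vs 1G via A

if __name__ == "__main__":
    print(spanning_tree(SWITCHES, LINKS))
    # port priority must be lowered on the UPSTREAM side (R) to steer A onto its second uplink
    print(spanning_tree(SWITCHES, LINKS, port_priorities={("R", 2): 64}))
```

With the short method B prefers the two-hop 1 Gbps path (4 + 4 = 8) over its direct 100 Mbps link (19), so B's port 1 ends up non-designated; lowering the priority on A's side of the parallel links changes nothing, only the value on R's port 2 moves A's root port.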
“STP Path cost” CLI configuration commands:
## Configuring STP to use the long path cost calculation method
Switch(config)# spanning-tree pathcost method long
## Modifying the STP path cost of a specific interface manually
Switch(config)# interface <if>
Switch(config-if)# spanning-tree cost <value>
## Modifying the STP path cost on a specific interface for a specific VLAN manually
Switch(config)# interface <if>
Switch(config-if)# spanning-tree vlan <vlan-ids> cost <value>
STP timers
Default values (Classic STP):
- Hello: 2 sec
- Forward Delay: 15 sec
- Max Age: 20 sec
- Aging Time: 300 sec
Timer meanings:
- Hello: Time between each BPDU that is sent on a port
- Forward Delay: Time spent in listening and learning per state
- Max Age: Maximum time a bridge port saves its BPDU information
STP timer characteristics:
- Only timer changes configured on the root bridge will take effect
“STP timers” CLI configuration commands:
## Configuring the STP hello timer manually
Switch(config)# spanning-tree vlan <vlan-ids> hello-time <value>
## Configuring the STP forward delay timer manually
Switch(config)# spanning-tree vlan <vlan-ids> forward-time <value>
## Configuring the STP max age timer manually
Switch(config)# spanning-tree vlan <vlan-ids> max-age <value>
1.1.e iii PortFast, BPDU Guard, BPDU Filter
PortFast
What PortFast does:
- Normal STP port behavior: Blocking - Listening - Learning - Forwarding
- PortFast port behavior: immediately Forwarding (Listening and Learning are skipped)
PortFast characteristics:
- Should always be used on ports connecting to end devices (hosts)
- The configured port goes immediately from Blocking to Forwarding state
- Useful in situations where eg. DHCP timeouts occur because of the STP port process
- Normally only used on edge (access/single-host) ports
- When enabled on edge port, only takes effect when port is in non-trunking mode
- Can also be enabled on a trunk port with a specific command
- PortFast ports don‘t create STP topology change BPDUs
- When a BPDU is received on a PortFast port, the PortFast state is revoked and the port goes through the normal STP states (so PortFast alone is no protection against a switch plugged into an access port; combine it with BPDUguard)
- Can be enabled per port or globally
- Also known as “edge port” in RSTP
“STP PortFast” CLI configuration commands:
## Enabling PortFast globally
Switch(config)# spanning-tree portfast default
## Enabling PortFast per interface (access interfaces)
Switch(config)# interface <if>
Switch(config-if)# spanning-tree portfast
## Enabling PortFast per interface (trunk interfaces)
Switch(config)# interface <if>
Switch(config-if)# spanning-tree portfast trunk
“STP PortFast” CLI show commands:
## Showing if PortFast is enabled for a specific interface
Switch# show spanning-tree interface <if> portfast
BPDUguard
BPDU = Bridge Protocol Data Unit = Contains STP information
What BPDUguard does:
- When a port receives a BPDU message, the port will go immediately into errdisable state
BPDUguard characteristics:
- Usually used in combination with PortFast on access ports: an end host never sends BPDUs, so a BPDU there means an unauthorized switch or a host injecting crafted BPDUs (eg. to win the root election and pull traffic through itself)
- Automatic errdisable recovery possible (errdisable recovery cause bpduguard), but must be enabled, disabled by default
- Can be enabled per port OR globally (global = all PortFast-enabled ports)
- Never to be used together with per-port BPDUfilter because the filter drops incoming BPDUs before BPDUguard sees them, so BPDUguard becomes ineffective
“STP BPDUguard” CLI configuration commands:
## Enabling BPDUguard globally
Switch(config)# spanning-tree portfast bpduguard default
## Enabling BPDUguard per interface
Switch(config)# interface <if>
Switch(config-if)# spanning-tree bpduguard enable
BPDUfilter
What BPDUfilter does:
- Prevents a port from sending or receiving BPDU messages
BPDUfilter characteristics:
- Can be configured in two ways (either/or):
- Global config: Applies to PortFast ports only. The port stops sending BPDUs after a few initial ones; if a BPDU is received, PortFast and the filter are revoked and the port runs normal STP
- Per-port config: Effectively disables STP on the configured port in both directions: no BPDUs are sent and received BPDUs are silently dropped. A switch plugged in behind such a port can create a loop that STP can no longer detect, so only use it where a loop is physically impossible
- Never to be used together with BPDUguard because BPDUguard will become ineffective
“STP BPDUfilter” CLI configuration commands:
## Enabling BPDUfilter globally
Switch(config)# spanning-tree portfast bpdufilter default
## Enabling BPDUfilter per interface
Switch(config)# interface <if>
Switch(config-if)# spanning-tree bpdufilter enable
1.1.e iv Loop Guard, Root Guard
Loop Guard
What Loop Guard does:
- Blocks a non-designated port from going from BLOCKING/DISCARDING to FORWARDING state when it suddenly stops receiving BPDUs (eg. a unidirectional link failure), which would otherwise open a loop after Max Age expires
Loop Guard characteristics:
- Monitors non-designated (root and alternate) ports and keeps them in the non-designated state
- Keeps track of BPDU activity on non-designated ports
- At a sudden loss of BPDUs the port goes into the loop-inconsistent state (BLOCKING)
- When the port receives BPDUs again it automatically cycles through the STP states and becomes active again
- Can be enabled globally or per port
“STP Loop Guard” CLI configuration commands:
## Enabling Loop Guard globally
Switch(config)# spanning-tree loopguard default
## Enabling Loop Guard per interface
Switch(config)# interface <if>
Switch(config-if)# spanning-tree guard loop
“STP Loop Guard” CLI show commands:
## Showing inconsistent STP interfaces
Switch# show spanning-tree inconsistentports
Root Guard
What Root Guard does:
- Prevents a switch connected to a protected port from becoming the root bridge, no matter how good the BID it advertises
Root Guard characteristics:
- Prevents every downstream switch from becoming the primary or secondary root bridge, even if it has a lower BID (or an attacker behind it sends crafted superior BPDUs)
- When a superior BPDU is received on a RootGuard protected port, the BPDU is discarded and the port is put into root-inconsistent state (BLOCKING)
- The RootGuard protected port will always be a STP designated port
- RootGuard should be enabled on all ports where the root bridge should never appear
- No traffic passes through the port while it is in inconsistent state
- After the connected switch stops sending superior BPDUs the port is automatically unblocked again (automatic recovery)
- The normal STP process (depending on the STP mode) is running on the port as long as the connected device doesn't send superior BPDUs
- RootGuard must be configured on a per-port basis and can't be configured globally
Root Guard best practice:
- Assuming that the root bridge is the core switch:
- Enable it on all core switch ports connecting to distribution switches (designated ports)
- Enable it on distribution switch ports connecting to access switches (designated ports)
“STP Root Guard” CLI configuration commands:
## Enabling Root Guard per interface
Switch(config)# interface <if>
Switch(config-if)# spanning-tree guard root
“STP Root Guard” CLI show commands:
## Showing inconsistent STP interfaces
Switch# show spanning-tree inconsistentports
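Turning the guard events from the BPDU Guard, Loop Guard and Root Guard sections into detections, as an added Python example that is not part of the original notes: a parser for the syslog messages IOS emits when one of the guards acts on a port, plus two summaries a SOC would want. The sample log lines are constructed for the example, modeled on the %SPANTREE and %PM message formats; a port that Root Guard keeps blocking means something behind it keeps advertising a superior BPDU, and a BPDU Guard errdisable on an access port means a switch or BPDU-injecting host appeared there.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Patterns modeled on the IOS SPANTREE/PM syslog messages for the three guards
_GUARD_RE = re.compile(
    r"%SPANTREE-2-(?P<guard>ROOTGUARD|LOOPGUARD)_(?P<action>BLOCK|UNBLOCK): "
    r"\w+ guard (?:un)?blocking port (?P<port>[^,\s]+) on (?P<vlan>VLAN\d+)\."
)
_BPDUGUARD_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>[^,\s]+) with BPDU Guard enabled"
)
_ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\w+) error detected on (?P<port>[^,\s]+)")


@dataclass(frozen=True)
class GuardEvent:
    guard: str            # rootguard | loopguard | bpduguard | errdisable
    action: str           # block | unblock, or the errdisable cause
    port: str
    vlan: Optional[int]   # None where the message carries no VLAN


def parse_guard_event(line: str) -> Optional[GuardEvent]:
    """Return a GuardEvent for a guard-related syslog line, None for anything else."""
    m = _GUARD_RE.search(line)
    if m:
        return GuardEvent(m["guard"].lower(), m["action"].lower(), m["port"], int(m["vlan"][4:]))
    m = _BPDUGUARD_RE.search(line)
    if m:
        return GuardEvent("bpduguard", "block", m["port"], None)
    m = _ERRDISABLE_RE.search(line)
    if m:
        return GuardEvent("errdisable", m["cause"].lower(), m["port"], None)
    return None


def parse_log(lines) -> list:
    return [event for event in (parse_guard_event(line) for line in lines) if event]


def ports_with_superior_bpdus(events, threshold: int = 2) -> dict:
    """(port, vlan) pairs Root Guard blocked at least `threshold` times: someone keeps claiming root."""
    counts = Counter((e.port, e.vlan) for e in events if e.guard == "rootguard" and e.action == "block")
    return {key: n for key, n in counts.items() if n >= threshold}


def errdisabled_by_bpduguard(events) -> set:
    """Access ports that were shut by BPDU Guard: an unexpected switch or BPDU sender behind them."""
    return {e.port for e in events if e.guard == "errdisable" and e.action == "bpduguard"}


# Constructed sample log (hypothetical timestamps, ports and VLANs)
SAMPLE_LOG = """\
Mar  1 08:12:01.101: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/7 on VLAN0010.
Mar  1 08:12:21.104: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/7 on VLAN0010.
Mar  1 08:12:23.110: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/7 on VLAN0010.
Mar  1 08:13:02.500: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Mar  1 08:13:02.503: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 08:20:45.001: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/8 on VLAN0020.
Mar  1 08:21:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
""".splitlines()

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("repeated superior BPDUs:", ports_with_superior_bpdus(events))
    print("errdisabled by BPDU Guard:", errdisabled_by_bpduguard(events))
```

Root Guard recovers automatically, so a single block/unblock pair is normal noise after a misconfiguration; the repeat counter is what separates a one-off from a device that is persistently trying to become root.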