This is my review and notes of Chapter 3 of “Implementing Cisco Switched Networks Foundation Learning Guide”.
I found this chapter a hard read. The different versions of spanning-tree along with enhancements can be a hard area to stomach. For me, the problem is that the different versions along with enhancements, are similar enough that I find it hard to distinguish the differences between each protocol, along with what each of the different “Port Guards” and “Port Filters” do. This is no fault of the book, but something I felt I needed to say anyway.
I think this chapter also could have been written better. There were a few paragraphs I quite plainly did not understand, until I looked at a different source for an explanation and then reread the text book. It felt like, ‘oh I can now see what they’re trying to say’, but the writer was coming from a background of already knowing what they were writing about. For someone new, or coming from CCNA, I think they could struggle reading some of this.
On the positive, I think the layout of the chapter is generally okay. It initially goes through each version/type of Spanning-Tree along with modes and distinguishing features between them. The seconds half of the chapter is dedicated to STP enhancements.
If you want a really good how-to with examples, see How to Master CCNP Switch. I think it does this well. I feel the goal of the book is not to throw a whole lot of theory at you, but give you just enough theory that you actually understand each feature through examples. If I manage to get through the foundation learning guide with enough time before my exam, I may read all of the gns3vault book.
Having just finished this chapter, it feels like it was written by multiple people, where there were some things said at one point, that had some disconnection to something else at another point. As in, you could be reading about feature X on one page, and something related to feature X was said on another page later on, but there was no connection made between the two things, or re-affirming the earlier point. An example being Cisco PortFast, and RSTP Edge port. Both are very similar but still
In terms of the CCNP exam, probably need to know:
– Core basics of STP
– Enough to understand PVST+ and configure it
– Possibly some RSTP/MST
– Spanning-Tree Enhancements
– Background of STP
– Spanning-tree basics
– RSTP (+ Port states, Roles etc.)
– Basics of PVRST+ along with configuration
– MST (Basics + MST Regions, and Configuration)
– Spanning Tree Enhancements (BPDU Guard/Filter, Root Guard, Loop Guard)
– UDLD, Flex Links
– Recommended STP practices
INSERT IMAGE HERE
CST – Common Spanning Tree
– 1 STP instance, regardless of no. of VLANs
– Low Resources needed.
– Slow to converge
– Sub-optimal traffic flow can occur if more than one VLAN due to all traffic being required to take the same path.
Per VLAN Spanning-tree Plus
– Enhancement of STP with multiple instances, 1 for each VLAN.
– Includes several enhancements such as PortFast, BPDU Guard, BPDU Filter, Root Guard, Loop Guard
– Higher Resources needed.
– Each VLAN has a root bridge, allowing for optimisation of traffic flows for each VLAN.
Rapid STP – 802.1W
– Evolution of STP allowing for fast convergence.
– Medium Resources
– Still only single STP instance.
– Maps multiple VLANs that have the same traffic flow requirements into the same STP instance.
– Cisco implementation provides up to 16 instances of RSTP and combines many VLANs with the same physical and logical topology into a common RSTP instance.
Per VLAN Rapid Spanning Tree Plus
– Cisco enhanced version of RSTP similar to PVST+
– Provides a separate instance of 802.1W per VLAN
– Resources needed = very high.
PVST+ is Cisco default.
STP initially converges on a logically loop free topology by performing these steps:
1. Elects one Root Bridge
– All active ports are Designated Fowarding
– These ports send/recv traffic and configuration messages (BPDUs)
– Lowest priority switch becomes Root Bridge.
2. Selects the Root port on all Non-Root Switches
– Each switch in the spanning tree has a port it uses to reach the root bridge. This is known as the root port and is the port used to send/receive traffic to/through other switches.
– Root port is the lowest cost path from the non-root bridge to the root bridge.
– If non-root bridge has two or more equal cost paths to the root bridge, it selects the port that has the lowest port ID.
– Port-ID consists of a configurable priority + port number.
3. Selects the Designated port on each segment.
– On each segment, STP establishes one designated port on the bridge that has the lowest path cost to the root bridge.
– All ports that are up on the root bridge are Designated Forwarding.
– The Switch primarily chooses a designated port as the least-cost path to the root bridge. In the event of a tie, the bridge ID acts as the tiebreaker.
What the heck does that mean? The below image should explain it.
Looking at the example, each switch has a port it uses to reach the root bridge known as the root port. It is possible for the switch to have other ports still fowarding to other switches though, and not have any loops caused. For example, the link between B and D. B’s down link is Designated Forwarding, while the port on D is the Root Port. As we have a loop between B and C, C loses the tie breaker and marks the port as nondesignated/blocked.
STP Port States
– NonDesignated port and does not participate in frame forwarding.
– Port receives BPDUs to determine the location and rootID of the root switch and which port roles (root, designated, or nondesignated) each switch port should assume in the final active STP topology.
– Default time in this state is 20 seconds (MaxAage)
– STP has established that the port can participate in the STP topology.
– In this state, port is both receiving and sending BPDUs to neighbors.
– Default time in this state is 15 seconds (Forward Delay).
– Port prepares to participate in frame forwarding and begins to populate the CAM table.
– Default time in this state is 15 seconds (Forward Delay).
– Port is actively forwarding traffic with other switches in topology.
– Port sends/receives BPDUs.
– Does not participate in STP nor forward frames.
So how does the switch determine which port should be the Root Port?
– Through a cost value associated with the port.
– Swith port cost is based on link speed.
The cost to the root bridge is calculated using the cumulative costs of all links between the local switch and the root bridge and becomes the path cost.
Default port cost values:
10 Gbit – Cost 1
1 Gbit – Cost 4
100 Mbit – Cost 19
What happens when you have two paths with the same accumulative cost?
The Tie breaker is the PortID. PortID is a combination of a default value and port number. The default value is 128. So port 1’s port ID is a priority of 128.1.
Lowest PortID wins.
RSTP – Rapid Spanning Tree Protocol 801.1W
Enhancements over STP:
– A lot faster at converging
– Introduces several new port roles (Alternate and Backup)
– Simplified port states (Discarding, Learning, Forwarding)
– Backwards compatible with STP
RSTP Port States
– Represents STP’s Disabled, Blocking, Listening states
– State is seen in both a stable active topology and during topology snchronisation and changes.
– Discarding state prevents the forwarding of traffic therefore no network loop.
– Seen in both stable active topology and topology synchronisation and changes.
– Accepts data frames to populate the MAC table to limit flooding of unknown unicast frames.
– Only seen in stable active topologies.
– Self explanatory (data is forwarding).
RSTP Port Roles
– Switch port on every non-root switch that is chosen as the path to the root bridge.
– Only 1 root port can be on each switch.
– See STP operation above. Same as STP.
– See STP operation above. Same as STP.
– Switch port that offers an alternative path toward the root bridge.
– Assumes a discarding state in a stable environment.
– Present on nondesignated switches and makes a transition to designated port if the current designated path fails. See below image for what this looks like.
– If two switches have two redundant links, one link will be Designated (with Root Port at the other end), and the other link as Designated (with Backup at the other end). See below image.
– A backup port has a higher port ID than the designated port on the designated switch.
– The backup port assumes the discarding state in a stable environment.
Rapid Transitioning to Forwarding
RSTP introduces two new variables called Link type (Probably not important to know for the exam), and Edge port.
– Provides categorisation for each port participating in RSTP.
– Derived from port duplex mode. Full Duplex is considered to be a point to point link, where as half duplex is probably on a shared medium.
– I’m not sure how much this still plays a part in networks today…
Only thing more to be aware of, is of Root, Alternate, Blocking and Designated, only Designated Ports really makes use of the link type parameter.
– Port configured on the switch to be connected to a host.
– Equivilent to Cisco PortFast feature
– Allows the port to transition directly to forwarding, skipping the listening and learning stages.
– Doesn’t generate a topology Change (TCN) when its’ link transitions to up.
– If an edge port receives a BPDU, it immediately loses its’ edge port status and becomes a normal STP port. This is different behavior to Cisco PortFast. <— This is from the book. I have yet to find out how Edge Ports and PortFast totally differ.
Bridge Idenfier for PVRST+
Because PVST+ or PVRST+ requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID info.
Bridge ID in this case, is made up of:
Bridge Priority: default is 32768. This is only a 4-bit field, so the value increments by 4096.
Extended system ID: 12 bit field carrying in this case, the VID
MAC Address: 6 byte field with MAC address of single switch.
If no priority has been configured, every switch will have the same default priority, and the election of the root for each VLAN is based on the MAC address. Because this can result in a random switch becoming the root bridge, it is advisable to lower the bridge priority on the switch that should be the root bridge in your network.
MST – Multiple Spanning Tree
– Purpose is to reduce the total number of STP instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.
– MST enables you to build multiple spanning trees over trunks by grouping VLANs and associating them with STP instances. Each instance can havee a topology independent of other spanning-tree instances. This architechture provides multiple active forwarding paths for data traffic and enables load balancing.
The main enhancement introduced by MST is the ability to map several VLANs to a single spanning-tree instance. The problem with this though, is how do you known what VLAN should be associated with which instance.
Each switch that runs MST in the network has a single MST config that consists of:
– Alphanumeric config name
– Config rev. no.
– 4096 element table that associates each of the potential 4096 VLANs supports on the switch to a given instance.
Extended System ID for MST
– Consists of Bridge priority + Extended System ID + MAC Address.
In the case of MST, the Extended Sys ID is the MST Instance Number.
S1(config)#spanning-tree mst configuration
S1(config-mst)#show current – Display the current configuration before making changes
S1(config-mst)#instance ___ vlan ___
S1(config-mst)#show pending – MST config to be applied
S1(config-mst)#end – Applies the config
S1(config-mst)#spanning-tree mst instance-no root primary|secondary
S1(config-mst)#spanning-tree extend system-id – Enables MAC addr reduction
S1(config-mst)#spanning-tree mst pre-standard – Cmd required IF neighbor is using a prestandard version of MST.
Spanning Tree Enhancements
– Prevents accidential connection of an STP switch to a PortFast enabled port.
BPDU Guard puts an interface configured for STP PortFast in the err-disabled state upon receipt of a BPDU. The Switch disables the interface[s] as a preventitive step to avoid potential bridging loops.
Once a port has been put in the err-disabled state, the switch requires manual intervention by ‘no shut’ing the port. Alternatively BPDU Guard can be configured to that after a set interval, the port will be ‘no shut’, but will again shutdown for a specified amount of time if it receives another BPDU.
To enable globally: “spanning-tree portfast edge bpduguard default”
Alternatively under each desired port: “spanning-tree bpduguard enable”
To verify: “Show Spanning-tree summary totals”
– Restricts the switch from sending BPDUs out access ports.
When enabled globally, BPDU filtering has the following effect:
– Affects all operational PortFast ports that do not have BPDU filtering configured on the individual ports (well no duh!)
– If BPDUs are seen, the port loses its’ PortFast state, BPDU filtering is disabled, and STP begins to send/receive BPDUs on that port.
– On switch/port start up, the port transmits 10 BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.
When enabled on an individual port:
– Ignores all BPDUs received.
– Sends no BPDUs.
If you enable BPDU Guard on the same interface as BPDU Filtering, BPDU Guard has no effect because BPDU filtering takes precedence over BPDU Guard.
To enable globally: “spanning-tree portfast bpdufilter default”
To enable PortFast BPDU filtering on a specific port: “ spanning-tree bpdufilter enable”
Verify config: “show spanning-tree summary”
– Prevents switches connected on ports configured as access ports from becoming the root switch.
– Root Guard provides a way to enforce the root bridge placement in the network.
– If the bridge receives superior STP BPDUs on a Root Guard-enabled port, the port moves to a root-inconsistent STP state (effectively equal to a listening state, and the switch does not forward traffic out of that port. Because of this, this feature effectively enforces the position of the root bridge.
Best practice is to enable Root Guard on all access ports so that a root bridge is not established through these ports.
If a superior BPDU is received on a Root Bridge port, the port goes into root-inconsistent state (effectively same as listening state). At this point, a log message will appear in the buffer. The port will stay in this state as long as superier BPDUs are being received. Once superior BPDUs are no longer received, the port will transition to the forwarding state. Recovery is automatic, and no user intervention is required.
To enable on an interface: spanning-tree guard root
Verify: Show spanning-tree inconsistentports
Preventing Forwarding Loops and Black Holes
Loop Guard provides additional layer 2 protection against forwarding loops.
Loop Guard places a port in STP loop-inconsistent state when it stops receiving BPDUs, and will recover when BPDUs are again recieved.
This is to stop the port transitioning to the listening/learning/forwarding state after the MaxAge timer has expired when that port should in fact be receiving BPDUs. Why could this happen? If there’s an issue with the physical link (e.g. Unidirectional link failure) between the two switches for whatever reason, the switch with a port currently blocking may still be able to send traffic. So when this link comes up, in at least 1 direction we have a loop in the network.
A port in the STP loop-inconsistent state does not pass data traffic, hence, a bridging looop does not occur. The loop-inconsistent state is effectively equal to the blocking state.
Loop Guard is configured on a per port basis, although the feature blocks inconsistent ports on a per-VLAN basis.
Enable Loop Guard on all Non-Designated ports (E.g. Root Port, Alternate Port)
To enable on an interface: spanning-tree guard loop
Globally: spanning-tree loopguard default
Verify: Show spanning-tree interface __ detail
A unidirectional link occurs when traffic is transmitted between neighbors in one direction only. This can cause spanning-tree loops.
UDLD enables a device to shutdown a link when a unidirectional link is detected.
UDLD is most useful on fibre links, but can also be configured on ethernet.
With UDLD enabled, the switch periodically sends UDLD protocol packets to its’ neighbor and expects the packets to be echoed back before a predetermined timer expires. Default interval is 15 seconds.
A UDLD-enabled switch sends UDLD protocol packets with its own device ID and port ID to the neighboring device. The UDLD is in determined status if the switch sees its own information in the packet sent by the neighbor. If the device does not see itself in the neighboring device’s UDLD protocol packets, the link is determined as unidirectional.
To enable udld globally: udld enable [aggressive]
to enable on an interface: udld enable [aggressive]
In normal mode: UDLD marks this port as “Undetermined”, but does NOT shut down or disable the port, which continues to operate under it’s current STP status. This mode of operations is informational and potentially less disruptive (though it does not prevent STP loops).
In aggressive mode: When a port stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After 8 failed attempts, the port state changes to err-disable state, which effectively disables the port. To get out of this state, the port needs to be shut, then no shut. Alternatively also enable “errdisable recovery” to auto recover from such issues.
Comparason between Aggressive Mode UDLD and Loop Guard
While these two features overlap in what they offer, they differ in their approach to the problem and in functionality. Both complement eachother and it can be advisable to enable both features at the same time.
Loop Guard focuses on problems around BPDUs being received, and the STP daemon. UDLD focuses from the perspective of miswiring or other cabling issues.
In the case of EtherChannel, if BPDUs are not being received, the whole aggregator will shutdown with LoopGuard. Meanwhile, if the problem is physical in terms of one of the links in the EtherChannel, Aggressive UDLD can detect this issue and only shut down the affected cable.
– Simple alternative to STP.
– This enhancement enables a convergence time of less than 50 milliseconds.
– Convergence time remains consistent regardless of the number of VLANs or MAC addresses configured on uplink ports.
– Only supported on Layer 2 ports and port channels, not on VLANs or on L3 ports.
– STP is disabled on Flex Link ports.
S1(config)#switchport backup interface fa0/2
S1#show int switchport backup
Recommended Spanning Tree Practices
– Loop Guard is implemented on the L2 ports between distribution switches and on the uplink ports from the access switches to the distribution switches.
– Root Guard is configured on the distribution swtich ports facing the access switches.
– UplinkFast is implemented on the uplink ports from the access switches to the distribution switches.
– BPDU Guard or Root Guard is configured on ports from the access switches to the end devcies, as is PortFast.
– UDLD enables devices to monitor the physical configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is detected, UDLD shuts down the affected LAN port. UDLD is often configured on ports linking switches.
– Depending on the security requirements of an organisation, the port security feature can be used to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port.
Check the Port Status:
– Blocked ports: Check to make sure the switch reports receiving BPDUs periodically on the root and blocked ports. To check BPDUs on ports:
– show spanning-tree vlan __ detail
– Duplex mismatch: check on both ends of the link
– show interface
– Port Utilisation: An overloaded port may fail to transmit vital BPDUs and is also and indication of a possible bridging loop.
– Show interface
– Frame curruption: Unlikely issue, but check the input error fields using ‘show interface’.