Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that redundant paths in your network do not create loops. Loops are deadly to a network: Ethernet frames carry no hop count, so a single broadcast frame caught in a loop is flooded forever, saturating links and switch CPUs.
STP is necessary wherever you want redundant links without loops. Redundant links are your backup paths: when the primary link fails, a backup link takes over so that users can continue to use the network. Without STP on the bridges and switches, the same redundancy that provides failover also creates a loop.
Note that there are different flavors of STP, such as plain STP (802.1D), PVST+ (Cisco), RSTP (802.1w), Rapid PVST+ (Cisco) and MST (802.1s). When selecting one or more flavors, ensure that they are compatible with each other and provide optimal performance.
During execution of the Spanning-Tree Algorithm, some redundant ports must be blocked to avoid bridging loops. The following three values, compared in this order, decide which port is used for forwarding frames and which port is blocked:
1. Path cost: The port with the lowest root path cost (the cost accumulated along the path to the root bridge) is placed in forwarding mode. Other ports are placed in blocking mode.
2. Bridge ID: If the path costs are equal, the bridge ID of the switch that sent the BPDU on each port is compared. The port that receives the BPDU from the lowest bridge ID is elected to forward, and all other ports are blocked.
3. Port ID: If the path cost and bridge ID are also equal, the port ID is used to elect the forwarding port. The port that receives the BPDU with the lowest sender port ID is chosen to forward. This situation arises when there are parallel links between the same two switches, used for redundancy.
A switch port participating in Spanning-Tree Protocol passes through the following states:
1. Blocking state: This is the initial state of every port. Ports are put in the blocking state to prevent bridging loops; a blocking port receives BPDUs but neither forwards data nor learns MAC addresses.
2. Listening state: This is the second state. The port sends and receives BPDUs and takes part in root and port election, but still does not forward data frames and does not learn MAC addresses. The time a port stays in listening is set by the forward delay ("fwd delay") timer.
3. Learning state: Learning comes after listening. The only difference is that the port now adds the source MAC addresses it sees to its address table; data frames are still not forwarded. The time a port stays in learning is also set by the forward delay timer.
4. Forwarding state: A port can send and receive data in this state. A port reaches forwarding only after listening and learning have both completed (two forward delays, 30 seconds by default), which gives the topology time to settle so that no redundant path is left forwarding.
5. Disabled state: This is the state of a port that has been shut down, either for administrative reasons or because of a switch-specific problem. A disabled port takes no part in STP.
The bridge ID consists of the following:
1. 2-byte priority: The default value on Cisco switches is 0x8000 (32,768); the lower the priority, the higher the chance of becoming the root bridge. On switches that use the extended system ID (802.1t), this 16-bit field is really a 4-bit priority plus the 12-bit VLAN (or MST instance) number, which is why Cisco IOS accepts priorities only in steps of 4096.
2. MAC address: The 6-byte MAC address of the bridge; the lower the MAC address, the higher the chance of becoming the root bridge.
Note that the bridge (or switch) with the lowest 2-byte priority becomes the root bridge. If the priority values are the same, the bridge with the lowest 6-byte MAC address becomes the root bridge. Because a network left at default priorities elects its root by MAC address alone, the root usually ends up being the oldest switch; set the priority explicitly on the intended root (and on a backup root) rather than leaving the election to chance.
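Putting the three tie-breakers and the bridge ID layout together, the following added Python example (not code from the original notes, and not a Cisco implementation) elects the root from a set of bridge IDs and then selects the root port of a non-root switch from the best BPDU seen on each of its ports, including the parallel-link case where only the sender's port ID breaks the tie. The switch names, MAC addresses and costs are constructed; the port cost table uses the 802.1D-1998 "short" values that Cisco IOS applies by default.

```python
"""Root election and root-port selection as 802.1D does them.

Added example, not code from the original notes and not a Cisco
implementation. Switch names, MAC addresses and costs are constructed.
"""

# 802.1D-1998 "short" default port costs (Cisco IOS default), by link speed in Mb/s.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> int:
    """Build the 8-byte bridge ID: 2-byte priority followed by the 6-byte MAC.

    Comparing the resulting integers compares priority first and MAC second,
    which is exactly the ordering 802.1D uses.
    """
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 6 bytes")
    return (priority << 48) | mac_int


def port_id(number: int, priority: int = 128) -> int:
    """16-bit port ID in the 802.1D-1998 layout: 8-bit priority, 8-bit port number."""
    if not (0 <= priority <= 255 and 1 <= number <= 255):
        raise ValueError("port priority and number must each fit in 8 bits")
    return (priority << 8) | number


def elect_root(bridge_ids) -> int:
    """The root bridge is simply the lowest bridge ID in the broadcast domain."""
    return min(bridge_ids)


def select_root_port(received: dict, local_costs: dict):
    """Select the root port of a non-root bridge.

    received:    {local_port_id: (root_id, sender_root_path_cost,
                                  sender_bridge_id, sender_port_id)}
                 i.e. the best BPDU seen on each local port.
    local_costs: {local_port_id: cost of that local port}

    Ties are broken in 802.1D order: lowest root path cost, then lowest
    sender bridge ID, then lowest sender port ID, then lowest local port ID.
    Returns (root port ID, this bridge's root path cost).
    """
    if not received:
        raise ValueError("no BPDUs received: this bridge would consider itself root")
    root = min(bpdu[0] for bpdu in received.values())
    candidates = []
    for local_port, (root_id, rpc, sender_bid, sender_pid) in received.items():
        if root_id != root:
            continue  # a BPDU announcing a worse root is inferior information
        candidates.append((rpc + local_costs[local_port], sender_bid, sender_pid, local_port))
    best = min(candidates)
    return best[3], best[0]


def demo() -> dict:
    """Three switches: A and B at default priority, C with priority 4096."""
    a = bridge_id(32768, "0000.0c00.0001")
    b = bridge_id(32768, "0000.0c00.0002")
    c = bridge_id(4096, "0000.0c00.00ff")   # lowest priority wins despite the highest MAC
    root = elect_root([a, b, c])

    # Best BPDU seen on each of B's three Gigabit ports.  Two of them are
    # parallel links straight to C, the third reaches C through A.
    gi1, gi2, gi3 = port_id(1), port_id(2), port_id(3)
    received = {
        gi1: (c, 0, c, port_id(1)),                # from C's port 1; C is the root (cost 0)
        gi2: (c, PORT_COST[1000], a, port_id(2)),  # from A, itself one Gigabit hop from C
        gi3: (c, 0, c, port_id(2)),                # from C's port 2, parallel to gi1
    }
    costs = {gi1: PORT_COST[1000], gi2: PORT_COST[1000], gi3: PORT_COST[1000]}
    root_port, root_path_cost = select_root_port(received, costs)
    return {"root": root, "root_port": root_port, "root_path_cost": root_path_cost}


if __name__ == "__main__":
    print(demo())
```

In the constructed topology, B's ports gi1 and gi3 both reach the root at cost 4 from the same sender, so only C's port ID decides, and gi1 wins because C sent on its lower-numbered port. Change C's priority to 32768 and A becomes the root on MAC address alone, which is the accidental election the note above warns about.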
The following methods are used for implementing Spanning-Tree in a VLAN environment:
1. PVST (Per VLAN Spanning Tree): This is a Cisco proprietary method and requires Cisco ISL trunk encapsulation. A separate instance of Spanning-Tree runs for every VLAN.
2. CST (Common Spanning Tree): This is the method specified by IEEE 802.1Q. A single instance of Spanning Tree runs for all VLANs, and BPDUs are exchanged untagged on VLAN 1 (the native VLAN).
3. PVST+ (Per VLAN Spanning Tree Plus): This is also a Cisco proprietary method for implementing STP in a VLAN environment; it runs one instance per VLAN over 802.1Q trunks.
PVST+ is available with Catalyst (CatOS) release 4.1 or above. Switches running releases before 4.1 use the PVST implementation of Spanning-Tree. PVST+ is backward compatible with PVST and requires no configuration to interoperate with it (plug-and-play compatible). PVST+ also interoperates with the 802.1Q CST (Common Spanning Tree) implementation used by other vendors' switches.
To configure a Rapid Spanning Tree Protocol (RSTP) edge port (a port facing an end host, which goes straight to forwarding and should never receive a BPDU), use the interface command
Switch(config-if)#spanning-tree portfast
To enable Multiple Spanning Tree (MST) on a switch, use the command
Switch(config)#spanning-tree mode mst
To enter MST configuration mode on a switch, use the command
Switch(config)#spanning-tree mst configuration
RSTP defines port states according to what the port does with the incoming frames. The allowed port states are as given below:
a. Discarding: The incoming frames are discarded. No MAC addresses are learned.
b. Learning: The incoming frames are dropped, but MAC addresses are learned.
c. Forwarding: The incoming frames are forwarded according to the learned MAC addresses.
The following are true about protecting an STP topology using Cisco switches:
1. With the "root guard" feature, a switch port that receives a superior BPDU (one advertising a better bridge ID than the current root) is put into the root-inconsistent state: it keeps listening for BPDUs, but no data can be sent or received through the port until the superior BPDUs stop.
2. BPDU guard is recommended wherever PortFast is enabled. This is normally done on access layer switches, where end-user systems are connected and no BPDU should ever arrive.
3. A port configured with BPDU guard is put into the errdisable state as soon as any BPDU is received on it.
If you have enabled STP protection features, the following command lists the ports that have been placed in an inconsistent state (for example root-inconsistent or loop-inconsistent):
show spanning-tree inconsistentports
The following command lets you see the reason for an inconsistency on a particular port:
show spanning-tree interface <type> <mod>/<num> [detail]
The Spanning-Tree Protocol builds the topology in this order. First the root switch (say, switch A) is elected. Then every other switch selects its root port, the port with the lowest path cost to the root. Finally, on each LAN segment, the switch that offers the lowest path cost to the root becomes the designated switch for that segment (say, switch B), and its port on that segment is the designated port; every remaining port is blocked. If switch C reaches the root only through the segment it shares with B, then B is the designated switch for C, A is the root switch, and C's root port is the port facing B: frames from C travel to the root (A) through the designated switch (B).
The command "show spanning-tree" includes information about the following:
1. VLAN number
2. Root bridge priority and MAC address
3. Bridge timers (Max Age, Hello Time, Forward Delay)
4. The local bridge ID, and the role, state, cost and port ID of each interface in the VLAN
The following is the sample output of the "show spanning-tree" command
PVST (Per VLAN Spanning Tree) implementation has one instance of STP running for each VLAN. Therefore, when there are 32 VLANs in the bridge network, there will be 32 instances of STP running. Also, each VLAN has a unique root, path cost etc. corresponding to that VLAN.
PVST+ implementation of Spanning-Tree interoperates with 802.1Q compliant switches, that are using Common Spanning Tree (CST) protocol.
The three different types of SPAN are:
1. Local SPAN: The SPAN source and destination are located on the local switch.
2. Remote SPAN: The SPAN source and destination are located on different switches.
3. VLAN based SPAN: Here the source is a VLAN instead of a port.
Rapid Spanning Tree Protocol (RSTP) is based on the IEEE standard 802.1w. The standard has evolved from its predecessor 802.1D. 802.1w has the advantage of faster convergence over 802.1D.
1. 802.1D: This is the original Spanning Tree Protocol (STP), which provides a loop-free switched or bridged network. Topology changes are handled dynamically.
2. 802.1Q: The IEEE 802.1Q specification establishes a standard method for tagging Ethernet frames with VLAN membership information.
3. 802.1w: This standard was developed after 802.1D and offers faster convergence. 802.1w is known as Rapid Spanning Tree Protocol (RSTP).
4. 802.1s: The IEEE 802.1s standard defines the Multiple Spanning Tree protocol (MST).
Two features available on Cisco switches for protecting against unexpected BPDUs are:
a. root guard: When configured at the interface level, root guard puts the port into the root-inconsistent (blocking) state as soon as the port receives a superior BPDU, that is, a BPDU that would make a switch behind that port the new root. The port is not errdisabled. By default, root guard is disabled on all switch ports. To enable root guard, use the command:
switch(config-if)#spanning-tree guard root
Once superior BPDUs are no longer received (after the max age timer expires), the port automatically goes through the normal STP states and returns to normal use. Root guard belongs on ports that should never lead toward the root, typically a distribution switch's downlinks toward access switches; put it on an access switch's uplink and it will block the path to the legitimate root.
b. bpdu guard: If any BPDU (superior or not) is received on a port configured with BPDU guard, the port is immediately put into the errdisable state. The port is effectively shut down and must be re-enabled either manually (shutdown followed by no shutdown) or by the errdisable recovery timer (errdisable recovery cause bpduguard, with the interval set by errdisable recovery interval <seconds>). By default, BPDU guard is disabled on all ports. To enable it, use the following command in interface configuration mode:
switch(config-if)#spanning-tree bpduguard enable
BPDU guard can also be enabled on every PortFast port at once with the global command spanning-tree portfast bpduguard default. A port that has been errdisabled stays in that state even after BPDUs are no longer received. It is recommended to use BPDU guard on all ports that have PortFast enabled. The protection is useful on access layer switches, where end-user computers are expected to be connected, and it is the main defence against a rogue or accidentally connected switch on an access port taking over as root.
The following STP features help prevent misbehaviour of STP due to a sudden loss of BPDUs:
a. BPDU skew detection: It measures the time that elapses between the expected arrival of a BPDU (every hello interval, 2 seconds by default) and its actual arrival. A late BPDU is a sign that a switch's CPU is overloaded; if BPDUs stayed away for a whole max age, a blocking port would start forwarding and create a loop. The skew condition is reported via syslog messages only; it does not change any port state.
b. Loop guard: Loop guard provides additional protection against L2 forwarding loops (STP loops). For example, an STP loop is created when a blocking port in a redundant topology erroneously transitions to forwarding because BPDUs stopped arriving (a unidirectional link is the usual cause). With loop guard, such a port goes into the loop-inconsistent (blocking) state instead and recovers automatically when BPDUs return. Loop guard needs to be enabled on the non-designated ports to effectively prevent STP loops. Non-designated ports are the root port, alternate root ports, and ports that are normally blocking. The command used to enable loop guard on a port is:
Switch(config-if)# spanning-tree guard loop
The command is used at port level; loop guard is disabled by default on all switch ports. It can also be turned on for every port at once with the global command spanning-tree loopguard default. Loop guard and root guard cannot both be enabled on the same port.
Unidirectional Link Detection (UDLD): The UDLD protocol allows devices connected through fiber-optic or twisted-pair Ethernet to monitor the physical configuration of the cables and detect when a unidirectional link exists (traffic passes in one direction only, typically because one fiber strand or one transceiver has failed). Such a link is dangerous to STP because the blocking side stops receiving BPDUs while the other side still sees the link as up. If a unidirectional link is detected, UDLD can shut down the affected port (aggressive mode) and sends out an alert.
UDLD has two modes of operation:
1. Normal mode: The port is allowed to keep operating after a unidirectional link is detected; UDLD marks the port as undetermined and generates a syslog message to alert the administrator.
2. Aggressive mode: When a unidirectional link is detected, the switch tries to re-establish the UDLD relationship with the neighbor (eight attempts, one per second). If that fails, the port is immediately placed in the errdisable state.
By default, UDLD is disabled on a switch. UDLD can be enabled either globally (which affects fiber ports only) or on a per-interface basis. To enable UDLD globally, use the following global configuration command:
Switch(config)#udld {aggressive | enable | message time <seconds>}
Use the "aggressive" keyword to enable aggressive mode. On a single interface, fiber or copper, use the interface command udld port [aggressive].
Message time <seconds> can be set to any value between 7 and 90 seconds. This is the interval at which the switch port sends UDLD messages to the neighboring port to check whether the link is operating in both directions.
There are two different ways of protecting against bad or unexpected BPDUs:
1. Root Guard, and
2. BPDU Guard
There are three ways of protecting against sudden loss of BPDUs:
1. BPDU Skew Detection
2. Loop Guard
3. UDLD
STP timers keep the bridged network stable and loop-free. The timer values are set on the root bridge and carried to every other switch in the root's BPDUs, so they need to be configured only on the root (and on a backup root). Default timer values are:
Hello time: 2 seconds
Max age: 20 seconds
Forward delay (fwd delay): 15 seconds
These default values are derived assuming a network diameter of 7. The diameter can have values from 2 to 7. Diameter is measured from the root bridge (including the root bridge) to the farthest bridge; each bridge along the path increments the count by one. Lowering the timers below what your real diameter needs is how people create loops with STP enabled, so if faster convergence is wanted, state the diameter (spanning-tree vlan <vlan-id> root primary diameter <n>) and let the switch derive consistent timers rather than setting the timers by hand.
STP is enabled by default on every port and every VLAN on Cisco switches. It is preferred to leave it enabled, so that bridging loops don't occur.
On CatOS switches, STP can be disabled selectively on a specific port by issuing the command:
Switch (enable) set spantree disable <mod-number>/<port-number>
Ex: Switch (enable) set spantree disable 2/4
The above command disables STP on port 4 of module 2. On IOS switches, STP is disabled per VLAN rather than per port (Switch(config)#no spanning-tree vlan <vlan-id>), which removes loop protection from every port in that VLAN; if the goal is only to skip the listening and learning delay on a host port, use PortFast with BPDU guard instead.
The advantages of Common Spanning Tree (CST) approach to VLAN implementation are fewer BPDUs and less processing overhead. Remember that in PVST, each VLAN has a separate instance of STP running.
The disadvantages of the CST implementation are a sub-optimal root bridge (since there is only one root bridge for all VLANs, it may not be placed optimally for some of them) and, possibly, longer convergence times.
STP UplinkFast is most suitable for use with access layer switches. This feature is not supported in Core layer switches like 8500 series switches.
The following are true about Rapid Spanning Tree Protocol:
1. RSTP uses the 802.1D BPDU format to provide backward compatibility. However, the BPDU version field is set to 2 (and the BPDU type to 2, an RST BPDU) to distinguish an RSTP BPDU from an 802.1D BPDU.
2. A switch running RSTP can detect a neighbor failure in three missed Hello intervals, or 6 seconds with the default 2-second hello. This is much shorter than the 20-second max age used for 802.1D.
3. RSTP uses the "Root Bridge" in the same manner as 802.1D STP.
4. If a switch running RSTP receives an 802.1D BPDU on a port, the switch falls back to 802.1D rules on that port.
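To see what the version field and a "superior BPDU" (the thing root guard and BPDU guard react to, described earlier) look like on the wire, the following added Python example, which is not code from the original notes, encodes and parses 802.1D configuration BPDUs and 802.1w RST BPDUs and applies the priority-vector comparison that decides whether a received BPDU replaces the current one. Both BPDUs are constructed byte strings, not captures; the rogue one imitates a device on an access port sending a BPDU with priority 0. The builder function and constant names are this example's own.

```python
"""Encode/parse 802.1D and 802.1w BPDUs and apply the "superior BPDU" test.

Added example, not code from the original notes. The two BPDUs at the bottom
are constructed byte strings, not captures; builder and constant names are
this example's own.
"""
import struct

# Fixed part of a Configuration BPDU (802.1D-1998 clause 9.3.1), big-endian:
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay.
_CONFIG_FMT = ">HBBB8sI8sHHHHH"
_CONFIG_LEN = struct.calcsize(_CONFIG_FMT)  # 35 bytes
BPDU_TYPE_CONFIG, BPDU_TYPE_RST, BPDU_TYPE_TCN = 0x00, 0x02, 0x80
VERSION_STP, VERSION_RSTP = 0, 2


def _split_bid(raw8: bytes):
    """8-byte bridge ID -> (priority, 'aa:bb:cc:dd:ee:ff'); tuple order == 802.1D order."""
    return int.from_bytes(raw8[:2], "big"), ":".join(f"{b:02x}" for b in raw8[2:])


def _join_bid(priority: int, mac: str) -> bytes:
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def build_bpdu(version, btype, root, root_path_cost, bridge, port_id,
               hello=2, max_age=20, forward_delay=15, message_age=0, flags=0) -> bytes:
    """Encode a config (v0) or RST (v2) BPDU. root/bridge are (priority, mac).
    Timer fields are carried in units of 1/256 s."""
    body = struct.pack(_CONFIG_FMT, 0, version, btype, flags, _join_bid(*root),
                       root_path_cost, _join_bid(*bridge), port_id,
                       message_age * 256, max_age * 256, hello * 256, forward_delay * 256)
    if btype == BPDU_TYPE_RST:
        body += b"\x00"  # RSTP appends a "version 1 length" octet, always 0
    return body


def parse_bpdu(data: bytes) -> dict:
    """Decode the common fields of an STP (version 0) or RSTP (version 2) BPDU."""
    if len(data) < 4:
        raise ValueError("BPDU too short")
    proto, version, btype = struct.unpack(">HBB", data[:4])
    if proto != 0:
        raise ValueError(f"unknown protocol id {proto:#06x}")
    if btype == BPDU_TYPE_TCN:
        return {"version": version, "type": "tcn"}
    if btype not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RST):
        raise ValueError(f"unknown BPDU type {btype:#04x}")
    if len(data) < _CONFIG_LEN + (1 if btype == BPDU_TYPE_RST else 0):
        raise ValueError("truncated BPDU")
    (_, version, btype, flags, root, rpc, bridge, pid,
     msg_age, max_age, hello, fwd) = struct.unpack(_CONFIG_FMT, data[:_CONFIG_LEN])
    bpdu = {
        "version": version,
        "type": "rst" if btype == BPDU_TYPE_RST else "config",
        "topology_change": bool(flags & 0x01),
        "root_id": _split_bid(root), "root_path_cost": rpc,
        "bridge_id": _split_bid(bridge), "port_id": pid,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }
    if btype == BPDU_TYPE_RST:
        bpdu["version1_length"] = data[_CONFIG_LEN]
    return bpdu


def is_superior(received: dict, current: dict) -> bool:
    """True when `received` beats `current` on the 802.1D priority vector
    (root id, root path cost, sender bridge id, sender port id); lower wins.
    Root guard hooks in exactly here: a superior BPDU on a guarded port makes
    the port root-inconsistent instead of installing the new root."""
    def vector(b):
        return (b["root_id"], b["root_path_cost"], b["bridge_id"], b["port_id"])
    return vector(received) < vector(current)


# Constructed samples: the legitimate root (priority 4096) as seen on an uplink,
# and a rogue 802.1D BPDU from a device on an access port claiming priority 0.
LEGIT_BPDU = build_bpdu(VERSION_RSTP, BPDU_TYPE_RST, (4096, "00:00:0c:00:00:ff"), 0,
                        (4096, "00:00:0c:00:00:ff"), 0x8001)
ROGUE_BPDU = build_bpdu(VERSION_STP, BPDU_TYPE_CONFIG, (0, "00:11:22:33:44:55"), 0,
                        (0, "00:11:22:33:44:55"), 0x8001)


def rogue_would_win() -> bool:
    """Without root guard or BPDU guard, would the rogue BPDU be accepted as the new root?"""
    return is_superior(parse_bpdu(ROGUE_BPDU), parse_bpdu(LEGIT_BPDU))


if __name__ == "__main__":
    print(parse_bpdu(ROGUE_BPDU))
    print("rogue wins:", rogue_would_win())
```

The rogue frame is a plain version-0 configuration BPDU, which is what fact 4 above is about: the port that receives it drops back to 802.1D behaviour, and without a guard the priority-0 root ID wins the comparison outright. The parser can be pointed at the 35 or 36 bytes that follow the LLC header (DSAP/SSAP 0x42) of a frame captured on an access port to check what a device there is actually advertising.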
The following are important commands that you need to know:
To display the UDLD status on one or all ports:
show udld [type <mod>/<num>]
To re-enable all ports that UDLD aggressive mode has errdisabled (privileged EXEC mode):
udld reset
PVST+ is based on IEEE802.1D standard and includes Cisco proprietary extensions such as BackboneFast, UplinkFast, and PortFast.
Cisco's Rapid-PVST+ is based on IEEE 802.1w (RSTP) standard and has a faster convergence than 802.1D.
Cisco's STP Implementations: PVST, PVST+
Cisco's RSTP Implementation: RPVST+
Rapid-PVST+ is backward compatible with PVST+.
RSTP is able to interoperate with legacy STP protocols. However, it is important to note that the inherent fast convergence benefits of 802.1w are lost when it interacts with legacy bridges.
The primary advantage of MST over RSTP (or Cisco's Rapid PVST+) is that it requires fewer Spanning Tree instances on a switched network. Several VLANs can be grouped and assigned to one MST instance (MSTI). Cisco supports a maximum of 16 MSTIs in each region. The IST (Internal Spanning Tree) always exists as MSTI number 0, leaving MSTI 1 through 15 available for use. MST must be manually configured on all switches, using the CLI or SNMP, and the region name, revision number and VLAN-to-instance mapping must match exactly on every switch, or the switches end up in different regions.
IEEE 802.1s MST: MST extends the IEEE 802.1w Rapid Spanning Tree (RST) algorithm to multiple spanning trees. The advantages of using MST are reduced processor load and improved convergence. MST is backward compatible with 802.1D STP and with 802.1w (Rapid Spanning Tree Protocol, RSTP).
There are three different types of Switched Port Analyzer (SPAN) sessions:
1. Local SPAN: Mirrors traffic from one or more interfaces on the switch to one or more interfaces on the same switch.
2. Remote SPAN (RSPAN): RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated to the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port. The RSPAN VLAN carries raw copies of user traffic, so it should be created with the remote-span keyword (which disables MAC learning for it) and pruned from every trunk that does not need it.
3. Encapsulated Remote SPAN (ERSPAN): As the name says, ERSPAN wraps all captured traffic in Generic Routing Encapsulation (GRE) so that it can be carried across Layer 3 domains to the capture device. ERSPAN is a Cisco proprietary feature; the GRE tunnel is neither authenticated nor encrypted, so the copied traffic should cross only trusted paths.