Since Ethernet frames do not have a TTL (Time To Live) like an IP datagram, they live forever until they are processed. This can lead to many issues if there is a loop in the topology: the frame ends up in an endless loop and may saturate the link and the resources of the devices trying to process it.

After a defined process of exchanging specific frames (BPDU, Bridge Protocol Data Unit), the spanning-tree protocol creates a Layer-2 tree topology by placing a root switch at the top of the tree, which all members agreed on beforehand. Loops are broken by putting some links in the tree into a blocking state, so that the resulting topology is loop-free. If an uplink fails, the recalculation starts again and blocked links may be unblocked to restore connectivity to devices in the upper layers. There is a process to select which ports are in blocking or forwarding state.

By putting some links into the blocking state, spanning-tree prevents us from using multiple paths to reach a destination, which means we cannot use the full bandwidth offered by the topology. Different versions/standards of spanning-tree have been developed to address this kind of issue, with small differences between them. Let us have a look at some of them.

Here are some terms that will be discussed in this post:

  • Primary Root Bridge
  • Secondary Root Bridge
  • Bridge
  • BPDU
  • TCN
  • STP Timers

BPDU (Bridge Protocol Data Unit)

A BPDU is a spanning-tree message containing certain information about a device. The information found in this frame is pasted in the output below, which relates to the common spanning tree. This can be read in every BPDU under 'Protocol Version Identifier' and its value, in this case Spanning Tree (0). It contains the protocol version identifier, the type of BPDU, its flags, and information about the root bridge and the local bridge. We can see that root and bridge identifier differ (00:1c:0e:87:78:00 and 00:1c:0e:87:85:00), which means this BPDU was not sent by the root bridge. We also find information about its Max Age, Hello Time and Forward Delay.

Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Spanning Tree (0)
    BPDU Type: Configuration (0x00)
    BPDU flags: 0x00
        0... .... = Topology Change Acknowledgment: No
        .... ...0 = Topology Change: No
    Root Identifier: 32768 / 100 / 00:1c:0e:87:78:00
        Root Bridge Priority: 32768
        Root Bridge System ID Extension: 100
        Root Bridge System ID: 00:1c:0e:87:78:00
    Root Path Cost: 4
    Bridge Identifier: 32768 / 100 / 00:1c:0e:87:85:00
        Bridge Priority: 32768
        Bridge System ID Extension: 100
        Bridge System ID: 00:1c:0e:87:85:00
    Port identifier: 0x8004
    Message Age: 1
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15

Some fields and their meaning:

Protocol Version Identifier can have different values based on the version:

  • Spanning Tree or PVST+ (0)
  • Rapid Spanning Tree or Rapid PVST+ (2)
  • Multiple Spanning Tree (3)

BPDU Type can be Configuration or Topology Change Notification.

Root identifier is made of three values, the priority, the extended system ID and the MAC-Address of the bridge.

Root path cost is the cost for the path from the sending bridge to the root bridge.

Bridge identifier is made of three values, the priority, the extended system ID and the MAC-Address of the bridge.

Port identifier is the interface ID in hexadecimal of the port from which the BPDU was sent. Port identifier 0x8004 means 0x80 for priority 128 and 0x0004 for interface number 4, i.e. 128.4.

Message Age is the time in seconds elapsed since the root bridge sent the last configuration BPDU.

Max Age is the time in seconds the bridge keeps the current configuration before deleting it. If this happens, the bridge starts the election process again.

Hello Time is the interval in seconds that the bridge uses to send out BPDUs.

Forward Delay is the time in seconds that the bridge waits before moving to the next state (Listening & Learning).

Topology Changes

Whenever a port in the topology changes its state from forwarding to blocking or vice versa, the bridge generates a Topology Change Notification and sends it out its root port so that the 'news' reaches the root bridge. These frames are sent at the spanning-tree hello interval until the upstream bridge answers with a Topology Change Acknowledgement. Both packets are described below in this article. Once the notification reaches the root bridge, it acknowledges the change. Then, for the duration of max_age + forward_delay, the root bridge sends configuration BPDUs with the Topology Change flag set. These are propagated across the tree; as soon as a bridge receives such a BPDU it automatically lowers its MAC address aging time to the forward_delay value. This guarantees faster recovery after a link failure when a MAC address becomes reachable over a new port.

Topology Change Notification (TCN)

The output below shows the way a bridge announces a topology change. There is no information about the root cause of the topology change.

Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Spanning Tree (0)
    BPDU Type: Topology Change Notification (0x80)

Topology Change Acknowledgement (TCA)

The TCN acknowledgement looks like the output below:

Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Spanning Tree (0)
    BPDU Type: Configuration (0x00)
    BPDU flags: 0x81, Topology Change Acknowledgment, Topology Change
        1... .... = Topology Change Acknowledgment: Yes
        .... ...1 = Topology Change: Yes
    Root Identifier: 32768 / 1 / aa:bb:cc:00:01:00
        Root Bridge Priority: 32768
        Root Bridge System ID Extension: 1
        Root Bridge System ID: aa:bb:cc:00:01:00
    Root Path Cost: 0
    Bridge Identifier: 32768 / 1 / aa:bb:cc:00:01:00
        Bridge Priority: 32768
        Bridge System ID Extension: 1
        Bridge System ID: aa:bb:cc:00:01:00
    Port identifier: 0x8001
    Message Age: 0
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15

Example of a topology change

  1. SW4 sends a TCN out its root port. The upstream neighbor SW2 receives it and sends a TC Ack back.
  2. SW2 sends a TCN out its root port. The upstream neighbor SW1 receives it and sends a TC Ack back.
  3. SW1, as the root, sends its configuration BPDUs with the Topology Change flag set for the next Max_Age + Forward_Delay (20 + 15 with default timers) seconds. These BPDUs are propagated to all members of the topology tree. As soon as a switch receives one, it lowers the aging time of its MAC address table. After Max_Age + Forward_Delay (20 + 15 with default timers) seconds the BPDUs are sent without the flag set and the switches return their MAC address aging time to normal.
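To make the BPDU fields and the TCN/TCA exchange above concrete, here is a small decoder for 802.1D BPDUs that reproduces the three Wireshark decodes shown in this post (configuration BPDU, TCN and TCA). It is an added example, not code from the original post; the three frames are constructed from the values shown above, and the builder and parser names are my own.

```python
"""Decoder for 802.1D spanning-tree BPDUs (added example, not from the post).

Layout of a configuration BPDU (35 bytes, all big-endian):
  protocol id (2) | version (1) | type (1) | flags (1) | root id (8) |
  root path cost (4) | bridge id (8) | port id (2) | message age (2) |
  max age (2) | hello time (2) | forward delay (2)
A TCN BPDU stops after the type byte (4 bytes). Timers are in 1/256 s units.
"""
import struct

CONFIG_FMT = ">HBBBH6sIH6sHHHHH"          # struct.calcsize(CONFIG_FMT) == 35
VERSIONS = {0: "Spanning Tree", 2: "Rapid Spanning Tree", 3: "Multiple Spanning Tree"}
TYPES = {0x00: "Configuration", 0x80: "Topology Change Notification",
         0x02: "Rapid/Multiple Spanning Tree"}


def _bridge_id(word: int, mac: bytes) -> dict:
    # Upper 4 bits of the 16-bit word are the priority (multiples of 4096),
    # lower 12 bits the extended system ID (VLAN), then the 6-byte MAC.
    return {"priority": word & 0xF000, "sysid_ext": word & 0x0FFF,
            "mac": ":".join(f"{b:02x}" for b in mac)}


def _port_id(pid: int) -> str:
    # 802.1t: 4-bit port priority in steps of 16 and a 12-bit port number,
    # so 0x8004 decodes to 128.4 just like the byte-wise reading in the post.
    return f"{(pid >> 12) * 16}.{pid & 0x0FFF}"


def parse_bpdu(frame: bytes) -> dict:
    """Decode the BPDU payload (everything after the LLC header)."""
    if len(frame) < 4:
        raise ValueError("truncated BPDU")
    proto, version, btype = struct.unpack(">HBB", frame[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier 0x{proto:04x}")
    out = {"version": VERSIONS.get(version, version), "type": TYPES.get(btype, btype)}
    if btype == 0x80:
        return out                     # a TCN carries no further fields
    if len(frame) < 35:
        raise ValueError("truncated configuration BPDU")
    (_, _, _, flags, r_word, r_mac, r_cost, b_word, b_mac,
     pid, msg_age, max_age, hello, fwd) = struct.unpack(CONFIG_FMT, frame[:35])
    out.update({
        # Bit 7 is Topology Change Acknowledgment, bit 0 is Topology Change.
        "flags": {"tc_ack": bool(flags & 0x80), "tc": bool(flags & 0x01)},
        "root": _bridge_id(r_word, r_mac),
        "root_path_cost": r_cost,
        "bridge": _bridge_id(b_word, b_mac),
        "port_id": _port_id(pid),
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
        # Identical root and bridge identifier means the root itself sent it.
        "from_root": (r_word, r_mac) == (b_word, b_mac),
    })
    return out


def build_config_bpdu(root, root_cost, bridge, port_id, msg_age, max_age,
                      hello, fwd, flags=0, version=0) -> bytes:
    """Encode a configuration BPDU; root/bridge are (priority, sysid_ext, mac)."""
    def bid(b):
        return b[0] | b[1], bytes.fromhex(b[2].replace(":", ""))
    r_word, r_mac = bid(root)
    b_word, b_mac = bid(bridge)
    return struct.pack(CONFIG_FMT, 0, version, 0x00, flags, r_word, r_mac, root_cost,
                       b_word, b_mac, port_id, msg_age * 256, max_age * 256,
                       hello * 256, fwd * 256)


# Constructed frames reproducing the three decodes shown in the post.
CONFIG_BPDU = build_config_bpdu((32768, 100, "00:1c:0e:87:78:00"), 4,
                                (32768, 100, "00:1c:0e:87:85:00"), 0x8004, 1, 20, 2, 15)
TCN_BPDU = struct.pack(">HBB", 0, 0, 0x80)
TCA_BPDU = build_config_bpdu((32768, 1, "aa:bb:cc:00:01:00"), 0,
                             (32768, 1, "aa:bb:cc:00:01:00"), 0x8001, 0, 20, 2, 15,
                             flags=0x81)

if __name__ == "__main__":
    for name, frame in (("config", CONFIG_BPDU), ("tcn", TCN_BPDU), ("tca", TCA_BPDU)):
        print(name, parse_bpdu(frame))
```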

1.1.e ii Switch priority, port priority, path cost, STP timers

Root bridge election

As mentioned before, the root is at the top of the topology. For every single instance there is a root election. The root switch is elected by exchanging information (the Bridge ID) between devices and comparing it. The switch with the lowest bridge ID is elected as the root.

The Bridge ID is composed of the bridge priority (0 – 61440 in steps of 4096: 0, 4096, 8192, etc…) + System ID Extension (0 – 4095) + base MAC address of the switch (can be checked by issuing the 'show version' command).

All ports on the root switch are in forwarding state (FWD) and are called designated ports; designated ports always face the downlinks leading away from the root. Uplinks towards the root bridge are root ports. Every other switch has only one root port per STP instance, because having multiple root ports would lead to a loop.

Let us have a look at the root election process from the switch's perspective while running some debugs:

Switch-5#sh spann vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    4106
             Address     aabb.cc00.5000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
             Address     aabb.cc00.5000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p
Et0/2               Desg FWD 100       128.3    P2p
Et0/3               Desg FWD 100       128.4    P2p


Switch-5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-5(config)#spann vlan 10 pr
Switch-5(config)#spann vlan 10 priority 61440
Switch-5(config)#
*Oct 26 21:17:28.724: setting bridge id (which=1) prio 61450 prio cfg 61440 sysid 10 (on) id F00A.aabb.cc00.5000
*Oct 26 21:17:28.724: STP: VLAN0010 we are the spanning tree root
Switch-5(config)#end
Switch-5#
*Oct 26 21:17:35.534: %SYS-5-CONFIG_I: Configured from console by console
Switch-5#
*Oct 26 21:17:47.385: STP: VLAN0010 heard root 32778-aabb.cc00.2000 on Et0/0
*Oct 26 21:17:47.385:     supersedes 61450-aabb.cc00.5000
*Oct 26 21:17:47.385: STP: VLAN0010 new root is 32778, aabb.cc00.2000 on port Et0/0, cost 100
*Oct 26 21:17:47.385: STP: VLAN0010 heard root 61450-aabb.cc00.4000 on Et0/1
*Oct 26 21:17:47.389: STP: VLAN0010 heard root 32778-aabb.cc00.3000 on Et0/2
*Oct 26 21:17:47.390: STP: VLAN0010 Topology Change rcvd on Et0/1
*Oct 26 21:17:47.390: STP: VLAN0010 sent Topology Change Notice on Et0/0
*Oct 26 21:17:47.390: STP: VLAN0010 Topology Change rcvd on Et0/2
Switch-5#
*Oct 26 21:17:48.390: STP: VLAN0010 sent Topology Change Notice on Et0/0
*Oct 26 21:17:48.390: STP[10]: Generating TC trap for port Ethernet0/2
*Oct 26 21:17:48.390: STP: VLAN0010 Et0/2 -> blocking
*Oct 26 21:17:48.394: STP[10]: Generating TC trap for port Ethernet0/1
*Oct 26 21:17:48.394: STP: VLAN0010 Et0/1 -> blocking
Switch-5#

After changing the spanning-tree priority for VLAN 10, the switch assumes it is the root and starts sending and receiving BPDUs (see the 'we are the spanning tree root' line above). After some time the switch hears from a bridge that also assumes to be root; the switch analyzes it and concludes that the heard priority is lower than the configured one (see the 'supersedes' line above). It also receives other BPDUs on e0/1 and e0/2, but these are higher than the chosen one.

Now we change back to being the root by setting the priority for VLAN 10 to the lowest in the tree.

Switch-5(config)#spanning-tree vlan 10 priority 0
*Oct 26 21:42:32.828: setting bridge id (which=1) prio 10 prio cfg 0 sysid 10 (on) id 000A.aabb.cc00.5000
*Oct 26 21:42:32.828: STP: VLAN0010 Et0/1 -> listening
*Oct 26 21:42:32.828: STP: VLAN0010 Et0/2 -> listening
*Oct 26 21:42:32.830: STP: VLAN0010 Topology Change rcvd on Et0/2
*Oct 26 21:42:32.830: STP: VLAN0010 Topology Change rcvd on Et0/1
*Oct 26 21:42:47.834: STP: VLAN0010 Et0/1 -> learning
*Oct 26 21:42:47.834: STP: VLAN0010 Et0/2 -> learning
*Oct 26 21:43:02.834: STP: VLAN0010 Et0/1 -> forwarding
*Oct 26 21:43:02.834: STP: VLAN0010 Et0/2 -> forwarding
Switch-5(config)#

We can clearly see the 15-second steps from listening through learning to the forwarding state. Port e0/0 did not change its state.

Root port and designated port

Switches other than the root bridge need to elect a root port and designated port(s). The root port is locally significant and unique, and it is the shortest path to the root bridge. The designated port(s) are downlinks to downstream switches in the topology.

There are some terms that need to be clarified before we get to the tie-breakers of the election.

Path-Cost

The cost of a path is defined by the bandwidth of a port: the more bandwidth the port has, the lower its cost. When STP was developed, links with speeds of 1 Gigabit or 10 Gigabit did not exist; as time passed and new speeds arrived, the 16 bits originally reserved for the path cost value were no longer enough, so a new 32-bit space was created to keep up. These two methods are called short and long mode.

Link speed                 Short mode (old 16-bit)  Long mode (new 32-bit)
-------------------------  -----------------------  ----------------------
10 Mbps                    100                      2000000
100 Mbps                   19                       200000
1 Gbps                     4                        20000
n x 1 Gbps (EtherChannel)  3                        10000
10 Gbps                    2                        2000
100 Gbps                   N/A                      200
1 Tbps                     N/A                      20

Port-ID & priority

The Port-ID is made of two values separated by a dot. The first value is the port priority, which is 128 by default. After the priority the interface number follows.

An example for Fa0/13 would be 128.13.

Root Port election

The root port election checks the following information in this order:

  1. The spanning-tree path cost to the root. The lowest path cost is the shortest path to the root bridge and therefore the best path.
  2. If multiple ports receive BPDUs with the same path cost, then the port where the neighbor with the lowest Bridge ID is connected.
  3. If there are multiple links going to the same neighbor mentioned in point 2, the switch selects the port with the lowest port priority value.
  4. If these are also the same, the tie-breaker is the port with the lowest interface number.
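As an added example (not code from the post), the following model implements the root bridge election and the root port tie-break order above, replayed with the bridge IDs from the Switch-5 debug output earlier in the post. It goes one step beyond the list by comparing the neighbor's port ID (priority, then number) for parallel links to the same neighbor, which is how 802.1D applies steps 3 and 4; the class and port names are constructed.

```python
"""Model of the STP root bridge and root port election (added example).

Bridge IDs and port IDs are compared the way 802.1D/802.1t does it:
the lower value wins at every step.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int    # configured priority, a multiple of 4096
    sysid_ext: int   # extended system ID (the VLAN number)
    mac: str         # base MAC in IOS notation, e.g. "aabb.cc00.5000"

    def key(self) -> Tuple[int, int]:
        # The 16-bit field carries priority + sysid_ext; the MAC breaks ties.
        return (self.priority + self.sysid_ext, int(self.mac.replace(".", ""), 16))

    def __str__(self) -> str:
        return f"{self.priority + self.sysid_ext}-{self.mac}"


@dataclass(frozen=True)
class PortId:
    priority: int = 128   # default port priority
    number: int = 1

    def key(self) -> Tuple[int, int]:
        return (self.priority, self.number)


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId
    root_path_cost: int   # cost from the sender to the root it advertises
    sender: BridgeId
    sender_port: PortId


@dataclass(frozen=True)
class LocalPort:
    name: str
    cost: int             # path cost of this port (100 = 10 Mbps, short mode)
    port_id: PortId


def elect_root(me: BridgeId, heard: Dict[LocalPort, Bpdu]) -> BridgeId:
    """The lowest bridge ID seen anywhere (including ourselves) becomes the root."""
    candidates = [me] + [b.root for b in heard.values()]
    return min(candidates, key=BridgeId.key)


def elect_root_port(me: BridgeId, heard: Dict[LocalPort, Bpdu]) -> Optional[Tuple[LocalPort, int]]:
    """Return (root port, path cost to the root), or None if we are the root.

    Tie-break order: total path cost, sender bridge ID, sender port ID
    (priority, then number), and finally our own port ID.
    """
    root = elect_root(me, heard)
    if root == me:
        return None
    offers = [(p, b) for p, b in heard.items() if b.root == root]

    def rank(item):
        p, b = item
        return (b.root_path_cost + p.cost, b.sender.key(), b.sender_port.key(), p.port_id.key())

    best_port, best_bpdu = min(offers, key=rank)
    return best_port, best_bpdu.root_path_cost + best_port.cost


# Constructed scenario mirroring the debug output: Switch-5 has priority 61440
# in VLAN 10 and hears three different root claims on three ports.
ME = BridgeId(61440, 10, "aabb.cc00.5000")
ET0_0 = LocalPort("Et0/0", 100, PortId(128, 1))
ET0_1 = LocalPort("Et0/1", 100, PortId(128, 2))
ET0_2 = LocalPort("Et0/2", 100, PortId(128, 3))
SW2 = BridgeId(32768, 10, "aabb.cc00.2000")
SW3 = BridgeId(32768, 10, "aabb.cc00.3000")
SW4 = BridgeId(61440, 10, "aabb.cc00.4000")
HEARD = {
    ET0_0: Bpdu(SW2, 0, SW2, PortId(128, 1)),
    ET0_1: Bpdu(SW4, 0, SW4, PortId(128, 1)),
    ET0_2: Bpdu(SW3, 0, SW3, PortId(128, 1)),
}

if __name__ == "__main__":
    root = elect_root(ME, HEARD)
    port, cost = elect_root_port(ME, HEARD)
    print(f"new root is {root} on port {port.name}, cost {cost}")
```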

1.1.e i PVST+, Rapid PVST+, MST

PVST+

Per VLAN Spanning-Tree+ (PVST+) is a Cisco proprietary spanning-tree protocol that runs an instance of STP for every single VLAN created on the switch. For every instance there is a separate tree and therefore also a separate root bridge.

Port states

Blocking (BLK): In this state the switch discards everything except BPDUs; these are the only frames that are processed. If a BPDU arrives with a shorter path to the root bridge, the port waits 20 seconds before moving to the next state. BPDUs with a longer path to the root are discarded.

Listening (LIS): In this state the port still does not participate in forwarding frames. The port remains 15 seconds in this state before moving to the next one.

Learning (LRN): In this state the switch receives frames and updates its MAC address table based on the information gathered. The port remains in this state for another 15 seconds.

Forwarding (FWD): After learning, the port finally moves to the forwarding state, where it not only listens for frames but also forwards them.

Disabled: In this state the port does not take part in STP.

Looking at the states above, we realize that a port takes 50 seconds before moving into the finally desired forwarding state (or not).

Rapid PVST+ and MST port states

Newer implementations of the Spanning-Tree Protocol have somewhat different states and move from one state to the next without timers. The states are: discarding (blocking), learning and forwarding.

Faster convergence through Proposal and agreement process

The idea behind this is to move faster from one state to the other for faster convergence. After a failure, non-edge ports are in the designated discarding state and exchange BPDUs; if a port receives a superior BPDU, it is moved into the root discarding state.

If a switch receives a BPDU with the proposal bit set on its root port, all non-edge ports are moved into discarding state. This is called Sync. At the end the switch sends a BPDU with the agreement bit set, which finishes the process.

Rapid PVST+

Rapid Per VLAN Spanning-Tree+ has all the capabilities of PVST+ and also those of the Rapid Spanning-Tree Protocol (RSTP, 802.1w). This implementation benefits from faster convergence by moving from the discarding state to the forwarding state based on a process called 'proposal and agreement', which has no timers that need to expire before moving to the next state.

MST 802.1s

Multiple Spanning Tree can group VLANs into an instance. In other STP implementations like PVST we have an instance for every single VLAN active in the topology. What happens if our environment has 500 VLANs? We will have 500 instances sending one BPDU every two seconds across every port participating in STP. Imagine a switch with one uplink to the root bridge and two downlinks to downstream switches: every 2 seconds 1500 BPDUs will be processed by the CPU and sent out of the ports. MST can group a range of VLANs into an instance and thereby reduce the number of BPDUs sent.

Multiple Spanning Tree Protocol works with regions in order to group its members. Therefore members of the same group must share the region name, the revision number and the VLAN-to-instance mapping table. A switch can only be in one region at a time.

MST uses a default instance to create the loop-free topology. This is called the Internal Spanning Tree and it is mapped to instance 0. Depending on the platform, there is a limit on the number of instances that can be created.

Interoperability

When a switch running PVST+ is connected to a switch running STP, they interoperate immediately since both use the same type of BPDU, so they can be mixed in the same topology. The only caveat is that switches running STP won't have the benefit of Rapid PVST+.

When a switch running PVST+ or Rapid PVST+ is connected to an MST region, MST needs to interact with it. Since MST does not use one BPDU per VLAN, it needs a backward-compatibility mechanism to communicate with the neighbor bridge running PVST+; this is called the PVST Simulation mechanism. MST sends out its boundary port the same BPDU with the same attributes for every VLAN, which leads the neighbor switch to take the same decision for every VLAN connected to the MST region.

Virtual Interfaces

For every spanning-tree instance on every port participating in spanning-tree there is a virtual interface that sends out BPDUs. The calculation of virtual interfaces is as follows:

(Trunk ports x VLANs allowed) + Access ports = virtual interfaces

In a Rapid PVST+ environment with 10 VLANs, 20 access ports, one downlink and one uplink allowing all VLANs, the calculation would look like this:

(2 x 10) + 20 = 40 Virtual interfaces

If you run 1000 VLANs in your environment and have a switch with 15 up- and downlinks, you end up with 15 000 virtual interfaces, each sending a CPU-generated BPDU every hello interval.

1.1.e iii PortFast, BPDU Guard, BPDU Filter

There is a toolkit offering different ways to adapt spanning-tree behaviour to the needs of the infrastructure.

Portfast

Allows bypassing the listening and learning states; in other words the port moves straight from blocking to forwarding. Another function is not to generate a TCN BPDU every time the port changes state.

BPDUguard

Disables the portfast feature if a BPDU is received on that port and moves the port into err-disabled.

BPDUfilter

Disables receiving and sending BPDUs on the configured port.

1.1.e iv Loop Guard, Root Guard

Loopguard

It handles unidirectional link failures when no BPDU is received on the link.

Rootguard

This feature checks whether a superior BPDU arrives on the configured port. If this happens, the port is put into the root-inconsistent (blocking) state.


Design, Deploy, Operate, Optimize

Design

First of all, one of these standard implementations needs to be chosen. This depends on many things: how your network infrastructure looks, what the business needs are, and how to convert these needs/expectations into technical solutions.

Some things to keep in mind while choosing the right standard:

Protocol     Multiple instances?  Network convergence time  Scalability  Resource consumption  Standard
-----------  -------------------  ------------------------  -----------  --------------------  --------
STP          Single               Slow                      No                                 802.1d
PVST+        Multiple             Slow                                                         Cisco
RSTP         Single               Fast                                                         802.1w
Rapid PVST+  Multiple             Fast                                                         Cisco
MST          Multiple*            Fast                                                         802.1s
* Limited depending on platform

When choosing a standard we also need to take the current infrastructure into consideration if we are working in a brownfield. Backward compatibility of the technologies must be guaranteed.

Based on the information above regarding virtual interfaces, a network engineer can decide which STP implementation should be deployed. Running 700 VLANs with Rapid PVST+ on an access switch whose ports towards the hypervisors are configured as trunks would end up with thousands of virtual interfaces. Rapid PVST+ and MST have different limitations regarding virtual interfaces. The BPDU frames are created and processed by the CPU. This can lead to high CPU peaks, leaving not enough time to process other control-plane packets. The limits are 100 000 virtual interfaces for MST and 12 000 for Rapid PVST+.

Another important aspect when designing networks where spanning-tree is implemented is something mentioned at the beginning of the post. If we do not change anything, by default all instances go through the same links and some links remain unused. The technique is called VLAN load-balancing, and the idea behind it is to have different priorities for different VLANs so that there are different root switches for the different instances and therefore different trees. This causes ports to be in blocking state in some instances and in forwarding state in others.

Last but not least, a network engineer should take convergence time into consideration. Even if in RSTP or MST convergence takes only a few seconds, this could cause a huge problem in critical networks. Therefore spanning-tree should be avoided by simplifying the upper network layers (distribution, core) with technologies like VSS or vPC. This should not be misunderstood: even if loops are eliminated by design through the technologies mentioned above, spanning-tree should not be disabled under any circumstances, since someone could create a layer-2 loop by mistake and take down the entire network.

Deploy

Configuring MST

Before the spanning-tree mode is changed to MST, certain settings need to be adapted. By entering the following command a network engineer enters the MST configuration mode.

spanning-tree mst configuration
 name CCIE
 revision 1
 instance 1 vlan 10, 20, 30, 40

VLANs not mentioned in the MST configuration are automatically in instance 0. Moving a VLAN from one instance to another causes a disruption in the whole instance.

Once the configuration is done, multiple spanning tree can be enabled as the desired protocol.

(config)# spanning-tree mode mst

Configuring Rapid PVST+

Configuring Rapid PVST+ is easier than MST. We only need to change the mode using the following command.

(config)# spanning-tree mode rapid-pvst

The priority of each VLAN can be changed individually by issuing the following command.

(config)# spanning-tree vlan 10 priority 4096

Operate

To get an overview of the configuration, we can issue the following command, which shows some information about the network. We can see the ports for every VLAN (only the number of ports).

Switch-5#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010
Extended system ID                      is enabled
Portfast Default                        is disabled
Portfast Edge BPDU Guard Default        is disabled
Portfast Edge BPDU Filter Default       is disabled
Loopguard Default                       is disabled
PVST Simulation Default                 is enabled but inactive in rapid-pvst mode
Bridge Assurance                        is enabled
EtherChannel misconfig guard            is enabled
Configured Pathcost method used is short
UplinkFast                              is disabled
BackboneFast                            is disabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     2         0        1          1          4
VLAN0010                     0         0        4          0          4
VLAN0020                     0         0        3          1          4
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      2         0        8          2         12
Switch-5#

Imagine there were ports in blocking state; this does not necessarily mean an ALT BLK state, it can also indicate a problem in the network. With the next command we can check inconsistent ports. We can see that two ports are in blocking state because Bridge Assurance detected issues on the link.

Switch-5#sh spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0010             Ethernet0/0              Bridge Assurance Inconsistent
VLAN0020             Ethernet0/0              Bridge Assurance Inconsistent

Number of inconsistent ports (segments) in the system : 2

Switch-5#

The 'detail' command shows us a lot of information for the specific VLAN. Probably relevant for a network engineer is the line containing 'Number of topology changes XYZ last change occurred XX:YY:ZZ ago'. This command also shows per-port attributes and the number of BPDUs sent and received.

Switch-5#sh spanning-tree vlan 10 detail

 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 0, sysid 10, address aabb.cc00.5000
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 5 last change occurred 00:01:07 ago
          from Ethernet0/3
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 1 (Ethernet0/0) of VLAN0010 is designated forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 10, address aabb.cc00.5000
   Designated bridge has priority 10, address aabb.cc00.5000
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default, Peer is STP
   BPDU: sent 51, received 2

 Port 2 (Ethernet0/1) of VLAN0010 is designated forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 10, address aabb.cc00.5000
   Designated bridge has priority 10, address aabb.cc00.5000
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default, Peer is STP
   BPDU: sent 51, received 2

By issuing the following command we can see who the root is, who we are, the default timers, and the state and role of every interface.

Switch-5#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    10
             Address     aabb.cc00.5000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10     (priority 0 sys-id-ext 10)
             Address     aabb.cc00.5000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg BKN*100       128.1    P2p Network Peer(STP) *BA_Inc
Et0/1               Desg FWD 100       128.2    P2p Peer(STP)
Et0/2               Desg FWD 100       128.3    P2p Peer(STP)
Et0/3               Desg FWD 100       128.4    P2p


Switch-5#
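As an added example (not part of the post), here is a short audit script that parses this kind of output, reports ports that are not forwarding (such as the BKN* Bridge Assurance inconsistency above) and flags a root whose address is not the one the operator expects. The sample text is a constructed copy of the output above and the function names are my own.

```python
"""Audit a 'show spanning-tree vlan N' output (added example, not from the post)."""
import re
from typing import Dict, List

# Constructed copy of the output shown in the post.
SAMPLE = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    10
             Address     aabb.cc00.5000
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    10     (priority 0 sys-id-ext 10)
             Address     aabb.cc00.5000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg BKN*100       128.1    P2p Network Peer(STP) *BA_Inc
Et0/1               Desg FWD 100       128.2    P2p Peer(STP)
Et0/2               Desg FWD 100       128.3    P2p Peer(STP)
Et0/3               Desg FWD 100       128.4    P2p
"""

ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+(\S+)")
# In "BKN*100" the state column runs into the cost column because of the
# '*' marker, so the cost is matched with an optional (not required) space.
PORT_RE = re.compile(r"^(\S+)\s+(\w+)\s+([A-Z]+\*?)\s*(\d+)\s+(\d+\.\d+)\s*(.*)$")


def parse_show_spanning_tree(text: str) -> Dict:
    """Extract the root identity and the per-interface table."""
    m = ROOT_RE.search(text)
    if not m:
        raise ValueError("no Root ID block found")
    ports = []
    for line in text.splitlines():
        pm = PORT_RE.match(line)
        if pm:
            ports.append({"interface": pm.group(1), "role": pm.group(2),
                          "state": pm.group(3), "cost": int(pm.group(4)),
                          "prio_nbr": pm.group(5), "type": pm.group(6).strip()})
    return {"root_priority": int(m.group(1)), "root_address": m.group(2),
            "we_are_root": "This bridge is the root" in text, "ports": ports}


def audit(text: str, expected_root_mac: str) -> List[str]:
    """Return human-readable findings; an empty list means the VLAN looks healthy."""
    info = parse_show_spanning_tree(text)
    findings = []
    # An unexpected root is the situation Root Guard exists to prevent.
    if info["root_address"].lower() != expected_root_mac.lower():
        findings.append(f"unexpected root {info['root_priority']}-{info['root_address']} "
                        f"(expected {expected_root_mac})")
    # Anything not forwarding (BKN*, BLK, LIS, LRN) deserves a look.
    for p in info["ports"]:
        if p["state"] != "FWD":
            findings.append(f"{p['interface']} is {p['role']} {p['state']} ({p['type']})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "aabb.cc00.5000"):
        print(finding)
```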

Last but not least the debug options.

Switch-5#debug spanning-tree ?
  all              All Spanning Tree debugging messages
  bpdu             Spanning tree BPDU
  bpdu-opt         Optimized BPDU handling
  config           Spanning tree config changes
  etherchannel     EtherChannel support
  events           Spanning tree topology events
  exceptions       Spanning tree exceptions
  general          Spanning tree general
  mstp             MSTP debug commands
  pvst+            PVST+ events
  root             Spanning tree root events
  snmp             Spanning Tree SNMP handling
  switch           Switch Shim debug commands
  synchronization  STP state sync events

Switch-5#

Optimize

In order to optimize a spanning-tree environment there is a toolkit with different features to improve the stability of the network. They should be applied on the right ports.

Portfast & BPDUGuard

Portfast should be applied on access-switch ports towards hosts that should not participate in spanning tree, like hypervisors. Imagine a network where the proposal and agreement process takes place: normally all non-edge ports go into discarding mode. This is not convenient for ports facing hosts, since communication through the switch is blocked until the sync is finished. Ports configured as edge will not generate any TCN if their state changes.

Another feature called BPDU Guard complements Portfast by putting the port into err-disabled if a BPDU arrives on that interface. This should help the network to sanitize itself by using th

Configuring Portfast and BPDU Guard on Rapid PVST+ and MST

(conf-if)# spanning-tree portfast 
(conf-if)# spanning-tree bpduguard

RootGuard

To prevent that someone accidentally (or not) connects a switch with a lower priority than the currently configured root bridge and thereby changes the topology, RootGuard can be enabled. This feature should be enabled on downstream ports at the core and distribution layers. RootGuard can and should be configured on a per-interface basis. The configuration is very simple.

(config-if)#spanning-tree guard root

Enabling this feature on an interface causes all instances to use RootGuard on that port.

Bridge Assurance

Whenever a port in blocking state stops receiving BPDUs it moves to the forwarding state. Not receiving BPDUs can have many reasons; it does not mean that there is no loop anymore. The remote device can have unidirectional issues or maybe lacks the resources to generate a BPDU. Bridge Assurance (BA) needs to be enabled on both ends of a p2p link. If the port stops receiving BPDUs it moves directly into blocking state in order to prevent loops. BA should be placed on every inter-switch link in the network.

BA is enabled by default and is only active on ports configured as network ports.

(config-if)# spanning-tree portfast network

LoopGuard

This feature prevents a port from becoming designated forwarding instead of root or alternate. It should be placed on access switches on the uplinks towards the distribution layer.

The command to configure it is as follows:

(config-if)# spanning-tree guard loop

VLAN based load-balancing

In this case we can see two topology trees, one for VLAN 10 and the second for VLAN 20. Looking at the picture above, we see that Host-2 is in VLAN 10 and connected to Switch-3. Imagine that the active layer-3 interface for VLAN 10 is on Switch-4. Based on this, every time Host-2 wants to reach this L3 interface, its traffic leaves Switch-3 over port e0/2 to Switch-5 and from there over e0/1 to Switch-4. This is a much longer way than going directly over e0/0 on Switch-3.

By manipulating the priority on Switch-4 for VLAN 10, a better path to the L3 interface can be achieved.

Switch-4(config)# spanning-tree vlan 10 root primary

As described earlier in this article, the priority is the first thing spanning-tree checks when electing a root bridge. This can be used to manually create different paths for different instances.

STP-Timers (Diameter)

With this command a network engineer can have the forward delay and max-age timers set automatically. These settings are propagated via BPDU and speed up network convergence.

Switch-5(config)#spanning-tree vlan 10 root primary diameter ?
  <2-7>  Maximum number of bridges between any two end nodes

Switch-5(config)#spanning-tree vlan 10 root primary diameter 3 ?
  hello-time  Hello interval for this spanning tree
  <cr>

Switch-5(config)#spanning-tree vlan 10 root primary diameter 3 hello-time ?
  <1-10>  Hello interval in seconds

Switch-5(config)#spanning-tree vlan 10 root primary diameter 3 hello-time 1 ?
  <cr>

Switch-5(config)#spanning-tree vlan 10 root primary diameter 3 hello-time 1
Switch-5(config)#do sh spann vl 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     aabb.cc00.5000
             This bridge is the root
             Hello Time   1 sec  Max Age  7 sec  Forward Delay  5 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     aabb.cc00.5000
             Hello Time   1 sec  Max Age  7 sec  Forward Delay  5 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    P2p
Et0/1               Desg FWD 100       128.2    P2p
Et0/2               Desg FWD 100       128.3    P2p
Et0/3               Desg FWD 100       128.4    P2p


Switch-5(config)#
