Two PE routers, PE1 and PE2, are connected over the 10.0.0.0/24 network. PE1 has a loopback of 1.1.1.1 and PE2 has 2.2.2.2. This provider network could easily be increased in size and number of devices. Most labs use OSPF or EIGRP inside the provider network, with a BGP session between the provider edge devices that connect to the client.
C-1-1 Configuration
hostname C-1-1
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 11.11.11.11
C-1-2 Configuration
hostname C-1-2
!
interface Loopback0
ip address 12.12.12.12 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 12.12.12.12
!
C-2-1 Configuration
hostname C-2-1
!
interface Loopback0
ip address 21.21.21.21 255.255.255.255
!
interface GigabitEthernet0/1
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 21.21.21.21
!
C-2-2 Configuration
hostname C-2-2
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
ip address 172.16.2.2 255.255.255.0
ip ospf 2 area 0
duplex auto
speed auto
media-type rj45
!
router ospf 2
router-id 22.22.22.22
!
PE1 Configuration
hostname PE1
!
ip vrf Client1
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
ip vrf Client2
rd 65000:2
route-target export 65000:2
route-target import 65000:2
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip vrf forwarding Client1
ip address 192.168.1.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip vrf forwarding Client2
ip address 172.16.1.1 255.255.255.0
ip ospf 2 area 0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
media-type rj45
mpls ip
!
router ospf 1 vrf Client1
router-id 192.168.1.1
redistribute bgp 65000 subnets
!
router ospf 2 vrf Client2
router-id 172.16.1.1
redistribute bgp 65000 subnets
!
router bgp 65000
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 2.2.2.2 remote-as 65000
neighbor 2.2.2.2 update-source Loopback0
!
address-family ipv4
neighbor 2.2.2.2 activate
exit-address-family
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community extended
exit-address-family
!
address-family ipv4 vrf Client1
redistribute ospf 1
exit-address-family
!
address-family ipv4 vrf Client2
redistribute ospf 2
exit-address-family
!
ip route 2.2.2.2 255.255.255.255 10.0.0.2
PE2 Configuration
hostname PE2
!
ip vrf Client1
rd 65000:1
route-target export 65000:1
route-target import 65000:1
!
ip vrf Client2
rd 65000:2
route-target export 65000:2
route-target import 65000:2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
ip vrf forwarding Client1
ip address 192.168.2.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip vrf forwarding Client2
ip address 172.16.2.1 255.255.255.0
ip ospf 2 area 0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
media-type rj45
mpls ip
!
router ospf 1 vrf Client1
router-id 192.168.2.1
redistribute bgp 65000 subnets
!
router ospf 2 vrf Client2
router-id 172.16.2.1
redistribute bgp 65000 subnets
!
router bgp 65000
bgp router-id 2.2.2.2
bgp log-neighbor-changes
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
!
address-family ipv4
neighbor 1.1.1.1 activate
exit-address-family
!
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended
exit-address-family
!
address-family ipv4 vrf Client1
redistribute ospf 1
exit-address-family
!
address-family ipv4 vrf Client2
redistribute ospf 2
exit-address-family
!
ip route 1.1.1.1 255.255.255.255 10.0.0.1
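A VRF on a PE is kept separate from the others only by its route-targets: if a second VRF imports the RT that the first one exports, the two customers' routes are merged into one table. The following added example (written for these notes, not part of the lab or of any vendor tool) parses the ip vrf stanzas of an IOS-style configuration and reports route-targets shared between VRFs; the embedded PE configuration is a constructed sample in which the Client2 VRF reuses Client1's RT.

```python
import re
from collections import defaultdict

# Constructed sample PE configuration in the style of the lab (not a device dump):
# the Client2 VRF mistakenly reuses Client1's route-target 65000:1.
SAMPLE_PE_CONFIG = """\
ip vrf Client1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
!
ip vrf Client2
 rd 65000:2
 route-target export 65000:1
 route-target import 65000:1
!
interface GigabitEthernet0/0
 ip vrf forwarding Client1
"""
# The same sample with the Client2 route-targets corrected to 65000:2.
FIXED_PE_CONFIG = SAMPLE_PE_CONFIG.replace(
    "rd 65000:2\n route-target export 65000:1\n route-target import 65000:1",
    "rd 65000:2\n route-target export 65000:2\n route-target import 65000:2")

def parse_vrfs(config):
    """Return {vrf: {"rd": str, "export": set, "import": set}} from the 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip vrf (\S+)\s*$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"rd": None, "export": set(), "import": set()})
            continue
        if not line.startswith(" "):
            current = None          # any other top-level line ends the VRF stanza
            continue
        tok = line.split()
        if current is None or not tok:
            continue
        if tok[0] == "rd":
            current["rd"] = tok[1]
        elif tok[0] == "route-target" and tok[1] == "both":
            current["export"].add(tok[2]); current["import"].add(tok[2])
        elif tok[0] == "route-target" and tok[1] in ("export", "import"):
            current[tok[1]].add(tok[2])
    return vrfs

def find_rt_leaks(vrfs):
    """List (importing_vrf, exporting_vrf, rt): one VRF's exported routes land in
    another VRF's table, so the two customers are no longer isolated."""
    exporters = defaultdict(set)
    for name, v in vrfs.items():
        for rt in v["export"]:
            exporters[rt].add(name)
    return [(name, other, rt) for name, v in vrfs.items()
            for rt in sorted(v["import"]) for other in sorted(exporters[rt] - {name})]
```

Run the checker against each PE before enabling the vpnv4 session; an empty result for every PE means no two VRFs on that device exchange routes.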
Good network design provides redundancy in devices and network links.
The simplest solution is to add a second link between switches to survive a link failure, or to ensure that each switch is connected to at least two other switches in the topology.
This can cause problems when a switch must forward broadcasts or when unknown unicast flooding occurs.
Broadcasts are forwarded in a continuous loop until the link becomes saturated and the switch is forced to drop packets.
The MAC address table must also constantly change ports as the packets loop. The packets keep looping around the topology because Layer 2 forwarding has no time-to-live (TTL) mechanism. Switch CPU utilization and memory consumption increase, which can result in the switch crashing.
Common Causes of Layer 2 Loops
STP disabled on a switch
A misconfigured load balancer that transmits traffic out multiple ports with the same MAC address
A misconfigured virtual switch that bridges two physical ports (Virtual switches typically do not participate in STP.)
End users using a dumb network switch or hub
How Spanning Tree Works
Spanning Tree Protocol (STP) enables switches to become aware of other switches through the advertisement and receipt of bridge protocol data units (BPDUs).
STP builds a Layer 2 loop-free topology in an environment by temporarily blocking traffic on redundant ports.
STP operates by selecting a specific switch as the master switch and running a tree-based algorithm to identify which redundant ports should not forward traffic.
Root bridge: The root bridge is the most important switch in the Layer 2 topology.
Bridge protocol data unit (BPDU): This network packet is used for network switches to identify a hierarchy and notify of changes in the topology.
Two Types of BPDUs:
Configuration
TCN
Max age: The maximum length of time that passes before a bridge port saves its BPDU information.
The default is 20 seconds, set with the command spanning-tree vlan vlan-id max-age maxage. If a switch loses contact with the BPDU's source, it assumes that the BPDU information is still valid for the duration of the Max Age timer.
Hello time: The interval at which a BPDU is advertised out of a port.
The default is 2 seconds; it can be set from 1 to 10 seconds with the command spanning-tree vlan vlan-id hello-time hello-time.
Forward delay: The time a port stays in the listening and learning states.
The default is 15 seconds; it can be set from 15 to 30 seconds with the command spanning-tree vlan vlan-id forward-time forward-time.
Election
Hello BPDUs are exchanged between all switches at the beginning of the root bridge election process.
Each switch initially considers itself the root bridge, so it sends its BPDUs with its own bridge ID as the root bridge ID.
When a switch receives a BPDU with a lower bridge ID, it "adjusts" its own BPDUs to carry that lower bridge ID as the root; a BPDU carrying a higher bridge ID is simply discarded.
This process continues until all switches agree on the root bridge, which is the switch with the lowest bridge ID.
If all switches have the same bridge priority, the tiebreaker is the MAC address: the switch with the lowest MAC address becomes the root bridge.
The bridge ID is made up of the bridge priority, the System ID Extension (per the IEEE 802.1t standard) and the MAC address of the switch.
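The election just described, as an added example written for these notes (not from the source material): bridge IDs are assembled from priority, VLAN and MAC as above, and the switches converge on the lowest one. The switch names and priorities mirror the lab later on this page; the MAC addresses and links are constructed.

```python
# Bridge ID as 802.1t defines it: 4-bit priority (a multiple of 4096), 12-bit
# system ID extension carrying the VLAN, then the 48-bit MAC; compared as one number.
def bridge_id(priority, vlan, mac):
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority + vlan) << 48) | mac_int

def elect_root(switches, links, vlan):
    """Simulate the election: every switch first claims to be the root, then adopts
    any lower root ID it hears from a neighbor, until nothing changes.
    switches = {name: (priority, mac)}, links = [(a, b), ...] forming a connected graph.
    Returns (root_name, rounds_until_stable)."""
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    believed = dict(bid)                         # each switch's current idea of the root ID
    nbrs = {n: set() for n in switches}
    for a, b in links:
        nbrs[a].add(b)
        nbrs[b].add(a)
    rounds = 0
    while True:
        rounds += 1
        changed = False
        for n in switches:
            heard = min((believed[m] for m in nbrs[n]), default=believed[n])
            if heard < believed[n]:              # lower root ID wins; higher ones are ignored
                believed[n], changed = heard, True
        if not changed:
            break
    root_id = min(believed.values())
    root = next(n for n in bid if bid[n] == root_id)
    return root, rounds

# Constructed sample modelled on the lab: SW-03 priority 0, SW-04 priority 4096,
# SW-01/SW-02 at the default 32768; MACs and links are made up for the example.
LAB_SWITCHES = {
    "SW-01": (32768, "0000.0c00.0001"),
    "SW-02": (32768, "0000.0c00.0002"),
    "SW-03": (0,     "0000.0c00.00ff"),
    "SW-04": (4096,  "0000.0c00.00fe"),
}
LAB_LINKS = [("SW-01", "SW-03"), ("SW-01", "SW-04"), ("SW-02", "SW-03"),
             ("SW-02", "SW-04"), ("SW-03", "SW-04")]

def default_priorities(switches):
    """The same switches with every priority left at the default 32768 (no tuning)."""
    return {n: (32768, mac) for n, (_, mac) in switches.items()}
```

With the lab priorities SW-03 wins regardless of MAC; with untuned defaults the root falls to whichever switch happens to have the lowest MAC, which is why the root is pinned explicitly.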
Finding Topology Change Causes
Determining why TCNs are occurring involves checking a port to see whether it is connected to a host or to another switch.
If it is connected to another switch, you need to connect to that switch and repeat the process of examining the STP details.
You might need to examine CDP tables or your network documentation.
You can execute the show spanning-tree [vlan vlan-id] detail command again on each switch until you reach the last switch in the topology and identify the problematic port.
RSTP (802.1W) Port States
Discarding: The switch port is enabled, but the port is not forwarding any traffic to ensure that a loop is not created. This state combines the traditional STP states disabled, blocking, and listening.
Learning: The switch port modifies the MAC address table with any network traffic it receives. The switch still does not forward any other network traffic besides BPDUs.
Forwarding: The switch port forwards all network traffic and updates the MAC address table as expected. This is the final state for a switch port to forward network traffic.
STP Tuning
Ideally the root bridge is placed on a core switch, and a secondary root bridge is designated to minimize changes to the overall spanning tree.
Root and Secondary Placement
spanning-tree vlan vlan-id priority priority: The priority is a value between 0 and 61,440, in increments of 4,096.
spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]: This command executes a script that modifies certain values. The primary keyword sets the priority.
Generally, root switches are at the Layer 2/Layer 3 boundary.
Minimize the number of hops to the furthest switch in the topology.
BEST PRACTICE: set the priority to 0 for the primary root switch and to 4,096 for the secondary root switch.
Oh Snap, There’s a Loop!
Catalyst switches detect a MAC address that is flapping between interfaces and report it via syslog.
The message includes the MAC address of the host, the VLAN, and the ports between which the MAC address is flapping.
These messages should be investigated to ensure that a forwarding loop does not exist.
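A single flap message can be a host that was re-patched; a burst of them between the same pair of ports is what a loop looks like. The following added example (written for these notes, not from the source) parses syslog lines in the Catalyst %SW_MATM-4-MACFLAP_NOTIF format and reports MAC/VLAN pairs that flap repeatedly within a short window; the log lines, MACs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the Catalyst MACFLAP format; hosts, ports and
# timestamps are made up for the example.
SAMPLE_LOG = """\
Mar 13 19:55:01.120: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
Mar 13 19:55:01.890: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi0/2 and port Gi0/1
Mar 13 19:55:02.400: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
Mar 13 19:55:03.002: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.0001 in vlan 10 is flapping between port Gi0/2 and port Gi0/1
Mar 13 19:57:44.310: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bb.0002 in vlan 20 is flapping between port Gi1/3 and port Gi0/0
Mar 13 19:58:10.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/3, changed state to down
"""

FLAP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: %SW_MATM-4-MACFLAP_NOTIF: "
                     r"Host (\S+) in vlan (\d+) is flapping between port (\S+) and port (\S+)")

def parse_flaps(log):
    """Yield (timestamp, mac, vlan, frozenset{port_a, port_b}) for each flap message.
    The port pair is unordered so Gi0/1<->Gi0/2 and Gi0/2<->Gi0/1 count as the same pair."""
    for line in log.splitlines():
        m = FLAP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), frozenset((m.group(4), m.group(5)))

def suspected_loops(log, min_events=3, window_seconds=60):
    """Return (mac, vlan, ports) keys that flapped at least min_events times within
    window_seconds: the rapid, repeated pattern of a forwarding loop rather than a
    one-off host move."""
    events = defaultdict(list)
    for ts, mac, vlan, ports in parse_flaps(log):
        events[(mac, vlan, ports)].append(ts)
    hits = []
    for key, times in events.items():
        times.sort()
        for i in range(len(times) - min_events + 1):
            if (times[i + min_events - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits
```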
Root Guard
Enabled on a port-by-port basis; it prevents a configured port from becoming a root port.
Stops downstream switches from becoming the root bridge; ports that receive such a BPDU are err-disabled.
Command: spanning-tree guard root. Root guard is placed on designated ports toward other switches that should never become root bridges.
STP Portfast
Placed on host ports; suppresses TCNs from those ports.
Bypasses the listening and learning states and goes straight to forwarding.
Saves time; used on access ports.
Beneficial in environments where computers use Dynamic Host Configuration Protocol (DHCP) or Preboot Execution Environment (PXE).
The command spanning-tree portfast trunk is ONLY used on a trunk port that connects to a single host, e.g. an ESXi server.
Enabled per interface with the command spanning-tree portfast, or globally on all access ports with the command spanning-tree portfast default.
BPDU Guard
BPDU guard is a safety mechanism that shuts down portfast ports upon receipt of a BPDU.
It ensures that a loop cannot accidentally be created if an unauthorized switch is added to the topology.
Enabled globally on all portfast ports with the command spanning-tree portfast bpduguard default. BPDU guard can be enabled or disabled on a specific interface with the command spanning-tree bpduguard {enable | disable}.
BPDU guard is typically configured on all host-facing ports that are enabled with portfast.
Use error recovery to bring back ports that were shut down by BPDU guard: errdisable recovery cause bpduguard.
The interval at which error recovery checks for err-disabled ports is configured with the command errdisable recovery interval time-seconds.
BPDU Filter
Blocks BPDUs from being transmitted out a port.
Most network designs do not require BPDU filter; it adds an unnecessary level of complexity and also introduces risk.
UDLD Fiber Trunking
Unidirectional Link Detection (UDLD) allows for the bidirectional monitoring of fiber-optic cables.
Lab
SW-01 Configuration
SW-01#sh runn
Building configuration...
Current configuration : 3810 bytes
!
! Last configuration change at 19:53:21 UTC Sat Mar 13 2021
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW-01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
no ipv6 cef
!
!
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
description ACCESS-WIRED
switchport access vlan 10
switchport mode access
media-type rj45
negotiation auto
spanning-tree portfast edge
spanning-tree bpduguard enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
SW-02 Configuration
SW-02#sh runn
Building configuration...
Current configuration : 3810 bytes
!
! Last configuration change at 19:53:22 UTC Sat Mar 13 2021
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW-02
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
no ipv6 cef
!
!
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
description SHUTDOWN-NO-USERS
switchport access vlan 999
switchport mode access
shutdown
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
description ACCESS-WIRED
switchport access vlan 10
switchport mode access
media-type rj45
negotiation auto
spanning-tree portfast edge
spanning-tree bpduguard enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
SW-02#
SW-03 Configuration
SW-03#sh runn
Building configuration...
Current configuration : 3443 bytes
!
! Last configuration change at 19:53:38 UTC Sat Mar 13 2021
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW-03
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 0
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
spanning-tree guard root
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
spanning-tree guard root
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
SW-03#
SW-04 Configuration
SW-04#sh runn
Building configuration...
Current configuration : 3446 bytes
!
! Last configuration change at 19:53:44 UTC Sat Mar 13 2021
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname SW-04
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
spanning-tree guard root
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
spanning-tree guard root
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 666
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end