Spanning Tree Review


Why do we need Spanning Tree

  • Good network design provides redundancy in devices and network links
  • The simplest solution involves adding a second link between switches to overcome a network link failure or ensuring that a switch is connected to at least two other switches in a topology.
  • This can cause problems when a switch must forward broadcasts or when unknown unicast flooding occurs.
  • Network broadcasts forward in a continuous loop until the link becomes saturated, and the switch is forced to drop packets.
  • Also the MAC address table must constantly change ports as the packets make loops. The packets continue to loop around the topology because there is not a time-to-live (TTL) mechanism for Layer 2 forwarding. The switch CPU utilization increases, as does memory consumption, which could result in the crashing of the switch.

Common Causes of Layer 2 Loops

  • STP disabled on a switch
  • A misconfigured load balancer that transmits traffic out multiple ports with the same MAC address
  • A misconfigured virtual switch that bridges two physical ports (Virtual switches typically do not participate in STP.)
  • End users using a dumb network switch or hub

How Spanning Tree Works

  • Spanning Tree Protocol (STP) enables switches to become aware of other switches through the advertisement and receipt of bridge protocol data units (BPDUs).
  • STP builds a Layer 2 loop-free topology in an environment by temporarily blocking traffic on redundant ports.
  • STP operates by selecting a specific switch as the master switch and running a tree-based algorithm to identify which redundant ports should not forward traffic.

Root bridge: The root bridge is the most important switch in the Layer 2 topology.

Bridge protocol data unit (BPDU): This network packet is used for network switches to identify a hierarchy and notify of changes in the topology.

Two Types of BPDUs:

  • Configuration
  • TCN

Max age: the maximum length of time a bridge port retains received BPDU information before it is discarded.

  • Default is 20 seconds; configured with the command spanning-tree vlan vlan-id max-age maxage. If a switch loses contact with the BPDU's source, it assumes that the BPDU information is still valid for the duration of the Max Age timer.

Hello time: the interval at which a BPDU is advertised out of a port.

  • Default is 2 seconds; can be configured to 1 to 10 seconds with the command spanning-tree vlan vlan-id hello-time hello-time.

Forward delay: the time a port stays in the listening and learning states.

  • Default value is 15 seconds; can be 15 to 30 seconds with the command spanning-tree vlan vlan-id forward-time forward-time.
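The three timers above are not independent: IEEE 802.1D requires 2 × (forward delay − 1) ≥ max age ≥ 2 × (hello + 1), so changing one of them with the commands listed above can silently break the others. The following is an added example, not code from the original post, that checks a proposed set of timers against that relation and computes the classic worst-case reconvergence time (max age plus two forward delays) that the defaults imply.

```python
# Added example, not from the original post: sanity-check STP timer values
# against the relationship IEEE 802.1D requires between them, and compute the
# classic worst-case reconvergence time the defaults imply.

DEFAULT_HELLO = 2.0           # seconds (page default)
DEFAULT_MAX_AGE = 20.0        # seconds (page default)
DEFAULT_FORWARD_DELAY = 15.0  # seconds (page default)


def timer_problems(hello=DEFAULT_HELLO, max_age=DEFAULT_MAX_AGE,
                   forward_delay=DEFAULT_FORWARD_DELAY):
    """Return a list of violated 802.1D timer constraints (empty means OK).

    802.1D requires  2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1):
    BPDU information must survive a couple of lost hellos, and a port must not
    start forwarding before stale information has aged out elsewhere.
    """
    problems = []
    if max_age < 2 * (hello + 1):
        problems.append(
            f"max_age {max_age}s < 2*(hello {hello}s + 1) = {2 * (hello + 1)}s: "
            "BPDU information could age out after missing only a couple of hellos")
    if 2 * (forward_delay - 1) < max_age:
        problems.append(
            f"2*(forward_delay {forward_delay}s - 1) = {2 * (forward_delay - 1)}s "
            f"< max_age {max_age}s: a port could forward before old topology "
            "information has expired, risking a transient loop")
    return problems


def worst_case_convergence(max_age=DEFAULT_MAX_AGE,
                           forward_delay=DEFAULT_FORWARD_DELAY):
    """Classic 802.1D STP: an indirect failure is only noticed once Max Age
    expires, then the port spends one forward delay each in listening and
    learning before it forwards."""
    return max_age + 2 * forward_delay


if __name__ == "__main__":
    print("defaults:", timer_problems() or "OK",
          "| worst case", worst_case_convergence(), "s")
    # Raising hello to its 10 s maximum without raising max age breaks the relation.
    print("hello=10:", timer_problems(hello=10))
    print("hello=10, max-age=22:", timer_problems(hello=10, max_age=22) or "OK")
```

The second print shows the practical point: the hello timer may be set as high as 10 seconds, but with the default max age of 20 seconds that value violates the lower bound, so max age has to be raised alongside it.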

Election

  • Hello BPDUs are exchanged between all switches at the beginning of the root bridge election process.
  • Each switch initially considers itself the root bridge and sends its BPDUs with its own bridge ID as the root bridge ID.
  • When a switch receives a BPDU with a lower bridge ID, it "adjusts" its own BPDUs to advertise that lower bridge ID as the root; a BPDU carrying a higher bridge ID is discarded.
  • That process continues until all switches agree on the root bridge, which is the one with the lowest bridge ID.
  • If all switches have the same bridge priority, the tiebreaker is the MAC address: the switch with the lowest MAC address becomes the root bridge.
  • The bridge ID is composed of the bridge priority, the System ID Extension (based on the IEEE 802.1t standard), and the MAC address of the switch.
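To make the election rule concrete, here is an added example (not code from the original post) that builds the 802.1t bridge ID exactly as described, with the 4-bit priority and the 12-bit System ID Extension (the VLAN ID) in front of the MAC address, and ranks the four lab switches from later on the page by it. The MAC addresses are constructed sample values, not the lab's real ones. It also shows why "show spanning-tree" displays a priority such as 32778 for VLAN 10: the VLAN ID is added to the configured priority.

```python
# Added example, not from the original post: build the 802.1t bridge ID
# (priority + System ID Extension + MAC) and apply "lowest bridge ID wins".
from dataclasses import dataclass

PRIORITY_STEP = 4096   # the System ID Extension (VLAN ID) occupies the low 12 bits
MAX_PRIORITY = 61440   # 0xF000, the highest multiple of 4096 that fits in 16 bits


def parse_mac(mac: str) -> int:
    """Accept Cisco dotted (0011.2233.4455) or colon form; return a 48-bit int."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID: 4-bit priority, 12-bit sys-id-ext (VLAN), 48-bit MAC."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return ((priority + vlan) << 48) | parse_mac(mac)


def displayed_priority(priority: int, vlan: int) -> int:
    """The value 'show spanning-tree' prints as Priority: priority + sys-id-ext."""
    return bridge_id(priority, vlan, "0000.0000.0000") >> 48


@dataclass(frozen=True)
class Switch:
    name: str
    priority: int   # set with: spanning-tree vlan <id> priority <priority>
    mac: str        # constructed sample MACs, not the lab's real addresses


def election_order(switches, vlan):
    """Switches sorted best-first: lowest bridge ID, i.e. lowest priority,
    and only on a priority tie the lowest MAC address."""
    return sorted(switches, key=lambda s: bridge_id(s.priority, vlan, s.mac))


def elect_root(switches, vlan):
    return election_order(switches, vlan)[0]


# Priorities as in the page's lab: SW-03 is 0, SW-04 is 4096, the rest default.
LAB = [
    Switch("SW-01", 32768, "0050.56bf.0101"),
    Switch("SW-02", 32768, "0050.56bf.0002"),
    Switch("SW-03", 0,     "0050.56bf.ffff"),
    Switch("SW-04", 4096,  "0050.56bf.0404"),
]

if __name__ == "__main__":
    for sw in election_order(LAB, vlan=10):
        print(f"{sw.name}: displayed priority {displayed_priority(sw.priority, 10)}, "
              f"bridge ID 0x{bridge_id(sw.priority, 10, sw.mac):016x}")
```

Note that SW-03 wins even though its sample MAC address is the highest of the four: the MAC only matters between switches whose priority ties, which is why SW-02 ranks ahead of SW-01.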

Finding Topology Change Causes

  • Determining why TCNs are occurring involves checking a port to see whether it is connected to a host or to another switch.
  • If it is connected to another switch, you need to connect to that switch and repeat the process of examining the STP details.
  • You might need to examine CDP tables or your network documentation.
  • You can execute the show spanning-tree [vlan vlan-id] detail command again to find the last switch in the topology and identify the problematic port.

RSTP (802.1W) Port States

  • Discarding: The switch port is enabled, but the port is not forwarding any traffic to ensure that a loop is not created. This state combines the traditional STP states disabled, blocking, and listening.
  • Learning: The switch port modifies the MAC address table with any network traffic it receives. The switch still does not forward any other network traffic besides BPDUs.
  • Forwarding: The switch port forwards all network traffic and updates the MAC address table as expected. This is the final state for a switch port to forward network traffic.

STP Tuning

  • Ideally the root bridge is placed on a core switch, and a secondary root bridge is designated to minimize changes to the overall spanning tree

Root and Secondary Placement

  • spanning-tree vlan vlan-id priority priority: The priority is a value between 0 and 61,440, in increments of 4,096.
  • spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]: This command executes a script that modifies certain values. The primary keyword sets the priority
  • Generally, root switches are at Layer 2/Layer 3 boundaries.
  • Minimize the number of hops to the furthest switch in the topology.
  • BEST PRACTICE: set the priority to 0 for the primary root switch and to 4096 for the secondary root switch.

Oh Snap, There’s a Loop!

  • Catalyst switches detect a MAC address that is flapping between interfaces and notify via syslog.
  • The message includes the MAC address of the host, the VLAN, and the ports between which the MAC address is flapping.
  • These messages should be investigated to ensure that a forwarding loop does not exist.
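The investigation described above can be partly automated. The following added example, not code from the original post, parses the Catalyst MAC-flap syslog message (%SW_MATM-4-MACFLAP_NOTIF, with the "datetime msec" timestamps the lab configs enable), groups the events by VLAN and port pair, and tells apart two patterns: many different hosts flapping between the same two ports, which is what a forwarding loop looks like, and one host flapping on its own, which matches the misconfigured load balancer or virtual switch cases listed at the top of the page. The log lines are constructed samples; the 60-second window and three-event threshold are assumptions to tune for your environment.

```python
# Added example, not from the original post: triage Catalyst MAC-flap syslog
# messages into "probable loop" versus "single host flapping".
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# %SW_MATM-4-MACFLAP_NOTIF message, preceded by a 'service timestamps log
# datetime msec' style timestamp such as "Mar 13 19:55:01.123: ".
MACFLAP_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d{3})?: "
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


@dataclass(frozen=True)
class FlapEvent:
    ts: datetime
    mac: str
    vlan: int
    ports: frozenset   # unordered pair: Gi0/1<->Gi0/2 equals Gi0/2<->Gi0/1


@dataclass(frozen=True)
class Finding:
    vlan: int
    ports: tuple
    events_in_window: int
    distinct_macs: int
    verdict: str


def parse_flaps(text):
    """Extract FlapEvents from raw syslog text; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:
            events.append(FlapEvent(datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                                    m["mac"], int(m["vlan"]),
                                    frozenset((m["p1"], m["p2"]))))
    return events


def find_flap_patterns(events, window=timedelta(seconds=60), min_events=3):
    """Flag (vlan, port pair) groups with >= min_events inside any window."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.vlan, ev.ports)].append(ev)
    findings = []
    for (vlan, ports), evs in sorted(by_pair.items(), key=lambda kv: kv[0][0]):
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for i, ev in enumerate(evs):            # sliding window over timestamps
            while ev.ts - evs[start].ts > window:
                start += 1
            best = max(best, i - start + 1)
        if best < min_events:
            continue
        macs = {e.mac for e in evs}
        verdict = ("probable forwarding loop: several hosts flap between the same ports"
                   if len(macs) > 1 else
                   "single host flapping: duplicate MAC, NIC teaming or load-balancer misconfiguration")
        findings.append(Finding(vlan, tuple(sorted(ports)), best, len(macs), verdict))
    return findings


def audit_log(text):
    return find_flap_patterns(parse_flaps(text))


# Constructed sample log: VLAN 10 shows three hosts flapping between the same two
# trunk ports (loop signature), VLAN 20 one host flapping repeatedly, VLAN 30 noise.
SAMPLE_LOG = """\
Mar 13 19:55:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.0001 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
Mar 13 19:55:02.410: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.0002 in vlan 10 is flapping between port Gi0/2 and port Gi0/1
Mar 13 19:55:03.900: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.0003 in vlan 10 is flapping between port Gi0/1 and port Gi0/2
Mar 13 19:55:10.222: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.00aa in vlan 20 is flapping between port Gi1/3 and port Gi0/0
Mar 13 19:55:25.001: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.00aa in vlan 20 is flapping between port Gi1/3 and port Gi0/0
Mar 13 19:55:41.777: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.00aa in vlan 20 is flapping between port Gi0/0 and port Gi1/3
Mar 13 19:59:00.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56bf.0bad in vlan 30 is flapping between port Gi1/1 and port Gi1/2
"""

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"vlan {f.vlan} {f.ports}: {f.events_in_window} events, "
              f"{f.distinct_macs} MAC(s): {f.verdict}")
```

The verdict for the multi-host case is the one that warrants immediately checking the spanning-tree state of the two ports named; the single-host case points at the attached device rather than at the topology.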

Root Guard

  • Enabled on a port-by-port basis; it prevents a configured port from becoming a root port.
  • Stops downstream switches from becoming the root bridge; err-disables ports that receive the BPDU.
  • Command: spanning-tree guard root. Root guard is placed on designated ports toward other switches that should never become root bridges.

STP Portfast

  • Placed on host ports; disables TCNs.
  • Bypasses the listening and learning states and goes straight to forwarding.
  • Saves time; used on access ports.
  • Beneficial in environments where computers use Dynamic Host Configuration Protocol (DHCP) or Preboot Execution Environment (PXE).
  • Command spanning-tree portfast trunk: ONLY USED ON A SINGLE HOST, e.g. an ESXi server.
  • Command spanning-tree portfast on an interface, or globally on all access ports with the command spanning-tree portfast default.

BPDU Guard

  • BPDU guard is a safety mechanism that shuts down portfast ports upon receipt of a BPDU.
  • Ensures that a loop cannot accidentally be created if an unauthorized switch is added to a topology.
  • Enabled globally on all portfast ports with the command spanning-tree portfast bpduguard default. BPDU guard can be enabled or disabled on a specific interface with the command spanning-tree bpduguard {enable | disable}.
  • BPDU guard is typically configured on all host-facing ports that are enabled with portfast.
  • Use error recovery to recover ports that were shut down by BPDU guard: errdisable recovery cause bpduguard.
  • The period at which error recovery checks for ports is configured with the command errdisable recovery interval time-seconds.

BPDU Filter

  • Blocks BPDUs from being transmitted out a port
  • Most network designs do not require BPDU filter, which adds an unnecessary level of complexity and also introduces risk.

UDLD Fiber Trunking

  • Unidirectional Link Detection (UDLD) allows for the bidirectional monitoring of fiber-optic cables.

Lab

SW-01 Configuration

SW-01#sh runn
 Building configuration...
 Current configuration : 3810 bytes
 !
 ! Last configuration change at 19:53:21 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-01
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 errdisable recovery cause bpduguard
 errdisable recovery interval 30
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/3
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  description ACCESS-WIRED
  switchport access vlan 10
  switchport mode access
  media-type rj45
  negotiation auto
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 

SW-02 Configuration

SW-02#sh runn
 Building configuration...
 Current configuration : 3810 bytes
 !
 ! Last configuration change at 19:53:22 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-02
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 errdisable recovery cause bpduguard
 errdisable recovery interval 30
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/3
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  description SHUTDOWN-NO-USERS
  switchport access vlan 999
  switchport mode access
  shutdown
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  description ACCESS-WIRED
  switchport access vlan 10
  switchport mode access
  media-type rj45
  negotiation auto
  spanning-tree portfast edge
  spanning-tree bpduguard enable
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 
 SW-02#

SW-03 Configuration

SW-03#sh runn
 Building configuration...
 Current configuration : 3443 bytes
 !
 ! Last configuration change at 19:53:38 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-03
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 spanning-tree vlan 1-4094 priority 0
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  media-type rj45
  negotiation auto
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end 
 SW-03#

SW-04 Configuration

SW-04#sh runn
 Building configuration...
 Current configuration : 3446 bytes
 !
 ! Last configuration change at 19:53:44 UTC Sat Mar 13 2021
 !
 version 15.2
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service compress-config
 !
 hostname SW-04
 !
 boot-start-marker
 boot-end-marker
 !
 !
 !
 no aaa new-model
 !
 !
 !
 !
 !
 !
 !
 !
 ip cef
 no ipv6 cef
 !
 !
 !
 spanning-tree mode rapid-pvst
 spanning-tree extend system-id
 spanning-tree vlan 1-4094 priority 4096
 !
 vlan internal allocation policy ascending
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 !
 interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet0/1
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/2
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
  spanning-tree guard root
 !
 interface GigabitEthernet0/3
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 666
  switchport mode trunk
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/0
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/1
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/2
  media-type rj45
  negotiation auto
 !
 interface GigabitEthernet1/3
  media-type rj45
  negotiation auto
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 !
 !
 !
 !
 !
 control-plane
 !
 line con 0
 line aux 0
 line vty 0 4
 !
 !
 end
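The lab configs above apply the Portfast, BPDU Guard and BPDU Filter guidance from the earlier sections: every portfast edge port carries bpduguard, errdisable recovery is on, and no port filters BPDUs. The following added example, not code from the original post, is a small audit that parses a "show running-config" dump and reports deviations from exactly that guidance. It is run over a trimmed copy of the SW-01 config (constructed from the page's lab) and over a constructed config that gets the settings wrong. The severity labels and the exact checks are assumptions, not part of the original page.

```python
# Added example, not from the original post: audit the STP edge-port safety
# settings (portfast, BPDU guard, BPDU filter, errdisable recovery) in an
# IOS running-config.


def parse_ios_config(text):
    """Split a running-config into global lines and per-interface stanzas.
    Tolerates the leading space that copy/paste often adds to each line."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                     # '!' ends the current stanza
            continue
        if line == "end":
            break
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_stp(text):
    """Return (severity, where, message) findings; an empty list means clean."""
    globals_, interfaces = parse_ios_config(text)
    findings = []
    guard_default = "spanning-tree portfast bpduguard default" in globals_
    any_bpduguard = guard_default

    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                           # administratively down, skip
        portfast = [l for l in lines if l.startswith("spanning-tree portfast")]
        guard_on = "spanning-tree bpduguard enable" in lines
        guard_off = "spanning-tree bpduguard disable" in lines
        any_bpduguard = any_bpduguard or guard_on
        if portfast and not (guard_on or (guard_default and not guard_off)):
            findings.append(("HIGH", name, "portfast without BPDU guard: a switch "
                             "plugged into this edge port is not shut down"))
        if any(l.endswith("trunk") for l in portfast):
            findings.append(("MEDIUM", name, "portfast trunk: only appropriate "
                             "for a single host such as a hypervisor"))
        if any(l.startswith("spanning-tree bpdufilter") for l in lines):
            findings.append(("HIGH", name, "BPDU filter: the port stops sending "
                             "BPDUs, so a loop through it goes undetected"))
    if "spanning-tree portfast bpdufilter default" in globals_:
        findings.append(("HIGH", "global", "BPDU filter enabled by default on portfast ports"))
    if any_bpduguard and "errdisable recovery cause bpduguard" not in globals_:
        findings.append(("LOW", "global", "BPDU guard used without errdisable "
                         "recovery: ports stay down until cleared by hand"))
    return findings


# Trimmed copy of the SW-01 lab config from this page.
SW01_TRIMMED = """\
hostname SW-01
!
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 description SHUTDOWN-NO-USERS
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/3
 description ACCESS-WIRED
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast edge
 spanning-tree bpduguard enable
!
end
"""

# Constructed config that violates the guidance: one edge port has no guard,
# another filters BPDUs, and there is no errdisable recovery.
BAD_CONFIG = """\
hostname SW-BAD
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/3
 switchport access vlan 10
 spanning-tree portfast edge
!
interface GigabitEthernet1/2
 switchport access vlan 10
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("SW-01", SW01_TRIMMED), ("SW-BAD", BAD_CONFIG)):
        print(label, audit_stp(cfg) or "clean")
```

The parser only needs the "!" separators and the "interface" keyword, so it works on the copy/pasted dumps above as well as on a clean "show running-config" export.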