Notes on Networking

A blog to share my study notes on Cisco networking and more

STP

Apr 07

TOC

  • Concept
  • BPDU Frame
  • STP (802.1d) Process Phases
  • STP Port States
  • Timers
  • STP Topology Changes
  • STP Re-convergence Process
  • Optimizing STP Re-convergence
  • Protecting STP Topology
  • RSTP
  • STP and VLANs (CST, PVST+, MST)

 

Concept

Bridging loops forward a single frame around and around between switches forever.

STP prevents bridging loops by forming a spanning-tree topology in a layer 2 network with redundant links.

STP uses a special layer 2 frame called BPDU to operate.

BPDU Frame

A BPDU is a special layer 2 frame that STP uses to form a loop-free topology.

The BPDU destination address is the well-known multicast address 01-80-c2-00-00-00.

BPDUs come in two types:

  • Configuration BPDU that is used for STP computation.
  • Topology Change Notification (TCN) BPDU that is used to announce a change in topology.

BPDU frame fields:

  • Protocol
  • Version
  • Message Type (Configuration or TCN)
  • Flags
  • Root Bridge ID
  • Root Path Cost
  • Sender Bridge ID
  • Sender Port ID
  • Message Age
  • Max Age
  • Hello Time
  • Forward Delay
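The field list above maps directly onto the 35-byte Configuration BPDU (and the 4-byte TCN BPDU) as it appears on the wire. The following Python is an added example, not code from the blog: it builds a constructed BPDU frame, checks the well-known destination MAC and the LLC header (DSAP/SSAP 0x42), and decodes every field named above. Timers are carried in units of 1/256 second; the Port ID split into 4-bit priority and 12-bit number (802.1t) and the sample MAC addresses and values are assumptions for the example.

```python
import struct

# Constructed constants for the example (not captured from a real switch).
STP_MULTICAST = bytes.fromhex("0180c2000000")   # well-known BPDU destination MAC
LLC_STP = bytes.fromhex("424203")                # LLC DSAP 0x42, SSAP 0x42, UI control
CONFIG_BPDU, TCN_BPDU = 0x00, 0x80               # Message Type values
FLAG_TC, FLAG_TCA = 0x01, 0x80                   # Topology Change / TC Acknowledgement bits


def encode_bridge_id(priority, system_id_ext, mac):
    """8-byte Bridge ID: 4-bit priority (multiple of 4096) | 12-bit system ID extension | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= system_id_ext <= 4095:
        raise ValueError("system ID extension is a 12-bit field")
    return struct.pack("!H", priority | system_id_ext) + bytes.fromhex(mac.replace(":", ""))


def decode_bridge_id(raw):
    field = struct.unpack("!H", raw[:2])[0]
    return {"priority": field & 0xF000, "system_id_ext": field & 0x0FFF, "mac": raw[2:8].hex(":")}


def wrap_frame(src_mac, bpdu):
    """802.3 frame: dst MAC, src MAC, length, LLC header, BPDU payload."""
    length = struct.pack("!H", len(LLC_STP) + len(bpdu))
    return STP_MULTICAST + bytes.fromhex(src_mac.replace(":", "")) + length + LLC_STP + bpdu


def build_config_bpdu(src_mac, root_id, root_path_cost, bridge_id, port_id,
                      message_age, max_age, hello_time, forward_delay, flags=0):
    """Configuration BPDU: protocol 0, version 0, type 0, then the fields listed on the page."""
    bpdu = struct.pack("!HBBB8sI8sHHHHH", 0, 0, CONFIG_BPDU, flags, root_id, root_path_cost,
                       bridge_id, port_id, int(message_age * 256), int(max_age * 256),
                       int(hello_time * 256), int(forward_delay * 256))
    return wrap_frame(src_mac, bpdu)


def build_tcn_bpdu(src_mac):
    """TCN BPDU carries only protocol, version and type."""
    return wrap_frame(src_mac, struct.pack("!HBB", 0, 0, TCN_BPDU))


def parse_bpdu_frame(frame):
    """Decode a BPDU frame into a dict; raises ValueError on anything that is not a valid STP BPDU."""
    if frame[:6] != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast group")
    if frame[14:17] != LLC_STP:
        raise ValueError("not an STP LLC frame")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[17:14 + length]
    protocol, version, msg_type = struct.unpack("!HBB", payload[:4])
    if protocol != 0 or version != 0:
        raise ValueError("unknown protocol identifier/version")
    sender_mac = frame[6:12].hex(":")
    if msg_type == TCN_BPDU:
        return {"type": "TCN", "sender_mac": sender_mac}
    if msg_type != CONFIG_BPDU or len(payload) < 35:
        raise ValueError("malformed BPDU")
    (flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd) = struct.unpack("!B8sI8sHHHHH", payload[4:35])
    return {
        "type": "Configuration",
        "sender_mac": sender_mac,
        "flags": {"tc": bool(flags & FLAG_TC), "tca": bool(flags & FLAG_TCA)},
        "root_id": decode_bridge_id(root),
        "root_path_cost": cost,
        "sender_id": decode_bridge_id(bridge),
        # Assumption: 802.1t layout, 4-bit priority in steps of 16 and 12-bit port number.
        "sender_port": {"priority": (port_id >> 12) * 16, "number": port_id & 0x0FFF},
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }


# Constructed sample: root is priority 24576 in VLAN 10, sender is a default-priority switch one hop away.
ROOT_ID = encode_bridge_id(24576, 10, "00:11:22:33:44:55")
SENDER_ID = encode_bridge_id(32768, 10, "aa:bb:cc:dd:ee:01")
SAMPLE_CONFIG = build_config_bpdu("aa:bb:cc:dd:ee:01", ROOT_ID, 4, SENDER_ID, 0x8001,
                                  message_age=1, max_age=20, hello_time=2, forward_delay=15, flags=FLAG_TC)
SAMPLE_TCN = build_tcn_bpdu("aa:bb:cc:dd:ee:02")

if __name__ == "__main__":
    print(parse_bpdu_frame(SAMPLE_CONFIG))
    print(parse_bpdu_frame(SAMPLE_TCN))
```

The parser refuses frames whose destination is not the STP multicast group or whose LLC header is not 0x42/0x42/0x03, which is also the first thing a BPDU-based detection rule should check before trusting the decoded Root Bridge ID.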

 

STP (802.1d) Process Phases

  • Root Bridge Election in the Network
  • Root Port Election on each Switch
  • Designated Switch/Port Selection on each subnet

 

Root Bridge Election

Root Bridge is the bridge with the lowest Bridge ID.

Bridge ID = Bridge Priority + Bridge MAC address

Bridge Priority field (16 bits), default = 32768

Root bridge election process:

  • Every switch claims to be the Root Bridge by sending Hello BPDUs with its own MAC address as the Root Bridge’s Bridge ID.
  • Switches that receive a superior BPDU stop originating Hello BPDUs and start forwarding the superior BPDU after updating the following fields:
    • Cost
    • Forwarding Switch’s Bridge ID
    • Forwarding Switch’s Port Priority
    • Forwarding Switch’s Port Number
  • The Root Bridge is selected.
  • The Root Bridge puts all its ports in Forwarding state.

 

MAC Address Reduction/System ID extension Feature

Bridge ID = Bridge Priority (4 bit) + System ID extension (12 bit) + MAC address (48 bit).

Bridge Priority is a multiple of 4096; System ID extension = VLAN ID or MST instance.

This method gives each VLAN a different Bridge ID so that STP can form a separate spanning-tree instance per VLAN (PVST). Before it, switches had to own many MAC addresses (one per VLAN) to distinguish BPDUs of different VLANs, or could run only one spanning-tree instance for the entire network.

 

Root Port Election

The Root Port on a switch is the port with the lowest calculated path cost to the Root Bridge.

Root Port election process:

  • The Root Bridge creates and sends Hello BPDUs every Hello Timer with Cost=0.
  • Each switch (non root) adds the cost of receiving port to the cost listed in the received BPDU.
  • Each Switch forwards the Hello BPDU after updating the following fields:
    • Cost
    • Forwarding Switch’s Bridge ID
    • Forwarding Switch’s Port Priority
    • Forwarding Switch’s Port Number
  • Each switch calculates the cost to reach the Root Bridge and elects the port with the lowest calculated cost as the Root Port. When the cost is a tie, the switch breaks it with the following parameters, in order:
    • The port which receives the BPDU with the lowest Forwarding Switch’s Bridge ID
    • The port which receives the BPDU with the lowest Forwarding Switch’s Port Priority
    • The port which receives the BPDU with the lowest Forwarding Switch’s Port Number
  • Each switch puts the Root Port in Forwarding state.

 

Designated Switch/Port Selection

The switch with the lowest cost to the Root, compared with the other switches attached to the same segment, is the Designated Switch on that segment, and its port attached to that segment is the Designated Port. The Designated Switch puts the Designated Port in Forwarding state.

In other words, the Designated Switch/Port is the one that forwards BPDUs with the lowest cost into each segment. When the cost is a tie, the switch breaks it with the following parameters, in order:

  • The port which receives BPDU with the lowest value of Forwarding Switch’s Bridge ID
  • The port which receives BPDU with the lowest value of Forwarding Switch’s Port Priority
  • The port which receives BPDU with the lowest value of Forwarding Switch’s Port Number
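The three phases above (Root Bridge election, Root Port election with its tie-breakers, and Designated Port selection per segment) can be run as one computation over a small topology. The Python below is an added example, not the blog's code: it encodes Bridge IDs with the system ID extension from the previous section, uses the port costs from the table that follows, relaxes root path costs until every switch holds its best BPDU, and then assigns roles. The switch names, MAC addresses and links are constructed; a parallel link between SW1 and SW2 is included so that the sender Port Number tie-breaker is exercised, and the SW2/SW3 link shows the Bridge ID tie-breaker for the Designated Port.

```python
from dataclasses import dataclass

# Port costs from the STP Port Costs table (Mbps -> cost); constructed lookup, not a vendor API.
PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority, vlan, mac):
    """Bridge ID as a comparable integer: 4-bit priority | 12-bit system ID extension | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096")
    if not 0 <= vlan <= 4095:
        raise ValueError("system ID extension is 12 bits")
    return ((priority | vlan) << 48) | int(mac.replace(":", ""), 16)


def port_id(number, priority=128):
    """Port ID: 4-bit priority (multiples of 16) | 12-bit number, so priority is compared before number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16")
    return ((priority // 16) << 12) | number


@dataclass(frozen=True)
class Link:
    """A point-to-point segment; the same cost is used at both ends, as the page recommends."""
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int


def compute_stp(switches, links):
    """switches: {name: bridge_id int}. Returns the root, root path costs, root ports and port roles."""
    root = min(switches, key=switches.get)                    # phase 1: lowest Bridge ID wins
    adj = {s: [] for s in switches}
    for l in links:
        adj[l.a].append((l.a_port, PORT_COST[l.mbps], l.b, l.b_port))
        adj[l.b].append((l.b_port, PORT_COST[l.mbps], l.a, l.a_port))
    INF = float("inf")
    rpc = {s: (0 if s == root else INF) for s in switches}   # root path cost per switch
    root_port = {s: None for s in switches}
    changed = True
    while changed:                                            # phase 2: relax until no switch finds a better BPDU
        changed = False
        for s in switches:
            if s == root:
                continue
            best = None
            for my_port, cost, nbr, nbr_port in adj[s]:
                if rpc[nbr] == INF:
                    continue
                # What the neighbour advertises on this segment plus my receiving port's cost;
                # ties break on sender Bridge ID, then sender Port ID (priority, then number).
                cand = (rpc[nbr] + cost, switches[nbr], port_id(nbr_port))
                if best is None or cand < best[0]:
                    best = (cand, my_port)
            if best is not None and (best[0][0], best[1]) != (rpc[s], root_port[s]):
                rpc[s], root_port[s] = best[0][0], best[1]
                changed = True
    roles = {}
    for l in links:                                           # phase 3: designated end of each segment
        adv_a = (rpc[l.a], switches[l.a], port_id(l.a_port))
        adv_b = (rpc[l.b], switches[l.b], port_id(l.b_port))
        if adv_a < adv_b:
            des, des_port, other, other_port = l.a, l.a_port, l.b, l.b_port
        else:
            des, des_port, other, other_port = l.b, l.b_port, l.a, l.a_port
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if root_port[other] == other_port else "blocking"
    return {"root": root, "root_path_cost": rpc, "root_port": root_port, "roles": roles}


# Constructed VLAN 10 topology: SW1 has a lowered priority so it is the intended root.
SWITCHES = {
    "SW1": bridge_id(24576, 10, "00:00:00:00:00:01"),
    "SW2": bridge_id(32768, 10, "00:00:00:00:00:02"),
    "SW3": bridge_id(32768, 10, "00:00:00:00:00:03"),
}
LINKS = [
    Link("SW1", 1, "SW2", 1, 1_000),
    Link("SW1", 3, "SW2", 3, 1_000),   # parallel link: SW2's root port is decided by SW1's port number
    Link("SW1", 2, "SW3", 1, 1_000),
    Link("SW2", 2, "SW3", 2, 1_000),   # equal cost on both ends: SW2 wins designated on lower Bridge ID
]

if __name__ == "__main__":
    result = compute_stp(SWITCHES, LINKS)
    print("root:", result["root"], "costs:", result["root_path_cost"])
    for (sw, port), role in sorted(result["roles"].items()):
        print(f"{sw} port {port}: {role}")
```

Because the comparison tuples are (cost, sender Bridge ID, sender Port ID), an administrator who wants a deterministic root port on a parallel link lowers the port priority on the upstream side rather than relying on port numbering, which is exactly what the tie-breaker order above implies.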

STP Port Costs

Bandwidth      Cost (New)
10 Gbps        2
1000 Mbps      4
100 Mbps       19
10 Mbps        100

Port costs can be set manually on interfaces (recommended) or derived from the bandwidth configured on the interface. Good design practice is to set the same STP cost on both ends of a link.

(config-if)#spanning-tree vlan … cost …

(config-if)#bandwidth …

 

STP Port Roles

  • Root Port
  • Designated Port
  • Alternate Port (when using the Uplinkfast feature)

 

STP Port States

  • Disabled

Port is shutdown.

 

  • Blocking

Not sending/receiving data frames

Not learning MAC addresses

Not sending BPDUs, only receiving them

  • Listening

Not sending/receiving data frames

Not learning MAC addresses

Sending and receiving BPDU frames

A transitory state lasting Forward Delay.

  • Learning

Not sending/receiving data frames

Learning MAC addresses

Sending and receiving BPDU frames

A transitory state lasting Forward Delay.

  • Forwarding

A port in Forwarding state sends and receives all frames normally.

 

STP Timers

STP timers are set globally or per VLAN on the Root Bridge and advertised in configuration BPDUs. Timer settings on other switches have no effect.

  • Hello Time

The interval at which the Root Bridge sends periodic configuration BPDUs.

Default: 2 sec

 

  • Forward Delay

The amount of time spent in transitory Listening and Learning states.

Default: 15 sec

 

  • Max Age

Each switch port keeps a copy of the BPDU it receives. If the port loses contact with the BPDU source (no BPDU received for Max Age), the switch assumes that a Topology Change has occurred and begins the STP convergence process.

Default: 20 sec

It is recommended to let the switch derive the timers from the network diameter and Hello Time rather than setting each timer individually.

(config)#spanning-tree vlan … hello-time …

(config)#spanning-tree vlan … forward-time …

(config)#spanning-tree vlan … max-age …

(config)#spanning-tree vlan … root [primary|secondary] diameter … hello-time …

 

STP Topology Change

  • Direct Topology Change

A Direct Topology Change happens when an STP port’s status changes.

A port goes up:                                       Discarding -> Listening
A port goes down:                                     Forwarding -> Discarding
Root Port goes down and an Alternate Port is available:   Blocking -> Listening

Go to: STP Re-convergence Process

 

  • Indirect Topology Change

An Indirect Topology Change happens when BPDUs are not received for Max Age but no port status change is detected. In this case Max Age expires and another Root Port is selected.

 

  • Insignificant Topology Change

An Insignificant Topology Change happens when an access port goes down.

Go to: STP Re-convergence Process

 

STP Re-convergence Process

  • The switch experiencing the STP port status change sends a TCN BPDU out its Root Port and repeats it every Hello Time until it is acknowledged.
  • The switch receiving the TCN BPDU acknowledges it in its next Configuration BPDU with the TCA flag set.
  • Other switches repeat these two steps until the TCN BPDU reaches the Root Bridge.
  • The Root Bridge sends its next Configuration BPDU with the TC flag set to all switches. This BPDU is relayed by the other switches.
  • All switches receiving the TC BPDU shorten their CAM aging time to Forward Delay.
  • If a superior BPDU is received on another Blocking port, that port goes through the Listening, Learning and Forwarding states in turn.
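The two halves of the re-convergence exchange (TCN travelling up the Root Ports with a TCA acknowledgement per hop, then the TC flag flooding down from the Root Bridge) can be traced on a small tree. The Python below is an added example and not the blog's code; the four-switch tree, the flag bit values and the 300-second default CAM aging are constructed assumptions. Retransmission of the TCN every Hello Time is noted in a comment but not modelled.

```python
from dataclasses import dataclass, field

FLAG_TC, FLAG_TCA = 0x01, 0x80   # flag bits of a Configuration BPDU (assumed layout for this example)


@dataclass
class Switch:
    name: str
    upstream: "Switch | None" = None            # neighbour reached through the Root Port; None on the root
    downstream: list = field(default_factory=list)
    forward_delay: int = 15
    cam_aging: int = 300                         # normal CAM aging in seconds (constructed default)


def build_tree(parent_of):
    """parent_of: {child: parent}; the one name that is never a child becomes the Root Bridge."""
    nodes = {}
    for child, parent in parent_of.items():
        nodes.setdefault(child, Switch(child))
        nodes.setdefault(parent, Switch(parent))
    for child, parent in parent_of.items():
        nodes[child].upstream = nodes[parent]
        nodes[parent].downstream.append(nodes[child])
    return nodes


def topology_change(origin):
    """Run the page's re-convergence exchange from the switch that saw a port change.

    Returns (message log, root switch). Each log entry is (sender, receiver, description).
    """
    log = []
    # Phase 1: the TCN travels up the Root Ports; every hop answers with TCA in its next
    # Configuration BPDU. (Real STP repeats the TCN every Hello Time until the TCA arrives.)
    cur = origin
    while cur.upstream is not None:
        log.append((cur.name, cur.upstream.name, "TCN BPDU"))
        log.append((cur.upstream.name, cur.name, f"Config BPDU flags=0x{FLAG_TCA:02x} (TCA)"))
        cur = cur.upstream
    root = cur
    # Phase 2: the Root Bridge sets TC in its Configuration BPDUs; each switch relays it
    # downstream and shortens its CAM aging time to Forward Delay.
    pending = [root]
    while pending:
        sw = pending.pop(0)
        sw.cam_aging = sw.forward_delay
        for child in sw.downstream:
            log.append((sw.name, child.name, f"Config BPDU flags=0x{FLAG_TC:02x} (TC)"))
            pending.append(child)
    return log, root


# Constructed tree: SW1 is the Root Bridge, SW3 hangs off SW2, SW4 hangs off SW1.
TREE = build_tree({"SW2": "SW1", "SW3": "SW2", "SW4": "SW1"})

if __name__ == "__main__":
    messages, root = topology_change(TREE["SW3"])
    for sender, receiver, what in messages:
        print(f"{sender} -> {receiver}: {what}")
    print({name: sw.cam_aging for name, sw in TREE.items()})
```

A practical consequence shown by the log: a flapping access port with Portfast disabled causes every switch in the tree to flush learned MACs after Forward Delay, so repeated TC messages in the log are worth alerting on.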

 

Optimizing STP Re-convergence

Portfast

Portfast allows a switch to place a port in Forwarding state immediately without passing through Listening and Learning states when the port goes up.

Portfast ports do not send TCN BPDUs toward the Root Bridge when they go up/down.

Appropriate for connection to workstations/servers at access layer switches/ports.

BPDUs are not expected on Portfast ports, but if received it returns to its normal STP behavior. So STP is still running on Portfast ports.

Portfast can be configured both globally and per interface. If it is configured globally, it takes effect on all access ports.

Portfast is disabled on trunk ports by default, but in special cases, for example when a trunk port is connected to a server such as a VMware host, the switch can be forced to enable Portfast on that particular trunk link.

(config)#spanning-tree portfast default

(config-if)#spanning-tree portfast

(config-if)#spanning-tree portfast trunk

 

Uplinkfast

Uplinkfast allows a switch to place the Alternate/Blocking port into Root/Forwarding state immediately without passing through Listening and Learning states when the Root Port goes down.

When the Root Port goes down and the Alternate Port comes up immediately, CAM tables elsewhere must be updated. The switch generates spoofed multicast frames with the source MAC addresses of all hosts in its CAM table in order to update the CAM tables of the other switches in the network.

Uplinkfast feature should only be enabled on leaf nodes in STP topology. In other words, switches with Uplinkfast feature enabled should never be Root Bridge or a transit switch.

Uplinkfast increases the Bridge Priority to 49152 to make the switch unlikely to become the root.

Uplinkfast increases the switch port cost by 3000 to make the switch unlikely to become a transit switch in STP topology.

Uplinkfast is only recommended on access-layer switches that have Alternate/Blocking ports.

Uplinkfast is configured globally.

(config)#spanning-tree uplinkfast

 

Backbonefast

Backbonefast allows a switch to detect an indirect link failure immediately instead of waiting for the Max Age timer, so switches can start the STP re-convergence process more quickly.

Backbonefast can shorten the re-convergence process by up to Max Age seconds.

If an inferior BPDU is received, it is a signal that an indirect link failure has occurred.

If an inferior BPDU is received on the Root Port and the switch has no port in Alternate/Blocking state, the switch recognizes that it has lost connectivity to the Root Bridge and immediately expires the Max Age timer.

If an inferior BPDU is received on a port in Alternate/Blocking state the switch utilizes a Root Link Query (RLQ) protocol (RLQ Request/Response). …

Backbonefast should be configured globally on all switches in the network.

(config)#spanning-tree backbonefast

 

Protecting STP Topology

BPDU Filter

If configured per interface:

  • BPDU Filter filters BPDUs in both directions (Not sending out BPDU/Not processing BPDUs if received).

If configured globally in conjunction with Portfast:

  • BPDU Filter only filters BPDUs in outbound direction.
  • BPDUs are not sent out on ports configured as Portfast, but because the Portfast mechanism needs to hear BPDUs, inbound BPDUs are not filtered. Remember that Portfast listens for BPDUs: if a BPDU is received on a Portfast port, it returns to normal STP behavior.

BPDU Filter can be both configured globally and per interface:

(config)#spanning-tree portfast bpdufilter default

Or

(config-if)#spanning-tree bpdufilter enable

BPDU Filter is only recommended at access layer/edge ports.

 

BPDU Guard

If BPDU is received on a port with BPDU Guard feature enabled, the switch will immediately put that port in err-disabled status.

BPDU Guard can be both configured globally in conjunction with Portfast and per interface:

(config)#spanning-tree portfast bpduguard default

Or

(config-if)#spanning-tree bpduguard enable

BPDU Guard is only recommended at access layer/edge ports.

 

Root Guard

You know that downstream ports on distribution switch toward access switches and downstream ports on core switches toward distribution switches should not become Root Ports. You also know that access ports should not become Root Ports.

Root Guard prevents a port from becoming the Root Port on a particular switch.

If a superior BPDU is received on a Root Guard enabled port, the switch immediately places the port in Root-Inconsistent state until it stops receiving superior BPDUs.

Root Guard can be configured only per interface:

(config-if)#spanning-tree guard root

Although it can be configured on access ports it’s more common to configure BPDU Guard or BPDU filter on access ports.

 

Loop Guard

A unidirectional link failure may lead to switching loops when the Rx circuit of an Alternate/Blocking port is cut but its Tx circuit still works.

Loop Guard keeps track of BPDUs on non-designated ports (Root Ports and Alternate Ports). If BPDUs go missing on an Alternate/Blocking port, the switch puts the port in Loop-Inconsistent (Blocking) state.

Loop Guard recovers automatically if BPDUs are received again.

Loop Guard is configured per port but works per VLAN!

Loop Guard can be configured both globally and per interface:

(config)#spanning-tree loopguard default

Or

(config-if)#spanning-tree guard loop

 

UDLD

UDLD verifies that a link is bidirectional using special layer 2 frames.

Both ends of a link must be configured for UDLD to work; if it is configured on only one end, it does not take effect.

UDLD modes:

  • Normal

The unidirectional link continues to operate.

The switch generates Syslog messages.

 

  • Aggressive

The switch places the unidirectional port in err-disabled state.

UDLD sends Echo frames every 15 seconds by default and declares a link unidirectional after not hearing Echo frames for 3 intervals.

Unidirectional links should be detected before STP places the affected port in Forwarding state, so:

3 * UDLD interval < Max Age + Forward Delay + Forward Delay,

3 * 15 < 15 + 20 + 20

UDLD in conjunction with EtherChannel disables just a link not the whole EtherChannel.

UDLD can be configured both globally and per interface.

(config)#udld [enable | aggressive]

Or

(config-if)#udld [enable | aggressive | disable]
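The protection features in this section all answer the same question: what does a port do when it receives a BPDU it should not, or stops receiving BPDUs it should? The Python below is an added example, not the blog's code: it models the per-interface and global forms of BPDU Filter, BPDU Guard, Root Guard and Loop Guard as described above, applies an event to a port and returns the resulting state, and adds the UDLD timer rule from the last paragraph. The port names, event names and the "listening" state used for the unguarded case are constructed for the example; the event "superior_stopped" is an assumption standing in for the moment superior BPDUs cease.

```python
from dataclasses import dataclass


@dataclass
class StpGlobals:
    """Global protection settings (the 'default' forms of the commands in this section)."""
    portfast_default: bool = False     # spanning-tree portfast default
    bpdufilter_default: bool = False   # spanning-tree portfast bpdufilter default
    bpduguard_default: bool = False    # spanning-tree portfast bpduguard default
    loopguard_default: bool = False    # spanning-tree loopguard default


@dataclass
class Port:
    name: str
    role: str                     # "designated", "root" or "alternate"
    access: bool = True           # global Portfast applies to access ports only
    portfast: bool = False        # spanning-tree portfast
    bpdufilter: bool = False      # spanning-tree bpdufilter enable (per interface)
    bpduguard: bool = False       # spanning-tree bpduguard enable
    rootguard: bool = False       # spanning-tree guard root
    loopguard: bool = False       # spanning-tree guard loop
    state: str = "forwarding"
    portfast_lost: bool = False   # set once a Portfast port has heard a BPDU
    prior_state: str = "forwarding"


def is_portfast(port, g):
    return not port.portfast_lost and (port.portfast or (g.portfast_default and port.access))


def on_event(port, g, event):
    """Apply one event to a port and return its resulting state.

    event: "bpdu"             an ordinary BPDU arrives
           "superior_bpdu"    a BPDU claiming a better root arrives
           "superior_stopped" superior BPDUs are no longer seen
           "bpdu_timeout"     nothing received for Max Age
    """
    if event in ("bpdu", "superior_bpdu"):
        # Per-interface BPDU Filter drops BPDUs in both directions: the port never reacts.
        if port.bpdufilter:
            return port.state
        # Global BPDU Filter (with Portfast) only suppresses outbound BPDUs; inbound ones
        # are still processed below.
        # BPDU Guard, per interface or globally on Portfast ports: any BPDU err-disables the port.
        if port.bpduguard or (g.bpduguard_default and is_portfast(port, g)):
            port.state = "err-disabled"
            return port.state
        # A Portfast port that hears a BPDU returns to normal STP behaviour.
        if is_portfast(port, g):
            port.portfast_lost = True
        if event == "superior_bpdu" and port.rootguard:
            if port.state != "root-inconsistent":
                port.prior_state = port.state
            port.state = "root-inconsistent"
            return port.state
        if port.state == "loop-inconsistent":       # Loop Guard recovers once BPDUs return
            port.state = port.prior_state
        return port.state
    if event == "superior_stopped":
        if port.state == "root-inconsistent":
            port.state = port.prior_state
        return port.state
    if event == "bpdu_timeout":
        if (port.loopguard or g.loopguard_default) and port.role in ("root", "alternate"):
            port.prior_state = port.state
            port.state = "loop-inconsistent"
            return port.state
        # Without Loop Guard a blocking port whose BPDUs vanish ages out its stored BPDU and
        # starts the Listening -> Learning -> Forwarding walk: the unidirectional-link loop risk.
        if port.role == "alternate":
            port.state = "listening"
        return port.state
    raise ValueError(f"unknown event {event!r}")


def udld_detects_in_time(interval=15, max_age=20, forward_delay=15):
    """The page's sizing rule: 3 * UDLD interval < Max Age + Forward Delay + Forward Delay."""
    return 3 * interval < max_age + 2 * forward_delay


if __name__ == "__main__":
    g = StpGlobals(portfast_default=True, bpduguard_default=True)
    edge = Port("Gi0/1", "designated")            # access port: Portfast + BPDU Guard via the globals
    print(edge.name, on_event(edge, g, "bpdu"))    # err-disabled
    print("UDLD defaults in time:", udld_detects_in_time())
```

The ordering inside on_event is the point: a per-interface filter hides the BPDU from every other check, BPDU Guard fires before Root Guard gets a look, and Loop Guard only ever acts on non-designated ports.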

 

STP Optimization and Protection Big Picture

[Figure: STP optimization and protection big picture]

RSTP

Rapid Spanning Tree Protocol (RSTP) – 802.1w – converges much faster than STP.

RSTP is backward compatible with STP.

In RSTP, BPDUs are originated by every switch individually, whereas in STP only the Root Bridge originates them and the other switches relay them.

RSTP Port States

  • Disabled
  • Discarding
  • Learning
  • Forwarding

RSTP Port Roles

  • Root Port
  • Alternate Port

An Alternate Port has a less desirable alternate path to the Root Bridge. In other words, an Alternate Port receives BPDUs that are inferior to those received on the Root Port.

If a switch stops receiving BPDUs on its Root Port, it chooses the best Alternate Port as the new Root Port (similar to Uplinkfast).

  • Designated Port
  • Backup Port

A Backup Port provides a less desirable redundant path to a segment. In other words, it is one of two or more ports on the same switch connected to the same segment (attached to a hub).

If the Designated/Forwarding port on a segment fails, RSTP immediately places the Backup Port in Forwarding state (?!).

RSTP Timers

  • Max Age: 6 Sec

RSTP Link/Port Types

  • Point-to-Point

Full duplex ports if connected to another switch are considered Point-to-Point links by default.

RSTP runs only on Point-to-Point Non-Edge links.

  • Shared

Half duplex ports are considered Shared links by default.

Legacy STP runs on Shared links.

  • Edge

Legacy STP runs on Edge ports that are connected to a single host unless they are configured as Portfast.

RSTP Process

Non-Edge ports begin in discarding state.

Switches exchange Proposal/Agreement to decide about port states.

If a superior BPDU is received on a port, that port is selected as Root Port. All non-Edge ports go to discarding state.

For any non-Edge discarding port a proposal is sent.

RSTP Topology Change

Only when a non-Edge port goes to Forwarding state …

No Uplinkfast/Backbonefast configuration is needed.

Configuration:

 

STP and VLANs (CST, PVST+, MST)

CST

Using 802.1q only one instance of STP is formed for all VLANs. This instance is called Common Spanning Tree (CST).

Although Cisco implementation of 802.1q supports PVST+, 802.1q does not support PVST+ natively. Therefore, when using non-Cisco switches only 1 STP instance is formed for native VLAN (VLAN 1) and is used for all VLANs.

 

PVST+

Cisco proprietary PVST+ forms one instance of STP for each active VLAN.

 

MST

MST (802.1s) maps one or more VLANs to an MST instance.

MST has less overhead in comparison with PVST+ especially when the number of VLANs is very high.

MST Regions Parameters:

  • MST Name (32 char)
  • MST Revision Number (0~65535)
  • MST Instance (0~15) to VLAN Mapping

If two switches have the same parameters, they belong to the same MST region.

Re-convergence in one region does not impact other regions.

The entire MST mapping is not sent in BPDUs but a digest is sent.

MST mapping and other parameters should be configured identically on all switches manually.

MST mapping is advertised by VTP V3. Not supported by major IOS switches.

16 MST instances (0~15) can be configured in each region.

MST instance 0 is the default instance and called IST. When mapping is not configured, all VLANs are mapped to MST 0 by default.

MST runs RSTP in background.

MST is interoperable with CST and PVST+.

When MST regions meet CST/PVST+ sub-network, IST presents the entire MST region as a single virtual bridge to CST/PVST+.

BPDUs are exchanged on the native VLAN at region boundary.
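Region membership follows from the three parameters listed above, and the page notes that the VLAN-to-instance mapping itself is never sent, only a digest of it. The Python below is an added example, not the blog's code: it expands "instance … vlan …" statements into the full 4096-entry table, validates the 0~15 instance range, the 32-character name and the 16-bit revision, and compares two switches' configuration identifiers to decide whether they share a region. SHA-256 is used as a stand-in for the fixed-key HMAC-MD5 digest that 802.1s specifies (an assumption for the example); the switch configurations are constructed.

```python
import hashlib
import struct

MAX_INSTANCES = 16   # instances 0~15 per region; instance 0 is the IST


def mst_config_table(instance_to_vlans):
    """Expand {instance: [vlans]} into the 4096-entry VLAN -> instance table.

    VLANs not mapped explicitly stay in instance 0 (the IST), matching the default on the page.
    """
    table = [0] * 4096
    seen = {}
    for inst, vlans in instance_to_vlans.items():
        if not 0 <= inst < MAX_INSTANCES:
            raise ValueError(f"instance {inst} outside 0~15")
        for v in vlans:
            if not 1 <= v <= 4094:
                raise ValueError(f"VLAN {v} out of range")
            if v in seen and seen[v] != inst:
                raise ValueError(f"VLAN {v} mapped to both instance {seen[v]} and {inst}")
            seen[v] = inst
            table[v] = inst
    return table


def mst_config_id(name, revision, instance_to_vlans):
    """Configuration identifier carried in MST BPDUs: (name, revision, digest of the mapping table).

    Assumption: SHA-256 over the packed table stands in for the HMAC-MD5 digest 802.1s uses.
    """
    if len(name) > 32:
        raise ValueError("MST name is at most 32 characters")
    if not 0 <= revision <= 65535:
        raise ValueError("revision is a 16-bit number (0~65535)")
    table = mst_config_table(instance_to_vlans)
    digest = hashlib.sha256(struct.pack("!4096H", *table)).hexdigest()
    return (name, revision, digest)


def same_region(cfg_a, cfg_b):
    """Two switches are in the same region when all three identifier parts match."""
    return mst_config_id(*cfg_a) == mst_config_id(*cfg_b)


# Constructed switch configurations: (name, revision, {instance: [vlans]}).
SW_A = ("CORE", 1, {1: [10, 20], 2: [30]})
SW_B = ("CORE", 1, {2: [30], 1: [20, 10]})   # same mapping typed in a different order
SW_C = ("CORE", 2, {1: [10, 20], 2: [30]})   # revision bumped on one switch only
SW_D = ("CORE", 1, {1: [10, 20, 30]})        # VLAN 30 moved to instance 1

if __name__ == "__main__":
    for label, other in (("B", SW_B), ("C", SW_C), ("D", SW_D)):
        print(f"A and {label} share a region: {same_region(SW_A, other)}")
```

Because only the digest travels in the BPDU, a switch whose operator forgot to bump the revision (or bumped it alone, like SW_C) silently forms its own region; comparing the full identifier triple during change review catches that before it splits the topology.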

Configuration:

(config)#spanning-tree mode mst

(config)#spanning-tree mst configuration
(config-mst)#name …
(config-mst)#revision …
(config-mst)#instance … vlan …

(config)#spanning-tree mst … priority | root [primary | secondary] diameter | hello-time | forward-time | max-age

(config)#spanning-tree mst … [cost | port-priority]
