L2 technologies – Spanning-Tree Protocol

Here is one good topic.

I’m going to have a look only at rapid-PVST+.

The standard spanning-tree isn’t really used any more in Cisco networks.

L2 technologies – Spanning-Tree Protocol – Physical network diagram

[Figure: L2 technologies – Spanning-Tree Protocol – physical network diagram]

L2 technologies – Spanning-Tree Protocol – configuration:

Let’s first make sure that rapid-PVST+ is enabled on all switches.

SW10(config)#spanning-tree mode rapid-pvst

L2 technologies – Spanning-Tree Protocol – STP Root Bridge Election:

Looking at our network, we want to make sure that SW10 is the root bridge for all the VLANs.

In case of failure, SW11 should become the root bridge.

I always configure the root bridge explicitly, in order to make sure that the election works as expected.

SW10(config)#spanning-tree vlan 1-4094 priority 0

SW11(config)#spanning-tree vlan 1-4094 priority 4096

Let’s make sure that SW10 is the root bridge for all the VLANs.

SW10#sh spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001             1 aabb.cc00.0400         0    2   20  15
VLAN0010            10 aabb.cc00.0400         0    2   20  15
VLAN0011            11 aabb.cc00.0400         0    2   20  15
VLAN0012            12 aabb.cc00.0400         0    2   20  15
VLAN1500          1500 aabb.cc00.0400         0    2   20  15

Now we can check the status of the interfaces on all switches.

Here is the spanning-tree status of our interfaces.

[Figure: spanning-tree status of the interfaces on each switch]

STP Path Selection with Port Cost – Path Selection with Port Cost:

So let’s say we want SW12 to go over SW11 instead of directly to SW10.

We can manipulate the root interface cost to make it higher than that of the alternate interface.

On SW12, we increase the cost of the root interface to 500.

Current spanning-tree situation:

SW12#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    1
             Address     aabb.cc00.0400
             Cost        100
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    Shr
Et0/1               Altn BLK 100       128.2    Shr

When we increase the Et0/0 cost:

SW12(config)#int Et0/0
SW12(config-if)#spanning-tree cost 500

SW12#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    1
             Address     aabb.cc00.0400
             Cost        156
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Altn BLK 500       128.1    Shr
Et0/1               Root FWD 100       128.2    Shr

The interface to the root bridge has now changed to Et0/1. The root path cost is now 156: 100 for the link to SW11 plus SW11’s own cost of 56 over the port-channel to SW10.

The spanning-tree path cost default value is derived from the media speed of an interface.

STP Path Selection with Port Cost – STP Path Selection with Port Priority:

Another way to select the STP path is to play with port priority.

Currently SW14 goes through SW11 to reach the root bridge SW10.

Because the link between SW10 and SW11 is a port-channel with a cost of 56, we give it the same cost as a normal link (100) for this example.

I also set the priority on SW11 back to the default.

Let’s make SW14 go over SW13.

For this, on SW13, we change the port priority of the interface facing SW14.

Well, in fact this doesn’t work…

This is because of the root port selection sequence:

– Selects the lowest root bridge ID

– Selects the lowest path cost to the root switch

– Selects the lowest designated bridge ID

– Selects the lowest designated path cost

– Selects the lowest port ID

So in our case, the tiebreaker will always be the lowest designated bridge ID.

Path selection with port-priority only works when both links connect to the same switch.

If you search Google, every example shows two switches connected together with 2 or more links.

Let’s have a closer look.
So I have changed the port-priority to 64 on the SW13 interface to SW14.
Still, the root port on SW14 is the interface to SW11.

SW14#sh spanning-tree vlan 1 det
Port 1 (Ethernet0/0) of VLAN0001 is root forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 1, address aabb.cc00.0400
   Designated bridge has priority 32769, address aabb.cc00.0500
   Designated port id is 128.6, designated path cost 100
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   Link type is shared by default
   BPDU: sent 24, received 186

 Port 2 (Ethernet0/1) of VLAN0001 is alternate blocking
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 1, address aabb.cc00.0400
   Designated bridge has priority 32769, address aabb.cc00.0700
   Designated port id is 64.2, designated path cost 100
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 3
   Link type is shared by default
   BPDU: sent 40, received 327

So for both interfaces, the lowest root bridge ID is the same.

The lowest path cost to the root bridge is the same.

The lowest designated bridge ID is different because it includes the MAC address, which is unique. In our case the MAC address of SW11 (aabb.cc00.0500) is lower than the one of SW13 (aabb.cc00.0700).

If I change the priority on SW13, then the root port changes, but our tiebreaker is still the lowest designated bridge ID and not the port-priority.

SW13(config)#spanning-tree vlan 1-4094 priority 28672

Port 1 (Ethernet0/0) of VLAN0001 is alternate blocking
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 1, address aabb.cc00.0400
   Designated bridge has priority 32769, address aabb.cc00.0500
   Designated port id is 128.6, designated path cost 100
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   Link type is shared by default
   BPDU: sent 38, received 427

 Port 2 (Ethernet0/1) of VLAN0001 is root forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 1, address aabb.cc00.0400
   Designated bridge has priority 28673, address aabb.cc00.0700
   Designated port id is 64.2, designated path cost 100
   Timers: message age 16, forward delay 0, hold 0
   Number of transitions to forwarding state: 4
   Link type is shared by default
   BPDU: sent 46, received 567
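Since the root port selection sequence above is the whole story behind both the port-cost change on SW12 and the failed port-priority attempt on SW13/SW14, here is that comparison written out in Python. This is an added example, not code from the original post: it feeds the bridge IDs, costs and port IDs shown in the outputs above into the ordered comparison and reports which field decided. The designated port IDs that SW10 sends to SW12 are not shown on the page and are assumed, and the final parallel-links case is constructed to show the one situation where port-priority does decide.

```python
"""Root port selection in rapid-PVST+ as a priority-vector comparison.

Added example (not from the original post). Each candidate root port is ranked by
the vector the standard compares, in this order:
  root bridge ID, root path cost, designated bridge ID, designated port ID, receiving port ID
and the lowest vector wins, which is exactly the sequence listed in the post.
"""
from dataclasses import dataclass
from typing import List, Tuple

PortId = Tuple[int, int]  # (priority, port number), e.g. (128, 1) for "128.1"


@dataclass(frozen=True)
class BridgeId:
    priority: int  # as printed by "show spanning-tree": priority + sys-id-ext (VLAN id)
    mac: str       # e.g. "aabb.cc00.0400"

    def key(self) -> Tuple[int, int]:
        # Bridge IDs compare on priority first, then on the MAC address as a number.
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class CandidatePort:
    """What 'show spanning-tree detail' reports for one port and the BPDU it receives."""
    name: str
    root: BridgeId
    designated_path_cost: int      # root path cost advertised by the neighbour
    designated_bridge: BridgeId    # the neighbour sending the BPDU
    designated_port_id: PortId     # the neighbour's port (its port-priority lives here)
    port_path_cost: int            # this port's own cost ("spanning-tree cost")
    port_id: PortId                # this port's own (priority, number)

    def vector(self):
        return (self.root.key(),
                self.designated_path_cost + self.port_path_cost,
                self.designated_bridge.key(),
                self.designated_port_id,
                self.port_id)


FIELDS = ("root bridge ID", "root path cost", "designated bridge ID",
          "designated port ID", "receiving port ID")


def decide(ports: List[CandidatePort]) -> Tuple[str, int, str]:
    """Return (root port name, its root path cost, the field that broke the tie)."""
    ranked = sorted(ports, key=lambda p: p.vector())
    best, runner_up = ranked[0].vector(), ranked[1].vector()
    field = next((n for n, x, y in zip(FIELDS, best, runner_up) if x != y), "none")
    return ranked[0].name, best[1], field


# Bridge IDs taken from the outputs in the post (VLAN 1, so sys-id-ext = 1).
SW10 = BridgeId(1, "aabb.cc00.0400")       # root: priority 0 + 1
SW11 = BridgeId(32769, "aabb.cc00.0500")   # default priority (reset later in the post)
SW13 = BridgeId(32769, "aabb.cc00.0700")


def sw12_root_port(et00_cost: int = 100):
    """Port-cost example: Et0/0 goes straight to SW10, Et0/1 reaches it through SW11,
    whose uplink is a port-channel of cost 56. The designated port IDs are not shown
    on the page, so (128, 1) and (128, 2) are assumed; the cost decides before them."""
    sw11_then = BridgeId(4097, SW11.mac)   # SW11 still had priority 4096 at that point
    et00 = CandidatePort("Et0/0", SW10, 0, SW10, (128, 1), et00_cost, (128, 1))
    et01 = CandidatePort("Et0/1", SW10, 56, sw11_then, (128, 2), 100, (128, 2))
    return decide([et00, et01])


def sw14_root_port(sw13_priority: int = 32769):
    """Port-priority example: Et0/0 hears SW11 (designated port 128.6), Et0/1 hears
    SW13 after 'spanning-tree port-priority 64' (designated port 64.2); both paths
    cost 100 + 100, so the designated bridge ID decides, never the port priority."""
    sw13 = BridgeId(sw13_priority, SW13.mac)
    et00 = CandidatePort("Et0/0", SW10, 100, SW11, (128, 6), 100, (128, 1))
    et01 = CandidatePort("Et0/1", SW10, 100, sw13, (64, 2), 100, (128, 2))
    return decide([et00, et01])


def parallel_links_root_port():
    """Constructed case (not on the page): two links from SW14 to the same switch
    SW11. Only now are the designated bridge IDs equal, and the neighbour's
    port-priority (designated port ID) breaks the tie."""
    link_a = CandidatePort("Et0/0", SW10, 100, SW11, (128, 6), 100, (128, 1))
    link_b = CandidatePort("Et0/1", SW10, 100, SW11, (64, 7), 100, (128, 2))
    return decide([link_a, link_b])


if __name__ == "__main__":
    print("SW12 default cost :", sw12_root_port())        # Et0/0, cost 100
    print("SW12 cost 500     :", sw12_root_port(500))     # Et0/1, cost 156
    print("SW14 default      :", sw14_root_port())        # Et0/0 via SW11
    print("SW14, SW13 @ 28673:", sw14_root_port(28673))   # Et0/1 via SW13
    print("parallel links    :", parallel_links_root_port())
```

The third value returned by `decide` is the useful one when troubleshooting: for SW14 it comes back as "designated bridge ID" whatever the port-priority on SW13 is, and only the parallel-links case reaches "designated port ID".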

L2 technologies – Spanning-Tree Protocol – Optional STP Features:

First, UplinkFast and BackboneFast are disabled in rapid-PVST+. You can still configure them, but they will remain disabled until you switch back to PVST+.

In today’s networks they are unnecessary.

Optional STP Features  – PortFast:

When PortFast is configured under an interface, it moves directly to the spanning-tree forwarding state without waiting for the standard forward-delay timer.

This is usually configured on interfaces to end hosts.

Note that if you have a trunk link, to an ESX host for example, you can enable PortFast on it too.

SW13(config-if)#spanning-tree portfast

SW13(config-if)#spanning-tree portfast trunk

You always get a warning when you use this command.

Optional STP Features  – BPDU Guard:

Cisco definition:

“When you enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree continues to run on the ports. They remain up unless they receive a BPDU.

You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature.”

Here is what happens when a BPDU is received on an interface where PortFast is enabled.

Let’s change the config on the SW14 interface to SW13.

SW14(config)#int Eth 0/1
SW14(config-if)#shut
SW14(config-if)#spanning-tree portfast trunk

SW14(config)#spanning-tree portfast bpduguard default
SW14(config)#int eth 0/1
SW14(config-if)#no shut

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Ethernet0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state

SW14(config-if)#do sh int Ethernet0/1
Ethernet0/1 is down, line protocol is down (err-disabled)

I use this feature to prevent someone in the office from plugging a switch in at their desk to connect more devices than they are allowed.

The interface is shut down and they have to call to get their connection back…

Optional STP Features  – BPDU Filter:

Cisco definition:

“When you enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs.

If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature.”

Let’s try it again on the interface between SW14 and SW13.

This time we use the interface-level command.

SW14(config)#int eth 0/1
SW14(config-if)#spanning-tree bpdufilter enable

After reloading the switch, we should see that the BPDU counters are no longer increasing.

Port 2 (Ethernet0/1) of VLAN0001 is designated forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.2.
   Designated root has priority 1, address aabb.cc00.0400
   Designated bridge has priority 32769, address aabb.cc00.0800
   Designated port id is 128.2, designated path cost 200
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is shared by default
   Bpdu filter is enabled
   BPDU: sent 0, received 0

So no BPDUs are sent or received on this interface, while on the other interface the counter is already at 26.

If we shut down the interface to SW11, the switch is isolated and becomes root. This is the risk of BPDU filter: with the BPDUs gone, the interface keeps forwarding no matter what is connected behind it, so spanning-tree can no longer detect a loop through that port.

SW14(config-if)#do sh spann
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     aabb.cc00.0800
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0800
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/1               Desg FWD 100       128.2    Shr

Optional STP Features  –  Root Guard:

Root guard prevents a switch on the far side of the port from becoming root in the switched network: when a superior BPDU arrives, the port is put in the root-inconsistent blocking state.

If we take our diagram, we will have to configure root guard on the following ports.

[Figure: L2 technologies – Spanning-tree protocol – root guard ports]

To test it, I change the priority of SW10 to 4096 and SW11 to 8192.

SW10(config-if)#int range  Eth 1/1 , Eth 1/0
SW10(config-if-range)#spanning-tree guard root
%SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/1

I do the same on all the relevant interfaces.

Now what happens if we configure a lower priority on SW13?

The port gets blocked.

SW13(config)#spanning-tree vlan 1-4094 prio 0

SW10 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/1 on VLAN0001.

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     aabb.cc00.0400
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
             Address     aabb.cc00.0400
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et1/0               Desg FWD 100       128.5    Shr
Et1/1               Desg BKN*100       128.6    Shr *ROOT_Inc
Po10                Desg FWD 56        128.65   Shr
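Both BPDU guard (the `%SPANTREE-2-BLOCK_BPDUGUARD` / `%PM-4-ERR_DISABLE` pair seen earlier) and root guard (the `%SPANTREE-2-ROOTGUARD_BLOCK` message just above) only pay off if someone notices when they fire. The following Python script is an added example rather than anything from the post: it parses those messages out of collected switch syslog, normalises the two spellings IOS uses for the same port, and reports which ports tripped and why. The message bodies are the ones shown in the post; the "timestamp host sequence:" prefix is an assumed collector format, and the sample log is constructed, not captured from the lab.

```python
"""Spot BPDU guard and root guard events in collected switch syslog.

Added example, not from the original post. The message bodies are the ones the
post shows; the "timestamp host seq:" prefix is an assumed syslog-collector format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not captured from the lab).
SAMPLE_LOG = """\
Mar  3 09:12:01 SW14 45: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Ethernet0/1 with BPDU Guard enabled. Disabling port.
Mar  3 09:12:01 SW14 46: %PM-4-ERR_DISABLE: bpduguard error detected on Et0/1, putting Et0/1 in err-disable state
Mar  3 09:12:05 SW10 88: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet1/1
Mar  3 09:15:30 SW10 89: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/1 on VLAN0001.
Mar  3 09:15:30 SW10 90: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet1/1 on VLAN0010.
Mar  3 09:16:00 SW10 91: %SYS-5-CONFIG_I: Configured from console by console
"""

# Assumed collector prefix: "Mon dd hh:mm:ss HOST seq: %MESSAGE"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: (?P<msg>%.*)$")

# One pattern per message we care about; ROOTGUARD_CONFIG_CHANGE is informational and ignored.
PATTERNS = {
    "bpduguard_block": re.compile(
        r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled"),
    "err_disable": re.compile(
        r"%PM-4-ERR_DISABLE: (?P<cause>\w+) error detected on (?P<port>\S+),"),
    "rootguard_block": re.compile(
        r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)"),
}


@dataclass(frozen=True)
class GuardEvent:
    ts: str
    host: str
    kind: str
    port: str
    vlan: Optional[str] = None
    cause: Optional[str] = None


def short_port(name: str) -> str:
    """IOS prints 'Ethernet0/1' in one message and 'Et0/1' in the next; normalise."""
    return re.sub(r"^Ethernet", "Et", name)


def parse_events(text: str) -> List[GuardEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                g = hit.groupdict()
                events.append(GuardEvent(m["ts"], m["host"], kind, short_port(g["port"]),
                                         g.get("vlan"), g.get("cause")))
                break
    return events


def guard_hits(events: List[GuardEvent]) -> List[Tuple[str, str, str]]:
    """Distinct (host, port, kind) where a BPDU arrived on a port that must not see one."""
    return sorted({(e.host, e.port, e.kind) for e in events
                   if e.kind in ("bpduguard_block", "rootguard_block")})


def err_disabled_ports(events: List[GuardEvent]) -> Dict[Tuple[str, str], str]:
    """Ports that need a 'shut / no shut' (or errdisable recovery) and the recorded cause."""
    return {(e.host, e.port): e.cause for e in events if e.kind == "err_disable"}


def rootguard_vlans(events: List[GuardEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Root guard blocks per VLAN: a rogue root shows up once per VLAN it claims."""
    out: Dict[Tuple[str, str], set] = {}
    for e in events:
        if e.kind == "rootguard_block":
            out.setdefault((e.host, e.port), set()).add(e.vlan)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in guard_hits(evs):
        print("ALERT", *hit)
    print("err-disabled:", err_disabled_ports(evs))
    print("root guard blocks:", rootguard_vlans(evs))
```

The split into three reports mirrors what each message means: a BPDU guard trip leaves the port err-disabled and needs a hands-on fix, while a root guard block clears by itself once the superior BPDUs stop, so the per-VLAN list is what tells you how widely the unexpected root was advertised.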

One last thing about the spanning-tree timers: they can be changed to improve convergence, but I do not recommend changing them when using rapid-PVST+.

That’s all for spanning-tree.

In the next post I will have a look at MSTP.

Thank you for reading.

Have a look at my previous L2 technologies posts.

L2 technologies – VLANs & Trunking configuration

L2 technologies – VTP

L2 technologies – Etherchannel