CBT IT Certification Training


Spanning Tree Protocol Explained

What is STP? Spanning Tree Protocol (STP) is enabled by default on Cisco switches. Because it works so well, it is disregarded by many network engineers who regret doing so when faced with an STP issue, which will quickly bring down even enterprise-level networks. Cisco expects you to have a good grasp of STP and RSTP (Rapid STP) for the exam, including how they operate, how to tweak the configurations, and how to troubleshoot common issues.

You will configure advanced STP in the Cisco CCNP ENCOR course.


Contents
What is STP – Spanning Tree Protocol?
Port States in STP
First State – Blocking
Second State – Listening
Third State – Learning
Fourth State – Forwarding
Fifth State – Disabled
What is STP Convergence?
Elect One Root Bridge
Elect Root Ports
Elect Designated Ports
Mini-lab – STP Operations
STP Timers
Cisco’s Enhancements to STP
PortFast
UplinkFast
Mini-lab – Configuring UplinkFast
BackboneFast
STP Security
BPDU Guard
Mini-lab – Configuring BPDU Guard
BPDU Filter
Root Guard
Rapid Spanning Tree Protocol
RSTP Link Types
RSTP Port Roles
RSTP Port States
Per-VLAN STP and per-VLAN Rapid STP
Mini-lab – Configuring PVRST+
Load Balancing Using RSTP/STP
End of Chapter Questions
Root Bridge Challenge
Chapter 11 Labs
Lab 1: Spanning Tree Protocol
Lab Exercise
Purpose
Lab Objectives
Lab Walk-through
Running Configuration

What is STP – Spanning Tree Protocol?

Imagine for a moment that you drive a delivery truck in a large city. There is a large network of roads for you to choose from, and you know the name of the building you need to reach. Your boss doesn’t permit you to use a map or satellite navigation, so you have to drive around random streets until you find your destination.

FIG 11.1 – Taking the long route

You eventually reach your destination but the journey was a nightmare, and you still have to find your way back. Having a grid of roads you can take is useful, but if they are all open, you run the risk of going around in circles. Now imagine that the next time you need to make the journey, the fastest route has been made available to you because the longer routes have been closed off.

FIG 11.2 – Longer paths shut down

This time it’s impossible to become lost. If one of the main routes was no longer available, an alternative route would be opened for you. This is a simplified explanation of how Spanning Tree Protocol works.

STP was originally created by Radia Perlman and was later standardized by IEEE 802.1D as a messaging service between switches designed to provide a loop-free topology in a layer 2 network that has multiple redundant paths. In order to achieve this, STP prevents some interfaces (referred to as ports in this context) from forwarding traffic.

In theory, the remaining ports will all forward traffic in a loop-free network. STP works so well, in fact, that its importance is often forgotten, and many network engineers find it very difficult to troubleshoot (because they don’t understand it). When I was working at Cisco TAC, we would regularly have to assist even CCIEs who were struggling to configure or troubleshoot STP issues in their network. Cisco has written an STP guide if you want to read it.

Figure 11.3 below shows a full-mesh network, a good redundant setup where, if one link fails, there are two more links for traffic to go through. However, could this lead to any problems? Let’s say a host is connected to port fa0/1 on Switch A (MAC address AAA), and this switch sends a broadcast out to the network advertising this MAC. Of course, this is the desired behavior because we need the switched network to build a map of which MAC addresses are connected to which interfaces.

FIG 11.3 – Beginning of a switching loop

Switch A has to forward this frame out of every port except fa0/1. Part of what happens next is shown below:

  • Switch B receives the packet on fa0/10 and sends it out on every port except that one;
  • Switch D receives the packet on fa0/10 and sends it out on every port except that one, but including fa0/11; and
  • Switch A receives the packet on fa0/11 and sends it out on every port except fa0/11, but including fa0/1 and fa0/10.

As a result, not only has the original source received the frame back, but now Switch A has to send the packet back out of fa0/10 also. Soon enough, all ports are advertising the fact that they can reach host AAA. The network will shortly become unusable, as demonstrated in Figure 11.4 below:

FIG 11.4 – Full switching loop

As you can see in Figure 11.4, a loop has been created. Such loops can bring a network to a grinding halt. Layer 2 LAN protocols have no method to stop traffic from endlessly traveling around, possibly carrying inaccurate information. At layer 3, you can make packets expire after a certain amount of time or after they have traveled a certain distance (using the TTL value or route poisoning, for example).

As layer 2 networks grew, it quickly became evident that a system to prevent loops was needed if LANs were to continue to function. STP allows switches to communicate with each other so they can create a loop-free topology. It does this by electing a root bridge, which becomes the logical center of the switched network. It then builds a loop-free path leading toward the root bridge. Note that the logical root switch does not have to be at the center of the network physically.

STP is enabled by default on all bridges (switches), so you can install several switches, configure VLANs, and STP will prevent loops without any further configuration. As the network administrator, however, you may want to add some of the configuration commands discussed in this section to control where your layer 2 traffic goes, for example, through a more powerful switch, or load balanced per VLAN.

In the network in Figure 11.5 below, the network hosts are not shown, but they are all connected to the access layer switches using VLANs 20 and 30. The VLAN traffic has been distributed using configuration commands so that each distribution layer switch is the root for just one VLAN. Each switch can still switch traffic for both VLANs should the primary switch for a VLAN fail.

FIG 11.5 – Correct root bridge placement

If you connected all the devices without any configuration, you might find that one of the lower-powered access layer switches becomes the root for all your layer 2 traffic, which is certainly not a desired outcome. This is illustrated in Figure 11.6 below. As a CCNA-level engineer, you will quickly be able to troubleshoot and resolve this type of issue. Although it may seem unlikely, I’ve had to deal with it on many occasions when taking over from an IT engineer who just expected to plug-and-play multiple network switches.

FIG 11.6 – Allowing STP to run automatically can lead to problems

Each bridge runs the Spanning Tree algorithm, which calculates how the loop (as seen in Figure 11.6 above) can be prevented. When STP is applied to a looped LAN topology, all VLANs remain reachable, but any ports that would create a traffic loop are blocked. STP calculates the best-cost path to reach the root bridge, puts the best-cost interfaces into forwarding state, and puts the redundant ones into blocking state.

All this is achieved by swapping Bridge Protocol Data Units (BPDUs). STP also uses BPDUs to continually monitor the network for failures on switch ports or changes in the network topology. If a change in the LAN is detected, STP can make redundant ports available and close other ports to ensure that the network continues to function loop-free. This entire process can take quite some time but improvements have been developed to speed this up, which we’ll cover shortly.

Figure 11.7 below shows a packet capture of a BPDU. There are actually two types—a Topology Change Notification (TCN) BPDU, which is used for topology changes (such as an interface going down), and a configuration BPDU, which is used for initial STP configuration. Can you tell which one is in the packet capture below?

FIG 11.7 – BPDU packet capture

Before you learn more about STP, you need to understand some of the common terms associated with it. To see some of the values on a switch, you would issue the show spanning-tree vlan [vlan#] command. As always, it would be a great idea to get access to a live switch and try these out for yourself.

Switch#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.4272.A095
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.C934.3988
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
Fa0/1            Root FWD 19        128.1    P2p

  • Root ID – This is the ID of the bridge (switch) assumed to be the root. The switch usually assumes it is the root until the BPDUs have all been exchanged between the switches. You can see the root details, including the root cost (covered later), with the show spanning-tree root command, which I recommend you try during any STP labs:

Switch#show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ----------
VLAN0001         32769 0011.9247.db00         0    2   20  15

  • Bridge ID – The BID is the unique identification number of each switch in the network. It consists of the bridge priority, the VLAN ID, and the base MAC address of the switch. In the previous show spanning-tree vlan 1 output, the BID is 32768 plus the VLAN ID (1), giving 32769, together with the MAC address 0001.C934.3988.

The default bridge priority of a Cisco switch is 32768. This is a configurable value between 0 and 61440, but the value has to be in increments of 4096 (i.e., 4096, 8192, 12288, and so on). Priority plays a very big role in STP and how well the network will function, which we will examine in detail shortly.

  • Root bridge – All switches in the network take part in an election to decide the root of the spanning tree; this then leads to them making further decisions, such as which redundant path to block and which to open. The election is won by the switch with the lowest BID. Switches that do not become a root bridge are called non-root bridges.
  • BPDU – A Bridge Protocol Data Unit contains information exchanged between switches to select a root bridge, as well as to configure the network after that. A decision on which port to block is made after examining BPDUs from neighbors. Cisco switches send BPDUs every two seconds by default. This value can be configured from one second to 10 seconds.
  • Root port – Each non-root switch must have a path to the root bridge, whether or not it is directly connected. The root port is the directly connected link or the lowest-cost path to the root bridge from a non-root bridge; it is always the port closest to the root bridge. The root bridge itself never has a root port.
  • Port cost – Each port has a cost that is determined by the bandwidth of the link. Port cost determines which of the redundant links will not be blocked. The lower the cost, the better it is. Port cost also determines which port will become the root port if multiple paths to the root bridge exist. Default port costs are shown in Table 11-1 below:

Table 11-1: STP port costs

Link Speed   STP Cost
4 Mbps       250
10 Mbps      100
16 Mbps      62
100 Mbps     19
1 Gbps       4
10 Gbps      2

It’s important that you learn the costs above for the exam so that you can look at a diagram and determine the best path. As a BPDU traverses the switched network, the cost is incremented. This is how the switch determines the least cost.

  • Designated port – The bridges on a network segment collectively determine which bridge has the least-cost path from the network segment to the root. The port connecting this bridge to the network segment is then the designated port for the segment. Ports that are not selected as a designated port are called non-designated ports. Designated ports point away from the root bridge.

Port States in STP

Switch ports (the interfaces on the switch) running STP can be in one of five states. Please ensure that you understand all of these for the CCNA exam:

  1. Blocking
  2. Listening
  3. Learning
  4. Forwarding
  5. Disabled

User data is only passed by a port in forwarding state.

First State – Blocking

None of the ports will transmit or receive any data, but they will listen to BPDUs. The BPDU carries various pieces of information that are used by STP to determine which state the ports should be in and what the STP topology should be.

Second State – Listening

The switch listens for frames but does not learn or act on them. The switch does receive the frames but discards them before any action is taken. MAC addresses are not placed into the CAM table while the port is listening.

Third State – Learning

The switch will start to learn MAC addresses it can see and will populate its CAM table with the addresses and the ports on which they were found. In this state, the switch will start to transmit its own BPDUs.

Fourth State – Forwarding

The switch has learned MAC addresses and corresponding ports and populates its CAM table with this information. The switch can now forward traffic.

Fifth State – Disabled

In disabled state, the port will receive BPDUs but will not forward them to the switch processor. Instead, it discards all incoming frames from both the port and other forwarding ports on the switch.

The port states are transitional and allow other BPDUs to arrive in good time from other switches. Port transition times are shown below, and the process from start to finish can typically take 50 seconds (15 seconds each for learning and listening and 20 seconds for the MAX age timer, which will be covered shortly):

  • Initialization to blocking
  • Blocking to listening
  • Listening to learning (15 seconds)
  • Learning to forwarding (15 seconds)
  • Forwarding to disabled (if there is a failure)

FIG 11.8 – STP port states

All ports start in the blocking state (except for a few exceptions, which will be discussed later). After STP convergence, some ports will transition to the listening, learning, and, finally, forwarding states, and the rest will remain in the blocking state. Keeping this and the time needed to transition from one state to another in mind, a layer 2 network running STP takes 50 seconds to start switching data!

What is STP Convergence?

Remember that STP works by selecting a root bridge in the LAN. It is selected by comparing the Bridge ID of each switch, and the switch with the lowest BID wins. As the network administrator, you can manually configure which switch you prefer to be the root (and secondary root). We’ll look at how to do this shortly.

STP can be considered converged after three steps have taken place (all ports will either be blocking or forwarding):

  1. Elect one root bridge (switch)
  2. Elect root ports
  3. Elect designated ports

FIG 11.9 – STP convergence

We will use the network shown in Figure 11.9 above to go through the STP convergence process. VLAN 5 has been configured and all the interfaces shown have been placed into VLAN 5.

Elect One Root Bridge

The bridge with the lowest BID becomes the root bridge. The BID used to consist of just two values in an 8-byte field—the bridge priority (32768 by default), which is two bytes, and the base MAC address of the backplane or supervisor module (depending on the switch model), which is six bytes.

Here is an extract from a show version command on a 2960 Switch. You can see the base MAC address:

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0C:BE:D4:3C:40
Motherboard assembly number: 34-7410-05

The 802.1T standard introduced an extended system ID in order to conserve MAC addresses while still allowing for a unique BID. With extended system ID enabled (VLAN 10 in this example), the bridge priority is set to either 4096 as a minimum or a multiple of 4096, depending on which bridge priority bits are set. The default priority of 32768 is a multiple of 4096. Figure 11.10 below shows the old BID format and the new one below that:

FIG 11.10 – Bridge ID format

The output below is from a 3550 Switch. The command below won’t work on Packet Tracer:

Switch#show spanning-tree vlan 10 bridge

                                                   Hello  Max  Fwd
Vlan                         Bridge ID              Time   Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0010         4106 (4096,10) 000d.bd06.4100     2      20   15   ieee

Here you can see that the priority value is 4096, to which is added the VLAN ID of 10 and the MAC address.

The root bridge on a VLAN is selected by an election. Each switch running STP passes its BID information using BPDUs. BPDUs are multicast frames that are sent out every two seconds from every port (you can see the Hello time in the output above). This is necessary to maintain a loop-free topology. The bridge with the lowest ID is selected as the root bridge. This means that the switch with the lowest priority is elected as the root bridge. If all the switches have the same priority, then the switch with the lowest MAC address is selected as the root bridge, which in this instance is Switch A with MAC 0013.c3e8.2500.

All ports on the root bridge are set as designated ports and are always set to the forwarding state. We will discuss port roles shortly.

STP elections take place using the following order:

  • Lowest root bridge ID
  • Lowest root path cost to the root bridge
  • Lowest sender bridge ID
  • Lowest sender port ID

In the network in Figure 11.9, the priority of all the switches has been left at the default, so the switch with the lowest MAC address will be selected as the root bridge. In this case, it will be Switch A. To verify this, issue the show spanning-tree vlan [vlan#] command on Switch A:

SwitchA#show spanning-tree vlan 5

VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773   (32768 plus 5, the VLAN ID)
             Address     0013.c3e8.2500
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     0013.c3e8.2500
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/15              Desg FWD 100       128.15   P2p
Fa0/18              Desg FWD 100       128.18   P2p

Notice that there is no Cost field displayed under the Address field because this switch is the root for this VLAN. If you wanted Switch C to be the root bridge, then you would need to give it a lower priority than 32773 using either of the following commands:

Switch(config)#spanning-tree vlan 5 root primary

Switch(config)#spanning-tree vlan 5 priority 8192

The first command lets the switch set its own priority for the specified VLAN to 4096 less than the lowest spanning tree switch priority value. You can also configure the secondary root bridge on any switch you want to take over as the root bridge in case the current root bridge fails.

The second command lets you manually choose the priority. Which command you choose will depend on your network policy; however, you need to know both for the CCNA exam and beyond, so do try them both. If you added the priority 8192 command to a switch and the root primary to the second switch, then the second switch would set its priority to 4096, thus becoming the root bridge.

Let’s check the show spanning-tree output on Switch C (after you have made it the root with one of the commands above) and on Switch A. The VLAN information is added to the priority value in the output:

SwitchC#show spanning-tree vlan 5

VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    8197
             Address     0014.a93f.8380
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8197  (priority 8192 sys-id-ext 5)
             Address     0014.a93f.8380
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

SwitchA#show spanning-tree vlan 5

VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    8197
             Address     0014.a93f.8380
             Cost        100
             Port        18 (FastEthernet0/18)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     0013.c3e8.2500
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Note that Switch A now shows Switch C’s MAC address as the root bridge’s MAC address, and Switch C says that it is the root bridge. Now please set the priority value on Switch C back to 32768 and make Switch A the root bridge for the next section. Note that even though you set the priority value back to 32768, the VLAN number will be added to that value, so for VLAN 5, the priority will be 32773.

Elect Root Ports

For non-root bridges, there will be only one root port. The root port will be the port with the lowest path cost to the root bridge (i.e., the best/fastest path). The root port will be set to forwarding state.

Path cost is the cost of transmitting a frame to the root bridge. The value is set according to the bandwidth of the link on the LAN, so the slower the link, the higher the cost.

In order to determine which port should be a root port, STP runs through the decision-making process below:

  • Lowest root bridge ID
  • Lowest root path cost to the root bridge
  • Lowest sender bridge ID
  • Lowest sender port ID

The primary factor in deciding the root bridge is the root bridge ID and in deciding the root ports on the non-root bridges is the path cost, which is cumulative (i.e., each path cost is added to the frame as it traverses the network). If there is a tie in the path cost, then STP moves down the list in order to make a decision, finally coming to the sender bridge ID and the port ID.

In the network below, Switch B’s and Switch C’s fa0/15 ports will be the root ports. Switch D has two options—fa0/17 toward Switch B and fa0/20 toward Switch C. The total cost of the link on fa0/17 is 200 (10 Mbps = 100). The total cost of the link on fa0/20 is 119 (10 Mbps = 100 and 100 Mbps = 19), so fa0/20 will be the root port for Switch D and fa0/17 will be blocked. For default costs, see Table 11-1. Costs are cumulative, adding up in the BPDU cost field as the frame traverses the network.

FIG 11.11 – STP port statuses

Let’s verify Switch D’s root port using the show spanning-tree vlan [vlan#] command:

SwitchD#show spanning-tree vlan 5

VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     0013.c3e8.2500
             Cost        119
             Port        20 (FastEthernet0/20)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773  (priority 32768 sys-id-ext 5)
             Address     0018.1841.7680
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
fa0/17              Altn BLK 100       128.17   P2p
fa0/20              Root FWD 19        128.20   P2p

You can see that the cumulative cost is 119, which is the 100 Mbps link (19) plus the 10 Mbps link (100) (i.e., the interface port costs). The Prio.Nbr column shows the port priority, which defaults to 128, followed by the port number (128.20 for fa0/20). P2p indicates a point-to-point connection.

If you want to make fa0/17 on Switch D the root port instead of fa0/20, then you need to change the cost on fa0/17 so that the total cost through it is better (lower) than the current cost of 119 shown in the output above. Because Switch B’s own path cost to the root is already 100, the cost of interface fa0/17 must be less than 19. This is adjusted using the spanning-tree cost # interface-level command (or the spanning-tree vlan # cost # command, which is preferred if you want to affect only one VLAN), as shown on fa0/17 in the output below:

SwitchD(config)#int fa0/17
SwitchD(config-if)#spanning-tree vlan 5 cost 1
SwitchD(config-if)#do show spanning-tree vlan 5 – The “do” command lets you issue a show command while in config mode
[output truncated]

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- -------
fa0/17              Root LIS 1         128.17   P2p
fa0/20              Altn BLK 119       128.20   P2p

You can see that fa0/17 becomes the root port with a cost of 1 (as specified in the command) and fa0/20 goes into a blocking (BLK) state. Notice that fa0/17 is in the listening (LIS) state because it needs to transition through the listening and learning states, and the port can spend up to 15 seconds in each of these states.

Elect Designated Ports

If a switch has redundant ports connecting it to a LAN segment (another downstream switch or hub, for example), then the port with the lowest cost will be elected the designated port. Designated ports forward BPDUs onto the LAN segment and traffic to and from the LAN segment. In simple terms, the designated port becomes the only link for the LAN segment toward the rest of the network and the root bridge. By default, all ports on a root switch are designated ports. The criteria used for electing the designated port on a segment are listed in order below:

  • Lowest root bridge ID
  • Lowest root path cost to the root bridge
  • Lowest sender bridge ID
  • Lowest sender port ID

In Figure 11.11 above, the fa0/20 port on Switch C will be the designated port for the link to Switch D. This is because Switch C has the lowest cost to the root bridge. The root bridge is the same, and Switch C has a better path cost to the root bridge (100) versus Switch D’s path cost (200). (Switch D’s Fa0/17 interface has been reverted to its normal cost.) If there were multiple links, then an election would have taken place. Let’s verify this on Switch C:

SwitchC#show spanning-tree vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     0013.c3e8.2500
             Cost        100
             Port        15 (FastEthernet0/15)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773 (priority 32768 sys-id-ext 5)
             Address     0014.a93f.8380
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
fa0/15              Root FWD 100       128.15   P2p
fa0/20              Desg FWD 19        128.20   P2p

In summary, all root ports forward information to the root bridge, and designated ports send traffic away from the root bridge. Any remaining ports will be non-designated and set to the blocking state. Blocking ports listen to configuration BPDUs but do not send or forward them.

It’s worth noting that on larger networks you could have multiple switch segments separated by routers, and for each of these segments, you would have one root bridge with all ports in designated (forwarding) state and neighbor switches with one root port.

Mini-lab – STP Operations

You can put much of what you have learned so far into context with this mini-lab. First, you’ll use two switches connected with two Fast Ethernet links. You’ve already learned how to make ports access ports and put them into a VLAN, so I’ll skip these steps. All ports are in VLAN 5.

Mini-lab: STP operations

FIG 11.12 – Mini-lab: STP operations

In Figure 11.12 above, you can see that Switch B has a lower base MAC address (you must choose the switch with the lowest MAC address as your Switch B), so it would be chosen as the root bridge. The root bridge should have all ports as designated/forwarding (which is another way to tell if a switch is the root bridge, by the way).

SwitchB#show spanning-tree vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     000d.292e.1180
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773 (priority 32768 sys-id-ext 5)
             Address     000d.292e.1180
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

So far, you can see that Switch B is, in fact, the root bridge. Now check Switch A:

SwitchA#show span vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     000d.292e.1180
             Cost        19
             Port        11 (FastEthernet0/11)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773 (priority 32768 sys-id-ext 5)
             Address     0011.9247.db00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

One port is set to root and forwarding. You can see F0/12 is blocking. It’s also set to alternate (Altn), which means that it’s an alternative path between two switches. There must have been a tie as STP went down the list:

  • Lowest root bridge ID
  • Lowest root path cost to the root bridge
  • Lowest sender bridge ID
  • Lowest sender port ID

The root bridge ID would have been identical, as with the path cost and sender bridge ID. This leaves the port ID. STP would have checked the MAC address of both ports and set the lowest to forward. You can confirm this by checking the interface MAC addresses.

SwitchA#show int f0/11
FastEthernet0/11 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.9247.db0b (bia 0011.9247.db0b)

SwitchA#show int f0/12
FastEthernet0/12 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.9247.db0c (bia 0011.9247.db0c)

The MAC addresses have been allocated sequentially, and F0/11 is lower as it ends in b as opposed to c for F0/12.

I’d like you to do this lab on your own equipment. Obviously, your Switch B may not be the root because it might have a higher MAC address, so check first which one is the root, and then name it Switch B or just force it to be the root with one of the two command options you already know.

First, enable debugs for STP events, and then add timestamps on the debug messages (these commands probably won’t work on Packet Tracer):

SwitchA#debug spanning-tree events
SwitchA(config)#service timestamps debug datetime msec

Next, shut the root port on Switch A to force the timers to start:

SwitchA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchA(config)#int f0/11
SwitchA(config-if)#shut
*Mar  1 00:29:34.627: STP: VLAN0005 new root port Fa0/12, cost 19
*Mar  1 00:29:34.627: STP: VLAN0005 Fa0/12 -> listening
00:29:36: %LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down
*Mar  1 00:29:36.627: STP: VLAN0005 sent Topology Change Notice on Fa0/12
00:29:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down
SwitchA(config-if)#end
SwitchA#show span vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     000d.292e.1180
             Cost        19
             Port        12 (FastEthernet0/12)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773 (priority 32768 sys-id-ext 5)
             Address     0011.9247.db00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Fa0/12           Root LRN 19        128.12   P2p

You can see that the debug messages appear and that F0/12 has gone into the learning (LRN) state. The debug messages below show that F0/12 has moved into the forwarding state.

SwitchA#
*Mar  1 00:29:34.627: STP: VLAN0005 Fa0/12 -> learning
*Mar  1 00:30:04.627: STP: VLAN0005 Fa0/12 -> forwarding
SwitchA#show span vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     000d.292e.1180
             Cost        19
             Port        12 (FastEthernet0/12)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773 (priority 32768 sys-id-ext 5)
             Address     0011.9247.db00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Fa0/12           Root FWD 19        128.12   P2p

The total time from blocking at 00:29:34.627 to forwarding at 00:30:04.627 was 30 seconds, which is faster than the usual 50 seconds because it was a very simple topology with no switches in between.

[END OF MINI-LAB]

STP Timers

We have briefly mentioned these but it’s worth looking at STP timers separately.

Three timers monitor and age BPDUs:

  • Hello
  • Forward delay
  • Max age

Although you shouldn’t change these without advice from a Cisco TAC, I’ll demonstrate how to do this below:

  • Hello – Sent by the root bridge every two seconds by default

Switch(config)#spanning-tree vlan 1 hello-time ?
  <1-10>  number of seconds between generation of config BPDUs

  • Forward delay – the default 15 seconds switches wait while they build their bridging table (the listening and learning states each use this 15-second timer)

Switch(config)#spanning-tree vlan 1 forward-time ?
  <4-30>  number of seconds for the forward delay timer

  • Max age – How long a BPDU is stored before it is flushed from the table (a new BPDU should be received every two seconds; this timer is set to 20 seconds (Hello interval multiplied by 10) and when it is reached, it usually indicates a link failure); the interface then moves to the listening state

Switch(config)#spanning-tree vlan 1 max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid

The total time for STP to recover from a link failure is 20 seconds max age plus 15 seconds listening plus 15 seconds learning, which is 50 seconds to recovery.

Switch#show spanning-tree detail
 VLAN0001 is executing the ieee compatible Spanning Tree Protocol
  Bridge Identifier has priority 32768, sysid 1, address 0011.9247.db00
  Configured Hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
[output truncated]

Cisco’s Enhancements to STP

STP, as we know, keeps the network loop-free but reconvergence can take up to 50 seconds. That is a very long time in networking terms. For almost a minute, data cannot flow across the network. In most cases, this is a critical issue, especially for important network services.

To deal with this issue (before the industry standard for Rapid STP was ratified), Cisco added the following features to STP implementation on its switches:

  • PortFast
  • UplinkFast
  • BackboneFast

PortFast

PortFast is typically enabled on an interface connected directly to a host. If you have a laptop or a server connected to a switch port, then you know that:

  • It will not need to listen to BPDUs because it is not a layer 2 device
  • It will not create loops because it has a single link to the layer 2 network

Therefore, you can safely disable Spanning Tree on such ports. It is very important to ensure that such ports never have an STP-enabled layer 2 device connected on them (think port security!), or else a loop or a breakdown in the network is quite possible. You will even get a warning message on certain switches stating this when you enable PortFast on a switch port!

When you configure a switch port as PortFast, STP will skip the listening and learning states, and the port will transition to forwarding state when it comes up, so it will never be blocked. Other manuals state that STP is disabled on a port using PortFast; however, this is not the case because the port can still send and forward BPDUs. This is not a problem when the port is connected to a network device that does not send or respond to BPDUs, such as the NIC in a workstation, for example. However, this may result in a switching loop if the port is connected to a device that does send BPDUs, such as another switch.

PortFast

FIG 11.13 – PortFast

The command to configure PortFast is spanning-tree portfast. Note the system-generated warning message:

SwitchA(config)#int FastEthernet0/44
SwitchA(config-if)#spanning-tree portfast
%Warning: PortFast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc… to this interface when PortFast is enabled can cause temporary bridging loops. Use with CAUTION
%PortFast has been configured on FastEthernet0/44 but will only take effect when the interface is in a nontrunking mode.

UplinkFast

The purpose of UplinkFast is to optimize convergence when an uplink on an access layer switch fails. Let’s consider the network shown in Figure 11.14 below:

Redundant links to the root bridge

FIG 11.14 – Redundant links to the root bridge

If the link between Switch C and Switch A fails for some reason, UplinkFast will almost immediately transition the alternate port to the forwarding state as per Figure 11.15 below:

UplinkFast detects disabled port

FIG 11.15 – UplinkFast detects disabled port

Mini-lab – Configuring UplinkFast

You will need three switches for this lab. Set all ports as access ports in VLAN 5. Of course, you might have a different root from mine due to MAC addressing. You know how to set the switch to be the root, so feel free to do this. The network in Figure 11.16 below does not have UplinkFast enabled yet.

Mini-lab: Configuring UplinkFast

FIG 11.16 – Mini-lab: Configuring UplinkFast

In Figure 11.16 above, Switch A is the root bridge. Now consider the following output from Switch C:

SwitchC#show spanning-tree vlan 5
VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    32773
             Address     0013.c3e8.2500
             Cost        19
             Port        14 (FastEthernet0/14)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32773 (priority 32768 sys-id-ext 5)
             Address     0017.94bd.1680
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/14              Root FWD 19        128.14   P2p
Fa0/15              Altn BLK 19        128.15   P2p

SwitchC#show spanning-tree uplinkfast
UplinkFast is disabled

Use the following debug commands on the switch:

SwitchC#debug spanning-tree event
Spanning Tree event debugging is on
SwitchC#debug spanning-tree uplinkfast
Spanning Tree uplinkfast debugging is on

These debugs will show you the STP events and UplinkFast messages. They probably won’t work on Packet Tracer. Now shut down port fa0/14 on Switch C, which is currently the root port as per the output above.

Because UplinkFast brings up the alternate port so quickly, enable milliseconds on the debugs with the service timestamps debug datetime msec command in the global configuration mode:

SwitchC(config-if)#shutdown
*Mar  2 22:14:30.504: STP: VLAN0005 new root port Fa0/15, cost 19
*Mar  2 22:14:30.504: STP: VLAN0005 Fa0/15 -> listening
*Mar  2 22:14:30.504: STP: UFAST: removing prev root port Fa0/14 VLAN0005 port-id 800E
*Mar  2 22:14:32.420: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar  2 22:14:32.504: STP: VLAN0005 sent Topology Change Notice on Fa0/15
*Mar  2 22:14:33.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
*Mar  2 22:14:45.504: STP: VLAN0005 Fa0/15 -> learning
*Mar  2 22:15:00.504: STP: VLAN0005 Fa0/15 -> forwarding

Note that the time taken for F0/15 to transition to the forwarding state is 30 seconds. This is faster than the expected 50 seconds because the listening and learning times were short in this P2P link between switches, and no other hosts/switches are connected here.

Next, issue no shutdown on the F0/14 port, then enable UplinkFast on Switch C and repeat the process:

SwitchC(config)#spanning-tree uplinkfast
SwitchC(config)#exit
SwitchC#show spanning-tree vlan 5
[output truncated]
  Uplinkfast enabled

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/14              Root FWD 3019      128.14   P2p
Fa0/15              Altn BLK 3019      128.15   P2p

SwitchC(config)#int fa0/14
SwitchC(config-if)#shutdown
*Mar  2 22:28:23.300: STP: VLAN0005 new root port Fa0/15, cost 3019
*Mar  2 22:28:23.300: STP FAST: UPLINKFAST: make_forwarding on VLAN0005 FastEthernet0/15 root port id new: 128.15 prev: 128.14
*Mar  2 22:28:23.300: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0005 FastEthernet0/15 moved to Forwarding (UplinkFast).
*Mar  2 22:28:23.300: STP: UFAST: removing prev root port Fa0/14 VLAN0005 port-id 800E
*Mar  2 22:28:25.216: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar  2 22:28:25.300: STP: VLAN0005 sent Topology Change Notice on Fa0/15
*Mar  2 22:28:26.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down

SwitchC(config-if)#do show spanning-tree vlan 5
[output truncated]
  Uplinkfast enabled

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/15              Root FWD 3019      128.15   P2p

Note that the time taken for fa0/15 to transition to the forwarding state has changed from 30 seconds downtime to less than a second with UplinkFast enabled. Now that you have seen the difference it makes, let’s define what, exactly, it does.

[END OF MINI-LAB]
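The two debug captures in this mini-lab are exactly the kind of evidence you want to pull out automatically when you are checking how fast an access switch recovers. The following script is an added example, not code from the book: it parses the timestamp prefix that service timestamps debug datetime msec produces, then measures the gap between the "new root port" event and the moment the port reaches forwarding, and records whether the ordinary timers or UplinkFast got it there. The two captures are the ones shown above, embedded as sample input; the only assumption is the IOS message formats visible in them.

```python
"""Measure STP reconvergence from IOS 'debug spanning-tree' output.

Added example, not the book's code. It relies only on the message formats
shown in the captures above ("new root port", "-> listening/learning/forwarding"
and %SPANTREE_FAST-7-PORT_FWD_UPLINK).
"""
import re
from datetime import datetime

# Sample input: the two captures from the UplinkFast mini-lab, as shown on the page.
RUN_WITHOUT_UPLINKFAST = """\
*Mar  2 22:14:30.504: STP: VLAN0005 new root port Fa0/15, cost 19
*Mar  2 22:14:30.504: STP: VLAN0005 Fa0/15 -> listening
*Mar  2 22:14:30.504: STP: UFAST: removing prev root port Fa0/14 VLAN0005 port-id 800E
*Mar  2 22:14:32.420: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar  2 22:14:32.504: STP: VLAN0005 sent Topology Change Notice on Fa0/15
*Mar  2 22:14:33.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
*Mar  2 22:14:45.504: STP: VLAN0005 Fa0/15 -> learning
*Mar  2 22:15:00.504: STP: VLAN0005 Fa0/15 -> forwarding
"""
RUN_WITH_UPLINKFAST = """\
*Mar  2 22:28:23.300: STP: VLAN0005 new root port Fa0/15, cost 3019
*Mar  2 22:28:23.300: STP FAST: UPLINKFAST: make_forwarding on VLAN0005 FastEthernet0/15 root port id new: 128.15 prev: 128.14
*Mar  2 22:28:23.300: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0005 FastEthernet0/15 moved to Forwarding (UplinkFast).
*Mar  2 22:28:23.300: STP: UFAST: removing prev root port Fa0/14 VLAN0005 port-id 800E
*Mar  2 22:28:25.216: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar  2 22:28:25.300: STP: VLAN0005 sent Topology Change Notice on Fa0/15
"""

# "*Mar  2 22:14:30.504: <message>" as written by 'service timestamps debug datetime msec'
_TS = re.compile(r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
                 r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
_NEW_ROOT = re.compile(r"STP: (?P<vlan>VLAN\d+) new root port (?P<port>\S+), cost \d+")
# Some copies of this output show "-]" where IOS prints "->"; accept both.
_STATE = re.compile(r"STP: (?P<vlan>VLAN\d+) (?P<port>\S+) -[>\]] (?P<state>listening|learning|forwarding)")
_UFAST = re.compile(r"%SPANTREE_FAST-7-PORT_FWD_UPLINK: (?P<vlan>VLAN\d+) (?P<port>\S+) moved to Forwarding")


def _short(ifname):
    """Normalise FastEthernet0/15 to Fa0/15 so all messages name the port the same way."""
    return ifname.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def convergence_times(text):
    """Return {(vlan, port): (seconds from 'new root port' to forwarding, how)}.

    'how' is "timers" when the port walked listening -> learning -> forwarding,
    or "uplinkfast" when the %SPANTREE_FAST-7-PORT_FWD_UPLINK message moved it.
    """
    started, done = {}, {}
    for line in text.splitlines():
        m = _TS.match(line)
        if not m:
            continue  # lines without a msec timestamp (e.g. plain syslog) carry no usable time
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
        msg = m["msg"]
        if nr := _NEW_ROOT.search(msg):
            started[(nr["vlan"], _short(nr["port"]))] = ts
        elif st := _STATE.search(msg):
            key = (st["vlan"], _short(st["port"]))
            if st["state"] == "forwarding" and key in started:
                done[key] = ((ts - started[key]).total_seconds(), "timers")
        elif uf := _UFAST.search(msg):
            key = (uf["vlan"], _short(uf["port"]))
            if key in started:
                done[key] = ((ts - started[key]).total_seconds(), "uplinkfast")
    return done


if __name__ == "__main__":
    print("without UplinkFast:", convergence_times(RUN_WITHOUT_UPLINKFAST))
    print("with UplinkFast:   ", convergence_times(RUN_WITH_UPLINKFAST))
```

Run it on a capture from your own switches after the same shutdown test; the first capture reports 30 seconds on the timers path and the second reports 0 seconds via UplinkFast, which is the difference the prose above describes. Lines without a millisecond timestamp (the %LINK and %LINEPROTO messages in the first mini-lab) are skipped rather than guessed at.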

If a switch has multiple links toward the root bridge, then UplinkFast marks the redundant link as an alternate port and brings it up quickly in case the root port fails. This is possible because blocked ports keep listening for BPDUs.

When you enable UplinkFast on a switch globally (rather than per port), the switch does three things:

  1. Increases the root priority to 49152
  2. Sets the port costs to 3000
  3. Tracks alternate root ports (ports on which root Hellos are received)

You can see this in the outputs below (which are truncated to save space). Bear in mind that you have to add the VLAN # as well as the original port cost, which for Fast Ethernet is 19.

Cisco recommends caution when using UplinkFast. You should enable it on switches that have blocked ports so the access layer switch does not become a root or transit switch (one that forwards frames between other switches). Note that your switch was the root for VLAN 1, but after enabling UplinkFast this is no longer the case. The large root priority value coupled with the large costs per link make this switch unlikely to become the root.

Switch#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0017.0e31.d180
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769 (priority 32768 sys-id-ext 1)
             Address     0017.0e31.d180
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/1               Desg FWD 19        128.1    P2p
Fa0/3               Desg FWD 19        128.3    P2p

Switch(config)#spanning-tree uplinkfast
Switch(config)#end

Switch#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000c.3018.3700
             Cost        3019
             Port        7 (FastEthernet0/7)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49153 (priority 49152 sys-id-ext 1)
             Address     0017.0e31.d180
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
  Uplinkfast enabled

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/1               Desg FWD 3019      128.1    P2p
Fa0/3               Desg FWD 3019      128.3    P2p

BackboneFast

UplinkFast works by finding alternate ports for directly connected links. Similarly, BackboneFast works by finding an alternate path when an indirect link to the root port goes down. The difference between these two processes is that the indirect link doesn’t have the option of bypassing the max age timer. This time, the switch learns about a failure due to the lack of Hellos from other switches. If a failure is learned this way, the switch has to wait for the max age timer to expire before trying to change the topology using STP.

BackboneFast allows any switch learning about an indirect failure to send a Root Link Query (RLQ) BPDU out of the port the Hello was expected on, asking the neighbor switch if Hellos are still being received from the root. If the RLQ response states that there has been a direct link failure, it can converge and bypass the max age timer.

Let’s consider the network in Figure 11.17 below:

Redundant path to the root bridge

FIG 11.17 – Redundant path to the root bridge

Switch A is the root bridge in Figure 11.17. F0/20 on Switch D is the root port.

Let’s assume that the link between Switch A and Switch C goes down. Switch C will advertise itself as the root bridge to Switch D. This BPDU is known as an inferior BPDU. Switch B discards this new information because it knows that Switch A is the root bridge and Switch C is a non-root bridge. Eventually, Switch C will receive a BPDU from Switch D and mark F0/20 as its root port toward Switch A. BackboneFast ensures a quick failover as soon as the inferior BPDU is received. It saves roughly 20 seconds out of the 50 seconds of convergence time.

Configuring BackboneFast can be accomplished easily with the command below:

Switch(config)#spanning-tree backbonefast

BackboneFast must be enabled on all switches in order for this feature to work.

STP Security

As you have learned, PortFast disables STP on a switch port, but an important fact is that a PortFast switch port will keep listening for BPDUs. If someone adds a switch to a port that has been configured as PortFast, the consequences will be unpredictable and, in some cases, disastrous. To guard against this situation, Cisco provides the BPDU Guard, BPDU Filter, and Root Guard features.

BPDU Guard

If a switch is plugged into a switch port configured as PortFast, it could change the STP topology without the administrator knowing about it and could even bring down the network. To prevent this, BPDU Guard can be configured on the switch port. With this configured, if a BPDU is received on a switch port, it will be put into an err-disabled mode and an administrator will have to bring up the port. This can be configured on the port using the spanning-tree bpduguard enable command.

The administrator must recover this port via the command line by issuing a shutdown command and then a no shutdown command on the interface (i.e., bounce the interface). Until this is done, the status light on the port will show as amber and frames cannot pass.

BPDU Guard

FIG 11.18 – BPDU Guard

Mini-lab – Configuring BPDU Guard

In Figure 11.19 below, I’ve connected a PC to F0/1 on Switch 0. You can configure any IP address on your PC connected to your switch.

Mini-lab: Configuring BPDU Guard

FIG 11.19 – Mini-lab: Configuring BPDU Guard

Switch0#config t
Switch0(config)#int f0/1
Switch0(config-if)#switchport mode access
Switch0(config-if)#spanning-tree bpduguard enable
Switch0(config-if)#end
Switch0#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Switch0#show run int f0/1
Building configuration…
Current configuration: 89 bytes
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
end

The port will operate normally until I swap the PC for another switch, which sends a BPDU causing Switch 0 to shut interface F0/1:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on 0/1, putting 0/1 in err-disable state

Switch0#show int f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Lance, address is 00e0.a3b4.7601 (bia 00e0.

[END OF MINI-LAB]
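Two things a network defender wants from the mini-lab above are an alert when BPDU Guard fires and a way to find the ports that should have it but do not. The script below is an added example, not the book's code: it extracts the port and cause from the %SPANTREE-2-BLOCK_BPDUGUARD / %PM-4-ERR_DISABLE pair shown above, and it walks a running-config to list interfaces that have spanning-tree portfast without spanning-tree bpduguard enable. The syslog lines are the ones from the lab; the running-config is constructed for the example (only interface FastEthernet0/1 mirrors the lab), and the assumption that the interface names in the two syslog lines differ only by the FastEthernet prefix comes from the lab output.

```python
"""BPDU Guard event extraction and a PortFast/BPDU Guard config audit.

Added example, not the book's code. The syslog sample is taken from the
mini-lab output above; the running-config sample is constructed.
"""
import re

SAMPLE_SYSLOG = """\
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on 0/1, putting 0/1 in err-disable state
"""

# Constructed running-config excerpt: one guarded access port (as in the lab),
# one PortFast port with no guard, one PortFast port with the guard, one trunk.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 switchport mode trunk
!
"""

_BLOCK = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled")
_ERRDIS = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+), putting \S+ in err-disable state")


def bpduguard_events(text):
    """One record per err-disabled port: full interface name, cause and action."""
    names, events = {}, []
    for line in text.splitlines():
        if m := _BLOCK.search(line):
            # The ERR_DISABLE line only carries "0/1"; remember the long name from the
            # BLOCK_BPDUGUARD line so the alert names the interface properly.
            names[m["port"].replace("FastEthernet", "")] = m["port"]
        elif m := _ERRDIS.search(line):
            events.append({"interface": names.get(m["port"], m["port"]),
                           "cause": m["cause"], "action": "err-disable"})
    return events


def parse_interfaces(config):
    """{interface name: [stripped config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends the block in IOS running-config output
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_portfast(config):
    """Interfaces that skip listening/learning (portfast) but would not err-disable on a BPDU."""
    return [name for name, lines in parse_interfaces(config).items()
            if "spanning-tree portfast" in lines
            and "spanning-tree bpduguard enable" not in lines]


if __name__ == "__main__":
    for event in bpduguard_events(SAMPLE_SYSLOG):
        print("ALERT:", event)
    print("PortFast ports without BPDU Guard:", audit_portfast(SAMPLE_CONFIG))
```

The audit only looks at per-interface commands; a switch that applies the guard globally with spanning-tree portfast bpduguard default would show no interface-level line, so check for that global command before trusting an empty finding list.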

BPDU Filter

When BPDU Filter is configured on a switch port that has been configured as PortFast, it will prevent the port from sending and receiving BPDUs on that port. This effectively disables STP on the port. This is unlike the behavior seen with BPDU Guard, where the port is put into an err-disabled mode. BPDU Filter can be enabled on the switch port using the spanning-tree bpdufilter enable command:

Switch(config-if)#spanning-tree bpdufilter enable

BPDU Filter

FIG 11.20 – BPDU Filter

Root Guard

Root Guard is configured per port and, as with BPDU Guard, it monitors for incoming BPDUs. Root Guard is designed to prevent the port from becoming a root port. If a superior BPDU is received on the port, the port is placed into a root-inconsistent state, preventing it from forwarding or receiving frames until the superior BPDUs cease.

As mentioned, Root Guard is enabled on an interface. The command to configure it is shown below:

Switch(config-if)#spanning-tree guard root

Root Guard

FIG 11.21 – Root Guard

Rapid Spanning Tree Protocol

The features discussed in the previous section—PortFast, UplinkFast, and BackboneFast—were added by Cisco, and because of this, they worked only on Cisco switches. IEEE added these features to a new STP protocol called Rapid Spanning Tree Protocol (RSTP) under the (layer 2) 802.1W standard. The goal of RSTP is to improve STP convergence.

NOTE: People using a home lab and wanting to configure RSTP will need a 2960T Catalyst Switch as a minimum hardware requirement.

Similar to the traditional Spanning Tree, RSTP will also elect a root bridge using the same parameters as STP. All RSTP ports will be in a forwarding state (designated ports), while other ports could be an alternate port, root port, backup port, or disabled. RSTP has defined variations of BPDUs, new port roles and states, and backward compatibility with 802.1D switches.

RSTP dramatically improves STP convergence times by using a few key concepts:

  • Transitions from the discarding (rather than blocking) state to the learning state, thereby bypassing the listening state
  • Integration and standardization of Cisco’s PortFast, UplinkFast, and BackboneFast
  • Waits for three missed Hellos on a root port instead of 10

RSTP has simplified the STP logic where possible, as well as defined link types and port roles, to speed up convergence times.

RSTP Link Types

802.1D was devised when shared hubs were in common usage on live networks. On modern networks, most links are point-to-point (switch-to-switch). The remaining link types must be connected to a host of some sort (edge), so PortFast logic would need to be applied here (ports set to forward immediately).

RSTP allows a switch to query its neighbor on point-to-point links to establish its status. It would do this, for example, if no periodic Hello was received. As with BackboneFast, the neighbor switch would respond stating whether it had lost its neighbor.

There are three RSTP link types:

  • Point-to-point – switch-to-switch
  • Shared – switch connects to a hub (other switches connect to the hub)
  • Edge – a host device is connected (end-user)

RSTP Port Roles

As mentioned earlier, RSTP has defined new port roles, adding alternate and backup ports. Table 11-2 below lists these roles:

Table 11-2: RSTP port roles

  • Root Port – This elected port forwards data in the active topology.
  • Designated Port – This is an elected port that forwards data for every switched LAN segment.
  • Alternate Port – This is an alternative path to the root bridge but is different from the root port path.
  • Backup Port – This port provides a redundant path (less desirable) to a segment to which another switch port already connects. (They can only exist when there are two ports connected between the switches.)
  • Disabled – This type of port does not participate in the active topology.

There is a port type known as an edge port, which is considered to be the same as a port configured with the spanning-tree portfast command. The root port and the designated port are the same as the 802.1D root port and designated port. The alternate port is similar to the UplinkFast concept of tracking alternate paths to the root, thus preventing the loss of a switch’s root port.

The backup port is a new concept and its role is to prevent the loss of the designated port attached to a shared link when there is another physical port attached to the same shared LAN, as shown in Figure 11.22 below.

RSTP Port States

A comparison of the STP port states and the RSTP port states is shown in Table 11-3 below. You can see that the listening and disabled states have been removed from RSTP, and it has a new state, discarding.

Table 11-3: Comparison of STP port states and RSTP port states

Operational Status   STP Port State      RSTP Port State   Port in Active Topology
Enabled              Blocking/Disabled   Discarding        No
Enabled              Listening           Discarding        No
Enabled              Learning            Learning          Yes
Enabled              Forwarding          Forwarding        Yes
Disabled             Disabled            Discarding        No

A discarding port does not forward or receive frames or learn source MAC addresses. As you can see, after a port is set to forward, it participates in the active topology and behaves in the same manner as an 802.1D port. The listening state is no longer required because RSTP actively queries its neighbors, thereby preventing any loop creation during convergence.

Figure 11.22 below illustrates the various port roles and states. You can see which switch is the root by the fact that all ports are set to designated (marked as DP).

RSTP port roles and states

FIG 11.22 – RSTP port roles and states

You can see in Figure 11.22 above that an alternate port has received a more useful BPDU from another switch on the same segment. This port will be put into the discarding state. The backup port has received a more useful BPDU from the same switch it is on, so it is considered a backup for the designated port on that switch.

Per-VLAN STP and per-VLAN Rapid STP

This is a good time to introduce you to another very significant change that Cisco made to STP.

When the original bridging standard (802.1D) was drafted, VLANs did not exist. Hence, one Spanning Tree instance worked across the entire switch. Eventually, VLANs were introduced, and they created different logical networks on the same switch. This gave rise to the need to have different topologies for load balancing and flexible Spanning Trees. A strong reason for implementing Per-VLAN STP on a switch is for efficient utilization of the ports on the switch. This is illustrated with the following network:

Multiple exits, multiple VLANs

FIG 11.23 – Multiple exits, multiple VLANs

Let’s assume that all the switches have two VLANs configured. Switch D has two ways to reach Switch A. If one STP instance was running across the network, then fa0/17 would be in the blocked state. With two STP instances running, you can have fa0/20 blocked for one VLAN and fa0/17 blocked for another, and utilize both links by load balancing traffic across them.

To achieve this, Cisco added the Per-VLAN Spanning Tree Plus (PVST+) feature on its switches. When 802.1W (RSTP) was introduced by the IEEE, it still did not accommodate multiple Spanning Tree instances on a switch. Cisco introduced Per-VLAN Rapid Spanning Tree Plus (PVRST+) to support Rapid Spanning Tree instances on each VLAN on the switch. PVST+ and PVRST+ both provide the same functionality across both 802.1D and 802.1W standards. PVRST+ has only three port states (discarding, learning, and forwarding), while STP has five port states (blocking, listening, learning, forwarding, and disabled).

Figure 11.24 below shows a simplified version of how this works. You can see the physical topology on the left and then the logical topologies on the right for two other VLANs. Each has a different root bridge and blocked and forwarding ports.

Physical versus logical PVST+ topology

FIG 11.24 – Physical versus logical PVST+ topology

PVST+ and PVRST+ both change the BID in the BPDU by adding the VLAN number to the configured priority. PVRST+ is a combination of PVST+ and RSTP, and it provides rapid (under one second) convergence, with the added benefit of PVST+.

Mini-lab – Configuring PVRST+

You can use any switch to create VLAN 10.

Switch#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0015.63f6.b700
             Cost        3019
             Port        107 (FastEthernet3/0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49162 (priority 49152 sys-id-ext 10)
             Address     000f.f794.3d00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
[output truncated]

To enable RSTP for each VLAN in the switched network, use the following command:

Switch(config)#spanning-tree mode rapid-pvst

This is all that is needed if you need only one instance of STP. Later on in this section, we will show what is needed to enable load-sharing capabilities.

Using the show spanning-tree vlan [vlan#] command, you can verify which type of Spanning Tree is running:

Switch#show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0015.63f6.b700
             Cost        3019
             Port        107 (FastEthernet3/0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    49162 (priority 49152 sys-id-ext 10)
             Address     000f.f794.3d00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
  UplinkFast enabled but inactive in rapid-pvst mode
[output truncated]

Two items are of interest in the output above. The first is Spanning tree enabled protocol rstp, which confirms that Rapid PVST+ is now running for this VLAN. The second is sys-id-ext 10 in the Bridge ID line, which shows that the configured priority of 49152 had VLAN ID 10 added to it to produce the advertised priority of 49162.

[END OF MINI-LAB]

Load Balancing Using RSTP/STP

How can load balancing be achieved in the network shown in Figure 11.24 above if VLAN 1 and VLAN 5 are being used in the LAN? You can achieve this by configuring Switch A with a better priority for VLAN 1 and configuring Switch B with a better priority for VLAN 5. This can be done using the following commands:

SwitchA(config)#spanning-tree vlan 1 priority 4096

SwitchB(config)#spanning-tree vlan 5 priority 4096

The show spanning-tree output for both VLANs on Switch D, which verifies the load balancing, is shown below:

SwitchD#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0013.c3e8.2500
[output truncated]
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/17              Desg FWD 119       128.17   P2p
Fa0/20              Root FWD 19        128.20   P2p

VLAN0005
  Spanning tree enabled protocol ieee
  Root ID    Priority    4101
             Address     0017.94bd.1680
[output truncated]
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/17              Root FWD 19        128.17   P2p
Fa0/20              Desg FWD 119       128.20   P2p

You can see that the root bridge for VLAN 1 is Switch A, whereas the root bridge for VLAN 5 is Switch B. Fa0/20 is the root port for VLAN 1 and Fa0/17 is the root port for VLAN 5.
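What the PVST+ paragraph above describes (the VLAN number added to the configured priority, which the mini-lab output decodes as sys-id-ext) and the per-VLAN root election behind the load-balancing commands, worked through in Python as an added example; this is not the book's or Cisco's code. The switch names, the four-switch LAN and the per-VLAN priorities are constructed to mirror the Figure 11.24 scenario, and the MAC addresses are reused from the show outputs on this page. It goes slightly beyond the text by also checking the priority values IOS accepts (multiples of 4096).

```python
"""Per-VLAN Bridge ID construction and root election (PVST+ / PVRST+).

Added example (not from the book or from Cisco). Switch names and per-VLAN
priorities are constructed; the MAC addresses are reused from this page's
show spanning-tree output.
"""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768    # IEEE default bridge priority
PRIORITY_STEP = 4096        # IOS accepts priorities only in multiples of 4096
MAX_PRIORITY = 61440        # 15 * 4096: the configurable priority is 4 bits wide
MAX_VLAN = 4095             # sys-id-ext occupies the low 12 bits of the field


def bridge_id(priority: int, vlan: int) -> int:
    """Return the 16-bit priority field PVST+ puts in the BPDU: priority + VLAN.

    The configured priority lives in the top 4 bits, so it must be a multiple of
    4096; the VLAN number fills the low 12 bits (the 'sys-id-ext' in show output).
    """
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP}, 0-{MAX_PRIORITY}")
    if not 1 <= vlan <= MAX_VLAN:
        raise ValueError(f"VLAN must be 1-{MAX_VLAN}")
    return priority + vlan


def split_bridge_id(field_value: int) -> tuple[int, int]:
    """Undo the addition: 49162 -> (49152, 10), shown as 'priority 49152 sys-id-ext 10'."""
    return field_value & 0xF000, field_value & 0x0FFF


@dataclass
class Switch:
    name: str
    mac: str                                  # dotted IOS form, e.g. 0015.63f6.b700
    vlan_priority: dict[int, int] = field(default_factory=dict)  # 'spanning-tree vlan N priority P'

    def bid_for(self, vlan: int) -> tuple[int, int]:
        """Comparable BID: (priority field, MAC as an integer). The lowest tuple wins."""
        priority = self.vlan_priority.get(vlan, DEFAULT_PRIORITY)
        return bridge_id(priority, vlan), int(self.mac.replace(".", ""), 16)


def elect_root(switches: list[Switch], vlan: int) -> Switch:
    """Root for a VLAN: lowest priority field; on a tie, lowest MAC address."""
    return min(switches, key=lambda s: s.bid_for(vlan))


def roots_per_vlan(switches: list[Switch], vlans: list[int]) -> dict[int, str]:
    return {vlan: elect_root(switches, vlan).name for vlan in vlans}


# Constructed four-switch LAN carrying VLAN 1 and VLAN 5, everything at defaults.
SWITCHES = [
    Switch("SwitchA", "0013.c3e8.2500"),
    Switch("SwitchB", "0017.94bd.1680"),
    Switch("SwitchC", "0009.7c87.9081"),
    Switch("SwitchD", "000f.f794.3d00"),
]


def default_roots() -> dict[int, str]:
    """With every switch at 32768, the lowest MAC (SwitchC) wins both VLANs."""
    return roots_per_vlan(SWITCHES, [1, 5])


def load_balanced_roots() -> dict[int, str]:
    """Apply the load-balancing commands from the text:
    SwitchA: spanning-tree vlan 1 priority 4096
    SwitchB: spanning-tree vlan 5 priority 4096"""
    tuned = [Switch(s.name, s.mac, dict(s.vlan_priority)) for s in SWITCHES]
    tuned[0].vlan_priority[1] = 4096
    tuned[1].vlan_priority[5] = 4096
    return roots_per_vlan(tuned, [1, 5])


if __name__ == "__main__":
    print("defaults     :", default_roots())          # {1: 'SwitchC', 5: 'SwitchC'}
    print("load-balanced:", load_balanced_roots())    # {1: 'SwitchA', 5: 'SwitchB'}
    print("SwitchA VLAN 1 field:", bridge_id(4096, 1), split_bridge_id(4097))
```

The default run shows the problem the lab's Purpose section describes: with no priority configured, the root for every VLAN is simply the switch with the lowest MAC address, whichever model or position in the topology that happens to be.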

End of Chapter Questions

Please also visit https://www.howtonetwork.com/ccnasimplified to take the free Chapter 11 exam.

Root Bridge Challenge

Mark on Figure 11.25 below the root bridge and, on each switch, which interfaces are designated, blocking, and root:

FIG 11.25 – Mark the port roles

Solution

FIG 11.26 – Solution

Chapter 11 Labs

Lab 1: Spanning Tree Protocol

FIG 11.27 – STP election

VLAN 2 and VLAN 3 exist on all switches.

Lab Exercise

Your task is to configure the network above so that Switch 2 is always the root bridge for VLAN 2 and Switch 3 is the root bridge for VLAN 3. You will need to connect the three switches together with crossover cables.

Purpose

STP is a very important topic for the CCNA exam, and you can expect to be tested on both your theoretical knowledge and hands-on ability. For this lab, you will configure the switches to ensure that the correct switch is the root bridge. In the real world, if the incorrect switch becomes the root bridge, the network will experience delays.

Lab Objectives

  1. Configure Ports F0/1 and F0/2 on all switches as 802.1Q trunks (default on 2960 Switches).
  2. Create VLAN 2 and VLAN 3 on all the switches.
  3. Configure bridge priority on Switch 2 and Switch 3 for VLAN 2 and VLAN 3, respectively.

Lab Walk-through

  1. First, check the status of the switches. The VTP domain name should match. You will also want to check whether there are any interfaces already trunking. You will check the outputs on Switch 1, and you can do the same on Switch 2 and Switch 3.

Switch1#sh vtp status
VTP Version: 2
Configuration Revision: 1
Maximum VLANs supported locally: 250
Number of existing VLANs: 10
VTP Operating Mode: Server
VTP Domain Name: howtonetwork
VTP Pruning Mode: Disabled
VTP V2 Mode: Enabled
VTP Traps Generation: Disabled
MD5 digest: 0xB7 0xE3 0x3A 0x57 0x1D 0x41 0x42 0x40
Configuration last modified by 0.0.0.0 at 3-1-93 01:11:38
Local updater ID is 0.0.0.0 (no valid interface found)

You can see that the VTP domain name is howtonetwork. Please set all the switches to the same VTP domain name. Please also make sure that all switches are set to VTP server mode (this should be the default, but it varies depending on the IOS version and whether another user changed it).

Switch2(config)#vtp domain howtonetwork

And the command for setting the VTP mode (choose server):

Switch2(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

To configure the switches for trunking on the relevant ports, follow the commands below:

Switch#configure terminal
Switch(config)#hostname Switch1
Switch1(config)#interface range fa0/1 - 2
Switch1(config-if-range)#switchport mode trunk

Switch#configure terminal
Switch(config)#hostname Switch2
Switch2(config)#interface range fa0/1 - 2
Switch2(config-if-range)#switchport mode trunk

Switch#configure terminal
Switch(config)#hostname Switch3
Switch3(config)#interface range fa0/1 - 2
Switch3(config-if-range)#switchport mode trunk

Please note: your switch ports may be numbered 1/1, 1/2, and so on, depending on your model. The interface range command may not work on your switch if it has an older IOS release, so you will have to set the configuration per interface. Please also note that this command seems to have changed as IOS levels changed, meaning that you don't need spaces around the hyphen for one IOS release but you do for another, as demonstrated below on some spare switches I have:

SwitchC(config)#int range f0/1-24
SwitchC(config-if-range)#shut

SwitchA(config)#int range f0/1-24
                               ^
% Invalid input detected at '^' marker.

SwitchA(config)#int range f0/1 - 24

You can now check which interfaces are set to trunking:

Switch1#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed and active in management domain
Fa0/1       1
Fa0/2       1
[output truncated]

  2. To create VLANs on all switches, enter the following commands (your model may require you to input them individually):

Switch1(config)#vlan 2,3
Switch2(config)#vlan 2,3
Switch3(config)#vlan 2,3

You should then be able to see that VLANs 2 and 3 are active and allowed on the trunks, so each now has its own Spanning Tree instance:

Switch1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed and active in management domain
Fa0/1       1,2,3
Fa0/2       1,2,3

Switch1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig1/1, Gig1/2
2    VLAN0002                         active
3    VLAN0003                         active

  3. Check the switches to see which is the root bridge for VLANs 2 and 3. Some of the output is omitted and, of course, your output will be different due to MAC addresses; you may also have a different root bridge due to the bridge priority/MAC addressing. Note that you will see different fields depending on your switch model or if you are using Packet Tracer.

Switch2#show spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     0009.7c87.9081
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0008.21a9.4f80
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface  Port ID                        Designated             Port ID
Name       Prio.Nbr  Cost Sts Cost Bridge ID               Prio.Nbr
---------  --------  ---- --- ---- --------------------- --------
Fa0/1      128.1     19   FWD 19   32770 0009.7c87.9081  128.1
Fa0/2      128.2     19   FWD 19   32770 0008.21a9.4f80  128.2

And now issue the same command on Switch 3. The output below will be slightly different due to different versions of code and switch models:

Switch3#show spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     0009.7c87.9081
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     000f.23a6.8940
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

The Spanning Tree cost for a 100 Mbps interface is 19, and you can see that output in the Cost field.

You can issue a show interface fast 0/1 command on Switch 1 to verify that Switch 1 owns the MAC address listed as the root:

Switch1#show int fast0/1
FastEthernet1/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0009.7c87.9081

Do the same for VLAN 3 to see where the root is.

Switch2#show spanning-tree vlan 3
VLAN0003
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     0009.7c87.9084
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

The MAC address above belongs to Switch 1 again.

  4. Configure bridge priority on Switch 2 and Switch 3 for VLAN 2 and VLAN 3, respectively. You want Switch 2 to be the root for VLAN 2 and Switch 3 to be the root for VLAN 3. You can use the question mark (?) to give you more information:

Switch2(config)#spanning-tree vlan 2 ?
  forward-time  Set the Forward Delay for the spanning tree
  hello-time    Set the Hello interval for the spanning tree
  max-age       Set the Max Age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>

Switch2(config)#spanning-tree vlan 2 priority 4096

Switch3(config)#spanning-tree vlan 3 priority 4096

Next, issue the show spanning-tree vlan # command to check that the respective switches are the roots for the desired VLANs:

Switch2#show spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    4098
             Address     0008.21a9.4f80
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4098   (priority 4096 sys-id-ext 2)
             Address     0008.21a9.4f80
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface  Port ID                       Designated            Port ID
Name       Prio.Nbr Cost  Sts Cost Bridge ID              Prio.Nbr
---------- -------- ----  --- ---- -------------------- --------
Fa0/1      128.1    19    FWD 0    4098 0008.21a9.4f80  128.1
Fa0/2      128.2    19    FWD 0    4098 0008.21a9.4f80  128.2

If you do the same for VLAN 3 on Switch 3, you will see that it is the root for that VLAN:

Switch3#show spanning-tree vlan 3
VLAN0003
  Spanning tree enabled protocol ieee
  Root ID    Priority    4099
             Address     000f.23a6.8940
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    4099   (priority 4096 sys-id-ext 3)
             Address     000f.23a6.8940
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
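The check performed by hand in steps 3 and 4 (read the Root ID, confirm the root is the intended switch, decode the priority field), as an added Python script that parses show spanning-tree output; it is not part of the lab or of Cisco's software. SAMPLE_OUTPUT is constructed in the layout this lab prints and reuses the lab's MAC addresses, and EXPECTED_ROOT is an assumed design table that you would replace with your own. A VLAN whose root is still at the default priority was decided by MAC address alone, which is the situation the lab's Purpose section warns about, so the script flags it.

```python
"""Audit the root bridge of each VLAN from 'show spanning-tree' output.

Added example (not from the book or from Cisco). SAMPLE_OUTPUT is constructed
in the layout the lab prints; its MAC addresses are reused from the lab.
EXPECTED_ROOT is an assumed design table: replace it with your own.
"""
import re

# Constructed sample, as if captured on Switch2 after the lab's priority changes
# (VLAN 1 was left at defaults, so its root was decided purely by MAC address).
SAMPLE_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.7c87.9081
             Cost        19
             Port        1 (FastEthernet0/1)
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0008.21a9.4f80

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    4098
             Address     0008.21a9.4f80
             This bridge is the root
  Bridge ID  Priority    4098   (priority 4096 sys-id-ext 2)
             Address     0008.21a9.4f80

VLAN0003
  Spanning tree enabled protocol ieee
  Root ID    Priority    4099
             Address     000f.23a6.8940
             Cost        19
             Port        1 (FastEthernet0/1)
  Bridge ID  Priority    32771  (priority 32768 sys-id-ext 3)
             Address     0008.21a9.4f80
"""

# Assumed design intent: MAC of the switch that should be root for each VLAN
# (Switch2 for VLAN 2, Switch3 for VLAN 3, as in the lab objectives).
EXPECTED_ROOT = {2: "0008.21a9.4f80", 3: "000f.23a6.8940"}

VLAN_HEADER = re.compile(r"^VLAN(\d{4})[ \t]*$", re.MULTILINE)
PROTOCOL = re.compile(r"enabled protocol\s+(\S+)")
ROOT_PRIORITY = re.compile(r"Root ID\s+Priority\s+(\d+)")
ROOT_ADDRESS = re.compile(r"Root ID.*?Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.DOTALL)
BRIDGE_PRIORITY = re.compile(r"Bri(?:dge|\.)\s*ID\s+Priority\s+(\d+)")   # 'Bri. ID' also appears in captures


def parse_spanning_tree(output: str) -> dict[int, dict]:
    """Split the output into per-VLAN sections and pull out the root-related fields."""
    parts = VLAN_HEADER.split(output)           # ['', '0001', body1, '0002', body2, ...]
    parsed = {}
    for vlan_text, body in zip(parts[1::2], parts[2::2]):
        def grab(rx, conv=str):
            m = rx.search(body)
            return conv(m.group(1)) if m else None
        parsed[int(vlan_text)] = {
            "protocol": grab(PROTOCOL),
            "root_priority": grab(ROOT_PRIORITY, int),
            "root_mac": grab(ROOT_ADDRESS),
            "bridge_priority": grab(BRIDGE_PRIORITY, int),
            "local_is_root": "This bridge is the root" in body,
        }
    return parsed


def check_roots(parsed: dict[int, dict], expected: dict[int, str]) -> dict[int, list[str]]:
    """Return the problems found per VLAN; an empty list means the VLAN looks as designed."""
    findings = {}
    for vlan, info in parsed.items():
        prio = info["root_priority"]
        if prio is None or info["root_mac"] is None:
            findings[vlan] = ["could not parse Root ID"]
            continue
        problems = []
        base, sys_id_ext = prio & 0xF000, prio & 0x0FFF     # undo 'priority + VLAN'
        if sys_id_ext != vlan:
            problems.append(f"sys-id-ext {sys_id_ext} does not match VLAN {vlan}")
        if base == 32768:
            problems.append("root still at default priority (election decided by MAC address)")
        if vlan not in expected:
            problems.append("no expected root defined for this VLAN")
        elif info["root_mac"] != expected[vlan]:
            problems.append(f"unexpected root {info['root_mac']}, expected {expected[vlan]}")
        findings[vlan] = problems
    return findings


def audit(output: str = SAMPLE_OUTPUT, expected: dict[int, str] = EXPECTED_ROOT) -> dict[int, list[str]]:
    return check_roots(parse_spanning_tree(output), expected)


if __name__ == "__main__":
    for vlan, problems in sorted(audit().items()):
        print(f"VLAN {vlan}:", "; ".join(problems) or "ok")
```

Feed it a saved copy of show spanning-tree (one VLANxxxx section per VLAN, as the lab captures show) and re-run it after any change: a root that moves to a MAC address you did not plan for, or a VLAN whose root priority is still 32768, is what you want to notice before users notice the delays.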

Running Configuration

[VLAN information won't show on a show run command.]

Switch1#sh run
Building configuration...
[output truncated]
hostname Switch1
!
interface FastEthernet0/0
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!

Switch2#sh run
Building configuration...
[output truncated]
hostname Switch2
!
spanning-tree vlan 2 priority 4096
!
interface FastEthernet0/0
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!

Switch3#sh run
Building configuration...
[output truncated]
hostname Switch3
!
spanning-tree vlan 3 priority 4096
!
interface FastEthernet0/0
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
!
Copyright Reality Press Ltd. / Paul Browning