What is STP?
Spanning Tree Protocol (STP) is enabled by default on Cisco switches. Because it works so well, many network engineers disregard it, and they regret doing so when faced with an STP issue, which can quickly bring down even enterprise-level networks. Cisco expects you to have a good grasp of STP and RSTP (Rapid STP) for the exam, including how they operate, how to tweak the configurations, and how to troubleshoot common issues.
You will configure advanced STP in the Cisco CCNP ENCOR course.
What is STP – Spanning Tree Protocol?
Imagine for a moment that you drive a delivery truck in a large city. There is a large network of roads for you to choose from, and you know the name of the building you need to reach. Your boss doesn’t permit you to use a map or satellite navigation, so you have to drive around random streets until you find your destination.
FIG 11.1 – Taking the long route
You eventually reach your destination but the journey was a nightmare, and you still have to find your way back. Having a grid of roads you can take is useful, but if they are all open, you run the risk of going around in circles. Now imagine that the next time you need to make the journey, the fastest route has been made available to you because the longer routes have been closed off.
FIG 11.2 – Longer paths shut down
This time it’s impossible to become lost. If one of the main routes was no longer available, an alternative route would be opened for you. This is a simplified explanation of how Spanning Tree Protocol works.
STP was originally created by Radia Perlman and was later standardized by IEEE 802.1D as a messaging service between switches designed to provide a loop-free topology in a layer 2 network that has multiple redundant paths. In order to achieve this, STP prevents some interfaces (referred to as ports in this context) from forwarding traffic.
In theory, the remaining ports will all forward traffic in a loop-free network. STP works so well, in fact, that its importance is often forgotten, and many network engineers find it very difficult to troubleshoot (because they don’t understand it). When I was working at Cisco TAC, we would regularly have to assist even CCIEs who were struggling to configure or troubleshoot STP issues in their network. Cisco has written an STP guide if you want to read it.
Figure 11.3 below shows a full-mesh network, a good redundant setup where, if one link fails, there are two more links for traffic to go through. However, could this lead to any problems? Let’s say a host is connected to port fa0/1 on Switch A (MAC address AAA), and this switch sends a broadcast out to the network advertising this MAC. Of course, this is the desired behavior because we need the switched network to build a map of which MAC addresses are connected to which interfaces.
FIG 11.3 – Beginning of a switching loop
Switch A has to forward this frame out of every port except fa0/1. Part of what happens next is shown below:
- Switch B receives the packet on fa0/10 and sends it out on every port except that one;
- Switch D receives the packet on fa0/10 and sends it out on every port except that one, but including fa0/11; and
- Switch A receives the packet on fa0/11 and sends it out on every port except fa0/11, but including fa0/1 and fa0/10.
As a result, not only has the original source received the frame back, but now Switch A has to send the packet back out of fa0/10 also. Soon enough, all ports are advertising the fact that they can reach host AAA. The network will shortly become unusable, as demonstrated in Figure 11.4 below:
FIG 11.4 – Full switching loop
As you can see in Figure 11.4, a loop has been created. Such loops can bring a network to a grinding halt. Layer 2 LAN protocols have no method to stop traffic from endlessly traveling around, possibly carrying inaccurate information. At layer 3, you can make packets expire after a certain amount of time or after they have traveled a certain distance (using the TTL value or route poisoning, for example).
As layer 2 networks grew, it quickly became evident that a system to prevent loops was needed if LANs were to continue to function. STP allows switches to communicate with each other so they can create a loop-free topology. It does this by electing a root bridge, which becomes the logical center of the switched network. It then builds a loop-free path leading toward the root bridge. Note that the logical root switch does not have to be at the center of the network physically.
STP is enabled by default on all bridges (switches). This means that you can install several switches, configure VLANs, and STP will work to prevent loops. For this reason, it isn’t compulsory to add any configuration, but as the network administrator, you may want to add some of the configuration commands discussed in this section to determine where your layer 2 traffic goes, for example, to a more powerful switch or load balanced per VLAN.
In the network in Figure 11.5 below, the hosts are not shown but are all connected to the access layer switches using VLANs 20 and 30. The VLAN traffic has been load-balanced using configuration commands so that each distribution layer switch is the root for just one VLAN. Each can switch traffic for both VLANs should the primary switch for the other VLAN fail.
FIG 11.5 – Correct root bridge placement
If you connected all the devices without any configuration, you might find that one of the lower-powered access layer switches becomes the root for all your layer 2 traffic, which is certainly not a desired outcome. This is illustrated in Figure 11.6 below. As a CCNA-level engineer, you will quickly be able to troubleshoot and resolve this type of issue. Although it may seem unlikely, I’ve had to deal with it on many occasions when taking over from an IT engineer who just expected to plug-and-play multiple network switches.
FIG 11.6 – Allowing STP to run automatically can lead to problems
Each bridge runs the Spanning Tree algorithm, which calculates how the loop (as seen in Figure 11.6 above) can be prevented. When STP is applied to a looped LAN topology, all VLANs will be reachable but any open ports that would create a traffic loop are blocked. When it sees a loop in the network, it blocks one or more redundant paths, preventing a loop from forming. As you can guess, STP calculates the best-cost path to reach the root bridge, and then the best-cost interfaces are put into forwarding state while the others are put into blocking state.
All this is achieved by swapping Bridge Protocol Data Units (BPDUs). STP also uses BPDUs to continually monitor the network for failures on switch ports or changes in the network topology. If a change in the LAN is detected, STP can make redundant ports available and close other ports to ensure that the network continues to function loop-free. This entire process can take quite some time but improvements have been developed to speed this up, which we’ll cover shortly.
Figure 11.7 below shows a packet capture of a BPDU. There are actually two types—a Topology Change Notification (TCN) BPDU, which is used for topology changes (such as an interface going down), and a configuration BPDU, which is used for initial STP configuration. Can you tell which one is in the packet capture below?
FIG 11.7 – BPDU packet capture
Before you learn more about STP, you need to understand some of the common terms associated with it. To see some of the values on a switch, you would issue the show spanning-tree vlan [vlan#] command. As always, it would be a great idea to get access to a live switch and try these out for yourself.
Switch#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.4272.A095
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0001.C934.3988
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
- Root ID – This is the ID of the bridge (switch) assumed to be the root. The switch usually assumes it is the root until the BPDUs have all been exchanged between the switches. You can see the root details, including the root cost (covered later), with the show spanning-tree root command, which I recommend you try during any STP labs:
Switch#show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0011.9247.db00         0    2   20  15
- Bridge ID – The BID is the unique identification number of each switch in the network. It consists of the bridge priority, the VLAN ID, and the base MAC address of the switch. In the previous show spanning-tree vlan 1 output, the BID is 32768 plus the VLAN ID of 1 (giving 32769) together with the MAC address 0001.C934.3988.
The default bridge priority of a Cisco switch is 32768. This is a configurable value between 0 and 61440, but the value has to be in increments of 4096 (i.e., 4096, 8192, 12288, and so on). Priority plays a very big role in STP and how well the network will function, which we will examine in detail shortly.
- Root bridge – All switches in the network take part in an election to decide the root of the spanning tree; this then leads to them making further decisions, such as which redundant path to block and which to open. The election is won by the switch with the lowest BID. Switches that do not become a root bridge are called non-root bridges.
- BPDU – A Bridge Protocol Data Unit contains information exchanged between switches to select a root bridge, as well as to configure the network after that. A decision on which port to block is made after examining BPDUs from neighbors. Cisco switches send BPDUs every two seconds by default. This value can be configured from one second to 10 seconds.
- Root port – Each switch that is not the root must have a path to the root bridge. The root port is the directly connected link or the lowest-cost path to the root bridge from a non-root bridge; it is always the port closest to the root bridge. The root bridge itself never has a root port.
- Port cost – Each port has a cost that is determined by the bandwidth of the link. Port cost determines which of the redundant links will not be blocked. The lower the cost, the better it is. Port cost also determines which port will become the root port if multiple paths to the root bridge exist. Default port costs are shown in Table 11-1 below:
Table 11-1: STP port costs
| Link Speed | STP Cost |
|------------|----------|
| 4 Mbps     | 250      |
| 10 Mbps    | 100      |
| 16 Mbps    | 62       |
| 100 Mbps   | 19       |
| 1 Gbps     | 4        |
| 10 Gbps    | 2        |
It’s important that you learn the costs above for the exam so that you can look at a diagram and determine the best path. As a BPDU traverses the switched network, the cost is incremented. This is how the switch determines the least cost.
- Designated port – The bridges on a network segment collectively determine which bridge has the least-cost path from the network segment to the root. The port connecting this bridge to the network segment is then the designated port for the segment. Ports that are not selected as a designated port are called non-designated ports. Designated ports point away from the root bridge.
Port States in STP
Switch ports (the interfaces on the switch) running STP can be in one of five states. Please ensure that you understand all of these for the CCNA exam:
- Blocking
- Listening
- Learning
- Forwarding
- Disabled
User data is only passed by a port in forwarding state.
First State – Blocking
A blocking port neither transmits nor receives user data, but it does listen to BPDUs. The BPDU carries various pieces of information that STP uses to determine which state each port should be in and what the STP topology should be.
Second State – Listening
The switch listens for frames but does not learn or act on them. The switch does receive the frames but discards them before any action is taken. MAC addresses are not placed into the CAM table while the port is listening.
Third State – Learning
The switch will start to learn MAC addresses it can see and will populate its CAM table with the addresses and the ports on which they were found. In this state, the switch will start to transmit its own BPDUs.
Fourth State – Forwarding
The switch has learned MAC addresses and corresponding ports and populates its CAM table with this information. The switch can now forward traffic.
Fifth State – Disabled
In disabled state, the port will receive BPDUs but will not forward them to the switch processor. Instead, it discards all incoming frames from both the port and other forwarding ports on the switch.
The port states are transitional and allow BPDUs from other switches to arrive in good time. Port transition times are shown below; the process from start to finish can typically take 50 seconds (15 seconds each for listening and learning plus 20 seconds for the max age timer, which will be covered shortly):
- Initialization to blocking
- Blocking to listening
- Listening to learning (15 seconds)
- Learning to forwarding (15 seconds)
- Forwarding to disabled (if there is a failure)
FIG 11.8 – STP port states
All ports start in the blocking state (except for a few exceptions, which will be discussed later). After STP convergence, some ports will transition to the listening, learning, and, finally, forwarding states, and the rest will remain in the blocking state. Keeping this and the time needed to transition from one state to another in mind, a layer 2 network running STP takes 50 seconds to start switching data!
What is STP Convergence?
Remember that STP works by selecting a root bridge in the LAN. It is selected by comparing the Bridge ID of each switch, and the switch with the lowest BID wins. As the network administrator, you can manually configure which switch you prefer to be the root (and secondary root). We’ll look at how to do this shortly.
STP can be considered converged after three steps have taken place (all ports will either be blocking or forwarding):
- Elect one root bridge (switch)
- Elect root ports
- Elect designated ports
FIG 11.9 – STP convergence
We will use the network shown in Figure 11.9 above to go through the STP convergence process. VLAN 5 has been configured and all the interfaces shown have been placed into VLAN 5.
Elect One Root Bridge
The bridge with the lowest BID becomes the root bridge. The BID used to consist of just two values in an 8-byte field—the bridge priority (32768 by default), which is two bytes, and the base MAC address of the backplane or supervisor module (depending on the switch model), which is six bytes.
Here is an extract from a show version command on a 2960 Switch. You can see the base MAC address:
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0C:BE:D4:3C:40
Motherboard assembly number: 34-7410-05
The 802.1T standard introduced an extended system ID in order to conserve MAC addresses while still allowing for a unique BID. With extended system ID enabled (VLAN 10 in this example), the bridge priority is set to either 4096 as a minimum or a multiple of 4096, depending on which bridge priority bits are set. The default priority of 32768 is a multiple of 4096. Figure 11.10 below shows the old BID format and the new one below that:
FIG 11.10 – Bridge ID format
The output below is from a 3550 Switch. The command below won’t work on Packet Tracer:
Switch#show spanning-tree vlan 10 bridge
                                                   Hello  Max  Fwd
Vlan       Bridge ID                               Time   Age  Dly  Protocol
---------- ---------------------------------       -----  ---  ---  --------
VLAN0010   4106 (4096,10) 000d.bd06.4100           2      20   15   ieee
Here you can see that the priority value is 4096, to which is added the VLAN ID of 10 and the MAC address.
The root bridge on a VLAN is selected by an election. Each switch running STP passes its BID information using BPDUs. BPDUs are multicast frames that are sent out every two seconds from every port (you can see the Hello time in the output above). This is necessary to maintain a loop-free topology. The bridge with the lowest ID is selected as the root bridge. This means that the switch with the lowest priority is elected as the root bridge. If all the switches have the same priority, then the switch with the lowest MAC address is selected as the root bridge, which in this instance is Switch A with MAC 0013.c3e8.2500.
All ports on the root bridge are set as designated ports and are always set to the forwarding state. We will discuss port roles shortly.
STP elections take place using the following order:
- Lowest root bridge ID
- Lowest root path cost to the root bridge
- Lowest sender bridge ID
- Lowest sender port ID
In the network in Figure 11.9, the priority of all the switches has been left at default, so the switch with the lowest MAC address will be selected as the root bridge. In this case, it will be Switch A. To verify this, issue the show spanning-tree vlan [vlan#] command on Switch A:
SwitchA#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773 – 32768 plus 5 (the VLAN ID)
Address 0013.c3e8.2500
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0013.c3e8.2500
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/15 Desg FWD 100 128.15 P2p
Fa0/18 Desg FWD 100 128.18 P2p
Notice that there is no Cost field displayed under the Address field because this switch is the root for this VLAN. If you wanted Switch C to be the root bridge, then you would need to give it a lower priority than 32773 using either of the following commands:
Switch(config)#spanning-tree vlan 5 root primary
Switch(config)#spanning-tree vlan 5 priority 8192
The first command lets the switch set its own priority for the specified VLAN to 4096 less than the lowest spanning tree switch priority value. You can also configure the secondary root bridge on any switch you want to take over as the root bridge in case the current root bridge fails.
The second command lets you manually choose the priority. Which command you choose will depend on your network policy; however, you need to know both for the CCNA exam and beyond, so do try them both. If you added the priority 8192 command to a switch and the root primary to the second switch, then the second switch would set its priority to 4096, thus becoming the root bridge.
Let’s check the show spanning-tree output on Switch C (after you have made it the root with one of the commands above) and on Switch A. The VLAN information is added to the priority value in the output:
SwitchC#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 8197
Address 0014.a93f.8380
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 8197 (priority 8192 sys-id-ext 5)
Address 0014.a93f.8380
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
SwitchA#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 8197
Address 0014.a93f.8380
Cost 100
Port 18 (FastEthernet0/18)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0013.c3e8.2500
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Note that Switch A now shows Switch C’s MAC address as the root bridge’s MAC address, and Switch C says that it is the root bridge. Now please set the priority value on Switch C back to 32768 and make Switch A the root bridge for the next section. Note that even though you set the priority value back to 32768, the VLAN number will be added to that value, so for VLAN 5, the priority will be 32773.
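A small audit check, added here as an example (it is not from the book or from Cisco), that parses this show spanning-tree vlan output and compares the elected root with the root you intended for each VLAN, the Figure 11.6 situation where an access switch wins the election because nobody set a priority. The sample output is Switch A’s from above with a constructed interface table, and the intended-root table is an assumption for the example.

```python
import re

# Constructed sample: the Switch A output from this page after Switch C became
# the root (priority 8192 + VLAN 5), with an interface table added so that the
# parser has something to work on. Note there is no "This bridge is the root".
SAMPLE_SWITCH_A = """\
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 8197
Address 0014.a93f.8380
Cost 100
Port 18 (FastEthernet0/18)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0013.c3e8.2500
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Fa0/15 Desg FWD 100 128.15 P2p
Fa0/18 Root FWD 100 128.18 P2p
"""

DEFAULT_TIMERS = (2, 20, 15)  # Hello, Max Age, Forward Delay in seconds


def parse_spanning_tree(text: str) -> dict:
    """Extract the fields this chapter discusses from 'show spanning-tree vlan N'."""
    info = {"interfaces": [], "root": {}, "bridge": {}}
    section = "root"  # Address/Hello lines belong to the ID block above them
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"VLAN(\d+)", line):
            info["vlan"] = int(m.group(1))
        elif m := re.match(r"(Root|Bridge) ID Priority (\d+)", line):
            section = m.group(1).lower()
            info[section]["priority"] = int(m.group(2))
        elif m := re.match(r"Address ([0-9A-Fa-f.]+)", line):
            info[section]["address"] = m.group(1).lower()
        elif m := re.match(r"Cost (\d+)", line):
            info["root"]["cost"] = int(m.group(1))          # root path cost
        elif m := re.match(r"Port \d+ ?\((\S+)\)", line):
            info["root"]["port"] = m.group(1)               # root port
        elif line == "This bridge is the root":
            info["root"]["self"] = True
        elif m := re.match(r"Hello Time (\d+) sec Max Age (\d+) sec Forward Delay (\d+) sec", line):
            info[section]["timers"] = tuple(int(x) for x in m.groups())
        elif m := re.match(r"(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LIS|LRN)\s+(\d+)\s+(\d+)\.(\d+)", line):
            name, role, state, cost, prio, nbr = m.groups()
            info["interfaces"].append({"name": name, "role": role, "state": state,
                                       "cost": int(cost), "port_id": (int(prio), int(nbr))})
    info["root"].setdefault("self", False)
    return info


def audit(text: str, intended_root: dict) -> list:
    """Compare one switch's output with the intended root MAC per VLAN.

    Returns a list of findings; an empty list means the VLAN looks as designed.
    """
    st = parse_spanning_tree(text)
    vlan, root = st["vlan"], st["root"]
    findings = []
    want = intended_root.get(vlan)
    if want is None:
        findings.append(f"VLAN {vlan}: no intended root recorded for this VLAN")
    elif root["address"] != want.lower():
        findings.append(f"VLAN {vlan}: root is {root['address']} (priority "
                        f"{root['priority']}), expected {want}")
    if root["priority"] - vlan == 32768:
        # Nobody ran 'root primary' or set a priority: the election was
        # decided by MAC address alone, which is the Figure 11.6 situation.
        findings.append(f"VLAN {vlan}: root still uses the default priority 32768")
    if root.get("timers", DEFAULT_TIMERS) != DEFAULT_TIMERS:
        findings.append(f"VLAN {vlan}: non-default STP timers {root['timers']}")
    return findings
```

Run it against the output of every switch, not just the one you think is the root: a switch that prints "This bridge is the root" for a VLAN you assigned elsewhere is exactly the case the check is for.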
Elect Root Ports
For non-root bridges, there will be only one root port. The root port will be the port with the lowest path cost to the root bridge (i.e., the best/fastest path). The root port will be set to forwarding state.
Path cost is the cost of transmitting a frame to the root bridge. The value is set according to the bandwidth of the link on the LAN, so the slower the link, the higher the cost.
In order to determine which port should be a root port, STP runs through the decision-making process below:
- Lowest root bridge ID
- Lowest root path cost to the root bridge
- Lowest sender bridge ID
- Lowest sender port ID
The primary factor in deciding the root bridge is the root bridge ID; the primary factor in deciding the root port on a non-root bridge is the path cost, which is cumulative (i.e., each port’s cost is added to the value carried in the BPDU as it traverses the network). If there is a tie in the path cost, STP moves down the list until a decision is reached, finally using the sender bridge ID and then the sender port ID.
In the network below, Switch B’s and Switch C’s fa0/15 ports will be the root ports. Switch D has two options—fa0/17 toward Switch B and fa0/20 toward Switch C. The total cost of the link on fa0/17 is 200 (10 Mbps = 100). The total cost of the link on fa0/20 is 119 (10 Mbps = 100 and 100 Mbps = 19), so fa0/20 will be the root port for Switch D and fa0/17 will be blocked. For default costs, see Table 11-1. Costs are cumulative, adding up in the BPDU cost field as the frame traverses the network.
FIG 11.11 – STP port statuses
Let’s verify Switch D’s root port using the show spanning-tree vlan [vlan#] command:
SwitchD#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 0013.c3e8.2500
Cost 119
Port 20 (FastEthernet0/20)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0018.1841.7680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
fa0/17 Altn BLK 100 128.17 P2p
fa0/20 Root FWD 19 128.20 P2p
You can see that the cumulative cost is 119, which is the 100 Mbps link (19) plus the 10 Mbps link (100) (i.e., the sum of the interface port costs along the path). The port ID shown in the Prio.Nbr column defaults to a priority of 128 followed by the interface number. P2p indicates a point-to-point connection.
If you want fa0/17 on Switch D to become the root port instead of fa0/20, you need to change the cost on fa0/17 so that the total cost via that port is better (lower) than the current cost of 119 shown in the output above. Since the path through Switch B to the root already costs 100, the cost of interface fa0/17 must be less than 19. The cost is adjusted with the spanning-tree cost # interface-level command (or the spanning-tree vlan # cost # command if you want to affect only one VLAN, which is preferred), as shown on fa0/17 below:
SwitchD(config)#int fa0/17
SwitchD(config-if)#spanning-tree vlan 5 cost 1
SwitchD(config-if)#do show spanning-tree vlan 5 – The “do” command lets you issue a show command while in config mode
[output truncated]
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- -------
fa0/17 Root LIS 1 128.17 P2p
fa0/20 Altn BLK 119 128.20 P2p
You can see that fa0/17 becomes the root port with a cost of 1 (as specified in the command) and fa0/20 goes into a blocking (BLK) state. Notice that fa0/17 is in the listening (LIS) state because it needs to transition through the listening and learning states, and the port can spend up to 15 seconds in each of these states.
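The decision process above (lowest root BID, then cumulative root path cost, then sender BID, then sender port ID) together with the cost override, modelled in Python as an added example that is not from the book or from Cisco. It uses the Figure 11.11 switches, MAC addresses, port numbers and link costs; Switch B’s MAC address and its port toward Switch D are constructed because the page does not show them. It also covers the case of two parallel links to the root, where only the sender port ID breaks the tie.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Table 11-1 default port costs, keyed by link speed in Mbps.
PORT_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, int]:
    """Bridge ID with extended system ID: (priority + VLAN ID, MAC as an int).

    Tuples compare element by element, so the lowest priority wins and the
    lowest MAC address breaks a tie, exactly as the election rule says.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, int(mac.replace(".", ""), 16))


def port_id(number: int, priority: int = 128) -> tuple[int, int]:
    """Port ID as shown in the Prio.Nbr column (default priority 128)."""
    return (priority, number)


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = 32768
    # local port number -> (neighbour name, neighbour port number, speed in Mbps)
    links: dict = field(default_factory=dict)
    # local port number -> cost set with 'spanning-tree vlan N cost X'
    cost_override: dict = field(default_factory=dict)

    def port_cost(self, port: int) -> int:
        return self.cost_override.get(port, PORT_COST[self.links[port][2]])


def run_stp(switches: dict, vlan: int) -> dict:
    """Return {name: (root name, root path cost, root port)} for one VLAN.

    Root bridge: lowest BID. Root port: every non-root switch keeps the best
    (cumulative cost, sender BID, sender port ID) it hears, adding the cost
    of the port the BPDU arrived on, until nothing changes. The root BID is
    the same in every BPDU once the root is known, so that step always ties.
    """
    bids = {n: bridge_id(s.priority, vlan, s.mac) for n, s in switches.items()}
    root = min(bids, key=bids.get)
    # best BPDU heard so far: (cumulative cost, sender BID, sender port ID, local port)
    best = {root: (0, bids[root], port_id(0), None)}
    changed = True
    while changed:
        changed = False
        for name, sw in switches.items():
            if name == root:
                continue
            for port, (nbr, nbr_port, _) in sw.links.items():
                if nbr not in best:
                    continue  # neighbour has not heard the root's BPDU yet
                cand = (best[nbr][0] + sw.port_cost(port), bids[nbr],
                        port_id(nbr_port), port)
                if name not in best or cand < best[name]:
                    best[name] = cand
                    changed = True
    return {n: (root, b[0], b[3]) for n, b in best.items()}


def figure_11_11() -> dict:
    """Topology of Figures 11.9/11.11: 10 Mbps links except C-D at 100 Mbps.

    Switch B's MAC address and its port toward Switch D are constructed.
    """
    return {
        "A": Switch("A", "0013.c3e8.2500", links={15: ("B", 15, 10), 18: ("C", 15, 10)}),
        "B": Switch("B", "0014.0000.0001", links={15: ("A", 15, 10), 17: ("D", 17, 10)}),
        "C": Switch("C", "0014.a93f.8380", links={15: ("A", 18, 10), 20: ("D", 20, 100)}),
        "D": Switch("D", "0018.1841.7680", links={17: ("B", 17, 10), 20: ("C", 20, 100)}),
    }


def demo() -> dict:
    """Three runs on the page's topology; each value is (root, cost, root port)."""
    default = run_stp(figure_11_11(), 5)      # D: root port fa0/20, cost 119
    net = figure_11_11()
    net["D"].cost_override[17] = 1            # SwitchD: spanning-tree vlan 5 cost 1
    cheaper = run_stp(net, 5)                 # D: root port fa0/17, cost 101
    net = figure_11_11()
    net["C"].priority = 8192                  # SwitchC: spanning-tree vlan 5 priority 8192
    c_root = run_stp(net, 5)                  # C is root; A reaches it via fa0/18, cost 100
    return {"default": default, "cheaper": cheaper, "c_root": c_root}


def parallel_links() -> dict:
    """Two Fast Ethernet links between Switch A and the root, Switch B (MACs as in
    the mini-lab on this page): cost and sender BID tie on both links, so the
    link on the root's lower-numbered port, Fa0/11, becomes the root port."""
    a = Switch("A", "0011.9247.db00", links={11: ("B", 11, 100), 12: ("B", 12, 100)})
    b = Switch("B", "000d.292e.1180", links={11: ("A", 11, 100), 12: ("A", 12, 100)})
    return run_stp({"A": a, "B": b}, 5)       # A: root port 11, cost 19
```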
Elect Designated Ports
If a switch has redundant ports connecting it to a LAN segment (another downstream switch or hub, for example), then the port with the lowest cost will be elected the designated port. Designated ports forward BPDUs onto the LAN segment and traffic to and from the LAN segment. In simple terms, the designated port becomes the only link for the LAN segment toward the rest of the network and the root bridge. By default, all ports on a root switch are designated ports. The criteria used for electing the designated port on a segment are listed in order below:
- Lowest root bridge ID
- Lowest root path cost to the root bridge
- Lowest sender bridge ID
- Lowest sender port ID
In Figure 11.11 above, the fa0/20 port on Switch C will be the designated port for the link to Switch D. This is because Switch C has the lowest cost to the root bridge. The root bridge is the same, and Switch C has a better path cost to the root bridge (100) versus Switch D’s path cost (200). (Switch D’s Fa0/17 interface has been reverted to its normal cost.) If there were multiple links, then an election would have taken place. Let’s verify this on Switch C:
SwitchC#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 0013.c3e8.2500
Cost 100
Port 15 (FastEthernet0/15)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0014.a93f.8380
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
fa0/15 Root FWD 100 128.15 P2p
fa0/20 Desg FWD 19 128.20 P2p
In summary, all root ports forward information to the root bridge, and designated ports send traffic away from the root bridge. Any remaining ports will be non-designated and set to the blocking state. Blocking ports listen to configuration BPDUs but do not send or forward them.
It’s worth noting that on larger networks you could have multiple switch segments separated by routers, and for each of these segments, you would have one root bridge with all ports in designated (forwarding) state and neighbor switches with one root port.
Mini-lab – STP Operations
You can put much of what you have learned so far into context with this mini-lab. First, you’ll use two switches connected with two Fast Ethernet links. You’ve already learned how to make ports access ports and put them into a VLAN, so I’ll skip these steps. All ports are in VLAN 5.
FIG 11.12 – Mini-lab: STP operations
In Figure 11.12 above, you can see that Switch B has a lower base MAC address (you must choose the switch with the lowest MAC address as your Switch B), so it would be chosen as the root bridge. The root bridge should have all ports as designated/forwarding (which is another way to tell if a switch is the root bridge, by the way).
SwitchB#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 000d.292e.1180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 000d.292e.1180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/12 Desg FWD 19 128.12 P2p
So far, you can see that Switch B is, in fact, the root bridge. Now check Switch A:
SwitchA#show span vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 000d.292e.1180
Cost 19
Port 11 (FastEthernet0/11)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0011.9247.db00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/11 Root FWD 19 128.11 P2p
Fa0/12 Altn BLK 19 128.12 P2p
One port is set to root and forwarding. You can see F0/12 is blocking. It’s also set to alternate (Altn), which means that it’s an alternative path between two switches. There must have been a tie as STP went down the list:
- Lowest root bridge ID
- Lowest root path cost to the root bridge
- Lowest sender bridge ID
- Lowest sender port ID
The root bridge ID would have been identical, as with the path cost and sender bridge ID. This leaves the port ID. STP would have checked the MAC address of both ports and set the lowest to forward. You can confirm this by checking the interface MAC addresses.
SwitchA#show int f0/11
FastEthernet0/11 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0011.9247.db0b (bia 0011.9247.db0b)
SwitchA#show int f0/12
FastEthernet0/12 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0011.9247.db0c (bia 0011.9247.db0c)
The MAC addresses have been allocated sequentially, and F0/11 is lower as it ends in b as opposed to c for F0/12.
I’d like you to do this lab on your own equipment. Obviously, your Switch B may not be the root because it might have a higher MAC address, so check first which one is the root, and then name it Switch B or just force it to be the root with one of the two command options you already know.
First, enable debugs for STP events, and then add timestamps on the debug messages (these commands probably won’t work on Packet Tracer):
SwitchA#debug spanning-tree events
SwitchA(config)#service timestamps debug datetime msec
Next, shut the root port on Switch A to force the timers to start:
SwitchA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)#int f0/11
SwitchA(config-if)#shut
*Mar 1 00:29:34.627: STP: VLAN0005 new root port Fa0/12, cost 19
*Mar 1 00:29:34.627: STP: VLAN0005 Fa0/12 -> listening
00:29:36: %LINK-5-CHANGED: Interface FastEthernet0/11, changed state to administratively down
*Mar 1 00:29:36.627: STP: VLAN0005 sent Topology Change Notice on Fa0/12
00:29:37: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down
SwitchA(config-if)#end
SwitchA#show span vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 000d.292e.1180
Cost 19
Port 12 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0011.9247.db00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/12 Root LRN 19 128.12 P2p
You can see that the debug messages appear and that F0/12 has gone into the learning (LRN) state. The debug messages below show that F0/12 has moved into the forwarding state.
SwitchA#
*Mar 1 00:29:34.627: STP: VLAN0005 Fa0/12 -> learning
*Mar 1 00:30:04.627: STP: VLAN0005 Fa0/12 -> forwarding
SwitchA#show span vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 000d.292e.1180
Cost 19
Port 12 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0011.9247.db00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/12 Root FWD 19 128.12 P2p
The total time from blocking at 00:29:34.627 to forwarding at 00:30:04.627 was 30 seconds, which is faster than the usual 50 seconds because it was a very simple topology with no switches in between.
[END OF MINI-LAB]
STP Timers
We have briefly mentioned these but it’s worth looking at STP timers separately.
Three timers monitor and age BPDUs:
- Hello
- Forward delay
- Max age
Although you shouldn’t change these without advice from a Cisco TAC, I’ll demonstrate how to do this below:
- Hello – Sent by the root bridge every two seconds by default
Switch(config)#spanning-tree vlan 1 Hello-time ?
<1-10> number of seconds between generation of config BPDUs
- Forward delay – the default 15 seconds switches wait while they build their bridging table (the listening and learning states each use this 15-second timer)
Switch(config)#spanning-tree vlan 1 forward-time ?
<4-30> number of seconds for the forward delay timer
- Max age – How long a BPDU is stored before it is flushed from the table. A new BPDU should arrive every two seconds, and this timer defaults to 20 seconds (the Hello interval multiplied by 10); when it expires, that usually indicates a link failure, and the interface then moves to the listening state
Switch(config)#spanning-tree vlan 1 max-age ?
<6-40> maximum number of seconds the information in a BPDU is valid
The total time for STP to recover from a link failure is 20 seconds max age plus 15 seconds listening plus 15 seconds learning, which is 50 seconds to recovery.
Switch#show spanning-tree detail
VLAN0001 is executing the ieee compatible Spanning Tree Protocol
Bridge Identifier has priority 32768, sysid 1, address 0011.9247.db00
Configured Hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
[output truncated]
Cisco’s Enhancements to STP
STP, as we know, keeps the network loop-free but reconvergence can take up to 50 seconds. That is a very long time in networking terms. For almost a minute, data cannot flow across the network. In most cases, this is a critical issue, especially for important network services.
To deal with this issue (before the industry standard for Rapid STP was ratified), Cisco added the following features to STP implementation on its switches:
- PortFast
- UplinkFast
- BackboneFast
PortFast
PortFast is typically enabled on an interface connected directly to a host. If you have a laptop or a server connected to a switch port, then you know that:
- It will not need to listen to BPDUs because it is not a layer 2 device
- It will not create loops because it has a single link to the layer 2 network
Therefore, you can safely disable Spanning Tree on such ports. It is very important to ensure that such ports never have an STP-enabled layer 2 device connected on them (think port security!), or else a loop or a breakdown in the network is quite possible. You will even get a warning message on certain switches stating this when you enable PortFast on a switch port!
When you configure a switch port as PortFast, STP will skip the listening and learning states, and the port will transition to forwarding state when it comes up, so it will never be blocked. Other manuals state that STP is disabled on a port using PortFast; however, this is not the case because the port can still send and forward BPDUs. This is not a problem when the port is connected to a network device that does not send or respond to BPDUs, such as the NIC in a workstation, for example. However, this may result in a switching loop if the port is connected to a device that does send BPDUs, such as another switch.
FIG 11.13 – PortFast
The command to configure PortFast is spanning-tree portfast. Note the system-generated warning message:
SwitchA(config)#int FastEthernet0/44
SwitchA(config-if)#spanning-tree portfast
%Warning: PortFast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc… to this interface when PortFast is enabled can cause temporary bridging loops. Use with CAUTION
%PortFast has been configured on FastEthernet0/44 but will only take effect when the interface is in a nontrunking mode.
UplinkFast
The purpose of UplinkFast is to optimize convergence when an uplink on an access layer switch fails. Let’s consider the network shown in Figure 11.14 below:
FIG 11.14 – Redundant links to the root bridge
If the link between Switch C and Switch A fails for some reason, UplinkFast will almost immediately transition the alternate port to the forwarding state as per Figure 11.15 below:
FIG 11.15 – UplinkFast detects disabled port
Mini-lab – Configuring UplinkFast
You will need three switches for this lab. Set all ports as access ports in VLAN 5. Of course, you might have a different root from mine due to MAC addressing. You know how to set the switch to be the root, so feel free to do this. The network in Figure 11.16 below does not have UplinkFast enabled yet.
FIG 11.16 – Mini-lab: Configuring UplinkFast
In Figure 11.16 above, Switch A is the root bridge. Now consider the following output from Switch C:
SwitchC#show spanning-tree vlan 5
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 32773
Address 0013.c3e8.2500
Cost 19
Port 14 (FastEthernet0/14)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5)
Address 0017.94bd.1680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/14 Root FWD 19 128.14 P2p
Fa0/15 Altn BLK 19 128.15 P2p
SwitchC#show spanning-tree uplinkfast
UplinkFast is disabled
Use the following debug commands on the switch:
SwitchC#debug spanning-tree event
Spanning Tree event debugging is on
SwitchC#debug spanning-tree uplinkfast
Spanning Tree uplinkfast debugging is on
These debugs will show you the STP events and UplinkFast messages. They probably won’t work on Packet Tracer. Now shut down port fa0/14 on Switch C, which is currently the root port as per the output above.
Because UplinkFast brings up the alternate port so quickly, enable milliseconds on the debugs with the service timestamps debug datetime msec command in the global configuration mode:
SwitchC(config-if)#shutdown
*Mar 2 22:14:30.504: STP: VLAN0005 new root port Fa0/15, cost 19
*Mar 2 22:14:30.504: STP: VLAN0005 Fa0/15 -> listening
*Mar 2 22:14:30.504: STP: UFAST: removing prev root port Fa0/14 VLAN0005 port-id 800E
*Mar 2 22:14:32.420: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar 2 22:14:32.504: STP: VLAN0005 sent Topology Change Notice on Fa0/15
*Mar 2 22:14:33.420: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
*Mar 2 22:14:45.504: STP: VLAN0005 Fa0/15 -> learning
*Mar 2 22:15:00.504: STP: VLAN0005 Fa0/15 -> forwarding
Note that the time taken for F0/15 to transition to the forwarding state is 30 seconds. This is faster than the expected 50 seconds because the listening and learning times were short in this P2P link between switches, and no other hosts/switches are connected here.
Next, issue no shutdown on the F0/14 port to bring it back up, then enable UplinkFast on Switch C and repeat the process:
SwitchC(config)#spanning-tree uplinkfast
SwitchC(config)#exit
SwitchC#show spanning-tree vlan 5
[output truncated]
Uplinkfast enabled
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/14 Root FWD 3019 128.14 P2p
Fa0/15 Altn BLK 3019 128.15 P2p
SwitchC(config)#int fa0/14
SwitchC(config-if)#shutdown
*Mar 2 22:28:23.300: STP: VLAN0005 new root port Fa0/15, cost 3019
*Mar 2 22:28:23.300: STP FAST: UPLINKFAST: make_forwarding on VLAN0005 FastEthernet0/15 root port id new: 128.15 prev: 128.14
*Mar 2 22:28:23.300: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0005 FastEthernet0/15 moved to Forwarding (UplinkFast).
*Mar 2 22:28:23.300: STP: UFAST: removing prev root port Fa0/14 VLAN0005 port-id 800E
*Mar 2 22:28:25.216: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down
*Mar 2 22:28:25.300: STP: VLAN0005 sent Topology Change Notice on Fa0/15
*Mar 2 22:28:26.216: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/14, changed state to down
SwitchC(config-if)#do show spanning-tree vlan 5
[output truncated]
Uplinkfast enabled
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/15 Root FWD 3019 128.15 P2p
Note that the time taken for fa0/15 to transition to the forwarding state has changed from 30 seconds downtime to less than a second with UplinkFast enabled. Now that you have seen the difference it makes, let’s define what, exactly, it does.
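Turning the timing comparison above into something repeatable: the following Python script (an added example, not part of the original mini-lab) parses debug lines in the format shown and reports how long a port spent in each state and how long it took to reach forwarding. The sample lines are re-typed from this lab's two captures, with the transition arrow written as -> as IOS prints it.

```python
"""Measure STP port-state transition times from 'debug spanning-tree events' output (added example)."""
import re
from datetime import datetime

# Prefix produced by "service timestamps debug datetime msec", e.g. "*Mar  2 22:14:30.504: <message>"
PREFIX_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+(?P<msg>.*)$")
TRANSITION_RE = re.compile(r"^STP: (?P<vlan>VLAN\d+) (?P<port>\S+) -> (?P<state>listening|learning|forwarding)$")
NEW_ROOT_RE = re.compile(r"^STP: (?P<vlan>VLAN\d+) new root port (?P<port>\S+), cost \d+$")
UPLINKFAST_RE = re.compile(
    r"^%SPANTREE_FAST-7-PORT_FWD_UPLINK: (?P<vlan>VLAN\d+) (?P<port>\S+) moved to Forwarding \(UplinkFast\)")


def short_name(port):
    """Syslog uses 'FastEthernet0/15' where the STP debug uses 'Fa0/15'; normalise to the short form."""
    return re.sub(r"^GigabitEthernet", "Gi", re.sub(r"^FastEthernet", "Fa", port))


def parse_timestamp(text):
    """No year in the prefix; strptime defaults to 1900, which is fine for differences within one log."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S.%f")


def analyze_convergence(lines, forward_delay=15):
    """Return, per (VLAN, port), the seconds spent in listening and learning and the
    total time from the root-port change to forwarding. Other debug lines are ignored."""
    events = {}
    for raw in lines:
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        when, msg = parse_timestamp(m["ts"]), m["msg"]
        for pattern, label in ((NEW_ROOT_RE, "new root port"),
                               (TRANSITION_RE, None),
                               (UPLINKFAST_RE, "forwarding (UplinkFast)")):
            hit = pattern.match(msg)
            if hit:
                key = (hit["vlan"], short_name(hit["port"]))
                events.setdefault(key, []).append((when, label or hit["state"]))
                break

    results = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])           # stable: same-millisecond events keep log order
        start = evs[0][0]
        durations = {}
        for (t0, s0), (t1, _) in zip(evs, evs[1:]):
            if s0 in ("listening", "learning"):
                durations[s0] = (t1 - t0).total_seconds()
        forwarding = [t for t, s in evs if s.startswith("forwarding")]
        results[key] = {
            "uplinkfast": any(s == "forwarding (UplinkFast)" for _, s in evs),
            "state_durations": durations,
            "seconds_to_forwarding": (forwarding[0] - start).total_seconds() if forwarding else None,
            # a direct link failure skips max age, so classic STP needs listening + learning
            "expected_classic": 2 * forward_delay,
        }
    return results


# Constructed samples re-typed from this mini-lab's two debug captures (arrow as IOS prints it).
LOG_CLASSIC = [
    "*Mar  2 22:14:30.504: STP: VLAN0005 new root port Fa0/15, cost 19",
    "*Mar  2 22:14:30.504: STP: VLAN0005 Fa0/15 -> listening",
    "*Mar  2 22:14:32.420: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down",
    "*Mar  2 22:14:45.504: STP: VLAN0005 Fa0/15 -> learning",
    "*Mar  2 22:15:00.504: STP: VLAN0005 Fa0/15 -> forwarding",
]
LOG_UPLINKFAST = [
    "*Mar  2 22:28:23.300: STP: VLAN0005 new root port Fa0/15, cost 3019",
    "*Mar  2 22:28:23.300: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0005 FastEthernet0/15 moved to Forwarding (UplinkFast).",
    "*Mar  2 22:28:25.216: %LINK-5-CHANGED: Interface FastEthernet0/14, changed state to administratively down",
]

if __name__ == "__main__":
    for name, log in (("classic STP", LOG_CLASSIC), ("UplinkFast", LOG_UPLINKFAST)):
        for (vlan, port), r in analyze_convergence(log).items():
            print(f"{name}: {vlan} {port} forwarding after {r['seconds_to_forwarding']} s "
                  f"(expected {r['expected_classic']} s without UplinkFast); states {r['state_durations']}")
```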
[END OF MINI-LAB]
If a switch has multiple links toward the root bridge, then UplinkFast marks the redundant link as an alternate port and brings it up quickly in case the root port fails. This is possible because blocked ports keep listening for BPDUs.
When you enable UplinkFast on a switch globally (rather than per port), the switch does three things:
- Increases the root priority to 49152
- Sets the port costs to 3000
- Tracks alternate root ports (ports on which root Hellos are received)
You can see this in the outputs below (which are truncated to save space). Bear in mind that the VLAN number is added to the priority, and the original port cost (19 for Fast Ethernet) is added to the 3000.
Cisco recommends caution when using UplinkFast. You should enable it on switches that have blocked ports so the access layer switch does not become a root or transit switch (one that forwards frames between other switches). Note that your switch was the root for VLAN 1, but after enabling UplinkFast this is no longer the case. The large root priority value coupled with the large costs per link make this switch unlikely to become the root.
Switch#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0017.0e31.d180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0017.0e31.d180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/3 Desg FWD 19 128.3 P2p
Switch(config)#spanning-tree uplinkfast
Switch(config)#end
Switch#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000c.3018.3700
Cost 3019
Port 7 (FastEthernet0/7)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 49153 (priority 49152 sys-id-ext 1)
Address 0017.0e31.d180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Uplinkfast enabled
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/1 Desg FWD 3019 128.1 P2p
Fa0/3 Desg FWD 3019 128.3 P2p
BackboneFast
UplinkFast works by finding alternate ports for directly connected links. Similarly, BackboneFast works by finding an alternate path when an indirect link to the root port goes down. The difference between these two processes is that the indirect link doesn’t have the option of bypassing the max age timer. This time, the switch learns about a failure due to the lack of Hellos from other switches. If a failure is learned this way, the switch has to wait for the max age timer to expire before trying to change the topology using STP.
BackboneFast allows any switch learning about an indirect failure to send a Root Link Query (RLQ) BPDU out of the port the Hello was expected on, asking the neighbor switch if Hellos are still being received from the root. If the RLQ response states that there has been a direct link failure, it can converge and bypass the max age timer.
Let’s consider the network in Figure 11.17 below:
FIG 11.17 – Redundant path to the root bridge
Switch A is the root bridge in Figure 11.17. F0/20 on Switch D is the root port.
Let’s assume that the link between Switch A and Switch C goes down. Switch C will advertise itself as the root bridge to Switch D. This BPDU is known as an inferior BPDU. Switch B discards this new information because it knows that Switch A is the root bridge and Switch C is a non-root bridge. Eventually, Switch C will receive a BPDU from Switch D and mark F0/20 as its root port toward Switch A. BackboneFast ensures a quick failover as soon as the inferior BPDU is received. It saves roughly 20 seconds out of the 50 seconds of convergence time.
Configuring BackboneFast can be accomplished easily with the command below:
Switch(config)#spanning-tree backbonefast
BackboneFast must be enabled on all switches in order for this feature to work.
STP Security
As you have learned, PortFast disables STP on a switch port, but an important fact is that a PortFast switch port will keep listening for BPDUs. If someone adds a switch to a port that has been configured as PortFast, the consequences will be unpredictable and, in some cases, disastrous. To guard against this situation, Cisco provides the BPDU Guard, BPDU Filter, and Root Guard features.
BPDU Guard
If a switch is plugged into a switch port configured as PortFast, it could change the STP topology without the administrator knowing about it and could even bring down the network. To prevent this, BPDU Guard can be configured on the switch port. With this configured, if a BPDU is received on a switch port, it will be put into an err-disabled mode and an administrator will have to bring up the port. This can be configured on the port using the spanning-tree bpduguard enable command.
The administrator must recover this port via the command line by issuing a shutdown command and then a no shutdown command on the interface (i.e., bounce the interface). Until this is done, the status light on the port will show as amber and frames cannot pass.
FIG 11.18 – BPDU Guard
Mini-lab – Configuring BPDU Guard
In Figure 11.19 below, I’ve connected a PC to F0/1 on Switch 0. You can configure any IP address on your PC connected to your switch.
FIG 11.19 – Mini-lab: Configuring BPDU Guard
Switch0#config t
Switch0(config)#int f0/1
Switch0(config-if)#switchport mode access
Switch0(config-if)#spanning-tree bpduguard enable
Switch0(config-if)#end
Switch0#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Switch0#show run int f0/1
Building configuration…
Current configuration: 89 bytes
interface FastEthernet0/1
switchport mode access
spanning-tree bpduguard enable
end
The port will operate normally until I swap the PC for another switch, which sends a BPDU causing Switch 0 to shut interface F0/1:
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on 0/1, putting 0/1 in err-disable state
Switch0#show int f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 00e0.a3b4.7601 (bia 00e0.
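The two messages above are exactly what a log pipeline should be watching for. The following Python example (added here; not part of the original lab) parses them out of collected syslog, correlates the %SPANTREE block with the %PM err-disable on the same port, and raises an alert carrying the recovery step given in the text; the sample lines are constructed, with the Fa0/1 pair re-typed from this lab.

```python
"""Detect BPDU Guard triggers in switch syslog and turn them into actionable alerts (added example)."""
import re
from collections import defaultdict

# The two messages the mini-lab shows. A syslog collector usually prepends a timestamp and
# hostname, so search for the mnemonic anywhere in the line rather than anchoring at the start.
BLOCK_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled\. Disabling port\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+), putting \S+ in err-disable state")


def port_key(name):
    """'FastEthernet0/1', 'Fa0/1' and the bare '0/1' of the PM message all name one port: key on the numbers."""
    m = re.search(r"(\d+(?:/\d+)+)$", name)
    return m.group(1) if m else name


def parse_bpduguard_events(lines):
    """Return {port_key: {"name": full name or None, "bpdus_blocked": n, "err_disabled": bool}}.
    Err-disable messages with any other cause (port security, for example) are ignored."""
    ports = defaultdict(lambda: {"name": None, "bpdus_blocked": 0, "err_disabled": False})
    for line in lines:
        if (m := BLOCK_RE.search(line)):
            entry = ports[port_key(m["port"])]
            entry["name"] = m["port"]
            entry["bpdus_blocked"] += 1
        elif (m := ERRDISABLE_RE.search(line)) and m["cause"] == "bpduguard":
            ports[port_key(m["port"])]["err_disabled"] = True
    return dict(ports)


def build_alerts(events):
    """One alert per err-disabled port. Repeated triggers on the same port mean the BPDU-sending
    device keeps being reconnected, which deserves a visit rather than another remote bounce."""
    alerts = []
    for key, ev in sorted(events.items()):
        if not ev["err_disabled"]:
            continue
        name = ev["name"] or key
        severity = "high" if ev["bpdus_blocked"] > 1 else "medium"
        alerts.append(
            f"[{severity}] BPDU Guard err-disabled {name}: a BPDU-sending device (switch/bridge) was "
            f"connected to a host/PortFast port ({ev['bpdus_blocked']} trigger(s)). Identify the device, "
            f"then recover the port with 'shutdown' / 'no shutdown' on {name}."
        )
    return alerts


# Constructed sample: the Fa0/1 pair re-typed from the mini-lab with a syslog prefix, a port (Fa0/7)
# that tripped BPDU Guard twice, an unrelated err-disable cause on Fa0/9, and link-state noise.
SAMPLE_LOG = [
    "Mar  2 22:28:25.300 switch0 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.",
    "Mar  2 22:28:25.301 switch0 %PM-4-ERR_DISABLE: bpduguard error detected on 0/1, putting 0/1 in err-disable state",
    "Mar  2 22:28:26.216 switch0 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "Mar  2 22:30:02.110 switch0 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.",
    "Mar  2 22:30:02.111 switch0 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state",
    "Mar  2 22:35:40.020 switch0 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/7 with BPDU Guard enabled. Disabling port.",
    "Mar  2 22:35:40.021 switch0 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state",
    "Mar  2 22:36:11.500 switch0 %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/9, putting Fa0/9 in err-disable state",
]

if __name__ == "__main__":
    for alert in build_alerts(parse_bpduguard_events(SAMPLE_LOG)):
        print(alert)
```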
[END OF MINI-LAB]
BPDU Filter
When BPDU Filter is configured on a switch port that has been configured as PortFast, it will prevent the port from sending and receiving BPDUs on that port. This effectively disables STP on the port. This is unlike the behavior seen with BPDU Guard, where the port is put into an err-disabled mode. BPDU Filter can be enabled on the switch port using the spanning-tree bpdufilter enable command:
Switch(config-if)#spanning-tree bpdufilter enable
FIG 11.20 – BPDU Filter
Root Guard
Root Guard is configured per port and, as with BPDU Guard, it monitors for incoming BPDUs. Root Guard is designed to prevent the port from becoming a root port. If a superior BPDU is received on the port, the port is placed into a root-inconsistent state, preventing it from forwarding or receiving frames until the superior BPDUs cease.
As mentioned, Root Guard is enabled on an interface. The command to configure it is shown below:
Switch(config-if)#spanning-tree guard root
FIG 11.21 – Root Guard
Rapid Spanning Tree Protocol
The features discussed in the previous section—PortFast, UplinkFast, and BackboneFast—were added by Cisco, and because of this, they worked only on Cisco switches. IEEE added these features to a new STP protocol called Rapid Spanning Tree Protocol (RSTP) under the (layer 2) 802.1W standard. The goal of RSTP is to improve STP convergence.
NOTE: People using a home lab and wanting to configure RSTP will need a 2960T Catalyst Switch as a minimum hardware requirement.
Similar to the traditional Spanning Tree, RSTP will also elect a root bridge using the same parameters as STP. All RSTP ports will be in a forwarding state (designated ports), while other ports could be an alternate port, root port, backup port, or disabled. RSTP has defined variations of BPDUs, new port roles and states, and backward compatibility with 802.1D switches.
RSTP dramatically improves STP convergence times by using a few key concepts:
- Transitions from the discarding (rather than blocking) state to the learning state, thereby bypassing the listening state
- Integration and standardization of Cisco’s PortFast, UplinkFast, and BackboneFast
- Waits for three missed Hellos on a root port instead of 10
RSTP has simplified the STP logic where possible, as well as defined link types and port roles, to speed up convergence times.
RSTP Link Types
802.1D was devised when shared hubs were in common usage on live networks. On modern networks, most links are point-to-point (switch-to-switch). The remaining link types must be connected to a host of some sort (edge), so PortFast logic would need to be applied here (ports set to forward immediately).
RSTP allows a switch to query its neighbor on point-to-point links to establish its status. It would do this, for example, if no periodic Hello was received. As with BackboneFast, the neighbor switch would respond stating whether it had lost its neighbor.
There are three RSTP link types:
- Point-to-point – switch-to-switch
- Shared – switch connects to a hub (other switches connect to the hub)
- Edge – a host device is connected (end-user)
RSTP Port Roles
As mentioned earlier, RSTP has defined new port roles, adding alternate and backup ports. Table 11-2 below lists these roles:
Table 11-2: RSTP port roles
Root Port | This elected port forwards data in the active topology. |
Designated Port | This is an elected port that forwards data for every switched LAN segment. |
Alternate Port | This is an alternative path to the root bridge but is different from the root port path. |
Backup Port | This port provides a redundant path (less desirable) to a segment to which another switch port already connects. (They can only exist when there are two ports connected between the switches.) |
Disabled | This type of port does not participate in the active topology. |
There is a port type known as an edge port, which is considered to be the same as a port configured with the spanning-tree portfast command. The root port and the designated port are the same as the 802.1D root port and designated port. The alternate port is similar to the UplinkFast concept of tracking alternate paths to the root, thus preventing the loss of a switch’s root port.
The backup port is a new concept and its role is to prevent the loss of the designated port attached to a shared link when there is another physical port attached to the same shared LAN, as shown in Figure 11.22 below.
RSTP Port States
A comparison of the STP port states and the RSTP port states is shown in Table 11-3 below. You can see that the listening and disabled states have been removed from RSTP, and it has a new state, discarding.
Table 11-3: Comparison of STP port states and RSTP port states
Operational Status | STP Port State | RSTP Port State | Port in Active Topology |
Enabled | Blocking/Disabled | Discarding | No |
Enabled | Listening | Discarding | No |
Enabled | Learning | Learning | Yes |
Enabled | Forwarding | Forwarding | Yes |
Disabled | Disabled | Discarding | No |
A discarding port does not forward or receive frames or learn source MAC addresses. As you can see, after a port is set to forward, it participates in the active topology and behaves in the same manner as an 802.1D port. The listening state is no longer required because RSTP actively queries its neighbors, thereby preventing any loop creation during convergence.
Figure 11.22 below illustrates the various port roles and states. You can see which switch is the root by the fact that all ports are set to designated (marked as DP).
FIG 11.22 – RSTP port roles and states
You can see in Figure 11.22 above that an alternate port has received a more useful BPDU from another switch on the same segment. This port will be put into the discarding state. The backup port has received a more useful BPDU from the same switch it is on. This is considered to be a backup port for the designated port on the same switch.
Per-VLAN STP and per-VLAN Rapid STP
This is a good time to introduce you to another very significant change that Cisco made to STP.
When the original bridging standard (802.1D) was drafted, VLANs did not exist. Hence, one Spanning Tree instance worked across the entire switch. Eventually, VLANs were introduced, and they created different logical networks on the same switch. This gave rise to the need to have different topologies for load balancing and flexible Spanning Trees. A strong reason for implementing Per-VLAN STP on a switch is for efficient utilization of the ports on the switch. This is illustrated with the following network:
FIG 11.23 – Multiple exits, multiple VLANs
Let’s assume that all the switches have two VLANs configured. Switch D has two ways to reach Switch A. If one STP instance was running across the network, then fa0/17 would be in the blocked state. With two STP instances running, you can have fa0/20 blocked for one VLAN and fa0/17 blocked for another, and utilize both links by load balancing traffic across them.
To achieve this, Cisco added the Per-VLAN Spanning Tree Plus (PVST+) feature on its switches. When 802.1W (RSTP) was introduced by the IEEE, it still did not accommodate multiple Spanning Tree instances on a switch. Cisco introduced Per-VLAN Rapid Spanning Tree Plus (PVRST+) to support Rapid Spanning Tree instances on each VLAN on the switch. PVST+ and PVRST+ both provide the same functionality across the 802.1D and 802.1W standards, respectively. PVRST+ has only three port states (discarding, learning, and forwarding), while STP has five port states (blocking, listening, learning, forwarding, and disabled).
Figure 11.24 below shows a simplified version of how this works. You can see the physical topology on the left and then the logical topologies on the right for two other VLANs. Each has a different root bridge and blocked and forwarding ports.
FIG 11.24 – Physical versus logical PVST+ topology
PVST+ and PVRST+ both change the BID in the BPDU by adding the VLAN number to the configured priority. PVRST+ is a combination of PVST+ and RSTP, and it provides rapid (under one second) convergence, with the added benefit of PVST+.
Mini-lab – Configuring PVRST+
You can use any switch to create VLAN 10.
Switch#show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0015.63f6.b700
Cost 3019
Port 107 (FastEthernet3/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 49162 (priority 49152 sys-id-ext 10)
Address 000f.f794.3d00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
[output truncated]
To enable RSTP for each VLAN in the switched network, use the following command:
Switch(config)#spanning-tree mode rapid-pvst
This is all that is needed if you need only one instance of STP. Later on in this section, we will show what is needed to enable load-sharing capabilities.
Using the show spanning-tree vlan [vlan#] command, you can verify which type of Spanning Tree is running:
Switch#show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 24586
Address 0015.63f6.b700
Cost 3019
Port 107 (FastEthernet3/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 49162 (priority 49152 sys-id-ext 10)
Address 000f.f794.3d00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
UplinkFast enabled but inactive in rapid-pvst mode
[output truncated]
Two items are of interest in the output above. The first is Spanning tree enabled protocol rstp and the second is sys-id-ext 10. This shows that the bridge priority was configured as 49152 and VLAN ID 10 was added to it.
[END OF MINI-LAB]
Load Balancing Using RSTP/STP
How can load balancing be achieved in the network shown in Figure 11.24 above if VLAN 1 and VLAN 5 are being used in the LAN? You can achieve this by configuring Switch A with a better priority for VLAN 1 and configuring Switch B with a better priority for VLAN 5. This can be done using the following commands:
SwitchA(config)#spanning-tree vlan 1 priority 4096
SwitchB(config)#spanning-tree vlan 5 priority 4096
The show spanning-tree output for both VLANs on Switch D to verify load balancing is shown below:
SwitchD#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0013.c3e8.2500
[output truncated]
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/17 Desg FWD 119 128.17 P2p
Fa0/20 Root FWD 19 128.20 P2p
VLAN0005
Spanning tree enabled protocol ieee
Root ID Priority 4101
Address 0017.94bd.1680
[output truncated]
Interface Role Sts Cost Prio.Nbr Type
——————- —- — ——— ——– ——————–
Fa0/17 Root FWD 19 128.17 P2p
Fa0/20 Desg FWD 119 128.20 P2p
You can see that the root bridge for VLAN 1 is Switch A, whereas the root bridge for VLAN 5 is Switch B. Fa0/20 is the root port for VLAN 1 and Fa0/17 is the root port for VLAN 5.
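The per-VLAN arithmetic behind these outputs (configured priority plus sys-id-ext, the same sum seen in the UplinkFast and PVRST+ sections) and the root election that follows from it, modelled in Python as an added example that is not from the original text. The MACs for Switch A and Switch B are taken from the output above; Switch C and Switch D are constructed.

```python
"""Per-VLAN bridge ID arithmetic and root election as PVST+/PVRST+ perform it (added example)."""

PRIORITY_STEP = 4096           # IOS accepts bridge priorities only in multiples of 4096 (0-61440)
DEFAULT_PRIORITY = 32768
UPLINKFAST_PRIORITY = 49152    # priority that enabling UplinkFast sets on the switch
UPLINKFAST_COST_INCREMENT = 3000
FASTETHERNET_COST = 19


def valid_priority(priority):
    return priority % PRIORITY_STEP == 0 and 0 <= priority <= 61440


def bridge_priority(configured_priority, vlan_id):
    """16-bit priority field as 'show spanning-tree' prints it.

    802.1t splits the field into a 4-bit priority (hence the 4096 steps) and a
    12-bit system ID extension, which PVST+/PVRST+ fill with the VLAN number.
    """
    if not valid_priority(configured_priority):
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return configured_priority + vlan_id


def mac_to_int(mac):
    """Cisco dotted MAC ('0013.c3e8.2500') to an integer for the tie-break."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def effective_priority(switch, vlan_id):
    """Configured per-VLAN priority, or the UplinkFast value once that feature is on."""
    if switch.get("uplinkfast"):
        return UPLINKFAST_PRIORITY
    return switch.get("priority", {}).get(vlan_id, DEFAULT_PRIORITY)


def port_cost(switch):
    """UplinkFast adds 3000 to the port cost: 3000 + 19 = 3019 on Fast Ethernet."""
    base = switch.get("port_cost", FASTETHERNET_COST)
    return base + UPLINKFAST_COST_INCREMENT if switch.get("uplinkfast") else base


def bridge_id(switch, vlan_id):
    """(priority field, MAC): the lower tuple is the superior BPDU."""
    return (bridge_priority(effective_priority(switch, vlan_id), vlan_id), mac_to_int(switch["mac"]))


def elect_root(switches, vlan_id):
    """Lowest bridge ID wins; the MAC decides only when priority fields tie."""
    return min(switches, key=lambda s: bridge_id(s, vlan_id))["name"]


def root_per_vlan(switches, vlans):
    return {vlan: elect_root(switches, vlan) for vlan in vlans}


# Constructed topology for the load-balancing section: A and B carry the MACs from that output and
# the two priority commands from the text; C (UplinkFast access switch) and D have constructed MACs.
SWITCHES = [
    {"name": "SwitchA", "mac": "0013.c3e8.2500", "priority": {1: 4096}},
    {"name": "SwitchB", "mac": "0017.94bd.1680", "priority": {5: 4096}},
    {"name": "SwitchC", "mac": "0019.aa11.2200", "uplinkfast": True},
    {"name": "SwitchD", "mac": "001b.5400.1000"},
]

if __name__ == "__main__":
    for vlan in (1, 5):
        print(f"VLAN {vlan}: root is {elect_root(SWITCHES, vlan)}")
        for s in SWITCHES:
            prio, _ = bridge_id(s, vlan)
            print(f"  {s['name']}: priority field {prio}, port cost {port_cost(s)}")
```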
End of Chapter Questions
Please also visit https://www.howtonetwork.com/ccnasimplified to take the free Chapter 11 exam.
Root Bridge Challenge
Mark on Figure 11.25 below the root bridge and the interface states on each switch for designated, blocking, and root:
FIG 11.25 – Mark the port roles
FIG 11.26 – Solution
Chapter 11 Labs
Lab 1: Spanning Tree Protocol
FIG 11.27 – STP election
VLAN 2 and VLAN 3 exist on all switches.
Lab Exercise
Your task is to configure the network above so that Switch 2 is always the root bridge for VLAN 2 and Switch 3 is the root bridge for VLAN 3. You will need to connect the three switches together with crossover cables.
Purpose
STP is a very important topic for the CCNA exam, and you can expect to be tested on both your theoretical knowledge and hands-on ability. For this lab, you will configure the switches to ensure that the correct switch is the root bridge. In the real world, if the incorrect switch becomes the root bridge, the network will experience delays.
Lab Objectives
- Configure Ports F0/1 and F0/2 on all switches as 802.1Q trunks (default on 2960 Switches).
- Create VLAN 2 and VLAN 3 on all the switches.
- Configure bridge priority on Switch 2 and Switch 3 for VLAN 2 and VLAN 3, respectively.
Lab Walk-through
- First, check the status of the switches. The VTP domain name should match. You will also want to check whether there are any interfaces already trunking. You will check the outputs on Switch 1, and you can do the same on Switch 2 and Switch 3.
Switch1#sh vtp status
VTP Version: 2
Configuration Revision: 1
Maximum VLANs supported locally: 250
Number of existing VLANs: 10
VTP Operating Mode: Server
VTP Domain Name: howtonetwork
VTP Pruning Mode: Disabled
VTP V2 Mode: Enabled
VTP Traps Generation: Disabled
MD5 digest: 0xB7 0xE3 0x3A 0x57 0x1D 0x41 0x42 0x40
Configuration last modified by 0.0.0.0 at 3-1-93 01:11:38
Local updater ID is 0.0.0.0 (no valid interface found)
You can see that the VTP domain name is howtonetwork. Please set all the switches to the same VTP domain name. Please also make sure that all switches are set to the VTP server (this should be the default, but it varies depending on IOS version and whether another user changed this).
Switch2(config)#vtp domain howtonetwork
And server commands:
Switch2(config)#vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
To configure the switches for trunking on relevant ports, follow the commands below:
Switch#configure terminal
Switch(config)#hostname Switch1
Switch1(config)#interface range fa0/1 - 2
Switch1(config-if-range)#switchport mode trunk
Switch#configure terminal
Switch(config)#hostname Switch2
Switch2(config)#interface range fa0/1 - 2
Switch2(config-if-range)#switchport mode trunk
Switch#configure terminal
Switch(config)#hostname Switch3
Switch3(config)#interface range fa0/1 - 2
Switch3(config-if-range)#switchport mode trunk
Please note—your switch ports may be numbered 1/1, 1/2, and so on depending on your model. The interface range command may not work on your switch if it has an older IOS release, so you will have to set the configurations per interface. Please also note that this command seems to have changed as IOS levels changed, meaning that you don’t need gaps for one IOS release but you do need gaps for another, as demonstrated below on some spare switches I have:
SwitchC(config)#int range f0/1-24
SwitchC(config-if-range)#shut
SwitchA(config)#int range f0/1-24
^
% Invalid input detected at '^' marker.
SwitchA(config)#int range f0/1 – 24
You can now check which interfaces are set to trunking:
Switch1#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Port Vlans allowed and active in management domain
Fa0/1 1
Fa0/2 1
[output truncated]
- To create VLANs on all switches, enter the following commands (your model may require you to input them individually):
Switch1(config)#vlan 2,3
Switch2(config)#vlan 2,3
Switch3(config)#vlan 2,3
You should then be able to see that VLANs 2 and 3 are part of the Spanning Tree:
Switch1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Fa0/2 on 802.1q trunking 1
Port Vlans allowed and active in management domain
Fa0/1 1,2,3
Fa0/2 1,2,3
Switch1#show vlan brief
1 default active
Fa0/3, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gig1/1, Gig1/2
2 VLAN0002 active
3 VLAN0003 active
- Check the switches to see which is the root bridge for VLANs 2 and 3. Some of the output is omitted and, of course, your output will be different due to MAC addresses; you may also have a different root bridge due to the bridge priority/MAC addressing. Note that you will see different fields depending on your switch model or if you are using Packet Tracer.
Switch2#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0009.7c87.9081
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bri. ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0008.21a9.4f80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Port ID Desig. Port
Name Prio.Nbr Cost Sts Cost Bridge ID ID Prio.Nbr
——— ——– —- — —- ——————— —–
Fa0/1 128.1 19 FWD 19 32770 0009.7c87.9081 128.1
Fa0/2 128.2 19 FWD 19 32770 0008.21a9.4f80 128.2
And now issue the same command on Switch 3. The output below will be slightly different due to different versions of code and switch models:
Switch3#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0009.7c87.9081
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bri. ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 000f.23a6.8940
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
————– —- — ——— ——– —————–
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p
The Spanning Tree cost for a 100 Mbps interface is 19, and you can see that output in the Cost field.
You can issue a show interface fast 0/1 command on Switch 1 to verify that it owns the MAC address shown as the root:
Switch1#show int fast0/1
FastEthernet1/1 is up, line protocol is up
Hardware is Fast Ethernet, address is 0009.7c87.9081
Do the same for VLAN 3 to see where the root is.
Switch2#show spanning-tree vlan 3
VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 32768
Address 0009.7c87.9084
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
The MAC address above belongs to Switch 1 again.
- Configure bridge priority on Switch 2 and Switch 3 for VLAN 2 and VLAN 3, respectively. You want Switch 2 to be the root for VLAN 2 and Switch 3 to be the root for VLAN 3. You can use the question mark (?) to give you more information:
Switch2(config)#spanning-tree vlan 2 ?
forward-time Set the Forward Delay for the spanning tree
hello-time Set the Hello interval for the spanning tree
max-age Set the Max Age interval for the spanning tree
priority Set the bridge priority for the spanning tree
root Configure switch as root
<cr>
Switch2(config)#spanning-tree vlan 2 priority 4096
Switch3(config)#spanning-tree vlan 3 priority 4096
Next, issue the show spanning-tree vlan # command to check that the respective switches are the roots for the desired VLANs:
Switch2#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 4098
Address 0008.21a9.4f80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bri. ID Priority 4098 (priority 4096 sys-id-ext 2)
Address 0008.21a9.4f80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Port ID Desig. Port
Name Prio.Nbr Cost Sts Cost Bridge ID ID Prio.Nbr
———- ——- —- — —- ——————– —–
Fa0/1 128.1 19 FWD 0 4098 0008.21a9.4f80 128.1
Fa0/2 128.2 19 FWD 0 4098 0008.21a9.4f80 128.2
If you do the same for VLAN 3 on Switch 3, you will see that it is the root for that VLAN:
Switch3#show spanning-tree vlan 3
VLAN0003
Spanning tree enabled protocol ieee
Root ID Priority 4099
Address 000f.23a6.8940
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bri. ID Priority 4099 (priority 4096 sys-id-ext 3)
Address 000f.23a6.8940
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– —–
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Running Configuration
[VLAN information won’t show on a show run command.]
Switch1#sh run
Building configuration…
[output truncated]
hostname Switch1
!
interface FastEthernet0/0
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport mode trunk
!
Switch2#sh run
Building configuration…
[output truncated]
hostname Switch2
!
spanning-tree vlan 2 priority 4096
!
interface FastEthernet0/0
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport mode trunk
!
Switch3#sh run
Building configuration…
[output truncated]
hostname Switch3
!
spanning-tree vlan 3 priority 4096
!
interface FastEthernet0/0
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport mode trunk
!