STP: 802.1d and PVST

Traditional Spanning Tree Protocol:

  • Used to avoid bridging loops in an L2 network with redundant paths.
  • Defined in the IEEE 802.1d standard.
  • Bridge Protocol Data Units (BPDUs) are used to communicate among all switches (bridges).
    • Source MAC = MAC address of the port on which the BPDU is sent out.
    • Destination MAC = the well-known multicast address 01-80-c2-00-00-00.
  • Two types of BPDU exist:
    • Configuration BPDU: generated by the root bridge. Non-root bridges receive this BPDU on their root port and forward it out all other STP ports after updating the ‘Root path cost’.
      • Sent out every 2 sec. Fields in a configuration BPDU are:
        • Protocol ID: set to 0
        • Version: set to 0
        • Message Type: set to 0 for Configuration BPDU
        • Flags: TC (topology change) and TCA (topology change acknowledgement)
        • Root bridge ID – 8 bytes
        • Root path cost – 4 bytes
        • Sender bridge ID – 8 bytes
        • Port ID: internal ID of the sender port on which the BPDU was sent out.
        • Message Age
        • Timers: Max Age, Hello time and Forward delay time.
    • Topology Change Notification (TCN) BPDU:
      • Generated by any STP bridge when it detects a link-state change.
      • Fields in a TCN BPDU are:
        • Protocol ID: set to 0
        • Version: set to 0
        • Message Type
  • Bridge ID – 8 bytes:
    • Every STP-speaking switch has a unique 8-byte bridge ID = bridge priority (2 bytes) + the switch's unique MAC address (6 bytes).
    • The default bridge priority is 32768.
  • Port ID – 2 bytes:
    • Port priority (8 bits) + internal port number.
    • The default port priority is 128.
    • Shown as “Prio.Nbr” in the output of “show spanning-tree interface x/y”.
  • Root bridge:
    • When a switch boots up, it assumes it is the root and sends BPDUs with its own bridge ID as both Root ID and Sender Bridge ID. On receiving BPDUs from other switches, it compares the advertised root ID with its own ID. If its own ID is lower, it keeps advertising its own ID as the root bridge ID; otherwise it accepts the root ID in the received BPDU as the root bridge ID.
    • The lower bridge ID is preferred. If bridge priorities tie, the switch with the lower MAC address becomes the root.
    • It is always recommended to place the root bridge at the center of the network and configure it with the lowest priority (it can even be 0).
  • Port/path cost:
    • Each port is assigned an STP cost. The higher the speed, the lower the port cost, and the lowest cost is preferred. Default STP costs:
      • 10M – 100
      • 100M – 19
      • 1G – 4
      • 10G – 2
    • ‘Root path cost’ is the cumulative cost of all links from the local bridge to the root.
    • When a switch receives a BPDU, it adds the cost of the receiving interface to the ‘root path cost’ field value and forwards the BPDU with the newly calculated value in that field.
  • STP Port roles:
    • Root port: the port closest to the root bridge (lowest root path cost).
    • Designated port: on a network segment, the port with the lowest root path cost is the designated port. The bridge that owns the DP for a segment is the designated bridge. All ports on the root bridge are designated ports.
    • Blocking port: a port that is neither root nor designated.
    • Alternate port: a candidate root port that is in the blocked state (Cisco proprietary).
  • STP Port states:
    • Disabled: not an STP state. When the interface is shut down, it is in the disabled state.
    • Blocking: when a port is enabled, it begins in the blocking state.
      • No data traffic can be received or transmitted.
      • Cannot learn new MAC addresses into the CAM table.
      • The switch sends a BPDU, after which the port can only receive BPDUs.
      • Ports are kept in blocking state to remove loops from the network. A blocking port needs to keep receiving BPDUs from the other end; if it does not, after Max Age the port is moved through the STP states.
    • Listening: the switch moves a port from blocking to listening if that port can become a root or designated port.
      • No data traffic can be received or transmitted.
      • Cannot learn new MAC address to CAM table.
      • Send and receive BPDU
      • By the end of this state, the port is made a root or designated port. If it is neither, it is moved back to blocking.
      • Stays in this state for ‘Forward delay’ (default 15 sec), then moves to the next state.
    • Learning:
      • No data traffic can be received or transmitted.
      • Send and receive BPDU
      • Learns MAC addresses into the CAM table.
      • Stays in this state for ‘Forward delay’ (default 15 sec).
    • Forwarding:
      • Fully operational switch port in loop-free network.
    • So it takes a minimum of 30 seconds for a port to go from the disabled state to forwarding. If the port is part of a PAgP channel, an additional 15/20 seconds is added.
    • Port status can be viewed with ‘show spanning-tree interface x/y’, and the port transitions above can be viewed with ‘debug spanning-tree switch state’.
  • Tie-breaking STP decision:
    • Lowest root bridge ID
    • Lowest root path cost
    • Lowest sender bridge ID
    • Lowest sender port ID.
  • Timers:
    • Hello timer: interval between configuration BPDUs. Default 2 seconds.
    • Forward delay: time a port spends in each of the listening and learning states. Default 15 sec.
    • Max Age: a switch keeps the best BPDU it received on a port for ‘Max Age’. After that it flushes the BPDU, which indicates an indirect failure or BPDU loss. Default 20 sec.
    • The defaults above are recommended by IEEE assuming a network diameter of 7, i.e. at most 7 switches/hops in series, including the root bridge.
  • How a direct topology change is handled:
    • When an STP-enabled link changes state, the bridge sends a TCN BPDU towards the root bridge (via its root port) and expects an ACK from its upstream bridge. If no ACK is received within 2 sec, it sends another TCN BPDU and repeats until acknowledged.
    • The upstream bridge ACKs by sending a configuration BPDU with the TCA bit set, even though it has not received a configuration BPDU from the root.
    • When the root bridge receives the TCN BPDU, it ACKs it and sends configuration BPDUs with the TC (topology change) flag set to all switches, for Max Age + Forward Delay = 35 sec.
    • All switches, on seeing the TC flag set, shorten the MAC address table aging time to the forward delay (300 seconds down to 15 seconds).
    • A blocking/designated port might become the root port depending on the topology change.
  • Indirect topology changes, such as BPDU loss, are handled by the Max Age timer.
  • A topology change (TC) occurs when:
    • A port that was forwarding is moved to blocking/down.
    • A port moves to forwarding and the bridge has a designated port.
  • A TCN does not start a topology change; it is the consequence of one.
  • If STP is disabled on the switch, frames destined to 01-80-c2-00-00-00 are flooded like unknown unicast. If STP is enabled, they are punted to the CPU.
  • A few points:
    • The C3560 supports PVST+, RSTP and MSTP, but only one at a time.
    • On the C3560, only 128 STP instances are possible. An STP instance is created when an active port is added to a VLAN and removed when the last port is removed from that VLAN.
  • Types of STP:
    • Traditional Spanning Tree Protocol, IEEE 802.1d
    • Common Spanning Tree Protocol (CST)
      • After introducing the trunk/VLAN tag concept in 802.1q, IEEE specified a single STP instance for all VLANs.
      • CST BPDUs are transmitted on trunks as untagged frames in the native VLAN.
      • If a link is blocked, it is blocked for all VLANs.
    • Per-Vlan spanning Tree Protocol (PVST)
      • 1 instance of STP per VLAN.
      • Cisco proprietary; requires ISL encapsulation.
      • Cannot interoperate with CST (based on 802.1q).
    • Per-Vlan spanning Tree Protocol Plus (PVST+)
      • 1 instance of STP per VLAN.
      • Can interop with both CST and PVST.
      • The default spanning-tree mode; enabled on VLAN 1 by default.
    • Rapid PVST+:
      • IEEE 802.1w standard.
      • Based on traditional STP, but with different port states, roles and TC propagation methods.
      • 1 RSTP instance per vlan.
    • MSTP:
      • IEEE 802.1s standard.
      • VLANs are mapped to MST instances.
      • 1 RSTP instance per MST instance, not per VLAN.
      • Load sharing possible and less CPU usage.

Fast convergence techniques:

  • PortFast feature:
    • Can be enabled on all access ports that are connected to end devices/hosts.
    • Once enabled, the access port moves to forwarding immediately without going through the listening and learning stages, so servers can send packets immediately instead of waiting 30 sec.
    • “(config)#spanning-tree portfast default” enables PortFast on all access ports.
    • “(config-if)#[no] spanning-tree portfast” enables/disables it on an individual port. Append “trunk” if PortFast has to be enabled on a trunk interface; by default it applies only to access ports.
    • The “switchport host” macro also enables this feature: it sets the interface to access mode, enables PortFast and disables EtherChannel.
    • When a PortFast interface goes down, the bridge does not send a TCN BPDU.
    • BPDUs are still sent out even when PortFast is enabled on the interface.
    • show spanning-tree interface gi x/y portfast
    • This feature is enabled automatically when a voice VLAN is configured. It is not automatically disabled when the voice VLAN is removed.
  • UplinkFast feature:
    • Should be enabled on leaf (access) switches that have uplinks to distribution switches.
    • The switch keeps a record of all parallel paths to the root bridge.
    • When the root-port uplink goes down, traffic is immediately sent out via the next-best root uplink port, which was in blocking state.
    • This feature is not allowed on the root bridge.
    • This feature affects all VLANs; it cannot be configured for a specific VLAN.
    • When this feature is enabled, the switch's bridge priority is set to 49,152 and all port costs are incremented by 3000 (only if the current cost is < 3000), so that the switch does not become a transit switch.
    • Disabling it reverts the switch to its default/configured priority and costs.
    • “(config)#spanning-tree uplinkfast max-update-rate <x>” enables this feature.
    • When the best root port goes down, all CAM entries learned on that port are moved to the new root port. The switch also sends dummy multicast frames with destination MAC 01-00-0c-cd-cd-cd and source MAC = each MAC address learned on its downstream access ports, so that the distribution switch learns the end-host MACs.
    • The “max-update-rate” option limits the rate at which the dummy multicast frames are sent. Default = 150 pps.
    • show spanning-tree uplinkfast
  • Backbone Fast feature:
    • When a switch receives an inferior BPDU from its designated bridge on a root or blocked port (which happens on an indirect link failure, i.e. the designated bridge lost its path to the root), it starts looking for an alternative path to the root bridge without waiting for Max Age to expire before acting on the inferior BPDU.
    • By default, the switch keeps the stored superior BPDU and ignores inferior BPDUs until Max Age expires.
    • If the inferior BPDU arrives on the root port, all blocked interfaces become alternative paths.
    • If the inferior BPDU arrives on the root port and there is no blocked interface, the switch becomes root.
    • If the inferior BPDU arrives on a blocked interface, the root port and all other blocked interfaces become alternative paths.
    • The Root Link Query (RLQ) protocol is used to find the alternative path. An RLQ request is sent out all alternate paths. A switch that is the root, or that has lost its connection to the root, sends an RLQ reply. If the reply to the request is received on the root port, the path to the root bridge is stable; if not, Max Age expires immediately and a new root port is selected.
    • Reduces the convergence delay from 50 to 30 sec.
    • “(config)#spanning-tree backbonefast” enables this feature.
    • Should be enabled on all switches in the network, because the RLQ protocol is required on all of them.
    • show spanning-tree backbonefast

Protection Feature:

  • Features that protect against unexpected BPDUs: Root Guard and BPDU Guard
  • Features that protect against BPDU loss: Loop Guard and UDLD
  • Feature that disables STP on an interface: BPDU Filter
  • Root Guard:
    • Root Guard (RG) enabled ports are meant only to forward/relay BPDUs out of that port.
    • If a superior BPDU is received on such a port, instead of honoring and forwarding it, the switch blocks the port and moves it to the ‘root-inconsistent’ state. No data can be sent or received in this state, but the port still listens for BPDUs.
    • Once the superior BPDUs stop (after the switch with the lower bridge ID is removed), the port goes through the STP states to forwarding.
    • Can be enabled only per port: “(config-if)#spanning-tree guard root”.
    • RG affects the entire port, not a specific VLAN.
    • show spanning-tree inconsistentports
    • Enable on ports where a root is never expected, usually on the SP side facing the customer.
    • In MST, RG forces the interface to be a designated port.
  • BPDU guard:
    • Enable on ports where PortFast is enabled, not on uplink ports.
    • Enabling PortFast does not disable STP, so the switch still honors a BPDU received on a PortFast-enabled port.
    • If BPDU Guard is enabled and the port receives any BPDU, the interface is moved to errdisable state and the entire port is shut down. Recover by manually re-enabling it or via errdisable timeout. “errdisable detect cause bpduguard shutdown vlan” shuts only the offending VLAN.
    • To enable globally: “(config)#spanning-tree portfast bpduguard default”. This command affects only ports that are already configured as PortFast.
    • To enable/disable per interface: “(config-if)#[no] spanning-tree bpduguard enable”. This can be enabled on any interface (PortFast need not be enabled).
  • Loop Guard:
    • If a blocking port does not receive a BPDU for Max Age (20 sec), it assumes there is no switch on the other end and tries to move out of the blocking state (towards forwarding).
    • When enabled, Loop Guard (LG) tracks BPDU activity on non-designated ports. If a port stops receiving BPDUs, it is moved to the ‘loop-inconsistent’ state, which prevents a loop.
    • When a BPDU is received again on the port, it moves through the normal STP states and becomes active.
    • To enable globally: “(config)#spanning-tree loopguard default”.
    • To enable/disable per interface: “(config-if)#[no] spanning-tree guard loop”.
    • The blocking action is taken per VLAN, not for the entire port.
    • Can be enabled on switch ports. Works only on point-to-point links.
    • Prevents an alternate or root port from becoming designated because of a failure.
  • UDLD: UniDirectional Link Detection
    • On a fiber link, Tx may work while Rx has a problem, yet the link shows status UP (a unidirectional link). A loop can occur in this condition.
    • Cisco proprietary STP-related feature. Must be enabled on both ends to work.
    • The switch sends L2 UDLD frames carrying its local port ID every 15 seconds. The switch at the other end echoes the frame with its own port ID added. Both switches send UDLD test frames.
    • A UDL is detected if there is no echo for 3 frames (45 seconds to detect a UDL). Detection starts only after at least one frame with the far-end port ID has been received.
    • In ‘normal mode’, only a syslog message is generated and the port is marked.
    • In ‘aggressive mode’, the switch sends UDLD messages once per second, 8 times. If there is no echo, the port is moved to errdisable state.
    • “udld reset” recovers from the errdisable state. “show udld” shows the current status.
    • “(config)#udld { enable | aggressive | message time <x> }”
    • “(config-if)#udld { enable | aggressive | disable }”
    • Test frames are sent every ‘x’ seconds as configured; the value may differ between the two ends.
  • BPDU filter:
    • When configured, BPDU Filter disables STP on the port. Caution!
    • Globally configured:
      • “(config)#spanning-tree portfast bpdufilter default”
      • Prevents the switch from sending or receiving BPDUs on all PortFast-enabled interfaces. Hosts will not receive BPDUs with this command.
      • If a BPDU is received on a PortFast-enabled interface, the port loses PortFast and hence BPDU filtering is disabled (the port participates in STP).
    • Interface level:
      • “(config-if)#spanning-tree bpdufilter { enable | disable }”
      • Prevents the interface from sending or receiving BPDUs, regardless of whether PortFast is enabled.
  • Etherchannel Guard:
    • If there is an EtherChannel misconfiguration between the two ends (one end configured for EtherChannel and the other not, or a parameter mismatch), the switch detects it and places the port in errdisable state.
    • Enabled by default; global config command: “spanning-tree etherchannel guard misconfig”.
  • Loop Guard and Root Guard cannot both be configured on the same port at the same time.
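Added example, not from the original post: a small Python policy check that maps a port's role (host-facing access port, uplink toward the root, downlink toward switches that must never become root) to the protection features above, renders the IOS commands quoted in this section, and rejects combinations the notes rule out (Root Guard together with Loop Guard; PortFast or BPDU Filter on a switch-facing port). It also answers the question the BPDU Guard bullets raise, namely whether a given port is actually covered when only the global “portfast bpduguard default” is set. The port names, roles and the role-to-feature mapping are this example's own assumptions, not a vendor recommendation.

```python
"""Added example (not from the original post): derive STP protection features
from a port's role, render the IOS commands quoted in the notes, and flag
combinations the notes say are invalid. Interface names and roles are
constructed; the command strings are the ones the notes list."""
from dataclasses import dataclass, field

# Per-interface commands as they appear in the notes.
CLI = {
    "portfast":   "spanning-tree portfast",
    "bpduguard":  "spanning-tree bpduguard enable",
    "bpdufilter": "spanning-tree bpdufilter enable",
    "rootguard":  "spanning-tree guard root",
    "loopguard":  "spanning-tree guard loop",
}

# Role -> features (assumed mapping for this example):
#   access:   host-facing; PortFast plus BPDU Guard, since a host should never send BPDUs
#   uplink:   toward the root; Loop Guard so a BPDU-starved blocking port cannot open a loop
#   downlink: toward switches that must never become root; Root Guard
ROLE_DEFAULTS = {
    "access":   {"portfast", "bpduguard"},
    "uplink":   {"loopguard"},
    "downlink": {"rootguard"},
}


@dataclass
class Port:
    name: str
    role: str
    explicit: set = field(default_factory=set)   # features added by hand, beyond the role default


def effective_features(port: Port) -> set:
    if port.role not in ROLE_DEFAULTS:
        raise ValueError(f"{port.name}: unknown role {port.role!r}")
    unknown = port.explicit - set(CLI)
    if unknown:
        raise ValueError(f"{port.name}: unknown feature(s) {sorted(unknown)}")
    return ROLE_DEFAULTS[port.role] | port.explicit


def validate(port: Port) -> list:
    """Return the problems with this port's feature set (empty list = OK)."""
    feats = effective_features(port)
    problems = []
    if {"rootguard", "loopguard"} <= feats:
        problems.append("Loop Guard and Root Guard cannot be configured at the same time")
    if "bpdufilter" in feats and port.role != "access":
        problems.append("BPDU Filter disables STP on a switch-facing port")
    if "portfast" in feats and port.role != "access":
        problems.append("PortFast belongs on host-facing access ports only")
    return problems


def bpduguard_active(port: Port, global_default: bool) -> bool:
    """'spanning-tree portfast bpduguard default' only covers PortFast ports;
    the per-interface 'spanning-tree bpduguard enable' covers any port."""
    feats = effective_features(port)
    return "bpduguard" in feats or (global_default and "portfast" in feats)


def render(ports: list, global_defaults: bool = True) -> list:
    """Render a config fragment as a list of lines; raises if any port fails validation."""
    lines = []
    if global_defaults:
        lines += ["spanning-tree portfast bpduguard default",
                  "spanning-tree etherchannel guard misconfig"]
    for port in ports:
        problems = validate(port)
        if problems:
            raise ValueError(f"{port.name}: " + "; ".join(problems))
        lines.append(f"interface {port.name}")
        for feat in sorted(effective_features(port), key=list(CLI).index):
            lines.append(f" {CLI[feat]}")
    return lines


def demo() -> list:
    ports = [Port("GigabitEthernet0/1", "access"),
             Port("GigabitEthernet0/24", "uplink"),
             Port("GigabitEthernet0/12", "downlink")]
    return render(ports)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it as a pre-commit check over an interface inventory and the two mistakes the notes warn about (Root Guard plus Loop Guard, and an uplink that quietly lost STP through BPDU Filter) are caught before the config reaches a switch.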

Configuration: (Based on Cat3560)

  • Enabling STP:
    • By default, STP is enabled for all VLANs and on all ports of the switch. If disabled, it can be re-enabled with “(config)#spanning-tree vlan x”; to disable, “(config)#no spanning-tree vlan x”. To enable on an interface, “(config-if)#spanning-tree vlan x”.
  • Bridge priority:
    • Traditional 802.1d bridge priority value (16 bits).
    • 802.1t extended system ID: priority (32768) + VLAN ID (sys-id-ext). Enabled using “spanning-tree extend system-id”.
  • Root bridge:
    • Assign the lowest priority value to make a switch the root. It should be a multiple of 4096.
    • Method 1: configure “spanning-tree vlan x priority y”.
    • Method 2: set the priority to the lowest value automatically with the macro “spanning-tree vlan <x> root primary diameter <y>”:
      • If the current root priority (crp) is > 24,576, set the local priority to 24,576.
      • If the current root priority is < 24,576, set the local priority to (crp – 4096).
      • “spanning-tree vlan <x> root secondary” sets the local priority to 28,672.
      • The macro computes the priority only at the time the command is applied.
      • The macro cannot set the priority to 0.
      • The macro changes both the priority and the timer values.
  • Port cost change:
    • “(config-if)#spanning-tree [vlan x] cost y”
  • Port priority change:
    • “(config-if)#spanning-tree [vlan x] port-priority y”
    • Only in increments of 16. Possible values are 0, 16, 32, ... 240.
  • Tuning Timers:
    • “(config)#spanning-tree [vlan x] hello-time y”, y = 1 to 10. Default = 2.
    • “(config)#spanning-tree [vlan x] max-age y”, y = 6 to 40. Default = 20.
    • “(config)#spanning-tree [vlan x] forward-time y”, y = 4 to 60. Default = 15.
    • Timers need to be set only on the root bridge; other switches accept the root bridge's timers from the configuration BPDUs they receive.
    • “(config)#spanning-tree transmit hold-count y”, y = 1 to 20. Default = 6. Configures the BPDU burst size: the number of BPDUs that can be sent before pausing for 1 sec.
  • Show commands:
    • show spanning-tree
    • show spanning-tree active
    • show spanning-tree detail
    • show spanning-tree [vlan x] summary
    • show spanning-tree [vlan x] root
    • show spanning-tree [vlan x] bridge
    • show spanning-tree interface x/y
  • Root port selection:
    • Lowest cumulative cost (cost is the inverse of bandwidth).
    • Lowest upstream bridge ID.
    • Lowest port ID.
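Added example, not from the original post: Python that reproduces the priority arithmetic described under ‘Bridge priority’ and ‘Root bridge’ above: the 802.1t split of the 16-bit priority field into priority and sys-id-ext, the value a root advertises for a given VLAN, what the root primary/secondary macro would set, and the multiple-of-4096 and multiple-of-16 constraints on bridge and port priority. The behaviour when the current root priority is exactly 24,576 is not stated in the notes and is assumed here to take the ‘subtract 4096’ branch.

```python
"""Added example (not from the original post): reproduce the priority choices
the notes describe for 'spanning-tree vlan <x> root primary|secondary', and
decode an 802.1t extended-system-ID priority into its two parts.
Assumption (not stated in the notes): a current root priority of exactly
24,576 takes the 'subtract 4096' branch."""

PRIORITY_STEP = 4096            # 802.1t leaves 4 bits for the priority: multiples of 4096
PRIMARY_TARGET = 24576
SECONDARY_TARGET = 28672
MAX_PRIORITY = 61440            # 15 * 4096


def split_extended_priority(value: int) -> tuple:
    """802.1t: upper 4 bits are the configurable priority, lower 12 bits the VLAN ID."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("priority field is 16 bits")
    return value & 0xF000, value & 0x0FFF


def validate_priority(priority: int) -> int:
    """Bridge priority must be a multiple of 4096 in 0..61440."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} between 0 and {MAX_PRIORITY}")
    return priority


def bridge_priority_for_vlan(priority: int, vlan: int) -> int:
    """Value shown as 'Priority' in show spanning-tree: priority + VLAN (sys-id-ext)."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    return priority + vlan


def root_primary_priority(current_root_priority: int) -> int:
    """What 'root primary' sets locally, given the root's advertised priority
    (VLAN part included, as a BPDU carries it)."""
    base, _vlan = split_extended_priority(current_root_priority)
    new = PRIMARY_TARGET if base > PRIMARY_TARGET else base - PRIORITY_STEP
    if new <= 0:
        # the notes say the macro cannot set 0: that needs the explicit command
        raise ValueError("macro cannot reach priority 0; use 'spanning-tree vlan <x> priority 0'")
    return new


def root_secondary_priority() -> int:
    return SECONDARY_TARGET


def validate_port_priority(value: int) -> int:
    """Port priority is configured in steps of 16, 0..240."""
    if value % 16 or not 0 <= value <= 240:
        raise ValueError("port priority must be one of 0, 16, 32, ..., 240")
    return value


if __name__ == "__main__":
    crp = bridge_priority_for_vlan(32768, 10)          # a default-priority root on VLAN 10
    print(f"root advertises {crp}; 'root primary' would set {root_primary_priority(crp)}")
```

Because the macro only looks at the root it sees when the command is entered, a root that later lowers its own priority is not answered automatically; the functions above make that one-shot nature explicit.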

This entry was posted in IOS, L2 switch.

2 Responses to STP: 802.1d and PVST

  1. Pingback: STP: 802.1d and PVST « Security & eCommerce Blog

  2. karthikeyan thirumalai says:

    Great stuff and a masterpiece of summarization. Thanks a lot for the wonderful doc.

