Spanning Tree Protocol

Spanning Tree Protocol is what makes layer 2 redundancy usable: redundant links without loops.
STP is enabled by default on Cisco switches.

The problem with redundancy is the broadcast storm. When a switch receives a broadcast frame, it floods it out every port except the one it came in on. In a network with redundant links (more than one path to reach a switch), the frame keeps circulating in a loop forever.

The root bridge (switch) is the bridge that every other bridge must reach by the shortest possible path.

When a switch first boots, it assumes that it is the root bridge.

Ethernet frames do not have a TTL, so a broadcast storm is possible.

Assume PC1 sends a broadcast in a network with redundant paths and no STP: the result is a broadcast storm. The switch connected to PC1 records PC1's MAC address on the port PC1 is attached to. During the storm, however, the switch receives the same frame again from another switch on another port, and because the source MAC address is still PC1's, the switch overwrites the CAM table entry for PC1's MAC with the new port. This is called MAC ADDRESS INSTABILITY.

A broadcast storm (loop) repeats over and over until a link is disconnected or a switch participating in the loop is turned off, which breaks the loop.

A loop results in high CPU load and degrades performance because the switches process the same traffic again and again. As more broadcast frames are sent by other hosts, all of the bandwidth is consumed and no other frames can be processed by the switches.
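As an added example (not part of the original notes), a small detector for the MAC address instability described above: it scans constructed CAM-table learn events and flags any MAC whose learned port keeps changing, which is the first thing a loop shows on a switch. The window and threshold values are assumptions.

```python
# Added example (not from the original notes): detect MAC address instability,
# the symptom described above, from a stream of CAM-table learn events.
# Each event is (seconds since start, switch, MAC, port), the information a
# switch has when it (re)learns a source MAC. All values here are constructed.
from collections import defaultdict

FLAP_WINDOW_S = 10   # assumption: port moves closer together than this are suspicious
FLAP_THRESHOLD = 3   # assumption: this many moves inside the window trips the alarm

LEARN_EVENTS = [
    (0.0,  "SW1", "00:11:22:33:44:55", "Fa0/1"),   # PC1 learned on its access port
    (0.4,  "SW1", "00:11:22:33:44:55", "Fa0/24"),  # same frame comes back via the loop
    (0.9,  "SW1", "00:11:22:33:44:55", "Fa0/1"),
    (1.3,  "SW1", "00:11:22:33:44:55", "Fa0/24"),
    (2.0,  "SW1", "aa:bb:cc:dd:ee:01", "Fa0/2"),   # normal host, never moves
    (60.0, "SW1", "aa:bb:cc:dd:ee:02", "Fa0/3"),
    (95.0, "SW1", "aa:bb:cc:dd:ee:02", "Fa0/5"),   # one legitimate re-patch, much later
]

def find_flapping_macs(events, window=FLAP_WINDOW_S, threshold=FLAP_THRESHOLD):
    """Return {(switch, mac): [(t, old_port, new_port), ...]} for every MAC whose
    learned port changed at least `threshold` times within `window` seconds."""
    last_port = {}
    moves = defaultdict(list)
    for t, sw, mac, port in sorted(events):
        key = (sw, mac)
        prev = last_port.get(key)
        if prev is not None and prev != port:
            moves[key].append((t, prev, port))
        last_port[key] = port
    flapping = {}
    for key, mv in moves.items():
        times = [m[0] for m in mv]
        # sliding window over consecutive moves
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flapping[key] = mv
                break
    return flapping

def suspect_ports(flapping):
    """The ports each unstable MAC bounces between: on a real switch these are
    usually the two ports that close the loop, so they are where to look first."""
    return {key: sorted({p for _, old, new in mv for p in (old, new)})
            for key, mv in flapping.items()}

if __name__ == "__main__":
    hits = find_flapping_macs(LEARN_EVENTS)
    for (sw, mac), ports in suspect_ports(hits).items():
        print(f"{sw}: {mac} unstable between {ports}")
```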

REAL WORLD REDUNDANCY ISSUE : redundancy is needed in a network with high availability demands, but cabling that is not well maintained and not labeled can confuse people. Cables may go into a wall jack and run to a patch panel connected to the distribution layer switches. A common mistake is connecting the same two devices again, creating a duplicate connection.

Every bridge in the network that supports spanning tree sends out a BPDU every two seconds.

Inside the BPDU
The combination of the Bridge Priority and the Bridge's MAC address makes the Bridge ID (this is the 802.1D standard).

Bridge ID (8 bytes):
  Bridge Priority (2 bytes) | Bridge MAC (6 bytes)
  byte 1 2                  | byte 1 2 3 4 5 6

Steps in STP :
-Elect the root. The switch with the lowest Bridge ID becomes the root bridge. The default Bridge Priority value is 0x8000 (32768).
-Every non-root switch determines the port with the smallest cost to reach the root and puts that port in the forwarding state. This port is called the root port.
-For multiple switches sharing a common segment, the port nearest to the root is selected and put in the forwarding state. This port is called the designated port.
-All other ports that are receiving BPDUs are put in the blocking state.

Additional Features:
PortFast allows a port to bypass all of the other spanning tree states and proceed directly to the forwarding state. Spanning tree takes about 30 seconds to put a normal port into the forwarding state. PortFast should be enabled only on ports that will never have a switch connected (the port is connected to a host). If a switch were connected to a port configured with PortFast, a loop could occur that would not be detected. PortFast also supports DHCP: without it, a host could send its DHCP request before the port is in the forwarding state, so the request would be dropped. Command (interface configuration):
spanning-tree portfast

BPDU Guard: if a PortFast-enabled port receives a BPDU, BPDU Guard automatically disables the port by putting it into the ErrDisable state. When this happens, the interface must be reset. (In the CNAP version, STP puts the port into the blocking state.) Command:
spanning-tree bpduguard enable

UplinkFast: when a designated port fails, a port with an alternate path to the root bridge is cycled through the listening and learning states before reaching the forwarding state, which can take 45 seconds or more. UplinkFast allows a blocked port to bypass the listening and learning states when the designated port fails, so the network recovers in five seconds or less. This feature affects all VLANs. It also sets the bridge's priority to 49,512 to ensure that the switch will not become the root bridge (this is why UplinkFast should be configured only on access-layer switches: it changes the bridge priority, which is usually unwanted on core / distribution layer switches). Command (global configuration, not at the interface configuration level):
spanning-tree uplinkfast

BackboneFast: when a switch receives a BPDU announcing a less desirable root than the current one, it ignores it until the max_age value is exceeded (default 20 secs). If BackboneFast is used, it must be enabled on every switch in the network. Command (global configuration):
spanning-tree backbonefast

STP works by ensuring that there is only one logical path to every destination, blocking any other alternate path and so preventing loops. Data traffic is not allowed to pass through a blocked link, but BPDUs (Bridge Protocol Data Units) still are. When one path goes down, an alternate path, if there is one, is taken to the forwarding state.

NOTES : if the main path is down, an alternate path is taken to the forwarding state. However, if the main path comes up again later, the alternate path is returned to the blocking state and the network uses the main path again to forward traffic.

STP uses the Spanning Tree Algorithm (STA).

The Bridge ID contains a priority value, the MAC address of the sending switch and an optional extended system ID.
- Bridge priority, 4 bits
- Extended System ID, 12 bits
- MAC address, 48 bits

Port Roles in STP (there are 4 roles):
- Root ports : ports with the best path (lowest cost) to the root bridge. Root ports forward traffic toward the root bridge. Only one root port exists per bridge (the root bridge has no root port). When more than one port has an equal path cost, the lowest port priority, or the lowest port ID if the port priorities are equal, determines which becomes the root port.
- Designated ports : ports that RECEIVE and forward frames toward the root bridge. Designated ports also forward frames, but since there is only one designated port per segment, duplicate broadcast frames are discarded. Only one designated port is allowed per segment. If multiple switches exist on a segment, an election process determines which becomes the designated switch. All ports on the root bridge are designated ports. Path cost is the first criterion for deciding which switch's port becomes the designated port; only if the path costs are equal is the Bridge ID used.
- Non-designated ports : all ports that are configured to be in a blocked state to prevent loops, so they do not forward data frames and do not populate the MAC address table with source addresses.
- Disabled ports : a disabled port is one that is administratively down. A disabled port does not participate in the spanning-tree process.

Port States (there are 5 states). Each switch port transitions through five states, governed by three BPDU timers :
- Blocking : receives and processes BPDUs and also sends BPDUs. Does not forward frames and does not learn MAC addresses. This port is a non-designated port.
- Listening : receives and processes BPDUs and also sends BPDUs informing adjacent switches that the port is preparing to participate in the active topology. Does not forward frames and does not learn MAC addresses.
- Learning : the port prepares to become active and learns MAC addresses.
- Forwarding : the port is active, forwards traffic, is part of the topology and also sends and receives BPDU frames.
- Disabled : an administratively down port.

Each BPDU contains the sending switch's ID and the root ID.
EVERY SWITCH ASSUMES THAT it is the root bridge when it first boots up.

When a switch receives a BPDU with a lower root ID than its current one, it updates its information and sends the new BPDU to the other adjacent switches.

Path cost is the sum of all the port costs passed through on the way to the root bridge. The BPDU carries the path cost, not the port cost, so the receiving switch simply adds its own port cost to the received path cost to find the path cost to the root bridge through that port.

The STA (Spanning Tree Algorithm) calculates the best path to the root bridge by summing each port cost along the way to the root bridge. Each port cost depends on the speed the port is operating at.
Default port costs are defined by IEEE:
10 Gb/s  : 2
1 Gb/s   : 4
100 Mb/s : 19
10 Mb/s  : 100

However, the port cost is configurable.
Setting a port cost (at interface configuration level):
spanning-tree cost value
Resetting a port cost:
no spanning-tree cost

BPDU fields
The first 4 fields identify the protocol, version, message type and status flags.
The next 4 fields identify the root ID, the bridge ID, the path cost and the port ID.
The last 4 fields are the BPDU timers:
-Message age : records the time since the root bridge originally generated the information the current BPDU is derived from. When a BPDU is sent, the age field is incremented by 1. Eventually the switch discards the BPDU when the age field goes beyond the maximum age.
-Max age : the maximum time the switch port keeps the BPDU configuration; it indicates when the current configuration should be deleted. Once the message age reaches the maximum age, the switch expires the current configuration and initiates a new election to determine a new root bridge, since it assumes it has lost its connection to the root. (Default 20 secs, configurable from 6 to 40 secs.)
-Hello time : the interval between bridge configuration messages. (Default 2 secs, configurable from 1 to 10 secs.)
-Forward delay : the time a switch waits before transitioning to a new state after a topology change, i.e. the time a port spends in the listening and learning states. If configured too short, it is possible that not all links are ready to change state and a temporary loop may occur. (Default 15 secs, configurable from 4 to 30 secs.)

It is recommended not to adjust the timers directly. Instead, you can adjust them by specifying the largest diameter (the number of switch hops from one end of the network to the other; STP permits a maximum of 7) of your network:
spanning-tree vlan vlan-id root primary diameter value

value : the maximum diameter of your network
By entering this command, the STP timers are proportionally adjusted.

When STP is enabled (when the switch boots), every switch port starts in the blocking state (which by default lasts 20 secs) and moves to the listening state after it decides that it is a root port or a designated port.

When a switch receives a BPDU, it compares the root ID in the BPDU with its local root ID. If the BPDU's root ID is lower than the local one, it updates its local root ID and path cost to the root, then advertises the new root ID and path cost in its own BPDUs.

Because of the need to identify the VLAN (some STP environments run a separate STP instance for each VLAN, such as PVST+), the 802.1D bridge ID is modified to add extended system ID information (Extended system ID = VLAN ID).
Bridge ID with extended system ID enabled:

| bridge priority | Extended System ID | MAC address |
|     4 bits      |      12 bits       |   48 bits   |

Extended system ID = VLAN ID
STP was in use before VLANs became common in network infrastructure. When VLANs became common, the extended system ID was added to tell which VLAN a BPDU is associated with.
When you increment the bridge priority field by 1, the bridge ID increases by 4096 (2^12). Therefore, you can set the bridge ID only in multiples of 4096. (The bridge priority can be set from 1 to 65535.)

Methods to set the Bridge ID of a switch (at global configuration level):
spanning-tree vlan vlan-id root primary

vlan-id : the VLAN ID for this spanning-tree configuration

Entering this command ensures that this switch will be the root bridge in the network (the bridge priority is set to 24576, or to the next 4096 lower value than the lowest bridge priority found in the network).

spanning-tree vlan vlan-id root secondary

This sets the bridge priority to 28672, so that this switch becomes the root bridge should the primary root fail, assuming that all other switches have the default priority value (32768).

spanning-tree vlan vlan-id priority value

value : a number in multiples of 4096
This sets the priority value of this switch to a predefined value.
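An added example, not from the original notes, that builds the extended-system-ID Bridge ID described above, runs the root election on it, and computes the priority the root primary / root secondary commands set; the switch names, MACs and the refusal to go below priority 0 are assumptions.

```python
# Added example, not from the original notes: build and take apart the 8-byte Bridge ID
# with extended system ID (4-bit priority | 12-bit VLAN | 48-bit MAC), run a root
# election on it, and compute the priority "root primary" / "root secondary" set,
# following the rules above. Switch names and MACs below are made up.
PRIORITY_STEP = 4096          # 2**12: the priority occupies the top 4 bits of 16
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576
ROOT_SECONDARY = 28672

def bridge_id(priority, vlan, mac):
    """Return the 64-bit Bridge ID for one VLAN; the lowest value wins the root election."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 15 * PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)   # aa:bb:.. or aabb.ccdd.eeff
    return ((priority + vlan) << 48) | mac_int

def split_bridge_id(bid):
    """Inverse of bridge_id(): (priority, vlan, 'aa:bb:cc:dd:ee:ff')."""
    upper, mac_int = bid >> 48, bid & ((1 << 48) - 1)
    mac = ":".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return upper & 0xF000, upper & 0x0FFF, mac

def elect_root(switches, vlan):
    """switches: {name: (priority, mac)} -> name of the root bridge for this VLAN."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))

def root_primary_priority(priorities_seen):
    """Priority that 'root primary' would set: 24576, or 4096 below the lowest
    priority already in the network when that is not higher than 24576.
    Assumption: it cannot go below 0, so the command is refused in that case."""
    lowest = min(priorities_seen, default=DEFAULT_PRIORITY)
    if lowest > ROOT_PRIMARY:
        return ROOT_PRIMARY
    if lowest - PRIORITY_STEP < 0:
        raise ValueError("a bridge already has priority 0; cannot guarantee root")
    return lowest - PRIORITY_STEP

# Constructed network: same default priority everywhere, so the lowest MAC decides,
# and here that is an access switch, which is not where the root should be.
NETWORK = {
    "access-1": (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:01"),
    "core-1":   (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:5e"),
    "dist-1":   (DEFAULT_PRIORITY, "00:1a:2b:3c:4d:20"),
}

if __name__ == "__main__":
    print("root by default:", elect_root(NETWORK, 10))
    fixed = dict(NETWORK)
    fixed["core-1"] = (ROOT_PRIMARY, NETWORK["core-1"][1])      # root primary
    fixed["dist-1"] = (ROOT_SECONDARY, NETWORK["dist-1"][1])    # root secondary
    print("root after the commands:", elect_root(fixed, 10))
    del fixed["core-1"]                                         # primary root fails
    print("root after core-1 fails:", elect_root(fixed, 10))
```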

Port priority is 128 by default. The port ID is simply the interface ID of the port on the switch (Fa0/1, Fa0/2, Fa0/3). For interface Fa0/1 the default port priority value is 128.1; for Fa0/2 it is 128.2.

Setting port priority (at interface configuration level):
spanning-tree port-priority value

value : 0 - 240, in multiples of 16

STP Convergence
To make the STP convergence process easier to follow, it is divided into three major steps.

The first step of STP convergence is to elect a root bridge (the root bridge is the center of all path cost calculations and leads to the assignment of the different port roles that prevent loops).
-Electing the root bridge is done by comparing the root ID received in a BPDU with the switch's local root ID. If the root ID received in the BPDU is lower, the switch updates its local root ID and path cost with the BPDU's. The switch's own BPDUs then advertise the new root ID to the other adjacent switches.

The next step is to set the port roles. The first role to be determined is the root port. EVERY SWITCH EXCEPT THE ROOT BRIDGE HAS A ROOT PORT. A root port is simply the port with the lowest path cost (path to the root bridge).
-Determining the root port is done by comparing each port's path cost and choosing the port with the lowest cost. When more than one port has an equal cost (this can happen when a switch is attached to another switch with two physical connections and no EtherChannel configured), the port priority determines which becomes the root port.
Port roles are determined as soon as a BPDU announcing a new root ID or a redundant path is received (because the path cost is updated). Therefore, a port may change role multiple times before it finally settles, after the root ID changes for the last time.

The next step is electing designated and non-designated ports. To finish creating a loop-free network, the remaining ports must be configured as designated or non-designated ports. Each segment can have only one designated port. All ports on the root bridge are designated ports.
-When more than one non-root port is connected to the same segment, the port with the lowest path cost wins; only if the path costs are equal is the Bridge ID used. The losing port becomes the non-designated port and is put into the blocking state to prevent loops.
Determining designated and non-designated ports happens concurrently with the root election and the root port election. Therefore the port roles may change multiple times before the final root bridge is determined.
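An added example, not from the original notes, that runs the three convergence steps above over a constructed three-switch triangle with the IEEE port costs from the cost table; switch names, MACs and link speeds are made up, and the root-port tie-break uses the neighbour's bridge ID and port ID as described above.

```python
# Added example, not from the original notes: a small Spanning Tree Algorithm run
# over a constructed three-switch triangle using the IEEE port costs listed above.
# It elects the root, computes every switch's path cost to it, and assigns the
# root / designated / non-designated (blocking) roles. Names and MACs are made up.
import heapq

PORT_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}   # link speed in Mb/s -> IEEE port cost

# name -> (bridge priority, MAC). All priorities equal, so S3 (lowest MAC) should win.
SWITCHES = {
    "S1": (32768, "00:00:00:00:00:03"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:01"),
}
# Each link is one segment: (switch A, port A, switch B, port B, speed in Mb/s).
LINKS = [
    ("S1", "Fa0/1", "S2", "Fa0/1", 100),
    ("S2", "Gi0/1", "S3", "Gi0/1", 1000),
    ("S1", "Gi0/2", "S3", "Gi0/2", 1000),
]

def bridge_id(name, switches):
    prio, mac = switches[name]
    return (prio, int(mac.replace(":", ""), 16))        # lower tuple wins

def elect_root(switches):
    return min(switches, key=lambda n: bridge_id(n, switches))

def root_path_costs(root, switches, links):
    """Shortest path cost from every switch to the root. Each hop adds the cost of
    the port the root's BPDU arrives on, which for a point-to-point link is the
    link speed cost, so this is plain Dijkstra over the links."""
    adj = {n: [] for n in switches}
    for a, _, b, _, speed in links:
        adj[a].append((b, PORT_COST[speed]))
        adj[b].append((a, PORT_COST[speed]))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, w in adj[n]:
            if c + w < cost.get(m, float("inf")):
                cost[m] = c + w
                heapq.heappush(heap, (cost[m], m))
    return cost

def port_roles(switches, links, port_priority=128):
    """Return (root, path costs, {(switch, port): 'root'|'designated'|'blocking'})."""
    root = elect_root(switches)
    cost = root_path_costs(root, switches, links)
    roles, best = {}, {}
    # Root port: on every non-root switch, the port whose neighbour offers the lowest
    # path cost; ties go to the lower neighbour bridge ID, then the neighbour's port
    # priority/ID (the tie-break used when two links join the same pair of switches).
    for a, pa, b, pb, speed in links:
        for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (cost[nb] + PORT_COST[speed], bridge_id(nb, switches), (port_priority, nb_port))
            if me not in best or key < best[me][0]:
                best[me] = (key, my_port)
    for me, (_, port) in best.items():
        roles[(me, port)] = "root"
    # Designated port: on every segment, the end whose switch has the lower path cost
    # (then the lower bridge ID). The other end blocks unless it is a root port.
    for a, pa, b, pb, _ in links:
        a_key, b_key = (cost[a], bridge_id(a, switches)), (cost[b], bridge_id(b, switches))
        des, other = ((a, pa), (b, pb)) if a_key < b_key else ((b, pb), (a, pa))
        roles.setdefault(des, "designated")
        roles.setdefault(other, "blocking")
    return root, cost, roles
```

Calling port_roles(SWITCHES, LINKS) gives S3 as root, S1 Fa0/1 as the single blocked port, and S2 Fa0/1 as the designated port on the S1-S2 segment because S2 has the lower bridge ID at equal path cost.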

NOTE THAT WHEN A SWITCH BOOTS, ALL OF ITS PORTS ARE PUT INTO THE BLOCKING STATE FOR THE FIRST 20 SECS. You may not see the port role change (the LED color of the port) because STP may converge before the 20 secs are up (in a network with a maximum diameter of 7).

Evolutions of STP
Cisco proprietary
- PVST, Per-VLAN Spanning Tree Protocol. Runs on the ISL trunking protocol. ISL treats each VLAN as a separate network, so it can load balance layer 2 traffic by forwarding some VLANs' traffic on one trunk link and other VLANs' on another. PVST has some proprietary extensions such as BackboneFast, UplinkFast and PortFast.
- PVST+, Per-VLAN Spanning Tree Protocol plus. Works much like PVST, but additionally supports the IEEE 802.1Q trunking protocol and adds some proprietary extensions to PortFast, namely BPDU guard and root guard.
- Rapid PVST+, Rapid Per-VLAN Spanning Tree Protocol plus. Based on the IEEE 802.1w standard, which converges faster than STP (standard 802.1D). Supports the proprietary extensions.

IEEE standard
- RSTP, Rapid Spanning Tree Protocol (IEEE standard 802.1w). First introduced in 1982 as an evolution of STP (standard 802.1D). It provides faster convergence and support for Cisco-proprietary extensions. In 2004 IEEE incorporated RSTP into 802.1D, identified as IEEE 802.1D-2004. Now when you hear STP, think of RSTP.
- MSTP, Multiple STP. Provides a single spanning tree for multiple VLANs, reducing the number of running instances needed to support a large number of VLANs. MSTP was inspired by Cisco-proprietary MISTP (Multiple Instances of STP).

More Detail

Cisco developed PVST+ so that a network can run an STP instance for each VLAN. Therefore some links can forward some VLANs' traffic while another link forwards the rest. This is achieved by choosing a different switch to be the root bridge in each VLAN. However, the switch port must accommodate more bandwidth, since each STP instance sends its own BPDUs.
PVST is the default STP mode on Cisco Catalyst 2960 series switches.

Port states in RSTP: discarding, learning and forwarding. In a properly configured network, RSTP can converge in as little as a few hundred milliseconds. An alternate port can switch directly to forwarding without waiting for the network to converge. Brief RSTP characteristics:
- The preferred protocol for preventing layer 2 loops. Many of the differences were informed by Cisco-proprietary enhancements to 802.1D, such as BPDUs carrying and sending information about port roles only to neighboring switches. Generally performs better than the earlier Cisco-proprietary versions.
- Cisco-proprietary enhancements to 802.1D such as UplinkFast and BackboneFast are not compatible with RSTP.
- Much of the STP terminology remains in RSTP. The root election process stays the same. RSTP BPDUs use the same format as 802.1D, except that the version is set to 2 and the flags field uses all 8 bits. RSTP can be made compatible with legacy switches on a per-port basis.
- RSTP is able to actively confirm that a port can transition to the forwarding state without the use of any timer.
- Does not use the 802.1D timers.

RSTP BPDU. A BPDU is sent every 2 secs. In RSTP a lost connection is detected when three consecutive BPDUs are not received on a link (6 secs), so failures can be detected quickly. RSTP uses the flags field (8 bits) differently from STP:
- bits 0 and 7 are used for topology change notification (bit 7) and its acknowledgement (bit 0), as in 802.1D
- bits 1 and 6 are used for the proposal/agreement process (used for rapid convergence)
- bit 2 marks the port's state as forwarding
- bit 3 marks the port's state as learning
- bits 4 and 5 encode the port's role:
  00 unknown port
  01 alternate or backup port
  10 root port
  11 designated port
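An added example, not from the original notes, that decodes and builds the RSTP flags byte using the bit numbering above (bit 0 is the most significant bit); the notes do not say which of bits 1 and 6 is proposal and which is agreement, so the assignment below (bit 6 proposal, bit 1 agreement) follows 802.1w.

```python
# Added example, not from the original notes: decode and build the 8-bit RSTP BPDU
# flags field using the bit layout listed above. The notes number bits from the
# most significant end (bit 0 = MSB), so "bit n" below is the mask 1 << (7 - n).
def _bit(n):
    return 1 << (7 - n)

TCA        = _bit(0)   # topology change acknowledgement
AGREEMENT  = _bit(1)   # proposal/agreement handshake uses bits 1 and 6 (802.1w: 1 = agreement)
FORWARDING = _bit(2)
LEARNING   = _bit(3)
ROLE_HI    = _bit(4)   # bits 4 and 5 carry the 2-bit port role
ROLE_LO    = _bit(5)
PROPOSAL   = _bit(6)
TC         = _bit(7)   # topology change notification

PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}

def decode_flags(byte):
    """Flags octet -> dict of the fields above."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("flags is a single octet")
    role = (2 if byte & ROLE_HI else 0) | (1 if byte & ROLE_LO else 0)
    return {
        "role": PORT_ROLES[role],
        "learning": bool(byte & LEARNING), "forwarding": bool(byte & FORWARDING),
        "proposal": bool(byte & PROPOSAL), "agreement": bool(byte & AGREEMENT),
        "tc": bool(byte & TC), "tca": bool(byte & TCA),
    }

def encode_flags(role, learning=False, forwarding=False, proposal=False,
                 agreement=False, tc=False, tca=False):
    """Inverse of decode_flags(); keyword names match its keys."""
    code = {name: value for value, name in PORT_ROLES.items()}[role]
    byte = (ROLE_HI if code & 2 else 0) | (ROLE_LO if code & 1 else 0)
    for on, mask in ((learning, LEARNING), (forwarding, FORWARDING), (proposal, PROPOSAL),
                     (agreement, AGREEMENT), (tc, TC), (tca, TCA)):
        if on:
            byte |= mask
    return byte

# Constructed sample: a designated port, learning and forwarding, sending a proposal.
SAMPLE_FLAGS = encode_flags("designated", learning=True, forwarding=True, proposal=True)
```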

RSTP's edge port = the Cisco-proprietary PortFast feature, but unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning-tree port (configuring an edge port that is attached to another switch can have negative implications for RSTP when it is in the sync state, because a temporary loop can result, possibly delaying RSTP convergence due to BPDU contention with loop traffic). An edge port is a port that
- will never have a switch connected to it.
- immediately transitions to forwarding.
Configuring an edge port on Cisco by entering the command "spanning-tree portfast" makes the transition to RSTP seamless.

Non-edge ports are categorized into two link types, point-to-point and shared.
Point-to-point link:
- attached to switch ports that are operating in full-duplex mode.
- the link connects to a single switch device.
Shared link:
- attached to switch ports that are operating in half-duplex mode.
- the port is connected to shared media where multiple switches might exist (for example, interconnected by a hub).
Edge ports and point-to-point links are candidates for rapid transition to the forwarding state. Edge ports are point-to-point links.

Port states. Port roles and states are different things; for example, a designated port can be in the discarding state temporarily even though its final state is forwarding. The RSTP port states are:
- discarding, seen in a stable active topology and during topology synchronization and changes. This state prevents the forwarding of data frames.
- learning, seen in a stable active topology and during topology synchronization and changes. This state accepts data frames to populate the MAC table in an effort to limit flooding of unknown unicast frames.
- forwarding, only seen in a stable active topology.

STP and RSTP port state association
STP          RSTP
blocking     discarding
learning     discarding
listening    learning
forwarding   forwarding
disabled     discarding

Port roles. Port roles and port states can transition independently. The RSTP port roles are:
- root port: every non-root bridge has a root port. Root ports assume the forwarding state in a stable active topology. The root port is the chosen path to the root bridge.
- designated port: every segment has one and only one designated port. Designated ports assume the forwarding state in a stable active topology. The designated port receives frames on the segment that are destined for the root bridge.
- alternate port: alternate ports assume the discarding state in a stable active topology. An alternate port is present on non-designated switches and transitions to a designated port if the current designated path fails.

RSTP speeds up recalculation after a topology change because it converges on a link-by-link basis and does not rely on timers expiring before a port can transition. Rapid transition can only be achieved on edge ports and point-to-point links.
RSTP converges with a proposal and agreement process: a switch sends a BPDU; when the receiving switch finds a new path cost it synchronizes (during synchronization, all ports are blocked), and when the receiving switch agrees, the port transitions to its new state and role.

Rapid PVST+
Rapid PVST+ is the Cisco implementation of RSTP. It supports a spanning tree for each VLAN and is the rapid STP variant to use in Cisco-based networks.
A spanning tree instance is created when an interface is assigned to a VLAN and is removed when the last interface is moved to another VLAN.

The Cisco 2960 switch supports PVST+, rapid PVST+, and MSTP, but only one version can be active for all VLANs at any time.

To configure the STP mode on a switch, use the command
spanning-tree mode rapid-pvst
This sets the running STP protocol to Rapid PVST+.

To set the link type of a port:
spanning-tree link-type type

type : the type you specify for the link, point-to-point or shared.

To clear the detected STP protocols (so the switch re-detects whether its neighbors run STP or RSTP):
clear spanning-tree detected-protocols

Some tips:
- Don't leave it up to STP to choose the root bridge. Usually you can figure out the best root bridge for each VLAN; generally choose the most powerful bridge at the center of the network or near the servers, so you reduce the hops for clients to reach the servers.
- Prune any VLAN that you don't need off your trunks.
- Know the redundant links and the blocked links, and reduce the number of ports blocked by STP (by physically removing the link from the port) to only what is needed for redundancy.
- Keep STP alive. STP is not very processor-intensive and doesn't significantly reduce the available bandwidth. If a technician makes a connection error at the patch panel and STP is disabled, the network can be brought down.
- Keep data traffic off the administrative VLAN. Usually a switch has an IP address on the administrative VLAN so that the network administrator can connect to the switch remotely.
- Segment the bridging domains using high-speed layer 3 switches.


renjith said...

Great tutorial !!!!!!!!!!!