Electing the root
Only one switch can be the root bridge. At start-up every switch announces itself as the root; when a switch hears a superior BPDU it stops announcing itself and instead forwards the superior BPDUs. The switch with the lowest priority is elected root; the priority ranges from 0 to 65535 and lower is better. If there is a tie in priority, the lowest MAC address decides which bridge becomes the root.
Electing a root port
The port with the lowest cost to the root is elected the root port (RP). When a switch receives a BPDU hello it adds the cost of the interface the hello arrived on to the cost advertised in the hello. If there is a tie in cost, these tie breakers are used in order:
1. Pick the lowest value of the forwarding switch’s bridge ID
2. Use the lowest port priority of the neighboring switch.
3. Use the lowest internal port number of the forwarding switch.
Note that if multiple links exist between two switches the bridge ID will be the same and the port priorities may be the same, but the port numbers will always differ, so the third tie breaker always settles it.
Electing a designated port
On every segment there can be only one designated port (DP) and one designated switch. The port of the switch that sends the hello with the lowest path cost onto the segment becomes the designated port. If there is a tie, the same tie breakers as for electing a root port are used.
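The election rules above (root bridge by lowest priority then lowest MAC, root port by lowest total cost then the three tie breakers) as an added example. This is not code from the original notes; the bridge IDs, costs and port numbers are constructed for illustration.

```python
# Added example: root bridge election and root port selection as described in the notes.
# All bridge IDs, MAC addresses, costs and port numbers below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 0..65535, lower is better
    mac: str        # tie breaker when priorities are equal, lower is better


def elect_root(bridges):
    """The lowest bridge ID (priority first, then MAC) becomes the root."""
    return min(bridges)


@dataclass
class Hello:
    """A received hello, seen from the receiving switch's point of view."""
    sender: BridgeId            # bridge ID of the forwarding (neighbouring) switch
    root_cost: int              # cost to the root advertised in the hello
    sender_port_priority: int   # port priority of the neighbour's sending port
    sender_port_number: int     # internal port number of the neighbour's sending port
    local_port_cost: int        # cost of the interface the hello arrived on


def root_port(hellos):
    """Pick the RP: lowest total cost, then the three tie breakers in order."""
    def key(h):
        return (h.root_cost + h.local_port_cost,   # 0. lowest cost to the root
                h.sender,                          # 1. lowest forwarding bridge ID
                h.sender_port_priority,            # 2. lowest neighbour port priority
                h.sender_port_number)              # 3. lowest neighbour port number
    return min(hellos, key=key)


# Constructed topology: three candidate bridges and the hellos one switch receives.
BRIDGES = [
    BridgeId(32768, "0000.0c11.1111"),
    BridgeId(32768, "0000.0c00.2222"),
    BridgeId(4096, "0000.0c33.3333"),   # lowest priority, becomes root
]
NEIGHBOUR = BridgeId(32768, "0000.0c00.2222")
OTHER = BridgeId(32768, "0000.0c11.1111")
HELLOS = [
    Hello(NEIGHBOUR, 4, 128, 2, 19),   # total cost 23 via neighbour port 2
    Hello(NEIGHBOUR, 4, 128, 1, 19),   # total cost 23 via neighbour port 1: wins the tie
    Hello(OTHER, 19, 128, 1, 19),      # total cost 38
]

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    print("root port hello:", root_port(HELLOS))
```

Two parallel links to the same neighbour tie on cost, bridge ID and port priority, so the neighbour's lower port number decides, which is exactly the situation the note about multiple links describes.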
STP normal behaviour
The root switch generates hello packets every two seconds. Each non-root switch receives the hello on its root port, updates it and forwards it out of its designated ports. On each blocked port the switch receives a copy of the hello from the designated switch on that segment. Hellos are not forwarded out of blocking ports.
Changes in the topology
If there is a change in the topology the switch needs to notify the other switches. It sends a TCN BPDU out its root port and repeats it every hello time until it is acknowledged. The upstream switch acknowledges by setting the Topology Change Acknowledgement (TCA) bit in its next forwarded hello. Eventually the TCN reaches the root, which sets the TC flag in the hellos it sends next. When the switches receive hellos with TC set they know they should age out their Content Addressable Memory (CAM) tables, using the forward delay timer (15 seconds by default) as the ageing time.
802.1D port states
Taking a port from blocking to forwarding takes 30 to 50 seconds. If the failure is indirect, max age (20 seconds) has to expire first. The port then listens for 15 seconds (forward delay); if it hears no BPDUs it moves to learning and stays there for another 15 seconds. Finally the port moves to forwarding. The switch does not learn any MAC addresses on the port until it is in the learning state.
Making a switch the root
The switch that should become the root can be configured with spanning-tree vlan vlan-id root primary. If the current root has a higher priority than 24576 the switch sets 24576 as its priority. If the current root has a lower value than 24576 the switch sets its priority to 4096 lower than the current value. Note that the value can not be zero when using this command, so if the current root has a priority of 4096 the command fails. Setting the priority to zero explicitly is a safer bet to make sure the root doesn't change. This command can also be used with the secondary option, which sets the priority to 28672. The second best switch might already have a lower priority than this, but there is no way of knowing that from the show spanning-tree output.
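The priority arithmetic behind root primary and root secondary, as an added example that is not part of the original notes. It models the rules stated above (24576 target, 4096 steps, failure when the result would be zero) and shows why a macro-assigned priority does not guarantee the switch stays root; the candidate MAC addresses are constructed.

```python
# Added example: models what "spanning-tree vlan <id> root primary|secondary" would set,
# following the rules in the notes. MAC addresses used below are constructed sample values.
ROOT_PRIMARY_TARGET = 24576
ROOT_SECONDARY = 28672
PRIORITY_STEP = 4096


def root_primary_priority(current_root_priority):
    """Priority the macro picks, given the priority of the current root."""
    if current_root_priority > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    candidate = current_root_priority - PRIORITY_STEP
    if candidate <= 0:
        # The macro refuses to set 0; configure the priority explicitly instead.
        raise ValueError("root primary cannot set priority 0; use an explicit priority")
    return candidate


def root_primary_would_fail(current_root_priority):
    """True when the macro cannot go below the current root (current root at 4096)."""
    try:
        root_primary_priority(current_root_priority)
        return False
    except ValueError:
        return True


def root_secondary_priority():
    """root secondary always sets 28672, regardless of the other switches."""
    return ROOT_SECONDARY


def becomes_root(candidate_priority, candidate_mac, root_priority, root_mac):
    """Bridge ID comparison: lower priority wins, then lower MAC."""
    return (candidate_priority, candidate_mac) < (root_priority, root_mac)


if __name__ == "__main__":
    print("current root 32768 ->", root_primary_priority(32768))
    print("current root 24576 ->", root_primary_priority(24576))
    print("current root 4096 fails:", root_primary_would_fail(4096))
    # A switch later configured with priority 0 still takes over from a root set by the macro.
    print("priority 0 beats 24576:", becomes_root(0, "0000.0c99.9999", 24576, "0000.0c00.0001"))
```

The last line of the demo is the point of the "safer bet" remark: the macro only beats the root it sees at the moment it runs, while an explicit priority of 0 cannot be undercut.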
Spanning tree enhancements
Portfast – Immediately transitions a port into forwarding mode. Should be set on end user ports. Make sure no switches will ever connect to this port.
Uplinkfast – Used on access layer switches with multiple uplinks to distribution/core. If the RP is lost the switch immediately moves to another port as RP and starts forwarding. It also notifies the other switches to flush their CAM tables.
Backbonefast – Used to detect indirect failures, usually in the core. Avoids waiting for the max age timer to expire by querying the switch attached to its RP.
These actions are taken when enabling uplinkfast:
- Increases the switch's bridge priority to 49152
- Sets the port cost to 3000
- Tracks alternate RPs, which are ports in which root hellos are being received.
When a failure has occurred the switch with uplinkfast sends frames with the source set to each of its locally learned MAC addresses to the multicast destination 0100.0CCD.CDCD. This forces the upstream switches to relearn the MAC addresses.
When backbonefast is used (it should be enabled everywhere if used at all) and a hello goes missing, the local switch asks its upstream switch whether there is a failure by using a Root Link Query (RLQ). If the upstream switch has a failure it replies to the local switch, which can then converge to another port without waiting for max age to expire.
Portchannel (Etherchannel)
Used for load balancing and redundancy. Multiple physical links are bundled into one logical link, and STP sees the bundle as one logical port. Load balancing can be done on different fields such as source and destination MAC address, source and destination IP and layer four port numbers. A portchannel can be hardcoded or negotiated with PAgP or LACP. PAgP is Cisco proprietary and LACP is an IEEE standard (802.1AD). PAgP uses the modes auto and desirable (same as DTP) and LACP uses active and passive. To be able to form a portchannel some conditions must be met:
- Same speed and duplex on ports
- If not trunking use the same access VLAN
- If trunking use the same trunk type, allowed VLANs and native VLAN
- On a single switch port costs per VLAN must be the same
- Must not be a port of a span session
Rapid Spanning Tree
- Defined in IEEE 802.1w
- Waits for only three missed hellos on the RP before reacting
- Fewer port states, uses only discarding, learning and forwarding
- Standardization of portfast, uplinkfast and backbonefast
- Allows the use of a backup RP when a switch has multiple links connected to the same shared segment
RSTP link types
Point-to-point – Connects to another switch. Full duplex links are treated as point-to-point.
Shared – The link is shared, connected to a hub or using half duplex.
Edge – Connects a switch to a single end user device.
RSTP port roles
RP – Same as in 802.1D
DP – Same as in 802.1D
Alternate port – Same as in uplinkfast, an alternate port to the RP
Backup port – Backup port for DP, can take over for the DP if the DP fails
Multiple Spanning Tree
Specified in IEEE 802.1s. Allows multiple instances of spanning tree to run (like RSTP) but several VLANs can be mapped to each instance. Relies on RSTP for convergence. A group of switches that use MST is called an MST region. To be part of the same region some parameters must match:
- Globally enable MST with the spanning-tree mode mst command
- Set the name for the region with the name command
- Set a revision number with the revision command
- Map VLANs to the different instances
These parameters must be identical on all switches in the same region. MST can connect to non-MST switches; to the outside world the MST region looks like one switch. MST uses an Internal Spanning Tree (IST) to communicate with the outside switches and to ensure the link between them is loop-free.
Protecting the spanning tree
To protect the spanning tree from choosing the wrong root, or from loops that form on end user ports, there are several protection mechanisms.
BPDU guard – Enabled on ports where switches will never connect (end user ports). If a BPDU is received on the port, the port is put into the error-disabled state. The port will not recover until it is shutdown and then no shutdown, unless error recovery has been configured.
Root guard – Protects the tree from choosing the wrong root through a port, which could happen by accident or because a rogue switch has been connected. If a superior BPDU is received the port is put in the root-inconsistent state, and it recovers when the superior BPDUs cease.
UDLD – UniDirectional Link Detection is used to detect unidirectional links, which can lead to loops and loss of network connectivity. UDLD has a normal mode and an aggressive mode. The normal mode can detect mis-connected fibre strands but can not detect unidirectional links where the interfaces are connected correctly.
Loop guard – When BPDUs are no longer received on a blocked port, instead of moving to forwarding the port ends up in the loop-inconsistent state.
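A small state-machine model of how BPDU guard, root guard and loop guard react to the events described above, added here as an example; it is not code from the original notes and not IOS configuration. The port names are constructed, and the plain 802.1D behaviour of a silent blocked port (moving to forwarding) is included so the loop guard case can be compared against it.

```python
# Added example: models the port reactions described for BPDU guard, root guard and
# loop guard. Port names are constructed; this is a model of behaviour, not IOS code.
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    state: str = "forwarding"
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    errdisable_recovery: bool = False   # "errdisable recovery" configured or not

    def receive_bpdu(self, superior: bool) -> str:
        """A BPDU arrives; 'superior' means it advertises a better root than ours."""
        if self.bpdu_guard:
            # Any BPDU on an end user port: shut the port down.
            self.state = "err-disabled"
        elif self.root_guard and superior:
            # A would-be root behind this port is refused, but not permanently.
            self.state = "root-inconsistent"
        elif self.state == "root-inconsistent" and not superior:
            # Superior BPDUs have ceased; the port recovers by itself.
            self.state = "forwarding"
        return self.state

    def bpdus_stopped(self) -> str:
        """No BPDUs heard on the port for longer than max age."""
        if self.loop_guard:
            # Silence on a blocked port is treated as a possible unidirectional link.
            self.state = "loop-inconsistent"
        else:
            # Plain 802.1D: a blocked port that hears nothing moves towards forwarding,
            # which is exactly how a unidirectional link turns into a loop.
            self.state = "forwarding"
        return self.state

    def shut_no_shut(self) -> str:
        """Manual shutdown / no shutdown clears err-disabled."""
        if self.state == "err-disabled":
            self.state = "forwarding"
        return self.state

    def recovery_timer_expired(self) -> str:
        """Automatic recovery only if errdisable recovery is configured."""
        if self.state == "err-disabled" and self.errdisable_recovery:
            self.state = "forwarding"
        return self.state


def run_scenarios():
    """Walk each guard through the event it protects against; returns the end states."""
    edge = Port("Gi0/1", bpdu_guard=True)
    edge.receive_bpdu(superior=False)          # a switch was plugged into a user port
    uplink = Port("Gi0/2", root_guard=True)
    uplink.receive_bpdu(superior=True)         # a rogue root appears behind the uplink
    blocked = Port("Gi0/3", state="blocking", loop_guard=True)
    blocked.bpdus_stopped()                    # hellos vanish on the blocked port
    unprotected = Port("Gi0/4", state="blocking")
    unprotected.bpdus_stopped()                # same event without loop guard
    return {p.name: p.state for p in (edge, uplink, blocked, unprotected)}


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(name, state)
```

The comparison between Gi0/3 and Gi0/4 is the whole argument for loop guard: without it a blocked port that stops hearing BPDUs becomes a forwarding port, with it the port stays out of the data plane until BPDUs return.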
Private VLANs
Commonly used in SP networks to put users in a common subnet without direct forwarding of packets between customers in the same VLAN. Security is enforced by forcing traffic to go through the router instead of being switched locally. There are three types of VLANs: the primary VLAN, community VLANs and the isolated VLAN. The primary VLAN can talk to all the other VLANs, a community VLAN can talk to the primary VLAN and to other ports in the same community VLAN, and the isolated VLAN can only talk to the primary VLAN.
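The private VLAN forwarding rules from the paragraph above, written out as a check function with a constructed set of hosts, as an added example that is not part of the original notes. It makes the isolation property explicit: the only path between two customers is via the primary VLAN, i.e. the router.

```python
# Added example: private VLAN forwarding rules as a function. VLAN numbers and host
# names below are constructed sample data.
PRIMARY, COMMUNITY, ISOLATED = "primary", "community", "isolated"


def pvlan_can_talk(src, dst):
    """src and dst are (vlan_type, vlan_id); True if the switch forwards between them."""
    stype, sid = src
    dtype, did = dst
    if stype == PRIMARY or dtype == PRIMARY:
        return True    # the primary VLAN (where the router sits) talks to everyone
    if stype == COMMUNITY and dtype == COMMUNITY and sid == did:
        return True    # members of the same community see each other
    return False       # isolated hosts and different communities never talk directly


def pvlan_matrix(hosts):
    """Reachability between every pair of hosts, {(a, b): bool}."""
    return {(a, b): pvlan_can_talk(hosts[a], hosts[b])
            for a in hosts for b in hosts if a != b}


# Constructed hosts: a router in the primary VLAN, two communities and two isolated hosts.
HOSTS = {
    "router": (PRIMARY, 100),
    "custA-1": (COMMUNITY, 101),
    "custA-2": (COMMUNITY, 101),
    "custB-1": (COMMUNITY, 102),
    "iso-1": (ISOLATED, 103),
    "iso-2": (ISOLATED, 103),
}

if __name__ == "__main__":
    for (a, b), ok in sorted(pvlan_matrix(HOSTS).items()):
        print(f"{a:8} -> {b:8} {'allowed' if ok else 'blocked'}")
```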
Virtual Trunking Protocol
VTP is used for provisioning VLANs to switches in the same VTP domain. Switches can be servers, clients or transparent. Servers are responsible for sending the VLANs to the clients; VLANs can be created on the servers but not on the clients. The clients receive VLANs from the servers. Switches in transparent mode only forward VTP messages and do not use the information contained within them. Transparent switches can create VLANs locally.
VTP uses a revision number to keep track of changes in the database. When a VLAN is added, modified or deleted the revision number increases by one. A higher revision number indicates a newer database. Under the right circumstances a client can originate an update, and if it carries a higher revision number than the servers have, all the VLAN information in the domain is replaced. This is the major flaw with VTP and the reason why most engineers stay away from it.
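A simulation of the revision-number behaviour described in the two paragraphs above, added as an example that is not code from the original notes. Switch names, the domain name and the VLAN numbers are constructed. It shows a switch with a stale but higher revision overwriting the server's database, and a transparent switch staying untouched.

```python
# Added example: simulates VTP revision handling, including the database overwrite the
# notes warn about. Switch names, domain name and VLANs are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str             # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: set = field(default_factory=set)

    def create_vlan(self, vlan_id):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1    # every add/modify/delete bumps the revision
        # transparent switches keep a local database and do not advertise it

    def advertisement(self):
        return {"domain": self.domain, "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement; returns True if the local database was replaced."""
        if adv["domain"] != self.domain or self.mode == "transparent":
            return False          # other domain, or transparent: forward only, never apply
        if adv["revision"] > self.revision:
            self.vlans = set(adv["vlans"])   # higher revision wins, even on a server
            self.revision = adv["revision"]
            return True
        return False


def propagate(sender, receivers):
    """Flood one advertisement; returns the names of switches whose database changed."""
    adv = sender.advertisement()
    return [sw.name for sw in receivers if sw.receive(adv)]


def overwrite_scenario():
    """A switch with a higher revision joins the domain and replaces every database."""
    core = VtpSwitch("core1", "server", "CORP", revision=5, vlans={10, 20, 30})
    access = VtpSwitch("acc1", "client", "CORP", revision=5, vlans={10, 20, 30})
    edge = VtpSwitch("edge1", "transparent", "CORP", revision=0, vlans={10, 20, 30})
    stray = VtpSwitch("lab1", "client", "CORP", revision=9, vlans={1})
    changed = propagate(stray, [core, access, edge])
    return changed, core.vlans, edge.vlans


if __name__ == "__main__":
    changed, core_vlans, edge_vlans = overwrite_scenario()
    print("databases replaced on:", changed)
    print("core VLANs now:", core_vlans, "| transparent edge keeps:", edge_vlans)
```

Note that the stray switch is a client: it cannot create VLANs, yet its higher revision number is enough for the servers to accept its database, which is the flaw the notes describe. The transparent switch is the only one that keeps its VLANs.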
VLANs on trunk
Active – VLAN is allowed, can be added or removed with switchport trunk allowed vlan add/remove
Allowed and active – Allowed on trunk and VLAN exists in configuration, if PVST+ is used STP is active for VLAN
Active and not pruned – Same as “allowed and active” but removes VTP pruned VLANs
Switchport mode trunk – Sets the interface to always trunk, but DTP is still active
Switchport nonegotiate – Disable sending of DTP frames
Switchport mode dynamic desirable – Trunk if other end is set to trunk, desirable or auto
Switchport mode dynamic auto – Trunk if other end is set to trunk or desirable
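The DTP negotiation rules in the list above as a check function, added as an example that is not part of the original notes. It goes one step beyond the list in handling nonegotiate: with DTP frames suppressed, a port only trunks with a neighbour that is statically set to trunk, so a nonegotiate trunk facing a dynamic port ends up with a one-sided trunk.

```python
# Added example: does a trunk form between two ports, given their switchport modes?
# Follows the DTP rules in the notes; the nonegotiate handling is an addition based on
# how DTP works without negotiation frames. Port modes below are constructed examples.
TRUNK, DESIRABLE, AUTO, ACCESS = "trunk", "dynamic desirable", "dynamic auto", "access"


def forms_trunk(a, b):
    """a and b are (mode, nonegotiate) tuples for the two ends of the link."""
    (mode_a, noneg_a), (mode_b, noneg_b) = a, b
    if ACCESS in (mode_a, mode_b):
        return False                          # an access port never trunks
    if noneg_a or noneg_b:
        # No DTP frames from at least one side: the dynamic side never hears an offer,
        # so both ends must be statically configured as trunk.
        return mode_a == TRUNK and mode_b == TRUNK
    if TRUNK in (mode_a, mode_b):
        return True                           # trunk negotiates with trunk, desirable, auto
    if DESIRABLE in (mode_a, mode_b):
        return True                           # desirable negotiates with desirable or auto
    return False                              # auto/auto: both wait, nobody asks


def one_sided_trunk(a, b):
    """True when one end sends tagged frames while the other is not trunking."""
    (mode_a, _), (mode_b, _) = a, b
    return not forms_trunk(a, b) and TRUNK in (mode_a, mode_b)


if __name__ == "__main__":
    cases = [
        ((AUTO, False), (AUTO, False)),
        ((DESIRABLE, False), (AUTO, False)),
        ((TRUNK, True), (TRUNK, False)),
        ((TRUNK, True), (DESIRABLE, False)),
    ]
    for x, y in cases:
        print(x, y, "->", "trunk" if forms_trunk(x, y) else "no trunk",
              "(one-sided)" if one_sided_trunk(x, y) else "")
```

The auto/auto case is why dynamic auto on user-facing ports is worth checking: such a port still answers a neighbour that asks, which is the point of setting end user ports to access with nonegotiate.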
PPPoE client
Uses an eight byte header. Earlier a common method for DSL access, but no longer widely used (at least not in Sweden). Assign the outside interface to a dial pool with pppoe-client dial-pool-number 1 and use the command pppoe enable. Create the interface dialer 1 and set ip address negotiated to receive the IP address from the ISP. Set the encapsulation to PPP and configure authentication if needed. Assign dialer pool 1 and dialer-group 1 to the dialer interface. Use a dialer-list to specify which traffic is allowed to activate the dialer interface. The static default route should point to the dialer interface.