Daniels networking blog

Electing the root

Only one switch can be the root bridge. From the start all switches announce themselves as the root, when a switch hears of a superior BPDU it stops announcing itself as the root and instead forwards the superior BDPUs. The switch with the lowest priority will be elected the root, the priority can range from 0 to 65535 where lower is better. If there is a tie in priority the lowest MAC address will decide which bridge becomes the root.

Electing a root port

The port with the lowest cost to the root will be elected the root port. The switch adds its incoming cost on an interface when receiving BPDU hellos. If there is a tie in cost these are the tie breakers.

1. Pick the lowest value of the forwarding switch’s bridge ID
2. Use the lowest port priority of the neighboring switch.
3. Use the lowest internal port number of the forwarding switch.

Note that if multiple links exist between two switches the ID will be the same and port priority may be the same but the port number will always differ.

Electing a designated port

For every segment there can only be one designated port and one designated switch. The switch that sends a hello with the lowest path cost will be the designated port. If there is a tie the same tie breakers as for electing a root port will be used.

STP normal behaviour

The root switch generates hello packets every two seconds. Each non root switch receives the hello on its root port. Each switch updates and forwards the hello out of its designated ports. On each blocked port the switch will receive a copy of the hello from the designated switch on the segment. Hellos are not forwarded out blocking ports.

Changes in the topology

If there is a change in the topology the switch needs to notify the other switches about the change. It will send a TCN BPDU out its root port, it will repeat this message every hello time until acknowledged. The next switch receiving the BPDU will send back an acknowledgement via the next forwarded hello message and set the Topology Change Acknowledgement (TCA) bit. Eventually the TCN will reach the root which will then send hellos with the TC flag set on the next hellos. When the switches receive hellos with TC set they know they should age out their Content Addressable Memory (CAM) tables. This takes 15 seconds default (forward delay timer).

802.1D port states

• Blocking
• Listening
• Learning
• Forwarding

Taking a port from blocking to forwarding takes between 30 to 50 seconds. If there is an intermediate failure max age has to expire first (20 seconds). After that the port will be listening for 15 seconds (forward delay), if it hears no BPDUs it will move to learning and stay there for 15 seconds. Finally the port will be forwarding. The switch doesn’t learn any MAC addresses until it is in the learning state.

Making a switch the root

The switch that should become the root can be configured with spanning tree vlan vlan-id root primary. If the current root has a higher priority than 24576 the switch sets 24576 as its priority. If the current root has a lower value than 24576 the switch sets its priority to 4096 lower than the current value. Note that the value can not be zero when using this command. If the current root has a priority of 4096 this command will fail. Setting the priority to zero is a safer bet to make sure the root doesn’t change. This command can also be used with the secondary option, this sets the priority to 28672. The second best switch might already have a lower priority than this but there is no way of knowing this from the show spanning tree output.

Spanning tree enhancements

Portfast – Immiediately transitions a port into forwarding mode. Should be set on end user ports. Make sure no switches will ever connect to this port.
Uplinkfast – Used on access layer switches with multiple uplinks to distribution/core. If RP is lost immediately switch to other port as RP and start forwarding. Also notifies other switches to flush their CAM tables.
Backbonefast – Used to detect indirect failures, usually in the core. Avoids waiting for the maxage timer to expire, queries the switch attached to its RP.

These actions are taken when enabling uplinkfast:

• Increases the root priority to 49152
• Sets the port cost to 3000
• Tracks alternate RPs, which are ports in which root hellos are being received.

When a failure has occured the switch with uplinkfast sends frames with the source of its locally learned MAC addresses to the multicast destination 0100.0CCD.CDCD. This forces the upstream switch to relarn the MAC addresses.

When backbonefast is used (should be enabled everwhere if used) then when a hello goes missing the local switch ask its upstream if there is a failure by using a Root Link Query (RLQ). If the upstream has a failure it can reply to the local switch which can now converge to another port without waiting for maxage to expire.

Portchannels

Used for loadbalancing and redundancy. Multiple physical links bundled to one logical link, STP will see the port as one logical link. Can loadbalance on different fields like source and destination MAC address, source and destination IP and layer four port numbers. Can be hardcoded to form a portchannel or use PAgP or LACP. PAgP is Cisco proprietary and LACP is an IEEE standard (802.1AD). PAgP uses the modes auto and desirable (same as DTP) and LACP used active and passive. To be able to form a portchannel some conditions must be met:

• Same speed and duplex on ports
• If not trunking use the same access VLAN
• If trunking use the same trunk type, allowed VLANs and native VLAN
• On a single switch port costs per VLAN must be the same
• Must not be a port of a span session

Rapid Spanning Tree

Defined in IEEE 802.1W
Waits for only three missed hellos on RP before reacting
Fewer portstates, uses only discarding, learning and forwarding
Standardization of portfast, uplinkfast and backbonefast
Allows the use of backup RP when a switch has multiple links connected to the same shared segment.

RSTP link types

Point-to-point – Connects to another switch. Full duplex links are treated as point-to-point.
Shared – The link is shared, connected to a hub or using half duplex.
Edge – Connects a switch to a single end user device.

RSTP port roles

RP – Same as in 802.1D
DP – Same as in 802.1D
Alternate port – Same as in upinkfast, alternate port to RP
Backup port – Backup port for DP, can take over for the DP if the DP fails

Multiple Spanning Tree

Specified in IEEE 802.1S. Allows multiple instaces of spanning tree to run (like RSTP) but can have several VLANs mapped to every instance. Relies on RSTP for convergence. A group of switches that use MST is called an MST region. To be part of the same region some parameters must match:

• Globally enable MST with the spanning-tree mode mst command
• Set the name for the region with the name command
• Set a revision number with the revision command
• Map VLANs to the different instances

These parameters must be identical on the switches in the same region. MST can connect to non MST switches and to the outside world the MST region will be looked at as if it was one switch. MST uses an Internal Spanning Tree (IST) to communicate with the outside switches and ensure the link between is loop-free.

Protecting the spanning tree

To protect the spanning tree from choosing the wrong root or loops that form on end use ports there are some ways of protecting the spanning tree.

BPDU guard – Enabled on ports where switches never will connect (end user ports). If a BPDU is received on the port the port is put into error-disabled state. The port will not recover until the port is shutdown and then no shutdown unless error recovery has been configured.
Root guard – Protects from choosing the wrong RP, could happen by accident or a rougue switch has been connected. If a superior BPDU is received the port is put in the root-inconsistent state and will recover when the superior BPDUs ceases.

UDLD – UniDirectional Link Detection is used to detect unidirectional links which can leed to loops and loss of network connectivity. UDLD has a normal mode and aggressive mode. The normal mode can detect misconnect fibre strands but can not detect unidirectional links where interfaces are connected correctly.

Loop-guard – When BPDUs are no longer received on a port instead of going into forwarding mode the port ends up in a loop-inconsistent mode.