Saturday 16 June 2018

STP (Spanning Tree Protocol)

INTRO TO SPANNING TREE:
  • To see the current STP configuration: #show run section span
  • To configure STP: #spanning-tree mode rstp
    • There are many modes of spanning tree, but legacy STP is unsupported. Only Rapid STP is supported.
    • To run STP per VLAN: #spanning-tree mode r-pvst //don’t use this, use rstp itself
  • #show spanning-tree detail
  • If we tcpdump the interface (et 18), we see some frames with the same source MAC address (this is the physical interface’s MAC address, not the switch’s system MAC; so the interface MAC is what is used for L2 communication) and a multicast destination MAC address (one assigned to Spanning Tree, as Wireshark labels it). These frames are called BPDUs (Bridge Protocol Data Units).
    • BPDU stands for Bridge Protocol Data Unit. BPDUs are data messages exchanged between the switches of an extended LAN that runs a spanning tree protocol topology. A BPDU carries information on ports, addresses, priorities and costs, and ensures that data ends up where it was intended to go. BPDUs are exchanged between bridges to detect loops in the network topology; the loops are then removed by shutting down selected bridge interfaces and placing redundant switch ports in a backup, or blocked, state.
  • To see a port’s MAC address, use (config)#show interface et 19
  • The format of a BPDU is:
    • Protocol Identifier: STP
    • Version: Rapid
    • BPDU flags: “tell whether it is a forwarding or blocked port”
    • Root Identifier: “the system MAC of the switch that is taken as the root for the STP calculation”
    • Root Path Cost: “the cost from the current switch (the one sending the configuration message) to the root switch”
    • Bridge Identifier: “the MAC address of the current switch”
    • Port Identifier: “the current port from which the configuration message was sent. Eg) et 18”
  • Each link has a cost. The higher the bandwidth, the lower the cost.
  • Steps:
    • First, each switch looks at its own MAC address and sends a BPDU with its own MAC address as both the Root Identifier and the Bridge Identifier.
    • Then, from all the BPDUs received from all the switches, the switch with the lowest MAC address is taken as root. This information is shared with all the switches, and each changes its Root Identifier if a lower MAC address appears in another switch’s BPDU. For example, in the figure, switch A is taken as the root because it has the lowest MAC.
    • Also, when B sends BPDUs with B as the Root Identifier, the cost will be 0. Then, after it learns that A is the root bridge, it sends a cost of 10. It also sends BPDUs in every direction other than towards the root bridge (this is compulsory for all switches).
    • Note: the order in which the port to be blocked is decided:
      • 1. The higher-cost path is blocked.
      • 2. The port whose uplink has the higher MAC address is blocked.
      • 3. The port whose uplink has the higher port number is blocked.
  • To check the current spanning-tree root bridge: (conf)#show spanning-tree
  • To force a switch to become root, set its priority to zero: (conf)#spanning-tree priority 0. The max value is 65536. The default value is 32768 (half of the max priority).
  • Reason why the priority should be a multiple of 16:
    • Initially, we had 1 byte for the port number and 1 byte for the priority.
    • But 256 ports were not enough after some time, so we borrowed 4 bits from the priority for the port number.
    • So only 4 bits are left for the priority, and the lowest of them has the value 16. Hence, any change must be in multiples of 16.
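Worked example of the election and the blocking tie-break order described in the steps above (added here; not from the original notes). It models one switch, B, hearing BPDUs from its neighbours; the bridge IDs and the default RSTP path costs are constructed/assumed, and it extends the page's two-switch picture to several ports so the blocked roles are visible:

```python
from collections import namedtuple

# A received configuration BPDU reduced to the fields the election uses. A bridge ID is
# (priority, mac); the lower value wins, comparing the priority first and the MAC second.
Bpdu = namedtuple("Bpdu", "root_id root_path_cost sender_id sender_port_id")

def bid_key(bid):
    priority, mac = bid
    return (priority, int(mac.replace(":", ""), 16))

# Default 802.1D-2004 (RSTP) path costs by link speed in Mb/s: higher bandwidth, lower cost.
PATH_COST = {100: 200_000, 1000: 20_000, 10_000: 2_000}

def elect(my_id, heard):
    """heard maps a local port number to (link_speed_mbps, Bpdu received on that port).
    Returns (root_id, root_port, my_root_path_cost, {port: role})."""
    # Steps 1-2: every switch first claims to be root; the lowest bridge ID seen anywhere wins.
    root = min([my_id] + [b.root_id for _, b in heard.values()], key=bid_key)
    if root == my_id:
        return root, None, 0, {p: "designated" for p in heard}   # the root forwards on every port
    # Step 3: the root port is the best path to the root, tie-broken in the page's order:
    # lowest total cost, then lowest uplink bridge ID, then lowest uplink port ID.
    paths = {p: (b.root_path_cost + PATH_COST[speed], bid_key(b.sender_id), b.sender_port_id, p)
             for p, (speed, b) in heard.items() if b.root_id == root}
    my_cost, _, _, root_port = min(paths.values())
    roles = {root_port: "root"}
    for port, (_, b) in heard.items():
        if port == root_port:
            continue
        # On every other segment, compare the neighbour's offer (its cost to root, its bridge ID)
        # with what we would advertise; the loser is blocked (discarding), the winner is designated.
        neighbour_offer = (b.root_path_cost, bid_key(b.sender_id))
        if b.root_id == root and neighbour_offer < (my_cost, bid_key(my_id)):
            roles[port] = "alternate (discarding)"
        else:
            roles[port] = "designated"
    return root, root_port, my_cost, roles

# Constructed topology (made-up MACs): all bridges keep the default priority 32768, so A wins on MAC.
A, C = (32768, "00:1c:73:00:00:01"), (32768, "00:1c:73:00:00:03")
B, D = (32768, "00:1c:73:00:00:0b"), (32768, "00:1c:73:00:00:0d")
# What B hears once A's claim has propagated: two links to A (1G and 100M), one each to C and D.
HEARD_BY_B = {
    1: (1000, Bpdu(A, 0, A, 0x8001)),
    4: (100,  Bpdu(A, 0, A, 0x8004)),       # slower link to the root: higher cost, gets blocked
    2: (1000, Bpdu(A, 20_000, C, 0x8002)),  # same cost as B but C has the lower MAC: B's side blocked
    3: (1000, Bpdu(A, 20_000, D, 0x8003)),  # D has the higher MAC: B's side is designated
}
print(elect(B, HEARD_BY_B))  # root A, root port et1 at cost 20000; et4 and et2 discarding, et3 designated
```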
PORT IDENTIFIER FORMAT:

    • Similarly, for the same reason, the maximum number of VLANs is 4096, due to a similar layout in the BRIDGE IDENTIFIER format, where
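Added example (not part of the original notes): a parser for the RSTP BPDU layout listed above. It decodes the bridge and port identifiers into their priority and number fields, which is exactly why priorities step in 16s (port ID) and the VLAN field tops out at 4096 (bridge ID). The sample frame and its MAC addresses are constructed; decoding captured BPDUs this way is how you confirm which bridge is claiming root, and on which port, before trusting the topology.

```python
import struct
from dataclasses import dataclass

# RSTP (IEEE 802.1w) BPDU body as it follows the LLC header (DSAP/SSAP 0x42, control 0x03):
# protocol id, version, type, flags, root id, root path cost, bridge id, port id,
# message age, max age, hello time, forward delay, version-1 length. Network order, 36 bytes.
BPDU_FMT = "!HBBB8sI8sHHHHHB"
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}

@dataclass
class BridgeId:
    priority: int       # upper 4 bits of the 16-bit field, so it moves in steps of 4096
    system_id_ext: int  # lower 12 bits; carries the VLAN in per-VLAN variants, hence max 4096
    mac: str

def decode_bridge_id(raw):
    field = int.from_bytes(raw[:2], "big")
    return BridgeId((field >> 12) << 12, field & 0x0FFF, raw[2:].hex(":"))

def decode_port_id(field):
    # 4-bit priority (steps of 16) plus 12-bit port number: the "borrowed 4 bits" described above.
    return ((field >> 12) << 4, field & 0x0FFF)

def parse_rstp_bpdu(pkt):
    (proto, version, bpdu_type, flags, root, cost, bridge, port_id,
     msg_age, max_age, hello, fwd_delay, _v1_len) = struct.unpack(BPDU_FMT, pkt[:36])
    if proto != 0 or bpdu_type != 0x02:
        raise ValueError("not a Rapid Spanning Tree BPDU")
    return {
        "version": version,
        # flag bits: 0 TC, 1 proposal, 2-3 port role, 4 learning, 5 forwarding, 6 agreement, 7 TCA
        "topology_change": bool(flags & 0x01), "proposal": bool(flags & 0x02),
        "port_role": PORT_ROLES[(flags >> 2) & 0x03],
        "learning": bool(flags & 0x10), "forwarding": bool(flags & 0x20), "agreement": bool(flags & 0x40),
        "root": decode_bridge_id(root), "root_path_cost": cost,
        "bridge": decode_bridge_id(bridge), "port_id": decode_port_id(port_id),
        # timers are carried on the wire in units of 1/256 s
        "message_age_s": msg_age / 256, "max_age_s": max_age / 256,
        "hello_s": hello / 256, "forward_delay_s": fwd_delay / 256,
    }

# Constructed sample (made-up MACs): a designated port with the TC bit set, sent by a bridge with
# priority 32768 on VLAN 1 from port 18, claiming root 00:1c:73:00:00:0a (priority 0) at cost 20000.
SAMPLE = struct.pack(BPDU_FMT, 0, 2, 0x02, 0x3D,
                     bytes.fromhex("0000001c7300000a"), 20000,
                     bytes.fromhex("8001001c7300000b"), 0x8012,
                     1 * 256, 20 * 256, 2 * 256, 15 * 256, 0)

if __name__ == "__main__":
    for name, value in parse_rstp_bpdu(SAMPLE).items():
        print(f"{name:>16}: {value}")
```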


Legacy STP or Common STP:

  • Older version, not used much now.
  • There are 3 timers: Hello (2 sec), Forward Delay (15 sec), Max Age (20 sec). Thus, a minimum of 32 seconds is taken to create a converged topology.
  • There are 3 states:
    • Blocking: the interface does not participate in frame forwarding.
    • Listening: the first transitional state after blocking, entered when the spanning tree determines that the interface should participate in frame forwarding.
    • Learning: the interface prepares to participate in frame forwarding.
    • Forwarding: the interface forwards frames to other switches.
  • Once the topology has converged and the topology at one switch then changes, that switch sends a TCN (Topology Change Notification) BPDU. The TCN is resent every 2 sec until the switch receives an acknowledgement from the root.
  • In CSTP, only the root bridge can generate a BPDU. The others only relay it; hence it is called relayed.
  • We can see the number of topology changes in the last X seconds using (config)#show spanning-tree detail
  • To stop this unnecessary TCN and flushing process, we can configure spanning-tree port-fast on the ports where hosts are connected. Since hosts do not participate in STP, there is no need to send a TCN when a host is connected or removed.
  • Even if we enable port-fast on a port where a switch is connected, both switches will still send BPDUs, so the topology converges and the command is effectively overridden. But during the convergence we will have a loop for some time.
  • If we enable BPDU guard and a BPDU arrives on a FastPort, the switch immediately error-disables that port. Use #show interface status error-disabled to see the reason why a port was disabled.
  • BPDU filter is used to control BPDUs in and out of a port, for example if we don’t want to expose BPDUs to the other devices connected on that port.
  • The root guard feature provides a way to enforce the root bridge placement in the network.
    • Root guard ensures that the port on which it is enabled is a designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.
    • If the bridge receives superior STP BPDUs on a root-guard-enabled port, root guard moves that port to a root-inconsistent STP state. This root-inconsistent state is effectively equal to a listening state: no traffic is forwarded across the port. In this way, root guard enforces the position of the root bridge.

RSTP:

  • Port roles:
    • EDGE: connected to a host
    • ALTERNATE: state is discarding, i.e. blocked (alternate path to the root)
    • BACKUP: state is discarding, i.e. blocked (backup path to a designated port)
    • ROOT: connected to the root bridge
    • DESIGNATED: connected to a non-root bridge
  • If the topology changes after convergence:
    • There is no TCN BPDU in RSTP.
    • Instead, the normal BPDU is used with the TC (Topology Change) bit set, and sent to the other switches.
    • Note that this BPDU is sent only by the switch that notices the topology change, on all of its forwarding ports (i.e. both root and designated) to the other switches.
    • After this, the entire MAC address table is NOT cleared. Only the entries learnt on the designated ports are cleared and relearnt.
  • To set the maximum time a BPDU stays valid: #span max-age <time in sec, e.g. 10>. Similarly, we have max-hops, the maximum number of hops a BPDU can travel (max-hops is shown in Wireshark as message age).
  • Indicators to notice a loop:
    • One is seeing MAC flapping in #show mac-address table
    • Another is checking an interface with #show interface et19 status. If we see a very high number of broadcasts compared to unicasts, then looping is happening.
  • Note: One easy way to make a switch the root is by changing its priority. It can be done automatically using the command #span root primary (OR) #span priority <priority_number>



(Q) Configuring MT701 to MT705.

Mn431        #int et 43

             #ip address 10.1.10.1/24

MT701        #span mode rstp

             #span priority 0 //setting it as root bridge

------------

MT702        #int et 1/1, 1/2, 1/3

             #span cost 8000   //If it checks the cost, then et 1/4 will have the lowest cost. Hence, it will become the root port

-----

MT702        #terminal monitor //use this on the switch where we are going to configure BPDU guard

             #show log

MT701        #int et 20

             #span bpdufilter enable

MN701        #ping  //to send broadcasts

MT702        #watch diff show int et 1/3 //we see a very high broadcast count, which shows that there is looping

             (OR) #watch diff show int et 1/3 counters //this command shows unicast, multicast and broadcast counters separately

             #int et 1/3

             #span bpduguard enable //enabling the BPDU guard

MT701        #int et 20

             #no span bpdufilter enable //disabling BPDU filter on port 20 of MT701

MT702        #show int status //we will see that interface et 1/3 is shown as error-disabled due to BPDU guard, which disabled it because of the broadcasts

             #show int et 1/3 status error //we can see the reason for the error-disabled state, shown as bpduguard

-------

MT704        #int et 19

        #shutdown

        #no shutdown

In another computer,

MT704        #watch diff show span //we can see how fast a port changes from alternate to root and back to the original again

MT704        #watch diff show span detail //we can see the number of topology changes and the time

In another computer,

MT704        #tcpdump int et 20

------

MT701        #watch diff show mac add //we will see that only the MAC addresses on designated ports are cleared. The MAC addresses on the root port are unaffected.

MT702        #int et1/1

             #shut //we will see that the MAC table on MT701 is cleared for interface et 19 (since et 19 is connected to 1/1)

             #no shut

-------

MT702        #int et 1/2

             #span guard root

MT704        #span priority 0

//thus, MT702 now gets a superior BPDU from the new root bridge MT704. But it already believes MT701 is the root bridge

MT702        #show span //it shows an inconsistent state on et 1/2 since we configured root guard. Had we not configured it, this port would have become the root port and MT704 would have become the root bridge.

-------

MT701        #int et23

             #span fastport auto

MN431        #ping 10.1.10.2

In another computer, first type this and watch:

MT701        #logging console 7

             #logging monitor debugging

             #terminal monitor

//these commands display the debugging output and changes on the monitor (no need to use show logging separately)

MT701        #int et 23

             #shut

             #no shut

//we will see in the debugging output that it takes around 20 seconds to move the port to listening and then to designated.

MT701        #int et23

             #span fastport edge

 & repeat the above steps   // we will see that the transition only takes 1 second.

--------

ASSIGNMENT QUESTIONS:

  1. Diameter of spanning tree = 7 (using the default configuration of IEEE 802.1D). If we tune the timers, it is possible to increase the diameter.

  2. Problem with RSTP: Counting to Infinity
     http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf

  3. RSTP Sync Process: Proposal and Agreement
     http://blog.ine.com/wp-content/uploads/2011/11/understanding-stp-rstp-convergence.pdf

  4. Difference between STP and RSTP:
     https://cciethebeginning.wordpress.com/2008/11/20/differences-between-stp-and-rstp/
