Everything Spanning-Tree Protocol
The point of Spanning Tree Protocol (STP) is to prevent L2 loops in the local network. Since switches forward and flood frames based on MAC address in a LAN, there needs to be a way to control this process instead of switches pumping frames around without any regard. Without this protocol, you would likely have constant looping of frames between switches that eats up bandwidth and processing time, and the looping frames never age out because an Ethernet frame carries no TTL. STP can be disabled to verify such behavior, but of course that is not recommended in a production environment.
Every switch in the LAN is a player in STP. However, there is at least one key piece – sometimes two – that ensures the topology stays loop-free at the L2 level:
Primary root bridge: The main and most important switch in the STP topology. It essentially dictates the STP topology when configured and affects how and which ports on neighboring switches will be set as forwarding, alternate, or blocked. The root bridge is on a per-VLAN basis, or applies to all VLANs, and therefore has all ports as forwarding for that VLAN.
Secondary root bridge: Takes over as the root bridge for one or ALL VLANs if the root fails.
Root Bridge Election
Election by default is based on switch MAC address. The winner of an election is like the winner of a golf tournament – lowest score is the best.
There are a few ways to decide which switch will become the primary and secondary root:
1. By using the default MAC address of a switch for a VLAN
2. By setting the priority for a VLAN.
3. By explicitly setting a switch as primary and a neighbor as secondary (the easiest and most effective method)

Based on this configuration, we can see that S1 is the root for VLAN 1. The top of the output shows the root bridge's priority and MAC address, and the bottom shows this switch's own priority and MAC address. Since they are the same, and the output says "this bridge is the root," this switch is the root.
This output shows that on VLAN 10, however, this switch is not the primary bridge, because its priority value is higher than the root's (the lowest value wins). Priority values come in increments of 4096: 4096 (best), 8192, 12288, and so on. The maximum value is 61440.
Furthermore, the priority shown for a VLAN is always the configured value, such as 28672, plus the VLAN number. This means you can always recover the VLAN number from the displayed priority: 28672 + 10 (VLAN 10) = VLAN priority 28682.

Lastly, we can set a root bridge as primary and secondary based on the commands:
# spanning-tree vlan 10 root primary
and
# spanning-tree vlan 10 root secondary
It's important to note that when you explicitly set a switch as primary or secondary for a VLAN, it is given a priority of 24576 (primary) or 28672 (secondary). These values are not firm: setting another switch to a priority lower than this will make THAT switch the new root bridge. Also, if priority values tie, such as at the default of 32768, the MAC address is the tie breaker.
Note as well that as each primary switch dies, the secondary becomes the new primary and a new secondary is established. This process continues until there is only one switch left.
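The election and the priority arithmetic described above, as an added example that is not part of the original notes. It assumes a constructed set of four switches with made-up MAC addresses, computes each one's per-VLAN priority (configured priority plus VLAN ID) and picks the root the way the notes describe: lowest priority, then lowest MAC.

```python
PRIORITY_STEP = 4096
ROOT_PRIMARY = 24576     # priority given by "spanning-tree vlan X root primary"
ROOT_SECONDARY = 28672   # priority given by "spanning-tree vlan X root secondary"
DEFAULT_PRIORITY = 32768

# Constructed sample: name -> (configured priority, switch MAC). Not real devices.
SWITCHES = {
    "S1": (ROOT_PRIMARY, "0019.5600.1a00"),
    "S2": (ROOT_SECONDARY, "0019.5600.0b00"),
    "S3": (DEFAULT_PRIORITY, "0019.5600.0c00"),
    "S4": (DEFAULT_PRIORITY, "0019.5600.0300"),
}

def bridge_priority(base: int, vlan: int) -> int:
    """Per-VLAN priority as shown by 'show spanning-tree': base priority + VLAN ID."""
    if base % PRIORITY_STEP or not 0 <= base <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return base + vlan

def split_priority(shown: int) -> tuple:
    """Recover (configured priority, VLAN ID) from a displayed value such as 28682."""
    return shown - shown % PRIORITY_STEP, shown % PRIORITY_STEP

def elect_root(switches: dict, vlan: int) -> str:
    """Lowest (per-VLAN priority, MAC) wins; a priority tie falls to the lowest MAC."""
    def key(item):
        base, mac = item[1]
        return (bridge_priority(base, vlan), int(mac.replace(".", ""), 16))
    return min(switches.items(), key=key)[0]

def failover_order(switches: dict, vlan: int) -> list:
    """Order in which switches become root as each current root fails in turn."""
    remaining, order = dict(switches), []
    while remaining:
        root = elect_root(remaining, vlan)
        order.append(root)
        del remaining[root]
    return order
```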
Root Port Election
The root port is the most important port on a switch; it has the most functionality and is responsible for pushing packets toward the root. Root port selection usually occurs on a per-VLAN basis, but it can also be per switch. In this scenario it is per VLAN.
Root ports exist only on non-root switches and are chosen as the ports deemed "closest" to the root. In the case of S1, port fa0/22 has been declared the root port by STP – we have multiple paths to the root, so the port with the lowest cost becomes the root port.
STP port costs
- 10 Gbps: 1
- 1 Gbps: 4
- 622 Mbps: 6
- 155 Mbps: 14
- 100 Mbps: 19
- 45 Mbps: 39
- 16 Mbps: 62
- 10 Mbps: 100
- 4 Mbps: 250
In this case, every port is 100 Mbps and therefore has a cost of 19. A tie-breaker is still required: having multiple ports to the root bridge with the same cost requires that we look at the port ID. The port with the lowest interface number becomes the root port, as evidenced here:


The last tie breaker scenario is between two connected non-root bridges. If an upstream switch is the root, and two downstream switches are directly connected, a port between them MUST be closed to ensure a loop free topology.
Here, both switches would have the same costs, priority, and port-id value. The tie breaker then becomes once again the MAC address generated by the VLAN and observed by #show spanning-tree vlan x. Whichever switch for this VLAN has the lower MAC address – that port remains open while the port on the other switch is forced to block and eliminate the loop.
In short:
- The port closest to the root becomes the root port
- Multiple paths to bridge? Tie breaker: lowest cost becomes root port
- Multiple ports same cost? Lowest port-ID value wins
- Directly connected non-root bridge switch ports with the same port-ID? The lowest MAC address for that VLAN wins
It is also important to remember that port cost is influenced by incoming BPDUs. In other words, upstream switch changes to path cost and port priority will affect downstream switch decisions.

An example here with a different topology: configuring S2 fa0/23 with a cost of 18 will result in S4 choosing S2 as the next hop. Priority and MAC values are then ignored by S4, because path selection is ultimately about cost, and the cost through S2 would then be less than that through S3.
Another example would be setting the port cost of fa0/24 lower than that of fa0/23, effectively making S4 prefer port 24, which is blocked, over port 23.
Influencing the STP process for one switch is always forced by the switches upstream of it. It is not done locally unless you start establishing new primary and secondary roots altogether.
This does not apply when we plug a cable into the S3 gigabit port, with a default cost of 4, and connect it to an S4 FastEthernet port. The cost remains the same (38 (19+19) rather than 23 (19+4)) because the gigabit port has to run at the speed the other end is operating at.
Lastly, if we chose to use fa0/24 on S4 as the root port over fa0/23, besides changing the link cost we can simply change the port priority on a per-VLAN basis with the command:
S4(config)#int fa0/24
S4(config-if)#spanning-tree vlan 1 port-priority 16
Then verify:
Switch#sh spanning-tree
Hierarchy for root port declaration: costs, priority, MAC address, and lastly port ID.
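The root port decision for S4 in the topology above, as an added example that is not part of the original notes. It assumes a constructed view of what S4 hears on fa0/23 (from S3) and fa0/24 (from S2), with made-up MAC addresses, and applies the 802.1D comparison order: lowest root path cost, then lowest sender bridge ID (priority, then MAC), then the sender's port priority and number as carried in the received BPDU, and only then the local port number.

```python
from dataclasses import dataclass
from typing import List, Optional

# 802.1D short-method port costs from the table above (link speed in Mbps -> cost)
PORT_COST = {10000: 1, 1000: 4, 622: 6, 155: 14, 100: 19, 45: 39, 16: 62, 10: 100, 4: 250}

@dataclass
class Bpdu:
    """What a port hears from its upstream neighbour: the neighbour's root path cost,
    its bridge ID (priority + MAC) and the priority/number of the port it sent from."""
    root_path_cost: int
    sender_priority: int
    sender_mac: str
    sender_port_priority: int = 128
    sender_port_num: int = 0

@dataclass
class Port:
    num: int                              # local interface number, e.g. 23 for fa0/23
    speed_mbps: int                       # negotiated link speed
    bpdu: Bpdu                            # best BPDU received on this port
    cost_override: Optional[int] = None   # "spanning-tree cost N" set on this port

    @property
    def cost(self) -> int:
        return PORT_COST[self.speed_mbps] if self.cost_override is None else self.cost_override

def negotiated_cost(local_mbps: int, peer_mbps: int) -> int:
    """A link runs at the slower end's speed, so a gigabit port facing a FastEthernet
    port still costs 19 rather than 4 (the 38-versus-23 case above)."""
    return PORT_COST[min(local_mbps, peer_mbps)]

def choose_root_port(ports: List[Port]) -> Port:
    """Lowest total cost (neighbour's root path cost + our port cost); tie -> lowest
    sender bridge ID; then lowest sender port priority/number; then our port number."""
    def key(p: Port):
        b = p.bpdu
        return (b.root_path_cost + p.cost, b.sender_priority,
                int(b.sender_mac.replace(".", ""), 16),
                b.sender_port_priority, b.sender_port_num, p.num)
    return min(ports, key=key)

def s4_ports(s2_root_cost: int = 19, fa24_cost: Optional[int] = None) -> List[Port]:
    """Constructed view from S4: S3 on fa0/23 and S2 on fa0/24, both one 100 Mbps hop
    from the root, so each advertises cost 19 and S4 sees 38 either way by default."""
    via_s3 = Bpdu(19, 32768, "0019.5600.0300", 128, 24)            # S3 sends from fa0/24
    via_s2 = Bpdu(s2_root_cost, 32768, "0019.5600.0c00", 128, 23)  # S2 sends from fa0/23
    return [Port(23, 100, via_s3), Port(24, 100, via_s2, fa24_cost)]
```

With the defaults the totals tie at 38 and S3's lower MAC keeps fa0/23 as root port; lowering S2's root path cost to 18 or S4's own fa0/24 cost to 18 moves the root port to fa0/24, as the two examples above describe.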
STP Modes of Operation
Basic (common) STP: Only one path and bridge for ALL VLANs. Traffic traverses the same route for all VLANs. Slow converging is the biggest knock against it.
PVST+: separate STP instances per VLAN. Per VLAN STP. More CPU and memory required, but gives you more control with overall data flow. Slow converging. Cisco proprietary. Default mode in all Cisco switches and used in demonstration above.
RSTP: rapid STP. Like default STP, but drastically faster. No timers required.
RSTP has only three port states: forwarding, learning, and discarding.
Forwarding: only occurs when the topology is fully converged.
Learning: accepts frames and populates the MAC table.
Discarding: breaks any L2 loop by preventing frame forwarding.
RSTP has different port roles as well:
Root port: best path to root bridge
Designated port: each segment has a designated port. This port receives frames destined for the root bridge. Forwarding state. Root bridge has nothing but designated ports.
Alternate: alternative path to root bridge. Discard/blocking state. Transitions to designated if designated fails.
Backup: redundant link to another non-root bridge. Possesses highest port ID hence it is the backup port. Discarding/blocking state.
RSTP edge ports: connect to end devices. Equivalent to portfast ports. This status is lost if a BPDU is received.
Only non-edge ports moving to a forwarding state generate a topology change. RSTP flushes all MACs associated with all non-edge ports.
RSTP is much faster because each switch floods its own BPDUs out all ports, as with basic STP, but there is no need to wait for the root bridge to acknowledge or be notified about port changes.
PVRST: per-vlan STP+ combined with RSTP. Separate VLAN instances that converge almost immediately. Cisco proprietary.
Uses a separate STP instance for each VLAN.
The bridge ID (BID) carries the VLAN ID, unlike basic STP or RSTP, to distinguish between the BPDUs of different VLANs.
Each switch uses the VLAN MAC so the BID is always unique.
MSTP: maps multiple VLANs with the same traffic flow requirements into an STP instance. 16 total instances supported.
Miscellaneous STP Facts
MAC flapping is an L2 issue caused by misleading ARP requests. It may occur after disabling STP in our topology, or from a bungled addressing scheme with a mishmash of hosts on incorrect subnets that are also connected at L2.
The root ID of the root bridge is the same as its bridge ID. The root switch forwards BPDUs out all of its ports, which are all designated ports.
The root bridge advertises its BPDUs with a root path cost of 0. In the topology, S4 has a maximum cost of 38 by default.
Blocked ports between two non-root bridges is dependent on cost, priority, MAC address, and lastly port-ID as the final tie breaker.
Link types for STP ports may be changed from point-to-point, or full duplex, to shared port which is half duplex.
A downstream switch receives different BPDUs. If the cost in the BPDU packets is equal, the bridge IDs of the upstream switches are checked next. If the BID priorities are equal, the MAC addresses of those switches (on that VLAN) are checked, and the switch with the lower MAC is the one your root port connects to.
#show spanning-tree interface fa x/x detail: the port identifier is the port priority followed by the port ID, which is the interface number. If we ran this command for interface fa0/24, we would see 128.24, where 128 is the default port-priority value and 24 is the interface number.
#show processes cpu sorted: useful to determine who is flooding us with BPDUs. Shows us the effect of a broadcast storm.
Other Switch Port States & STP Timers
Timers ensure the STP operation proceeds accordingly:
STP BPDU: bridge protocol data unit: practically a hello advertised every two seconds
Forward Delay Timer: total time spent in listening and learning states; 15 seconds total.
Max Age Timer: the length of time before a port flushes BPDU information. 20 seconds; 10x the hello timer by default.
Listening and Learning Timer: 15 seconds each.
The default STP operation is around 50 seconds to 1 minute before convergence.
Basic and PVST operation has 4 states: listening, learning, forwarding, and blocking. The two that concern us most are forwarding and blocking.
Listening: the sending and receiving of BPDUs. User data cannot be transferred yet.
Learning: construction of the STP topology. User data still cannot be transferred yet.
Forwarding: STP topology has converged. User data may be transferred.
Blocking: traffic is not sent out this port; only BPDUs can be received here.
When the Max Age timer expires and flushes the STP table, reconvergence happens: listening, then learning, then ports enter the forwarding or blocking state.