Covers Classic STP, RSTP, PVST/+
Spanning Tree Versions
Industry Standards (IEEE) | Cisco Versions |
---|---|
Spanning Tree Protocol (802.1D) - The original STP - All VLANs share one STP instance - Therefore, cannot load balance | Per-VLAN Spanning Tree Plus (PVST+) - Cisco’s upgrade to 802.1D - Each VLAN has its own STP instance - Can load balance by blocking different ports in each VLAN |
Rapid Spanning Tree Protocol (802.1w) - Much faster at converging/adapting to network changes than 802.1D - All VLANs chare one STP instance - Therefore, cannot load balance | Rapid Per-VLAN Spanning Tree Plus (Rapid PVST+) - Cisco’s upgrade to 802.1w - Each VLAN has its own STP instance - Can load balance by blocking diff. ports in each VLAN |
Multiple Spanning Tree Protocol (802.1s) - Uses modified RSTP mechanics - Can group multiple VLANs into diff. instances (i.e. VLANs 1-5 in instance 1, VLANs 6-10 in instance 2) to perform load balancing | No Cisco equivalent — Cisco devices typically run MSTP802.1s |
While MSTP is technically superior, RPVST+ is what’s covered on the CCNA, and typically more than adequate on medium - small networks. In larger networks MSTP is preferred.
With the exception of MSTP, Cisco switches do not support their IEEE counterparts
STP
- Spanning Tree Protocol - a standard protocol on all switches. It solves 2 problems: Broadcast Storms and MAC Address Flapping.
- ‘Classic Spanning Tree Protocol’ is IEEE 802.1D
- Switches from ALL vendors run STP by default
- STP prevents Layer 2 loops by placing redundant ports in a ‘blocking’ state
- essentially disables the interface until it is needed
- These interfaces act as backups that can enter a forwarding state if an active (i.e. currently forwarding) interface fails
- Interfaces in a ‘forwarding’ interface behave normally; they send and receive all normal traffic
- interfaces in a blocking state only send or receive STP specific messages, called BPDUs (Bridge Protocol Data Units)
- STP still uses the term ‘bridge’ even though they are not at all common in modern networking
- Bridges were an interstitial device with capabilities somewhere between a hub and a modern switch
- In nearly all contexts, when the term ‘bridge’ is used, we mean ‘switch’
- STP still uses the term ‘bridge’ even though they are not at all common in modern networking
Port States
-
STP automatically selects which ports will be designated (forwarding) and non-designated (blocking)
- By blocking and forwarding specific ports, STP can essentially create only a single usable path between any two points in a given network.
-
Four states a STP port can be in:
- Forwarding - Root/Designated remain stable in a Forwarding state
- Blocking - Non-designated remain stable in a Blocking state
- Listening and Learning - transitional states which are passed through when an interface is activated, or when a Blocking port must transition to a Forwarding state due to a change in network topology.
- Technically, there is a fifth state, Disabled, which isn’t very important because it, y’know, doesn’t do anything.
STP Port State | Stable/Transitional |
---|---|
Blocking | Stable |
Listening | Transitional |
Learning | Transitional |
Forwarding | Stable |
Disabled | Stable |
- Blocking
- Non-designated ports are in a Blocking state
- interfaces in a Blocking state are effectively disabled to prevent loops.
- Interfaces in a Blocking state do not send/receive regular network traffic.
- Interfaces in a Blocking state receive STP BPDUs.
- Interfaces in a Blocking state do NOT forward STP BPDUs.
- Interfaces in a Blocking state do NOT learn MAC addresses.
- Listening
- After the Blocking state, interfaces with the Designated or Root role enter the Listening state.
- Only Designated or Root ports enter the Listening state (Non-designated ports are always Blocking).
- The Listening state is 15 seconds long by default. This is determined by the Forward Delay timer.
- An interface in the Listening state ONLY forwards/receives STP BPDUs.
- An interface in the Listening state does NOT send/receive regular traffic.
- An interface in the Listening state does NOT learn MAC addresses from regular traffic that arrives on the interface.
- Learning
- After the Listening state, a Designated or Root port will enter the Learning state.
- The Learning state is 15 seconds long by default. This is determined by the Forward Delay timer. (The same timer is used for both the Listening and Learning states)
- An interface in the Learning state ONLY sends/receives STP BPDUs.
- An interface in the Learning state does NOT send/receive regular traffic.
- An interface in the Learning state learns MAC addresses from regular traffic that arrives on the interface.
- Forwarding
- Rood and Designated ports are in a Forwarding state.
- A port in the Forwarding state operates as normal.
- A port in the Forwarding state sends/receives BPDUs.
- A port in the Forwarding state send/receives normal traffic.
- A port in the Forwarding state leans MAC addresses.
STP Timers
STP Timer | Purpose | Duration (Default) |
---|---|---|
Hello | How often the root bridge sends Hello BPDUs | 2s |
Forward Delay | How long the switch will stay in the Listening and Learning states (each state is 15s = total 30s) | 15s |
Max Age | how long an interface will wait after ceasing to receive Hello BPDUs to change the STP topology. | 20s (10 * Hello) |
Max Age |
- If another BPDU is received before the max age timer counts down to 0, the time will reset to 20 seconds and no changes will occur.
- If another BPDU is not received, the max age timer counts down to 0 and the switch will reevaluate its STP choices, including root bridge, and local root, designated and non-designated ports.
- If a non-designated port is selected to become a designated or root port, it will transition from the blocking state to the listening state (15 seconds), learning state (15 seconds), and then finally the forwarding state. So, it can take a total of 50 seconds for a blocking interface to transition to forwarding.
- These timers and transitional states are to make sure that loops aren’t accidentally created by an interface moving to forwarding state too soon.
- Forwarding interfaces can move directly and immediately to blocking, as there is no chance of a loop being created, but the reverse is not possible without passing through Listening and Learning states.
Note that STP timers are set by the root bridge, even if the other switches are configured differently.
BPDUs
- Bridge Protocol Data Units - STP specific messages
- STP-enabled switches will transmit ‘Hello’ BPDUs out of all interfaces every 2 seconds (by default)
- If a switch receives a Hello BPDU it knows that interface is connected to another switch
- Routers, PCs, any non-switch device, will not use STP and thus the router will not get a Hello BPDU from that device
- BPDUs contain a Bridge ID field, which is used to elect a root bridge for the network. The Bridge ID contains the following fields:
- Bridge Priority - 16 bits
- Used to elect root bridge/switch - lower values are higher priority, default value is 32768
- ties are broken with the lowed MAC address
- all ports on a root bridge are designated/forwarding; all other switches automatically change their configurations to reach the root
- Originally 1 contiguous field, updated to be split into two parts:
- Bridge Priority - 4 bits
- Extended System ID - 12 bits
- Not always present; uses the last 12 bits of the Bridge ID when it is
- Holds VLAN ID - used by PVST
- since 12 bits are determined by the VLAN ID, only 4 bits can be used to change bridge priority - it can only be incremented in units of 4096 (surprisingly not usually a problem)
- Used to elect root bridge/switch - lower values are higher priority, default value is 32768
- MAC Address - 48 bits
- The switch’s MAC Address, used to break ties in Bridge Priority - lower is higher priority
- Bridge Priority - 16 bits
Root Selection
- The root is the switch with the lowest configured Bridge Priority
- In the case of a tie, the switch with the lowest MAC is made root
Port Designation/Role Selection
- Designated = forwarding, non-designated = blocked
- All ports on a root bridge are designated
- All other switches will select one root port. It will be the interface with the lowest root cost. Root ports are in a forwarding state.
- Ties are broken by using the lowest bridge ID of the neighboring switch
- Further ties are broken by using the lowest port ID of the neighboring switch’s interfaces
- Likely to happen in the even two switches are directly connected on multiple interfaces
- Ports connected to another switch’s root port must be designated.
- All remaining collision domains will select ONE interface to be designated. The other will be non-designated.
- First, lowest cost will be designated
- if tied, lowest bridge ID will determine designated
Calculating Root Cost
- Every interface has a spanning tree cost based on its speed. Common speeds and costs are in the table below.
- From the interface in question, add the costs of each interface along the path to the root bridge to get that interface’s root cost.
- Costs are advertised via BPDUs
Speed | Cost |
---|---|
10 Mbps | 100 |
100 Mbps | 19 |
1 Gbps | 4 |
10 Gbps | 2 |
PVST
- Per-VLAN Spanning Tree - Cisco proprietary, runs a separate STP ‘instance’ in each VLAN, so in each VLAN different interfaces can be designated
- PVST BPDUs use a destination MAC of
01:00:0c:cc:cc:cd
- as opposed to regular STP’s dst. MAC
0180.c200.0000
- as opposed to regular STP’s dst. MAC
- Technically, PVST is the older format that only supports ISL trunk encapsulation. PVST+ is updated to support the standard 802.1Q encapsulation.
Broadcast Storms
- When several switches are connected in a loop, if they receive a broadcast message they will constantly sent each other the same broadcast packets forever. Eventually the network will become so congested that it is unusable.
- You might think to just never connect switches together in a loop; unfortunately this is useful/necessary for redundancy in large networks.
- Remember that Ethernet/Layer2 headers don’t have a TTL field, and will never be dropped in this situation
MAC Address Flapping
- Each time a frame arrives on a switchport, the source MAC is used to ‘learn’ the MAC address and update the switch’s MAC address table. When frames with the same source MAC repeatedly arrive on different interfaces (like in a broadcast storm) the switch will be constantly updating its MAC address table.
- Wastes comp. resources, and can result in sub-optimal paths for network traffic
STP Optional Features
Portfast
- Allows a port to move immediately to the Forwarding state, bypassing Listening and Learning.
- If used, it must be enabled only on ports connected to end hosts.
- If enabled on a port connected to another switch it could cause a layer 2 loop.
- Risky! If a switch with portfast enabled on some interfaces is connected to an existing network, its possible a layer 2 loop could be formed. Can be prevented with BPDU Guard.
BPDU Guard
- If an interface with BPDU Guard enabled receives a BPDU from another switch , the interface will be shut down to prevent a loop from forming.
- To restart the interfaces, simply
shutdown
thenno shutdown
the interface - it will automatically disable itself again if you haven’t resolved the issue
- To restart the interfaces, simply
Root Guard
- If enabled on an interface, even if it receives a superior BPDU (lower Bridge ID) on that interface, the switch will not accept the new switch as the root bridge. The interface will be disabled.
Loop Guard
- If enabled on an interface, even if the interface stops receiving BPDUs, it will not start forwarding. The interface will be disabled.
STP Modes
spanning-tree mode (mode)
to change STP modes in global conf.- 3 modes:
- Multiple Spanning Tree -
mst
- not necessary for CCNA - Per-VLAN Spanning Tree -
pvst
- see PVST - Per-VLAN rapid Spanning Tree -
rapid-pvst
- covered later
- Multiple Spanning Tree -
Configuring Primary/Secondary Root Bridge
Rapid STP
Cisco’s summary:
- “RSTP is not a timer-based spanning tree algorithm like 802.1D. Therefore, RSTP offers an improvement over the 30 seconds or more that 802.1D takes to move a link to forwarding. The heart of the protocol is a new bridge-bridge handshake mechanism, which allows ports to move directly to forwarding.”
Similarities with STP
- RSTP serves the same purpose as STP, blocking specific ports to prevent Layer 2 loops
- RSTP elects a root bridge with the same rules as STP
- RSTP elects root ports with the same rules as STP
- RSTP elects designated ports with the same rules as STP
STP Optional Feats. Built-in to RSTP
- These functionalities are built-in to RSTP and do not need to be configured
- UplinkFast - see Alternate Ports
- BackboneFast - in the event of a broken connection to the root switch, a given switch will assume that it is now the root. It will send BPDUs to other connected switches, until they can update their disabled ports to forward the true root’s BPDUs — BackboneFast allows them to immediately expire their max age timers and forward superior BPDUs to the switch with the broken connection.
- PortFast - see Link Types > Edge
Port Costs
- Updated to handle more and faster connection types
Speed | STP Cost | RSTP Cost |
---|---|---|
10 Mbps | 100 | 2,000,000 |
100 Mbps | 19 | 200,000 |
1 Gbps | 4 | 20,000 |
10 Gbps | 2 | 2,000 |
100 Gbps | x | 200 |
1 Tbps | x | 20 |
Port States
STP Port State | Send/Rec. BPDUs | Frame Forwarding (regular traffic) | MAC Add. Learning | Stable/Transitional |
---|---|---|---|---|
Discarding | NO/YES | NO | NO | Stable |
Learning | YES/YES | NO | YES | Transitional |
Forwarding | YES/YES | YES | YES | Stable |
- If a port is administratively disabled (shutdown command) = discarding state
- If a port is enabled but blocking traffic to prevent Layer 2 loops = discarding state
Port Roles
- Root port - unchanged; the port with the lowest root cost (the “closest” port) will become root port for the switch
- The root bridge is the only switch that doesn’t have a root port
- Designated ports are also unchanged in RSTP
- The port on a segment (collision domain) that sends the best BPDU is that segment’s designated port (max 1 per segment)
- Non-designated port role has been split into two separate roles in RSTP:
- The alternate port role
- The backup port role
Alternate Ports
- The RSTP alternate port role is a discarding port that receives a superior BPDU from another switch
- This is the same as blocking ports in classic STP
- Functions as a backup to the root port:
- If the root port fails, the switch can immediately move its best alternate port to forwarding
- This immediate move to forwarding state functions like a classic STP optional feature called UplinkFast
- Since it’s built into RSTP you don’t need to activate UplinkFast when using RSTP/Rapid PVST+
Backup Ports
- The RSTP Backup port role is a discarding port that receives a superior BPDU from another interface on the same switch
- This only happens when two interfaces are connected to the same collision domain (via a hub)
- Since hubs are not used in modern networks you will probably never encounter an RSTP backup port outside of a classroom
- Function as a backup for a designated port
- Interface with the lowest port id is selected as the designated port; the other will be the backup
BPDUs, Timers, Aging
- All switches running Rapid STP send their own BPDUs every hello time (2 seconds)
- Switches ‘age’ the BPDU information much more quickly. In classic STP, a switch waits 10 hello intervals (20s). in Rapid STP, a switch considers a neighbor lost if it misses 3 BPDUs (6 seconds). It will then ‘flush’ all MAC addresses learned on that interface.
Link Types
- RSTP distinguishes between three different ‘link types’
- None of these need to be manually configured; the switch(es) should work it out automatically. However, if you ever want or need to manually designate link types, the commands are listed below.
- Edge: a port that is connected to an end host. Moves directly to forwarding, without negotiation.
- This is a built-in version of PortFast from classic STP
spanning-tree portfast
- Point-to-point: a direct connection between two switches
spanning-tree link-type point-to-point
- Shared: a connection to a hub. Must operate in half-duplex mode.
spanning-tree link-type shared
- *Note that an interface can both be an edge AND a point-to-point or shared type
- P-T-P and Shared really just tell you if the interface is in full or half-duplex. Edge interfaces will necessarily be one or the other in addition to being an edge type.