
Student Notes on STP

Index:

Chapter  Title                                                 Page

5.1      Redundant Layer 2 Topologies                             2
5.1.1    Redundancy                                               2
5.1.2    Issues with Redundancy                                   2
5.1.3    Real World Redundancy Issues                             3

5.2      Introduction to STP                                      4
5.2.1    Spanning Tree Algorithm                                  4
5.2.2    STP BPDU                                                 7
5.2.3    Port Roles                                              10
5.2.4    STP Port States and BPDU Timers                         12

5.3      STP Convergence                                         14
5.3.1    Step 1 – Elect a Root Bridge                            14
5.3.2    Step 2 – Elect Root Ports                               15
5.3.3    Step 3 – Elect Designated and Non-designated Ports      16
5.3.4    STP Topology Change                                     16

5.4      PVST+, RSTP, and Rapid PVST+                            17
5.4.1    Cisco and IEEE STP Variants                             17
5.4.2    Design STP for Trouble Avoidance                        18
5.4.3    Troubleshoot STP Operation                              19

Page 1 of 20
4. STP

5.1 Redundant Layer 2 Topologies

5.1.1 Redundancy

- In a switched network, redundancy is provided by adding extra links between switches.

These links act as backups: a redundant path is brought into use when the primary fails, and the primary is used again once the fault is fixed.
This improves availability.
At the distribution and core layers it is achieved with extra links and switches.
Even an access layer switch can be connected to more than one distribution layer switch.
This removes the “single point of failure”.
STP blocks certain ports so that the redundant links do not create switching loops (at layer 2).
A redundant link is only used if (and whilst) the primary link has failed.
Redundancy provides flexibility in path selection on the switched network.
A failure at the core or distribution layer can be overcome.
Of course, if the access layer switch itself fails, its users lose connectivity.

5.1.2 Issues with Redundancy

- If a layer 2 loop occurs, problems will result.

This happens when there is a physical loop and STP is not enabled on all switches.
The problem is that, unlike IP packets, Ethernet frames have no TTL field.
Therefore the frames circulate until the loop is broken or the network is taken down.

This problem is made worse by broadcasts.

A switch floods a broadcast frame out of all other ports in the same VLAN.
As the frame passes through a switch, the switch re-learns the source MAC address against the port it arrived on, so the entry keeps changing.
This causes processing overhead.
Broadcasts circulate around the loop, so the work is repeated endlessly.
The process continues until the loop is broken, or the switches are powered down.
It slows down the switch for legitimate users.
Legitimate traffic to the source address is misdirected because the MAC address table is wrong.

Unicast frames will also loop around the network.


Both frame types can cause a “broadcast storm”, bringing down the network.

- Broadcast Storms:

This occurs when so many broadcast frames are caught in the layer two loop that ALL available
bandwidth is consumed.

This is inevitable in a physically looped network with STP disabled.

End devices can also fail, as the access layer switches deliver these broadcasts to every host.
When the network is saturated with broadcasts, the switch can’t process legitimate traffic.
This is effectively a DoS situation.

- Duplicate Unicast Frames:

Another problem with layer two loops is the creation of duplicate unicast frames.
If the access layer switch has no entry for the destination MAC, it floods the frame out of all ports.
The copies reach multiple switches, and each forwards its copy on.
One switch delivers a copy directly to the end user; the other forwards its copy to a switch that also reaches the end user.
The result is that the end user receives two instances of the same frame.
Many upper-layer protocols can’t handle this duplication, and therefore fail.

5.1.3 Real World Redundancy Issues

Redundancy is necessary, so STP is required to avoid switching loops.


These loops can appear in wiring closets or workplace cubicles:

- Loops in the Wiring Closet:

Cables between access and distribution layer switches are terminated in wiring closets.
This can result in a confusion of cables if not properly labelled.
A problem is if two cables join an access layer switch to the same distribution switch.
It’s OK if they’re EtherChannelled, but not if they are access ports.
A loop occurs, causing broadcast storms.

The same thing occurs if the access layer switch connects to two distribution switches.
These distribution layer switches may complete a loop, resulting in the same problem.

- Loops in Cubicles:

This is more likely, as administrators cannot control access at the workplace cubicle.
Here, a user could plug in two hubs to the switch, and link the hubs together.
Again, this causes a layer two loop.
5.2 Introduction to STP

5.2.1 Spanning Tree Algorithm

- Redundancy increases availability, protecting from a single point of failure.


With redundancy come loops.
Loops can cause broadcast storms and duplicate frames to occur.
The Spanning Tree Protocol (STP, IEEE 802.1D) was developed to stop these loops.

STP ensures that there is only one active path between any two points in the network.
It intentionally blocks redundant paths that would cause a loop.
A switch port is “blocked” if STP has stopped it forwarding data frames.
A blocked port still receives the BPDU frames that STP uses to negotiate port states.
If the active path fails, STP unblocks the port to maintain connectivity.

- STP Topology:

In a loop, one of the switch ports will be set to “blocked”, thus avoiding layer 2 loops.
If the main link fails, the above mentioned port is “unblocked”.
This allows the redundant path to carry the traffic.
When the better link is fixed, STP reverts the network to the original condition.

- Port Types in the Spanning-Tree Algorithm (STA):

The STA determines which ports to block.

A single switch is first elected as the “Root Bridge”.
This is the reference point for ALL subsequent calculations.
All switches exchange BPDU frames to elect the root bridge.
Each BPDU contains the Bridge ID (BID) of the switch sending the frame.
The BID consists of the priority value concatenated with the MAC address.
Once the root bridge is elected, the STA calculates each switch’s shortest path to it.
Other paths to the root bridge are blocked.
Whilst this is happening, no port forwards user data, so no traffic crosses the network.
“Path Cost” is calculated from the speed of each port on the path to the root.

All switch ports are defined to be one of the following:

- Root Ports:
These ports NEVER occur on the root bridge.
Every other switch has exactly ONE root port.
This is the “open” port used to forward traffic towards the root bridge.
In practice it is the uplink (usually a trunk) that leads towards the root bridge.

- Designated Ports:
ALL ports on the root bridge are “Designated Ports”.
Each segment of wire has exactly one “Designated Port”.
So, on a given segment, one port may be blocked and the other a Designated Port.
This port accepts traffic from its segment and forwards it towards the root bridge.
The switch with a designated port on a segment is that segment’s “Designated Bridge”.

- Non-Designated Ports:
These are ports kept in the “Blocked” state to prevent the loop.

- Root Bridge:

Every STA instance has a single “Root Bridge”.


This is the reference point for all the spanning-tree calculations.
An election process determines the switch that will be made the root bridge.
It is based on the value of the switch’s BID.

The 8-byte BID consists of either 2 (old method) or 3 (new method) fields.
These are the priority, the Extended System ID (new method only), and the MAC address of the switch.
All switches send this information in BPDUs every 2 seconds (by default) to the STP multicast address.
Along with this information, they also send who they think is the root bridge.
Initially, every switch thinks it is the root.
If a switch receives a BPDU with a BID lower than its own, it updates its view of the root.
The switch with the LOWEST BID becomes the root bridge.

- Best Paths:

Once the root is elected, the STA works out the best path from every switch to it.
This is performed by summing the port costs along the path to the root.
Default costs are as follows:

Link Speed   Cost (New IEEE)   Cost (Old IEEE)
10 Gbps               2                1
1 Gbps                4                1
100 Mbps             19               10
10 Mbps             100              100

This is the default port cost – the value can be changed at the interface:

Switch(config-if)# spanning-tree cost <value>

The value can range from 1 to 200,000,000.


The sum of the port costs along a path is that path’s total cost to the root bridge.
The port offering the lowest path cost becomes the uplink to the root bridge (the “Root Port”).
Any port on a redundant path becomes either a “Designated Port” or a “Non-Designated Port”.
To check the switch configuration by STP, issue the command:

Switch# show spanning-tree [detail]

This provides the following details for each STA instance (perhaps one per VLAN):
- The priority and MAC address of this switch (its “BID”).
- Cost to the root, and which port is the “Root Port”.
- The hello time interval (2 seconds by default).
- Each interface, including:
- The role it’s in (root, designated, non-designated).
- The port priority and number.
- etc.

5.2.2 STP BPDU

- Bridge Protocol Data Units (BPDUs) are the frames switches exchange to run STP.
Each 35-byte Configuration BPDU contains the following fields:

Bytes Field
2 Protocol ID
1 Version
1 Message Type
1 Flags
8 Root ID
4 Cost of Path
8 Bridge ID
2 Port ID
2 Message Age
2 Max Age
2 Hello Time
2 Forward Delay

The BPDU is carried in an Ethernet frame.

It is sent to the multicast address 01:80:C2:00:00:00, which is reserved for STP.
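The 35-byte layout above, encoded and decoded in code. This is an added example for these notes, not code from the course or from Cisco. It assumes the standard LLC encapsulation STP uses (DSAP 0x42, SSAP 0x42, control 0x03) and that the timer fields are carried in units of 1/256 second, as 802.1D specifies; the sample switch MAC addresses are constructed.

```python
"""Build and parse an IEEE 802.1D Configuration BPDU.

Added example for these notes (not Cisco or IEEE code). Assumes the LLC
encapsulation STP uses (DSAP 0x42, SSAP 0x42, control 0x03) and that the
timer fields are carried in units of 1/256 second; sample MACs are constructed.
"""
import struct
from dataclasses import dataclass

STP_MULTICAST = bytes.fromhex("0180c2000000")   # group address reserved for STP
LLC_STP = bytes.fromhex("424203")               # DSAP 0x42, SSAP 0x42, UI control
# The 12 fields of the 35-byte body, in table order, big-endian.
BPDU_FMT = ">HBBB8sI8sHHHHH"
assert struct.calcsize(BPDU_FMT) == 35


@dataclass(frozen=True)
class BridgeId:
    priority: int      # 4-bit priority, kept as a multiple of 4096
    ext_sys_id: int    # 12-bit extended system ID (the VLAN under PVST+)
    mac: str           # switch MAC, "00:1b:53:00:00:01" form

    def pack(self) -> bytes:
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 0 <= self.ext_sys_id < 4096:
            raise ValueError("extended system ID is 12 bits")
        return struct.pack(">H", self.priority | self.ext_sys_id) + bytes.fromhex(self.mac.replace(":", ""))

    @classmethod
    def unpack(cls, raw: bytes) -> "BridgeId":
        word = struct.unpack(">H", raw[:2])[0]
        return cls(word & 0xF000, word & 0x0FFF, ":".join(f"{b:02x}" for b in raw[2:8]))

    def key(self) -> tuple:
        """Election key: lower wins (priority first, then extended ID, then MAC)."""
        return (self.priority, self.ext_sys_id, self.mac.lower())


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int               # 0x8001 = default priority 128, port 1
    message_age: int = 0       # all timers in 1/256 s; 0x0200 = 2 s
    max_age: int = 20 * 256
    hello_time: int = 2 * 256
    forward_delay: int = 15 * 256
    flags: int = 0             # bit 0 = Topology Change, bit 7 = TC Acknowledgement

    def pack(self) -> bytes:
        # Protocol ID 0, version 0 (802.1D), message type 0 (Configuration BPDU)
        return struct.pack(BPDU_FMT, 0, 0, 0, self.flags,
                           self.root_id.pack(), self.root_path_cost,
                           self.bridge_id.pack(), self.port_id,
                           self.message_age, self.max_age,
                           self.hello_time, self.forward_delay)

    @classmethod
    def unpack(cls, body: bytes) -> "ConfigBpdu":
        if len(body) < 35:
            raise ValueError("BPDU body shorter than 35 bytes")
        (proto, _version, mtype, flags, root, cost, bridge, port,
         age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, body[:35])
        if proto != 0 or mtype != 0:
            raise ValueError(f"not a Configuration BPDU (protocol {proto}, type {mtype:#x})")
        return cls(BridgeId.unpack(root), cost, BridgeId.unpack(bridge), port,
                   age, max_age, hello, fwd, flags)


def frame(bpdu: ConfigBpdu, src_mac: str) -> bytes:
    """Wrap a BPDU in an 802.3 frame: dst = STP multicast, src, length, LLC, body."""
    payload = LLC_STP + bpdu.pack()
    return STP_MULTICAST + bytes.fromhex(src_mac.replace(":", "")) + struct.pack(">H", len(payload)) + payload


def parse_frame(raw: bytes) -> ConfigBpdu:
    if raw[:6] != STP_MULTICAST or raw[14:17] != LLC_STP:
        raise ValueError("not an STP frame")
    return ConfigBpdu.unpack(raw[17:])


def demo() -> ConfigBpdu:
    """Constructed sample: a switch with priority 24576 on VLAN 1 announcing itself as root."""
    me = BridgeId(24576, 1, "00:1b:53:00:00:01")
    raw = frame(ConfigBpdu(root_id=me, root_path_cost=0, bridge_id=me, port_id=0x8001), me.mac)
    return parse_frame(raw)


if __name__ == "__main__":
    print(demo())
```

The decoder rejects anything whose protocol ID or message type is not 0, so a TCN BPDU (type 0x80) or a non-STP LLC frame raises rather than being misread; the 16-bit word in front of the MAC is split into the 4-bit priority and 12-bit extended system ID exactly as described in the BID section.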

- BPDU Process:

Upon booting, each switch believes that it is the root.
It sends out BPDUs every two seconds announcing itself as the root.
Each switch maintains local information consisting of:
- Its own BID (priority + MAC)
- The Root ID (itself initially)
- Path cost to the root (0 initially).

As BPDUs arrive from neighbours, the switch may revise who it believes the root is.
If a neighbour advertises a lower root BID, the switch updates its information.
It now believes that the switch with the lower BID is the root.
It changes its local Root ID and its local path cost to the root.
All subsequent advertisements (every 2 seconds) carry the new root BID.

Notice that the configurable switch priority takes precedence over switch MAC address.
This allows the administrator to effectively nominate which switch will be the root.

- Bridge ID (BID):

The BID used to consist of two fields, but now it consists of three.

The Bridge Priority:

This used to be a two-byte number, with a range from 0 to 65535.
The default was (and still is) mid-way: 32768.
The lower the priority, the better the chance of being elected as root bridge.

The Extended System ID:

This is for newer systems that support multiple STA instances, one per VLAN.
The field carries the VLAN number the instance belongs to.
PVST+ uses this type of BID.
Its 12 bits allow for up to 2^12 (4096) VLANs.

Note: this leaves only 4 bits for the bridge priority.
The priority still occupies the top of the same 16-bit word, so its values run from 0 to 61440.
However, they must be in increments of 4096:
0000 = 0
0001 = 4096
etc.

The MAC Address:
This is the MAC address of the switch.
This is only used to find the root bridge if the priority values are identical.

- Configure and Verify the BID:

The root bridge will be the one with the lowest bridge priority.
If the priorities are tied, the switch with the lowest MAC address wins.
There are two ways to set the bridge priority:

Switch(config)# spanning-tree vlan 1 root primary

Switch(config)# spanning-tree vlan 1 root secondary

Above, the first command adjusts the priority of the switch to 24576, or the next 4096
increment value less than the lowest priority detected on the network.

The second command sets the priority of the switch to 28672.


This ensures that it becomes the backup root.
If the root fails, then this will become the root.
This assumes that the rest of the switches have a default priority of 32768.

To set a specific priority (a multiple of 4096), issue the command below:

Switch(config)# spanning-tree vlan <vlan> priority <value>

The <value> can be from 0 to 61440, in increments of 4096.


To verify the configuration, issue the command: show spanning-tree [detail]
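The arithmetic behind the three commands above, as an added example written for these notes rather than IOS code. The rule for `root primary` follows the wording above (24576, or 4096 below the lowest priority detected); treating a tie at 24576 as needing 20480 is an assumption, and the switch names and MAC addresses are constructed.

```python
"""Bridge priority arithmetic behind `root primary`, `root secondary` and `priority`.

Added example for these notes, not IOS code. `root primary` follows the rule
in the text (24576, or 4096 below the lowest priority detected); treating a
tie at 24576 as needing 20480 is an assumption. Names and MACs are constructed.
"""
PRIORITY_STEP = 4096
PRIORITY_MAX = 61440          # 0xF000: the largest value 4 bits x 4096 can hold
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576
ROOT_SECONDARY = 28672


def check_priority(value: int) -> int:
    """What `spanning-tree vlan <vlan> priority <value>` accepts: 0..61440 in steps of 4096."""
    if not 0 <= value <= PRIORITY_MAX or value % PRIORITY_STEP:
        raise ValueError(f"priority must be 0..{PRIORITY_MAX} in increments of {PRIORITY_STEP}, got {value}")
    return value


def root_primary_priority(lowest_detected: int) -> int:
    """Priority chosen by `root primary`, given the lowest priority seen in BPDUs."""
    if lowest_detected > ROOT_PRIMARY:
        return ROOT_PRIMARY
    if lowest_detected < PRIORITY_STEP:
        raise ValueError("another bridge already uses priority 0; root primary cannot go lower")
    return check_priority(lowest_detected - PRIORITY_STEP)


def elect_root(network: dict) -> str:
    """network: name -> (priority, MAC). Lowest priority wins; lowest MAC breaks ties."""
    return min(network, key=lambda n: (network[n][0], network[n][1].lower()))


def apply_root_primary(network: dict, name: str) -> int:
    """Model `spanning-tree vlan 1 root primary` on switch `name`."""
    lowest_elsewhere = min(p for n, (p, _) in network.items() if n != name)
    new = root_primary_priority(lowest_elsewhere)
    network[name] = (new, network[name][1])
    return new


def apply_root_secondary(network: dict, name: str) -> int:
    """Model `spanning-tree vlan 1 root secondary`: fixed 28672, a backup while others sit at 32768."""
    network[name] = (ROOT_SECONDARY, network[name][1])
    return ROOT_SECONDARY


def set_priority(network: dict, name: str, value: int) -> int:
    """Model `spanning-tree vlan <vlan> priority <value>`."""
    network[name] = (check_priority(value), network[name][1])
    return value


if __name__ == "__main__":
    # Constructed network: three switches, all at the default priority.
    net = {
        "S1": (DEFAULT_PRIORITY, "00:1b:53:00:00:0a"),
        "S2": (DEFAULT_PRIORITY, "00:1b:53:00:00:02"),
        "S3": (DEFAULT_PRIORITY, "00:1b:53:00:00:03"),
    }
    print("default election:", elect_root(net))          # S2: lowest MAC wins the tie
    apply_root_primary(net, "S1")
    apply_root_secondary(net, "S3")
    print("after root primary/secondary:", elect_root(net))
    del net["S1"]
    print("after S1 fails:", elect_root(net))
```

Note that `root primary` only works while the chosen switch is online to run it: if a new switch later joins at priority 0, or a rogue device announces a lower BID, the election flips regardless of what was configured here. That is why the notes pair it with the `root secondary` backup and, in 5.4, with Root Guard.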

5.2.3 Port Roles

- Each instance of STP has a root bridge elected.

Ports on all switches are then assigned roles depending on their path cost to the root and their place in the topology.
A port is automatically placed by STP in one of four roles.

- The “Root Port”:

These ports NEVER occur on the root bridge.
Every other switch has exactly ONE root port.
This is the “open” port used to forward traffic towards the root bridge.
In practice it is the uplink (usually a trunk) that leads towards the root bridge.

- The “Designated Port”:

ALL ports on the root bridge are “Designated Ports”.
Each segment of wire has exactly one “Designated Port”.
This port accepts traffic from its segment and forwards it towards the root bridge.
So, on a given segment, one port may be blocked and the other a Designated Port.
Alternatively, one port may be the root port and the other the designated port.
The switch with a designated port on a segment is that segment’s “Designated Bridge”.

- The “Non-Designated Port”:

This is a port that is blocked.
This is to stop logical loops.

- The “Disabled” Port:


This port has been administratively shut down.

- Once the root bridge election finishes, the STA selects the root ports.
The root port is the port with the smallest path cost to the root bridge.
If two ports have the same path cost, the tie is broken by:
- Port priority (configurable).
- If the port priority is the same, the lowest port number wins.
The port priority is a number from 0 to 240 (default 128) in increments of 16.
The combination is expressed like this: 128:1 (default priority for port 1).

- Configure Port Priority:

- This is rarely required.

Switch(config-if)# spanning-tree port-priority <value>

Where <value> is a number from 0 to 240.

The default is 128, and it can be adjusted in increments of 16.
The lowest port priority takes precedence.

- Port Role Decisions:

Consider a triangle of switches.


The root bridge has both trunk ports set as “Designated Ports”.
The other ends of these trunks are set as “Root Ports”.
Finally, the link between the two non-root switches needs to be worked out.
One will be the “Designated Port”, the other “Non-Designated” (blocked).
BPDUs are exchanged between these two switches to determine this selection.
If the path cost is the same, the switch with the lowest BID has its port as designated.
The other end has the port set to non-designated (blocked).

To view port roles and priority values, issue the command: show spanning-tree
This provides the role of each port (Root / Designated / Altn).
It also shows the status of each port (FWD / BLK).
It also shows the priority and number of each switch port (E.g.: 128:1).

5.2.4 STP Port States and BPDU Timers

- STP exchanges BPDUs to determine a loop-free topology in the switch fabric.


All ports transition through 5 possible states, using 3 different timers.
Once the switch boots, all ports are blocked whilst STP determines what to do.
These states are listed below:

1. Blocking:
The “Non-designated” port is set to this state.
It does not forward frames; it won’t send or receive data frames.
It receives BPDU frames, telling it what to do.

2. Listening:
This port could become either a root port or designated port.
It both sends and receives BPDU frames.
The port will return to a “blocking” state if STP deems it necessary to block a loop.
While in this state, it discards any data frames sent to it.
It is NOT learning any MAC addresses yet.

3. Learning:
This port will end up forwarding frames.
While in this state, it discards any data frames sent to it.
It is populating the MAC address table.
It is also sending and receiving BPDU frames.

4. Forwarding:
The topology is now active.
This port is part of that topology; it sends and receives data frames.
It also sends and receives BPDU frames.
It is learning addresses.

5. Disabled:
The port doesn’t participate in the active topology.
It has been administratively shut down.

- There are several timers used to transition between states. The default values follow:

1. Hello Time:
This is the time between BPDUs being sent out a port.
The default is 2 seconds, but it can be configured from 1 to 10 seconds.

2. Forward Delay:
This is the time spent in the “Listening” and “Learning” states.
The default is 15 seconds, but it can be configured from 4 to 30 seconds.

3. Maximum Age:
This is the time that a switch saves the BPDU information from neighbours.
The default is 20 seconds, but it can be configured from 6 to 40 seconds.

- Typically, a port goes through Blocking → Listening → Learning → Forwarding.


These timer values are correct for a network diameter of 7 switches or less.
These values shouldn’t be altered without expert guidance.

To configure a different network diameter for STP, issue the command:

Switch(config)# spanning-tree vlan <vlan> root primary diameter <value>

Where <value> is a number between 2 and 7.

- Cisco PortFast:

This is a Cisco proprietary feature applied to access ports.

When applied, the port transitions immediately from blocking to forwarding.
It skips the listening and learning states, so it doesn’t wait 30 seconds (2 × forward delay) to start forwarding.
It should only be used on ports facing end devices; “BPDU Guard” is used alongside it to shut the port down if a BPDU arrives.
This is often used because a PC requests an IP address from a DHCP server as soon as it boots.
The DHCP request could time out before a normal port starts forwarding.
To configure PortFast on an access port, issue the command:

Switch(config-if)# spanning-tree portfast

5.3 STP Convergence

- This examines the whole STP process from start to finish.


“Convergence” is the state in which every switch agrees on the root bridge and every port has settled into its role; convergence time is how long that takes.
Once the STP process is complete, the network has converged.
There are three steps to the STP process:
- Elect the root bridge.
- Elect the root ports (on non-root switches).
- Elect designated and non-designated ports (on non-root switches).

5.3.1 Step 1 – Elect a Root Bridge

- Once the root is elected, every switch port’s role is derived from that result.
Upon boot-up, all switches hold their ports in the “blocking” state (for up to 20 seconds, the max age).
This prevents loops whilst STP determines which ports to block.
Whilst blocked, the ports still send and receive BPDUs.

Spanning Tree supports a network diameter of up to 7 switches between end-nodes.


This ensures that the election process is completed within 14 seconds.

Once booted, the switches send out BPDUs, advertising their BID to neighbours.
Initially, all switches believe that they are the root bridge.
These BPDUs are sent out every 2 seconds.

When a switch receives a BPDU, it compares its own BID with the one in the frame.
The lowest BID value wins, and the two switches agree on which one is the root.
Now, both switches use BPDUs to advertise the switch with the lowest BID.
This process continues until all switches agree on the root bridge.

Even at this stage, all switches still send BPDUs every 2 seconds.
Each switch has a “max age” timer that is reset every time a BPDU is received.
If the switch doesn’t receive a BPDU in this interval (20 seconds), the election process
repeats.

- Verify Root Bridge Election:

To verify which bridge has won the election, issue the command:
Switch# show spanning-tree

The switch with the lowest BID wins.


This is first determined by the priority value, then the MAC address of each switch.

The previous command shows the priority and address of both the root and this switch.
It then shows the port role and status of every interface on this switch.

5.3.2 Step 2 – Elect Root Ports

- Now that the root bridge has been decided, all switch ports need to be assigned roles.
All root bridge ports are set as “Designated Ports”.
Every other switch needs its ports set to a specific role.
Every one of these non-root bridges has a single “Root Port”.
This is the port with the lowest cost to the root bridge.
Typically, path cost alone decides the root port.
If two ports on the same switch have the same path cost, the tie needs to be broken.
This is done by looking at the sending (upstream) switch’s BID.
The upstream switch with the lowest BID wins.
If the upstream switch is the same for both ports, then the port ID breaks the tie.
This is a combination of port priority + port number.
So, if the priority is the same, the link using the lowest port number wins.
The winner becomes the “Root Port” and is set to forwarding.
The loser is normally a “Non-Designated Port” and is set to blocking (unless it is the designated port for its own segment, see Step 3).
Port roles for a given switch may change several times during convergence.

- Verify Root Port Election:

Verify the port configuration with the command: show spanning-tree

This returns:
- The root bridge’s priority and address.
- This bridge’s priority and address.
- This bridge’s ports, with their role, status, priority and number.

5.3.3 Step 3 – Elect Designated and Non-designated Ports

- Once the root ports have been set, the remaining ports must be defined.
These will be either “Designated” (DP) or “Non-Designated” (ND).
Each segment between switches has one DP; the far end, if it is not a root port, is ND.
BPDUs are exchanged, and the switch with the lowest root path cost (then lowest BID, then lowest port ID) wins.
That switch sets its port to DP (Forwarding).
The losing switch sets its port to ND (Blocking).
The whole process of electing the root bridge and all ports completes within the 20-second max age.
That equals ten 2-second hello intervals (2 × 10 = 20 seconds).

- Verify Designated and Non-Designated Port Election:

Again, verify the port configuration with the command: show spanning-tree
This returns:
- The root bridge’s priority and address.
- This bridge’s priority and address.
- This bridge’s ports, with their role, status, priority and number.
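Steps 1 to 3 above worked through for the triangle topology from 5.2.3, as an added example written for these notes rather than Cisco’s implementation. It computes the settled result of the election directly instead of exchanging BPDUs over time; switch names, MAC addresses and link speeds are constructed, and port IDs are compared as (port priority, port name). The second topology lowers one link to 10 Mbps to show path cost overriding the direct link to the root.

```python
"""Spanning-tree convergence (steps 1 to 3) worked through in code.

Added example for these notes, not Cisco's implementation: it computes the
settled result of the election directly instead of exchanging BPDUs over
time. Switch names, MAC addresses and link speeds are constructed.
"""
import heapq

# Default port costs from the table in 5.2.1 (revised IEEE values), Mbps -> cost.
PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}
DEFAULT_PORT_PRIORITY = 128

# name -> (bridge priority, MAC).  S1 has been given `root primary`.
SWITCHES = {
    "S1": (24576, "00:1b:53:00:00:01"),
    "S2": (32768, "00:1b:53:00:00:02"),
    "S3": (32768, "00:1b:53:00:00:03"),
}
# (switch A, port A, switch B, port B, speed in Mbps)
TRIANGLE_100M = [
    ("S1", "Fa0/1", "S2", "Fa0/1", 100),
    ("S1", "Fa0/2", "S3", "Fa0/1", 100),
    ("S2", "Fa0/2", "S3", "Fa0/2", 100),
]
# Same triangle, but the S1-S3 link is only 10 Mbps.
TRIANGLE_MIXED = [(a, pa, b, pb, 10 if {a, b} == {"S1", "S3"} else s)
                  for a, pa, b, pb, s in TRIANGLE_100M]


def bid(switches, name):
    """BID comparison key: priority, then MAC; lower wins."""
    prio, mac = switches[name]
    return (prio, mac.lower())


def port_id(port, priority=DEFAULT_PORT_PRIORITY):
    """Port ID key in the '128:Fa0/1' spirit: priority first, then the port itself."""
    return (priority, port)


def elect_root(switches):
    """Step 1: the lowest BID wins."""
    return min(switches, key=lambda n: bid(switches, n))


def root_path_costs(switches, links, root):
    """Root path cost of every switch: cheapest sum of port costs back to the root."""
    adj = {n: [] for n in switches}
    for a, _, b, _, speed in links:
        adj[a].append((b, PORT_COST[speed]))
        adj[b].append((a, PORT_COST[speed]))
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, w in adj[n]:
            if m not in cost or c + w < cost[m]:
                cost[m] = c + w
                heapq.heappush(heap, (c + w, m))
    return cost


def assign_roles(switches, links):
    """Steps 1-3: returns (root, root path costs, {(switch, port): role})."""
    root = elect_root(switches)
    rpc = root_path_costs(switches, links, root)
    roles = {}
    # Step 2: each non-root switch picks the port whose neighbour offers the lowest
    # (root path cost through it, sender BID, sender port ID, own port ID).
    offers = {}
    for a, pa, b, pb, speed in links:
        c = PORT_COST[speed]
        offers.setdefault(a, []).append(((rpc[b] + c, bid(switches, b), port_id(pb), port_id(pa)), pa))
        offers.setdefault(b, []).append(((rpc[a] + c, bid(switches, a), port_id(pa), port_id(pb)), pb))
    for name, candidates in offers.items():
        if name != root:
            roles[(name, min(candidates)[1])] = "root"
    # Step 3: on each segment the end with the lowest (root path cost, BID, port ID)
    # becomes designated; the other end stays a root port or is blocked.
    for a, pa, b, pb, _ in links:
        key_a = (rpc[a], bid(switches, a), port_id(pa))
        key_b = (rpc[b], bid(switches, b), port_id(pb))
        winner, loser = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[winner] = "designated"
        roles.setdefault(loser, "non-designated")
    return root, rpc, roles


if __name__ == "__main__":
    for topology in (TRIANGLE_100M, TRIANGLE_MIXED):
        root, rpc, roles = assign_roles(SWITCHES, topology)
        print(f"root bridge: {root}; root path costs: {rpc}")
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} {port:<6} {role}")
```

With all links at 100 Mbps, S2 and S3 tie on cost 19 and the S2–S3 segment is settled by BID, so S2’s port is designated and S3’s is blocked, as described in 5.2.3. With the S1–S3 link at 10 Mbps, S3 reaches the root more cheaply through S2 (19 + 19 = 38 versus 100), so its root port moves to the S2 side and its direct link to the root is the one that gets blocked.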

5.3.4 STP Topology Change

- When a forwarding port goes down, or a port transitions to forwarding, this is a topology change.
The switch that saw it notifies the root bridge of the change.
The root bridge then announces the change to the whole domain by setting the Topology Change (TC) flag in its BPDUs, which makes every switch age out its MAC table entries quickly.

Normally, only the root bridge originates Configuration BPDUs, every 2 seconds.
The non-root bridges relay them downstream, but do not send Configuration BPDUs back towards the root.
Upon a change, the non-root bridge sends a “Topology Change Notification” (TCN) BPDU out of its root port.
The upstream designated bridge acknowledges it by setting the Topology Change Acknowledgement (TCA) flag in its next BPDU, and passes its own TCN on towards the root.

5.4 PVST+, RSTP, and Rapid PVST+

5.4.1 Cisco and IEEE STP Variants

- Many variants of STP exist.


Some are Cisco proprietary variants, others are IEEE standards.

- Per-VLAN Spanning-Tree (PVST) Overview

Here, a separate instance of STP is maintained for every VLAN.

It runs over Cisco ISL trunks.
It is a proprietary protocol, only supported on Cisco devices.
Because each VLAN has its own tree, a trunk can be blocked for some VLANs and forwarding for others.
This provides “load balancing”: one trunk could carry VLAN 10, 20, and 30 traffic.
Another trunk could carry VLAN 40, 50, and 60 traffic.
Cisco also developed extensions to 802.1D STP for faster convergence.
These include: BackboneFast, UplinkFast, and PortFast.

- Per-VLAN Spanning-Tree Plus (PVST+) Overview

This was a PVST protocol developed to support IEEE 802.1Q trunking (as opposed to ISL).
It is a proprietary protocol, only supported on Cisco devices.
Cisco developed extensions to the protocol including PortFast BPDU guard and root guard.

- Rapid Spanning-Tree Protocol (RSTP) Overview

Introduced as IEEE 802.1w (2001), this is an evolutionary advance from STP (IEEE 802.1D).

It provides faster convergence after topology changes.
It provides vendor-independent equivalents of BackboneFast, UplinkFast and PortFast.
It was folded into the base standard as IEEE 802.1D-2004.

- Multiple Spanning-Tree Protocol (MSTP) Overview

This allows multiple VLANs to be mapped to the same STP instance.

This reduces the number of instances required to support a large number of VLANs.
It is an open standard (IEEE 802.1s, now part of 802.1Q), inspired by Cisco’s MISTP.
It is an evolutionary advance from RSTP (IEEE 802.1D-2004).
This enables load balancing, similar to PVST.

5.4.2 Design STP for Trouble Avoidance

- The purpose of STA is to break loops created by redundant links.


This is performed at layer 2.
Unfortunately, STP can fail.
Troubleshooting can be difficult.

- Don’t leave it up to STP to decide the root bridge, choose your own one.
Generally, choose a powerful bridge in the middle of the network.
Being in the centre, it reduces the average distance from clients to servers and routers.

- If you don’t have a hierarchical design, you may need to tune STP cost parameters.
This usually isn’t necessary in hierarchical designs.

- Make a network diagram of root bridge, and the role of each port.

- Minimise the Number of Blocked Ports

STP takes the critical action of blocking ports.


Just a single blocked port accidentally transitioning to forwarding can have catastrophic consequences.
Reducing the number of blocked ports reduces the chance of disaster.
Normally each connection needs at most two links (one primary, one redundant).

Prune VLANs from trunks where they are not needed, so that fewer STP instances have to block ports.

- Use Layer 3 Switching

Layer 3 switching is routing at layer 2 switching speeds.


The router performs the following:
- Builds a forwarding table.
- Switches packets across interfaces based on the destination IP address.

Using L3 switches, routing occurs at the same speed as switching.


Now, let the core switches route, not switch.
Routing removes the layer 2 loop: a router bounds the broadcast domain, so frames are not flooded across it, and IP packets carry a TTL.
Redundancy can still be used, with routing protocols choosing the paths.
This provides convergence that is faster than 802.1D STP.

- Keep STP Even if It Is Unnecessary

Even if you remove redundancy, don’t remove STP.


STP isn’t processor intensive as frame switching doesn’t involve the CPU (in switches).
Also, the infrequent and small BPDUs don’t use a lot of bandwidth.
Keep STP in case an access switch is looped.
Disabling STP is not worth the risk.

- Keep Traffic off of the Management VLAN

A switch typically has a single IP address bound to the management VLAN.


The switch now behaves as a host.
All broadcasts and multicasts on this network are sent to the CPU.
This traffic can affect the CPU, so keep traffic light.

5.4.3 Troubleshoot STP Operation

- No systematic procedure exists to troubleshoot STP.


Before troubleshooting, ensure you know:
- The bridge topology.
- The location of the root bridge.
- The location of blocked ports and the redundant links.

To fix the network, you need to know what it should look like.
Most troubleshooting involves simple show commands.

- PortFast Configuration Error

Imagine that an upstream (switch-to-switch) interface has accidentally been configured with PortFast.
It goes straight to forwarding, so a loop through it is not checked before traffic flows.
Eventually, a BPDU will be received and STP will block the port if it should be blocked.
During that time, however, large volumes of looped traffic may occur.
This could delay convergence, or actually bring the network down.

Cisco use “BPDU Guard” to fix this problem.

It error-disables a PortFast-configured port if it receives a BPDU.
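How BPDU Guard, and the Root Guard listed beside it in 5.4.1, decide what to do when a BPDU arrives, as an added example written for these notes (not IOS code). The port names and bridge IDs are constructed, and two behaviours are simplified: a PortFast port without BPDU Guard is modelled as simply losing PortFast and rejoining normal STP, and a root-inconsistent port is cleared as soon as an acceptable BPDU arrives, whereas IOS waits for the superior BPDUs to stop.

```python
"""BPDU Guard and Root Guard decisions for one received BPDU.

Added example for these notes, not IOS code. Port names, bridge IDs and the
recovery rule for root-inconsistent ports are constructed simplifications.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Bid = Tuple[int, str]   # (bridge priority, MAC), compared as a tuple: lower wins


@dataclass
class Port:
    name: str
    portfast: bool = False     # edge port: goes straight to forwarding
    bpdu_guard: bool = False   # err-disable the port if any BPDU arrives
    root_guard: bool = False   # never accept a better root through this port
    state: str = "forwarding"
    log: List[str] = field(default_factory=list)


@dataclass
class Bridge:
    root_id: Bid               # the root this switch currently believes in


def receive_bpdu(bridge: Bridge, port: Port, advertised_root: Bid) -> str:
    """Apply the guards to one received BPDU and return the port's resulting state."""
    if port.state == "err-disabled":
        return port.state                       # stays down until an admin (or errdisable recovery) clears it
    if port.portfast and port.bpdu_guard:
        port.state = "err-disabled"             # a host-facing port must never see a BPDU
        port.log.append(f"{port.name}: BPDU received with BPDU Guard enabled, err-disabled")
        return port.state
    if port.portfast:
        # PortFast without BPDU Guard (the misconfiguration described above): the port
        # loses its PortFast status and is handled by the normal STA from now on.
        port.portfast = False
        port.log.append(f"{port.name}: BPDU received on PortFast port, PortFast lost")
    if port.root_guard and advertised_root < bridge.root_id:
        port.state = "root-inconsistent"        # superior BPDU refused; port stops forwarding
        port.log.append(f"{port.name}: superior root {advertised_root} refused by Root Guard")
        return port.state
    if port.state == "root-inconsistent":
        port.state = "forwarding"               # simplification: clears on the first acceptable BPDU
        port.log.append(f"{port.name}: root-inconsistent cleared")
    if advertised_root < bridge.root_id:
        bridge.root_id = advertised_root        # plain STP: a better root is simply accepted
        port.log.append(f"{port.name}: new root {advertised_root} accepted")
    return port.state


if __name__ == "__main__":
    sw = Bridge(root_id=(24576, "00:1b:53:00:00:01"))
    edge = Port("Fa0/5", portfast=True, bpdu_guard=True)
    guarded = Port("Gi0/1", root_guard=True)
    plain = Port("Gi0/2")
    rogue = (4096, "00:aa:bb:cc:dd:ee")      # constructed: a device claiming a better root
    for port in (edge, guarded, plain):
        receive_bpdu(sw, port, rogue)
        print("\n".join(port.log))
    print("root is now", sw.root_id)
```

The unguarded port in the demo is the point: an ordinary STP port accepts the better root without question, so the design decisions in 5.4.2 (choose the root yourself, know where the blocked ports are) only hold if the ports where an unexpected root could appear are guarded.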

- Network Diameter Issues

STP has conservative default timing values.


These are calculated assuming a maximum network diameter of seven switches.
That is, at most seven switches between the two most distant end-hosts.
The BPDU has a “message age” field.
This is incremented every time the BPDU passes through a switch.
It holds the age since the root sent that BPDU.
If it exceeds the “max age” value, the BPDU is discarded.
If a switch is too far from the root, BPDUs age out before reaching it, and the network may not converge.

If you change the default timing values of STP, it may converge faster.
This is a dangerous thing to do though; it could affect the stability of the network.

