By default, a switch will forward a broadcast or multicast out all ports, excluding the port the broadcast/multicast was received on. When a loop is
introduced into the network, a highly destructive broadcast storm can develop within seconds. Broadcast storms occur when broadcasts are endlessly
switched around the loop, choking off all other traffic.
Switches needed a mechanism to prevent loops from forming, and thus Spanning Tree Protocol (STP, or IEEE 802.1D) was developed. STP is enabled by default on all VLANs on Catalyst switches. STP-enabled switches communicate to form a topology of the entire switching network, and then shut down (block) a port if a loop exists. The blocked port can be reactivated if another link on the switching network goes down, thus preserving fault tolerance. Once all switches agree on the topology database, the switches are considered converged. STP switches send BPDUs (Bridge Protocol Data Units) to each other to form their topology databases. BPDUs are sent out all ports every two seconds and are addressed to the multicast MAC address 0180.c200.0000.
1. Root bridge & Election : The root bridge is the bridge with the lowest and, therefore, the best bridge ID. The switches within the STP network
elect a root bridge, which becomes the focal point in the network. All other decisions in the network, like which ports on the non root
bridges should be blocked or put in forwarding mode, are made from the perspective of the root bridge, and once it has been elected, all other
bridges must create a single path to it. The port with the best path to the root bridge is called the root port.
Election is performed on the basis of the Bridge ID, which is 8 bytes long: 2 bytes of priority followed by the 6-byte MAC address. The default priority is 32768. The lower Bridge ID is preferred for the root bridge: the priority is compared first, and only if it is a tie is the MAC address compared. In the example topology, both switches use the default priority of 32,768, so the MAC address is the determining factor instead. Because Switch A's MAC address is 0000.0cab.3274 and Switch B's MAC address is 0000.0cf6.9370, Switch A becomes the root bridge.
2. Non-root bridge : These are all bridges that aren’t the root bridge. Non-root bridges exchange BPDUs with all the other bridges and update the STP topology database on all switches. This prevents loops and helps defend against link failures.
3. BPDU : All switches exchange information to use for the subsequent configuration of the network. Each switch compares the parameters in the Bridge Protocol Data Unit (BPDU) that it sends to a neighbor with the parameters in the BPDU that it receives from other neighbors. Inside the BPDU is the bridge ID.
4. Bridge ID : The bridge ID is how STP keeps track of all the switches in the network. It’s determined by a combination of the bridge priority, which is 32,768 by default on all Cisco switches, and the base MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network. Once the root bridge is established, every other switch must make a single path to it.
5. Path cost : A switch may encounter one or more switches on its path to the Root Bridge, and there may be more than one possible path. All unique paths are analyzed individually, and a path cost is calculated for each unique path by adding the individual port costs encountered on the way to the Root Bridge.
1. Root port (RP) : The root port is the link with the lowest path cost to the root bridge. If more than one link connects to the root bridge,
then a port cost is found by checking the bandwidth of each link. The lowest-cost port becomes the root port. When multiple links connect
to the same device, the port connected to the lowest port number on the upstream switch will be the one that’s used. The root bridge can never
have a root port designation, while every other switch in a network must have one and only one root port.
2. Designated port (DP) : A designated port is one that's been determined to have the best (i.e., lowest) cost on a given network segment, compared to the other ports on that segment. A designated port will be marked as a forwarding port, and you can have only one forwarding port per network segment.
3. Blocked port : A blocked port won’t forward frames in order to prevent loops. A blocked port will still always listen to BPDU frames from neighbor switches, but it will drop any and all other frames received and will never transmit a frame.
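The election, path-cost and port-role rules in the two lists above can be checked by hand on a small topology. The following is an added example, not code from the original notes: it models point-to-point links with symmetric port costs and applies the classic 802.1D tie-breakers (lowest root path cost, then lowest sender Bridge ID, then lowest sender port, then lowest own port). Switches A and B carry the MAC addresses from the election example; Switch C, the port numbers and the costs are constructed, and the helper with_priority shows what lowering one switch's priority (as "root primary" would) does to the roles.

```python
"""Root election and port-role computation for classic STP (added example).

Constructed model, not code from the original notes: point-to-point links only,
symmetric port costs, and the classic IEEE 802.1D tie-breakers.
"""
import heapq


def bridge_id(priority, mac):
    """8-byte Bridge ID as a comparable tuple: 2-byte priority, then 6-byte MAC.
    Tuple comparison gives exactly the STP rule: lower priority wins, MAC breaks ties."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    """The switch with the lowest Bridge ID is the Root Bridge."""
    return min(bridges, key=bridges.__getitem__)


def root_path_costs(root, bridges, links):
    """Dijkstra: cheapest sum of port costs from every switch back to the root."""
    adj = {s: [] for s in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    rpc = {s: float("inf") for s in bridges}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > rpc[s]:
            continue
        for n, cost in adj[s]:
            if c + cost < rpc[n]:
                rpc[n] = c + cost
                heapq.heappush(heap, (rpc[n], n))
    return rpc


def port_roles(bridges, links):
    """Return (root, root path costs, {(switch, port): role}) for a topology.

    bridges: {name: bridge_id(...)}
    links:   [(switch_a, port_a, switch_b, port_b, port_cost), ...]
    """
    root = elect_root(bridges)
    rpc = root_path_costs(root, bridges, links)
    roles = {}
    # Root port: one per non-root switch, chosen the way a received BPDU would be:
    # lowest (neighbour cost + port cost), then neighbour Bridge ID, neighbour port, own port.
    for s in bridges:
        if s == root:
            continue
        candidates = []
        for a, pa, b, pb, cost in links:
            if a == s:
                candidates.append((rpc[b] + cost, bridges[b], pb, pa))
            elif b == s:
                candidates.append((rpc[a] + cost, bridges[a], pa, pb))
        if candidates:
            roles[(s, min(candidates)[3])] = "root"
    # Designated port: one per segment, on the end with the lower root path cost
    # (tie: lower Bridge ID). The root bridge therefore wins on all of its segments.
    for a, pa, b, pb, cost in links:
        _, _, s, p = min((rpc[a], bridges[a], a, pa), (rpc[b], bridges[b], b, pb))
        roles.setdefault((s, p), "designated")
    # Everything else neither forwards nor learns: blocked.
    for a, pa, b, pb, cost in links:
        roles.setdefault((a, pa), "blocked")
        roles.setdefault((b, pb), "blocked")
    return root, rpc, roles


# Constructed topology: A and B use the MAC addresses from the election example;
# Switch C, the port numbers and the costs are made up. 19 is the classic
# 802.1D port cost of a 100 Mbit/s link.
BRIDGES = {
    "A": bridge_id(32768, "0000.0cab.3274"),
    "B": bridge_id(32768, "0000.0cf6.9370"),
    "C": bridge_id(32768, "0000.0cff.0001"),
}
LINKS = [("A", 1, "B", 1, 19), ("A", 2, "C", 1, 19), ("B", 2, "C", 2, 19)]


def with_priority(bridges, name, priority):
    """Copy of the bridge table with one switch's priority changed, e.g. to the
    24,576 that 'spanning-tree vlan 10 root primary' configures."""
    updated = dict(bridges)
    updated[name] = (priority, bridges[name][1])
    return updated


if __name__ == "__main__":
    for table in (BRIDGES, with_priority(BRIDGES, "C", 24576)):
        root, rpc, roles = port_roles(table, LINKS)
        print("root:", root, "root path costs:", rpc)
        for key in sorted(roles):
            print("  ", key, roles[key])
```

With the default priorities A is elected, B and C each reach it at cost 19 through their direct link, and on the B-C segment the tie is broken by Bridge ID, so B's port is designated and C's port is blocked. Giving C priority 24,576 makes C the root and moves the blocked port to B's link towards A.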
The ports on a bridge or switch can transition through five different STP states.
There are several varieties of spanning-tree protocols in use today.
1. CST : The original standard for bridging and STP, which is really slow but requires very little bridge resources. It’s also referred to as Common Spanning Tree (CST).
2. PVST+ : The Cisco proprietary enhancement for STP that provides a separate 802.1d spanning-tree instance for each VLAN. Know that this is just as slow as the CST protocol, but with it, we get to have multiple root bridges. This creates more efficiency of the links in the network, but it does use more bridge resources than CST does.
3. RSTP (Rapid Spanning Tree Protocol) : Also called IEEE 802.1w, this iteration enhanced the BPDU exchange and paved the way for much faster network convergence, but it still only allows for one root bridge per network like CST. The bridge resources used with RSTP are higher than CST's but less than PVST+.
4. Rapid PVST+ : Cisco’s version of RSTP that also uses PVST+ and provides a separate instance of 802.1w per VLAN. It gives us really fast convergence times and optimal traffic flow but predictably requires the most CPU and memory of all.
STP utilizes three timers to ensure all switches remain synchronized, and to allow enough time for the Spanning Tree process to ensure a
• Hello Timer – Default is 2 seconds. Indicates how often BPDUs are sent by switches.
• Forward Delay – Default is 15 seconds. Indicates a delay period in both the listening and learning states of a port, for a total of 30 seconds. This delay ensures STP has ample time to detect and eliminate loops.
• Max Age – Default is 20 seconds. Indicates how long a switch will keep BPDU information from a neighboring switch before discarding it. In other words, if a switch fails to receive BPDUs from a neighboring switch for the Max Age period, it will remove that switch's information from the STP topology database.
All timer values can be adjusted, and should only be adjusted on the Root Bridge. The Root Bridge will propagate the changed timers to all other switches participating in STP. Non-Root switches will ignore their locally configured timers. The timers are measured in seconds. To adjust the three STP timers for VLAN 10:
Switch(config)# spanning-tree vlan 10 hello-time 10
Switch(config)# spanning-tree vlan 10 forward-time 20
Switch(config)# spanning-tree vlan 10 max-age 40
An STP topology change will occur under two circumstances:
• When an interface is placed into a Forwarding state.
• When an interface already in a Forwarding or Learning state is placed into a Blocking state.
The switch recognizing this topology change will send out a TCN (Topology Change Notification) BPDU, destined for the Root Bridge. The TCN BPDU does not contain any data about the actual change – it only indicates that a change occurred. For example, if the interface on Switch 4 connecting to Switch 5 went down, Switch 4 would send a TCN out its Root Port to Switch 2. Switch 2 will acknowledge this TCN by sending a BPDU back to Switch 4 with the Topology Change Acknowledgement (TCA) bit set. Switch 2 would then forward the TCN out its Root Port to Switch 1 (the Root Bridge).
Once the Root Bridge receives the TCN, it will send out a BPDU with the Topology Change (TC) bit set to all switches. When a switch receives this Root BPDU, it will temporarily lower its MAC-address Aging Timer from 300 seconds to 15 seconds, so that any erroneous MAC addresses can be quickly flushed out of the CAM table. The MAC-Address Aging Timer will stay lowered to 15 seconds for a period of 35 seconds by default, or one Max Age (20 seconds) plus one Forward Delay (15 seconds) timer.
To enable STP for a specific VLAN:
Switch(config)#spanning-tree vlan 10
To disable STP for a specific VLAN:
Switch(config)# no spanning-tree vlan 10
To adjust the Bridge Priority of a switch from its default of 32,768, to increase its chances of being elected Root Bridge of a VLAN (IOS accepts the priority only in multiples of 4096, from 0 to 61440):
Switch(config)# spanning-tree vlan 10 priority 4096
To change an interface’s Path Cost from its defaults:
Switch(config)# int fa0/24
Switch(config-if)# spanning-tree cost 42
To force a switch to become the Root Bridge:
Switch(config)# spanning-tree vlan 10 root primary
The root primary parameter in the above command automatically lowers the switch's priority to 24,576. If another switch on the network already has a priority lower than 24,576, the command instead sets the priority to 4096 less than that switch's priority. It is possible to assign a Secondary Root Bridge for redundancy. To force a switch to become a Secondary Root Bridge:
Switch(config)# spanning-tree vlan 10 root secondary
The root secondary parameter in the above command automatically lowers the switch’s priority to 28,672. To specify the diameter of the switching topology:
Switch(config)# spanning-tree vlan 10 root primary diameter 7
The diameter parameter in the preceding command indicates the length of the STP topology (number of switches). The maximum (and default) value for the diameter is 7. Note that the switching topology can contain more than seven switches; however, each branch of the switching tree can only extend seven switches deep, from the Root Bridge.
1. Direct Link failure
A Direct Link Failure occurs when a switch's own link toward the Root Bridge (its root port) goes down while a backup (blocked) path to the root is available. Without help, the backup port still has to pass through the listening and learning states before it forwards, so the backup path takes time to become active. UplinkFast, intended for switches with redundant uplink (trunk) ports, moves the blocked backup port to forwarding immediately. It is enabled globally:
Switch(config)# spanning-tree uplinkfast
2. Indirect Link Failure
An Indirect Link Failure occurs when the failed link is not directly attached to the affected switch. When the link between A (the Root Bridge) and B fails, B loses its path to the root and begins advertising itself as the Root Bridge in the BPDUs it sends to C. C still holds the superior BPDU it received from Switch A (a lower Bridge ID), so it treats B's BPDUs as inferior and ignores them.
C waits for the Max Age timer (20 seconds) to expire on the stored information before it starts reconverging the topology; the whole process takes 52 seconds. C then forwards BPDUs carrying A's Bridge ID to B, so B learns that a lower bridge still exists in the topology. BackboneFast lets a switch expire the Max Age timer as soon as an inferior BPDU arrives, saving those 20 seconds. It is enabled globally:
Switch(config)# spanning-tree backbonefast
PortFast allows switch ports that connect a host device to bypass the usual progression of STP states. A port connecting to a host device
can never create a switching loop. Thus, Port Fast allows the interface to move from a blocking state to a forwarding state immediately,
eliminating the normal 30 second STP delay.
To configure PortFast on an interface:
Switch(config)# int fa0/10
Switch(config-if)# spanning-tree portfast
To enable PortFast globally on all interfaces:
Switch(config)# spanning-tree portfast default
PortFast should not be enabled on switch ports connecting to another hub/switch, as this may result in a loop. Note that PortFast does not disable STP on an interface - it merely speeds up the convergence.
STP is vulnerable to attack for two reasons:
• STP builds its topology information by accepting a neighboring switch's BPDUs.
• The Root Bridge is always determined by the lowest Bridge ID.
Switches with a low priority can be maliciously placed on the network, and elected the Root Bridge. This may result in a suboptimal or unstable STP topology.
Cisco implemented three mechanisms to protect the STP topology:
• Root Guard
• BPDU Guard
• BPDU Filtering
All three mechanisms are configured on an individual interface basis, and are disabled by default. When enabled, these mechanisms apply to all VLANs for that particular interface.
1. Root Guard :
Root Guard prevents an unauthorized switch from advertising itself as a Root Bridge.
Switch(config)# interface fa0/10
Switch(config-if)# spanning-tree guard root
The above command prevents the switch from accepting a new Root Bridge off of the fa0/10 interface. If a Root Bridge advertises itself to this port, the port will enter a root-inconsistent state.
2. BPDU Guard :
BPDU Guard is employed on interfaces that are PortFast-enabled. Normally a PortFast-enabled interface connects to a host device, and thus the interface should never receive a BPDU. If another switch is accidentally or maliciously connected into a PortFast interface, BPDU Guard will place the interface into an errdisable state. To enable BPDU Guard:
Switch(config)# interface fa0/10
Switch(config-if)# spanning-tree bpduguard enable
To take an interface out of an errdisable state, simply disable and re-enable the interface:
Switch(config)# interface fa0/10
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
3. BPDU Filter :
BPDU Filtering essentially disables STP on a particular interface, by preventing it from sending or receiving BPDUs. Because the port no longer participates in STP, a loop through it will not be detected, so it belongs only on ports that cannot connect to another switch:
Switch(config)# interface fa0/10
Switch(config-if)# spanning-tree bpdufilter enable
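The three mechanisms differ in what the switch does when a BPDU arrives on a protected port, and the unprotected case is the one in which a low-priority switch on the wrong port becomes the Root Bridge. The following classifier is an added example, not code from the original notes or from Cisco: it evaluates constructed one-line BPDU records against a constructed per-port policy table and reports the outcome each mechanism would produce (errdisable, dropped, root-inconsistent), flagging a superior Root ID on an unprotected port as a root change worth investigating. The known root is Switch A from the election example; every other MAC address and all port names are made up.

```python
"""Classify received BPDUs against per-port STP protections (added example).

Constructed policy table, line format and sample records; not code from the
original notes. Useful as the check a monitoring script would run over a
feed of observed BPDUs.
"""
import re

# Root Bridge this switch currently knows: Switch A from the election example.
CURRENT_ROOT = (32768, int("00000cab3274", 16))

# Constructed per-interface policy. A port that is not listed has no protection
# enabled, which is also the default on a Catalyst switch.
PORT_POLICY = {
    "fa0/10": {"portfast": True, "bpduguard": True},  # host port: must never see a BPDU
    "fa0/20": {"bpdufilter": True},                   # STP effectively off on this port
    "gi0/1": {"rootguard": True},                     # downstream switch: may not become root
    "gi0/2": {},                                      # uplink towards the real root, unprotected
}

# Constructed one-line-per-BPDU format: the port, then the Root ID the BPDU advertises
# as priority/MAC.
BPDU_RE = re.compile(r"port=(\S+)\s+root=(\d+)/([0-9a-fA-F.]+)")


def parse_bpdu(line):
    """Return (port, (root_priority, root_mac_as_int)) or None for a non-matching line."""
    m = BPDU_RE.search(line)
    if not m:
        return None
    port, prio, mac = m.groups()
    return port, (int(prio), int(mac.replace(".", ""), 16))


def classify(line, policy=PORT_POLICY, current_root=CURRENT_ROOT):
    """Decide what the switch does with one received BPDU.

    errdisable         BPDU Guard: any BPDU on a guarded (PortFast) port shuts the port down
    dropped            BPDU Filter: the port neither sends nor processes BPDUs
    root-inconsistent  Root Guard: a superior Root ID arrived where no root is allowed
    root-change        no protection and a superior Root ID: the switch would accept a new root
    accepted           an ordinary BPDU consistent with the known root
    """
    parsed = parse_bpdu(line)
    if parsed is None:
        return None
    port, advertised_root = parsed
    p = policy.get(port, {})
    if p.get("bpduguard"):
        return port, "errdisable"
    if p.get("bpdufilter"):
        return port, "dropped"
    if advertised_root < current_root:  # the lower Bridge ID wins the election
        return port, "root-inconsistent" if p.get("rootguard") else "root-change"
    return port, "accepted"


# Constructed sample BPDUs; every MAC address other than Switch A's is made up.
SAMPLE_BPDUS = [
    "port=gi0/2 root=32768/0000.0cab.3274",   # the real root's own BPDU
    "port=fa0/10 root=32768/0000.0cab.3274",  # a switch plugged into a host port
    "port=gi0/1 root=4096/0000.0c11.2233",    # downstream device claiming a better root
    "port=fa0/20 root=0/0000.0c11.2233",      # filtered port: never processed
    "port=gi0/2 root=0/0000.0c99.0001",       # superior root on the unprotected uplink
    "not a bpdu line",
]


def audit(lines=SAMPLE_BPDUS):
    """Run the classifier over a batch and return the decisions that need attention."""
    results = [classify(line) for line in lines]
    return [r for r in results if r is not None and r[1] != "accepted"]


if __name__ == "__main__":
    for port, outcome in audit():
        print(f"{port:8} {outcome}")
```

The only record that reaches the root election unguarded is the superior BPDU on gi0/2; in a real deployment that is the event to alert on, since every other case is stopped by the interface-level protection before it can change the topology.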