
Few notes on Spanning Tree Operations

Default Behavior in STP (802.1D)

In Spanning Tree Protocol the first step is to elect a root bridge for each VLAN.
Root election is based on Bridge Priority; the tie-breaker is the MAC address when the Bridge Priority on the switches is equal.
In PVST+ the ext-sys-id (the VLAN instance ID) is carried in the 12 low-order bits of the 16-bit Bridge Priority field, and the switch MAC address is the same for all STP instances, so only the priority field differs from VLAN to VLAN.

The default Bridge Priority is 32768, so if you are using VLAN ID 120 the bridge priority value becomes 32768 + 120 = 32888.

show spanning-tree vlan 120 output will show the line
Bridge ID  Priority    32888  (priority 32768 sys-id-ext 120)

Bridge ID = Bridge Priority (4 bits) + Ext-Sys-ID (12 bits) + MAC address (6 bytes). Comparison is left to right: priority field first, MAC address only on a tie, and lower is better.

In the example below we have 4 switches with the MAC addresses shown.
Bridge Priority is not changed and is left at the default value.

(diagram: stp-net)

I will list the lowest MAC address on each of these switches, since that is what the switches use for the election when the priority is left at the default value (listed from lowest to highest):
SW1: 0018.183a.8f80
SW2: 0024.5031.0c80
SW4: 0024.5031.1880
SW3: 0024.503c.d480

With the default priority of 32768 on every switch, SW1 always wins with its lower MAC address and becomes the root bridge for all VLANs.

All ports on the root bridge are always designated and in forwarding state.
Non-root bridges have their link towards the root bridge in forwarding state too; that port is the root port (the port pointing towards the root bridge), and there is exactly one per non-root bridge.

Every port on a non-root bridge takes one of three roles:
1. Root Port – the single port closest to the root bridge, chosen primarily on path cost.
2. Designated, forwarding state, or
3. Alternate, blocking state.
Ports connecting to other non-root bridges end up as either designated or alternate, depending first on the root path cost and then on the bridge priority and MAC address.

Root Ports:
The root port is the port with the lowest cumulative path cost towards the root switch.
If two or more ports have equal cost towards the root, the tie-breakers are applied in this order, using the values carried in the BPDU received on each port (i.e. the neighbor's values, not the local ones):
1. Lowest sender Bridge ID (priority + MAC address of the switch that sent the BPDU)
2. Lowest sender Port ID (port priority, then port number, of the neighbor's port; only considered when the sender Bridge ID is the same, e.g. parallel links to the same upstream switch)
3. Lowest local Port ID, as a last resort.

Designated Ports:
These ports are facing away from the root bridge towards the downstream switches and are in forwarding state.

Blocking Ports:
These are the ports that STP blocks dynamically to avoid loops. No traffic flows through them in this state, but they still receive BPDUs. After a topology change such a port may dynamically transition to forwarding, depending on the new topology.

When deciding whether a port on a segment between two non-root bridges is designated (forwarding) or alternate (blocking), each switch compares the root path cost and then the bridge ID in the BPDU it receives with its own:
*** The side with the lower (better) root path cost, or on equal cost the lower (better) bridge ID, has the designated, forwarding port
*** The side with the higher bridge ID has the blocking port
(Lower is always better in STP.)

Default STP Behavior Example (refer to the diagram):

Create VLAN 102 on all 4 switches. (I used all 4 switches as VTP servers in the TEST domain and created VLAN 102 – not a good practice.)
Note: for VTP to work the trunk ports must be up between all the switches; the trunks do not have to carry traffic for this VLAN in order for the VLAN to be propagated and created on the other switches in the VTP domain.

Since the priority field is 32870 on all these switches for VLAN 102, the MAC address decides, and the root bridge for VLAN 102 is SW1, which has the lowest MAC address.

Note: the default priority on all switches is 32768. The priority shown in the show spanning-tree output below is 32870 because Cisco PVST+ uses the Ext-Sys-ID: it adds the VLAN number to the priority value.

(diagram: stp-net)
(diagram: switch-lab)

SW1: output for STP on VLAN 102
All Ports on the Root Bridge are always Designated Forwarding.

SW1#sh span vlan 102
VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    32870
Address     0018.183a.8f80
This bridge is the root
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0018.183a.8f80
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/15           Desg FWD 4         128.15   P2p
Gi0/47           Desg FWD 4         128.47   P2p

SW2:
Has its root port on the link to SW1 (port 47).
Since SW2 has the second-lowest MAC address of the 4 switches, its ports connecting to the other non-root switches (port 5 and port 43) are also designated forwarding: SW3 and SW4 have higher MAC addresses than SW2, so the ports at their end of those links go to blocking.

SW2#sh span vlan 102
VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    32870
Address     0018.183a.8f80
Cost        4
Port        47 (GigabitEthernet0/47)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.5031.0c80
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Desg FWD 4         128.5    P2p
Gi0/43              Desg FWD 4         128.43   P2p
Gi0/47              Root FWD 4         128.47   P2p

SW3:
Has one root port, on the link to SW1 (port 15).
SW3 has a higher MAC address than SW2, so its port connecting to SW2 goes to blocking. SW3's MAC address is also higher than SW4's, so its port connecting to SW4 goes to blocking as well, which means the port on SW4 connecting to SW3 is forwarding. This leaves only the root port on SW3 in forwarding state (a root port is always forwarding).

SW3#sh span vlan 102
VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    32870
Address     0018.183a.8f80
Cost        4
Port        15 (GigabitEthernet0/15)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.503c.d480
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Altn BLK 4         128.5    P2p
Gi0/15              Root FWD 4         128.15   P2p
Gi0/19              Altn BLK 4         128.19   P2p

 

SW4: output from the switch for VLAN 102
One root port, forwarding (port 1, towards SW1).
The port towards SW2 is blocking since SW2 has a better (lower) MAC address.
The port towards SW3 is forwarding since SW3 has a worse (higher) MAC address; therefore the port on SW3 is blocking while the port on SW4 is forwarding.

SW4#sh spanning-tree vlan 102
VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    32870
Address     0018.183a.8f80
Cost        4
Port        1 (GigabitEthernet0/1)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.5031.1880
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/19              Desg FWD 4         128.19   P2p
Gi0/43              Altn BLK 4         128.43   P2p

STP Port States:
* Disabled: the port is shut down (administratively or by errdisable) and does not participate in STP.
* Listening: BPDUs are sent and received and the port roles are decided. No MAC learning and no traffic forwarding.
* Learning: the CAM table is being built from incoming frames. Still no traffic forwarding.
* Forwarding: STP has decided the port is part of the loop-free topology. Traffic forwarding starts.
* Blocking: STP has decided to block the port to avoid loops. Only BPDUs are received in this state; no other traffic is received or sent on the port.

Port State Transitions:
Disabled -> Listening -> Learning ->Forwarding
Blocking -> Listening -> Learning ->Forwarding

STP Timers:

Hello Timer: 2 Seconds
Determines how often the BPDUs are sent out a port.

Max Age Timer: 20 seconds.
Determines how long a switch keeps the last BPDU it heard on a port before it treats that information as stale. A blocking port that stops hearing BPDUs stays in blocking for 20 seconds (the default) before it reacts.
After 20 seconds without a BPDU the port transitions to Listening and then Learning, and the forward delay timer comes into play as well.

Forward Delay Timer: 15 seconds.
Forward delay is the time a port spends in each of the Listening and Learning states, 15 seconds by default, so a port needs 2 x forward delay = 30 seconds to get through both before it forwards.
(The same value is what the CAM aging time is reduced to after a topology change; see the convergence section below.)

Port transition time from Blocking to Forwarding:
Blocking (max-age-timer-expire) + Listening (Fwd Delay) + Learning (Fwd Delay) = 20+15+15 = 50 Seconds.

Manipulating this default behavior using spanning tree cost and Bridge Priority.

Cost can be configured per interface.
Under interface configuration mode:
SW2(config-if)#spanning-tree cost 1
This makes the interface preferable to interfaces with a higher cost. The cost is added to the root path cost of the BPDUs received on that port, so it influences this switch's own root port choice. Best practice is to set the cost on both ends of the link so the topology stays symmetric.

To use the VLAN priority to influence the root switch election.
Under global configuration mode:
SW2(config)#spanning-tree vlan 102 priority 4096
This makes SW2 the root switch as long as no other switch has a lower priority for VLAN 102. Note that 4096 is not the lowest possible value: the priority must be a multiple of 4096 in the range 0 to 61440, so 0 is the lowest and 4096 is the lowest non-zero value.
Again, if two switches have the same priority, the switch with the lower MAC address wins the root election.

Manipulating via Spanning-Tree Vlan Root Command

Global Command
SW1(config)#spanning-tree vlan 102 root primary

Command structure: spanning-tree vlan [VLAN No] root [primary | secondary]

This command looks at the priority of the current root for the VLAN and configures a lower priority on this switch: it sets 24576 if that is enough to win, otherwise 4096 less than the current root's priority (root secondary simply sets 28672). It is a one-time macro, not a running process: if someone later configures a lower priority on another switch, this switch loses its root status. Internally all it does is issue 'spanning-tree vlan X priority <value>' once, and that is what shows up in the running configuration.
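The bridge ID encoding and the per-VLAN root election from the top of the page, and the root primary macro above, worked through in Python. This is an added example, not code from the original article: the MAC addresses are the four lab switches' own, and the 24576 / "4096 below the current root" rule is the documented IOS behaviour of the macro.

```python
"""PVST+ bridge ID encoding, per-VLAN root election, and the 'root primary' macro."""
from __future__ import annotations

# The four lab switches' MAC addresses as quoted on the page; SW1 has the lowest.
SWITCH_MACS = {
    "SW1": "0018.183a.8f80",
    "SW2": "0024.5031.0c80",
    "SW3": "0024.503c.d480",
    "SW4": "0024.5031.1880",
}
DEFAULT_PRIORITY = 32768


def priority_field(priority: int, vlan: int) -> int:
    """16-bit Bridge Priority field: 4 configurable bits + 12-bit sys-id-ext (the VLAN).

    IOS only accepts priorities that are multiples of 4096 (0..61440) because the
    low 12 bits belong to the VLAN number; 0, not 4096, is the lowest possible value.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    return priority | vlan          # same as priority + vlan, since the low bits are zero


def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, int]:
    """Comparable bridge ID: (priority field, MAC as an integer). Lower wins."""
    return (priority_field(priority, vlan), int(mac.replace(".", ""), 16))


def elect_root(vlan: int, priorities: dict[str, int] | None = None) -> tuple[str, dict]:
    """Return (root switch, bridge IDs) for one VLAN.

    priorities: the 'spanning-tree vlan N priority' configured per switch;
    switches not listed use the default 32768.
    """
    priorities = priorities or {}
    bids = {sw: bridge_id(priorities.get(sw, DEFAULT_PRIORITY), vlan, mac)
            for sw, mac in SWITCH_MACS.items()}
    return min(bids, key=bids.get), bids


def root_macro_priority(current_root_priority: int, secondary: bool = False) -> int:
    """Priority that 'spanning-tree vlan N root primary|secondary' would configure.

    Documented IOS rule: primary sets 24576 if that alone beats the current root,
    otherwise 4096 below the current root's priority; secondary always sets 28672.
    Nothing re-evaluates this later, which is why the macro is one-shot.
    """
    if secondary:
        return 28672
    if current_root_priority > 24576:
        return 24576
    target = current_root_priority - 4096
    if target < 0:
        raise ValueError("current root is already at priority 0; root primary cannot win")
    return target


if __name__ == "__main__":
    root, bids = elect_root(102)
    print("VLAN 102 root with defaults:", root, bids[root])    # SW1, priority field 32870
    print("VLAN 102 root with SW3 at 4096:", elect_root(102, {"SW3": 4096})[0])
    print("root primary against a 32768 root:", root_macro_priority(32768))
    print("root primary against a 4096 root:", root_macro_priority(4096))
```

The comparison is a plain tuple comparison because that is exactly how a bridge ID is compared on the wire: the 16-bit priority field first, and the MAC address only when the priority fields tie.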

How to use the Spanning Tree Port Priority to manipulate which interface traffic flows on.

In the diagram
SW1 is the root switch for vlan 102.
SW2 is connected to SW1 on ports 43 and 47

With normal STP operation SW2 elects port 43 as the root port: both links have the same cost and carry the same sender bridge ID (SW1), so the tie is broken by the sender's port ID, and SW1's port 43 has the lower port number.
To change which port on SW2 becomes the root port, the port priority has to be changed on the root switch (SW1) port connecting to SW2, because SW2 compares the port IDs carried in the received BPDUs, i.e. SW1's port IDs, not its own. Even if you lower the port priority of port 47 on SW2, the root port stays port 43. To make SW2 use port 47 as its root port, lower the port priority of port 47 on the uplink switch SW1; the root port on SW2 then moves from port 43 to port 47.

SW2 output with a lower (better) port priority on its own port 47 – no effect, port 43 is still the root port. The Prio.Nbr column shows 16.47 for Gi0/47, but SW2 does not use its own port ID for this decision.

SW2(config)#int gi 0/47
SW2(config-if)#spanning-tree port-priority 16
SW2#sh spanning-tree vlan 102

VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    32870
Address     0018.183a.8f80
Cost        4
Port        43 (GigabitEthernet0/43)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.5031.0c80
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Desg FWD 4         128.5    P2p
Gi0/43              Root FWD 4         128.43   P2p
Gi0/47              Altn BLK 4          16.47   P2p

Now make the change on SW1, the uplink switch (the root in this case).
Also return port 47 on SW2 to the default port priority, since we determined it does not influence the root port decision.

SW2(config)#int gi0/47
SW2(config-if)#no span port-priority

SW1(config)#int gi 0/47
SW1(config-if)#spanning-tree port-priority 16

Now check the output on the downstream switch SW2 after this change. Port 47 on SW2 is now the root port even though 47 is a higher interface number than 43. (Note also that Aging Time shows 15 instead of 300: the role change generated a topology change notification, which temporarily reduces the CAM aging time to the forward delay, as described in the convergence section below.)

SW2#sh spanning-tree vlan 102

VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    32870
Address     0018.183a.8f80
Cost        4
Port        47 (GigabitEthernet0/47)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.5031.0c80
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Desg FWD 4         128.5    P2p
Gi0/43              Altn BLK 4         128.43   P2p
Gi0/47              Root FWD 4         128.47   P2p

So, to influence STP using port priority, change the port priority on the uplink switch's port, not on the downstream switch port where you want the traffic to flow.
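The root-port tie-break order from the Root Ports section and the port-priority experiment above, worked through in Python as an added example (not code from the original article). It assumes the link layout inferred from the show outputs, i.e. that each link uses the same port number at both ends, and for the second diagram it models only SW1 and SW2 joined by parallel links on ports 43 and 47.

```python
"""Simplified 802.1D/PVST+ port-role computation for a set of switches and links.
Root port selection applies the full tie-break order: root path cost, then the sender's
bridge ID, then the sender's port ID (priority.number), then the receiving port ID."""
from __future__ import annotations

GIG_COST = 4            # IOS short-method path cost for a GigabitEthernet port
DEFAULT_PORT_PRIO = 128


def bridge_id(priority: int, vlan: int, mac: str) -> tuple[int, int]:
    return (priority + vlan, int(mac.replace(".", ""), 16))


class Topology:
    def __init__(self, vlan: int):
        self.vlan = vlan
        self.bids = {}      # switch -> bridge ID
        self.ports = {}     # (switch, port number) -> {"cost": int, "prio": int}
        self.peer = {}      # (switch, port number) -> (switch, port number) at the far end

    def add_switch(self, name: str, mac: str, priority: int = 32768) -> None:
        self.bids[name] = bridge_id(priority, self.vlan, mac)

    def add_link(self, a: tuple, b: tuple, cost: int = GIG_COST) -> None:
        for end, other in ((a, b), (b, a)):
            self.ports[end] = {"cost": cost, "prio": DEFAULT_PORT_PRIO}
            self.peer[end] = other

    def set_port_priority(self, end: tuple, prio: int) -> None:
        """'spanning-tree port-priority N': changes the port ID that *this* port advertises."""
        self.ports[end]["prio"] = prio

    def port_id(self, end: tuple) -> tuple[int, int]:
        return (self.ports[end]["prio"], end[1])

    def compute(self):
        root = min(self.bids, key=self.bids.get)
        rpc, root_port = {root: 0}, {}
        changed = True
        while changed:                      # relax until no root port changes (Bellman-Ford)
            changed = False
            for sw in self.bids:
                if sw == root:
                    continue
                best = best_end = None
                for end, (n, q) in self.peer.items():
                    if end[0] != sw or n not in rpc:
                        continue
                    # (cost via this port, sender BID, sender port ID, our own port ID)
                    cand = (rpc[n] + self.ports[end]["cost"], self.bids[n],
                            self.port_id((n, q)), self.port_id(end))
                    if best is None or cand < best:
                        best, best_end = cand, end
                if best is not None and (rpc.get(sw), root_port.get(sw)) != (best[0], best_end):
                    rpc[sw], root_port[sw] = best[0], best_end
                    changed = True
        roles = {}
        for end, (n, q) in self.peer.items():
            sw = end[0]
            if sw == root:
                roles[end] = "Desg"
            elif root_port[sw] == end:
                roles[end] = "Root"
            else:                           # lower (cost, BID, port ID) owns the segment
                mine = (rpc[sw], self.bids[sw], self.port_id(end))
                theirs = (rpc[n], self.bids[n], self.port_id((n, q)))
                roles[end] = "Desg" if mine < theirs else "Altn"
        return root, rpc, roles


def lab_topology(vlan: int = 102) -> Topology:
    """The page's 4-switch lab; links inferred from its show outputs."""
    t = Topology(vlan)
    for sw, mac in [("SW1", "0018.183a.8f80"), ("SW2", "0024.5031.0c80"),
                    ("SW3", "0024.503c.d480"), ("SW4", "0024.5031.1880")]:
        t.add_switch(sw, mac)
    for a, b, port in [("SW1", "SW4", 1), ("SW1", "SW3", 15), ("SW1", "SW2", 47),
                       ("SW2", "SW3", 5), ("SW2", "SW4", 43), ("SW3", "SW4", 19)]:
        t.add_link((a, port), (b, port))   # assumption: same port number at both ends
    return t


def show_spanning_tree(t: Topology, sw: str) -> list[tuple[str, str, str]]:
    """Rows like the Interface table of 'show spanning-tree vlan': (port, role, state)."""
    _, _, roles = t.compute()
    return [(f"Gi0/{p}", roles[(s, p)], "BLK" if roles[(s, p)] == "Altn" else "FWD")
            for (s, p) in sorted(t.ports) if s == sw]


def root_port(t: Topology, sw: str) -> int:
    _, _, roles = t.compute()
    return next(p for (s, p), r in roles.items() if s == sw and r == "Root")


def port_priority_experiment(vlan: int = 102) -> tuple[int, int, int]:
    """SW1 (root) and SW2 joined by parallel links on ports 43 and 47."""
    t = Topology(vlan)
    t.add_switch("SW1", "0018.183a.8f80")
    t.add_switch("SW2", "0024.5031.0c80")
    t.add_link(("SW1", 43), ("SW2", 43))
    t.add_link(("SW1", 47), ("SW2", 47))
    default = root_port(t, "SW2")              # 43: lower sender port number wins the tie
    t.set_port_priority(("SW2", 47), 16)       # change on SW2 itself: not in the received BPDU
    local = root_port(t, "SW2")                # still 43
    t.set_port_priority(("SW2", 47), 128)      # 'no spanning-tree port-priority'
    t.set_port_priority(("SW1", 47), 16)       # change on the uplink (sender) side
    uplink = root_port(t, "SW2")               # now 47
    return default, local, uplink


if __name__ == "__main__":
    t = lab_topology()
    for sw in ("SW1", "SW2", "SW3", "SW4"):
        print(sw, show_spanning_tree(t, sw))
    print("SW2 root port (default, local prio, uplink prio):", port_priority_experiment())
```

Running it reproduces the four Interface tables shown earlier on the page for VLAN 102, and the experiment returns (43, 43, 47): the local port-priority change is invisible to the tie-break because SW2 only ever compares what SW1 put in its BPDUs.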

STP Convergence After a Link Failure

TCN – Topology Change Notification BPDU.
A TCN makes the switches age out their CAM tables faster after a port state change: the CAM aging time is reduced from the default 300 seconds to the forward delay (15 seconds), so MAC addresses learned via the old path are flushed quickly.

When a port goes down (or a port moves to forwarding), the switch generates a TCN and sends it out its root port towards the root switch; each upstream switch acknowledges it and relays it towards the root. The root switch then sets the Topology Change flag in its configuration BPDUs for max age + forward delay (35 seconds), so every switch in the VLAN receives the notification and shortens its CAM aging time.

Some Useful Spanning Tree Features which can be configured

Port Fast:
Can be configured on switch interfaces connecting to end hosts (servers/workstations, which tend to go down and come up frequently).
Port Fast puts the port immediately into forwarding state when it comes up, skipping Listening and Learning. A port-fast port also does not generate a TCN when it goes up or down, so the STP re-convergence process and the CAM flush are not triggered.
Since port fast moves the port immediately to forwarding, it is not recommended on ports connecting to switches, as this can create temporary loops.

command on a 3560 switch:
SW2(config)#int gi 0/10
SW2(config-if)#spanning-tree portfast

By default the port fast feature only has effect when the interface is in non-trunking mode. To enable port fast on a trunk port the command is:

SW2(config-if)#spanning-tree portfast trunk
This is not the normal case and should only be done on a trunk that goes to a single end device, e.g. a router-on-a-stick or a tagging server, never to another switch.

Uplink Fast:
If the root port fails, uplink fast immediately moves an alternate (blocked) port to forwarding instead of waiting through max age + listening + learning. It is meant for access (downstream) switches with redundant uplinks to core/distribution switches; it also raises the switch's bridge priority and port costs so that the access switch is not chosen as a transit path.

It is configured in global configuration mode; the command syntax on a 3560 switch is
SW2(config)#spanning-tree uplinkfast

Backbone Fast
Backbone Fast is also a feature for access or downstream switches, to converge more quickly after an indirect link failure (a link that is not on the local switch but somewhere between the local switch and the root). When the switch starts receiving inferior BPDUs from its designated bridge it queries its root (Root Link Query) and, if the root is still reachable, skips the max age wait, cutting convergence from 50 to 30 seconds.
Backbone Fast needs to be enabled on all the switches for it to work properly.

It is configured in global configuration mode; the command syntax on a 3560 switch is
SW2(config)#spanning-tree backbonefast

BPDU Guard:
If a BPDU is received on an interface where BPDU guard is active, the port is put into error-disabled state. BPDU guard can be configured globally (where it applies only to ports in port fast state) and also per interface (where it applies regardless of port fast).

Command syntax on a 3560 switch for global configuration:
SW2(config)#spanning-tree portfast bpduguard default
Then on any interface where you do not want BPDU guard to be active you can override it per port with these commands:
SW2(config)#int gi 0/10
SW2(config-if)#spanning-tree bpduguard disable

Command syntax on a 3560 switch for interface configuration (applies whether or not port fast is enabled on the port):
SW2(config)#int gi 0/11
SW2(config-if)#spanning-tree bpduguard enable

BPDU Filter:
At interface level, this command stops the port from sending and processing BPDUs, which effectively disables STP on that port; it can create loops if the interface is connected to another switch.

configuration:
SW2(config)#int gi 0/12
SW2(config-if)#spanning-tree bpdufilter enable

When configured in global configuration mode it applies only to port-fast ports: the port sends a few BPDUs at link-up and then stops, and if a BPDU is received on the interface, the interface loses its port-fast status (and the filter) and starts running STP normally.

If BPDU filtering is needed at all, configuring it in global configuration mode is the recommended and safer option.
command syntax on 3560 switch:
SW2(config)#spanning-tree portfast bpdufilter default

UDLD – Unidirectional Link Detection:
Applies to links that can end up passing traffic in one direction only while still showing link up, which is typically a fiber link (one strand can fail or be mis-patched). A unidirectional link is dangerous for STP because a blocking port that no longer receives BPDUs will transition to forwarding and create a loop.
UDLD exchanges its own hello messages with the neighbor and err-disables the port when it detects that only one-way communication exists.

Command (interface mode; aggressive mode also err-disables the port when the neighbor stops answering UDLD hellos, not only when a mismatch is detected):
SW2(config-if)#udld port aggressive

Loop Guard:
Protects against loops caused by a unidirectional link or a neighbor that stops sending BPDUs. It is configured per interface (or globally with spanning-tree loopguard default) and does not detect a loop as such: if BPDUs stop arriving on a non-designated port (root or alternate) with loop guard enabled, that port is moved into the loop-inconsistent blocking state instead of going through listening / learning to forwarding. As soon as a BPDU is received again on a loop-inconsistent port, the port recovers and transitions to its normal STP state.

command:
SW2(config)#int gi 0/1
SW2(config-if)#spanning-tree guard loop

Root Guard:
Is used to protect the root switch placement chosen by the administrator. It is always configured under interface mode, on the interfaces facing downstream switches. If a superior BPDU (one that would make that port a root port) arrives on such an interface, the port is put into the root-inconsistent blocking state until the superior BPDUs stop arriving.

command:
SW2(config)#int gi 0/13
SW2(config-if)#spanning-tree guard root

Spanning Tree Root Inconsistent Situation.

By not using the root guard feature properly I was able to create a situation where the root is inconsistent and network connectivity is broken between the 4 switches.

Example Root Inconsistency

In this diagram,
SW1 is the current root switch for VLAN 102.
SW4 port 43 was configured with root guard.
SW1 port 15 was configured with root guard.
Then SW3 was configured with a lower priority than SW1.
The effect of configuring SW3 with a lower priority is that SW3 becomes root, and SW2 sees SW3 as root.
Since SW1 has root guard on its port connecting to SW3, SW1 does not accept SW3's superior BPDU on that port and puts port 15 into root-inconsistent state. However, SW1 still hears about SW3 through SW4 on port 1, which has no root guard, so (as the output below shows) SW1 does accept SW3 as the root over that path, at cost 8.
SW4 hears a better BPDU for the new root from SW2 on port 43; because root guard is enabled on that interface, it puts port 43 into root-inconsistent state, while it accepts SW3 as root on its unguarded port 19.
Root-inconsistent ports are blocking and block all traffic.
So it is important to note that if you are configuring root guard it must be applied consistently on all the required devices and interfaces, otherwise you end up with a partially protected, partially broken topology like this one.

SW1(config)#int gi 0/15
SW1(config-if)#spanning-tree guard root

SW4(config)#int gi 0/43
SW4(config-if)#spanning-tree guard root

SW3(config)#spanning-tree vlan 102 priority 4096

Now see the output on the switches

SW1: no longer the root. It accepts SW3 as root via SW4 on Gi0/1 (cost 8), while the root-guarded port towards SW3 is blocked as root-inconsistent.

SW1#sh span vlan 102

VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    4198
Address     0024.503c.d480
Cost        8
Port        1 (GigabitEthernet0/1)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0018.183a.8f80
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Root FWD 4         128.1    P2p
Gi0/15           Desg BKN*4         128.15   P2p *ROOT_Inc

 

SW2: SW2 no longer thinks SW1 is the root; it accepts SW3 as the new root, hence its root port is the port connecting to SW3 (Gi0/5).

SW2#sh span vlan 102

VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    4198
Address     0024.503c.d480
Cost        4
Port        5 (GigabitEthernet0/5)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.5031.0c80
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Root FWD 4         128.5    P2p
Gi0/43              Desg FWD 4         128.43   P2p

SW3: SW3 is now the root and puts all its ports in designated forwarding state, including the port connecting to SW1, which SW1 has marked root-inconsistent and blocked.

SW3#sh span vlan 102

VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    4198
Address     0024.503c.d480
This bridge is the root
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    4198   (priority 4096 sys-id-ext 102)
Address     0024.503c.d480
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Desg FWD 4         128.5    P2p
Gi0/15              Desg FWD 4         128.15   P2p

SW4: Since SW4 has root guard on its port connecting to SW2 (Gi0/43), it rejects the BPDUs from SW2 announcing SW3 as root on that port, blocks it and marks it root-inconsistent. It still accepts SW3 as root on its unguarded port 19, which connects directly to SW3.

SW4#sh span vlan 102

VLAN0102
Spanning tree enabled protocol ieee
Root ID    Priority    4198
Address     0024.503c.d480
Cost        4
Port        19 (GigabitEthernet0/19)
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
Address     0024.5031.1880
Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/43              Desg BKN*4         128.43   P2p *ROOT_Inc

If you see “*ROOT_Inc” in the output of show spanning-tree vlan, check which switches are claiming to be root and configure the one you actually want as the root of the spanning tree for that VLAN. You will only see this marker where root guard is enabled, so it may also be time to review and implement root guard on all the required interfaces and switches.

Note:
If you do not have root guard configured you will never see this message, and not seeing it can put you in an even worse situation: a rogue switch, or a deliberate attack on the ownership of the root switch, can take over the topology and you will never learn about it. Root Guard is a feature to protect the root switch and is recommended; just remember to implement it properly on all interfaces and switches as required.
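An added example (not from the original article) of turning this check into a script: it parses show spanning-tree vlan output, constructed here to mirror the two SW1 outputs on this page, and reports any port carrying an inconsistency marker as well as any switch whose root ID is not the one you intended.

```python
"""Parse 'show spanning-tree vlan N' output and report root-guard / loop-guard markers
and unexpected root claims, so the condition is caught instead of read by eye."""
from __future__ import annotations
import re
from dataclasses import dataclass

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
VLAN_RE = re.compile(r"^VLAN(\d+)\s*$", re.M)
# "Root ID  Priority 4198 <newline> Address 0024.503c.d480"; same shape for "Bridge ID"
ID_RE = re.compile(r"(Root|Bridge) ID\s+Priority\s+(\d+)[^\n]*\n\s*Address\s+(" + MAC + ")")
# "Gi0/15  Desg BKN*4  128.15  P2p *ROOT_Inc": IOS squeezes the '*' of BKN against the cost
PORT_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Root|Desg|Altn|Back)\s+(?P<state>FWD|BLK|LIS|LRN|BKN)\*?\s*"
    r"(?P<cost>\d+)\s+(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>\S+)(?:[ \t]+\*(?P<flag>\S+))?",
    re.M,
)


@dataclass
class Port:
    name: str
    role: str
    state: str
    cost: int
    port_id: tuple[int, int]
    flag: str | None        # e.g. ROOT_Inc, LOOP_Inc; only ever set when a guard feature is on


@dataclass
class StpVlan:
    vlan: int
    root_priority: int
    root_mac: str
    bridge_priority: int
    bridge_mac: str
    ports: list[Port]

    @property
    def is_root(self) -> bool:
        return self.root_mac == self.bridge_mac


def parse_show_spanning_tree(text: str) -> StpVlan:
    vlan = int(VLAN_RE.search(text).group(1))
    ids = {kind: (int(prio), mac) for kind, prio, mac in ID_RE.findall(text)}
    ports = [Port(m["intf"], m["role"], m["state"], int(m["cost"]),
                  (int(m["prio"]), int(m["nbr"])), m["flag"])
             for m in PORT_RE.finditer(text)]
    return StpVlan(vlan, *ids["Root"], *ids["Bridge"], ports)


def audit(parsed: StpVlan, expected_root_mac: str) -> list[str]:
    """Findings for one VLAN: a root other than the intended one, and any inconsistent port."""
    findings = []
    if parsed.root_mac != expected_root_mac:
        findings.append(f"VLAN{parsed.vlan}: root is {parsed.root_mac} "
                        f"(priority {parsed.root_priority}), expected {expected_root_mac}")
    for p in parsed.ports:
        if p.flag or p.state == "BKN":
            findings.append(f"VLAN{parsed.vlan}: {p.name} {p.role} {p.state} {p.flag or ''}".rstrip())
    return findings


# Constructed samples modelled on the page's SW1 outputs before and after the root-guard mishap.
SW1_HEALTHY = """\
VLAN0102
  Spanning tree enabled protocol ieee
  Root ID    Priority    32870
             Address     0018.183a.8f80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
             Address     0018.183a.8f80
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/15           Desg FWD 4         128.15   P2p
Gi0/47           Desg FWD 4         128.47   P2p
"""

SW1_ROOT_INC = """\
VLAN0102
  Spanning tree enabled protocol ieee
  Root ID    Priority    4198
             Address     0024.503c.d480
             Cost        8
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32870  (priority 32768 sys-id-ext 102)
             Address     0018.183a.8f80
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Root FWD 4         128.1    P2p
Gi0/15           Desg BKN*4         128.15   P2p *ROOT_Inc
"""

if __name__ == "__main__":
    for name, text in (("healthy", SW1_HEALTHY), ("root-inconsistent", SW1_ROOT_INC)):
        print(name, audit(parse_show_spanning_tree(text), "0018.183a.8f80") or ["ok"])
```

Feed it the output collected from every switch (for example over SSH from a monitoring job) with the MAC of the intended root per VLAN; a finding on any switch, or a root ID that differs between switches, is exactly the split-root condition shown above.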

 

 
