It7370-En Switch v6 Ch03


Transcript of It7370-En Switch v6 Ch03

  • 8/15/2019 It7370-En Switch v6 Ch03

    1/27

    2006, Cisco Systems, Inc. All rights reserved. 1


  • Slide 3/27

    Use this diagram if it is helpful

    Top line shows the algorithms (and protocols) used for convergence. These are the real spanning tree protocols.

    Middle line shows the IEEE methods for using the algorithms in the presence of VLANs.

    The bottom line shows Cisco proprietary methods for using the algorithms in the presence of VLANs.

    Two aspects of Spanning Tree:

    • The algorithm (and protocol) used for convergence (802.1D and 802.1w)

    • The way instances are applied in the presence of VLANs

    CST: One STP instance means less CPU load. All traffic from all VLANs travels over the same path, so it can be suboptimal; no load balancing.

    PVST: Load balancing – different links forward different VLANs and are blocked (standby) for others. ISL required.

    PVST+: Tunnels BPDUs through CST using a unique multicast address (which CST switches ignore and simply forward), with enhancements such as PortFast, BPDU guard, BPDU filter, root guard and loop guard.

    RSTP: Faster convergence. Single or multiple instances.

    Rapid PVST+: Cisco RSTP with PVST+

    MST: 802.1s (then 802.1Q-2005) IEEE standard for RSTP in the presence of several VLANs

    See also table 3-1 for resource requirements and convergence

  • Slide 4/27

    See Table 3-2 for port roles

    Port States

    • Blocking: The Layer 2 port is a nondesignated port and does not participate in frame forwarding.

    The port receives BPDUs to determine the location and root ID of the root switch and which port roles (root, designated, or nondesignated) each switch port should assume in the final active STP topology. By default, the port spends 20 seconds in this state (max age).

    • Listening: Spanning tree has determined that the port can participate in frame forwarding according to the BPDUs that the switch has received so far. At this point, the switch port is not only receiving BPDUs, but it is also transmitting its own BPDUs and informing adjacent switches that the switch port is preparing to participate in the active topology. By default, the port spends 15 seconds in this state (forward delay).

    • Learning: The Layer 2 port prepares to participate in frame forwarding and begins to populate the CAM table. By default, the port spends 15 seconds in this state (forward delay).

    • Forwarding: The Layer 2 port is considered part of the active topology; it forwards frames and also sends and receives BPDUs.

    • Disabled: The Layer 2 port does not participate in spanning tree and does not forward frames.

    Port cost example – page 124

    Tie Breaks

    1. Lowest Root Bridge ID

    2. Lowest Root Path Cost

    3. Lowest Sender ID

    4. Lowest Sender Port ID

  • Slide 5/27

    • The IEEE 802.1w standard (RSTP) is an evolution, rather than a revolution, of the 802.1D standard. The 802.1D terminology remains primarily the same, and most parameters are left unchanged, so users who are familiar with 802.1D can rapidly feel at home when configuring the new protocol. In most cases, RSTP performs better than the Cisco proprietary extensions, with negligible additional configuration. In addition, 802.1w can revert to 802.1D to interoperate with legacy bridges on a per-port basis. Reverting to 802.1D negates the benefits of 802.1w for that particular segment.

    See table 3-3 for port states

    Port Roles

    • Root: The root port is the switch port on every nonroot bridge that is the chosen path to the root bridge. Only one root port can be on every switch. The root port assumes the forwarding state in a stable active topology. In Figure 3-4, the root port is marked as R.

    • Designated: Each segment has at least one switch port as the designated port for that segment. In a stable, active topology, the switch with the designated port receives frames on the segment that are destined for the root bridge. There can be only one designated port per segment. The designated port assumes the forwarding state. All switches that are connected to a given segment listen to all BPDUs and determine the switch that will be the designated switch for a particular segment. In Figure 3-4, the designated port is marked as D.

    • Alternate: The alternate port is a switch port that offers an alternative path toward the root bridge. The alternate port assumes a discarding state in a stable, active topology. An alternate port is present on nondesignated switches and makes a transition to a designated port if the current designated path fails. In Figure 3-4, the alternate port is marked as A.

    • Backup: The backup port is an additional switch port on the designated switch with a redundant link to the segment for which the switch is designated. A backup port has a higher port ID than the designated port on the designated switch. The backup port assumes the discarding state in a stable, active topology. In Figure 3-4, the backup port is marked as B.

    • Disabled: A port that has no role within the operation of spanning tree.

  • Slide 6/27

    Link Types

    • P-P: Port operating in full-duplex mode. It is assumed that the port is connected to a single switch device at the other end of the link.

    • Shared: Port operating in half-duplex mode. It is assumed that the port is connected to shared media where multiple switches might exist.

    • Designated ports make the most use of the link type parameter. Rapid transition to the forwarding state for the designated port occurs only if the link type parameter indicates a point-to-point link.

  • Slide 7/27

    See pages 133-

  • Slide 8/27

    • Top: no VLANs (CST)

    • Bottom: VLANs (PVST+, RPVST+ and MST)

    • In MST, ESI carries instance number

  • Slide 10/27

    • The main purpose of MST is to reduce the total number of spanning-tree instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.

    • Problem when there are a large number of VLANs: PVST+ requires one STP instance per VLAN, which takes CPU cycles, memory and bandwidth.

    • MST requires only 2 STP instances in this scenario.

  • Slide 12/27

    • Page 145

  • Slide 13/27

    • Also

    • show spanning-tree mst

    • show spanning-tree interface fa0/1

    • show spanning-tree mst 1 detail

  • Slide 14/27

    • STP is a mature protocol, benefiting from years of development and production deployment; however, STP makes assumptions about the quality of the network and it can fail. Those failures are generally high-profile failures because of the extent to which they impact the network. STP is designed to never open, even temporarily, a loop during its operation. However, like any protocol, it is based on some assumptions that might not be valid in the network. To help STP converge faster and for the protocol behavior to match your network infrastructure, several features are available to filter the way Bridge Protocol Data Units (BPDUs) are sent or received, and to alter the way the network should react if an unexpected network topology change occurs. 802.1D does not prevent unwanted devices from becoming the root bridge of the spanning tree, and no mechanism exists to selectively discard BPDUs from certain ports. The Cisco STP toolkit provides tools to better manage STP. Features such as Root Guard and BPDU Guard solve the problem of unauthorized or inappropriate devices causing network topology changes.

    • In addition, network device failures can cause bridging loops or black holes in the network. The Cisco Unidirectional Link Detection (UDLD) and loop guard features prevent network device failures that are due to faulty hardware or software errors. Problems such as link duplex mismatch, unidirectional link failure, frame corruption, resource errors, and misconfigurations can disrupt the spanning tree, which in turn disrupts network traffic. As a result, understanding how to troubleshoot spanning-tree problems is critical in maintaining high network availability. The following best practices for spanning tree prevent problems and aid in quick network recovery if unforeseen anomalous events occur. The remainder of this chapter introduces the STP enhancements with sample configurations. This section also discusses how to tune STP for higher availability and resiliency. STP does not provide checks and balances to ensure high availability in multilayer switched networks.

  • Slide 16/27

    • Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in a spanning-tree loop.

    • When enabled globally, BPDU filtering has these attributes:

      • It affects all operational PortFast ports on switches that do not have BPDU filtering configured on the individual ports.

      • If BPDUs are seen, the port loses its PortFast status, BPDU filtering is disabled, and STP sends and receives BPDUs on the port as it would with any other STP port on the switch.

      • Upon startup, the port transmits ten BPDUs. If this port receives any BPDUs during that time, PortFast and PortFast BPDU filtering are disabled.

    • When enabled on an interface, BPDU filtering has these attributes:

      • It ignores all BPDUs received.

      • It sends no BPDUs.

  • Slide 17/27

    • Switches A and B comprise the core of the network. Switch A is the root bridge.

    • Switch C is an access layer switch. When Switch D is connected to Switch C, it begins to participate in STP. If the priority of Switch D is 0 or any value lower than that of the current root bridge, Switch D becomes the root bridge.

    • Having Switch D as the root causes the Gigabit Ethernet link connecting the two core switches to block, thus causing all the data to flow via a 100-Mbps link across the access layer. This is obviously a terrible outcome.

  • Slide 18/27

    Enable Root Guard on Switches A, B, and C on the following ports:

    • Switch A (Distribution/Core): Any access port

    • Switch B (Distribution/Core): Any access port

    • Switch C (Access): Any access port, including the port connecting to Switch D

    • The current design recommendation is to enable root guard on all access ports so that a root bridge is not established through these ports.

    • In this configuration, Switch C blocks the port connecting to Switch D when it receives a superior BPDU. The port transitions to the root-inconsistent STP state. No traffic passes through the port while it is in the root-inconsistent state.

    • When Switch D stops sending superior BPDUs, the port unblocks again and goes through the regular STP transitions of listening and learning, and eventually to the forwarding state. Recovery is automatic; no intervention is required.
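As an added example (not part of the course notes and not Cisco code), the Python below models the four-step tie-break order listed under "Tie Breaks" earlier and the root guard decision in the Switch A/B/C/D scenario; the bridge IDs, costs and port numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bpdu:
    root_id: tuple        # (priority, MAC) of the bridge the sender believes is root
    root_path_cost: int   # sender's cost to reach that root
    sender_id: tuple      # (priority, MAC) of the sending bridge
    sender_port: int      # port ID on the sending bridge

    def key(self):
        # Lower wins at every position. Python compares tuples left to right,
        # which is exactly the tie-break order from the notes: root bridge ID,
        # then root path cost, then sender bridge ID, then sender port ID.
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port)


def is_superior(received: Bpdu, held: Bpdu) -> bool:
    """True if the received BPDU beats the one the port currently holds."""
    return received.key() < held.key()


def root_guard_decision(received: Bpdu, held: Bpdu, root_guard: bool) -> str:
    """State of an access port after a BPDU arrives on it.

    Without root guard a superior BPDU is accepted and the sender becomes root
    (the Switch D outcome). With root guard the port is put into the
    root-inconsistent state instead and stays there until the superior BPDUs
    stop; the normal listening/learning/forwarding transitions then resume.
    """
    if not is_superior(received, held):
        return "forwarding"          # inferior BPDU: the designated port keeps forwarding
    return "root-inconsistent" if root_guard else "new-root-accepted"


# Constructed bridge IDs: (priority, MAC). Switch A is root at the default
# priority 32768; Switch D is plugged in with priority 0.
SWITCH_A = (32768, "0000.0000.000a")
SWITCH_D = (0, "0000.0000.000d")

# BPDU Switch C normally holds on its port toward the access layer (from A, cost 0)
HELD_ON_C = Bpdu(root_id=SWITCH_A, root_path_cost=0, sender_id=SWITCH_A, sender_port=1)
# BPDU Switch D starts sending, announcing itself as root
FROM_D = Bpdu(root_id=SWITCH_D, root_path_cost=0, sender_id=SWITCH_D, sender_port=1)


def scenario():
    """The Switch D scenario with and without root guard, plus a port-ID tie-break."""
    return {
        "without_root_guard": root_guard_decision(FROM_D, HELD_ON_C, root_guard=False),
        "with_root_guard": root_guard_decision(FROM_D, HELD_ON_C, root_guard=True),
        # Same root, cost and sender: only the sender port ID differs, so the
        # BPDU from the lower-numbered port wins (tie-break 4).
        "port_id_tiebreak": is_superior(Bpdu(SWITCH_A, 0, SWITCH_A, 1),
                                        Bpdu(SWITCH_A, 0, SWITCH_A, 2)),
    }


if __name__ == "__main__":
    print(scenario())
```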

  • Slide 19/27

    • Ports in the root-inconsistent state recover automatically with no human intervention after the port stops receiving superior BPDUs. The port goes through the listening state to the learning state, and eventually transitions to the forwarding state.

  • Slide 20/27

    • Bridging loops occur when a port erroneously transitions to forwarding state because it has stopped receiving BPDUs.

    • Ports with loop guard enabled do an additional check before transitioning to forwarding state. If a nondesignated port stops receiving BPDUs, the switch places the port into the STP loop-inconsistent blocking state.

    • If a switch receives a BPDU on a port in the loop-inconsistent STP state, the port transitions through STP states according to the received BPDU. As a result, recovery is automatic, and no manual intervention is necessary.

    • Prevention of forwarding loops and black holes in a network is a required aspect of network design. Black holes in the network are created when a device that receives frames has no forwarding information for that packet and thus essentially drops all such packets. Cisco Catalyst switches support two important features to address such conditions:

      • Loop Guard: The Loop Guard STP feature improves the stability of Layer 2 networks by preventing bridging loops.

      • UDLD: UDLD detects and disables unidirectional links.


  • Slide 21/27

    • Configure Loop Guard on a per-port basis, although the feature blocks inconsistent ports on a per-VLAN basis; for example, on a trunk port, if BPDUs are not received for only one particular VLAN, the switch blocks only that VLAN (that is, moves the port for that VLAN to the loop-inconsistent STP state). In the case of an EtherChannel interface, the channel status goes into the inconsistent state for all the ports belonging to the channel group for the particular VLAN not receiving BPDUs.

    • Enable Loop Guard on all nondesignated ports. Loop guard should be enabled on root and alternate ports for all possible combinations of active topologies.

    • Loop Guard is disabled by default on Cisco switches.
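As an added example (not part of the course notes and not Cisco code), the Python below models the loop guard behaviour described on the two slides above: a nondesignated trunk port keeps a BPDU timer per VLAN, and when only one VLAN's BPDUs age out, only that VLAN is moved to loop-inconsistent and recovers by itself when a BPDU returns. The VLAN numbers, timestamps and the 20-second max age are constructed for the example.

```python
MAX_AGE = 20  # seconds; the 802.1D max age default quoted in the port-state notes


class LoopGuardTrunkPort:
    """Nondesignated (root or alternate) trunk port, with or without loop guard."""

    def __init__(self, vlans, now, loop_guard=True):
        self.loop_guard = loop_guard
        self.last_bpdu = {v: now for v in vlans}       # per-VLAN "last BPDU heard"
        self.state = {v: "blocking" for v in vlans}     # per-VLAN STP state

    def receive_bpdu(self, vlan, now):
        # A BPDU refreshes that VLAN's timer. A loop-inconsistent VLAN recovers by
        # itself: it re-enters the normal listening -> learning -> forwarding path
        # (modelled here as the first step, listening); no manual intervention.
        self.last_bpdu[vlan] = now
        if self.state[vlan] == "loop-inconsistent":
            self.state[vlan] = "listening"

    def tick(self, now):
        # Timer expiry: evaluate every VLAN whose BPDUs have not been heard for max age.
        for vlan, heard in self.last_bpdu.items():
            if now - heard < MAX_AGE:
                continue
            if self.loop_guard:
                # Loop guard's extra check: silence on a nondesignated port is treated
                # as a failure, so the VLAN is held in loop-inconsistent (still blocked).
                self.state[vlan] = "loop-inconsistent"
            else:
                # Without loop guard the port assumes it may now be designated and starts
                # toward forwarding; this is the erroneous transition that opens a loop.
                self.state[vlan] = "listening"
        return dict(self.state)


def scenario(loop_guard=True):
    """Trunk carrying VLANs 10 and 20; BPDUs for VLAN 20 stop after t=0.

    Returns (states when the timer fires at t=25, states after VLAN 20's BPDUs return).
    """
    port = LoopGuardTrunkPort(vlans=(10, 20), now=0, loop_guard=loop_guard)
    for t in range(5, 30, 5):          # VLAN 10 keeps hearing its BPDUs every 5 s
        port.receive_bpdu(10, t)
    at_timer = port.tick(25)
    port.receive_bpdu(20, 26)          # a BPDU for VLAN 20 arrives again
    return at_timer, dict(port.state)


if __name__ == "__main__":
    print(scenario(loop_guard=True))
    print(scenario(loop_guard=False))
```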

  • Slide 23/27

    • UDLD is used when a link should be shut down because of a hardware failure that is causing unidirectional communication. In an EtherChannel bundle, UDLD shuts down only the physical link that has failed.

  • Slide 24/27

    • UDLD is used when a link should be shut down because of a hardware failure that is causing unidirectional communication. In an EtherChannel bundle, UDLD shuts down only the physical link that has failed.

    • UDLD messages are sent every 60 seconds.

    • Use these commands to reset an interface shut down by UDLD:

      • The udld reset privileged EXEC command to reset all interfaces shut down by UDLD

      • The shutdown and no shutdown interface configuration commands

      • The no udld enable global configuration command followed by the udld {aggressive | enable} global configuration command to re-enable UDLD globally

      • The no udld port interface configuration command followed by the udld port or udld port aggressive interface configuration command to re-enable UDLD on the specified interface

      • The errdisable recovery cause udld and errdisable recovery interval interval global configuration commands to automatically recover from the UDLD error-disabled state.

  • Slide 25/27

    • Note: on cisco.com, it is written “Flex Links”, not “FlexLinks”.

    • Flex Links is a Layer 2 availability feature that provides an alternative solution to STP and allows users to turn off STP and still provide basic link redundancy.

    • Flex Links can coexist with spanning tree on the distribution layer switches; however, the distribution layer switches are unaware of the Flex Links feature.

    • Flex Links enables a convergence time of less than 50 milliseconds. In addition, this convergence time remains consistent regardless of the number of VLANs or MAC addresses configured on switch uplink ports.

    • Flex Links is based on defining an active/standby link pair on a common access switch. Flex Links are a pair of Layer 2 interfaces, either switchports or port channels, that are configured to act as backup to other Layer 2 interfaces.

  • Slide 26/27

    • Use Layer 3 connectivity at the distribution and core layers.

    • Use PVRST+ or MST. Do not disable STP at the access layer. Isolate different STP domains in a multivendor environment.

    • Use Loop Guard on Layer 2 ports between distribution switches and on uplink ports from access to distribution switches.

    • Use Root Guard on distribution switches facing access switches.

    • Use port security, PortFast, BPDU Guard, and Root Guard on access switch ports facing end stations.

    • Use aggressive mode UDLD on ports linking switches.

    • Using Layer 3 between the distribution and core layer allows multipathing (up to 16 paths) using Equal-Cost Multipathing (ECMP) without dependency on STP and is strongly preferred unless there is a need to extend Layer 2 across a data center pod (distribution block). ECMP refers to the situation in which a router has multiple equal-cost paths to a prefix, and thus load-balances traffic over each path. Newer technologies such as Catalyst 6500 Virtual Switching System or Nexus 7000 virtual Port Channel (vPC) enable multipathing at Layer 2.

    • Spanning tree should be used and its topology controlled by manual root bridge designation. When the tree is created, use the STP toolkit to enhance the overall mechanism performance and reduce the time lost during topology changes. To configure a VLAN instance to become the root bridge, enter the spanning-tree vlan vlan_ID root command to modify the bridge priority from the default value (32768) to a significantly lower value. Manually placing the primary and secondary bridges along with enabling STP toolkit options enables you to support a deterministic configuration where you know which ports should be forwarding and which ports should be blocking.

    • Even if the recommended design does not depend on STP to resolve link or node failure events, STP is required to protect against user-side loops. A loop can be introduced on the user-facing access layer ports in many ways. Wiring mistakes, misconfigured end stations, or malicious users can create a loop. STP is required to ensure a loop-free topology and to protect the rest of the network from problems created in the access layer.
