Spanning Tree Protocol (1)

Network redundancy

  • Redundancy is an essential part of network design. A network that is not redundant is simply not acceptable.

  • Modern networks are expected to run all the time. Even a short downtime can be disastrous for a business.

  • If one network component fails, you must ensure that other components will take over with little or no downtime.

  • You must implement redundancy at every possible point in the network.

  • Network engineers are responsible for making sure that business-critical infrastructure is as resilient to failures as possible.

Poorly-designed network

  • Here, there are many points of failure which could cut off connectivity.

  • If the connection between router and cloud is cut off due to hardware failure, the entire network loses connectivity to the internet.

Good network design

  • If a router has a hardware problem and goes down, the PCs can reach the internet via an alternate path.

  • But if the switch connected to the PC fails, all hosts connected to that switch would lose connectivity.

  • Unfortunately, most PCs only have a single network interface card (NIC), so they can only be plugged into a single switch.

  • However, important servers have multiple NICs, so they can be plugged into multiple switches for redundancy.

Spanning Tree Protocol (STP) is one among the many protocols that are used to enable network redundancy.

Spanning tree is a Layer 2 protocol. It enables redundant Layer 2 networks. So it operates within the LAN in the picture above, not in the routing out to the internet or between networks at Layer 3.

Benefit of a redundant LAN: multiple paths between the switches provide an alternate path if one connection fails.

Broadcast storms

  • PC1 wants to send some traffic to PC2. For that it needs to know PC2's MAC address.

  • So PC1 sends an ARP request frame, which is a broadcast frame using the broadcast MAC address (all F's) as its Layer 2 destination address.

  • When SW1 receives the frame, it floods out of all interfaces, except the one it was received on.

  • So, SW2 and SW3 receive a copy of the frame. They then flood it out of all their interfaces, except the one it was received on.

  • So PC2 receives the ARP request and will reply with a unicast ARP reply.

  • Although PC2 received the ARP request and sent its reply, these broadcast frames still remain in the network (between SW2 and SW3).

  • SW2 and SW3 will continue flooding them and now SW1 receives 2 broadcast frames on 2 different interfaces. It will once again flood them. Now SW2 and SW3 receives the broadcast frames. This repeats.

  • The TTL (Time To Live) field of the IP header is used to prevent infinite loops at Layer 3, but the Ethernet header does not have a TTL field.

  • These broadcast frames will loop around the network indefinitely. If enough of these looped broadcasts accumulate in the network, the network will be too congested for legitimate traffic to use the network. This is called a broadcast storm.

  • Each time a frame arrives on a switchport, the switch uses the source MAC address field to learn the MAC address and update its MAC address table. When frames with the same source MAC address repeatedly arrive on different interfaces, the switch is continuously updating the interface in its MAC address table. This is known as MAC address flapping.
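The flooding behaviour described above can be simulated round by round. The following is an added example, not part of the course notes: a constructed triangle of three switches (SW1, SW2, SW3) in which a broadcast from a host on SW1 is flooded out of every link except the one it arrived on. It counts the frames the switches produce each round and how often a switch has to move the host's MAC address to a different link in its MAC address table (flapping), first with all links active and then with the SW2-SW3 link blocked the way STP would block it.

```python
# Added example (not from the notes): a round-by-round simulation of broadcast
# flooding in a looped switch topology, showing why frames without a TTL loop
# forever and how one blocked link stops the storm. Topology is constructed.

def flood_rounds(links, blocked=frozenset(), start="SW1", rounds=6, inject=False):
    """Simulate flooding of a broadcast frame that enters the network at `start`.

    links:   iterable of frozenset({switchA, switchB}), one entry per cable
    blocked: links that STP has put in blocking state (no frames cross them)
    inject:  if True, the host sends one new broadcast every round, so the
             frames in flight accumulate the way the notes describe
    Returns (history, flaps): frames produced by the switches in each round,
    and how many times a switch had to move the host's MAC address to a
    different link in its MAC address table (MAC address flapping).
    """
    active = [link for link in links if link not in blocked]
    adj = {}
    for link in active:
        for sw in link:
            adj.setdefault(sw, []).append(link)

    # A frame in flight is (switch it is arriving at, link it arrives on).
    # The host's own frame arrives on the access port, labelled "host" here.
    in_flight = [(start, "host")]
    learned = {}        # switch -> link on which the host's MAC was last learned
    flaps = 0
    history = []
    for _ in range(rounds):
        produced = []
        for sw, in_link in in_flight:
            # Source-MAC learning: the learned port moving counts as a flap.
            if sw in learned and learned[sw] != in_link:
                flaps += 1
            learned[sw] = in_link
            # Flood out every active link except the one the frame arrived on.
            for link in adj.get(sw, []):
                if link == in_link:
                    continue
                (neighbor,) = link - {sw}
                produced.append((neighbor, link))
        history.append(len(produced))
        if inject:
            produced.append((start, "host"))
        in_flight = produced
    return history, flaps


# Constructed topology: SW1, SW2 and SW3 cabled in a triangle (one loop).
RING = [frozenset({"SW1", "SW2"}), frozenset({"SW2", "SW3"}), frozenset({"SW1", "SW3"})]
STP_BLOCKED = frozenset({frozenset({"SW2", "SW3"})})   # the link STP would block

if __name__ == "__main__":
    print("no STP:  ", flood_rounds(RING, inject=True))
    print("with STP:", flood_rounds(RING, blocked=STP_BLOCKED, inject=True))
```

With every link active a single broadcast never dies out (two copies stay in flight in every round) and a new broadcast per round makes the in-flight count grow without bound; with the SW2-SW3 link blocked, each broadcast is gone after one round and no MAC address ever flaps. In a topology where each switch has more redundant links the growth is exponential rather than linear, because every copy is flooded out of several ports.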

Spanning Tree Protocol is one way to design a network with redundant paths that does not result in Layer 2 loops.

Spanning Tree Protocol

  • 'Classic STP' is IEEE 802.1D

  • Switches from all vendors run STP by default, because it is important to prevent Layer 2 loops.

  • STP prevents Layer 2 loops by placing redundant ports in a blocking state, essentially disabling the interface.

  • These interfaces act as backups that can enter a forwarding state if an active (currently forwarding) interface fails.

  • Interfaces in a forwarding state behave normally. They send and receive normal traffic.

  • Interfaces in a blocking state only send or receive STP messages (called BPDUs - Bridge Protocol Data Units).

(A bridge was a transitional stage between the hub and the switch. Bridges are not used in modern networks. 'Bridge' in STP refers to 'switch'.)

STP working

  • By selecting which ports are forwarding and which ports are blocking, STP creates a single path to/from each point in the network. This prevents Layer 2 loops.

  • There is a set process that STP uses to determine which ports should be forwarding and which should be blocking.

  • STP-enabled switches send/receive Hello BPDUs out of all interfaces, the default timer is 2 seconds (the switch will send a Hello BPDU out of every interface, once every 2 seconds).

  • If a switch receives a Hello BPDU on an interface, it knows that interface is connected to another switch (routers, PCs do not use STP).

Switches use these BPDUs to advertise themselves to other switches, and to learn about other switches.

Root bridge

  • Switches use one field in STP BPDU, the Bridge ID field, to elect a root bridge for the network.

  • The switch with the lowest Bridge ID becomes the root bridge.

  • All ports on the root bridge are put in a forwarding state, and other switches in the topology must have a path to reach the root bridge.

Traditional Bridge ID

  Field             Size
  Bridge priority   16 bits
  MAC address       48 bits

  • The default bridge priority is 32768 on all switches, so by default the MAC address is used as the tie-breaker (lowest MAC becomes the root bridge, as the priority is same).

  • The g0/2 interface in each switch is connected to a PC, and because it isn't receiving any BPDUs, it knows it is safe to go into forwarding mode as there is no risk of creating a Layer 2 loop.

  • All the switches have the same default priority but SW1 has the lowest MAC address, so it will become the root bridge of this network.

  • All ports on the root bridge become designated ports, in a forwarding state.

Updated Bridge ID

Bridge Priority has been updated to be made of 2 parts.

  Field                Size
  Bridge priority      4 bits
  Extended system ID   12 bits (VLAN ID)
  MAC address          48 bits

(The VLAN number is 12 bits in length.)

  • Cisco switches use a version of STP called PVST - Per VLAN Spanning Tree.

  • PVST runs a separate STP instance in each VLAN, so in each VLAN different interfaces can be forwarding or blocking.

  • One interface could be forwarding in VLAN1, but blocking in VLAN2.

  • By adding the VLAN ID into the bridge priority, the switch will have a different bridge ID in each VLAN.

Bridge priority field

  • Because the total field is 16 bits in length, and the most significant bit (the 16th bit, with value 32768) is set to 1 by default, the default bridge priority was 32768.

  • However, with the addition of the extended-system ID (adding the VLAN ID number to the bridge priority), the default bridge priority is actually 32769, because the default VLAN ID is 1.

  • In the default VLAN of 1, the default bridge priority is actually 32769 (32768+1).

  • If you want to increase the switch's bridge priority without changing VLAN numbers, what is the minimum unit of increase?

  • The bridge priority + extended system ID is a single field of the bridge ID, however the extended system ID is set and cannot be changed because it is determined by the VLAN ID.

  • Therefore you can only change the total bridge priority (bridge priority + extended system ID) in units of 4096, the value of the least significant bit of the bridge priority portion (the 13th bit of the 16-bit field).

The STP bridge priority can only be changed in units of 4096. So, the valid values are 0, 4096, 8192, 12288 etc. The extended system ID will then be added to this number to make the total bridge priority value.

  • When in VLAN1, the priority for each switch is 32769.

  • If there are multiple VLANs, say VLAN2, VLAN3, the priority would be 32770, 32771 respectively.

  • We could also change the bridge priority on the switches for a specific VLAN. For example, SW1 is the root bridge in VLAN1, SW2 could be the root bridge in VLAN2, etc.
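The bridge ID arithmetic above (4-bit priority, 12-bit extended system ID, 48-bit MAC, priority only configurable in steps of 4096) can be checked in code. The following is an added example, not taken from the course: it builds the per-VLAN bridge ID, rejects priorities that are not multiples of 4096, and elects the root bridge for a VLAN by lowest bridge ID. The switch names, MAC addresses and priorities are constructed, and a priority of 28672 on SW2 in VLAN 2 is the assumed configuration change.

```python
# Added example (not from the notes): build the PVST+ bridge ID from the
# bridge priority, the extended system ID (VLAN) and the MAC address, enforce
# the 4096-step rule, and elect the root bridge per VLAN. Switch names, MACs
# and priorities are constructed.

PRIORITY_STEP = 4096      # value of the lowest of the 4 priority bits (bit 13 of the 16-bit field)
MAX_PRIORITY = 61440      # 15 * 4096, all four priority bits set
MAC_BITS = 48


def validate_priority(priority):
    """The configurable priority occupies the upper 4 bits of a 16-bit field,
    so the only legal values are multiples of 4096 from 0 to 61440."""
    if not 0 <= priority <= MAX_PRIORITY or priority % PRIORITY_STEP:
        raise ValueError(f"priority {priority} is not a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    return priority


def total_priority(priority, vlan):
    """16-bit field = bridge priority (4 bits) + extended system ID (12-bit VLAN)."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside 1..4094")
    return priority | vlan          # the VLAN fills the 12 low bits


def bridge_id(priority, vlan, mac):
    """64-bit bridge ID: total priority (16 bits) followed by the MAC (48 bits).
    Accepts Cisco dotted (0000.1111.2222) or colon-separated MAC notation."""
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (total_priority(priority, vlan) << MAC_BITS) | mac_int


def elect_root(switches, vlan):
    """switches: {name: {"mac": str, "priority": {vlan: int}}}; a VLAN with no
    explicit priority uses the default 32768. The lowest bridge ID wins."""
    def bid(name):
        sw = switches[name]
        return bridge_id(sw["priority"].get(vlan, 32768), vlan, sw["mac"])
    return min(switches, key=bid)


# Constructed lab: default priorities everywhere, except SW2 lowered in VLAN 2.
SWITCHES = {
    "SW1": {"mac": "0000.0000.0001", "priority": {}},
    "SW2": {"mac": "0000.0000.0002", "priority": {2: 28672}},
    "SW3": {"mac": "0000.0000.0003", "priority": {}},
}

if __name__ == "__main__":
    print(total_priority(32768, 1))        # 32769, as in the notes
    print(elect_root(SWITCHES, 1))         # SW1: priorities tie, lowest MAC wins
    print(elect_root(SWITCHES, 2))         # SW2: 28673 beats 32770
```

Because the VLAN is OR-ed into the low 12 bits, the same switch has a different bridge ID in every VLAN, which is what lets PVST elect a different root per VLAN.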

Root bridge extras

  • When a switch is powered on, it assumes it is the root bridge.

  • It will only give up its position if it receives a 'superior' BPDU (lower bridge ID).

  • Once the topology has converged and all switches agree on the root bridge, only the root bridge generates BPDUs.

  • The reason all switches send BPDUs at first is because they all think they are the root bridge.

  • Other switches in the network will forward BPDUs from the root bridge, but will not generate their own BPDUs.

Step 1 : The switch with the lowest bridge ID is elected as the root bridge. All ports on the root bridge are designated ports (forwarding state).

Root port

Step 2 : Each remaining switch will select ONE of its interfaces to be its root port.

1.) The interface with the lowest root cost will be the root port. Root ports are also in forwarding state.

(That means there is one root port on each switch in the network, EXCEPT on the root bridge).

Root cost

  Speed      STP cost
  10 Mbps    100
  100 Mbps   19
  1 Gbps     4
  10 Gbps    2

  • The root cost is the total cost of the outgoing interfaces along the path to the root bridge.

  • SW1 is the root bridge, so it has a cost of 0 on all interfaces. You don't count the cost of the receiving interface, just the sending (outgoing) interface.

  • So, SW1 advertises its root cost of 0 in its BPDUs.

  • SW2 will receive the BPDU and add the cost of its outgoing interface, g0/1, which is 4 (Gigabit Ethernet), when it floods those BPDUs out of its interfaces.

  • SW3 will do the same.

SW2's logic:

  • On g0/1,

    • I was advertised a cost of 0

    • My interface cost = 4

    • Total cost via g0/1 = 4

  • On g0/0,

    • I was advertised a cost of 4

    • My interface cost = 4

    • Total cost via g0/0 = 4

  • So, it will select g0/1 as the root port.

SW3's logic:

  • On g0/0,

    • I was advertised a cost of 0

    • My interface cost = 4

    • Total cost via g0/0 = 4

  • On g0/1,

    • I was advertised a cost of 4

    • My interface cost = 4

    • Total cost via g0/1 = 4

  • So, it will select g0/0 as the root port.

In this case, the ports directly across each root port are the root bridge's, so they are already designated ports. However, the port connected to another switch's root port MUST be designated. Because the root port is the switch's path to the root bridge, another switch must not block it. Ports connected to root ports are always designated ports.

2.) The interface connected to the neighbor with the lowest bridge ID will be selected as the root port.

Exercise

  • Which switch will become the root bridge?

    • SW2, because it has the lowest priority. So, SW2's ports are all designated

  • Which ports will become root ports?

    • All interfaces are gigabit ethernet, so the cost is 4 on all.

    • If there is a tie, in finding the root cost, the switch will select the interface connected to the neighbor with the lowest bridge ID.

    • One port in each switch will be selected as root ports.

    • SW1's g0/0 and SW4's g0/1 have a cost of 4, so they are selected.

    • On SW3, via g0/0 and g0/1 the cost is 8. So, use the tie-breaker.

    • Find the neighbor (SW1, SW4) with the lowest bridge ID. Both their priorities are the same but SW1's MAC is lower.

    • So, g0/0 is selected as the root port, and SW1's g0/1 becomes designated.

Port ID

What if 2 switches have 2 connections between them, so both the root cost and the neighbor bridge ID are the same?

3.) The interface connected to the interface on the neighbor switch with the lowest port ID will become the root port.

  • Prio.Nbr in 'SW1# show spanning-tree' lists the spanning-tree port ID of each interface on the switch.

  • Each port has a default priority of 128 and then a unique port number, like 1 for g0/0, 2 for g0/1 etc on the switch.

  • STP port ID = port priority (default 128) + port number.

  • Neighbor switch's port number is used as the tie-breaker if the priorities tie.

Continuing from the exercise above, now there are 2 connections between SW1 and SW3. Which port will SW3 select as the root port?

  • g0/2 will be selected as the root port, because it is connected to a lower port ID on the neighbor switch, SW1.

  • g0/0 is connected to a higher port ID on SW1.

The NEIGHBOR switch's port ID is used to break the tie, not the local switch's port ID.

  • So, SW1's g0/1 is a designated port, because it is connected to SW3's root port.

Designated port

Step 3 : Each remaining collision domain will select ONE interface to be a designated port. The other port in the collision domain will be non-designated port (blocking state).

  • We need to block some ports to prevent Layer 2 loops.

  • Both root ports and designated ports are always in a forwarding state.

  • The only connection left is between SW2 and SW3.

  • Every collision domain has a single spanning tree designated port.

Unlike Ethernet hubs, in switches each link is a separate collision domain.

  • So, the collision domain between SW1 and SW2, SW1 and SW3 has one designated port each.

  • And the connections with PCs are all designated ports in forwarding state, because the PCs don't participate in spanning tree.

  • So, there should be one designated port between SW2 and SW3.

To determine designated port :

  • The switch with the lowest root cost will make its port designated.

  • If the root cost is the same, the switch with the lowest bridge ID will make its port designated.

  • The other switch will make its port non-designated (blocking).

  • Here, the root cost is the same. 4 for SW2 via g0/1 and 4 for SW3 via g0/0.

  • So, for the tie-breaker, SW2 has the lower bridge ID, so its g0/0 interface will be designated.

  • The other switch (SW3) will make its port non-designated, which means it is in a blocking state.

Steps

  1. One switch is elected as the root bridge. All ports on the root bridge are designated ports (forwarding state). Root bridge selection :

    1. Lowest bridge ID

  2. Each remaining switch will select ONE of its interfaces to be its root port (forwarding state). Ports across from the root port are always designated ports. Root port selection :

    1. Lowest root cost

    2. Lowest neighbor bridge ID

    3. Lowest neighbor port ID

  3. Each remaining collision domain will select ONE interface to be a designated port (forwarding state). The other port in the collision domain will be non-designated (blocking). Designated port selection :

    1. Interface on switch with lowest root cost

    2. Interface on switch with lowest bridge ID
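The three steps above are a deterministic procedure, so they can be run as code against a topology. The following is an added example, not part of the course notes: it elects the root bridge, picks each switch's root port with the three tie-breakers, assigns one designated port per link, and then verifies that the ports left forwarding form a loop-free spanning tree. The four-switch topology is constructed (modelled loosely on the exercise: SW2 has a lowered priority, all links are Gigabit, and there are two parallel links between SW1 and SW3 to exercise the port ID tie-breaker); bridge IDs are compared as (priority, MAC) tuples and port IDs as (priority, port number), with g0/0 assumed to be port 1, g0/1 port 2 and so on.

```python
# Added example (not from the notes): compute STP port roles for a small
# topology using the three selection steps (root bridge, root ports,
# designated ports), then check that the forwarding ports form a loop-free
# tree. Topology, MACs and priorities are constructed.

STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # classic 802.1D cost by speed in Mbps
PORT_PRIORITY = 128                                  # default spanning-tree port priority


def port_id(iface):
    """Port ID = port priority + port number; g0/0 is port 1, g0/1 is port 2, ..."""
    return (PORT_PRIORITY, int(iface.split("/")[-1]) + 1)


def compute_stp(switches, links):
    """switches: {name: (priority, mac)}, links: [(swA, portA, swB, portB, speed_mbps)].
    Returns (root, root_cost, roles); roles maps (switch, port) to
    'root', 'designated' or 'blocking' (the non-designated state)."""
    bid = {n: (prio, int(mac.replace(".", ""), 16)) for n, (prio, mac) in switches.items()}
    ports = {n: {} for n in switches}          # switch -> port -> (neighbor, neighbor port, cost)
    for a, pa, b, pb, speed in links:
        ports[a][pa] = (b, pb, STP_COST[speed])
        ports[b][pb] = (a, pa, STP_COST[speed])

    # Step 1: the lowest bridge ID is the root bridge.
    root = min(bid, key=bid.get)

    # Step 2a: root cost = sum of the local port costs along the path to the root.
    # Relax costs outward from the root until they stop changing (Bellman-Ford).
    root_cost = {n: float("inf") for n in switches}
    root_cost[root] = 0
    for _ in range(len(switches)):
        for sw in switches:
            if sw != root:
                root_cost[sw] = min(root_cost[nbr] + cost for nbr, _, cost in ports[sw].values())

    # Step 2b: each non-root switch picks one root port using the tie-breakers
    # lowest root cost, lowest neighbor bridge ID, lowest neighbor port ID.
    roles = {}
    for sw in switches:
        if sw == root:
            continue
        def preference(port, sw=sw):
            nbr, nbr_port, cost = ports[sw][port]
            return (root_cost[nbr] + cost, bid[nbr], port_id(nbr_port))
        roles[(sw, min(ports[sw], key=preference))] = "root"

    # Step 3: one designated port per link. The port facing a root port is
    # always designated; otherwise the switch with the lower root cost, then
    # the lower bridge ID, wins and the other end is non-designated (blocking).
    for a, pa, b, pb, _ in links:
        if roles.get((a, pa)) == "root":
            roles[(b, pb)] = "designated"
        elif roles.get((b, pb)) == "root":
            roles[(a, pa)] = "designated"
        elif (root_cost[a], bid[a]) < (root_cost[b], bid[b]):
            roles[(a, pa)], roles[(b, pb)] = "designated", "blocking"
        else:
            roles[(a, pa)], roles[(b, pb)] = "blocking", "designated"
    return root, root_cost, roles


def is_loop_free(switches, links, roles):
    """The active topology (links with no blocking end) must be a spanning tree:
    exactly N-1 links and every switch reachable from any other."""
    active = [(a, b) for a, pa, b, pb, _ in links
              if "blocking" not in (roles[(a, pa)], roles[(b, pb)])]
    if len(active) != len(switches) - 1:
        return False
    adj = {n: [] for n in switches}
    for a, b in active:
        adj[a].append(b)
        adj[b].append(a)
    seen, todo = set(), [next(iter(switches))]
    while todo:
        sw = todo.pop()
        if sw not in seen:
            seen.add(sw)
            todo.extend(adj[sw])
    return len(seen) == len(switches)


# Constructed topology: SW2 has a lowered priority (28672 + VLAN 1), all links
# are gigabit, and SW1-SW3 has two parallel links for the port ID tie-breaker.
SWITCHES = {
    "SW1": (32769, "0000.0000.0001"),
    "SW2": (28673, "0000.0000.0002"),
    "SW3": (32769, "0000.0000.0003"),
    "SW4": (32769, "0000.0000.0004"),
}
LINKS = [
    ("SW2", "g0/0", "SW1", "g0/0", 1000),
    ("SW2", "g0/1", "SW4", "g0/1", 1000),
    ("SW1", "g0/1", "SW3", "g0/2", 1000),
    ("SW1", "g0/2", "SW3", "g0/0", 1000),
    ("SW4", "g0/0", "SW3", "g0/1", 1000),
]

if __name__ == "__main__":
    root, cost, roles = compute_stp(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role} (root cost {cost[sw]})")
    print("loop-free:", is_loop_free(SWITCHES, LINKS, roles))
```

On this topology SW2 is the root, SW1 and SW4 reach it at cost 4, and SW3 has three candidate ports all at cost 8: the neighbor bridge ID rule prefers SW1 over SW4, and the neighbor port ID rule then picks g0/2 (facing SW1's g0/1, port ID 128.2) over g0/0 (facing SW1's g0/2, port ID 128.3). SW3's other two ports end up blocking, leaving exactly three forwarding links for four switches, which `is_loop_free` confirms is a tree; the same check fails if every port is left forwarding.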

Quiz

  • Make sure there is one designated port for each connection, each collision domain.

  • Make sure there is one root port on each switch in the network, except on the root bridge

  • In the above topology, the interfaces on SW2 are non-designated because they have a higher root cost.

  • Fast Ethernet (19) has a higher spanning tree cost than Gigabit Ethernet (4).

  • SW1's f1/0 and f2/0 are non-designated because SW2 has a lower root cost.

Lab

SW3# show spanning-tree

SW3# show spanning-tree vlan 1

  • At the top, it shows the VLAN number. If there were multiple VLANs on these switches, you would see all of this information listed separately for each VLAN.

  • You can filter the output to show a single VLAN.

  • 'spanning tree enabled protocol ieee' in the output, means we are using the 'classic' spanning tree.

  • 'Root ID' lists information about this spanning tree's root bridge.

  • 'Bridge ID' lists this switch's own bridge ID (here, SW3 is the root bridge, so the two are the same).

  • Under these, each interface participating in the spanning tree is listed. You can see the role, status, cost, port ID, etc. (in roles, 'alternate' will be used in place of 'non-designated').

SW3# show spanning-tree detail

  • Shows the detailed explanation of all ports.

  • You can check the root cost of all ports here (the cost displayed in the previous command is just the interface cost).

SW3# show spanning-tree summary

  • This lists each VLAN, and shows how many interfaces are in each STP state.
