Spanning Tree Protocol (2)

Spanning tree runs by default, so you don't actually have to do any configuration, but you can change which switch becomes the root bridge etc., so you can make sure traffic follows the best path.

STP port states

Port state     Mode
Blocking       Stable
Listening      Transitional
Learning       Transitional
Forwarding     Stable
(Disabled)     (administratively shut down)

  • Root/designated ports remain stable in a forwarding state.

  • Non-designated ports remain stable in a blocking state.

They only remain stable as long as there are no changes in the network topology. If a new device is added, an interface is shutdown, or a hardware failure occurs somewhere, they may have to change states.

As long as the network is stable, each spanning tree interface will be stable.

  • Listening and Learning are transitional states which are passed through when an interface is activated, or when a Blocking port must transition to a Forwarding state due to a change in the network topology.

  • Disabled state refers to an interface that is administratively disabled, meaning shutdown.

Blocking state

  • Non-designated ports are in a blocking state.

  • Interfaces in a blocking state are effectively disabled to prevent loops. This is what makes spanning tree work, disabling redundant interfaces to avoid loops.

  • Interfaces in a blocking state do not send/receive regular traffic. Any regular traffic that arrives on an interface in a blocking state will simply be dropped.

  • Interfaces in a blocking state do receive STP BPDUs. They need to receive and process BPDUs to be aware of the spanning tree topology, and be ready to transition toward a forwarding state if they need to.

  • Interfaces in a blocking state do not forward STP BPDUs.

  • Interfaces in a blocking state do not learn MAC addresses. If regular traffic arrives on the interface it is dropped without adding the MAC address to the table.

Listening state

  • After the blocking state, interfaces with the designated or root role enter the listening state.

  • Only the designated or root ports enter the listening state (non-designated ports are always blocking).

  • That's because listening is a transitional state that eventually leads to the forwarding state, so there is no need for a non-designated port to enter this state.

  • Listening state is 15 seconds by default. This is determined by the forward delay timer.

  • An interface in the listening state only forwards/receives STP BPDUs and does not send/receive regular traffic.

  • If a regular unicast frame is received on a port in the listening state, it will be discarded.

  • An interface in the listening state does not learn MAC addresses from regular traffic.

(When a frame arrives on a switch interface, the switch uses the source MAC addr field to learn that MAC addr and it updates the MAC addr table with the MAC addr, interface and VLAN info. If an interface is in the spanning tree listening state, it will not do this. The traffic is simply dropped).

Learning state

  • After the listening state, a designated or root port will enter the learning state.

  • The learning state is 15 seconds long by default. This is determined by the forward delay timer, as in listening state.

  • It takes a total of 30 seconds to move through both states and enter a forwarding state.

  • An interface in the learning state only sends/receives STP BPDUs and does not send/receive regular traffic.

  • An interface in the learning state learns MAC addresses from regular traffic that arrives on the interface.

So the interface in the learning state is preparing to forward traffic by building up some of its MAC address table beforehand.

Forwarding state

  • Root and designated ports are in a forwarding state.

  • A port in the forwarding state acts as normal (sends/receives BPDUs and normal traffic).

  • A port in the forwarding state learns MAC addresses from the frames that arrive on it, and adds them to the MAC address table.

STP timers

Timer           Duration             Purpose
Hello           2 sec                How often the root bridge sends Hello BPDUs
Forward delay   15 sec               How long a port stays in each of the listening and learning states (15 sec each)
Max age         20 sec (10x hello)   How long an interface waits after it stops receiving Hello BPDUs before changing the STP topology

Hello timer

  • Once the topology has converged, switches other than the root bridge do not originate their own BPDUs; they forward the root bridge's BPDUs (updating fields such as root cost and the sending bridge/port ID as they go).

  • The switches will only forward BPDUs on their DESIGNATED PORTs.

  • Assuming these switches all come online at the same time, each assumes they are the root bridge, and each will send BPDUs out of all interfaces.

  • However, once the network has converged and all switches and ports are stabilized in their roles, only the root bridge sends BPDUs.

  • Then, the other switches will forward these BPDUs on their designated ports, updating information like the bridge root cost, sending bridge ID, sending port ID, etc.

  • Then, two seconds later, the root bridge will send BPDUs again, and the other switches will again forward these BPDUs on their designated ports.

(Switches do not forward the BPDUs out of their root ports and non-designated ports).

Forward delay timer

  • This is the length of the Listening and Learning transitional states that a port goes through when it moves to forwarding.

  • So, with the default timer of 15 seconds, it takes a total of 30 seconds for the switchport to move through both states and forward traffic.

Max age timer

  • This timer indicates how long an interface will wait to change the spanning tree topology after ceasing to receive BPDUs.

  • Each collision domain (segment) has one designated port, and BPDUs are sent out of designated ports.

  • So, all root ports and non-designated ports expect to receive BPDUs.

  • The root bridge, SW3, sends BPDUs, and then SW1 and SW4 forward them out of their designated ports.

  • Take SW2’s G0/1 interface. It just received a BPDU, so the max age timer is reset to 20.

  • It counts down (19, 18) and then the root bridge sends BPDUs again, because of the 2 second hello timer.

  • They are forwarded by the SW1 and SW4, and SW2 resets its max age timer to 20.

  • If a failure occurs on SW1's G0/0 interface, SW2 no longer receives a BPDU on its G0/1 interface.

  • The max age timer continues counting down and if the failure doesn’t recover and SW2 doesn’t receive any more BPDUs on its G0/1 interface, its max age timer will count all the way down to 0.

Summary :

  • If another BPDU is received before the max age timer counts down to 0, the time will reset to 20 seconds and no changes will occur.

  • If another BPDU is not received, the max age timer counts down to 0 and the switch will re-evaluate its STP choices, including root bridge, local root, designated, and non-designated ports.

  • If a non-designated port is selected to become a designated or root port, it will transition from the blocking state to the listening state (15 sec), learning state (15 sec), and then finally the forwarding state.

It can take a total of 50 seconds (20 sec max age + 15 sec listening + 15 sec learning) for a blocking interface to transition to forwarding.

  • These timers and transitional states are to make sure that loops aren’t accidentally created by an interface moving to forwarding state too soon.

  • A forwarding interface can move directly to a blocking state, because there is no worry about creating a loop by blocking an interface.
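To make the timer rules above concrete, here is a small model of one classic STP port, written as an added example for this page (it is not code from the notes or from Cisco). It applies the rules stated above: forward delay of 15 s per transitional state, max age of 20 s, a hello every 2 s, a received BPDU's message age subtracted from max age, and forwarding to blocking being immediate. The simplification that an expiring max age timer always promotes this particular port to root/designated (instead of re-running the whole election) is an assumption of the model.

```python
"""Model of a classic (802.1D) STP port's states and timers (added example)."""
from dataclasses import dataclass, field

BLOCKING, LISTENING, LEARNING, FORWARDING = "blocking", "listening", "learning", "forwarding"

# Per-state behaviour from the notes: (forwards data frames, learns source MACs).
# BPDUs are received in every state and sent in every state except blocking.
STATE_BEHAVIOUR = {
    BLOCKING:   (False, False),
    LISTENING:  (False, False),
    LEARNING:   (False, True),
    FORWARDING: (True,  True),
}


@dataclass
class StpPort:
    forward_delay: int = 15
    max_age: int = 20
    state: str = BLOCKING
    max_age_left: int = field(init=False, default=0)  # seconds until the last BPDU is stale
    state_left: int = field(init=False, default=0)    # seconds left in listening/learning
    mac_table: set = field(default_factory=set)

    def __post_init__(self) -> None:
        self.max_age_left = self.max_age

    def receive_bpdu(self, message_age: int = 0) -> None:
        # A fresh BPDU resets max age, minus the seconds the BPDU has already
        # aged on its way from the root (the message age field).
        self.max_age_left = self.max_age - message_age

    def receive_data_frame(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded; learn its source MAC only in
        the states that do so. Blocking/listening ports silently drop it."""
        forwards, learns = STATE_BEHAVIOUR[self.state]
        if learns:
            self.mac_table.add(src_mac)
        return forwards

    def tick(self, seconds: int = 1) -> str:
        """Advance the timers in one-second steps and return the resulting state."""
        for _ in range(seconds):
            if self.state == BLOCKING:
                self.max_age_left -= 1
                if self.max_age_left <= 0:
                    # Max age expired: the topology is re-evaluated and (model
                    # assumption) this port is promoted, so listening starts.
                    self.state, self.state_left = LISTENING, self.forward_delay
            elif self.state in (LISTENING, LEARNING):
                self.state_left -= 1
                if self.state_left <= 0:
                    if self.state == LISTENING:
                        self.state, self.state_left = LEARNING, self.forward_delay
                    else:
                        self.state = FORWARDING
            # A forwarding port runs no transition timer here; see block().
        return self.state

    def block(self) -> None:
        """Forwarding -> blocking is immediate: blocking a port cannot create a loop."""
        self.state = BLOCKING
        self.max_age_left = self.max_age


def seconds_until_forwarding(hello_every=None, message_age: int = 0, limit: int = 120):
    """Simulate a blocking port whose upstream link fails at t=0.

    hello_every: if set, BPDUs keep arriving every that many seconds (no failure).
    message_age: message age carried by the BPDUs this port receives.
    Returns the second at which the port reaches forwarding, or None if it
    stays blocking for the whole simulation.
    """
    port = StpPort()
    port.receive_bpdu(message_age)                 # last BPDU before the failure
    for t in range(1, limit + 1):
        if hello_every and t % hello_every == 0:   # upstream still alive
            port.receive_bpdu(message_age)
        if port.tick() == FORWARDING:
            return t
    return None


if __name__ == "__main__":
    print("failure, message age 0:", seconds_until_forwarding())              # 50
    print("failure, message age 5:", seconds_until_forwarding(message_age=5))  # 45
    print("hello every 2 s, no failure:", seconds_until_forwarding(hello_every=2))  # None
```

Running it reproduces the figures in the notes: 50 seconds with a message age of 0, 45 seconds once five hops of message age are subtracted, and no transition at all while hellos keep arriving every 2 seconds.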

STP BPDU

  • In the destination under Ethernet header section, it shows Cisco’s PVST+ uses the destination MAC address of 0100.0ccc.cccd for its BPDUs.

    • PVST (older version), only supports Cisco’s ISL for trunk encapsulation. PVST+ (newer version) supports dot1q.

    • Regular spanning tree uses a destination MAC address of 0180.c200.0000.

  • STP BPDU

    • Protocol identifier : 0x0000 (spanning tree)

    • Protocol version identifier : 0 (classic spanning tree)

    • BPDU type : 0x00

  • BPDU flags

    • Used to signal topology changes to other switches.

  • Root identifier

    • Bridge priority

    • Extended system ID (VLAN ID)

    • Bridge system ID

  • Root path cost

    • 0, if this switch is the root bridge.

  • Bridge identifier

    • This is the root bridge if the information here is the same as in the root identifier field.

  • Port identifier

  • Timers

    • Message age : 0

      • It starts at 0 at the root bridge and is increased by 1 (one second) each time another switch forwards it.

      • When a switch receives the BPDU, it subtracts the message age from its max age, so an aged BPDU expires sooner.

      • For example, if a BPDU has passed through 5 switches, the 6th switch resets its max age timer to 15 rather than 20 each time one of these BPDUs arrives, even though its configured max age is 20.

    • Max age

    • Hello Time

    • Forward Delay

    (STP timers on the root bridge determine the STP timers for the rest of the switches in the network, even if they are configured differently)
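The BPDU fields listed above can be decoded directly from a captured frame. The decoder below is an added example written for this page (not code from the notes or from Cisco); it recognises both framings mentioned in the notes, IEEE STP (destination 01:80:c2:00:00:00, LLC DSAP/SSAP 0x42) and Cisco PVST+ (destination 01:00:0c:cc:cc:cd, SNAP with Cisco OUI 00:00:0c and PID 0x010b), splits the 8-byte bridge IDs into priority, extended system ID and MAC, converts the timers from their 1/256-second wire units, and derives the effective max age from the message age. The sample frames are constructed in the block; the bridge MAC 00:11:22:33:c3:44, the rogue MAC and port number 1 are made-up values.

```python
"""Decode 802.1D configuration BPDUs from raw Ethernet frames (added example)."""
import struct

IEEE_STP_DST = bytes.fromhex("0180c2000000")
PVST_DST = bytes.fromhex("01000ccccccd")
LLC_IEEE = bytes.fromhex("424203")            # DSAP 0x42, SSAP 0x42, UI control
LLC_SNAP = bytes.fromhex("aaaa03")
PVST_SNAP = bytes.fromhex("00000c010b")       # OUI 00:00:0c (Cisco), PID 0x010b (PVST+)

# Configuration BPDU body (35 bytes), all big-endian:
# proto(2) version(1) type(1) flags(1) root ID(8) root path cost(4)
# bridge ID(8) port ID(2) message age(2) max age(2) hello(2) forward delay(2)
BPDU_FMT = ">HBBBQIQHHHHH"
CONFIG_BPDU, TCN_BPDU = 0x00, 0x80


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def split_bridge_id(raw: int) -> tuple:
    """8-byte bridge ID -> (priority, extended system ID, MAC).
    The top 16 bits hold the priority in the upper 4 bits (multiples of 4096)
    and the extended system ID (the VLAN in PVST+) in the lower 12 bits."""
    top16 = raw >> 48
    mac = (raw & 0xFFFFFFFFFFFF).to_bytes(6, "big")
    return top16 & 0xF000, top16 & 0x0FFF, mac_str(mac)


def parse_bpdu_frame(frame: bytes) -> dict:
    dst, src, llc = frame[:6], frame[6:12], frame[14:17]
    if dst == PVST_DST and llc == LLC_SNAP and frame[17:22] == PVST_SNAP:
        flavour, body = "pvst+", frame[22:]
    elif dst == IEEE_STP_DST and llc == LLC_IEEE:
        flavour, body = "ieee", frame[17:]
    else:
        raise ValueError("not an STP BPDU frame")
    proto, version, bpdu_type = struct.unpack(">HBB", body[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    if bpdu_type == TCN_BPDU:                 # a TCN BPDU carries no further fields
        return {"flavour": flavour, "src": mac_str(src), "type": "tcn"}
    if bpdu_type != CONFIG_BPDU or len(body) < struct.calcsize(BPDU_FMT):
        raise ValueError("unsupported or truncated BPDU")
    (_, _, _, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, body[:35])
    return {
        "flavour": flavour, "src": mac_str(src), "type": "config",
        "version": version, "flags": flags,
        "root": split_bridge_id(root_id), "root_cost": root_cost,
        "bridge": split_bridge_id(bridge_id),
        "is_root": root_id == bridge_id and root_cost == 0,
        # 802.1D-1998 port ID layout: 8-bit priority, 8-bit port number
        "port_priority": port_id >> 8, "port_number": port_id & 0xFF,
        # timers are carried in units of 1/256 s
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello": hello / 256, "forward_delay": fwd_delay / 256,
        # what a receiving switch will actually reset its max age timer to
        "effective_max_age": (max_age - msg_age) / 256,
    }


def is_superior(candidate: tuple, current: tuple) -> bool:
    """True if a BPDU's root (priority, ext sys ID, MAC) beats the current root:
    lower priority+ext-sys-ID field first, then lower MAC. This is the
    comparison that root guard reacts to."""
    key = lambda r: (r[0] | r[1], int(r[2].replace(":", ""), 16))
    return key(candidate) < key(current)


def build_pvst_frame(priority: int, vlan: int, mac: bytes, msg_age_s: int = 0) -> bytes:
    """Construct a root bridge's PVST+ config BPDU (sample data for this example)."""
    bridge_id = ((priority | vlan) << 48) | int.from_bytes(mac, "big")
    body = struct.pack(BPDU_FMT, 0, 0, CONFIG_BPDU, 0, bridge_id, 0, bridge_id,
                       0x8001, msg_age_s * 256, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_SNAP + PVST_SNAP + body
    return PVST_DST + mac + struct.pack(">H", len(payload)) + payload


# Constructed sample: a root bridge for VLAN 1 after 'root primary' (priority 24576)
SW3_MAC = bytes.fromhex("00112233c344")
SAMPLE_FRAME = build_pvst_frame(24576, 1, SW3_MAC)
# Constructed rogue: a switch claiming to be root with priority 0
ROGUE_FRAME = build_pvst_frame(0, 1, bytes.fromhex("00deadbeef01"))

if __name__ == "__main__":
    legit = parse_bpdu_frame(SAMPLE_FRAME)
    rogue = parse_bpdu_frame(ROGUE_FRAME)
    print(legit)
    print("rogue BPDU is superior:", is_superior(rogue["root"], legit["root"]))
```

The same parser is what a BPDU guard or root guard check needs as input: any config BPDU seen on a Portfast port is grounds to err-disable it, and `is_superior` against the known root ID is the test root guard applies.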

STP toolkit

(Optional features that can be enabled to improve the functionality of STP)

Portfast

  • It can be enabled on interfaces which are connected to end hosts. These are designated ports, in a forwarding state.

  • However, when they are first turned on or first connected to the PCs, it takes 30 seconds (listening and learning) before they can start forwarding traffic.

  • Only interfaces connected to another switch can form a Layer 2 loop. There is no risk of forming a loop with an end host.

Portfast allows a port to move immediately to the Forwarding state, bypassing Listening and Learning.

  • If used, it must be enabled only on ports connected to end hosts. If enabled on a port connected to another switch it could cause a Layer 2 loop.

Port fast configuration

SW1(config-if)# spanning-tree portfast

  • Portfast is enabled at the interface level.

  • We get a warning that you should only enable portfast on ports connected to an end host.

  • There is also a message saying that, even though portfast was configured, it will only take effect if the interface is in a non-trunking mode, so if it is an access port (because trunk ports are typically connected to other switches).

  • You can still configure portfast on a trunk port, it just won’t take effect.

SW1(config)# spanning-tree portfast default

  • This enables portfast on all access ports, but not trunk ports.

Port fast risk

  • If an employee plugs another switch in place of PCs into the network between SW2 and SW3, a Layer 2 loop is formed, because portfast is putting these interfaces into a forwarding state.

  • Portfast can also cause loops if the network cabling is changed without proper caution, perhaps a host is moved to a different switchport and a switch is connected to its old port.

BPDU Guard

  • This solves the Portfast risk if you enable BPDU guard on Portfast enabled interfaces.

  • If an interface with BPDU Guard enabled receives a BPDU from another switch, the interface will be shut down to prevent a loop from forming.

  • To re-enable a port that BPDU guard has err-disabled, simply 'shutdown' and then 'no shutdown' it (or let 'errdisable recovery cause bpduguard' bring it back automatically).

  • However, if you didn’t actually solve the problem and it's still connected to a switch, the interface will immediately be disabled again when the next BPDU arrives.

BPDU guard configuration

From interface config mode,

  • SW1(config-if)# spanning-tree bpduguard enable

To enable on all Portfast-enabled interfaces, on global config mode,

  • SW1(config)# spanning-tree portfast bpduguard default

Others

Root guard

  • If you enable root guard on an interface and a superior BPDU (one advertising a lower bridge ID) arrives on it, the switch will not accept the new switch as the root bridge. Instead the interface is put into a root-inconsistent (blocking) state, and it recovers on its own once superior BPDUs stop arriving.

  • This helps maintain the spanning tree topology if someone plugs another switch into the network either with bad intent, or perhaps without knowing the impact of their action.

Loop guard

  • If you enable loop guard on an interface (a root or non-designated port) and it stops receiving BPDUs, it will not move to forwarding. Instead it is put into a loop-inconsistent (blocking) state until BPDUs are received again.

  • This prevents loops that can happen if an interface fails only in one direction, causing a ‘unidirectional link’ that can’t receive data, but is still able to forward it, or the opposite.

Extras

  • UplinkFast [[Rapid STP#^uplinkfast]]

  • Backbone Fast [[Rapid STP#^backbonefast]]

STP configurations

STP modes

SW1(config)# spanning-tree mode ?

  • mst : Multiple spanning tree mode

  • pvst : Per-VLAN spanning tree mode

  • rapid-pvst : Per-VLAN rapid spanning tree mode

Modern Cisco switches run Rapid PVST+ by default. If you want to try out classic spanning tree, use 'pvst'.

Primary root bridge

With these MAC addresses and default priority values, SW1 is the root bridge.

SW3(config)# spanning-tree vlan 1 root primary

  • You can also manually configure the root bridge by manipulating the bridge priority of a switch.

  • Check with 'show spanning-tree'.

  • This command sets the STP priority to 24576.

  • If another switch already has a priority lower than 24576, it sets this switch’s priority to 4096 less than the other switch’s priority.

  • So, it makes this switch have the lowest priority, making it the root bridge.

  • If you check the running-config, you can see that the command applied in this case is 'spanning-tree vlan 1 priority 24576'.

  • So, this command tells the switch to apply the spanning-tree priority command, either with the priority 24576, or with 4096 less than the current lowest priority.

Secondary root bridge

SW2(config)# spanning-tree vlan 1 root secondary

  • This will be next in line to become the root bridge if the current root bridge fails.

  • This command sets the spanning tree priority for this VLAN to 28672.

  • However, like the root primary command, the actual command that is applied is 'spanning-tree vlan 1 priority 28672'.

  • The spanning-tree root command is just a simple way to do it without remembering the different increments of 4096.

STP load-balancing

  • The interface between SW1 and SW2 is disabled because SW1 is blocking its G0/0 interface.

  • This topology is running Cisco’s PVST+, so actually this is just the topology for VLAN1.

  • Perhaps there is another VLAN, VLAN 2, in this topology.

  • For VLAN 2, it will look like default topology, because the root bridge settings we configured only apply to VLAN 1.

  • In VLAN 2, the connection between SW1 and SW2 won't be disabled, instead the connection between SW2 and SW3 will be disabled.

  • If you have multiple VLANs in your network, blocking the same interface in each VLAN is a waste of interface bandwidth. That connection will be doing nothing, just waiting for another connection to fail so it can start forwarding.

  • However, if you configure a different root bridge for different VLANs, different VLANs will disable different interfaces.

On SW1,

SW1(config)# spanning-tree vlan 10 root primary
SW1(config)# spanning-tree vlan 20 root secondary

On SW2,

SW2(config)# spanning-tree vlan 20 root primary
SW2(config)# spanning-tree vlan 10 root secondary

(In Cisco's PVST+ all configurations are done on a per-VLAN basis. )
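The root bridge election, the 'root primary' / 'root secondary' priority rule and the per-VLAN load-balancing configuration above can be worked through in code. The block below is an added example for both of those sections (it is not code from the notes or from Cisco IOS); the switch names and MAC addresses are made up. It compares bridge IDs the way the notes describe: the 16-bit priority + extended system ID (VLAN) field first, then the MAC address, lowest wins. Treating a neighbour already at exactly 24576 as "already lower" is this example's choice, since 24576 alone would not guarantee winning against a lower MAC.

```python
"""Root bridge election with per-VLAN 'root primary' / 'root secondary' (added example)."""
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576
ROOT_SECONDARY = 28672
STEP = 4096


def make_switch(mac: str) -> dict:
    """A switch: MAC as an integer plus a priority per VLAN (default if absent)."""
    return {"mac": int(mac.replace(".", ""), 16), "priority": {}}


def bridge_id(switch: dict, vlan: int) -> tuple:
    """Bridge ID as a comparable tuple: (priority | ext sys ID, MAC)."""
    prio = switch["priority"].get(vlan, DEFAULT_PRIORITY)
    return (prio | vlan, switch["mac"])


def elect_root(switches: dict, vlan: int) -> str:
    """Name of the switch with the lowest bridge ID in this VLAN."""
    return min(switches, key=lambda name: bridge_id(switches[name], vlan))


def root_primary(switches: dict, name: str, vlan: int) -> int:
    """Emulate 'spanning-tree vlan <vlan> root primary' as the notes describe it:
    use 24576, or, if another switch already has a priority at or below 24576,
    4096 less than the lowest priority currently in the VLAN."""
    lowest = min(sw["priority"].get(vlan, DEFAULT_PRIORITY)
                 for n, sw in switches.items() if n != name)
    prio = ROOT_PRIMARY if lowest > ROOT_PRIMARY else lowest - STEP
    if prio < 0:  # example's handling: priority cannot go below 0
        raise ValueError("cannot go below priority 0; set the priority manually")
    switches[name]["priority"][vlan] = prio
    return prio


def root_secondary(switches: dict, name: str, vlan: int) -> int:
    """'spanning-tree vlan <vlan> root secondary' always applies 28672."""
    switches[name]["priority"][vlan] = ROOT_SECONDARY
    return ROOT_SECONDARY


def build_topology() -> dict:
    # Constructed MACs, chosen so SW1 wins every VLAN with default priorities.
    return {"SW1": make_switch("0c2a.1f10.0001"),
            "SW2": make_switch("0c2a.1f10.0002"),
            "SW3": make_switch("0c2a.1f10.0003")}


if __name__ == "__main__":
    sw = build_topology()
    print("default root, VLAN 1:", elect_root(sw, 1))              # SW1 (lowest MAC)
    root_primary(sw, "SW3", 1); root_secondary(sw, "SW2", 1)
    print("after root primary on SW3:", elect_root(sw, 1))         # SW3
    print("root primary on SW1 now gives:", root_primary(sw, "SW1", 1))  # 20480
    # Per-VLAN load balancing: a different root per VLAN blocks different links
    root_primary(sw, "SW1", 10); root_secondary(sw, "SW2", 10)
    root_primary(sw, "SW2", 20); root_secondary(sw, "SW1", 20)
    print("VLAN 10:", elect_root(sw, 10), " VLAN 20:", elect_root(sw, 20))
    # A rogue switch advertising priority 0 wins the election unless root guard stops it
    sw["rogue"] = make_switch("0000.0000.0bad")
    sw["rogue"]["priority"][1] = 0
    print("with rogue switch:", elect_root(sw, 1))                  # rogue
```

The last step is the reason root guard exists: nothing in the election itself prevents a newly attached switch with priority 0 from taking over the topology for the VLAN.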

STP port settings

SW2(config-if)# spanning-tree vlan 1 ?

  • cost

  • port-priority

Both configured on a per-VLAN basis like the bridge priority.

Cost : The root cost (the sum of the port costs on the path to the root bridge) is used to select the root port. It is also the first criterion for designated ports: on each segment, the switch with the lowest root cost holds the designated port, with lower bridge ID and then lower port ID as tiebreakers.

Priority : It is the first half of the port ID, which is the final tiebreaker in determining the root port.

To change the result of the root port or designated port selection process, you can change either of these values.

  • SW2(config-if)# spanning-tree vlan 1 cost 200 (cost range : 1-200000000)

  • SW2(config-if)# spanning-tree vlan 1 port-priority 32 (priority range : 0-224 in increments of 32)

Quiz

For the PC to access the network more quickly via Switch,

  • enable Portfast on the switch port you connect the PC to.

  • reduce the STP forward delay timer (recommended to leave the timers at their default settings).
