BPDUs

BPDUs are transmitted every two seconds to the wellknown multicast MAC address 01-80-c2-00-00-00. We've actually got two different BPDU types:

  • Topology Change Notification (TCN) - a switch sends a TCN when there is a change in the network topology.
  • Configuration

Configuration BPDUs

  • Configuration BPDUs are used for the actual STP calculations. Once a root bridge is elected, only that root bridge will originate Configuration BPDUs; the non-root bridges will forward copies of that BPDU.
  • BPDUs also carry out the election to decide which switch will be the Root Bridge. The Root Bridge is the "boss" of the switching network - this is the switch that decides what the STP values and timers will be. Each switch will have a Bridge ID Priority value, more commonly referred to as a BID.
  • This BID is a combination of a default priority value and the switch's MAC address, with the priority value listed first. For example, if a Cisco switch has the default priority value of 32,768 and a MAC address of 11-22-33-44-55-66, the BID would be 32768:11-22-33-44-55-66. Therefore, if the switch priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election.

Topology Change Notifications (TCNs)

Configuration BPDUs are originated only by the root bridge, but a TCN BPDU will be generated by any switch in the network when one of two things happen:

  • A port goes into Forwarding mode
  • A port goes from Forwarding or Learning mode into Blocking mode

While the TCN BPDU is important, it doesn't give the other switches a lot of detail. The TCN doesn't say exactly what happened, just that something happened.

Portfastenabled ports cannot result in TCN generation, which makes perfect sense. The most common usage of Portfast is when a single PC is connected directly to the switch port, and since such a port going into Forwarding mode doesn't impact STP operation, there's no need to alert the entire network about it.

Process of choosing a Root Port

Here's the process of choosing a Root Port.

  • Choose the port with the lowest Root Path Cost to the root bridge. If there is a tie, go next.
  • Choose the port receiving the BPDU with the lowest Sender BID. If there is a tie, go next.
  • Choose the lowest sender Port ID. That is the tiebreaker.
How Root Path Costs Are Determined

The root bridge will transmit a BPDU with the Root Path Cost set to zero. When a neighboring switch receives this BDPU, that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost. Root Path Cost increments as BPDUs are received, not sent. That new root path cost value will be reflected in the BDPU that switch then sends out.

The default STP Path Costs are determined by the speed of the port. These path costs have changed from their original values, so you'll be shown both here.

Link Speed Cost (Revised IEEE Spec) Cost (Previous IEEE Spec)
10 Gbps 2 1
1 Gbps 4 1
100 Mbps 19 10
10 Mbps 100 100

STP port state

  • Disabled : it isn't generally thought of as an STP port state. Cisco does officially consider this to be an STP state. A disabled port is one that is administratively shut down. A disabled port obviously isn't forwarding frames, but it's not even officially taking place in STP. We will not see it into the STP table of a VLAN.
  • Blocking : once the port is opened, the port will go into blocking state. As the name implies, the port can't do much in this state - no frame forwarding, no frame receiving, and therefore no learning of MAC addresses. About the only thing this port can do is accept BPDUs from neighboring switches.
  • Listening : a port will then go from blocking mode into listening mode. Listening for BPDUs - and this port can now send BPDUs as well. The port still can't forward or receive data frames, and the MAC address table is not yet being updated.
  • Learning : When the port goes into learning mode, it's not yet forwarding frames, but the port is learning MAC addresses by adding them to the switch's MAC address table.
  • Forwarding : Finally, a port enters forwarding mode. This allows a port to forward and receive data frames, send and receive BPDUs, and place MAC addresses in its MAC table.

To see the STP mode of a given interface, use the show spanning-tree interface command.

SW1# show spanning-tree interface fa 0/6

Vlan               Role Sts Cost      Prio.Nbr Type

VLAN0001           Altn BLK 19        128.12   P2p
VLAN0020           Altn BLK 19        128.12   P2p
VLAN0100           Root FWD 4         128.12   P2p

Timers

That change must be configured on the root bridge! The root bridge will inform the nonroot switches of the change via BPDUs.

  • Hello Time defines how often the Root Bridge will originate Configuration BPDUs. By default, this is set to 2 seconds.
  • Forward Delay is the length of both the listening and learning STP stages, with a default value of 15 seconds.
  • Maximum Age, referred to by the switch as MaxAge, is the amount of time a switch will retain the superior BPDU's contents before discarding it. The default is 20 seconds.
SW1(config)# spanning-tree vlan 100 ?
forward-time  Set the forward delay for the spanning tree
hello-time    Set the hello interval for the spanning tree
max-age       Set the max age interval for the spanning tree

In the following example, some exchanges have been made on the root bridge but not on the switch. The switch will use the timers of the root bridge.

SW1#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0016.4791.0b80
             Cost        19
             Port        10 (FastEthernet0/10)
             Hello Time   5 sec  Max Age 30 sec  Forward Delay 20 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000b.5f71.3a00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type

Fa0/9            Altn BLK 19        128.9    P2p Peer(STP)
Fa0/10           Root FWD 19        128.10   P2p Peer(STP)

Change the priority of a switch

It is possible to specify to a switch to become root primary or secondary with a single command:

SW3(config)#spanning-tree vlan 20 root primary
SW1(config)#spanning-tree vlan 20 root secondary

You will not see that command in your configuration, it is replaced by the priority command. So that command permits to a switch to become primary for now but not for ever. For example, we set SW1 primary root with that command, then we set the priority of SW2 lower than the priority set automaticaly to SW1, SW1 will not stay root bridge, SW2 will become.

Ever wondered how the STP process decides what priority should be set when the spanning-tree vlan root command is used? After all, we're not configuring an exact priority with that command. Here's how the STP process handles this:

  • If the current root bridge's priority is greater than 24,576, the switch sets its priority to 24576 in order to become the root. You saw that in the previous example.
  • If the current root bridge's priority is less than 24,576, the switch subtracts 4096 from the root bridge's priority in order to become the root.

So the best way to fix the root bridge is to configure manually the priority:

SW1(config)#spanning vlan 20 priority 4096

Change the priority of a port

Lors de l'élection du designated port, il peut être utile de configurer manuellement la priorité d'un port.

SW1(config)# int fa 0/12
SW1(config-if)# spanning-tree vlan 15-20 port-priority 16

Vérification

SW1# show spanning vlan 15
...
Interface           Role Sts Cost         Prio.Nbr Type

Fa0/11              Desg FWD 19           128.11 P2p
Fa0/12              Desg FWD 19            16.12 P2p

Advanced STP Features

Portfast

Suitable only for switch ports connected directly to a single host, Portfast allows a port running STP to go directly from blocking to forwarding mode.

SW1(config)#int fa 0/3
SW1(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only
 have effect when the interface is in a non-trunking mode.

PVRST

Voici la différence des états STP et RSTP:

  • STP : disabled > blocking > listening > learning > forwarding
  • RSTP : discarding > learning > forwarding
Activer PVRST
SW1(config)#spanning-tree mode rapid-pvst
Vérification

Il est possible de regarder si la commande est bien passée:

SW1#sh spanning-tree summary
Switch is in rapid-pvst mode

Dans l'exemple suivant, on voit qu'on utilise le rstp mais les voisins en Fa0/9 et Fa0/10 utilise encore STP - message P2p Peer (STP). Sur le port Fa0/3, nous avons un PC configuré un spanning-tree porfast, nous avons donc un message Edge P2p.

SW1#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
...

Interface        Role Sts Cost      Prio.Nbr Type

Fa0/3            Desg FWD 19        128.3    Edge P2p
Fa0/9            Root FWD 19        128.9    P2p Peer(STP)
Fa0/10           Altn BLK 19        128.10   P2p Peer(STP)
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

Configurer MSTP

Instance, Domaine et Revision

Le domaine et le numéro de révision doit être identique sur tous les switchs du domaine.

SW1(config)# spanning-tree mst configuration
SW1(config-mst)# name building1
SW1(config-mst)# revision 1
SW1(config-mst)# instance 1 vlan 1, 11, 14
SW1(config-mst)# instance 2 vlan 12-13

Configurer les priorités par instance

SW1(config)# spanning-tree mst 1 priority 4096
SW1(config)# spanning-tree mst 2 priority 8192

Activer MSTP

SW1(config)# spanning-tree mode mst

Vérifier

Vérifier le mode de fonctionnement
SW1#sh spanning-tree summary
Switch is in mst mode
...
Vérifier les instances MST

La commande suivante permet de savoir quel vlan est dans quelle instance MST.

SW1#sh spanning-tree mst configuration
Name      [building1]
Revision  1
Instance  Vlans mapped

0         2-10,15-4094
1         1,11,14
2         12-13
Détails

La commande show spanning-tree ne fait plus voir une configuration pas vlan mais par instance MST. Nous voyons dans l'exemple suivant que les switchs connectés sur les interfaces Gi1/0/9 et Gi1/0/10 n'utilisent pas MSTP mais encore STP - message P2p Bound(STP).

SW1#sh spanning-tree

MST00
  Spanning tree enabled protocol mstp
  Root ID    Priority    8192
             Address     0016.478c.6d80
             Cost        0
             Port        5 (GigabitEthernet1/0/5)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
             Address     0016.4791.0b80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type

Gi1/0/1          Desg FWD 200000    128.1    P2p
Gi1/0/9          Desg FWD 20000     128.9    P2p Bound(STP)
Gi1/0/10         Desg FWD 20000     128.10   P2p Bound(STP)

Controles

Adresse MAC sur root bridge

La commande show spanning-tree indique qui est root bridge d'un vlan, on retrouve l'adresse mac de ce root.

SW1#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0016.4791.0b80
             Cost        19
             Port        9 (FastEthernet0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

On retrouve l'adresse MAC du root bridge avec un show version sur celui-ci

SW2#sh version
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
...
Base ethernet MAC Address       : 00:16:47:91:0B:80
...

Voir les ports bloqués

SW1#show spanning-tree blockedports

Name                 Blocked Interfaces List

VLAN0001             Fa0/10, Fa0/11, Fa0/12
VLAN0011             Fa0/10, Fa0/11, Fa0/12
VLAN0013             Fa0/9, Fa0/10, Fa0/12

Number of blocked ports (segments) in the system : 9

Voir le mode de spanning-tree utilisé et les options activés

La meilleur commande pour cela est sh spanning-tree summary. Dans l'exemple suivant nous voyons que nous utilisons pvst et que nous avons activé uplinkfast.

SW1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                      is enabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active

VLAN0001                     3         0        0          2          5
VLAN0011                     3         0        0          1          4
VLAN0013                     3         0        0          1          4
 
3 vlans                      9         0        0          4         13

Station update rate set to 150 packets/sec.

UplinkFast statistics

Number of transitions via uplinkFast (all VLANs)            : 4
Number of proxy multicast addresses transmitted (all VLANs) : 40

Il est aussi possible de voir le mode avec la commande suivante plus habituelle:

SW1#sh spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0016.4791.0b80
             Cost        19
             Port        9 (FastEthernet0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
 ...

STP Security

BPDU Guard

Cette commande est utilisé sur les ports configurés en portfast sur lesquelles aucun switch ne doit venir se connecter. Si un BPDU est reçu sur ce port, le port est automatiquement mise en shutdown (err-disabled).

SW1(config-if)# spanning-tree bpduguard enable

BPDU filtering

Le fonctionnement est différent si cette commande est configurée de façon globale ou sur une interface

Configuration Globale
SW1(config)# spanning-tree portfast bpdufilter default

Dans ce cas, BPDU filtering est activé sur tous les ports configurés en portfast. Si un message BPDU arrive sur le port, le port perd son statut portfast et fonctionne alors comme un port normal (envoie/réception de BPDU).

Configuration par Port
SW1(config-if)# spanning-tree bpdufilter enable

Dans ce cas, le port va ignorer tous les messages BPDU qui vont arriver sur lui et les dropper et n'envoie aucun message BPDU non plus.

BPDU Root Guard

Cette option permet d'éviter à n'importe quelle switch de devenir root bridge. Si un switch descend sa priorité, il peut devenir root bridge alors que nous le souhaitons pas. Ainsi, cette option utilisé sur les ports des switchs de distribution permet de bloquer les BPDU de switch souhaitant devenir root bridge, le port passe en root-inconsistent et plus aucun trafic ne peut passer.

UDLD

Loop Guard

Conclustion

STP

En cas de problème sur un lien, nous avons un temps de coupure d'environ 30 secondes.

STP + uplinkfast

En cas de problème sur un lien, nous avons un temps de coupure très faible.

RSTP

En cas de problème sur un lien, nous avons un temps de coupure très faible. Attention, si un port portfast est en half duplex, il y aura une coupure d'environ 6 secondes car le switch ne sait si c'est un lien P2P ou shared.

MSTP

En cas de problème sur un lien, nous avons un temps de coupure très faible.

Liens