Presentation on theme: "Part 2: Preventing Loops in the Network Spanning Tree Protocol."— Presentation transcript:
Part 2: Preventing Loops in the Network Spanning Tree Protocol
Chapter 3 - Implementing Spanning Tree Objectives Summarise how 802.1D STP works to eliminate Layer 2 loops in a converged network. Explain the enhancements that can be used to optimise and protect STP. Describe the operation of per-VLAN STP Describe the operation of 802.1w Rapid STP.
Switching Loops The addition of redundant paths creates switching loops, leading to the following problems: Multiple Frame Transmission MAC Database Instability Broadcast Storms Fa0/1 Fa0/2
Spanning Tree Protocol 802.1d (STP) The solution is to allow physical loops, but create a loop free logical topology called a tree. It is a spanning-tree because all devices in the network are reachable or spanned. The algorithm used to create this loop free logical topology is the spanning-tree algorithm. STP exchanges information called Bridge Protocol Data Units (BPDUs). A new algorithm called the rapid spanning-tree algorithm was developed to reduce the time for a network to compute a loop free logical topology.
A bridge uses a four-step decision sequence to save a copy of the "best" BPDU seen on every port: 1. Lowest root Bridge ID (BID) 2. Lowest path cost to root bridge 3. Lowest sender bridge ID 4. Lowest sender port ID When making this evaluation, it considers all the BPDUs received on the port as well as the BPDU that would be sent on that port. As every BPDU arrives, it is checked to see if it is more attractive (that is, lower in value) than the existing BPDU saved for that port. If the new BPDU (or the locally generated BPDU) is more attractive, the old value is replaced. Bridge Protocol Data Unit
802.1D Bridge Protocol Data Unit By default BPDUs are sent every two seconds. The BID consists of a bridge priority that defaults to 32768 (0x8000) and the switch MAC address. The BID uses one of the MAC addresses from a pool of MAC addresses that are assigned to the switch backplane. Bridge Priority MAC Address 2 Bytes6 Bytes BID
BPDUs contain information that allow switches to perform specific actions: Select a single switch that will act as the root of the spanning-tree. Calculate the shortest path from itself to the root switch. Designate one of the switches as the closest one to the root, for each LAN segment. This switch is called the designated switch. The designated switch handles all communication from that LAN segment towards the root bridge. Each non-root switch chooses one of its ports as its root port - the interface that gives the best path to the root switch. Non-designated ports are blocked. Bridge Protocol Data Unit Root Switch Des Root Port Block
Upon completion of the root bridge election process, the switches continue to forward the root BPDU frames advertising the root ID of the root bridge every 2 seconds. Each switch is configured with a max age timer that determines how long a switch retains the current BPDU configuration in the event it stops receiving updates from its neighboring switches. By default, the max age timer is set to 20 seconds. Therefore, if a switch fails to receive 10 consecutive BPDU frames from one of its neighbors, the switch assumes that a logical path in the spanning tree has failed and that the BPDU information is no longer valid. This triggers another spanning-tree root bridge election. Step 1 - Root Bridge Election Process
Step 2 - Root Port Election Process MAC=1111.1111.1111 Priority = 32768 MAC=3333.3333.3333 Priority = 32768 MAC=2222.2222.2222 Priority = 32768 MAC=4444.4444.4444 Priority = 32768 Cost = 19 Fa0/1 Fa0/2 Fa0/1 Fa0/2 S3S1 - Root Root Port Root Port Root Port Shortest path is based on cumulative link costs. Link costs are based on the speed of the link 1.Lowest root Bridge ID (BID) 2.Lowest path cost to root bridge 3.Lowest sender bridge ID 4.Lowest port ID S2S4
Step 3 - Designated Port Election Process MAC=1111.1111.1111 Priority = 32768 MAC=3333.3333.3333 Priority = 32768 MAC=2222.2222.2222 Priority = 32768 MAC=4444.4444.4444 Priority = 32768 Cost = 19 Fa0/1 Fa0/2 Fa0/1 Fa0/2 S3S1 - Root Root Port Root Port Root Port Designated Port Designated Port Designated Port Designated Port Non-Designated Port (Blocking) 1.Lowest root Bridge ID (BID) 2.Lowest path cost to root bridge 3.Lowest sender bridge ID 4.Lowest port ID S2 S4
STP Port Roles The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge. The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non- root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment. The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port.
802.1d BPDU Timers Blocking (max age = 20 secs) Listening (forward delay = 15 secs) Learning (forward delay = 15 secs) Blocking (moves to listening after decides whether it is a root or designated port) Link comes up Forwarding Adjust spanning tree timers with care! Defaults are calculated based on a network diameter of 7 switches. Set the diameter on the root switch, and it will propagate new timers to the other switches via its BPDUs. S1(config)#spanning-tree vlan 10 root primary diameter 4
Fa0/8 S1 - Root S2 S3 Des Root Des Blk TCN BPDU ACK After a topology change, S3 sends a topology change notification (TCN) BPDU from its root port, and is forwards by subsequent switches, until the root switch is informed of the change. When the root bridge receives the TCN BPDU, it sends out a normal BPDU with the topology change flag set. This causes all switches to shorten their CAM table aging timers from the default to the forward delay interval. 802.1D Spanning Tree Protocol Topology Changes
When a switch port configured with PortFast is configured as an access port, it transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states. Fa0/8 S1 - Root S2 S3 Des Root Des Blk S3(config)#int fa0/8 S3(config-if)#spanning-tree portfast or S3(config)#spanning-tree portfast default Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc..to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION Portfast has been configured on FastEthernet0/8 but will only have effect when the interface is in non-trunking mode. 802.1D Spanning Tree Protocol Portfast
802.1D Spanning Tree Protocol BPDU Guard Fa0/8 S1 - Root S2 S3 Des Root Des Blk S3(config)#int fa0/8 S3(config-if)#spanning-tree bpduguard enable or S3(config)#spanning-tree portfast bpduguard default In a valid configuration, PortFast- configured interfaces should not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device The STP BPDU Guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the STP blocking state (the default behaviour).
Protecting Spanning Tree Protocol Root Guard Fa0/8 S1 - Root S2 S3 Des Root Blk S4(config-if)#spanning-tree guard root S4#sh spanning-tree inconsistentports The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network. As long as superior BPDUs are received by S2 or S3, the receiving port will be kept in the root-inconsistent state. This prevents the port sending or receiving data, but the switch can listen to BPDUs. Root Des Root Guard S4 Superior BPDU Des Root Guard Superior BPDU
Protecting Spanning Tree Protocol Loop Guard Fa0/8 S1 - Root S2 S3 Des Root Blk S4(config-if)#spanning-tree guard loop S4(conf)#spanning-tree loopguard default Root Des S4 Des Blk The Loop Guard feature keeps track of BPDU activity on non-designated (blocking) ports, and when BPDUs go missing, it moves the port into the loop-inconsistent state. The port is thus effectively blocking, preventing a loop from forming. Loop Guard can be configured globally, or on a specific port. Note that the corrective blocking action it performs is carried out on a per VLAN basis, not the entire port.
Protecting Spanning Tree Protocol BPDU Filter Fa0/8 S1 - Root S2 S3 Des Root Blk S3(config-if)#spanning-tree bpdufilter enable | disable S3(config)#spanning-tree portfast bpdufilter default To prevent a port from sending or receiving BPDUs, use the BPDUfilter command. This effectively de-activates STP, so there is a potential to create switching loops if care is not exercised! BPDU filtering can be enable either globally, or on a per-port basis – the operation of BPDUfilter is different, depending how it is activated Root Des S4 Des BPDU Filter