Presentation on theme: "Part 2: Preventing Loops in the Network"— Presentation transcript:
1 Part 2: Preventing Loops in the Network - Spanning Tree Protocol
2 Chapter 3 - Implementing Spanning Tree

Objectives:
- Summarise how 802.1D STP works to eliminate Layer 2 loops in a converged network.
- Explain the enhancements that can be used to optimise and protect STP.
- Describe the operation of per-VLAN STP.
- Describe the operation of 802.1w Rapid STP.
3 Switching Loops

[Figure: two switches joined by redundant links on Fa0/1 and Fa0/2.]

The addition of redundant paths creates switching loops, leading to the following problems:
- Multiple frame transmission
- MAC database instability
- Broadcast storms

Networks with redundant paths and devices allow for more network uptime. Redundant topologies eliminate single points of failure. If a path or device fails, the redundant path or device can take over the tasks of the failed path or device.
4 Spanning Tree Protocol 802.1d (STP)

The solution is to allow physical loops, but create a loop-free logical topology called a tree. It is a spanning tree because all devices in the network are reachable, or spanned. The algorithm used to create this loop-free logical topology is the spanning-tree algorithm. STP exchanges information called Bridge Protocol Data Units (BPDUs). A new algorithm called the rapid spanning-tree algorithm was developed to reduce the time for a network to compute a loop-free logical topology.
5 STP Variants

Common Spanning Tree (CST) assumes one 802.1D spanning-tree instance for the entire bridged network, regardless of the number of VLANs. Because there is only one instance, the CPU and memory requirements for this version are lower than the others. However, because there is only one instance, there is only one root bridge and one tree. This means that traffic for all VLANs flows over the same path, which can lead to suboptimal traffic flows. Also, the network is slow in converging after topology changes due to inherent 802.1D timing mechanisms.

Per VLAN Spanning Tree Plus (PVST+) is a Cisco enhancement of STP that provides a separate 802.1D spanning-tree instance for each VLAN configured in the network. The separate instance supports enhancements such as PortFast, BPDU guard, BPDU filter, root guard, and loop guard. Creating an instance for each VLAN increases the CPU and memory requirements but allows for per-VLAN root bridges. This allows the STP tree to be optimised for the traffic of each VLAN. Convergence of this version is similar to 802.1D; however, convergence is per VLAN.

Rapid STP (RSTP), or IEEE 802.1w, is an evolution of STP that provides faster convergence. This version addresses many of the convergence issues, but because it still has a single instance of STP, it does not address the suboptimal traffic flow issues. To support the faster convergence, the CPU usage and memory requirements of this version are slightly more than CST but less than PVRST+.

Multiple Spanning Tree (MST) is an IEEE standard inspired by the earlier Cisco proprietary Multi-Instance Spanning Tree Protocol (MISTP) implementation. To reduce the number of required STP instances, MST maps multiple VLANs that have the same traffic flow requirements into the same spanning-tree instance. The Cisco implementation provides up to 16 instances of RSTP (802.1w) and combines many VLANs with the same physical and logical topology into a common RSTP instance. Each instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard. The CPU and memory requirements of this version are less than PVRST+ but more than RSTP.

PVRST+ is a Cisco enhancement of RSTP that is similar to PVST+. It provides a separate instance of 802.1w per VLAN. The separate instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard. This version addresses both the convergence issues and the suboptimal traffic flow issues; to do this, it has the largest CPU and memory requirements.
6 Bridge Protocol Data Unit

A bridge uses a four-step decision sequence to save a copy of the "best" BPDU seen on every port:
1. Lowest root bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID

When making this evaluation, it considers all the BPDUs received on the port as well as the BPDU that would be sent on that port. As every BPDU arrives, it is checked to see if it is more attractive (that is, lower in value) than the existing BPDU saved for that port. If the new BPDU (or the locally generated BPDU) is more attractive, the old value is replaced.
7 802.1D Bridge Protocol Data Unit

By default BPDUs are sent every two seconds. The BID consists of a bridge priority, which defaults to 0x8000, and the switch MAC address. The BID uses one of the MAC addresses from a pool assigned to the switch backplane; a Cisco Catalyst switch takes it from the pool assigned to the switch backplane or supervisor module. The default priority is 0x8000, but this can be changed as required: the lower it is, the more chance the switch has of becoming the root.

[Figure: BID = Bridge Priority (2 bytes) + MAC Address (6 bytes).]
8 Bridge Protocol Data Unit

BPDUs contain information that allows switches to perform specific actions:
- Select a single switch that will act as the root of the spanning tree.
- Calculate the shortest path from itself to the root switch.
- Designate one of the switches as the closest one to the root for each LAN segment. This switch is called the designated switch. The designated switch handles all communication from that LAN segment towards the root bridge.
- Each non-root switch chooses one of its ports as its root port: the interface that gives the best path to the root switch.
- Non-designated ports are blocked.

[Figure: the root switch with designated ports; a non-root switch with a root port, a designated port and a blocked port.]
9 Step 1 - Root Bridge Election Process

[Figure: four switches S1, S2, S3 and S4, each with priority 32768 and its own MAC address, connected in a ring via ports Fa0/1 and Fa0/2; every link has cost 19.]

All switches initially send their own inferior BPDUs, advertising themselves as the root with a path cost of 0. Once they receive a BPDU containing a lower BID, they add the cost of the interface on which it was received and send it out of all interfaces apart from the one on which it was received.

Example:
- Switch S3 receives a BPDU from S1. S1 has the lowest BID, so S3 sends the BPDU out of Fa0/2 after adding 19 to the cost.
- Switch S2 receives this BPDU and also acknowledges that S1 is the root. It adds another 19 to the cost (total 38) and sends it out of Fa0/1.
- Switch S4 receives this BPDU but does not recirculate it. It has received a BPDU from S1 at a cost of 19, so it knows that its shortest route to S1 is via Fa0/2. Therefore S4 sends a BPDU advertising S1 with a cost of 19 from Fa0/1, which circulates in the other direction.
10 Step 1 - Root Bridge Election Process

Upon completion of the root bridge election process, the switches continue to forward the root BPDU frames advertising the root ID of the root bridge every 2 seconds. Each switch is configured with a max age timer that determines how long a switch retains the current BPDU configuration in the event it stops receiving updates from its neighboring switches. By default, the max age timer is set to 20 seconds. Therefore, if a switch fails to receive 10 consecutive BPDU frames from one of its neighbors, the switch assumes that a logical path in the spanning tree has failed and that the BPDU information is no longer valid. This triggers another spanning-tree root bridge election.
11 Step 2 - Root Port Election Process

[Figure: S1 is the root; S3 Fa0/1, S4 Fa0/2 and S2 Fa0/2 are marked as root ports; all switches have priority 32768 and every link has cost 19. Decision sequence: lowest root BID, lowest path cost to root bridge, lowest sender BID, lowest port ID.]

When determining the root port on a switch, the switch compares the path costs on all switch ports participating in the spanning tree. The switch port with the lowest overall path cost to the root is automatically assigned the root port role because it is closest to the root bridge. In a network topology, all switches that are using spanning tree, except for the root bridge, have a single root port defined. Shortest path is based on cumulative link costs; link costs are based on the speed of the link.

From the root election, it is apparent that BPDUs from the root are now circulating in two directions around the network.
- Switch S1 is the root of the spanning tree, and will therefore not configure any of its ports as root.
- Switch S3 receives BPDUs from S1 at a cost of 0 on Fa0/1; therefore S3 Fa0/1 is the root port.
- Switch S4 receives BPDUs from S1 at a cost of 0 on Fa0/2; therefore S4 Fa0/2 is the root port.
- Switch S2 receives BPDUs of equal cost from S3 and S4, but the switch needs to determine which switch port is the root port. The switch examines the sender BID values from S3 and S4. Ports F0/1 and F0/2 on switch S2 have the same path cost value back to the root bridge. However, port F0/2 on switch S2 becomes the root port because it is receiving a lower sender BID from S3, which has a lower BID value than S4.

The port ID is appended to the port priority. For example, switch port F0/1 has a default port priority value of 128.1, where 128 is the configurable port priority value and .1 is the port ID. Switch port F0/2 has a port priority value of 128.2 by default.
12 Step 3 - Designated Port Election Process

[Figure: S1 is the root with both ports designated; S3 Fa0/2 and S4 Fa0/1 are designated ports; S2 Fa0/2 is the root port and S2 Fa0/1 the non-designated (blocking) port; every link has cost 19. Decision sequence: lowest root BID, lowest path cost to root bridge, lowest sender BID, lowest port ID.]

- Switch S1 is the root of the spanning tree, so it designates both of its ports as designated.
- Switch S3 sends BPDUs from Fa0/2 at cost 19 to S2. The BPDUs received from S2 are at cost 38. Therefore S3 Fa0/2 is the designated port for the link to S2.
- Switch S4 sends BPDUs from Fa0/1 at a cost of 19, and the BPDUs from S2 are received at a cost of 38. Therefore S4 Fa0/1 is the designated port for the link to S2.
- Switch S2 already has Fa0/2 set as its root port. Its other port, Fa0/1, has a higher cost to get to the root than S4 Fa0/1, so it becomes the non-designated port.

Note: the switches on the LAN segment in question exchange BPDU frames, which contain the switch BID. Generally, the switch with the lower BID has its port configured as a designated port, while the switch with the higher BID has its port configured as a non-designated port. However, keep in mind that the first priority is the lowest path cost to the root bridge, and only if the port costs are equal is the BID of the sender considered.
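As an added worked example, not part of the original slides and not Cisco code, the following Python model runs the three election steps above on the four-switch ring from the figures. It assumes constructed MAC addresses (the slides do not show them), the default priority 32768 on every switch, port IDs 1 and 2 for Fa0/1 and Fa0/2, and a cost of 19 per link; the `Bpdu`, `Switch`, `connect`, `converge`, `build_ring` and `simulate` names are the example's own. Because the BPDU fields are declared in decision-sequence order, a plain `<` between two BPDUs is the four-step "lower is better" rule from slide 6, and the same comparison drives root, root-port and designated-port selection.

```python
from dataclasses import dataclass

# Added example (not from the slides or from Cisco): a small model of the 802.1D
# election on the four-switch ring used in Steps 1-3. The MAC addresses are
# constructed; the slides only show priority 32768 and link cost 19.


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in the order of the four-step decision
    sequence, so ordinary tuple comparison ('<' is better) implements it."""
    root_bid: tuple      # (bridge priority, MAC address)
    root_cost: int       # cumulative cost from the sender to the root
    sender_bid: tuple    # BID of the bridge that transmitted the BPDU
    sender_port: tuple   # (port priority, port id), e.g. (128, 1) for Fa0/1


class Switch:
    def __init__(self, name, mac, priority=0x8000):
        self.name, self.bid = name, (priority, mac)
        self.ports = {}      # port name -> (port id, link cost)
        self.links = {}      # port name -> (neighbour switch, neighbour port)
        self.received = {}   # port name -> last BPDU heard on that port
        self.roles = {}      # port name -> "root" | "designated" | "blocking"
        self.root_bid, self.root_cost, self.root_port = self.bid, 0, None

    def add_port(self, name, port_id, cost=19):    # 19 = 802.1D cost of a 100 Mb/s link
        self.ports[name] = (port_id, cost)

    def own_bpdu(self, port):
        """The BPDU this switch would transmit on `port` right now."""
        port_id, _ = self.ports[port]
        return Bpdu(self.root_bid, self.root_cost, self.bid, (128, port_id))

    def recompute(self):
        # Steps 1 and 2: the best BPDU heard, with the ingress link cost added,
        # decides who the root is and which port is the root port. The switch's
        # own "I am root, cost 0" BPDU competes with everything it has received.
        candidates = [(Bpdu(self.bid, 0, self.bid, (0, 0)), None)]
        for port, b in self.received.items():
            _, cost = self.ports[port]
            candidates.append((Bpdu(b.root_bid, b.root_cost + cost,
                                    b.sender_bid, b.sender_port), port))
        best, port = min(candidates, key=lambda c: c[0])
        self.root_bid, self.root_cost, self.root_port = best.root_bid, best.root_cost, port
        # Step 3: a port is designated when the BPDU we would send on it beats
        # the best BPDU heard on it; otherwise it is non-designated (blocking).
        for p in self.ports:
            if p == self.root_port:
                self.roles[p] = "root"
            elif p not in self.received or self.own_bpdu(p) < self.received[p]:
                self.roles[p] = "designated"
            else:
                self.roles[p] = "blocking"


def connect(a, pa, b, pb):
    a.links[pa], b.links[pb] = (b, pb), (a, pa)


def converge(switches, max_rounds=50):
    """Exchange BPDUs in lock-step rounds until no switch changes its mind.
    Only designated ports transmit, as in 802.1D; returns the round count."""
    for rnd in range(1, max_rounds + 1):
        before = [(s.root_bid, s.root_cost, dict(s.roles)) for s in switches]
        for s in switches:
            for port, (nbr, nport) in s.links.items():
                if s.roles.get(port, "designated") == "designated":
                    nbr.received[nport] = s.own_bpdu(port)
        for s in switches:
            s.recompute()
        if [(s.root_bid, s.root_cost, dict(s.roles)) for s in switches] == before:
            return rnd
    raise RuntimeError("spanning tree did not converge")


def build_ring(priorities=None):
    """S1-S3-S2-S4-S1 ring from the slides; constructed MACs give S1 the lowest BID."""
    macs = {"S1": "0000.0000.1111", "S2": "0000.0000.2222",
            "S3": "0000.0000.3333", "S4": "0000.0000.4444"}
    pri = {n: 0x8000 for n in macs}
    pri.update(priorities or {})
    sw = {n: Switch(n, macs[n], pri[n]) for n in macs}
    for s in sw.values():
        s.add_port("Fa0/1", 1)
        s.add_port("Fa0/2", 2)
    connect(sw["S1"], "Fa0/1", sw["S3"], "Fa0/1")
    connect(sw["S1"], "Fa0/2", sw["S4"], "Fa0/2")
    connect(sw["S3"], "Fa0/2", sw["S2"], "Fa0/2")
    connect(sw["S4"], "Fa0/1", sw["S2"], "Fa0/1")
    return sw


def simulate(priorities=None):
    """Run the election; returns (root name, roles per switch, root cost per switch, rounds)."""
    sw = build_ring(priorities)
    rounds = converge(list(sw.values()))
    root = next(s.name for s in sw.values() if s.root_port is None)
    roles = {s.name: dict(s.roles) for s in sw.values()}
    costs = {s.name: s.root_cost for s in sw.values()}
    return root, roles, costs, rounds


if __name__ == "__main__":
    root, roles, costs, rounds = simulate()
    print(f"root bridge: {root} (converged in {rounds} rounds)")
    for name in sorted(roles):
        print(f"{name}: cost to root {costs[name]:>2}  {roles[name]}")
    # Lowering one switch's bridge priority moves the root, as slide 7 says it will.
    print("with S2 priority 24576, root is", simulate({"S2": 24576})[0])
```

With the defaults the model reproduces the slides: S1 is root, S3 Fa0/1, S4 Fa0/2 and S2 Fa0/2 are root ports, S2 reaches the root at cost 38, and S2 Fa0/1 is the only blocking port. Passing a lower priority for S2 shows the tie-break from slide 7 in action and moves the blocking port onto S1.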
13 STP Port Roles

The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.

The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment.

The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port.
14 802.1d BPDU Timers

[State diagram: link comes up -> Blocking (max age = 20 secs; moves to Listening after the switch decides whether the port is a root or designated port) -> Listening (forward delay = 15 secs) -> Learning (forward delay = 15 secs) -> Forwarding.]

Adjust spanning tree timers with care! Defaults are calculated based on a network diameter of 7 switches. Set the diameter on the root switch, and it will propagate new timers to the other switches via its BPDUs:

S1(config)#spanning-tree vlan 10 root primary diameter 4

On a nonroot bridge, the spanning tree determines each port's role in the topology and the most desirable forwarding path for data frames as the switch receives BPDUs on the ports. Each Layer 2 port on a switch running STP exists in one of these five port states:
- Blocking: The Layer 2 port is a nondesignated port and does not participate in frame forwarding. The port receives BPDUs to determine the location and root ID of the root switch and which port roles (root, designated, or nondesignated) each switch port should assume in the final active STP topology. By default, the port spends 20 seconds in this state (max age). It does not send BPDUs.
- Listening: Spanning tree has determined that the port can participate in frame forwarding according to the BPDUs that the switch has received. At this point, the switch port is receiving BPDUs and also transmitting its own BPDUs, informing adjacent switches that the switch port is preparing to participate in the active topology. By default, the port spends 15 seconds in this state (forward delay).
- Learning: The Layer 2 port prepares to participate in frame forwarding and begins to populate the CAM table. The port is still sending and receiving BPDUs. By default, the port spends 15 seconds in this state (forward delay).
- Forwarding: The Layer 2 port is considered part of the active topology. It forwards frames and also sends and receives BPDUs.
- Disabled: This is not really an STP state; rather, it is the state resulting from administratively shutting down a switch port. In this state, the Layer 2 port does not participate in spanning tree and does not forward frames.
15 802.1D Spanning Tree Protocol Topology Changes

[Figure: S1 is the root; S3 sends a TCN from its root port, each upstream switch acknowledges it with a BPDU ACK and relays it towards the root; a PC is attached to S3 Fa0/8.]

After a topology change, S3 sends a topology change notification (TCN) BPDU from its root port, and it is forwarded by subsequent switches until the root switch is informed of the change. When the root bridge receives the TCN BPDU, it sends out a normal BPDU with the topology change flag set. This causes all switches to shorten their CAM table aging timers from the default to the forward delay interval.

An 802.1D topology change occurs when a switch either moves a port into the forwarding state or moves a port from the forwarding or learning states into the blocking state. The switch sends a topology change notification (TCN) BPDU from its root port, and it is forwarded by subsequent switches until the root switch is informed of the change. The TCN BPDU carries no data about the change, only that a change has occurred. The switch continues sending TCN BPDUs every hello interval until it receives an acknowledgement from its upstream neighbour. When the root bridge receives the TCN BPDU, it sends out an acknowledgment in the form of a normal BPDU with the topology change flag set. This is done to signal the topology change, causing all the switches in the tree to shorten their CAM table aging timers from the default of 300 seconds to the forward delay interval (15 seconds by default). This causes the learned locations of MAC addresses to be flushed out much sooner than they normally would, easing the CAM table corruption that might be caused by a change in topology. Any stations that are actively communicating during this time are kept in the CAM table.

In the slide, the PC connected to Fa0/8 will cause a TCN to be generated every time it shuts down or is otherwise disconnected from the port. This will obviously
16 802.1D Spanning Tree Protocol PortFast

[Figure: S1 is the root; a PC is attached to S3 Fa0/8, the access port configured with PortFast.]

When a switch port configured with PortFast is configured as an access port, it transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.

S3(config)#int fa0/8
S3(config-if)#spanning-tree portfast
or
S3(config)#spanning-tree portfast default

Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
Portfast has been configured on FastEthernet0/8 but will only have effect when the interface is in non-trunking mode.

Spanning Tree PortFast causes an interface configured as a Layer 2 access port to enter the forwarding state immediately, bypassing the listening and learning states. Enable PortFast on Layer 2 access ports connected to a single workstation or server to allow those devices to connect to the network immediately, rather than waiting for spanning tree to converge. With PortFast enabled, the STP state jumps directly from blocking to forwarding without going through the listening and learning states. In addition, PortFast suppresses topology change notifications, minimising the number of CAM refreshes when user PCs are disconnected.

Note: the purpose of PortFast is to minimise the time that access ports wait for STP to converge. The advantage of enabling PortFast is to prevent DHCP timeouts. Use this feature solely on access ports except in specific network designs. When enabling PortFast on a port connecting to another switch, there is a risk of creating a bridging loop.
17 802.1D Spanning Tree Protocol BPDU Guard

[Figure: S1 is the root; S3 Fa0/8 is a PortFast port, and a second switch, S2, is attached to it.]

In a valid configuration, PortFast-configured interfaces should not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device. The STP BPDU Guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the STP blocking state (the default behaviour). STP would eventually converge to include the new device in the tree, but initially there is the possibility of a bridging loop being formed.

BPDU Guard puts an interface configured for STP PortFast in the err-disable state upon receipt of a BPDU, disabling the interface as a preventive step to avoid a potential bridging loop. BPDU Guard provides a secure response to invalid configurations, because the administrator must manually re-enable the err-disabled interface after fixing the invalid configuration. It is also possible to set up a time-out interval after which the switch automatically tries to re-enable the interface. However, if the invalid configuration still exists, the switch err-disables the interface again.

S3(config)#int fa0/8
S3(config-if)#spanning-tree bpduguard enable
or
S3(config)#spanning-tree portfast bpduguard default
18 Protecting Spanning Tree Protocol Root Guard

[Figure: S1 is the root; Root Guard is enabled on ports of S2 and S3, and superior BPDUs arrive on those ports.]

The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network. As long as superior BPDUs are received by S2 or S3, the receiving port will be kept in the root-inconsistent state. This prevents the port sending or receiving data, but the switch can still listen to BPDUs.

In the example, switch S2 learns the current root bridge's BID, which is S1's. If S3 advertises a superior BPDU, or one with a better bridge ID, on a port with Root Guard enabled, S2 will not allow the switch to become root. As long as superior BPDUs are received by S2, the receiving port will be kept in the root-inconsistent state. This prevents the port sending or receiving data, but the switch can still listen to BPDUs. Root Guard affects the entire port, so BPDUs are ignored for all VLANs configured on the port. When superior BPDUs are no longer received, the port is cycled through the normal STP states to return to normal use.

S4(config-if)#spanning-tree guard root
S4#sh spanning-tree inconsistentports
19 Protecting Spanning Tree Protocol Loop Guard

[Figure: S1 is the root; the non-designated port on S2 is blocking because it receives BPDUs from S1; Loop Guard is configured on S4.]

The Loop Guard feature keeps track of BPDU activity on non-designated (blocking) ports, and when BPDUs go missing, it moves the port into the loop-inconsistent state. The port is thus effectively blocking, preventing a loop from forming. Loop Guard can be configured globally or on a specific port. Note that the corrective blocking action it performs is carried out on a per-VLAN basis, not on the entire port.

The blocking port on S2 doesn't forward any user data, as it is receiving BPDUs from the root, S1, and thus STP holds it in the blocking condition. If the flow of BPDUs to the blocking port from S1 is stopped for some reason, then the current BPDU will be kept for the duration of the max-age timer, after which the port will cycle through the STP states and commence forwarding. This will cause a switching loop, as the S2 root port is already forwarding.

S4(config-if)#spanning-tree guard loop
S4(config)#spanning-tree loopguard default
20 Protecting Spanning Tree Protocol BPDU Filter

[Figure: S1 is the root; BPDU Filter is applied on S3 Fa0/8.]

STP operates on all switch ports in an effort to eliminate switching loops before they can form. BPDUs are sent over all switch ports, even when PortFast is enabled. However, to prevent a port from sending or receiving BPDUs, use the BPDU filter command. This effectively deactivates STP, so there is a potential to create switching loops if care is not exercised! BPDU filtering can be enabled either globally or on a per-port basis; the operation of BPDU filter is different depending on how it is activated:
- When enabled globally, BPDU filtering is applied only on ports that are in an operational PortFast state. Ports still send a few BPDUs at link-up before they effectively filter outbound BPDUs. If a BPDU is received on an edge port, it immediately loses its operational PortFast status and BPDU filtering is disabled.
- When enabled locally on a port, BPDU filtering prevents the switch from receiving or sending BPDUs on this port.

S3(config-if)#spanning-tree bpdufilter enable | disable
S3(config)#spanning-tree portfast bpdufilter default
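As an added example covering slides 14 and 16 to 20, and not code from the slides or from Cisco IOS, the following Python model tracks a single port through the 802.1D states with the default timers and shows what PortFast, BPDU Guard, Root Guard, Loop Guard and BPDU Filter change about the port's reaction to link-up, to silence and to an arriving BPDU. The `Port`, `State` and `seconds_to_forward` names, the `role`, `bpdufilter` and `superior` parameters and the one-second clock are the example's own assumptions; the timer values are the 802.1D defaults quoted on the slides.

```python
from enum import Enum

# Added example (not from the slides or Cisco IOS): a per-port model of the
# 802.1D state timers and of how PortFast, BPDU Guard, Root Guard, Loop Guard
# and BPDU Filter change the port's reaction to link-up, silence and BPDUs.
MAX_AGE, FORWARD_DELAY, HELLO = 20, 15, 2      # 802.1D defaults, in seconds


class State(Enum):
    BLOCKING = "blocking"
    LISTENING = "listening"
    LEARNING = "learning"
    FORWARDING = "forwarding"
    ERR_DISABLED = "err-disabled"              # BPDU Guard result
    ROOT_INCONSISTENT = "root-inconsistent"    # Root Guard result
    LOOP_INCONSISTENT = "loop-inconsistent"    # Loop Guard result


class Port:
    def __init__(self, role="designated", portfast=False, bpduguard=False,
                 rootguard=False, loopguard=False, bpdufilter=None):
        self.role = role                 # "designated", "root" or "nondesignated"
        self.portfast, self.bpduguard = portfast, bpduguard
        self.rootguard, self.loopguard = rootguard, loopguard
        self.bpdufilter = bpdufilter     # None, "port" (per-interface) or "global"
        self.state, self.in_state, self.since_bpdu = None, 0, 0
        self.history = []                # every state entered, for inspection

    def _enter(self, state):
        if state != self.state:
            self.state, self.in_state = state, 0
            self.history.append(state)

    def link_up(self):
        """PortFast skips straight to forwarding; everything else starts blocking."""
        self.state, self.since_bpdu = None, 0
        self._enter(State.FORWARDING if self.portfast else State.BLOCKING)
        return self.state

    def recover(self):
        """Administrator (or the errdisable recovery timer) re-enabling the port."""
        return self.link_up() if self.state == State.ERR_DISABLED else self.state

    def sends_bpdus(self):
        if self.bpdufilter == "port" or (self.bpdufilter == "global" and self.portfast):
            return False
        return self.state in (State.LISTENING, State.LEARNING, State.FORWARDING)

    def receive_bpdu(self, superior=False):
        """A BPDU arrives; `superior` means it advertises a better root than the
        one currently known (the case Root Guard exists for)."""
        if self.bpdufilter == "port":
            return self.state            # STP is switched off on this port: ignored
        if self.bpdufilter == "global" and self.portfast:
            self.portfast, self.bpdufilter = False, None   # edge port loses PortFast
        self.since_bpdu = 0
        if self.portfast and self.bpduguard:
            self._enter(State.ERR_DISABLED)
        elif self.rootguard and superior:
            self._enter(State.ROOT_INCONSISTENT)
        elif self.state == State.ROOT_INCONSISTENT:
            self._enter(State.BLOCKING)  # superior BPDUs stopped: cycle through the states again
        elif self.role == "nondesignated" and self.state != State.BLOCKING:
            self._enter(State.BLOCKING)  # BPDUs are back on a blocked port: stay blocked
        return self.state

    def tick(self, seconds=1):
        """Advance the clock one second at a time and apply the timer transitions."""
        for _ in range(seconds):
            self.in_state += 1
            self.since_bpdu += 1
            if self.state == State.BLOCKING:
                if self.role != "nondesignated":
                    if self.in_state >= MAX_AGE:
                        self._enter(State.LISTENING)
                elif self.since_bpdu >= MAX_AGE:
                    # Stored BPDU aged out on a blocked port. Without Loop Guard
                    # the port starts working its way to forwarding (the loop
                    # the slides warn about); with it, the port is held.
                    self._enter(State.LOOP_INCONSISTENT if self.loopguard else State.LISTENING)
            elif self.state == State.LISTENING and self.in_state >= FORWARD_DELAY:
                self._enter(State.LEARNING)
            elif self.state == State.LEARNING and self.in_state >= FORWARD_DELAY:
                self._enter(State.FORWARDING)
        return self.state


def seconds_to_forward(port, limit=120):
    """Seconds after link-up until the port forwards, or None if it never does."""
    for s in range(limit):
        if port.state == State.FORWARDING:
            return s
        port.tick()
    return None


if __name__ == "__main__":
    plain, fast = Port(), Port(portfast=True)
    plain.link_up(); fast.link_up()
    print("access port without PortFast forwards after", seconds_to_forward(plain), "s")
    print("access port with PortFast forwards after", seconds_to_forward(fast), "s")
    guarded = Port(portfast=True, bpduguard=True)
    guarded.link_up()
    print("PortFast + BPDU Guard port after a BPDU:", guarded.receive_bpdu().value)
    blocked = Port(role="nondesignated", loopguard=True)
    blocked.link_up(); blocked.tick(MAX_AGE)
    print("blocked port with Loop Guard after 20 s of silence:", blocked.state.value)
```

Running the file shows the timer arithmetic from slide 14 (max age plus two forward delays, 50 s, before a plain port forwards, against 0 s with PortFast), a BPDU err-disabling a PortFast port under BPDU Guard and re-disabling it after recovery while the misconfiguration persists, Root Guard holding a port root-inconsistent until the superior BPDUs stop, and a blocked port that, after 20 s without BPDUs, either walks to forwarding (the loop from slide 19) or is held loop-inconsistent by Loop Guard.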