1. Describing the STP

2. IEEE Documents IEEE 802.1D - Media Access Control (MAC) bridges
IEEE 802.1Q - Virtual Bridged Local Area Networks
IEEE 802.1w - Rapid Reconfiguration (Supp. to 802.1D)
IEEE 802.1s - Multiple Spanning Tree (Supp. to 802.1Q)

3. Enhancements to STP STP Per VLAN Spanning Tree (PVST+)
PortFast
BPDU Guard
Root Guard
UplinkFast
BackboneFast
Per VLAN Spanning Tree (PVST+)
Rapid Spanning Tree Protocol (RSTP)
Multiple Spanning Tree Protocol (MST)
MST is also known as Multiple Instance Spanning Tree Protocol (MISTP) on Cisco Catalyst 6500 switches and above

4. Download this file
Download: PT-Topology-STP2.pkt

5. Powercycle a host and watch link lights…
How long until switch link light turns green?

6. I’m adding any addresses on this port to my MAC Address Table.
PortFast
Forwarding State
Learning State
Listening State
Blocking State
I’m adding any addresses on this port to my MAC Address Table.
Powered On
Host powered on.
Port moves from blocking state immediately to listening state (15 seconds).
Determines where switch fits into spanning tree topology.
After 15 seconds port moves to learning state (15 seconds).
Switch learns MAC addresses on this port.
After 15 seconds port moves to forwarding state (30 seconds total).

7. PortFast – Problem DHCP
Forwarding State
Blocking State
Learning State
Listening State
Powered On
DHCP Discovery
Timeout
IP Address = 169.x.x.x
Host sends DHCP Discovery
Host never gets IP addressing information
Also: Insignificant Topology Change
A users PC causes the link to go up or down (normal booting or shutdown process).
No significant impact but given enough hosts switches could be in a constant state of flushing MAC address tables.
Causes unknown unicast floods.

8. PortFast
Forwarding State
Portfast enabled
Powered On
DHCP Discovery
DHCP Offer
The purpose of PortFast is to minimize the time that access ports wait for STP to converge.
When a port comes up, the port immediately moves into Forwarding state.
The advantage of enabling PortFast is to prevent DHCP timeouts.
Host sends DHCP Discovery
Host can now can IP addressing information.

9. Configuring Portfast
Warning: PortFast should only be enabled on ports that are connected to a single host.
If hubs or switches are connected to the interface when PortFast is enabled, temporary bridging loops can occur.
If a loop is detected on the port, it will move into Blocking state.

10. UplinkFast
Uplinkfast allows access layer switches that have redundant links to multiple distribution switches the ability to converge quickly when a link has failed.
For “Leafs” (end nodes) of the spanning tree.
Not for use within backbone or distribution switches (BackboneFast).
Uplinkfast allows access layer switches the ability to converge quickly when a link has failed.
Allows a blocked port on a switch to almost immediately begin forwarding frames when it detects the failure of the forwarding link.
Uplinkfast is designed for to only operate on switches that are “leaves” (end nodes) of the spanning tree.
Uplinkfast is not designed for use within backbone or distribution switches.

11. UplinkFast
Root
Unblock G 1/1 skips listening and learning and goes directly to forwarding X
UplinkFast must have direct knowledge of the link failure in order to move a blocked port into a forwarding state.
Single Root Port but multiple potential root ports.
If Root Port fails, next-lowest path cost is unblocked and used without delay (almost).
This switchover occurs within 1 second.
UplinkFast must have direct knowledge of the link failure in order to move a blocked port into a forwarding state.
When Access 1 detects a link failure on the currently active link, the root port (a direct link failure), UplinkFast unblocks the blocked port on Access 1 and transitions it to the forwarding state without going through the listening and learning states.
This switchover occurs within 5 seconds.

12. UplinkFast Access1(config)#spanning-tree uplinkfast
Not supported with Packet Tracer
Access1(config)#spanning-tree uplinkfast
Uplinkfast is enabled for the entire switch and all VLANs.
Not supported on a per-VLAN basis.
Uplinkfast keeps track of all possible paths to the Root Bridge.
So, not allowed on the Root Bridge
Switches BID: Raised to 49,152 to make it unlikely it will be the Root Bridge.

13. X BackboneFast Root Switch(config)#spanning-tree backbonefast
Backbone fast is a Cisco proprietary feature that, once enabled on all switches can save a switch up to 20 seconds (Max Age) when it recovers from an indirect link failure.
Configured in global configuration mode and should be enabled on all switches in the network.
Disabled by default.

14. X Root I just heard from Core that they are still the Root. I will:
Send BPDU to D1
Transition port immediately to listening state saving 20 seconds (Max Age)
This new BPDU is inferior to the one it had stored for this port so I will ignore it.
Let me send my current Root a query (RLQ).
My link to the Root has gone down. I have no alternate path to it. So, I’m the new root and send out my BPDUs on all ports.
Root
Thanks for telling me Core is the Root. I will change my RP to Fa 0/5. X
Listening
Forwarding
Blocking RP RP
After 20 seconds this port will now go into Forwarding state.
Inferior BPDU
BackboneFast is initiated when a root port or blocked port on a switch receives inferior BPDUs from a designated bridge.
Inferior BPDUs are sent from a designated bridge that has lost its connection to the root bridge.
Normally, a switch must wait for Max Age (20 seconds) to expire before responding to an inferior BPDU.
With Backbonefast, switch determines alternate paths to Root.
This indicates that a link to which the switch is not directly connected, an indirect link, has failed and the designated switch has lost its connection with the root bridge.
When a switch receives an inferior BPDU, it indicates that a link to which the switch is not directly connected (an indirect link) has failed (that is, the designated bridge has lost is connection to the root bridge).
Under normal STP rules, the switch ignores inferior BPDUs for the configured maximum aging time.
Link fails, Distribution 2 detects this failure as an indirect failure, since it is not connected directly to that link.
Distribution 1 no longer has a path to the root switch.
BackboneFast allows the blocked port on Distribution 2 to move immediately to the listening state without waiting for the maximum aging time for the port to expire.
BackboneFast then transitions the port on Distribution 2 to the forwarding state, providing a path from Distribution 1 to Distribution 2.
This switchover takes approximately 30 seconds.

15. BackboneFast FYI – More Information
Normal BPDU
= Core
= Dist1
FYI – More Information
An inferior BPDU identifies one switch as both the root bridge and the designate bridge.
Distribution 1 is the Designated Bridge.
Normally, sends BPDUs with Root Bridge as the Core BID.
Inferior BPDU – A received BPDU that identifies the root bridge and the designated bridge as the same switch. (“I was only just the Designated Bridge, but now that I can’t get to the Root Bridge, so now I am also the Root Bridge.”)
Inferior BPDU
= Dist1
Same Switch
= Dist1

16. Protecting against unexpected BPDUs
Root Guard
BPDU Guard
Loop Guard
Coast Guard

17. Problem: Unexpected BPDUs
Blocking and now listening to BPDUs
BPDU X
Forwards BPDUs to other switches.
Portfast
STP Reconvergence?
A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU).
This could lead to false STP information that enters the switched network and causes unexpected STP behavior.
Newly connected switch could advertise itself as the root.
BPDU Guard: Developed to protect integrity of switch ports with PortFast enabled but also keeps maintains STP integrity by disallowing unauthorized switches.
Enabling PortFast can create a security risk in a switched network.
A port configured with PortFast will go into blocking state if it receives a Bridge Protocol Data Unit (BPDU).
An unauthorized device can send BPDUs into the PortFast interface and set a port to blocking.
When the port is in blocking state it will accept all BPDUs.
This could lead to false STP information that enters the switched network and causes unexpected STP behavior.

18. | Solution: BPDU Guard BPDU Portfast & BPDU Guard
Err-Disable, Shutdown
BPDU |
No BPDUs sent
Portfast & BPDU Guard
Not supported with Packet Tracer
Distribution1(config)#interface range fa 0/
Distribution1(config-if-range)#spanning-tree bpduguard enable
When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state.
PortFast-enabled interfaces do not receive BPDUs in a valid configuration.
The BPDU guard feature blocks BPDUs by placing the interface in the ErrDisable state.
BPDU guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol.
When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state.
Errdisable: Port must be manually re-enabled or automatically recovered via timers.
BPDU guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol.

19. Root Guard Root Guard prevents a switch from becoming the root bridge.
Protect
Protect
Potential Root
Potential Root
Root Guard prevents a switch from becoming the root bridge.
Typically access switches
Configured on switches that connect to this switch.
Root Guard is used if the network administrator wants to prevent a switch (usually access switch) from becoming the root bridge or from being in the path to the root bridge.
Root guard will be used to prevent switches from becoming the root bridge.
Configured on switches that connect to this switch.

20. Root Guard
UplinkFast must be disabled because it cannot be used with root guard.
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and are prevented from reaching the forwarding state.

21. Root Guard This message appears after root guard blocks a port:
I no longer want to be root. I have been reconfigured to be a non-root bridge.
I want to be root bridge!
Superior BPDU
I will now transition to listening sate, then learning state, then forwarding sate.
STP Inconsistent State – no traffic is passed.
This message appears after root guard blocks a port:
%SPANTREE-2-ROOTGUARDBLOCK: Port 0/3 tried to become non-designated in VLAN 1. Moved to root-inconsistent state
After the switch receives a superior BPDU. Root guard puts the port in the root-inconsistent STP state. No traffic passes through the port in this state. After the switch ceases to send superior BPDUs, the port is unblocked again. Via STP, the port goes from the listening state to the learning state, and eventually transitions to the forwarding state. Recovery is automatic; no human intervention is necessary.

22. Unidirectional Link Detection Protocol (ULDP)
Designated Port
Blocked Port
Spanning-Tree Protocol (STP) resolves redundant physical topology into a loop-free, tree-like forwarding topology.
This is done by blocking one or more ports.

23. ULDP Loop! BPDU BPDU BPDU BPDU BPDU No BPDU’s Received BPDU
Change to Forwarding State
STP uses Bridge Protocol Data Units (BPDUs).
If a switch’s port in blocking port stops receiving BPDUs:
STP eventually ages out the STP information for the port (up to 50 secs)
Moves port to forwarding state.
This creates a forwarding loop or STP loop.
How is it possible for the switch to stop receiving BPDUs while the port is up?
The reason is unidirectional link.

24. ULDP BPDU No BPDU’s Received Change to Forwarding State
RFC 5171: “Issues arise when, due to mis-wirings or to hardware faults, the communication path behaves abnormally and generates forwarding anomalies.
Link fails in the direction of SwitchC.
SwitchC stops receiving traffic from SwitchB.
However, SwitchB still receives traffic from C.
UDLD is a Layer 2 (L2) protocol that works with the Layer 1 (L1) mechanisms to determine the physical status of a link.

25. ULDP Layer 1: Auto-negotiation configured (speed/duplex)
My device/port ID & your device port ID
Layer 1: Auto-negotiation configured (speed/duplex)
My device/port ID & your device port ID
Layer 2: UDLD configured
Enable both auto-negotiation and UDLD to prevent unidirectional connection.
With UDLD switches share Device/Port ID information.

26. X ULDP Port shutdown by UDLD remains disabled until:
My device/port ID & your device port ID X
Unidirectional link failure
My device/port ID & your device port ID
UDLD-3-DISABLE: Unidirectional link detected on port 1/2. Port disabled
Port disabled
Port shutdown by UDLD remains disabled until:
Manually reenabled or
errdisable timeout expires (if configured)

27. Rapid Spanning Tree Protocol

28. Configuring ULDL Switch(config)# udld {enable | aggressive} or
Switch(config)# interface fa 1/2
Switch(config-if)# udld {enable | aggressive}
Normal mode (enable) – Port is allowed to continue it’s operation merely marks the port as being in undetermined state and generates a syslog message.
Aggressive mode – Port is place in Errdisable state and cannot be used.

29. X Loopguard Loop! BPDU No Loopguard Configured
No BPDU’s Received
No Loopguard Configured
Change to Forwarding State
Loopguard also protects against ports erroneously transitioning to forwarding mode.
Loopguard will also protect against STP failures, designated switch not sending BPDUs due to software problems.

30. X Loopguard BPDU BPDU Loopguard Configured
Unidirectional link failure
BPDU
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet1/0 on VLAN0010
Loopguard Configured
Inconsistent Blocking State
If the switch begins to receive BPDUs again, it will transition through normal STP states.
Loopguard does NOT protect against problems due to wiring issues.
Highest level of protection is to enable both Loopguard and UDLD.

31. Configuring Loopguard
Switch(config)# spanning-tree loopguard default or
Switch(config)# interface fa 1/2
Switch(config-if)# spanning-tree guard loop

32. RSTP – IEEE 802.1w (Rapid Spanning Tree Protocol)

33. Rapid Spanning Tree Protocol

34. Rapid Spanning Tree Protocol
The immediate hindrance of STP is convergence.
Depending on the type of failure, it takes anywhere from 30 to 50 seconds, to converge the network.
RSTP helps with convergence issues that plague legacy STP.

35. STP vs RSTP RSTP is based on IEEE 802.1w standard.
IEEE 802.1w took 802.1D’s principle concepts and made convergence faster.
STP topology change takes 30 seconds (two intervals of Forward Delay timer).
RSTP is proactive and therefore negates the need for the 802.1D delay timers.
RSTP (802.1w) supersedes 802.1D, while still remaining backward compatible.
RSTP BPDU format is the same as the IEEE 802.1D BPDU format, except that the Version field is set to 2 to indicate RSTP.
The RSTP spanning tree algorithm (STA) elects a root bridge in exactly the same way as 802.1D elects a root.
RSTP is based on IEEE 802.1w standard.
Numerous differences exist between RSTP and STP.
RSTP requires full-duplex point-to-point connection between adjacent switches to achieve fast convergence.
Half duplex, denotes a shared medium, multiple devices.
As a result, RSTP cannot achieve fast convergence in half-duplex mode.
STP and RSTP also have port designation differences.
RSTP has alternate and backup port designations.
Ports not participating in spanning tree are known as edge ports.
The edge port becomes a nonedge port immediately if a BPDU is heard on the port.
TCNs
Nonedge ports participate in the spanning tree algorithm; hence, only nonedge ports generate Topology Changes (TCs) on the network when transitioning to forwarding state only. TCs are not generated for any other RSTP states.
In legacy STP, TCNs were generated for any active port that was not configured for PortFast.
Many of the differences stem from the Cisco proprietary enhancements.
The Cisco-based RSTP enhancements have these characteristics:
They are integrated into the protocol at a low level.
They are transparent.
They require no additional configuration.
They generally perform better than the Cisco-proprietary 802.1D enhancements.
BPDU carries information about port roles and is sent to neighbor switches only.
Because the RSTP and the Cisco-proprietary enhancements are functionally similar, features such as UplinkFast and BackboneFast are not compatible with RSTP.

36. RSTP RSTP can be applied on Cisco switches as:
A single instance per VLAN
Rapid PVST+ (RPVST+)
Multiple instances
IEEE 802.1s Multiple Spanning Tree (MST)

37. STP Port Behavior and States
Ports
Root Port
Designated Port
Blocking Port
Not Designated Port and Not Root Port
Cisco’s proprietary UplinkFast has a hidden Alternative Port offering parallel paths, but in Blocking state.
States
Disabled (Not 802.1D state)
Blocking
Listening
Learning
Forwarding
Only state that sends/receives data.

38. RSTP Root Bridge: Same election process as 802.1D (lowest BID) Ports
Root Port (802.1D Root Port)
The one switch port on each switch that has the best root path cost to the root.
Designated Port (802.1D Designated Port)
The switch port on a network segment that has the best root path cost to the root.
Alternate Port (802.1D Blocking Port)
A port with an alternate path the root.
An alternate port receives more useful BPDUs from another switch and is a port blocked.
Similar to how Cisco UplinkFast works.
Backup Port (802.1D Blocking Port)
A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects.
A backup port receives more useful BPDUs from the same switch it is on and is a port blocked.

39. RSTP Port States Operational Port State STP Port State RSTP Port State
Disabled
Discarding
Enabled
Blocking
Listening
Learning
Forwarding
RSTP defines port states based on what it does with incoming data frames.
Discarding
Incoming frames are dropped
No MAC Addresses learned
Combination of 802.1D (Disabled), Blocking and Listening
Learning
MAC Addresses learned
Forwarding
Incoming frames are forward.
Discarding This state is seen in both a stable active topology and during topology synchronization and changes.
The discarding state prevents the forwarding of data frames, thus “breaking” the continuity of a Layer 2 loop.
Learning This state is seen in both a stable active topology and during topology synchronization and changes.
The learning state accepts data frames to populate the MAC table in an effort to limit flooding of unknown unicast frames.
Forwarding This state is seen only in stable active topologies.
The forwarding switch ports determine the topology.
Following a topology change, or during synchronization, the forwarding of data frames occurs only after a proposal and agreement process.

40. RSTP BPDUs
STP Port State
STP BPDUs
RSTP Port State
RSTP BPDUs
Disabled
Not Sent/Received
Discarding
Blocking
Receive only
Sent/Received
Listening
Learning
Forwarding
RSTP uses same 802.1D BPDU format for backward compatibility.
802.1D and 802.1w switches can coexist.
BPDUs sent out every switch port at Hello Time intervals regardless if BPDUs are sent on the port.
When three BPDUs in a row (6 seconds) are missed:
the neighbor switch is presumed down
All MAC address information pointing to that switch (out that port) is immediately aged out (flushed)
Switch can detect a neighbor down in 6 seconds instead of MaxAge of 20 seconds.

41. RSTP Convergence Convergence is a two step process:
Elect a Root Bridge
Examine all switch ports which by default are in Blocking state and advance to the appropriate state to prevent loops.
STP requires the expiration of several timers before switch ports can be moved to Forwarding state.
RSTP takes a different approach:
When a switch joins the topology (powered-up) or detects a failure in the existing topology…
Determines its forwarding decisions based on the type of port.
Edge Port
Root Port
Point-to-Point Port

42. Edge Ports
Edge port will never have a switch connected to it so cannot form bridging loops.
Immediately transitions to forwarding state.
Traditional identified with STP PortFast feature.
For familiarity the command is the same: spanning-tree portfast
Never generates topology changes notifications (TCNs) when the port transitions to a disabled or enabled status.
If an edge port receives a BPDU, it loses its Edge Port status becomes a normal spanning-tree port.
An RSTP edge port is a switch port that is never intended to be connected to another switch device.
It immediately transitions to the forwarding state when enabled.
The edge port to the PortFast feature.
All ports directly connected to end stations anticipate that no switch device will be connected to them and immediately transition to the STP forwarding state, thereby skipping the time-consuming listening and learning stages.
Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning tree port.
Portfast
If a switch is connected to the interface when PortFast is enabled, temporary bridging loops can occur.
When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state.
Cisco’s RSTP implementation maintains the PortFast keyword for edge port configuration, thus making an overall network transition to RSTP more seamless.

43. Non-Edge Ports Root Port
The one switch port on each switch that has the best root path cost to the root.
Point-to-Point Port (Link Type)
Port operating in full-duplex mode.
Connects to another switch and becomes a Designated Port.
Uses a quick handshake with neighboring switch rather than timers to decide port state.
Shared Medium Port (Link Type)
Port operating in half-duplex mode.
It is assumed that the port is connected to shared media where multiple switches might exist.
An RSTP edge port is a switch port that is never intended to be connected to another switch device.
It immediately transitions to the forwarding state when enabled.
The edge port to the PortFast feature.
All ports directly connected to end stations anticipate that no switch device will be connected to them and immediately transition to the STP forwarding state, thereby skipping the time-consuming listening and learning stages.
Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning tree port.
Portfast
If a switch is connected to the interface when PortFast is enabled, temporary bridging loops can occur.
When the BPDU guard feature is enabled on the switch, STP shuts down PortFast enabled interfaces that receive BPDUs instead of putting them into a blocking state.
Cisco’s RSTP implementation maintains the PortFast keyword for edge port configuration, thus making an overall network transition to RSTP more seamless.

44. Point-to-Point: The Quick Handshake
Proposal
Root A DP RP B
Agreement
Switch A is connected to Switch B through a point-to-point link,
All ports are in the Discarding (Blocking) state.
Switch A has a lower BID than Switch B.
Switch A sends a proposal message (Configuration BPDU) to Switch B, proposing itself as the Root Bridge and the designated switch on the segment.
Switch B:
Selects its new root port the port from which the proposal message was received and immediately goes into Forwarding State
Forces all nonedge ports to the Discarding (Blocking) state,
Sends an agreement message.
Switch A: Immediately transitions its designated port to the forwarding state.
No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B.

45. Root A B Root A B C Root A B C D
Proposal
Root A DP RP B
Agreement
Proposal
Root DP DP A B DP RP C
Agreement
Proposal
Root A DP RP B DP RP C DP RP D
Agreement
Switch C is connected to Switch B: a similar set of handshaking messages are exchanged.
Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state.
Handshaking process continues throughout topology.

46. RSTP Topology Change Notifications
802.1D
802.1D
802.1D
Switch detects a state change (up or down), it sends the Root Bridge a TCN BPDU.
The Root Bridge sends out a Configuration BPDU (TCN bit set) to all switches to tell them about the change. (30 seconds before Forwarding)
RSTP
Detects a topology change only when a nonedge port transitions to the Forwarding State.
RSTP uses its convergence mechanisms (Edge Ports, Point-to-Point ports, handshaking, etc.) to prevent bridging loops.
Therefore, topology changes are detected only so MAC address tables can be updated and corrected.
This means that a loss of connectivity is not considered as a topology change any more, contrary to 802.1D (that is, a port that moves to blocking no longer generates a TC).

47. RSTP Topology Change Notifications
When a topology change occurs:
Switch flushes the MAC addresses associated with all nonedge ports.
Switch sends BPDU with TCN bit set to all neighbors so they can update their MAC Address tables too.
RSTP no longer uses the specific TCN BPDU, unless a legacy bridge needs to be notified
When a bridge receives a BPDU with the TCN bit set from a neighbor:
It clears the MAC addresses learned on all its ports, except the one the port that it receives the topology change.
It sends BPDUs with TCN set on all its designated ports and root port (RSTP no longer uses the specific TCN BPDU, unless a legacy bridge needs to be notified).
This way, the TCN floods very quickly across the whole network - now a one step process.
The initiator of the topology change floods this information throughout the network, as opposed to 802.1D where only the root did.
Much faster than the 802.1D equivalent < wait for the root bridge to be notified, and then max age plus forward delays>.
In just a few seconds, or a small multiple of hello-times, most of the entries in the CAM tables of the entire network (VLAN) flush.
This approach results in potentially more temporary flooding, but on the other hand it clears potential stale information and allows rapid convergence.

48. RSTP BPDU Flag Byte Use

49. Rapid PVST Implementation Commands
Cisco implements RSTP with Rapid PVST+
Switch(config)# spanning-tree mode rapid-pvst
To revert back to the default PVST+ using traditional 802.1D:
Switch(config)# spanning-tree mode pvst

50. Rapid PVST Implementation Commands
Cisco implements RSTP with Rapid PVST+
To configure an RSTP edge port:
Switch(config-if)# spanning-tree portfast
RSTP automatically decides if a port is point-to-point link operating in full duplex or half-duplex.
If you need to set it manually, other switch is in Half-Duplex but still point-to-point (by the way, both ends must then be Half-Duplex):
Switch(config-if)# spanning-tree link-type point-to-point

51. Rapid PVST Implementation Commands

52. Rapid PVST Implementation Commands

53. Implementing MSTP

54. Multiple Spanning Tree Protocol – 802.1s
Instance 1 maps to VLANs 1–500
Instance 2 maps to VLANs 501–1000
Multiple Spanning Tree (MST) extends the IEEE 802.1w RST algorithm to multiple spanning trees.
The main purpose of MST is to:
Reduce the total number of spanning-tree instances to match the physical topology of the network
Thus reduce the CPU cycles of a switch.
Allows the network administrator to configure the exact number of instances.
PVST+ runs a single instance of STP for each VLAN and does not take into consideration the physical topology.
May have 1,000 VLANs but only 2 different topologies (2 different Root Bridges).
PVST+ will still create 1,000 instances of STP
MST, on the other hand, uses a minimum number of STP instances to match the number of physical topologies present.
MST will let you specify only 2 instances of STP.

55. 802.1D
802.1D
MST Regions
MST Region
MST Region is a group of switches placed under a common administration (like an AS).
In most networks a single MST region is sufficient.
A single MST Region can handle 15 STP instances (topologies).
Within a region, all switches must run the instance of MST as defined by:
MST configuration name (32 characters)
MST configuration revision number ( 0 to 65,535)
MST instance-to-VLAN mapping table (4,096 entries)
MST was designed to work with all forms of STP.
IST (Internal Spanning Tree) instance runs to work out a loop-free topology inside the MST Region.
IST presents the entire MST region as a single virtual switch (bridge) to the CST (802.1D) outside.
The main enhancement introduced by MST is the ability to map several VLANs to a single spanning-tree instance.
This raises the problem, however, of determining what VLAN is to be associated with what instance.
Based on received BPDUs, devices need to identify these instances and their VLANs (VLANs that are mapped to the instances).
Details not important…
Each switch that is running MST in the network has a single MST configuration that consists of three attributes:
An alphanumeric configuration name (32 bytes)
A configuration revision number (2 bytes)
A 4096-element table that associates each of the potential 4096 VLANs supported on the chassis to a given instance

56. MST
Remember, the whole idea of MST is to map multiple VLANs to a smaller number of STP instances.
Cisco supports a maximum of 16 MST Instances (MSTIs) in a region.
The IST uses MST 0 leaving 1 through 15 available for use.
The Distribution1 switch is the primary root bridge for the data VLANs 10, 30, and 100
Secondary root bridge for the voice VLANs 20, 40, and 200.
The Distribution2 switch the primary root bridge for the voice VLANs 20, 40, and 200
Secondary root bridge for the data VLANs 10, 30, and 100.
Distribution1 is chosen as CIST regional root.
It means that Distribution1 is the root for IST0.

57. MST

58. MST

59. MST

60. Extended System ID in Bridge ID Field

61. Cisco’s RSTP is Rapid PVST+

62. 802.1D creates a single instance of STP for all VLANs.
PVST+ and RPVST create a single instance of STP for each VLAN.
If there are 500 VLANs in the network that would be 500 instances of STP running!
Cisco’s RSTP is Rapid PVST+
PVST+ does allow different VLANs to have different Root Bridges which can allow for the use of redundant links.

63. Configuring Link Aggregation with EtherChannel

64. Spanning Tree and EtherChannel
Etherchannel Bundle
Spanning Tree only allows a single link between switches to prevent bridging loops.
Cisco’s EtherChannel technology allows for the scaling of link bandwidth by aggregating or bundling parallel links.
Treated as a single, logical link.
Access or Trunk link
Allows you to expand the link’s capacity without having to purchase new hardware (modules, devices).
Load Balances, View as one logical port , Redundancy.

65. EtherChannel EtherChannel allows for two to eight links.
Fast Ethernet (FE)  Fast EtherChannel  Up to 1600 Mbps
Gigabit Ethernet (GE)  Gigabit EtherChannel  Up to 16 Gbps
10-Gigabit Ethernet (10GE)  10 Gigabit EtherChannel  Up to 160 Gbps
This does not mean the total bandwidth of the bundle equals the sum of the links.
The load is not always distributed evenly (coming).

66. EtherChannel
The Cisco Catalyst family of switches supports two types of link aggregation:
Port Aggregation Protocol (PAgP) - Cisco proprietary
Default when port channel is created (coming)
Link Aggregation Control Protocol (LACP) - Industry standard 802.3ad-based protocol
EtherChannel provides redundancy.
If one link fails traffic is automatically moved to an active link.
Transparent to end user.
LACP (coming) also allows for standby links (coming).

67. The key is consistency for all links in the bundle:
Media
Same media type and speed
Same duplex
VLANs – All ports within the bundle must be configure with:
Same VLAN (if access)
Same trunking encapsulation and mode (if trunk)
Mode on opposite switches do not have to be the same as long as it still forms a trunk.
Same Native VLAN
Pass the same set of VLANs

68. Distribution of Traffic and Load Balancing
Load is not balanced equally across links.
EtherChannel uses a hashing algorithm.
Single input is used (such as Source IP address), the hash will only look at the bits associated with this input. (coming)
Two inputs are used (such as Source IP address and Destination IP address), the hash will perform an exclusive OR (XOR) operation on both inputs. (coming!)
Both of these will compute a binary number that selects a link number in the bundle to carry the frame. (coming!!!)

69. Load Balancing Let’s take a brief look at how this works.
We will focus on the 2, 4 and 8 link possibilities as this is easier to understand and the only options that provide more ideal load balancing.
A 2 link EtherChannel bundle requires a 1-bit index using an XOR.
If the index is 0, link 0 is selected
If the index is 1, link 1 is selected
A 4 link EtherChannel bundle requires a 2-bit index using an XOR.
4 possible links: 00, 01, 10, 11
An 8 link EtherChannel bundle requires a 3-bit index using an XOR.
8 possible links: 000, 001, 010, 011, 100, 101, 110, 111

70. Load Balancing Example: 2 Link EtherChannel.1
Example: 2 Link EtherChannel.
Packet sent from to
The chosen hash uses Source IP and Destination IP address
At most there can only be 8 links in bundle, so only the last 3 rightmost bits (least-significant) of the addresses will ever need to be indexed or examined.
3 bits will give us 8 choices (8 links max in a bundle)
=> =>
In our example we have 2 links in the EtherChannel (1 bit index):
The XOR is performed only on the rightmost bit 1 XOR 0
1 XOR 0 = 1
Link 1 is used

71. Load Balancing Example: 4 Link EtherChannel3
Example: 4 Link EtherChannel
Packet sent from to
Our hash used the Source IP and Destination IP address
=> =>
If there are 4 links in the EtherChannel (2 bit index):
The XOR is performed only on 2 rightmost bits 01 XOR 10
Each bit is computed separately
01 XOR 10 = 11
1 XOR 0 = 1
0 XOR 1 = 1
Link 3 (112) is used

72. Load Balancing Example: 8 Link EtherChannel7
Example: 8 Link EtherChannel
Packet sent from to
Our hash used the Source IP and Destination IP address
=> =>
If there are 8 links in the EtherChannel (3 bit index):
The XOR is performed only on the 3 rightmost bits 001 XOR 110
Each bit is computed separately
001 XOR 110 = 111
1 XOR 0 = 1
0 XOR 1 = 1
Link 7 (1112) is used

73. Configuring EtherChannel Load Balancing
Switch(config)# port-channel load-balance method
The load balancing method is configured in global configuration mode.

74. Load Balancing
6500 and 4500 switches also allow hash input to be based on:
dst-port (destination port)
src-dst-port (source and destination ports)
Dafaults for 29xx and 35xx (this may vary so check documentation)
Layer 2 switching (switched port) is src-mac (coming)
Layer 3 switching (routed port) is src-dst-ip (coming)
For non-IP traffic the switch will distribute frames based on MAC addresses.
Multicasts and broadcasts sent over one link in the EtherChannel are not sent back over other links in the EtherChannel.

75. Load Balancing Switch(config)# port-channel load-balance src-dst-ip
dst-ip Dst IP Addr bits
dst-mac Dst Mac Addr bits
src-dst-ip Src XOR Dst IP Addr XOR
src-dst-mac Src XOR Dst Mac Addr XOR
src-ip Src IP Addr bits
src-mac Src Mac Addr bits
Load Balancing
Switch(config)# port-channel load-balance src-dst-ip
Normally, the default Source IP and Destination IP addresses will result in a fair statistical distribution of frames.
This is because of the random nature of multiple Source and Destination IP addresses.
However, if a single server’s destination IP address is receiving most of the traffic this may cause one link to be overused in a two link EtherChannel.
Two links in a four link EtherChannel
Four links in an eight link EtherChannel.
Use only Source IP address or include MAC addresses to create a more balanced load across the bundle.

76. EtherChannel Protocols
PAgP
LACP
LACP
PAgP
The Cisco Catalyst family of switches supports both:
Port Aggregation Protocol (PAgP) - Cisco proprietary
Default when port channel is created (coming)
Link Aggregation Control Protocol (LACP) - Industry standard 802.3ad-based protocol
Not many differences.
When a Cisco switch is connected to a non-Cisco switch use LACP.
Must be the same on both ends!

77. EtherChannel Protocols
Fa0/1
Fa0/4
PAgP requires identical static VLANs or trunking encapsulation with same allowed VLANs.
If the VLAN, speed or duplex on a port in the bundle is changed PAgP automatically reconfigures the rest of the ports in that bundle.

78. EtherChannel Protocols
Channel Group
Fa0/1
Fa0/4
Channel-group number: 1 – 64
Does not need to be the same on both switches but its recommended that it usually is.

79. No PAgP or LACP negotiation
EtherChannel on on
on – Forces port to channel without PAgP negotiation.
Both ends must be on.
All ports channeling
You can use channel-group # mode on when the connecting device does not support PAgP and you need to set up the channel unconditionally.

80. PAgP modes EtherChannel desirable desirable auto
An interface in desirable mode can form an EtherChannel with another interface that is in desirable or auto mode.
Desirable (Active) - Actively asks to form a channel

81. PAgP modes EtherChannel desirable auto
An interface in auto mode can form an EtherChannel with another interface in desirable mode.
Auto (default, passive) - Waits to be asked to form a channel.
An interface in auto mode cannot form an EtherChannel with another interface that is also in auto mode because neither interface starts PAgP negotiation.

82. LACP modes EtherChannel active active passive
An interface in the active mode can form an EtherChannel with another interface that is in the active or passive mode.
An interface in the passive mode can form an EtherChannel with another interface that is in the active mode.
An interface in the passive mode cannot form an EtherChannel with another interface that is also in the passive mode because neither interface starts LACP negotiation.

83. Forming EtherChannelson on
PAgP Negotiated EtherChannel
desirable
desirable
auto
LACP Negotiated EtherChannel
active
active
passive

84. Configuring PAgP Notice:
Load balancing does not have to match but usually it does.
DTP on DLS2 is dynamic auto (result is trunk with DLS1)
PAgP configured on both ends

85. Verifying DLS2#show run DLS1#show run ! !
port-channel load-balance dst-ip
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/1
! ...
interface FastEthernet0/11
channel-group 1 mode desirable
interface FastEthernet0/12
DLS2#show run !
port-channel load-balance src-dst-ip
interface Port-channel1
switchport trunk encapsulation dot1q
interface FastEthernet0/1
! ...
interface FastEthernet0/11
channel-group 1 mode auto
interface FastEthernet0/12

86. Verifying

87. Verifying

88. Configuring LACP Port Priority - (Optional for LACP)
LACP uses the port priority to decide which ports should be put in standby mode.
Not typically used (more with hardware limitation).
Ports with lower priority are active, rest are standby. (Default is 32,768)
System Priority - (Optional for LACP)
Valid values are 1 through
Higher numbers have lower priority. (Default is 32768, switch MAC is tiebreaker)
Recommended only when some ports are in standby.

89. Configuring LACP: DLS1 and DLS2

90. Verifying (only showing DLS1)
DLS1#show run !
port-channel load-balance dst-ip
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/11
lacp port-priority 99
channel-group 1 mode active
interface FastEthernet0/12
interface FastEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active !
interface FastEthernet0/14

91. Verifying

92. Verifying

93. Configuring Link Aggregation with EtherChannel (End)