Ch 3: Advanced STP Tuning

Question 1

A switch’s STP priority can be configured in increments of ______.

a. 1
b. 256
c. 2048
d. 4096

Answer 1

D. A switch’s STP priority increments in values of 4096. The priority is actually added to the VLAN number as part of the advertisement. The VLAN identifier is 12 bits, which is a decimal value of 4096.

Question 2

True or false: The advertised path cost includes the advertising link’s port cost as part of the configuration BPDU advertisement.

a. True
b. False

Answer 2

B. False. The advertising path cost includes the calculate path cost but does not include the path cost of the interface from which the BPDU is being advertised.

The receiving switch adds the port cost for the interface on which the BPDU was received in conjunction to the value of the total path cost in the BPDU.

Question 3

True or false: The switch port with the lower STP port priority is more preferred.

a. True
b. False

Answer 3

A. True. As part of the STP algorithm, when two links exist between two switches, on the upstream switch, the port with the lower port priority is preferred.

Question 4

What happens to a switch port when a BPDU is received on it when BPDU guard is enabled on that port?

a. A message syslog is generated, and the BPDU is filtered.
b. A syslog message is not generated, and the BPDU is filtered.
c. A syslog message is generated, and the port is sent back to a listening state.
d. A syslog message is generated, and the port is shut down.

Answer 4

D. BPDU guard generates a syslog message and shuts down an access port upon receipt of a BPDU.

Question 5

Enabling root guard on a switch port does what?

a. Upon receipt of an inferior BPDU, the port is shut down.
b. Upon receipt of a superior BPDU, the port is shut down.
c. Upon receipt of an inferior BPDU, the BPDU is filtered.
d. When the root port is shut down, only authorized designated ports can become root ports.

Answer 5

B. Root guard ensures that the designated port does not transition into a root port by shutting down the port upon receipt of a superior BPDU.

Question 6

UDLD solves the problem of ______.

a. time for Layer 2 convergence
b. a cable sending traffic in only one direction
c. corrupt BPDU packets
d. flapping network links

Answer 6

B. Unidirectional Link Detection (UDLD) solves the problem when a cable malfunctions and transmits data in only one direction.

Question 7

What command sets a switch to be either the primary or secondary root switch? What are the Bridge Priorities associated with both primary and secondary?

Answer 7

spanning-tree vlan vlan-id root {primary | secondary} [diameter diameter]:

This command executes a script that modifies certain values. The primary keyword sets the priority to 24,576, and the secondary keyword sets the priority to 28,672.

The optional diameter command makes it possible to tune the Spanning Tree Protocol (STP) convergence and modifies the timers; it should reference the maximum number of Layer 2 hops between a switch and the root bridge. The timers do not need to be modified on other switches because they are carried throughout the topology through the root bridge’s bridge protocol data units (BPDUs).

Question 8

What is the command to set STP bridge priority on a switch?

Answer 8

spanning-tree vlan vlan-id priority priority

The priority is a value between 0 and 61,440, in increments of 4,096.

The default is 32,768.

Question 9

T/F: The best way to prevent erroneous devices from taking over the STP root role is to set the priority to 0 for the primary root switch and to 4096 for the secondary root switch. In addition, root guard should be used.

Answer 9

True. This will ensure the root role is not subverted.

Question 10

What command is used to modify the STP port cost?

Answer 10

By changing the STP port costs with the command spanning tree [vlan vlan-id] cost cost, you can modify the STP forwarding path. You can lower a path that is currently an alternate port while making it designated, or you can raise the cost on a port that is designated to turn it into a blocking port.

The spanning tree command modifies the cost for all VLANs unless the optional vlan keyword is used to specify a VLAN.

Question 11

T/F: The STP port priority impacts which port is an alternate port when multiple links are used between switches.

Answer 11

True.

Question 12

What is STP port priority? What is the default value?

Answer 12

Each port of a Switch has a Spanning Tree Port Priority value associated with it, which is equal to 128 by default. We can view the spanning-tree command by using show command “show spanning-tree”.

The priority values are 0, 32, 64, 96, 128, 160, 192, and 224. All other values are rejected.

The STP port priority impacts which port is an alternate port when multiple links are used between switches.

This is used for prefering a path to the root bridge, by having traffic prefer a specific path.

Remember that the sytem ID and port cost will be checked first. But, if the system ID and port costs are the same, the next check is port priority, This is only used as a third resort in breaking ties to the root bridge.

Question 13

What is STP Port ID? How is it formed?

Answer 13

Spanning Tree Port ID is formed by adding the 4-bit port priority value (the default value of 128) to 12-bit interface identifier (total 16 bits).

Normally, a Port ID is denoted in Hexadecimals similar as 0x8015, which is equivalant to 128.21 in decimals, where the first part is the default Port Priority number and second part is the switch interface identifier.

Question 14

T/F: All of the following are some common scenarios for Layer 2 forwarding loops:

• STP disabled on a switch
• A misconfigured load balancer that transmits traffic out multiple ports with the same MAC address
• A misconfigured virtual switch that bridges two physical ports (Virtual switches typically do not participate in STP.)
• End users using a dumb network switch or hub

Answer 14

True.

Question 15

If you see this error in syslog, what should you look for?

• 12:40:30.044: %SW_MATM-4-MACFLAP_NOTIF: Host 70df.2f22.b8c7 in vlan 1 is flapping between port Gi1/0/3 and port Gi1/0/2

Answer 15

In this scenario, STP should be checked for all the switches hosting the VLAN mentioned in the syslog message to ensure that spanning tree is enabled and working properly.

Catalyst switches detect a MAC address that is flapping between interfaces and notify via syslog with the MAC address of the host, VLAN, and ports between which the MAC address is flapping. These messages should be investigated to ensure that a forwarding loop does not exist.

Question 16

Which of the following are true?

1. Root guard is an STP feature that is enabled on a port-by-port basis
2. Root guard prevents a configured port from becoming a root port.
3. Root guard functions by ignoring packets with a superior BPDU when they are received on a configured port.
4. Root guard is enabled with the interface command spanning-tree guard root.
5. Root guard is placed on designated ports toward other switches that should never become root bridges.

Answer 16

All are true except 3.

Root guard is an STP feature that is enabled on a port-by-port basis; it prevents a configured port from becoming a root port. Root guard prevents a downstream switch (often misconfigured or rogue) from becoming a root bridge in a topology. Root guard functions by placing a port in an ErrDisabled state if a superior BPDU is received on a configured port. This prevents the configured DP with root guard from becoming an RP.

Root guard is enabled with the interface command spanning-tree guard root. Root guard is placed on designated ports toward other switches that should never become root bridges.

Question 17

T/F: The STP portfast feature disables TCN generation for access ports.

Answer 17

True:

The generation of TCN for hosts does not make sense as a host generally has only one connection to the network. Restricting TCN creation to only ports that connect with other switches and network devices increases the L2 network’s stability and efficiency. The STP portfast feature disables TCN generation for access ports.

Question 18

T/F: The STP Portfast feature allows access ports to bypass the earlier 802.1D STP states (learning and listening) and forward traffic immediately.

Answer 18

True. This is beneficial in environments where computers use Dynamic Host Configuration Protocol (DHCP) or Preboot Execution Environment (PXE). If a BPDU is received on a portfast-enabled port, the portfast functionality is removed from that port.

Question 19

What are the commands to enable Portfast globally and locally?

Answer 19

Interface:

• spanning-tree portfast [disable]

Globally:

• spanning-tree portfast default

Question 20

T/F: Portfast can be enabled on trunk links.

Answer 20

True.

Portfast can be enabled on trunk links with the command spanning-tree portfast trunk. However, this command should be used only with ports that are connecting to a single host (such as a server with only one NIC that is running a hypervisor with VMs on different VLANs). Running this command on interfaces connected to other switches, bridges, and so on can result in a bridging loop.

Question 21

What command(s) can you use to verify which ports are using Portfast?

Answer 21

Three ways:

1. Show the running config.
2. Portfast can be verified by examining the STP configuration for VLAN 10 with show spanning-tree vlan 10.
3. By examining the STP interface details with show spanning-tree interface gi1/0/13 detail.

Notice that the portfast ports are displayed with P2P Edge.

Question 22

What is BPDU Guard?

Answer 22

BPDU guard is a safety mechanism that shuts down ports configured with STP portfast upon receipt of a BPDU. Assuming that all access ports have portfast enabled, this ensures that a loop cannot accidentally be created if an unauthorized switch is added to a topology.

ErrDisabled is the resulting port state.

Question 23

What is the command(s) to enable BPDU Guard?

Answer 23

BPDU guard is enabled globally on all STP portfast ports with the command spanning-tree portfast bpduguard default.

BPDU guard can be enabled or disabled on a specific interface with the command spanning-tree bpduguard {enable | disable}.

Question 24

T/F: err-disabled ports from BPDU Guard must be manually shut and no shut before they will pass traffic again.

Answer 24

False.

By default, ports that are put in the ErrDisabled state because of BPDU guard do not automatically restore themselves. The Error Recovery service can be used to reactivate ports that are shut down for a specific problem, thereby reducing administrative overhead.

To use Error Recovery to recover ports that were shut down from BPDU guard, use the commands:

• errdisable recovery cause bpduguard
• errdisable recovery interval seconds

The Error Recovery service operates every 300 seconds (5 minutes) by default. This can be changed to 5 to 86,400 seconds with the global configuration command errdisable recovery interval time.

Question 25

What is BPDU Filter?

Answer 25

BPDU filter simply blocks BPDUs from being transmitted out a port.

Question 26

T/F: BPDU filter deployments can cause problems. Most network designs do not require BPDU filter, which adds an unnecessary level of complexity and also introduces risk.

Answer 26

True. Careful deployment is key here.

Question 27

What are the commands to deploy BPDU Filter both globally and locally?

Answer 27

Global deploment:

• spanning-tree portfast bpdufilter default

​Interface deployment:

• spanning-tree bpdufilter enable

​

Question 28

What is the command to view BPDU Filter statistics on an interface?

Answer 28

show spanning-tree interface interface-id detail | in BPDU|Bpdu|Ethernet

Question 29

What are two solutions to Uni-directional links? i.e. A link that is only sending traffic in one direction.

Answer 29

There are two methods to dealing with this problem,

1. STP Loop Guard: STP loop guard prevents any alternative or root ports from becoming designated ports (ports toward downstream switches) due to loss of BPDUs on the root port. Loop guard places the original port in an ErrDisabled state while BPDUs are not being received. When BPDU transmission starts again on that interface, the port recovers and begins to transition through the STP states again.

2. Unidirectional Link Detection (UDLD): allows for the bidirectional monitoring of fiber-optic cables. UDLD operates by transmitting UDLD packets to a neighbor device that includes the system ID and port ID of the interface transmitting the UDLD packet. The receiving device then repeats that information, including its system ID and port ID, back to the originating device. The process continues indefinitely. UDLD operates in two different modes:

• Normal: In normal mode, if a frame is not acknowledged, the link is considered undetermined and the port remains active.
• Aggressive: In aggressive mode, when a frame is not acknowledged, the switch sends another eight packets in 1-second intervals. If those packets are not acknowledged, the port is placed into an error state.

Question 30

What are the commands to enable STP Loopguard both globally and locally?

Answer 30

Globally: spanning-tree loopguard default

Locally: It can be enabled on an interface basis with the interface command spanning-tree guard loop.

Note: It is important to note that loop guard should not be enabled on portfast-enabled ports (because it directly conflicts with the root/alternate port logic).

Question 31

What is the command(s) to enable UDLD? (Uni-directional Link Detection)

Answer 31

This can be enabled globally or locally.

Globally: UDLD is enabled globally with the command udld enable [aggressive]. This enables UDLD on any small form-factor pluggable (SFP)-based port. UDLD can be disabled on a specific port with the interface configuration command udld port disable.

Locally: UDLD can be enabled on a port-by-port basis with the interface configuration command udld port [aggressive], where the optional aggressive keyword places the ports in UDLD aggressive mode.

NOTE: UDLD must be enabled on the remote switch as well for both global and local.

Question 32

What is the command to enable UDLD recovery?

Answer 32

UDLD recovery can be enabled with the command udld recovery [interval time], where the optional interval keyword allows for the timer to be modified from the default value of 5 minutes.

Question 33

What is the command to verify the status of UDLD neighborships?

Answer 33

It can be verified with the command show udld neighbors.

More detailed information can be viewed with the command show udld interface-id.

Example 3-18 displays the verification of SW1’s neighborship with SW2. The link is operating in a bidirectional state. More information is obtained with the show udld Te1/1/3 command, which includes the current state, device IDs (that is, serial numbers), originating interface IDs, and return interface IDs.