STP

Question 1

Why we have STP

Answer 1

Layer 2 ethernet headers do not have a TTL field to stop looping traffic

STP is used to prevent layer 2 loops

Necessary evil - Access layer switches can only use half of their physically cabled uplink bandwidth, but it’s for the sake of preventing broadcast storms which will crash a network

Question 2

Bridges vs. Switches

Answer 2

Bridges:
Early switches that were expensive and had very few ports
They segmented LANs which were built with hubs

Switches:
A multi-port bridge
STP was invented when bridges were in uses
So it uses “Root Bridge” and “Bridge Protocol Data Units”

Question 3

How STP Works

Answer 3

Enabled by default on all vendor’s switches

Switches send BPDUs when they come online
Used to detect other switches & potential loops

Switch will not forward traffic out any port until it is certain it is loop free

Question 4

Port States

Answer 4

Blocking State:
When the port first comes online, it will be in a blocking state
STP will detect if the port forms a potential loop

Forwarding State:
If there is no loop, the port will transition to Forwarding
Can take up to 50 seconds

Question 5

Bridge ID

Answer 5

The BPDU contains the switch’s BID, which uniquely identifies the switch on the LAN

The BID is comprised of the switch’s unique MAC address & an administrator defined Bridge Priority value

The Bridge Priority can be from 0 - 65535, with 32768 being the default

Question 6

Root Bridge

Answer 6

Elected based on the switches’ BID values

The switch with the lowest Bridge Priority value is preferred

In the case of a tie, the switch with the lowest MAC address is selected

The switches build a loop-free forwarding path tree leading back to the Root Bridge

Question 7

Root Port

Answer 7

Each switch’s exit interface on the lowest cost path to the Root Bridge is selected as its Root Port

Question 8

STP: Load Balancing

Answer 8

STP does not do load balancing

If a switch has multiple equal cost paths towards the Root Bridge:
It will select the neighbor switch with the lowest BID

If a switch has multiple equal cost paths via the same neighbor switch towards the Root Bridge:
It will select the port with the lowest Port ID

Question 9

Designated Ports

Answer 9

Ports on the neighbor switch opposite the Root Port are Designated Ports

Root ports = point towards the Root Bridge
Designated ports = point away from Root Bridge

All ports on the Root Bridge are always Designated Ports

Question 10

Blocking Ports

Answer 10

Any ports which have not been selected as a Root/Designated Port would potentially form a loop
These are selected as Blocking Ports

STP only blocks ports on one side of the blocked link

BPDUs continue to be sent over the link but other traffic is dropped

Question 11

How to tell which are root/designated/blocking ports

Answer 11

Determine the Root Bridge first (best BID)
All ports on the Root Bridge are Designated
Determine the Root Ports on the other switches (lowest cost to Root Bridge)
The ports on the other sides of those links are Designated ports
On the links which are left, one port will be Blocking
Determine the blocking port (highest cost path to Root Bridge or highest BID)
The ports on the other sides of those links are Designated ports

Question 12

Spanning Tree Versions: IEEE Open Standards

Answer 12

802.1D STP (Spanning Tree Protocol):
The OG STP
Uses one STP for all VLANs in the LAN

802.1w RSTP (Rapid Spanning Tree Protocol):
Significantly improved convergence time
Uses one STP for all VLANs in the LAN

802.1s MSTP (Multiple Spanning Tree Protocol):
Enables grouping & mapping VLANs into different spanning tree instances for load balancing

Question 13

Spanning Tree Versions: Cisco Proprietary

Answer 13

PVST+ (Per VLAN Spanning Tree Plus):
Cisco enhancement to 802.1D
Uses a separate Spanning tree instance for every VLAN
Default on Cisco switches
Will assign Root, Designated, or Alternate role to ports
Alternate ports = blocking ports

RPVST+ (Rapid Per VLAN Spanning Tree Plus):
Significantly improved convergence time over PVST+
Uses a separate Spanning tree instance for every VLAN
Cisco versions do not support grouping multiple VLANs into the same instance

Question 14

Command: Verify spanning tree info

Answer 14

show spanning-tree –> displays STP info for all VLANs

show spanning-tree vlan 1 –> specify which VLAN to show STP info on

show mac address-table –> Helps you verify the path a packet takes by looking at the MAC address of the destination, then checking each hop’s MAC table from the starting point to see which interface it leaves out of

Question 15

Root Bridge Election

Answer 15

Because Spanning Tree selects path pointing towards the root bridge, it acts as the center point of the LAN

Best practice is to ensure a pair of high-end core switches are selected as the first & second most preferred Root Bridge

Question 16

Manipulating Root Bridge Elections

Answer 16

You can manipulate the Root Bridge election by setting Bridge priority

Default value is 32768 (lowest being most preferred)
If tied, lowest MAC is selected
This is liable to be the oldest switch (not ideal)

Question 17

Command: Set primary root bridge

Answer 17

spanning-tree vlan 1 root primary

Sets bridge priority of 24576

Question 18

Command: Set secondary root bridge

Answer 18

spanning-tree vlan 1 root secondary

Sets bridge priority of 28672

Question 19

STP & HSRP Relationship

Answer 19

HSRP should be configured to match the STP path

Set a higher HSRP priority on the router with the most direct path to the root bridge
Allows traffic from PCs to take the most direct path to their default gateway

Question 20

Spanning Tree: Portfast

Answer 20

It can take up to 50 seconds for STP to transition a port to a forwarding state when it becomes active

A loop cannot be formed on ports where a single end host is plugged in

You can make the port transition to a forwarding state immediately when it becomes active by disabling STP on the port

Question 21

Command: Enable portfast on interface F0/10

Answer 21

interface f0/10

spanning-tree portfast

Question 22

Command: Set all ports to portfast by default

Answer 22

spanning-tree portfast default

Then, on ports connected to switches:

no spanning-tree portfast

Question 23

BPDU Guard

Answer 23

If you enable Portfast on a port and then a loop is formed through it, a broadcast storm will result

This can be caused by users adding devices to the network or changing cabling

You can enable BPDU Guard on Portfast ports to guard against this happening

If a BPDU is received, the port will be shut down

Question 24

Command: Enable BPDU Guard on interface F0/10

Answer 24

interface f0/10
spanning-tree portfast
spanning-tree bpduguard enable

Question 25

Command: Set BPDU guard on portfast ports by default

Answer 25

spanning-tree portfast bpduguard default

Question 26

Root Guard

Answer 26

Spanning Tree Root Guard prevents an unintended switch from becoming the root bridge

If a port where Root Guard is enabled receives BPDUs that are superior than the current root bridge, it will transition the port to root-inconsistent and not forward any traffic over the port

Ensures that the root bridge remains the root bridge

Can prevent a malicious actor from trying to attach their own switch & make it the root bridge to sniff traffic

Question 27

Command: Enable root guard on interface f0/2

Answer 27

interface f0/2

spanning-tree guard root