STP Flashcards
Why we have STP
Layer 2 Ethernet headers do not have a TTL field to stop looping traffic
STP is used to prevent layer 2 loops
Necessary evil - Access layer switches can only use half of their physically cabled uplink bandwidth, but it’s for the sake of preventing broadcast storms which will crash a network
Bridges vs. Switches
Bridges:
Early switches that were expensive and had very few ports
They segmented LANs which were built with hubs
Switches:
A multi-port bridge
STP was invented when bridges were in use
So it uses “Root Bridge” and “Bridge Protocol Data Units”
How STP Works
Enabled by default on all vendors’ switches
Switches send BPDUs when they come online
Used to detect other switches & potential loops
Switch will not forward traffic out any port until it is certain it is loop free
Port States
Blocking State:
When the port first comes online, it will be in a blocking state
STP will detect if the port forms a potential loop
Forwarding State:
If there is no loop, the port will transition to Forwarding
Can take up to 50 seconds
Bridge ID
The BPDU contains the switch’s BID, which uniquely identifies the switch on the LAN
The BID is comprised of the switch’s unique MAC address & an administrator defined Bridge Priority value
The Bridge Priority can be from 0 - 65535, with 32768 being the default
Root Bridge
Elected based on the switches’ BID values
The switch with the lowest Bridge Priority value is preferred
In the case of a tie, the switch with the lowest MAC address is selected
The switches build a loop-free forwarding path tree leading back to the Root Bridge
Root Port
Each switch’s exit interface on the lowest cost path to the Root Bridge is selected as its Root Port
STP: Load Balancing
STP does not do load balancing
If a switch has multiple equal cost paths towards the Root Bridge:
It will select the neighbor switch with the lowest BID
If a switch has multiple equal cost paths via the same neighbor switch towards the Root Bridge:
It will select the port with the lowest Port ID
Designated Ports
Ports on the neighbor switch opposite the Root Port are Designated Ports
Root ports = point towards the Root Bridge
Designated ports = point away from Root Bridge
All ports on the Root Bridge are always Designated Ports
Blocking Ports
Any ports which have not been selected as a Root/Designated Port would potentially form a loop
These are selected as Blocking Ports
STP only blocks ports on one side of the blocked link
BPDUs continue to be sent over the link but other traffic is dropped
How to tell which are root/designated/blocking ports
Determine the Root Bridge first (best BID)
All ports on the Root Bridge are Designated
Determine the Root Ports on the other switches (lowest cost to Root Bridge)
The ports on the other sides of those links are Designated ports
On the links which are left, one port will be Blocking
Determine the blocking port (highest cost path to Root Bridge or highest BID)
The ports on the other sides of those links are Designated ports
Spanning Tree Versions: IEEE Open Standards
802.1D STP (Spanning Tree Protocol):
The OG STP
Uses one STP for all VLANs in the LAN
802.1w RSTP (Rapid Spanning Tree Protocol):
Significantly improved convergence time
Uses one STP for all VLANs in the LAN
802.1s MSTP (Multiple Spanning Tree Protocol):
Enables grouping & mapping VLANs into different spanning tree instances for load balancing
Spanning Tree Versions: Cisco Proprietary
PVST+ (Per VLAN Spanning Tree Plus):
Cisco enhancement to 802.1D
Uses a separate Spanning tree instance for every VLAN
Default on Cisco switches
Will assign Root, Designated, or Alternate role to ports
Alternate ports = blocking ports
RPVST+ (Rapid Per VLAN Spanning Tree Plus):
Significantly improved convergence time over PVST+
Uses a separate Spanning tree instance for every VLAN
Cisco versions do not support grouping multiple VLANs into the same instance
Command: Verify spanning tree info
show spanning-tree –> displays STP info for all VLANs
show spanning-tree vlan 1 –> specify which VLAN to show STP info on
show mac address-table –> Helps you verify the path a packet takes by looking at the MAC address of the destination, then checking each hop’s MAC table from the starting point to see which interface it leaves out of
Root Bridge Election
Because Spanning Tree selects paths pointing towards the root bridge, it acts as the center point of the LAN
Best practice is to ensure a pair of high-end core switches are selected as the first & second most preferred Root Bridge
Manipulating Root Bridge Elections
You can manipulate the Root Bridge election by setting Bridge priority
Default value is 32768 (lowest being most preferred)
If tied, lowest MAC is selected
This is liable to be the oldest switch (not ideal)
Command: Set primary root bridge
spanning-tree vlan 1 root primary
Sets bridge priority of 24576
Command: Set secondary root bridge
spanning-tree vlan 1 root secondary
Sets bridge priority of 28672
STP & HSRP Relationship
HSRP should be configured to match the STP path
Set a higher HSRP priority on the router with the most direct path to the root bridge
Allows traffic from PCs to take the most direct path to their default gateway
Spanning Tree: Portfast
It can take up to 50 seconds for STP to transition a port to a forwarding state when it becomes active
A loop cannot be formed on ports where a single end host is plugged in
You can make the port transition to a forwarding state immediately when it becomes active by disabling STP on the port
Command: Enable portfast on interface F0/10
interface f0/10
spanning-tree portfast
Command: Set all ports to portfast by default
spanning-tree portfast default
Then, on ports connected to switches:
no spanning-tree portfast
BPDU Guard
If you enable Portfast on a port and then a loop is formed through it, a broadcast storm will result
This can be caused by users adding devices to the network or changing cabling
You can enable BPDU Guard on Portfast ports to guard against this happening
If a BPDU is received, the port will be shut down
Command: Enable BPDU Guard on interface F0/10
interface f0/10
spanning-tree portfast
spanning-tree bpduguard enable
Command: Set BPDU guard on portfast ports by default
spanning-tree portfast bpduguard default
Root Guard
Spanning Tree Root Guard prevents an unintended switch from becoming the root bridge
If a port where Root Guard is enabled receives BPDUs that are superior to those of the current root bridge, it will transition the port to root-inconsistent and not forward any traffic over the port
Ensures that the root bridge remains the root bridge
Can prevent a malicious actor from trying to attach their own switch & make it the root bridge to sniff traffic
Command: Enable root guard on interface f0/2
interface f0/2
spanning-tree guard root