STP

1© 2000, Cisco Systems, Inc. Spanning Tree

Spanning Tree Protocol

2© 2000, Cisco Systems, Inc. Spanning Tree.

Agenda

• Spanning Tree Basics

• Spanning Tree Concepts

• Spanning Tree on Catalyst Switches

• Spanning Tree Enhancements

• Spanning Tree Troubleshooting


Spanning-Tree Basics

3© 2000, Cisco Systems, Inc.


Spanning Tree Protocol

STP is a link management protocol that provides path redundancy while preventing undesirable loops in the network


Spanning Tree Protocol Basics

1. Without the spanning-tree protocol in a redundant topology, a frame sourced from A would loop endlessly in the network.1. Without the spanning-tree protocol in a redundant topology, a frame sourced from A would loop endlessly in the network.

AA BB




AA BB

2. The spanning-tree protocol blocks redundant links to prevent frames from looping.2. The spanning-tree protocol blocks redundant links to prevent frames from looping.

XXBlocked portBlocked port



AA BB

2. The spanning-tree protocol blocks redundant links to prevent frames from looping.2. The spanning-tree protocol blocks redundant links to prevent frames from looping.

3. The spanning-tree protocol can adjust to changes in the topology by adjusting which ports are blocking and which are forwarding.3. The spanning-tree protocol can adjust to changes in the topology by adjusting which ports are blocking and which are forwarding.

XXBridge fails!Bridge fails!

XXBlocked portBlocked portRemove blocked port



Spanning-Tree Concepts



Four-Step Decision-Making Sequence

When creating a loop-free logical topology, Spanning Tree always uses the same four-step decision sequence:

1. Lowest Root BID

2. Lowest Path Cost to Root Bridge

3. Lowest Sender BID

4. Lowest Port ID


• Bridge Types

Root Bridge

Designated Bridge

• Port Types

Root Port

Designated Ports

Non-Designated Ports

• Port States

Blocking

Listening

Learning

Forwarding

(Disabled)

• Network parameters

Hello interval

Forward delay

Max age

Bridge priority (per bridge)

• Port-specific parameters

Port cost

Port priority

• BPDUs

Configuration

Topology Change Notification

Spanning Tree Terminology


1

2

3

Root bridge

Designated bridgefor segment 3

Direction of Config BPDU flow

F

F F

Root Port

Root Port Root Port

Root Port - Port with leastcost path to the root bridge

D

B

B

BNon-Designated Port

Non-Designated Port

Non-Designated Port – Port in blocking mode

A

C

Designated Port

F

F

F

Designated Port

Designated Port

Designated Port – Port selectedfor forwarding

Spanning Tree Terminology


Initial STP Convergence

Switches go through three steps for their initial convergence:

1. Elect one Root Bridge

2. Elect one Root Port per non-Root Bridge

3. Elect one Designated Port per segment


Spanning Tree Root Bridge

• One root per bridged network

• Election process to determine root

• Dictates timer values for all bridges in configuration BPDUs

• All other bridges determine shortest path to the root bridge


Spanning Tree Root Bridge Election

• All bridges first assume they are root(BPDU with RootID = BID; Path Cost = 0)

• All bridges have an 8 byte bridge ID—2 bytes bridge priority, 6 bytes MAC address

For example, here 32768 is the Bridge priority and 0080.acff.0003 is the MAC address of the bridge

• Lowest bridge ID (BID) becomes root

• Lower bridge priority has a greater chance of becoming root

32768:0080.acff.0003


Spanning Tree Root Port

• Root port determined using lowest cost to root bridge

• BPDU received on a port determines the values for transmitted BPDUs

Port cost of transmitted BPDUs = (path cost in received BPDU) + (port cost of port that receives BPDU)

• Port state on a root port is never blocking


Spanning Tree Designated Bridge

• At most one designated bridge per Ethernet segment

• Always the bridge with the shortest path to the root bridge

• Election process to determine the designated bridge

• Responsible for “advertising” BPDUs to other bridges out designated ports


Spanning Tree Designated Bridge Election

• Designated bridge is chosen for each segment

• Root is designated bridge for all connected segments

• Bridge on a segment with shortest path cost to root bridge becomes designated

• Bridges with equal cost paths to the root use lower BID as tie-breaker


Spanning Tree Designated Port

• The port through which all traffic toward the root flows off of a segment

• Responsible for transmitting BPDUs to downstream bridges

• Port state on a designated port is never blocking


Spanning Tree Non-Designated Port

• All ports on a segment other than the designated port or root ports are non-designated ports

• Non-designated ports receive BPDUs transmitted from the root or designated bridge

• Port state on a non-designated port is blocking


Spanning Tree Port States

• Blocking

No user traffic through port, receiving to BPDUs

• Listening

No user traffic through port, and listening to BPDUs

• Learning

No user traffic through port, and building bridge tables

• Forwarding

User traffic across port, and transmitting or receiving BPDUs

• Disabled

Administratively down, does not participate in frame forwarding or STP


STP State Machine

Listening

Blocking Learning

Forwarding

Disabled

TCN TCN


Spanning Tree Configuration Parameters

• Network parameters

Hello interval

Forward delay

Max age

Bridge priority (per bridge)

• Port-specific parameters

Port cost

Port priority


Spanning Tree Hello Interval

• The frequency with which a designated port will send BPDUs

• One to two second range

• Two seconds by default


Spanning Tree Forward Delay

• Used to determine how long to stay in listening and learning state

• Fifteen seconds by default

• Lower times will lower convergence, but might increase the chances of having loops

• Also used as the CAM aging time during topology change


Spanning Tree Max Age

• The amount of time a bridge stores a BPDU on a port before discarding it

In other words, the time within which a bridge expects to receive a valid BPDU from the root

• Most important to blocked port state

• Twenty seconds by default


Spanning Tree Bridge Priority

• Used first to determine root bridge• Used to help determine designated bridge after

root path cost• Can range from 1–65536 (32768 is default)• High order 2 bytes of 8 byte BID• Lowering priority makes BID numerically lower,

and increases the chances of bridge becoming root


Spanning Tree Port Cost

• Represents the cost of transmitting a frame onto a bridged segment through that output port

• The root path cost is the total cost to the root bridge, i.e., the path cost received on the root port + the port cost of the root port

• When sending out new BDPUs, port cost of port that received the BPDU is added to the path cost in the transmitted BPDU


Spanning Tree Port Priority

• When two BPDUs are received with the same BID and same path cost, the port priority field in BPDU is used

• Port which receives BPDU with lowest port priority becomes root port

• Port priority = static value + port ID• Useful for load-balancing using multiple spanning

trees when there are two links between the same two bridges


Configuration BPDU

• Orginated by root switch and sent on all the designated ports (all ports on the root switch are designated ports)

• On all other switches in the network (in a steady state), configuration BPDUs are received on root ports & blocked ports only (never sent)

• Forwarded on designated ports by changing the BID & adding the port cost of the received port to the root path cost in the transmitted BPDU

• When a designated port hears an inferior BPDU, it sends a configuration BPDU with its stored BPDU information


Configuration BPDU Parameters

• Root Identifier

• Root Path Cost

• Bridge Identifier

• Port Identifier

• Message Age

• Max Age

• Hello Time

• Forward Delay

• Topology Change Ack.

• Topology Change


IEEE 802.1d Config BPDUFrame Format

2 1 1 1 8 4 8 2 2 2 2 2

ProtocolIdentifier Ver Msg

TypeFlags Root ID

RootPathCost

Bridge ID Port IDMsg Age

MaxAge

HelloTime

ForwardDelay

0x00 = Config BPDU

2 byte priority6 byte ID (MAC

address)

2 byte priority6 byte ID (MAC

address)


Configuration BPDU Layout (1)

DLC: ----- DLC Header -----

DLC:

DLC: Frame 15 arrived at 11:02:20.8523; frame size is 60 (003C hex) bytes.

DLC: Destination = Multicast 0180C2000000, Bridge_Group_Addr

DLC: Source = Station Cisco7A009A6

DLC: 802.3 length = 39

DLC:

LLC: ----- LLC Header -----

LLC:

LLC: DSAP Address = 42, DSAP IG Bit = 00 (Individual Address)

LLC: SSAP Address = 42, SSAP CR Bit = 00 (Command)

LLC: Unnumbered frame: UI

LLC:

Source MAC address of sending port

IEEE 802.1d Reserved Destination MAC address

DSAP/SSAP of 0x42 is BPDU


BPDU: ----- Bridge Protocol Data Unit Header -----

BPDU: Protocol Identifier = 0000

BPDU: Protocol Version = 00

BPDU:

BPDU: BPDU Type = 00 (Configuration)

BPDU:

BPDU: BPDU Flags = 00

BPDU: 0... .... = Not Topology Change Acknowledgment

BPDU: .... ...0 = Not Topology Change

BPDU: .000 000. = Unused

BPDU:

BPDU: Root Identifier = 8000.00400BA009A2

BPDU: Priority = 8000

BPDU: MAC Address = 00400BA009A2

BPDU:

BPDU: Root Path Cost = 0

Always 0

00 – Configuration BPDU 80 – TCN BPDU

LSB = TC flag; MSB = TCA flag

Root Bridge ID

Since this BPDU is sent by the root, the path cost is 0



BPDU: Sending Bridge Id = 8000.00400BA009A2.8005

BPDU: Priority = 8000

BPDU: MAC Address = 00400BA009A2

BPDU: Port = 8005

BPDU: Message Age = 0.000 seconds

BPDU: Information Lifetime = 20.000 seconds

BPDU: Root Hello Time = 2.000 seconds

BPDU: Forward Delay = 15.000 seconds

BPDU:

DLC: Frame padding= 7 bytes


BID of sending bridge

Port ID

Timers:MaxAgeHelloTimeFwdDelay

Seconds since root originated the BPDU


• Used to notify other switches of a change in the spanning tree topology

• TCN BPDUs are sent:– Any time a port transitions to the forwarding state and the bridge has at least one designated port

– Any time a port transitions from the forwarding or learning state to the blocking state

• Sent from the bridge with the topology change towards the root bridge

• A TCN received on a designated port of a non-root switch is forwarded towards the root



IEEE 802.1d TCN BPDUFrame Format

2 1 1

ProtocolIdentifier Ver Msg

Type

0x80 = TCN

BPDU



• TCN is sent every two seconds, until the upstream bridge acknowledges receipt with a TCN ACK flag set in the configuration BPDU

• When the root bridge receives the TCN BPDU, it sets the TC flag in the next configuration BPDU (it also sets the TCN ACK flag on the port the TCN was received)

• When bridges receive a BPDU with the TC flag set, they reduce their CAM aging time to FwdDelay (15 seconds)

• The root switch continues to send Configuration BPDUs with TC flag set for a total of FwdDelay+Max Age seconds (default=35)


Root

A

B

C

Topology Change Process

XX Bridge fails

Port moves out offorwarding mode

TCN toward rootTCN ACK

TCN toward root

TCN ACK

1. Bridge A fails.

2. Bridge B’s port moves out of forwarding mode.

3. Bridge B generates a TCN BPDU and sends it on the root port.

4. Bridge C ACKs the TCN in the next BPDU it sends to Bridge B.

5. Bridge C generates a TCN BPDU and sends it on the root port.

6. Root ACKs the TCN in the next BPDU it sends to Bridge C.


Root

Topology Change Process

7. Root also sets the topology change (TC) flag in all Config BPDUs

TC Flag

TC Flag

TC Flag TC Flag

TC Flag

8. Downstream bridges reduce CAM aging time to FwdDelay seconds for duration of the topology change.

9. Root sets TC flag in all BPDUs for MaxAge + FwdDelay seconds, then clears the TC flag.

CAM Aging=15sCAM Aging=15s

CAM Aging=15s

CAM Aging=15sCAM Aging=15s

TC flag set=35s


Spanning Tree on Catalyst Switches



Spanning Tree in Catalyst Switches

• Catalyst switches implement a Spanning Tree per VLAN

• Permits creation of different forwarding paths for each VLAN (but be aware that this is taking up resources)


Tuneable Spantree Parameters

Max Age (per VLAN)

Forward Delay (per VLAN)

Hello Time (per VLAN)

Bridge Priority (per VLAN)

Port Cost (per port or per port/VLAN)

Port Priority (per port or per port/VLAN)

Enable/disable spantree (per VLAN)

Enhancements (PortFast, UplinkFast, etc)


Spanning Tree “set” Commands

• set spantree <enable|disable>

• set spantree priority

• set spantree hello

• set spantree maxage

• set spantree fwddelay

• set spantree portcost

• set spantree portpri

• set spantree portvlancost

• set spantree portvlanpri

• set spantree root [secondary]

• set spantree portfast

• set spantree portfast bpdu-guard

• set spantree uplinkfast

• set spantree backbonefast

• set spantree guard root


Spanning Tree “set” Commands –Caveats

The portvlanpri can only have two values, where one of the values is the portpriority per trunk

–The same applies for portvlancost – when cost is omitted the cost will be portcost - 1The use of this command is not encouraged, since the effect is additive

–The rate in the ‘set spantree uplinkfast’ command is the rate at which the switch in question will send multicast packets with SA= MAC-addresses downstream (MACs in CAM)


• The ‘set spantree root’ macro lowers the bridge priority to 8192 or one lower than the current root (secondary will have priority 16384)

• If diameter is specified, the appropriate MaxAge and FwdDelay will be calculated

Spanning Tree “set” Commands –Caveats


• clear spantree root

• clear spantree statistics

• clear spantree uplinkfast

• clear spantree portvlancost

• clear spantree portvlanpri

Spanning Tree “clear” Commands


• “clear spantree root” restores the default values for bridge priority, max age, fwd delay and hello time

• “clear spantree uplinkfast” restores the default for bridge priority, portcost, and portvlancost

• “clear spantree portvlancost (portvlanpri)” restores the default value (which is equal to portcost/portpriority)

Spanning Tree “clear” Commands – Caveats


Spanning Tree “show” Commands

show spantree [vlan] [active]

show spantree <mod_num/port_num>

show spantree statistics <port_num/port_num> <vlan>

show spantree blockedports [vlan]

show spantree summary

show spantree uplinkfast

show spantree backbonefast


• PVST – Per-VLAN Spanning Tree

• Developed around ISL

• Maintains a spantree for each active VLAN

• All current Catalyst switches support PVST

For details, see Cisco VLAN Architecture (ENG-6197)

PVST


PVST+

• PVST+ – Per-VLAN Spanning Tree Plus

• Developed to accommodate the IEEE 802.1Q standard for VLAN trunking

• PVST+ maintains a per-VLAN spantree for both 802.1Q and ISL

• PVST+ can interoperate with MST domains (3rd party) while maintaining a PVST for 802.1Q and/or ISL (no config required)

For more info, see An Engineering Guide to IEEE 802.1Q and IEEE 802.1p (ENG-18215)


MST

• MST – Mono Spanning Tree

• IEEE 802.1Q describes a Mono Spanning Tree (MST) – a single spantree dictates the topology for all VLANs


PVST/PVST+/MST Interoperation

• To interoperate with 3rd party 802.1Q-capable devices, use the ‘set trunk mod/port nonegotiate dot1q’ command

• All Cisco PVST+ connections to the MST region must be through 802.1q trunks

• PVST and PVST+ regions can communicate over ISL trunk links

• MST and PVST+ regions can connect over an 802.1q trunk


PVST/PVST+/MST Interoperation

Two techniques to provide transparent STP support across the different types of regions:

• Mapping – Used between PVST and PVST+ regions; each spantree in the PVST region maps to a spantree in PVST+ region on a one-to-one basis

• Tunneling – Used between MST and PVST+ regions; implements a combination of mapping and tunneling


Tunneling PVST+ Through MST

• The single spantree used in the MST region maps to a single spantree in the PVST+ region

• This spanning tree is referred to as the Common Spanning Tree (CST) and consists of a single spantree combining the MST and the native VLAN spantree of the PVST+ device (VLAN 1 by default)

• Cisco switches send BPDUs on the CST to the reserved IEEE 802.1D multicast MAC address 01-80-C2-00-00-00


• The per-VLAN spantrees in the PVST+ region are tunnelled through the MST region

• Cisco switches send BPDUs on non-native VLANs to the reserved Shared Spanning Tree (SSTP) multicast MAC address 01-00-0C-CC-CC-CD

• 3rd party devices in the MST region do not recognize this multicast address and flood the BPDUs throughout the MST region (constrained by VLAN), allowing them to reach other PVST+ devices connected to the MST region

Tunneling PVST+ Through MST


VLAN Load Balancing

• Used to load share traffic across redundant links which would otherwise have been unused as the ports would be blocked by spanning tree.

• Technique is to associate different port costs with different VLANs on a single port.


VLAN Load Balancing Operation

Blocked Port(Red, Blue)

L3

• Link L1, L2, and L3 are VLAN trunks• The port cost is 10 on all ports for all VLANs• S1 is the root switch for all VLANs• The L1 port on S3 is blocking for all VLANs & therefore cannot carry data traffic

This is because S3’s root path cost = 10 on L2 but 10+10=20 on L1+L3

S1S2

S3

(10,10) (10,10)

(10,10)

L1 L2

Root (Red, Blue)BID 8192.0000.0000.0001BID 8192.0000.0000.0011

BID 16384.0000.0000.0002BID 16384.0000.0000.0022

BID 32768.0000.0000.0003BID 32768.0000.0000.0033


VLAN Load Balancing Operation

If we change the port cost for the Red VLAN to 30 on S3’s L2 port, then L2 becomes the blocking link for VLAN Red and L1 becomes the forwarding link for VLAN Red

This is because S3’s root path cost = 30 on L2 but only 10+10=20 on L1+L3.

Root (Red, Blue)BID 8192.0000.0000.0001BID 8192.0000.0000.0011

Blocked Port(Blue)

L1 L2

L3S1S2

S3

(10,10) (30,10)

(10,10)

BID 16384.0000.0000.0002BID 16384.0000.0000.0022

BID 32768.0000.0000.0003BID 32768.0000.0000.0033

Blocked Port(Red)


PortVlanCost Implementation

• Associating a different port cost for different VLANs

for all ports requires too much memory

• Therefore, we associate all VLANs with one of two

possible portcosts (known as portvlancost)

• Using just two portvlancosts per port and associating

all VLANs with one or the other of these costs, we can

load balance VLANs over two paths


VLAN Load Balancing Configuration

• To enable VLAN-based load balancing:

set spantree portvlancost <mod/port> [cost <value>] [<preferred vlan list>]

• Cost is between 1-65535

• The cost value is one less than the current port cost for that port by default

• If supplied, the value must be lower than the current port cost


VLAN Load Balancing Configuration

• If the preferred VLAN list is not supplied, the command applies to all VLANs, rendering the command ineffective

• Once supplied, new values of cost apply to all previously supplied VLANs and also to newly specified VLANs

• The portvlancost must be less than the portcost on a port


VLAN Load Balancing Examples

Console> (enable) set spantree portvlancost 5/2

Port 5/2 VLANs 1-1005 have path cost 10. no change to default

Console> (enable) set spantree portvlancost 5/2 2

Port 5/2 VLANs 1,3-1005 have path cost 10.

Port 5/2 VLANs 2 have path cost 9.

Console> (enable) set spantree portvlancost 5/2 cost 8 3-6

Port 5/2 VLANs 1,7-1005 have path cost 10.

Port 5/2 VLANs 2-6 have path cost 8.

Console> (enable) clear spantree portvlancost 5/2 4

Port 5/2 VLANs 1,4,7-1005 have path cost 10.

Port 5/2 VLANs 2-3,5-6 have path cost 8.


VLAN Load Balancing – A Better Method

Simpler configuration:Move the root switch for the Red VLAN to S2

Blocked Port(Blue)

L1 L2

L3S1S2

S3

(10,10)

(10,10)

Blocked Port(Red)

(10,10)

Root (Blue)BID 16384.0000.0000.0001BID 8192.0000.0000.0011

Root (Red)BID 8192.0000.0000.0002

BID 16384.0000.0000.0022

BID 32768.0000.0000.0003BID 32768.0000.0000.0033


Root Bridge Configuration

set spantree root vlansset spantree root secondary vlans

• Decreases bridge priority value for specified VLANs to make the switch root for those VLANs (remember, lower is better)

• The bridge priority is set to 8192, or 1 less than the current root’s priority

• The secondary keyword hard sets the bridge priority to 16384

• To return a VLAN to the default settings, use clear spantree root <VLAN list>


• If the current root’s bridge priority is already 1, then the command will fail

• After we become root, there is no guarantee we will remain root

– Someone could change the bridge priority on another switch to make that the root switch

– Someone could change the bridge priority on this switch to make it a non-root switch

Root Bridge Configuration – Special Cases


Root Bridge Configuration – Examples

Console> (enable) set spantree root 1

VLAN 1 bridge priority set to 8192.

VLAN 1 bridge max aging time set to 20.

VLAN 1 bridge hello time set to 2.

VLAN 1 bridge forward delay set to 15.

Switch is now the root switch for active VLAN 1.

Console> (enable) set spantree root secondary 1





Console> (enable)


Root Bridge Configuration – Advanced Configuration

set spantree root [secondary] vlans [dia network_diameter] [hello hello_time]

• Allows you to safely tune max age, forward delay and hello time

• By specifying the network diameter, the switch will determine the most aggressive possible values of the STP parameters to achieve the fastest convergence time

• Network diameter is defined as the maximum number of switches between any two attachments of end stations

• The default STP timers assume a network diameter of 7 (the maximum recommended by IEEE)

• The switch uses the formula specified in the 802.1D spec to calculate the new values of max age and forward delay


Root Bridge Configuration – Advanced Examples

Console> (enable) set spantree root 3 dia 5






Console> (enable) set spantree root 3 dia 3 hello 1






Console> (enable)


Spanning Tree Enhancements



Spanning-Tree PortFast

set spantree portfast <mod/port> <enable|disable>

• Causes a switch port to transition to the forwarding state immediately, bypassing the listening & learning states

• Prevents connectivity issues related to forwarding delay

• Most common problems are seen with DHCP, IPX GNS, and AppleTalk


Spanning-Tree PortFast

• Use only on host ports (otherwise, you might open temporary spantree loops)

• Failsafe – if a BPDU is received on the port, transition to listening mode

• No TCN is generated for state changes on portfast ports

• Use in combination with “set trunk off” and “set port channel off” (or just use “set port host”)


PortFast(No TCN!)

STP State Machine with PortFast

Listening

Blocking Learning

Forwarding

Disabled

TCNTCN


Spanning-Tree PortFast – Example

Console> (enable) set spantree portfast 8/10 enable

Warning: Spantree port fast start should only be enabled on ports connected

to a single host. Connecting hubs, concentrators, switches, bridges, etc. to

a fast start port can cause temporary spanning tree loops. Use with caution.

Spantree port 8/10 fast start enabled.

Console> (enable) show spantree 8/10

Port Vlan Port-State Cost Prio Portfast Channel_id

------------------------ ---- ------------- --------- ---- -------- ----------

8/10 1 connected 3100 32 enabled 0

Console> (enable)


PortFast BPDU Guard

set spantree portfast bpdu-guard <enable|disable> • Safeguard to make sure rogue bridges are not allowed to connect

to the network through host ports

• If a BPDU is received on a portfast-enabled port, that port is placed in the “errdisable” state

• Works only on portfast-enabled ports

• Disabled by default

• If BPDUs stop arriving on the port, the port is reenabled automatically

• Also works with errdisable-timeout feature


PortFast BPDU Guard – Example

Console> (enable) set spantree portfast 5/1 enable

Warning: Spantree port fast start should only be enabled on ports connected

to a single host. Connecting hubs, concentrators, switches, bridges, etc. to

a fast start port can cause temporary spanning tree loops. Use with caution.

Spantree port 5/1 fast start enabled.

Console> (enable) set spantree portfast bpdu-guard enable

Spantree portfast bpdu-guard enabled on this switch.

Console> (enable) 2001 Jul 12 21:23:10 %SPANTREE-2-RX_PORTFAST:Received BPDU on

PortFast enable port. Disabling 5/1

2001 Jul 12 21:23:10 %PAGP-5-PORTFROMSTP:Port 5/1 left bridge port 5/1

Console> (enable) show port status 5/1

Port Name Status Vlan Duplex Speed Type

----- ------------------ ---------- ---------- ------ ----- ------------

5/1 errdisable 1 auto auto 10/100BaseTX

Console> (enable)


PortFast BPDU Guard – Verifying

Console> (enable) show spantree summary

Root switch for vlans: 1-3,5,10,20.

Portfast bpdu-guard enabled for bridge.

Uplinkfast disabled for bridge.

Backbonefast disabled for bridge.

< . . . >


Spanning-Tree UplinkFast

• Spanning Tree has relatively slow convergence in recovering from faults

• At default values, convergence time varies between 30-50 seconds

• In the wiring closet, the typical design has a redundant link into the distribution/core that is in spantree blocking mode


Spanning Tree UplinkFast Operation

• When the forwarding port fails, the blocking port directly transitions to forwarding without going through listening & learning states

• Should be used ONLY in wiring closet/access layer switches

• Need to have at least one port in forwarding and one port in blocking

• Used in conjunction with deterministic setting of root switch



• Switch transmits dummy multicast packets for each downstream MAC address to upstream switches for MaxAge seconds so that other switches update their CAM tables

• Dummy multicasts have DA of 01000CCDCDCD and SA of MAC addresses in local CAM table

• Multicasts sent at the rate of 15 packets per 100 msec, 1% of the load of a 10Mbps Ethernet (a conservative value)

• The rate limit prevents excessive flooding when many access switches change root port

• The value of rate is also limited by the power of the CPU on the switch. A Cat 5000 Supervisor 1 does not have enough power to go well above the default rate

• It is better to be conservative in choosing this value and preventing excessive flooding when a distribution switch dies which will affect many wiring closet switches



• When the failed link is restored, the port on the uplinkfast switch goes directly to forwarding state

• However, the upstream switch still transitions through listening & learning states

• Therefore, we delay the selection of a recovered port as the root port until 2*forward_delay + 5 seconds has elapsed, allowing the connected switch to transition the port to the forwarding state


Spanning Tree UplinkFast Configuration

set spantree uplinkfast <enable> [rate <station_update_rate>] [all-protocols <off|on>]

• Increases the bridge priority value on all VLANs to 49152 (so the switch is unlikely to become root)

• Increases the portcost of all ports by 3000 (so the switch is unlikely to be the designated bridge on any segment)

• The “rate” sets the rate of transmission of dummy multicast packets (packets/100 ms)

• If protocol filtering is enabled upstream, use all-protocols option


6509> (enable) set spantree uplinkfast enableVLANs 1-1005 bridge priority set to 49152.The port cost and portvlancost of all ports set to above 3000.Station update rate set to 15 packets/100ms.uplinkfast all-protocols field set to off.uplinkfast enabled for bridge.6509> (enable)

Bridge priority set very high to reduce chance of being the root

Station update rate set to 15 packets/100ms. Can be adjusted upto 32000 pkts/100ms! Be careful!

All-protocols field set to off. Turn ‘on’ if protocol filtering is enabled on

uplink switch but not on this switch

3000 is added to all port costs to prevent ports from becoming designated ports

Spanning Tree UplinkFast Configuration


Spanning Tree UplinkFast – Verifying


MAC address reduction: disabled

Root switch for vlans: 1.

Portfast bpdu-guard disabled for bridge.

Uplinkfast enabled for bridge.

Backbonefast disabled for bridge.

< . . . >

UplinkFast statistics

--------------------

Number of transitions via uplinkFast (all VLANs) : 10

Number of proxy multicast addresses transmitted (all VLANs) : 4234

Console> (enable)



Console> (enable) show spantree uplinkfast

Station update rate set to 15 packets/100ms.

uplinkfast all-protocols field set to off.

VLAN port list

------------------------------------------------------

1 4/1(fwd),4/2,5/3

2 4/1(fwd), 5/4

7 5/1(fwd)

Example above indicates that :

• Vlan 1 has 4/1 as root port, 4/2 and 5/3 as redundant root ports

• Vlan 2 has 4/1 as root port, but only one redundant port, 5/4

• Vlan 7 has 5/1 as the root port and no redundant ports


If you want to disable uplinkfast, use the ‘set spantree uplinkfast disable’ command. Use the ‘clear spantree uplinkfast’ command to return to defaults:

6509> (enable) set spantree uplinkfast disableuplinkfast disabled for bridge.Use clear spantree uplinkfast to return stp parameters to default.6509> (enable) clear spantree uplinkfastThis command will cause all portcosts, portvlancosts, and thebridge priority on all vlans to be set to default.Do you want to continue VLANs 1-1005 bridge priority set to 32768.(y/n) [n]? yThe port cost of all bridge ports set to default value.The portvlancost of all bridge ports set to default value.uplinkfast all-protocols field set to off.uplinkfast disabled for bridge.6509> (enable)

At this point, bridge priority and portcosts are still artificially high; we just won’t switchover to blocked uplink and send dummy multicasts if there is a failure

Bridge priority and port costs are returned to default (will overwrite any manual tuning performed after set spantree uplinkfast enable)



Spanning Tree BackboneFast

• At default values, convergence time on an indirect link failure takes 50 seconds

• BackboneFast detects indirect link failures and recovers in ~30 seconds


Direct vs. Indirect Link Failure

These switches see link down

These switches do not see a link down

XX


Indirect Link Failure Without BackboneFast

1. Link between A & B fails2. B detects link failure and send out BPDU claiming to be root3. C ignores B and MaxAges BPDU on blocked port toward B

(20 seconds)4. MaxAge expires and C transmits a BPDU toward B5. B receives superior BPDU from C and establishes root port6. C transitions the port toward B through listening (15 seconds) and

learning (15 seconds)7. C transitions the port toward B into forwarding and begins sending

traffic

Convergence time = MaxAge + (2 * FwdDelay) = 50 sec

Root

Blocking

XXD

CB

A


Inferior BPDUs

If the switch receives an inferior BPDU from the designated bridge, we know that the designated bridge has either:

1. Lost the root

2. Or, its root path cost has increased above ours

Root

XXRoot

XX


Spanning Tree BackboneFast Operation

• In IEEE 802.1D, an inferior BPDU is discarded• With BackboneFast, the switch tracks inferior

BPDUsWe compare inferior BPDUs to the stored BPDU to determine if there has been an indirect link failure

• Only inferior BPDUs sent by the designated bridge are tracked (i.e., inferior BPDUs sent with the same BID as the stored BPDU)

If a newly inserted bridge starts sending inferior BPDUs, it will not trigger the BackboneFast feature


BackboneFast Root Link Query

BackboneFast implements a new PDU, the Root Link Query (RLQ)

• When a BackboneFast switch receives an inferior BPDU from the designated bridge on a blocked port, an RLQ is sent toward the root

• If the root is still active, it responds to the RLQ confirming it is active

• The originating switch’s BID is included in the RLQ PDUs so when the switch receives a reply to its own query, it doesn’t flood the response on its designated ports

• The RLQ PDU has the same packet structure as a normal spanning-tree BPDU, but we use two different Cisco-specific SNAP addresses, one for the request and one for the reply


Indirect Link Failure With BackboneFast

1. Link between A & B fails2. B detects link failure and send out BPDU claiming to be root3. C detects possible indirect failure, sends RLQ toward root4. D forwards RLQ on the root port5. A receives the RLQ & sends a response6. D floods the response on all designated ports7. C receives the response and expires the BPDU on the port toward B (skips

MaxAge)8. B receives superior BPDU from C and establishes root port9. C transitions the port toward B through listening (15 seconds) and learning

(15 seconds)10. C transitions the port toward B into forwarding and begins sending traffic

Convergence time = (2 * FwdDelay) = 30 sec

Root

Blocking

XXD

CB

A


Spanning Tree BackboneFast Configuration

set spantree backbonefast <enable|disable>

• Enable BackboneFast on all switches in the network (access, distribution, core)Console> (enable) set spantree backbonefast enable

Backbonefast enabled for all VLANs.

Console> (enable)

• Verify the configuration:Console> (enable) show spantree backbonefast

Backbonefast is enabled.

Console> (enable)


Spanning Tree BackboneFast – Verifying


MAC address reduction: disabled

Root switch for vlans: 1.

Portfast bpdu-guard disabled for bridge.

Uplinkfast enabled for bridge.

Backbonefast enabled for bridge.

< . . . >

BackboneFast statistics

-----------------------

Number of transitions via backboneFast (all VLANS) : 0

Number of inferior BPDUs received (all VLANs) : 0

Number of RLQ req PDUs received (all VLANs) : 0

Number of RLQ res PDUs received (all VLANs) : 0

Number of RLQ req PDUs transmitted (all VLANs) : 0

Number of RLQ res PDUs transmitted (all VLANs) : 0

Console> (enable)


Spanning Tree Root Guard

The problem: Customer’s switch becomes root for the ISP’s switched network

Root


Spanning Tree Root Guard

The solution: ISP uses spanning tree Root Guard

Root


set spantree guard root <mod/port>

• Define a perimeter within which you want the root to remain by enabling rootguard on each perimeter port

• Root guard can be enabled per port, not per port per VLAN

• Verifies that the port is the designated port for the segment

• If a superior BPDU is received:

–The port moves to the root-inconsistent state

–The BPDU is dropped

Spanning Tree Root Guard Configuration


Spanning Tree Root Guard Operation

• Disconnects switches claiming to be root

• Prevents superior BPDUs from passing through the defined perimeter

• The ISP spanning-tree topology is not affected

• If the port stops receiving superior BPDUs, it leaves the root-inconsistent state after a max age


Console> (enable) set spantree guard root 1/1

Rootguard on port 1/1 is enabled.

Console> (enable)

2001 Jun 15 07:04:15 %SPANTREE-2-ROOTGUARDBLOCK:Port 1/1 tried to become non-designated in VLAN 1. Moved to root-inconsistent state

Spanning Tree Root Guard Example


Console> (enable) show spantree guard

Port VLAN Port-State Guard Type

------------------------ ---- ------------- ----------

1/1 1 root-inconsis root

1/2 1 forwarding root

8/1 1 not-connected none

Spanning Tree Root Guard Verification


Spanning Tree Troubleshooting



What Causes Loops?

1) Configuration problems

• Spantree disabled

• Spantree enabled on some switches but not on others

• Bridging VLANs together

• Speed/duplex mismatches

• Portfast enabled on ports connected to hubs or switches

• Router, multiport NIC, configured for bridging

• Using different spantree protocols within the same VLAN

• Misconfigured or buggy trunk- or channel-capable NIC

• Loops with hubs or switches

• Port channeling misconfiguration


What Causes Loops?

2) Design issues

• Too large of a switched network

• Bridging over the WAN (delay problems)


What Causes Loops?

3) Software issues

• Software bugs

• Forwarding traffic across blocked ports

• UplinkFast/BackboneFast

• Etc.

• Loss of management communication to line cards


What Causes Loops?

4) Hardware Issues

• Layer one links that are bad (i.e. CRCs, other input errors)

• Unidirectional links

• Data corruption (BPDUs dropped)

• Port Stuck (BPDUs dropped)

• NMP stops listening to spanning-tree (stuck inband)

• Loss of management communication to line cards


Detecting Spanning Tree Loops

1) Network is EXTREMELY slow for all nodes

2) Network outage

3) High system utilization on switch

System Utilization in “show system” above 20% usually indicates a loop

Above 7% indicates possible transitory loop

Depends on network traffic and hardware (Cat5000 Sup1 vs. Cat6000 Sup2, etc.)

4) System LED indicators on Switch Utilization Bar

5) High Amount of In-lost and Out-lost on “show mac”

6) “MLS: TOO MANY MOVES” appearing on console and log (Cat5000 only)

7) HSRP, OSPF, etc report duplicate IP address

8) Unicast flooding


Detecting Spanning Tree Loops

• Check spantree blocked and root ports for errors using “show port”, “show mac” & “show counters”

• Set up a syslog server and turn on logging for the “spantree” facility to 6, which will show port transitions through the spantree states (listening, learning, etc.)

• Use “show inband” to check for “RsrcErrors” (BPDU could be dropped if supervisor is unable to process the BPDU)

• Check to see if you are exceeding spanning tree instances “show spantree summary”


During an Event

• Remove redundant Ethernet segments from the network

–Start with connections between core switches

–Begin with EtherChannels, if used

–Wait for 30-60 seconds for the network to recover before removing another link

–If the network does not recover, continue methodically removing redundancy until the network stabilizes

• Avoid rebooting or powering off switches

–If you do this you’ll lose the logging buffer & spantree stats on the switch

–Syslog to a server cannot necessarily be trusted during a network failure


Finding the Smoking Gun

• Use “show system” to find switches with high backplane utilization

• Use “show mac” and look for large amounts of broadcast/multicast received & transmitted

• Use “show spantree statistics” to follow the problem through the network

–On the root, check the “topology change initiator” to see which bridge last generated a TCN

–Look for “msg age expiry count” on blocked ports to see whether we expired a BPDU on the port (MaxAge was reached)

–Look for “tcn bpdu's xmitted” to see whether a bridge sent many TCNs

–Look for “forward trans count” to see how many times the port transitioned into the forwarding state


Preparing for the Next Time

Take proactive measures (perform these tasks prior to having another event)

• Turn spantree logging level on the switches to 6 (“set logging level spantree 6 default”) to see state transitions & TCNs (also, log to a server)

• On switches running IOS, use “debug spanning events”

• Enter “clear counters” on all switches


Finding the Root

Verify the location of the root

• The customer might have failed to deterministically set the root

• The root might have moved due to a new bridge in the network, or a bridge priority change

esc-cat6500-a> (enable) show spantree 5VLAN 5Spanning tree enabled Spanning tree type ieeeDesignated Root 00-d0-06-26-f4-04Designated Root Priority 8192Designated Root Cost 3Designated Root Port 2/1-2 (agPort 13/33)Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 secBridge ID MAC ADDR 00-d0-bb-01-30-04Bridge ID Priority 32768Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 secPort Vlan Port-State Cost Priority Portfast Channel_id------------------------ ---- ------------- ----- -------- ---------- ----------2/1-2 5 forwarding 3 32 disabled 801 15/1 5 forwarding 4 32 enabled 0

The bridge ID of the root

bridge

Root port (port to get to root

bridge)


esc-6500-b> (enable) show spantree 5VLAN 5Spanning tree enabledSpanning tree type ieeeDesignated Root 00-d0-06-26-f4-04Designated Root Priority 8192Designated Root Cost 0Designated Root Port 1/0Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 secBridge ID MAC ADDR 00-d0-06-26-f4-04Bridge ID Priority 8192Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 secPort Vlan Port-State Cost Priority Portfast Channel_id------------------------ ---- ------------- ----- -------- ---------- ----------4/1-2 5 forwarding 3 32 disabled 865

esc-6500-b> (enable) show spantree summaryRoot switch for vlans: 4-10.

Finding the Root

RootID and BID will match on the

root bridge

Designated root cost on the root

is always “0”

In 5.4 and later, use “show spantree summary” to see for

which VLANs the switch is root


esc-6500-b> (enable) show spantree summary< . . . >Summary of connected spanning tree ports by vlanVlan Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ---------- 1 2 0 0 4 6 4 0 0 0 2 2 5 0 0 0 6 6 6 0 0 0 4 4 7 0 0 0 4 4 8 0 0 0 4 4 9 0 0 0 4 4 10 0 0 0 4 4 Blocking Listening Learning Forwarding STP Active----- -------- --------- -------- ---------- ----------Total 2 0 0 32 34< . . . >

Finding Active and Blocked Ports

Total blocking ports on the switch

Total ports in the spanning tree (do not exceed limits

specified for your supervisor engine in the

Release Notes


Viewing Blocked Ports

esc-6500-b> (enable) show spantree blockedT = trunkg = groupPorts Vlans----- ---------- 8/23 (T) 1 8/24 (T) 1Number of blocked ports (segments) in the system : 2

Ports 8/23 and 8/24 are blocking for VLAN 1


Monitoring Blocked & Root Ports

esc-6500-b> (enable) show spantree stat 8/23 1Port 8/23 VLAN 1SpanningTree enabled for vlanNo = 1

BPDU-related parametersport spanning tree enabledstate blockingport_id 0x836cport number 0x36cpath cost 12message age (port/VLAN) 3(20)designated_root 00-30-94-93-e5-80designated_cost 19designated_bridge 00-50-53-59-a0-00designated_port 0x8001top_change_ack FALSEconfig_pending FALSEport_inconsistency none

PORT based information & statisticsconfig bpdu's xmitted (port/VLAN) 36(698871)config bpdu's received (port/VLAN) 215843(608891)tcn bpdu's xmitted (port/VLAN) 0(7)

Blocked & root ports should receive BPDUs every 2 seconds–Monitor blocked and root ports to see if they are receiving config BPDUs every 2 seconds

–Check for errors on blocked or root ports, which might cause a blocked port to transition out of blocking mode, or a root bridge change

Ports 8/23 is blocking for VLAN 1

Make sure the “config bpdu’s received” counter is

incrementing on the port approximately every 2 seconds


If BPDUs are not being received every 2 seconds (or at all) on the port, check for errors using:

–show port counters – Check for Layer 1 errors (Align, FCS, etc.)

–show mac – Make sure the “Rcv-Multicast” counter is incrementing; make sure the “In-Discard” counter is not incrementing

–show counters – Check for any errors on the receive side

–show inband – Look for “RsrcErrors”

–show cam system – Make sure 01-80-c2-00-00-00 (IEEE 802.1d BPDU MAC) is listed as a system entry for the VLAN

Monitoring Blocked & Root Ports


Monitoring Spanning TreeConsole> (enable) show spantree 3/47Port Vlan Port-State Cost Priority Portfast Channel_id------------------------ ---- ------------- ----- -------- ---------- ---------- 3/47 1 blocking 3019 32 disabled 0 3/47 2 blocking 3019 32 disabled 0 3/47 3 blocking 3019 32 disabled 0 3/47 4 forwarding 3019 32 disabled 0 3/47 5 forwarding 3019 32 disabled 0 3/47 6 forwarding 3019 32 disabled 0 3/47 10 forwarding 3019 32 disabled 0 3/47 11 forwarding 3019 32 disabled 0

Console> (enable) show spantree 3 activeVLAN 3Spanning tree enabledSpanning tree type ieee

Designated Root 00-50-80-39-ee-42Designated Root Priority 32768Designated Root Cost 3019Designated Root Port 3/48 Root Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Bridge ID MAC ADDR 00-d0-00-3f-a0-02Bridge ID Priority 49152Bridge Max Age 20 sec Hello Time 2 sec Forward Delay 15 sec

Port Vlan Port-State Cost Priority Portfast Channel_id------------------------ ---- ------------- ----- -------- ---------- ---------- 3/47 3 blocking 3019 32 disabled 0 3/48 3 forwarding 3019 32 disabled 0 4/1-4 3 forwarding 3002 32 disabled 865


Console> (enable) show spantree statistics 3/47 3 Port 3/47 VLAN 3

SpanningTree enabled for vlanNo = 3

BPDU-related parametersport spanning tree enabledstate blockingport_id 0x80afport number 0xafpath cost 3019message age (port/VLAN) 0(20)designated_root 00-50-80-39-ee-42designated_cost 0designated_bridge 00-50-80-39-ee-42designated_port 0x8026top_change_ack FALSEconfig_pending FALSEport_inconsistency none

PORT based information & statisticsconfig bpdu's xmitted (port/VLAN) 2(127624)config bpdu's received (port/VLAN) 51(3124)tcn bpdu's xmitted (port/VLAN) 0(65)tcn bpdu's received (port/VLAN) 0(36)forward trans count 0scp failure count 0

Spanning-tree port state

Config BPDU stats for port & VLAN

TCN BPDU stats for port & VLAN

Number of times the port transitioned to forwarding mode

Monitoring Spanning Tree


[continued]

VLAN based information & statisticsspanningtree type ieeespanningtree multicast address 01-80-c2-00-00-00bridge priority 49152bridge mac address 00-d0-00-3f-a0-02bridge hello time 2 secbridge forward delay 15 sectopology change initiator: 3/48last topology change occured: Thu Jan 20 2000, 23:53:12topology change FALSEtopology change time 35topology change detected FALSEtopology change count 63topology change last recvd. from 00-d0-79-09-60-5d

Other port-specific infodynamic max age transitions 0port bpdu ok count 0msg age expiry count 0link loading 1bpdu in processing FALSEnum of similar bpdus to process 0received_inferior_bpdu FALSEnext state 4

Port on which TCN was last

received

Monitoring Spanning Tree

Time of last TCN

Total topology change count

BID that sourced the last TCN

Number of times the stored BPDU expired


References

• Cisco Press Cisco LAN Switching book, two chapters on Spanning Tree

• Troubleshooting Spanning-Tree Protocol and Related Design Considerations

http://www.cisco.com/warp/customer/473/16.html

• Bridge Loop Troubleshooting:

http://www-tac.cisco.com/Support_Library/ Internetworking/ Spanning_Tree/span.html

121

Documents

STP