Spanning Tree Protocol (STP) is a network protocol that ensures a loop-free topology for Ethernet

networks. STP is crucial in a network with mul ple switches to prevent broadcast storms, duplica on
of packets, and poten al network failures due to loops. Enabling STP on a switch allows the network
to automa cally detect and block redundant paths, ensuring only one ac ve path exists between
network segments.

Steps to Enable STP on a Switch

1. Cisco IOS Switch: Enabling STP

STP is enabled by default on most Cisco switches, but if you need to re-enable or verify its
configura on, follow these steps:

Step-by-Step Guide to Enable STP:

1. Enter Privileged EXEC Mode:

Switch> enable

2. Enter Global Configura on Mode:

Switch# configure terminal

3. Enable STP on the Switch: STP is generally enabled by default on Cisco switches for all
VLANs, but to manually enable it:

Switch(config)# spanning-tree mode pvst

This enables Per-VLAN Spanning Tree (PVST), which creates an independent spanning tree instance
for each VLAN.

4. Enable STP on Specific VLANs (Op onal): If you want to enable STP on specific VLANs, use:

Switch(config)# spanning-tree vlan <vlan-id>

For example, to enable STP on VLAN 10:

Switch(config)# spanning-tree vlan 10

5. Set a Priority for the Root Bridge (Op onal): To influence the selec on of the root bridge
(the switch with the lowest bridge ID), lower the priority of the switch:

Switch(config)# spanning-tree vlan <vlan-id> priority <priority-value>

For example, to set priority 4096 for VLAN 10:

Switch(config)# spanning-tree vlan 10 priority 4096

The lower the priority value, the more likely this switch will become the root bridge.

6. Enable PortFast (Op onal): PortFast is a feature that allows specific switch ports (typically
those connected to end devices like computers) to bypass the usual STP states (listening and
learning) and transi on directly to forwarding mode. This helps reduce the delay when
devices are connec ng to the network.

Switch(config)# interface FastEthernet 0/1

Switch(config-if)# spanning-tree por ast

 7. Save the Configura on: A er configuring STP, save the configura on:

Switch(config)# end

Switch# write memory

8. Verify STP is Enabled: Use the following command to check if STP is running and to see
details of the current STP configura on:

Switch# show spanning-tree

This will display informa on about the root bridge, STP status, and port states (Blocking, Listening,
Learning, or Forwarding).

2. Juniper Junos Switch: Enabling STP

Step-by-Step Guide to Enable STP:

1. Enter Configura on Mode:

user@switch> configure

2. Enable STP Globally: On Juniper switches, STP is enabled globally by configuring it on all
interfaces within the Ethernet switching family.

user@switch# set protocols stp

3. Enable STP on Specific Interfaces (Op onal): If you want to enable STP on specific interfaces,
you can configure the interfaces directly:

user@switch# set protocols stp interface ge-0/0/1

4. Set Root Bridge Priority (Op onal): Just like in Cisco, you can set the bridge priority to
influence the root bridge elec on:

user@switch# set protocols stp priority <priority-value>

5. Commit the Configura on:

user@switch# commit

6. Verify STP is Running: You can verify STP opera on using the following command:

user@switch> show spanning-tree bridge

3. STP Versions:

There are several versions of STP that can be enabled based on your network needs:

1. STP (802.1D): The original standard for loop preven on, but slower to converge.

2. Rapid STP (RSTP, 802.1w): An improvement on the original STP with faster convergence
mes (this is o en the preferred choice).

3. Per-VLAN Spanning Tree (PVST): Cisco's enhancement that creates a separate spanning tree
instance for each VLAN.

4. Mul ple Spanning Tree (MST, 802.1s): Allows mul ple VLANs to share the same spanning
tree instance, providing a more scalable solu on in large networks.
Purpose and Use of STP in a Network

The primary purpose of Spanning Tree Protocol (STP) is to prevent network loops, which can cause
severe issues in Ethernet networks. Here’s how it benefits the network:

1. Prevents Network Loops:

 In a network with redundant paths between switches, loops can occur. Without STP, this
leads to broadcast storms, mul ple frame copies, and poten al network crashes.

 STP automa cally detects and blocks redundant links by placing some ports in a blocking
state while keeping only one ac ve path between devices, ensuring loop-free network
topology.

2. Broadcast Storm Preven on:

 Loops in Ethernet networks can cause broadcast storms, where broadcast packets keep
circula ng endlessly, consuming bandwidth and processing power. STP prevents this by
disabling redundant links.

3. Redundant Path Availability:

 STP provides redundancy. If the ac ve path fails (e.g., due to a cable cut), STP will
automa cally unblock a previously blocked redundant path, ensuring con nued network
opera on.

4. Stable Topology and Network Convergence:

 STP helps maintain a stable network topology by blocking or forwarding certain ports based
on the path cost. The protocol dynamically adjusts the state of the ports if the topology
changes (e.g., when a switch is added or removed).

 With faster convergence protocols like RSTP or MSTP, the network can quickly react to
topology changes, reducing the down me for communica on.

5. Op mizes Network Design:

 In complex networks with mul ple switches, STP allows you to design redundant paths for
higher availability while ensuring the network doesn't suffer from loops or excessive traffic.

6. Network Scalability:

 As networks grow and you add more switches and links, STP ensures the network can scale
without risking loops. MST is especially useful in large networks by grouping VLANs into
instances to reduce the overhead of running separate spanning trees for each VLAN.

Conclusion:

 STP is essen al in preven ng loops and ensuring network reliability in environments where
mul ple switches or redundant links are present.

 Enabling STP on a switch involves a few simple commands, and you can use different
versions (e.g., RSTP, PVST, or MST) depending on your network requirements.
  By using STP, you enable automa c path failover, op mize network design, and ensure
efficient bandwidth use while preven ng issues like broadcast storms and duplica on.

Would you like more details on configuring specific STP op ons or troubleshoo ng?

Conclusion:

 STP is essen al in preven ng loops and ensuring network reliability in environments where
mul ple switches or redundant links are present.

 Enabling STP on a switch involves a few simple commands, and you can use different
versions (e.g., RSTP, PVST, or MST) depending on your network requirements.

 By using STP, you enable automa c path failover, op mize network design, and ensure
efficient bandwidth use while preven ng issues like broadcast storms and duplica on.

Let's dive deeper into configuring specific STP op ons and troubleshoo ng common STP issues in
network environments. Here's a more detailed breakdown of the STP configura on and
troubleshoo ng.

Advanced Configura on of STP:

1. STP Modes:

Depending on your network size, VLAN configura on, and redundancy needs, you can choose
different modes of STP:

 PVST (Per-VLAN Spanning Tree): Creates a separate spanning tree for each VLAN. This is
useful when different VLANs need different ac ve paths. It's enabled by default on Cisco
switches.

Switch(config)# spanning-tree mode pvst

 RSTP (Rapid Spanning Tree Protocol, IEEE 802.1w): RSTP provides much faster convergence
than tradi onal STP (802.1D). In case of a topology change, RSTP can converge in seconds
compared to 30–50 seconds with STP.

Switch(config)# spanning-tree mode rapid-pvst

 MSTP (Mul ple Spanning Tree Protocol, IEEE 802.1s): MSTP maps mul ple VLANs to a single
spanning tree instance. It's more scalable in large networks.

Switch(config)# spanning-tree mode mst

2. Root Bridge Configura on:

The root bridge is the switch that forms the "root" of the spanning tree. All paths in the network will
calculate the best path to this root switch. You can influence which switch becomes the root bridge
by changing its bridge priority.

 Se ng the Root Bridge Priority: The default bridge priority is 32768, but lowering this value
makes the switch more likely to become the root bridge.

Switch(config)# spanning-tree vlan 10 priority 4096

  Automa cally Set as Root (Cisco-specific command): Cisco switches have a command to
automa cally make the switch the root for all VLANs or a specific VLAN:

Switch(config)# spanning-tree vlan 10 root primary

3. PortFast Configura on:

PortFast is used to bypass the typical STP states (Listening, Learning) on access ports that connect to
end devices (like computers). This helps reduce connec on mes when devices are plugged into the
switch.

 Enable PortFast on Specific Ports:

Switch(config)# interface FastEthernet0/1

Switch(config-if)# spanning-tree por ast

 Enable PortFast on Mul ple Ports (Range):

Switch(config)# interface range FastEthernet0/1 - 24

Switch(config-if)# spanning-tree por ast

4. BPDU Guard:

BPDU Guard disables a PortFast-enabled port if it receives a BPDU (Bridge Protocol Data Unit). This
protects against accidental loops caused by connec ng a switch or hub to an access port.

 Enable BPDU Guard Globally:

Switch(config)# spanning-tree por ast bpduguard default

 Enable BPDU Guard on a Specific Port:

Switch(config)# interface FastEthernet0/1

Switch(config-if)# spanning-tree bpduguard enable

5. Spanning Tree Timers:

STP uses three mers for network stability: Hello, Forward Delay, and Max Age. You can adjust these
mers to influence how quickly the network converges.

 Hello Timer (2 seconds by default): Controls how o en BPDUs are sent out.

Switch(config)# spanning-tree vlan 10 hello- me 2

 Forward Delay (15 seconds by default): Controls how long a port stays in the Listening and
Learning states before moving to the Forwarding state.

Switch(config)# spanning-tree vlan 10 forward- me 15

 Max Age (20 seconds by default): Defines how long a switch waits to receive a BPDU before
deciding that the path to the root bridge has failed.

Switch(config)# spanning-tree vlan 10 max-age 20

STP Troubleshoo ng:

1. Verify STP Configura on and Status:

 Check the Spanning Tree Status: Use the following command to display detailed STP
informa on for all VLANs.

Switch# show spanning-tree

Key fields to monitor:

 Root Bridge Informa on: Iden fies the current root bridge for the network.

 Port Roles: Ports can be in different roles such as Root, Designated, or Alternate. Only Root
and Designated ports forward traffic.

 Port States: Ports can be in Blocking, Listening, Learning, or Forwarding state.

 Check Root Bridge Elec on: Verify which switch is the root bridge and check its priority:

Switch# show spanning-tree root

2. Detect STP Loop or Misconfigura on:

Symptoms of an STP loop or misconfigura on include high CPU u liza on, network slowness, or
intermi ent connec vity.

 Check for High CPU Usage: If a switch experiences a loop, its CPU may spike due to
processing excessive BPDUs and broadcast traffic.

Switch# show processes cpu history

 Check STP Logs for Errors: Look for log messages related to topology changes, port state
transi ons, or STP errors.

Switch# show logging

 Check for Blocked Ports: Ensure that STP is properly blocking redundant links to prevent
loops.

Switch# show spanning-tree blockedports

3. PortFast Issues:

 Verify PortFast Status: If PortFast is not func oning as expected or you suspect an issue,
verify that it's enabled on specific ports:

Switch# show spanning-tree interface FastEthernet0/1 por ast

 Detect BPDU Guard Shutdown: If BPDU Guard shuts down a port due to a BPDU received,
check for error-disabled ports:

Switch# show interface status err-disabled

4. Root Bridge Changes and Topology Changes:

If the network is experiencing frequent topology changes, it may be due to root bridge elec ons or
link flapping. Use the following command to check how o en the topology changes:
Switch# show spanning-tree detail | include ieee|occurr|from|is exec

If there are too many topology changes, try the following:

 Check for unstable links (frequently going up/down).

 Adjust the bridge priority to ensure a stable switch remains the root bridge.

 Check for incorrect cabling or misconfigured trunk links.

5. BPDU Guard and Error-Disabled Ports:

If BPDU Guard disables a port (typically due to an unexpected switch connected to an access port),
the port will go into an error-disabled state.

 Reac vate the Error-Disabled Port:

Switch(config)# interface FastEthernet0/1

Switch(config-if)# shutdown

Switch(config-if)# no shutdown

 Globally Enable Automa c Recovery: You can enable the automa c recovery of error-
disabled ports a er a set me:

Switch(config)# errdisable recovery cause bpduguard

Switch(config)# errdisable recovery interval 300

Summary:

 STP Modes: Choose the STP version (STP, RSTP, PVST, MSTP) based on your network's size
and complexity.

 PortFast & BPDU Guard: Essen al for minimizing delays on access ports and protec ng
against loops.

 Root Bridge Elec on: Set lower priori es for switches that should be the root bridge to
control the topology.

 Troubleshoo ng Tools: Use commands like show spanning-tree and show spanning-tree
detail to monitor the current state of STP, detect loops, and find blocked ports.

 Topology Stability: Minimize unnecessary topology changes by ensuring a stable root bridge
and monitoring link health.

Enabling port-based authen ca on using 802.1X Network Access Control (NAC) on a switch involves
configuring the switch to authen cate devices before gran ng them access to the network. 802.1X
ensures that only authen cated users or devices can connect to the network through a port. It
typically works with a RADIUS server that handles the authen ca on requests from the switch.

Here is how you can configure 802.1X port-based authen ca on on a network switch.
Steps to Configure 802.1X on a Switch:

The setup typically involves configuring:

1. 802.1X on the switch (supplicant and authen cator).

2. RADIUS server configura on on the switch.

3. Enabling 802.1X on specific ports.

4. Tes ng the authen ca on process.

Step 1: Configure the RADIUS Server

First, ensure the switch can communicate with your RADIUS server (typically a server running
FreeRADIUS, Microso NPS, or another RADIUS service). You need to configure the switch to send
authen ca on requests to the RADIUS server.

Example RADIUS Configura on:

1. Define the RADIUS Server:

Switch(config)# radius-server host <RADIUS-server-IP> auth-port 1812 acct-port 1813 key <shared-
secret>

o <RADIUS-server-IP>: IP address of your RADIUS server.

o <shared-secret>: A shared key used for communica on between the switch and the
RADIUS server.

2. Set the Timeout and Retries:

Switch(config)# radius-server meout 5

Switch(config)# radius-server retransmit 3

3. Define the RADIUS Source Interface (op onal but recommended): This ensures the switch
uses a specific interface for communica on with the RADIUS server.

Switch(config)# ip radius source-interface <interface-name>

4. Enable RADIUS Accoun ng (op onal):

Switch(config)# aaa accoun ng dot1x default start-stop group radius

Step 2: Enable 802.1X on the Switch

Next, configure the AAA (Authen ca on, Authoriza on, Accoun ng) features to enable 802.1X on
the switch:

1. Enable AAA:

Switch(config)# aaa new-model

 2. Configure 802.1X Authen ca on Method: Define which method will be used for
authen ca on. In this case, we use the RADIUS server.

Switch(config)# aaa authen ca on dot1x default group radius

Step 3: Enable 802.1X Globally

Enable 802.1X globally on the switch so that all interfaces can par cipate in port-based
authen ca on.

Switch(config)# dot1x system-auth-control

Step 4: Configure 802.1X on Specific Switch Ports

You need to enable 802.1X authen ca on on individual ports where users or devices will connect.

1. Enter Interface Configura on Mode: Choose the interface (port) where you want to apply
the 802.1X authen ca on.

Switch(config)# interface FastEthernet0/1

2. Enable 802.1X on the Port:

Switch(config-if)# dot1x port-control auto

This se ng puts the port into auto mode, meaning it will a empt to authen cate any device that
connects to it.

3. Set Port to Access Mode: Ensure that the port is configured as an access port (since 802.1X is
used on access ports, not trunk ports).

Switch(config-if)# switchport mode access

4. (Op onal) Enable Guest VLAN (for Non-Authen cated Devices): You can configure a Guest
VLAN to allow limited network access for devices that fail authen ca on.

Switch(config-if)# dot1x guest-vlan <vlan-id>

5. Enable MAB (MAC Authen ca on Bypass) (Op onal): This op on allows devices that don’t
support 802.1X (e.g., printers, IP phones) to bypass authen ca on and be authen cated
based on their MAC address.

Switch(config-if)# authen ca on order dot1x mab

Switch(config-if)# authen ca on priority dot1x mab

6. Exit the Interface:

Switch(config-if)# exit

Step 5: Tes ng 802.1X Authen ca on

To verify that 802.1X is working, you can test by connec ng a client device (laptop or PC) with 802.1X
supplicant so ware enabled (this is typically built into most modern opera ng systems, including
Windows, macOS, and Linux).

 Monitor Authen ca on A empts: You can use the following commands to monitor the
802.1X authen ca on process and check the port’s status:

Switch# show dot1x

 Show Port Authen ca on Details:

Switch# show dot1x interface FastEthernet0/1

 Check the RADIUS Server Logs: Review the logs on the RADIUS server to see if the
authen ca on requests are being received and processed correctly.

Op onal Advanced Features

1. 802.1X with Dynamic VLAN Assignment: RADIUS can dynamically assign devices to different
VLANs a er successful authen ca on. To enable this, the RADIUS server needs to be
configured to return the VLAN ID for the authen cated client. On the switch side, just ensure
that the port is not sta cally assigned to any VLAN.

2. Enable 802.1X Authen ca on on Mul ple Ports: To apply 802.1X se ngs across a range of
interfaces:

Switch(config)# interface range FastEthernet0/1 - 24

Switch(config-if-range)# dot1x port-control auto

Troubleshoo ng 802.1X

 Check 802.1X Status on Ports: Use the following commands to check the status of 802.1X on
specific ports:

Switch# show dot1x all

Switch# show dot1x interface FastEthernet0/1

 Verify RADIUS Communica on: If clients are not authen ca ng, check whether the switch
can reach the RADIUS server:

Switch# ping <RADIUS-server-IP>

 Check AAA Debug Logs: Debug logs provide detailed informa on about the authen ca on
process and any errors encountered.

Switch# debug dot1x all

Switch# debug radius

 Check RADIUS Server Logs: Verify that the authen ca on request is reaching the RADIUS
server and see whether it’s being accepted or rejected.
Summary:

1. RADIUS Configura on: Set up communica on between the switch and the RADIUS server,
using shared secrets and defining ports for authen ca on and accoun ng.

2. Enable AAA: Enable and configure AAA on the switch to use RADIUS as the authen ca on
method for 802.1X.

3. 802.1X Global and Port Configura on: Enable 802.1X system-wide and on individual access
ports, se ng ports to auto mode for authen ca on.

4. Tes ng and Monitoring: Use the built-in commands to monitor and troubleshoot the 802.1X
authen ca on process on your switch.

Here is a step-by-step guide for se ng up 802.1X Port-Based Authen ca on with CLI commands on
a switch, including configuring the RADIUS server and 802.1X authen ca on on the switch. This
guide assumes you have a RADIUS server ready and will guide you through configuring both the
RADIUS server on the switch and enabling 802.1X authen ca on on specific switch ports.

Step 1: Configure the RADIUS Server on the Switch

You need to tell the switch where the RADIUS server is and define a shared secret for secure
communica on between the switch and the RADIUS server.

1. Enter Global Configura on Mode:

Switch> enable

Switch# configure terminal

2. Configure the RADIUS Server:

o <RADIUS-server-IP>: The IP address of the RADIUS server.

o <shared-secret>: A shared secret key used for authen ca on between the switch
and the RADIUS server.

Switch(config)# radius-server host <RADIUS-server-IP> auth-port 1812 acct-port 1813 key <shared-
secret>

Example:

Switch(config)# radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key mySecretKey

3. Configure RADIUS Timeout and Retransmission (Op onal but recommended): This sets
how long the switch should wait for a response from the RADIUS server and how many mes
to retry if no response is received.

Switch(config)# radius-server meout 5

Switch(config)# radius-server retransmit 3

 4. Define the Source Interface for RADIUS (Op onal): This specifies the interface the switch
will use to communicate with the RADIUS server (typically a management or loopback
interface).

Switch(config)# ip radius source-interface <interface-name>

Step 2: Enable AAA for 802.1X

AAA (Authen ca on, Authoriza on, and Accoun ng) is required for 802.1X. You need to configure
the switch to use the RADIUS server for authen ca on.

1. Enable AAA on the Switch: This command enables the AAA system on the switch.

Switch(config)# aaa new-model

2. Configure the Authen ca on Method for 802.1X: This command tells the switch to use the
RADIUS server for 802.1X authen ca on.

Switch(config)# aaa authen ca on dot1x default group radius

3. Configure Authoriza on (Op onal but recommended): You can also configure authoriza on
so that users are granted certain network access rights based on their iden ty. This step is
op onal and depends on your network policies.

Switch(config)# aaa authoriza on network default group radius

4. Enable Accoun ng (Op onal but recommended): Accoun ng can be used to track who is
authen ca ng and for how long. This sends accoun ng informa on to the RADIUS server.

Switch(config)# aaa accoun ng dot1x default start-stop group radius

Step 3: Enable 802.1X Globally on the Switch

Once the RADIUS server is set and AAA is configured, you need to globally enable 802.1X system-
wide on the switch.

1. Enable 802.1X System Control:

Switch(config)# dot1x system-auth-control

Step 4: Configure 802.1X on Switch Ports

Now that 802.1X is enabled globally, you need to enable it on individual access ports where users
will connect.

1. Enter Interface Configura on Mode: You need to configure each port where 802.1X
authen ca on will take place. You can configure a single port or a range of ports.

For a single port:

Switch(config)# interface FastEthernet0/1

For a range of ports (e.g., FastEthernet 0/1 to 0/24):

Switch(config)# interface range FastEthernet0/1 - 24

2. Enable 802.1X on the Port: You will set the port to use auto mode, which means the port
will a empt to authen cate the device that connects to it using 802.1X.

Switch(config-if)# dot1x port-control auto

3. Set the Port to Access Mode: 802.1X is used on access ports, so ensure that the port is
configured as an access port.

Switch(config-if)# switchport mode access

4. (Op onal) Enable a Guest VLAN: You can configure a Guest VLAN to allow devices that fail
802.1X authen ca on (or do not support it) to have limited access to the network. Replace
<vlan-id> with the VLAN number you want to assign.

Switch(config-if)# dot1x guest-vlan <vlan-id>

Example:

Switch(config-if)# dot1x guest-vlan 100

5. Enable MAB (MAC Authen ca on Bypass) (Op onal): MAB allows devices that don’t
support 802.1X (like printers, IP phones) to authen cate using their MAC address.

Switch(config-if)# authen ca on order dot1x mab

Switch(config-if)# authen ca on priority dot1x mab

6. Exit Interface Configura on Mode: A er configuring the port, exit the interface
configura on mode.

Switch(config-if)# exit

Step 5: Verifying 802.1X Configura on

A er configuring the switch for 802.1X, it's important to verify that it's working as expected.

1. Check the Global 802.1X Status: Use this command to verify that 802.1X is enabled globally
on the switch.

Switch# show dot1x

2. Verify 802.1X on Specific Interfaces: Use this command to check the 802.1X status of a
specific interface.

Switch# show dot1x interface FastEthernet0/1

3. Monitor the Authen ca on Process: You can monitor ongoing 802.1X authen ca on
a empts on the switch.

Switch# show dot1x all

 4. Check RADIUS Server Logs: Make sure that the authen ca on requests are being received
by the RADIUS server. You should be able to see log entries for authen ca on requests and
responses on the RADIUS server.

Step 6: Troubleshoo ng 802.1X Issues

If you encounter issues, here are some commands to help troubleshoot:

1. Check for Error-Disabled Ports: Some mes ports get disabled due to authen ca on issues or
security viola ons.

Switch# show interface status err-disabled

2. Debugging 802.1X and RADIUS: These commands will display detailed debug informa on for
troubleshoo ng authen ca on issues.

o Debugging 802.1X:

Switch# debug dot1x all

o Debugging RADIUS:

Switch# debug radius

3. Show RADIUS Server Status: Check the status of the communica on between the switch and
the RADIUS server.

Switch# show radius

4. Verify Connec vity to RADIUS Server: Make sure the switch can reach the RADIUS server by
pinging it.

Switch# ping <RADIUS-server-IP>

Summary of Commands:

RADIUS Configura on:

Switch(config)# radius-server host <RADIUS-server-IP> auth-port 1812 acct-port 1813 key <shared-
secret>

Switch(config)# radius-server meout 5

Switch(config)# radius-server retransmit 3

Switch(config)# ip radius source-interface <interface-name>

AAA Configura on:

Switch(config)# aaa new-model

Switch(config)# aaa authen ca on dot1x default group radius

Switch(config)# aaa accoun ng dot1x default start-stop group radius

Enable 802.1X Globally:

Switch(config)# dot1x system-auth-control

Port Configura on:

Switch(config)# interface FastEthernet0/1

Switch(config-if)# switchport mode access

Switch(config-if)# dot1x port-control auto

Switch(config-if)# dot1x guest-vlan <vlan-id>

Switch(config-if)# authen ca on order dot1x mab

Switch(config-if)# authen ca on priority dot1x mab

Switch(config-if)# exit