Chapter 3 - Implementing Spanning Tree
Objectives
Summarise how 802.1D STP works to eliminate Layer 2 loops in a converged network.
Explain the enhancements that can be used to optimise and protect STP.
Describe the operation of per-VLAN STP.
Describe the operation of 802.1w Rapid STP.
Describe the operation of 802.1s Multiple STP.
Implement rapid per-VLAN STP (rapid PVST+) and Multiple STP in a LAN to prevent switching loops.
Switching Loops
The addition of redundant paths creates switching loops, leading to the following problems:
Multiple Frame Transmission
MAC Database Instability
Broadcast Storms
[Figure: two switches joined by redundant links between their Fa0/1 ports and between their Fa0/2 ports]
Spanning Tree Protocol 802.1D (STP)
The solution is to allow physical loops, but create a loop-free logical topology called a tree.
It is a spanning tree because all devices in the network are reachable, or spanned.
The algorithm used to create this loop-free logical topology is the spanning-tree algorithm.
STP exchanges information in frames called Bridge Protocol Data Units (BPDUs).
A newer algorithm, the rapid spanning-tree algorithm, was developed to reduce the time a network needs to compute a loop-free logical topology.
STP Variants
Bridge Protocol Data Unit
A bridge uses a four-step decision sequence to save a copy of the "best" BPDU seen on every port:
1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID
When making this evaluation, it considers all the BPDUs received on the port as well as the BPDU that would be sent on that port.
As every BPDU arrives, it is checked to see if it is more attractive (that is, lower in value) than the existing BPDU saved for that port. If the new BPDU (or the locally generated BPDU) is more attractive, the old value is replaced.
802.1D Bridge Protocol Data Unit
By default, BPDUs are sent every two seconds.
The BID consists of a bridge priority, which defaults to 32768 (0x8000), and the switch MAC address.
The BID uses one of the MAC addresses from a pool of MAC addresses assigned to the switch backplane.
[Figure: BID = Bridge Priority (2 bytes) + MAC Address (6 bytes)]
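As an added example (not from the course slides), the following Python decodes the 802.1D BPDU layout just described: a configuration BPDU carrying the 8-byte root and sender BIDs (2-byte priority plus 6-byte MAC), the root path cost and the timers, and the 4-byte TCN BPDU. The sample frames are constructed here from the figure's MAC addresses; the builder, the field names and the 8/8 split of the port ID are this example's own assumptions.

```python
import struct

# 802.1D configuration BPDU: 35 bytes, every field big-endian.
#   Protocol ID (2) | Version (1) | Type (1) | Flags (1) | Root ID (8) |
#   Root Path Cost (4) | Bridge ID (8) | Port ID (2) | Message Age (2) |
#   Max Age (2) | Hello Time (2) | Forward Delay (2)
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
TYPE_CONFIG, TYPE_TCN, TYPE_RSTP = 0x00, 0x80, 0x02   # BPDU type values
FLAG_TC, FLAG_TC_ACK = 0x01, 0x80                     # 802.1D flag bits
DEFAULT_PORT_PRIORITY = 128


def pack_bid(priority, mac):
    """Bridge ID = 2-byte priority (default 32768 = 0x8000) + 6-byte MAC."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(".", ""))


def unpack_bid(raw):
    """Split an 8-byte Bridge ID back into its priority and dotted MAC."""
    hexmac = raw[2:8].hex()
    return {"priority": struct.unpack("!H", raw[:2])[0],
            "mac": ".".join(hexmac[i:i + 4] for i in range(0, 12, 4))}


def build_config_bpdu(root_prio, root_mac, cost, sender_prio, sender_mac,
                      port_number, msg_age=1, max_age=20, hello=2,
                      fwd_delay=15, tc=False, tc_ack=False, version=0):
    """Constructed configuration BPDU; timers are encoded in 1/256 s units."""
    flags = (FLAG_TC if tc else 0) | (FLAG_TC_ACK if tc_ack else 0)
    port_id = (DEFAULT_PORT_PRIORITY << 8) | port_number   # 802.1D 8/8 split
    return CONFIG_BPDU.pack(0, version, TYPE_CONFIG, flags,
                            pack_bid(root_prio, root_mac), cost,
                            pack_bid(sender_prio, sender_mac), port_id,
                            msg_age * 256, max_age * 256, hello * 256,
                            fwd_delay * 256)


def parse_bpdu(frame):
    """Decode a configuration or TCN BPDU; raise ValueError on malformed input."""
    if len(frame) < 4 or frame[:2] != b"\x00\x00":
        raise ValueError("not an STP BPDU: protocol ID must be 0")
    version, btype = frame[2], frame[3]
    if btype == TYPE_TCN:                   # a TCN BPDU is only these 4 bytes
        return {"version": version, "type": "tcn"}
    if len(frame) < CONFIG_BPDU.size:
        raise ValueError("truncated configuration BPDU")
    (_, version, btype, flags, root_id, cost, bridge_id, port_id, msg_age,
     max_age, hello, fwd_delay) = CONFIG_BPDU.unpack(frame[:CONFIG_BPDU.size])
    return {
        "version": version,                 # 0 = 802.1D STP, 2 = 802.1w RSTP
        "type": "rstp" if btype == TYPE_RSTP else "config",
        "topology_change": bool(flags & FLAG_TC),
        "tc_ack": bool(flags & FLAG_TC_ACK),
        "root": unpack_bid(root_id),
        "root_path_cost": cost,
        "sender": unpack_bid(bridge_id),
        "port_priority": port_id >> 8,
        "port_number": port_id & 0xFF,
        "message_age": msg_age / 256,       # all four timers in seconds
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


# Constructed samples: S2 (2222.2222.2222) relaying root S1's BPDU at cost 19,
# and a bare TCN BPDU as sent after a topology change.
SAMPLE_BPDU = build_config_bpdu(32768, "1111.1111.1111", 19,
                                32768, "2222.2222.2222", 1)
TCN_BPDU = bytes([0x00, 0x00, 0x00, TYPE_TCN])
```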
Bridge Protocol Data Unit
BPDUs contain information that allows switches to perform specific actions:
Select a single switch that will act as the root of the spanning tree.
Calculate the shortest path from itself to the root switch.
Designate one of the switches as the closest one to the root for each LAN segment. This switch is called the designated switch. The designated switch handles all communication from that LAN segment towards the root bridge.
Each non-root switch chooses one of its ports as its root port - the interface that gives the best path to the root switch.
Non-designated ports are blocked.
[Figure: a root switch whose ports are designated (Des), a downstream switch with a root port, and a blocked port]
Step 1 - Root Bridge Election Process
[Figure: four switches S1 (MAC 1111.1111.1111), S2 (MAC 2222.2222.2222), S3 (MAC 3333.3333.3333) and S4 (MAC 4444.4444.4444), all with priority 32768, interconnected over Fa0/1 and Fa0/2 by links of cost 19; S1 is elected root because it holds the lowest BID]
Step 1 - Root Bridge Election Process
Upon completion of the root bridge election process, the switches continue to forward the root BPDU frames advertising the root ID of the root bridge every 2 seconds.
Each switch is configured with a max age timer that determines how long a switch retains the current BPDU configuration in the event it stops receiving updates from its neighbouring switches. By default, the max age timer is set to 20 seconds.
Therefore, if a switch fails to receive 10 consecutive BPDU frames from one of its neighbours, the switch assumes that a logical path in the spanning tree has failed and that the BPDU information is no longer valid. This triggers another spanning-tree root bridge election.
Step 2 - Root Port Election Process
The shortest path is based on cumulative link costs. Link costs are based on the speed of the link.
1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID
[Figure: the same four-switch topology with S1 as root; S2, S3 and S4 each mark the port with the best path to S1 as their root port]
Step 3 - Designated Port Election Process
1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID
[Figure: the same four-switch topology with S1 as root; three root ports, four designated ports and one non-designated port (blocking)]
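The three election steps above, worked through as an added Python example (not part of the course material) over the figure's four switches. The link layout (a ring S1-S3-S2-S4-S1 on Fa0/1 and Fa0/2), the default port priority of 128 and the optional VLAN argument that models the PVST+ extended system ID are assumptions of this example; the four-step BPDU comparison follows the slides.

```python
# Converged 802.1D role computation for the four-switch figure.
# Assumed (not on the slides): the links form the ring S1-S3-S2-S4-S1,
# each switch uses Fa0/1 and Fa0/2, and every port has the default priority 128.

def bid(priority, mac, vlan=0):
    """Bridge ID as a comparable tuple; lower wins. With PVST+ the VLAN ID is
    added to the priority (extended system ID), e.g. 32768 + 10 = 32778."""
    return (priority + vlan, int(mac.replace(".", ""), 16))


def port_id(name, priority=128):
    """Port ID = port priority + port number taken from the interface name."""
    return (priority, int(name.rsplit("/", 1)[1]))


def compute_stp(switches, links):
    """switches: {name: bid}; links: [(sw_a, port_a, sw_b, port_b, cost)].
    Returns (root, root_path_cost, roles) with roles[(switch, port)] in
    {'root', 'designated', 'blocking'}."""
    # Step 1: root bridge election - the lowest BID wins.
    root = min(switches, key=switches.get)
    nbrs = {s: [] for s in switches}          # s -> [(port, peer, peer_port, cost)]
    for a, pa, b, pb, c in links:
        nbrs[a].append((pa, b, pb, c))
        nbrs[b].append((pb, a, pa, c))
    # Root path cost = cumulative link cost of the cheapest path (Bellman-Ford).
    cost = {s: float("inf") for s in switches}
    cost[root] = 0
    for _ in range(len(switches)):
        for s in switches:
            for _, peer, _, c in nbrs[s]:
                cost[s] = min(cost[s], cost[peer] + c)
    roles = {}
    # Step 2: root port on every non-root switch - the neighbour offering the
    # best BPDU: lowest (path cost via it, sender BID, sender port ID).
    for s in switches:
        if s == root:
            continue
        best = min(nbrs[s], key=lambda n: (cost[n[1]] + n[3],
                                             switches[n[1]], port_id(n[2])))
        roles[(s, best[0])] = "root"
    # Step 3: designated port per segment - the end advertising the best BPDU
    # (lowest root path cost, then BID, then port ID). The other end is
    # non-designated (blocking) unless it is already that switch's root port.
    for a, pa, b, pb, _ in links:
        ends = sorted([(cost[a], switches[a], port_id(pa), a, pa),
                       (cost[b], switches[b], port_id(pb), b, pb)])
        roles[(ends[0][3], ends[0][4])] = "designated"
        roles.setdefault((ends[1][3], ends[1][4]), "blocking")
    return root, cost, roles


# Constructed topology from the election figures: four switches, all at the
# default priority 32768, joined by 100 Mb/s links of cost 19.
SWITCHES = {"S1": bid(32768, "1111.1111.1111"), "S2": bid(32768, "2222.2222.2222"),
            "S3": bid(32768, "3333.3333.3333"), "S4": bid(32768, "4444.4444.4444")}
LINKS = [("S1", "Fa0/1", "S3", "Fa0/1", 19), ("S1", "Fa0/2", "S4", "Fa0/1", 19),
         ("S3", "Fa0/2", "S2", "Fa0/1", 19), ("S4", "Fa0/2", "S2", "Fa0/2", 19)]

if __name__ == "__main__":
    root, cost, roles = compute_stp(SWITCHES, LINKS)
    print("root:", root, "root path costs:", cost)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

S2 sees two equal-cost paths to S1 (38 each) and picks the one via S3 on sender BID, so its port towards S4 is the single blocking port; lowering S3's priority (as "root primary" does on the PVST+ slides) moves the root to S3 with no other change to the code.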
STP Port Roles
The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.
The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment.
The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port.
802.1D BPDU Timers
[Figure: port state sequence when a link comes up: Blocking (max age = 20 secs), moving to Listening once the port decides whether it is a root or designated port; Listening (forward delay = 15 secs); Learning (forward delay = 15 secs); Forwarding]
Adjust spanning tree timers with care!
Defaults are calculated based on a network diameter of 7 switches.
Set the diameter on the root switch, and it will propagate the new timers to the other switches via its BPDUs.
S1(config)#spanning-tree vlan 10 root primary diameter 4
802.1D Spanning Tree Protocol - Topology Changes
[Figure: S1 (root), S2 and S3; S3 detects a change on Fa0/8 and sends a TCN BPDU up its root port, each upstream switch acknowledging it with a BPDU ACK until the root is reached]
After a topology change, S3 sends a topology change notification (TCN) BPDU from its root port. It is forwarded by subsequent switches until the root switch is informed of the change.
When the root bridge receives the TCN BPDU, it sends out a normal BPDU with the topology change flag set.
This causes all switches to shorten their CAM table aging timers from the default to the forward delay interval.
802.1D Spanning Tree Protocol - Portfast
When a switch port configured with PortFast is configured as an access port, it transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.
[Figure: S1 (root), S2 and S3; PortFast applied to the host-facing port Fa0/8 on S3]
S3(config)#int fa0/8
S3(config-if)#spanning-tree portfast
or
S3(config)#spanning-tree portfast default
The switch warns when PortFast is enabled on an interface:
Warning: portfast should only be enabled on ports connected to a
single host. Connecting hubs, concentrators, switches, bridges,
etc..to this interface when portfast is enabled, can cause
temporary bridging loops.
Use with CAUTION
Portfast has been configured on FastEthernet0/8 but will only
have effect when the interface is in non-trunking mode.
802.1D Spanning Tree Protocol - BPDU Guard
[Figure: S1 (root), S2 and S3; BPDU Guard applied to the host-facing port Fa0/8 on S3]
S3(config)#int fa0/8
S3(config-if)#spanning-tree bpduguard enable
or
S3(config)#spanning-tree portfast bpduguard default
In a valid configuration, PortFast-configured interfaces should not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as the connection of an unauthorised device.
STP BPDU Guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the STP blocking state (the default behaviour).
802.1D Spanning Tree Protocol Enhancements: UplinkFast (Cisco)
[Figure: S1 (root), S2 and S3; S3 has a root port towards the root and a blocked alternate uplink that UplinkFast can activate immediately]
S3(config)#spanning-tree uplinkfast [max-update-rate]
UplinkFast allows alternate paths to the root to be activated immediately when the primary root path fails.
UplinkFast works by keeping track of possible paths to the root bridge; the command is not allowed on a root bridge.
UplinkFast also makes some modifications to the local switch to ensure that it does not become the root bridge: the priority is raised to 49,152 and the path cost of all ports is incremented by 3000.
802.1D Spanning Tree Protocol Enhancements: BackboneFast (Cisco)
[Figure: S1 (root), S2, S3 and S4; S3 receives an inferior BPDU on a blocked port, sends RLQ requests towards the root through its upstream switches and receives RLQ replies]
S3(config)#spanning-tree backbonefast
BackboneFast allows a switch to determine whether alternative paths exist to the root bridge in the case of an indirect link failure.
If the local switch has blocked ports, BackboneFast begins to use the Root Link Query (RLQ) protocol to see whether upstream switches have stable connections to the root bridge.
RLQ replies will short-circuit the max-age timer on S3.
Protecting Spanning Tree Protocol: Root Guard
[Figure: S1 (root), S2, S3 and S4; Root Guard is applied on the S2 and S4 ports that receive superior BPDUs]
S4(config-if)#spanning-tree guard root
S4#sh spanning-tree inconsistentports
The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network.
As long as superior BPDUs are received by S2 or S4, the receiving port will be kept in the root-inconsistent state. This prevents the port from sending or receiving data, but the switch can still listen to BPDUs.
Protecting Spanning Tree Protocol: Loop Guard
[Figure: S1 (root), S2, S3 and S4, with S4 holding non-designated (blocking) ports]
S4(config-if)#spanning-tree guard loop
S4(config)#spanning-tree loopguard default
The Loop Guard feature keeps track of BPDU activity on non-designated (blocking) ports, and when BPDUs go missing, it moves the port into the loop-inconsistent state. The port is thus effectively blocking, preventing a loop from forming.
Loop Guard can be configured globally or on a specific port. Note that the corrective blocking action it performs is carried out on a per-VLAN basis, not on the entire port.
Protecting Spanning Tree Protocol: BPDU Filter
[Figure: S1 (root), S2, S3 and S4; BPDU Filter applied on a port of S4]
S3(config-if)#spanning-tree bpdufilter {enable | disable}
S3(config)#spanning-tree portfast bpdufilter default
To prevent a port from sending or receiving BPDUs, use the BPDU filter command.
This effectively de-activates STP, so there is a potential to create switching loops if care is not exercised!
BPDU filtering can be enabled either globally or on a per-port basis; the operation of BPDU filter is different depending on how it is activated. Enabled globally, it applies only to PortFast ports and the port stops filtering (and loses PortFast) if a BPDU is received; enabled on an interface, the port sends no BPDUs and drops any it receives.
Protecting Spanning Tree Protocol: Unidirectional Link Detection (UDLD)
S3(config-if)#udld port aggressive
S3(config)#udld {enable | aggressive | message time seconds}
[Figure: S1 (root), S2 and S3 linked by fibre-optic links, with UDLD running on both ends of a link]
Cisco proprietary UDLD interactively monitors the status of a port to ensure that it is operating bidirectionally.
Switches send special Layer 2 UDLD frames identifying a switch port at regular intervals (15 seconds by default).
UDLD expects the neighbouring switch to echo these frames back across the same link, with the neighbouring switch port's identification added.
UDLD must be enabled on both sides of a link for this process to work.
Protecting Spanning Tree Protocol: Unidirectional Link Detection (UDLD) Verification
Interface Fa0/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5
Entry 1
---
Expiration time: 33
Device ID: 1
Current neighbor state: Bidirectional
Device name: FOC1330Y049
Port ID: Fa0/3
Neighbor echo 1 device: FDO1117Z17R
Neighbor echo 1 port: Fa0/1
Message interval: 15
Time out interval: 5
CDP Device name: ALS1.cisco
Spanning Tree Protection
[Figure: example topology from the root down to the access ports, showing where Portfast, BPDU Guard, BPDU Filter, UDLD, Loopguard and Rootguard are applied]
Portfast - rapid transition to forwarding state for access ports.
BPDU Guard - protects Portfast ports from creating loops.
Root Guard - controls which ports are eligible to participate in root election.
Unidirectional Link Detection (UDLD) - prevents links transitioning to forwarding state under unidirectional fault conditions.
Loopguard - prevents links transitioning to forwarding under unidirectional fault conditions if the designated port is still operational.
Permissible combinations on a switch port:
1. Loop Guard & UDLD
2. Root Guard & UDLD
Not permissible on a switch port:
1. Root Guard & Loop Guard
2. Root Guard & BPDU Guard
Cisco Storm Control
[Figure: S1, S2 and S3 interconnected on Fa0/1 to Fa0/4, with PC1 (172.17.10.21/24, VLAN 10), PC2 (172.17.20.22/24, VLAN 20) and PC3 (172.17.30.23/24, VLAN 30) attached to access ports]
S1(config)#int range fa0/1 - 4
S1(config-if-range)#storm-control broadcast level 50
S1(config-if-range)#storm-control action shutdown
Storm control manages how the receiving port handles broadcast traffic.
It configures a threshold above which broadcasts are dropped for a certain period of time, or until the broadcast flow slows down.
In addition, you can shut down the port or send an SNMP trap to an NMS.
S1#show interfaces accounting
vlan10
Protocol    Pkts In     Chars In    Pkts Out    Chars Out
IP         16705943   1727686324      77739     26586738
ARP        10594397    635663820        484        29040
802.1D Spanning Tree Protocol - Common Spanning Tree (CST)
[Figure: S1, S2 and S3 in a triangle carrying VLAN 10 and VLAN 20; with a single STP instance one link is blocked for all VLANs]
The IEEE 802.1Q standard specifies how VLANs are trunked between switches. 802.1Q specifies only a single instance of STP, which encompasses all VLANs on a trunk link.
This instance is referred to as the Common Spanning Tree (CST), and all CST BPDUs are transmitted over trunks using the native VLAN.
CST reduces switch CPU loading, but having only one STP instance has limitations too, as redundant links between switches will be blocked with no capability for load balancing.
Per-VLAN Spanning Tree Protocol (PVST)
Cisco developed PVST so that a network can run an STP instance for each VLAN in the network. PVST uses ISL trunking, which prevents interoperability with CST.
PVST+ supports both ISL and 802.1Q trunking, so it can communicate with PVST and CST.
With PVST+, more than one trunk can block for a VLAN and load sharing can be implemented.
[Figure: S1, S2 and S3 in a triangle, one switch root for VLAN 10 and another root for VLAN 20; on S2 one trunk is forwarding for VLAN 20 and blocking (alternate) for VLAN 10, the other forwarding for VLAN 10 and blocking (alternate) for VLAN 20]
PVST Bridge ID
BID = Priority + VLAN ID (extended system ID) + MAC Address
Example:
BID = 32768 + 10 + 000A.0033.333
BID = 32778 000A.0033.333
PVST+ Configuration
[Figure: S1, S2 and S3 in a triangle; S1 is root for VLAN 10 and S3 is root for VLAN 20, with S2's Fa0/2 and Fa0/3 each forwarding for one VLAN and blocking for the other]
S3(config)#spanning-tree vlan 20 root primary
Automatically drops the priority by 8192 to 24576 if the current root is set to the default 32768. If the current root is lower, it will try to set the priority lower by a 4096 step. If it can't (if the current root has a priority of 1), then the operation will fail.
S3(config)#spanning-tree vlan 10 root secondary
There is no mechanism for discovering which switch has the second-lowest priority after the root, so this command just sets the priority to 28672 (4096 less than the default).
PVST+ Configuration
[Figure: the same three-switch topology, with the roots for VLAN 10 and VLAN 20 set explicitly by priority]
S3(config)#spanning-tree vlan 20 priority 4096
S3(config)#spanning-tree vlan 10 priority 8192
S1(config)#spanning-tree vlan 10 priority 4096
S1(config)#spanning-tree vlan 20 priority 8192
IEEE 802.1w Rapid Spanning Tree Protocol
The IEEE 802.1w standard was developed to use 802.1D's principal concepts and make the resulting convergence much quicker; hence it is also known as Rapid Spanning Tree Protocol (RSTP).
RSTP uses the same BPDU as 802.1D, but utilises some previously unused fields in the Message Type field to perform RSTP functions. The version field is set to 2.
RSTP BPDUs are sent from every switch port at hello time intervals, regardless of whether BPDUs are received from the root, acting as a keepalive mechanism.
When 3 consecutive BPDUs are missed, a neighbour is presumed to be down, and all information relating to that neighbour is aged out.
RSTP Port States
Operational Port State   802.1D STP Port State   802.1w RSTP Port State
Enabled                  Blocking                Discarding
Enabled                  Listening               Discarding
Enabled                  Learning                Learning
Enabled                  Forwarding              Forwarding
Disabled                 Disabled                Discarding
RSTP Port Roles
[Figure: a root bridge and two switches; a second path to the root is held as an alternate port (Alt), and a switch with two ports on the same segment holds a backup port (Back)]
Alternative port: a switch port that offers an alternative path toward the root bridge. The alternative port assumes a discarding state in a stable, active topology.
Backup port: an additional switch port on the designated switch with a redundant link to the segment for which the switch is designated. A backup port has a higher port ID than the designated port on the designated switch. The backup port assumes the discarding state in a stable, active topology.
RSTP Port Types
[Figure: S1 (STP root), S2 and S3; switch-to-switch links are point-to-point (P2P) ports, host-facing ports are edge ports, and one switch holds an alternate port]
RSTP considers every switch port to be one of the following types:
1. Edge port - a port at the edge of the network, connecting to a single host, that transitions immediately to the forwarding state when activated.
2. Root port - the port that has the best cost to the root of the STP instance.
3. Point-to-point port (P2P) - any port that connects to another switch and becomes a designated port (non-edge). A quick handshake with the neighbouring switch, rather than a timer expiration, decides the port state.
RSTP Convergence
[Figure: S1 (STP root), S2, S3 and S4; a proposal and agreement are exchanged on each switch-to-switch link, with the downstream ports discarding until the handshake completes]
For each non-edge port, the switch exchanges a proposal-agreement handshake to decide the state of each end of the link.
Each switch assumes that its port should become the designated port for the segment, and a proposal message (a configuration BPDU with the proposal flag set) is sent to the neighbour suggesting this.
If a port receives a superior BPDU from a neighbour, that port becomes the root port.
RSTP Topology Changes
[Figure: S1 (root), S2, S3 and S4; a change detected on S3's Fa0/8 is flooded as TC BPDUs out its non-edge designated ports]
When a topology change is detected, a switch must propagate news of the change to other switches in the network so that they can correct their CAM tables.
BPDUs with their TC bit set are sent out all non-edge designated ports. This is done until the TC timer (twice the hello interval) expires.
All neighbouring switches that receive the TC message must flush the MAC addresses learnt on all ports except the one that received the TC message.
PVST/PVST+/RPVST+ Issues
As each instance of RPVST+ demands its own root and BPDUs, the processing overhead can be unnecessarily high if each VLAN has its own spanning tree.
This overhead is difficult to justify in topologies with limited redundant paths.
[Figure: S1, S2 and S3; one switch is root for VLANs 1-500 and another is root for VLANs 501-1001]
Multiple Spanning Tree (MST) 802.1s
MST allows the configuration of exactly the number of STP instances that make sense for the enterprise network.
MST allows the mapping of one or more VLANs to a single STP instance.
Multiple MST instances can be used, with each instance supporting a different group of VLANs.
Switches running MST are grouped in common MST regions, with each switch running compatible parameters.
Multiple Spanning Tree (MST)
To provide this logical assignment of VLANs to spanning trees, each switch running MST in the network has a single MST configuration that consists of three attributes:
An alphanumeric configuration name (32 bytes)
A configuration revision number (two bytes)
A 4096-element table that associates each of the potential 4096 VLANs supported on the chassis with a given instance
To be part of a common MSTP region, a group of switches must share the same configuration attributes. It is up to the network administrator to properly propagate the configuration throughout the region.
Cisco IOS supports a maximum of 16 MST instances.
MSTP Configuration
[Figure: S1, S2 and S3; one switch is root for VLANs 1-500 (instance 1) and another for VLANs 501-1001 (instance 2)]
S1(config)#spanning-tree mst config
S1(config-mst)#sh current
S1(config-mst)#instance 1 vlan 1-500
S1(config-mst)#instance 2 vlan 501-1001
S1(config-mst)#name REGION12
S1(config-mst)#revision 1
S1(config-mst)#sh pending
S1(config-mst)#exit
S1(config)#spanning-tree mst 1 root secondary
S1(config)#spanning-tree mst 2 root primary
Verify:
S1#sh spanning-tree mst config
S1#sh spanning-tree mst 1
S1#sh spanning-tree mst detail
Enable:
S1(config)#spanning-tree mode mst
FlexLinks
FlexLinks are configured on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the FlexLink or backup link.
When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.
At any given time, only one of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic.
[Figure: S1 with Gi1/1 as the active link and Gi1/2 as the backup link]
FlexLinks are configured only on the primary interface:
S1(config)#interface Gi1/1
S1(config-if)#switchport backup interface Gi1/2
May 2 09:04:14: %SPANTREE-SP-6-PORTDEL_ALL_VLANS: TenGigabitEthernet1/2 deleted from all Vlans
May 2 09:04:14: %SPANTREE-SP-6-PORTDEL_ALL_VLANS: TenGigabitEthernet1/1 deleted from all Vlans
S1#show interfaces switchport backup
Any Questions?