Ccie en Part 01 Switch

This document discusses VLANs and trunking on Cisco switches. It describes how to create VLANs, assign switch ports to VLANs, and configure trunk links between switches. VLANs allow logical segmentation of networks while trunks allow VLAN traffic to traverse between switches. The document covers access ports, trunk ports, frame tagging protocols like 802.1Q, and the Dynamic Trunking Protocol (DTP) used to automatically establish trunk links.

Uploaded by Cafu

VLAN & Trunk

802.1q Trunks
[Diagram: switches interconnected by 802.1q trunks, with Layer 3 equal cost links between switch pairs]
VLAN Example
Consider the following example:
Creating VLANs
By default, all interfaces belong to VLAN 1. To assign an interface to a different VLAN,
that VLAN must first be created:
Switch(config)# vlan 100
Switch(config-vlan)# name SERVERS
The first command creates VLAN 100, and enters VLAN configuration mode. The second
command assigns the name SERVERS to this VLAN.
Note that naming a VLAN is not required.
The standard range of VLAN numbers is 1 – 1005, with VLANs 1002-1005 reserved for
legacy Token Ring and FDDI purposes.
A switch operating in VTP transparent mode can additionally use the VLAN range of 1006
– 4094. These are known as extended-range VLANs.
Switch# show vlan
VLAN Name Status Ports
1 default active gi1/1-24
100 SERVERS active
1002 fddi-default suspended
1003 token-ring-default suspended
1004 fddinet-default suspended
1005 trnet-default suspended
Note that no interfaces have been assigned to the newly created VLAN 100 yet.
Statically Assigning VLANs
To statically assign an interface into a specific VLAN:
Switch(config)# interface gi1/10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
The first command enters interface configuration mode. The second command indicates that
this is an access port, as opposed to a trunk port. This will be explained in detail shortly.
The third command assigns this access port to VLAN 100. Note that the VLAN number is
specified, and not the VLAN name.
The show vlan command should now reflect the new VLAN assignment:
Switch# show vlan
VLAN Name Status Ports
1 default active gi1/1-9,11-24
100 SERVERS active gi1/10
1002 fddi-default suspended
1003 token-ring-default suspended
1004 fddinet-default suspended
1005 trnet-default suspended
VLAN Port Types
A VLAN-enabled switch supports two types of ports:
• Access ports
• Trunk ports
An access port is a member of only a single VLAN. Access ports are most often used to
connect host devices, such as computers and printers. By default on Cisco switches, all
switch ports are access ports.
Any host connected to an access port immediately becomes a member of the VLAN
configured on that port. This is transparent to the host - it is unaware that it belongs to a
VLAN.
It is possible for a VLAN to span more than one switch. There are two methods of
connecting a VLAN across multiple switches:
• Create uplink access ports between the switches, one for each VLAN.
• Create a trunk connection between the switches.
A trunk port is not a member of a single VLAN. The traffic from any or all
VLANs can traverse trunk links to reach other switches.
Uplinking access ports quickly becomes unfeasible in large switching environments. The
following illustrates the advantage of using trunk ports:
Frame Tagging Protocols
Cisco switches support two frame tagging protocols:
• Inter-Switch Link (ISL)
• IEEE 802.1Q
The tagging protocol can be manually specified on a trunk port, or dynamically
negotiated using Cisco’s proprietary Dynamic Trunking Protocol (DTP).

[Diagram: two switches joined by a trunk carrying VLANs 100 and 200; HostA, HostB, HostD and HostE are in VLAN 100, HostC and HostF are in VLAN 200]
IEEE 802.1Q
IEEE 802.1Q, otherwise referred to as dot1Q, is an industry-standard frame-tagging
protocol. 802.1Q is supported by nearly all switch manufacturers, including Cisco. Because
802.1Q is an open standard, switches from different vendors can be trunked together.
Recall that ISL encapsulates a frame with an additional header and trailer. In contrast,
802.1Q embeds a 4-byte VLAN tag directly into the Layer-2 frame header. Because the
Layer-2 header is modified, 802.1Q must recalculate the frame’s CRC value.
The VLAN tag includes a 12-bit VLAN ID. This tag increases the size of an Ethernet frame,
from its default of 1514 bytes to 1518 bytes. Nearly all modern switches support the
802.1Q tag and the slight increase in frame size.
802.1Q supports a maximum of 4096 VLANs on a trunk port.
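The tag insertion and CRC recalculation described above, as an added example (my own code, not from the slides): it builds an Ethernet frame, inserts the 4-byte 802.1Q tag with its 12-bit VID after the source MAC, recomputes the FCS, and parses the tag back out. It assumes TPID 0x8100, a CRC-32 FCS and constructed MAC addresses; the 1514/1518 figures above exclude the 4-byte FCS, which this code includes.

```python
"""Build, tag and parse 802.1Q frames (added example, not from the slides).

Assumed: TPID 0x8100; TCI = 3-bit PCP, 1-bit DEI, 12-bit VID; the FCS is a CRC-32 over
the frame, appended little-endian; the MAC addresses and payload are constructed."""
import struct
import zlib
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def fcs(frame_body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of everything before the FCS field."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged frame when vid is None. Otherwise insert the 4-byte tag after the
    source MAC; the Layer-2 header changes, so the FCS is recalculated."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 0xFFF:
            raise ValueError("VID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    body = header + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Decode a frame; vid is None when no 802.1Q tag is present."""
    dst, src = frame[0:6], frame[6:12]
    offset, vid, pcp = 12, None, None
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid, pcp = tci & 0xFFF, tci >> 13
        offset = 16
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {
        "dst": dst, "src": src, "vid": vid, "pcp": pcp, "ethertype": ethertype,
        "payload": frame[offset + 2:-4],
        # A tag inserted without recalculating the CRC shows up here as a bad FCS.
        "fcs_ok": frame[-4:] == fcs(frame[:-4]),
    }


def tag(frame: bytes, vid: int) -> bytes:
    """Egress onto an 802.1Q trunk: add (or replace) the VLAN tag and recompute the FCS."""
    p = parse_frame(frame)
    return build_frame(p["dst"], p["src"], p["payload"], vid=vid)


def untag(frame: bytes) -> bytes:
    """Egress onto an access port: strip the tag and recompute the FCS."""
    p = parse_frame(frame)
    return build_frame(p["dst"], p["src"], p["payload"])


def frame_sizes(payload_len: int = 1500) -> tuple:
    """(untagged, tagged) lengths including the FCS: the tag adds exactly 4 bytes."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")  # constructed
    untagged = build_frame(dst, src, bytes(payload_len))
    return len(untagged), len(tag(untagged, 100))


if __name__ == "__main__":
    print(frame_sizes())  # (1518, 1522): 1514 + 4 FCS, then 4 more bytes for the tag
```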
Trunk & DTP Dynamic Trunk Protocol
Configuring Trunk Links
To manually configure an interface as a trunk port:
Switch(config)# interface gi2/24
Switch(config-if)# switchport mode trunk
For a switch that supports both ISL and 802.1Q, the tagging or
encapsulation protocol must be configured first:
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk encapsulation isl
Switch(config-if)# switchport mode trunk
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Important note: Both sides of the trunk must be configured with the same
tagging protocol. Otherwise, a trunk connection will not form.
If the switch only supports 802.1Q, the switchport trunk encapsulation
command will not be available.
Configuring Trunk Links (continued)

The switch can negotiate the tagging protocol, using DTP:
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk encapsulation negotiate
Switch(config-if)# switchport mode trunk
The tagging protocol that is supported by both switches will be used. If the switches
support both ISL and 802.1Q, ISL will be the preferred protocol.
By default, all active VLANs are allowed to traverse a trunk link. While this is convenient,
a good security practice is to allow only necessary VLANs over a trunk.
To explicitly allow a subset of VLANs on a trunk port:
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk allowed vlan 3,9,11-15
The above command will force the trunk link to only forward traffic from VLANs 3, 9,
and 11 – 15. To remove a VLAN from the allowed list:
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk allowed vlan remove 12
Dynamic Trunking Protocol (DTP)
Recall that a trunk’s frame tagging protocol can be autonegotiated, through the use of the
Dynamic Trunking Protocol (DTP).
DTP can also negotiate whether a port becomes a trunk at all. Previous examples
demonstrated how to manually configure a port to trunk:
Switch(config)# interface gi2/24
Switch(config-if)# switchport mode trunk

DTP has two modes to dynamically decide whether a port becomes a trunk:
• Desirable – the port will actively attempt to form a trunk with the remote switch.
This is the default setting.
• Auto – the port will passively wait for the remote switch to initiate the trunk.
To configure the DTP mode on an interface:
Switch(config)# interface gi2/24
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport mode dynamic auto
Trunk ports send out DTP frames every 30 seconds to indicate their configured mode.
A trunk will form in the following configurations:
• manual trunk ↔ manual trunk
• manual trunk ↔ dynamic desirable
• manual trunk ↔ dynamic auto
• dynamic desirable ↔ dynamic desirable
• dynamic desirable ↔ dynamic auto
A trunk will never form if the two sides of the trunk are set to dynamic auto, as both ports
are waiting for the other to initialize the trunk.
It is best practice to manually configure trunk ports, to avoid DTP negotiation errors.
DTP is also vulnerable to VLAN spoofing attacks.
To explicitly disable DTP:
Switch(config)# interface gi2/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
DTP Dynamic Trunk Protocol
• Automatic formation of trunked switch-to-switch interconnection
• On: always be a trunk
• Desirable: ask if the other side can/will
• Auto: if the other side asks I will
• Off: don’t become a trunk
• Negotiation of 802.1Q or ISL encapsulation
• ISL: try to use ISL trunk encapsulation
• 802.1q: try to use 802.1q encapsulation
• Negotiate: negotiate ISL or 802.1q encapsulation with peer
• Non-negotiate: always use encapsulation that is hard set
[Diagram: On/On forms a Trunk; Auto/Desirable forms a Trunk; Off/Off gives NO Trunk; Off with On, Auto or Desirable gives NO Trunk]
Troubleshooting Trunk Connections
A trunk connection requires several parameters to be configured identically on both sides of the trunk:
• Trunk Mode
• Frame-tagging protocol
• Native VLAN
• Allowed VLANs
• VTP Domain – only when using DTP to negotiate a trunk
If there is a mismatch in configuration, the trunk connection will never become active.
To determine whether an interface is an access or trunk port:
Switch# show interface gi2/24 switchport
Name: Gi2/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 42
<snip>
To view the status of all trunk links:
Switch# show interface trunk
Port Mode Encapsulation Status Native VLAN
Fa0/24 on 802.1q trunking 42

Port Vlans allowed on trunk
Fa0/24 3,9,11-15

Port Vlans allowed and active in management domain
Fa0/24 3,9

Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 3,9
Note that VLANs 11-15 are not active. Most likely, no interfaces have been assigned to those VLANs.
If there are no interfaces in an active trunking state, the show interface trunk
command will return no output.
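A checker for the trunk parameters listed above, as an added example (my own code, not from the slides): it parses `show interface switchport` output from both ends of a link, applies the DTP mode outcomes from the earlier section, and reports native VLAN, encapsulation, allowed-VLAN and DTP mismatches. The two sample outputs are constructed in the format shown above and are not real device output.

```python
"""Compare `show interface ... switchport` output from both ends of a link and report the
mismatches the slides list (added example; LOCAL and REMOTE are constructed samples)."""
import re
from typing import Dict, List, Set

FIELDS = {  # lines of the command output that must agree on both ends, mapped to short keys
    "Administrative Mode": "mode",
    "Administrative Trunking Encapsulation": "encap",
    "Negotiation of Trunking": "dtp",
    "Trunking Native Mode VLAN": "native",
    "Trunking VLANs Enabled": "allowed",
}

LOCAL = """\
Name: Gi2/24
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 42
Trunking VLANs Enabled: 3,9,11-15
"""

REMOTE = """\
Name: Gi0/1
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """'3,9,11-15' -> {3, 9, 11, 12, 13, 14, 15}; 'ALL' -> every VLAN 1-4094."""
    if spec.strip().upper() == "ALL":
        return set(range(1, 4095))
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Inverse of parse_vlan_list: {3, 9, 11, 13, 14, 15} -> '3,9,11,13-15'."""
    out: List[str] = []
    start = prev = None
    for v in sorted(vlans):
        if start is not None and v == prev + 1:
            prev = v
            continue
        if start is not None:
            out.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = v
    if start is not None:
        out.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(out) or "none"


def parse_switchport(output: str) -> Dict[str, str]:
    """Extract the FIELDS values, dropping the '(default)' annotation."""
    cfg: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            cfg[FIELDS[key.strip()]] = re.sub(r"\s*\(default\)", "", value).strip()
    return cfg


def trunk_forms(mode_a: str, mode_b: str) -> bool:
    """DTP outcome from the slides: trunk, dynamic desirable and dynamic auto pair up in
    every combination except auto with auto; an access port never becomes a trunk."""
    modes = {mode_a, mode_b}
    return "static access" not in modes and modes != {"dynamic auto"}


def check_trunk(local: Dict[str, str], remote: Dict[str, str]) -> List[str]:
    """Problems that stop the trunk forming or leave it unsafe; empty list means consistent."""
    issues: List[str] = []
    if not trunk_forms(local["mode"], remote["mode"]):
        issues.append(f"no trunk will form between {local['mode']} and {remote['mode']}")
    for me, peer in ((local, remote), (remote, local)):
        if me["dtp"] == "Off" and peer["mode"].startswith("dynamic"):
            issues.append("nonegotiate facing a dynamic peer: the peer never sees DTP and stays access")
    if local["encap"] != remote["encap"] and "negotiate" not in (local["encap"], remote["encap"]):
        issues.append(f"encapsulation mismatch: {local['encap']} / {remote['encap']}")
    if local["native"] != remote["native"]:
        issues.append(f"native VLAN mismatch: {local['native']} / {remote['native']}")
    only_local = parse_vlan_list(local["allowed"]) - parse_vlan_list(remote["allowed"])
    only_remote = parse_vlan_list(remote["allowed"]) - parse_vlan_list(local["allowed"])
    if only_local or only_remote:
        issues.append(f"allowed VLANs differ: local only {format_vlan_list(only_local)}, "
                      f"remote only {format_vlan_list(only_remote)}")
    if local["mode"] == remote["mode"] == "trunk" and "On" in (local["dtp"], remote["dtp"]):
        issues.append("both ends are manual trunks but DTP is still on: add switchport nonegotiate")
    return issues
```

Running `check_trunk(parse_switchport(LOCAL), parse_switchport(REMOTE))` on the samples reports three problems: the nonegotiate side facing a dynamic peer, the native VLAN mismatch (42 versus 1), and the asymmetric allowed-VLAN lists.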
VTP VLAN Trunking Protocol
VLAN Trunking Protocol (VTP)
Maintaining a consistent VLAN database can be difficult in a large switching
environment.
Cisco’s proprietary VLAN Trunking Protocol (VTP) simplifies this management – updates
to the VLAN database are propagated to all switches using VTP advertisements.
VTP requires that all participating switches join a VTP domain. Switches must belong to
the same domain to share VLAN information, and a switch can only belong to a single
domain.
VTP Versions

There are three versions of VTP. VTP version 1 supports the standard 1 – 1005 VLAN
range. VTP version 1 is also default on Catalyst switches.
VTP version 2 introduces some additional features:
• Token Ring support
• VLAN consistency checks
• Domain-independent transparent pass through

VTPv1 and v2 are not compatible. The VTP version is dictated by the VTP server,
discussed in detail shortly. If the VTP server is configured for VTPv2, all other switches in
the VTP domain will change to v2 as well.
Until recently, VTP Version 3 was supported on only limited Cisco switch platforms.
VTPv3 was built to be flexible, and can forward both VLAN and other database
information, such as Multiple Spanning Tree (MST) protocol.
Other enhancements provided by VTPv3 include:
• Support for the extended 1006-4094 VLAN range.
• Support for private VLANs.
• Improved VTP authentication.
• Protection from accidental database overwrites, by using VTP primary and secondary
servers.
• Ability to enable VTP on a per-port basis.
VTP Modes
A switch using VTP must operate in one of three modes:
• Server
• Client
• Transparent
VTP servers are responsible for creating, deleting, or modifying entries in the VLAN
database. Each VTP domain must have at least one VTP server, and this is the default
mode for Cisco switches.
Servers advertise the VLAN database to all other switches in the VTP domain, including
other servers. VTP servers can only advertise the standard 1-1005 VLAN range, and
advertisements are only sent out trunk ports.
VTP clients cannot modify the VLAN database, and rely on advertisements from other
switches to update VLAN information. A client will also forward VTP advertisements
out every trunk port.
VTP Virtual Trunk Protocol
• Centralised VLAN management
• VTP server switch propagates VLAN database to VTP client switches
• Runs only on trunks
• Four modes:
• Server: updates clients and servers
• Client: receive updates, cannot make changes
• Transparent: let updates pass through
• Off: ignores VTP updates
[Diagram: server A sets VLAN 50 and sends a VTP update over its trunks; client B learns VLAN 50; a transparent switch passes the update through; switch C in off mode drops VTP updates]
Remember: switches must be in the same VTP Domain to share and accept updates to
the VLAN database. Only servers can change the VLAN database.
A VTP transparent switch maintains its own local VLAN database, and does not
directly participate in the VTP domain. A transparent switch will never accept VLAN
database information from another switch, even a server. Also, a transparent switch will
never advertise its local VLAN database to another switch.
Transparent switches will pass through advertisements from other switches in the VTP
domain. The VTP version dictates how the pass through is handled:
• VTP version 1 – the transparent switch will only pass through advertisements from
the same VTP domain.
• VTP version 2 – the transparent switch will pass through advertisements from
any VTP domain.
VTP Advertisements – Revision Number
Recall that updates to the VLAN database are propagated using VTP advertisements. VTP
advertisements are always sent out trunk ports, on VLAN 1.
VTP advertisements are marked with a 32-bit configuration revision number, to identify
the most current VLAN database revision. Any change to the VLAN database increments
the configuration revision number by 1. Thus, a higher number represents a newer database
revision.
A switch will only accept an advertisement if the revision number is higher than the current
VLAN database. Advertisements with a lower revision number are ignored.
Important note: While only VTP servers can change the VLAN database, VTP clients can
advertise updates, to other clients and even to a server! As long as the revision number is
higher, the switch will accept the update.
This can result in a newly-introduced switch advertising a blank or incorrect VLAN
database to all other switches in the domain. Switch ports would then lose their VLAN
memberships, resulting in a significant network outage.
This can be avoided when implementing a new switch into the VTP domain. Best practice
is to configure a new switch as a VTP client, and reset its revision number to zero before
deploying into a production network.

There are two methods of resetting the revision number to zero on a switch:
1. Change the VTP domain name, and then change it back to the original name.
2. Change the VTP mode to transparent, and then change it back to
either server or client. Transparent switches always have a revision number of 0.
VTP has fallen out of favor, due to the risk of an unintentional overwrite of the VLAN
database. Until very recently, Cisco did not support VTP on the Nexus platform of
switches.

VTPv3 directly addresses this risk through the use of VTP primary and secondary servers.
Only the primary server is allowed to update the VLAN database on other switches. Only
one primary server is allowed per domain.
VTP Advertisements – Message Types
Three message types exist for VTP advertisements:
• Summary Advertisement
• Subset Advertisement
• Advertisement Request
Both VTP servers and clients will send out a summary advertisement every 300 seconds.
Summary advertisements contain the following information about the VTP domain:
• VTP version
• Domain name
• Configuration revision number
• Time stamp
• MD5 digest
Summary advertisements are also sent when a change occurs to the VLAN database. The
summary is then followed with a subset advertisement, which actually contains the full,
updated VLAN database.
A subset advertisement will contain the following information:
• VTP version
• Domain name
• Configuration revision number
• VLAN IDs for each VLAN in the database
• VLAN-specific information, such as the VLAN name and MTU

Important note: Switches will only accept summary and subset advertisements if the
domain name and MD5 digest match. Otherwise, the advertisements are ignored.
If a switch receives a summary advertisement with a revision number higher than its own,
it will send out an advertisement request. VTP servers will then respond with an updated
summary and subset advertisement so that the switch can synchronize to the most current
VLAN database.
A switch that is reset or newly joined to the VTP domain will also send out an
advertisement request.
Configuring VTP
By default, a switch is in VTP server mode, and joined to a blank domain labeled NULL.
To change the VTP domain name:
Switch(config)# vtp domain MYDOMAIN
Note that the domain name is case sensitive. To configure the VTP mode:
Switch(config)# vtp mode server
Switch(config)# vtp mode client
Switch(config)# vtp mode transparent
The VTP domain can be secured using a password:
Switch(config)# vtp password P@SSWORD!
The password is also case sensitive. All switches participating in the VTP domain must be
configured with the same password. The password is hashed into a 16-byte MD5 digest.
Cisco switches use VTP version 1 by default, which is not compatible with VTPv2. The
VTP version is dictated by the VTP server, and if the server is configured for VTPv2, all
other switches in the VTP domain will change to v2 as well.
Switch(config)# vtp version 2
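The revision-number overwrite described above and the rule that the domain name and MD5 digest must match, as an added simulation (my own code, not from the slides). The digest here is a simplified MD5 over domain, password, revision and VLAN list, not the real VTP digest calculation; the switch names, VLANs and the stale revision of 50 are constructed.

```python
"""Simulate VTP advertisement acceptance and the revision-number overwrite the slides warn
about (added example, not from the slides). The digest is a simplified model: MD5 over
domain, password, revision and VLAN list. Switch names and VLANs are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def vtp_digest(domain: str, password: str, revision: int, vlans: Dict[int, str]) -> bytes:
    """16-byte MD5 digest carried in summary advertisements (simplified model)."""
    h = hashlib.md5()
    h.update(f"{domain}\0{password}\0{revision}".encode())
    for vid in sorted(vlans):
        h.update(f"\0{vid}:{vlans[vid]}".encode())
    return h.digest()


@dataclass
class Switch:
    name: str
    mode: str = "server"        # server | client | transparent (server is the default)
    domain: str = "NULL"        # the blank default domain
    password: str = ""
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        """Only servers (and transparent switches, locally) may change the database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # every database change bumps the revision by 1

    def set_mode(self, mode: str) -> None:
        """Transparent switches always hold revision 0, which is why toggling a switch
        through transparent mode resets its revision before deployment."""
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def set_domain(self, domain: str) -> None:
        """Changing the domain name is the other way to reset the revision."""
        self.domain = domain
        self.revision = 0

    def advertisement(self) -> dict:
        """Summary plus subset advertisement; servers AND clients send these out trunks."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": vtp_digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Accept only if the domain and digest match and the revision is higher."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        expected = vtp_digest(self.domain, self.password, adv["revision"], adv["vlans"])
        if adv["digest"] != expected or adv["revision"] <= self.revision:
            return False
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def flood(sender: Switch, domain: List[Switch]) -> List[str]:
    """Names of the switches that accepted the sender's advertisement."""
    adv = sender.advertisement()
    return [s.name for s in domain if s is not sender and s.receive(adv)]


def overwrite_scenario(reset_revision: bool) -> dict:
    """A lab switch that once lived in MYDOMAIN (revision 50, blank database) is plugged
    into production. Without a revision reset its stale database wins; with the reset,
    its advertisement is ignored and production keeps VLANs 100, 200 and 300."""
    prod = [Switch(n, m, "MYDOMAIN", "P@SSWORD!") for n, m in
            (("Core", "server"), ("Access1", "client"), ("Access2", "client"))]
    for vid, name in ((100, "SERVERS"), (200, "USERS"), (300, "VOICE")):
        prod[0].add_vlan(vid, name)
    flood(prod[0], prod)                                    # clients learn the three VLANs
    lab = Switch("Lab", "client", "MYDOMAIN", "P@SSWORD!", revision=50)  # stale, constructed
    if reset_revision:
        lab.set_mode("transparent")
        lab.set_mode("client")
    accepted = flood(lab, prod + [lab])
    return {"accepted": accepted, "core_vlans": sorted(prod[0].vlans),
            "core_revision": prod[0].revision}


def wrong_password_is_ignored() -> bool:
    """A matching domain alone is not enough: the MD5 digest must match as well."""
    a = Switch("A", "server", "MYDOMAIN", "P@SSWORD!")
    b = Switch("B", "client", "MYDOMAIN", "other")
    a.add_vlan(10, "TEST")
    return flood(a, [a, b]) == [] and 10 not in b.vlans
```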

To view status information about VTP:
Switch# show vtp status
VTP Version : 2
Configuration Revision : 42
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : MYDOMAIN
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x42 0x51 0x69 0xBA 0xBE 0xFA 0xCE 0x34
Configuration last modified by 0.0.0.0 at 6-22-14 4:07:52

To view VTP statistical information and error counters:
Switch# show vtp counters
VTP Pruning
Recall that Layer-2 switches belong to only one broadcast domain. A Layer-2 switch will
thus forward both broadcasts and multicasts out every port in the same VLAN but the
originating port. This includes sending out broadcasts out trunk ports to other switches,
which will in turn flood that broadcast out all ports in the same VLAN.

VTP pruning eliminates unnecessary broadcast or multicast traffic throughout the
switching infrastructure. Consider the following example:
Assume that a host is connected to SwitchB, in VLAN 300. If the host sends out a
broadcast, SwitchB will forward the broadcast out every port in VLAN 300, including the
trunk ports to SwitchA and SwitchC. Both SwitchA and SwitchC will then forward that
broadcast out every port in VLAN 300.
However, SwitchA does not have any ports in VLAN 300, and will drop the broadcast.
Thus, sending the broadcast to SwitchA is a waste of bandwidth.
VTP pruning allows a switch to learn which VLANs are active on its neighbors. Thus,
broadcasts are only sent out the necessary trunk ports where those VLANs exist. In the
preceding example, pruning would prevent VLAN 300 broadcasts from being sent to
SwitchA, and would prevent VLAN 100 and 200 broadcasts from being sent to SwitchC.
VTP pruning is disabled by default on IOS switches. VTP pruning must be enabled on a
server, and will be applied globally to the entire VTP domain:
Switch(config)# vtp pruning
Both VLAN 1 and the system VLANs 1002-1005 are never eligible for pruning. To
manually specify which VLANs are pruning eligible on a trunk:
Switch(config)# interface gi2/24
Switch(config-if)# switchport trunk pruning vlan 2-10
Switch(config-if)# switchport trunk pruning vlan add 42
Switch(config-if)# switchport trunk pruning vlan remove 5
Switch(config-if)# switchport trunk pruning vlan except 100-200
Switch(config-if)# switchport trunk pruning vlan none
Optimising Convergence: Trunk Tuning
Trunk Auto/Desirable Takes Some Time
• DTP negotiation tuning improves link up convergence time
• IOS(config-if)# switchport mode trunk
• IOS(config-if)# switchport nonegotiate
[Chart: time to converge in seconds (0 to 2.5) for voice and data, trunking desirable versus trunking nonegotiate; about two seconds of delay/loss is tuned away]
Ether Channel Configuration
• Typically deployed in distribution to core, and core to core interconnections
• Used to provide link redundancy, while reducing peering complexity
• Tune L3/L4 load balancing hash to achieve maximum utilisation of channel members
• Deploy in powers of two (two, four, or eight)
• Match CatOS and Cisco IOS PAgP settings
• 802.3ad LACP for interop if you need it
• Disable unless needed
• Cisco IOS: switchport host
[Diagram: campus core and distribution switches joined by Layer 3 equal cost links, with WAN, Data Centre and Internet blocks]
EtherChannel – Manual Configuration

There are two methods of configuring an EtherChannel:
• Manually
• Dynamically, using an aggregation protocol

To manually configure two ports to join an EtherChannel:
Switch(config)# interface range gi2/23 - 24
Switch(config-if)# channel-group 1 mode on

The remote switch must also have the EtherChannel manually configured as on. Remember
that speed, duplex, VLAN, and STP configuration must be configured identically across all
participating ports on both switches.

The channel-group number identifies the EtherChannel on the local switch. This number does
not need to match on both switches, though for documentation purposes it should.
Adding switch ports to a channel-group creates a logical port-channel interface.
This interface can be configured by referencing the channel-group number:

Switch(config)# interface port-channel 1

Changes made to the logical port-channel interface are applied to all physical
switch ports in the channel-group:
Switch(config)# interface port-channel 1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 50-100

To configure a port-channel as a Layer-3 interface:
Switch(config)# interface port-channel 1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.10.1 255.255.255.0

By default, a port-channel interface is administratively shutdown. To bring the
port-channel online:
Switch(config)# interface port-channel 1
Switch(config-if)# no shut

Physical port properties, such as speed and duplex, must be configured on the
physical interface, and not on the port-channel interface.
EtherChannel – Dynamic Configuration

Cisco switches support two dynamic aggregation protocols:
• PAgP (Port Aggregation Protocol) – Cisco proprietary aggregating protocol.
• LACP (Link Aggregation Control Protocol) – IEEE standardized aggregation protocol, originally
defined in 802.3ad.

Both PAgP and LACP exchange negotiation packets to form the EtherChannel.
When an EtherChannel is configured manually, no negotiation packets are
exchanged.

Thus, an EtherChannel will never form if one switch manually configured the
EtherChannel, and the other switch is using a dynamic aggregation protocol.

PAgP and LACP are not compatible – both sides of an EtherChannel must use the
same aggregation protocol.
EtherChannel - LACP

LACP is an IEEE standard aggregation protocol, and supports two modes:
• Active – actively attempts to form a channel
• Passive – waits for the remote switch to initiate the channel

An LACP channel will form in the following configurations:
• active ↔ active
• active ↔ passive

A channel will not form if both sides are set to passive. Also, LACP will not form a
channel if the remote side is running PAgP, or manually configured.

To create an EtherChannel using LACP negotiation:
Switch(config)# interface range gi2/23 – 24
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active
Switch(config-if)# channel-group 1 mode
LACP requires that speed, duplex, VLAN, and STP configuration be configured
identically across all participating ports.

Recall that a maximum of 8 active ports are supported in a single EtherChannel.
LACP supports adding an additional 8 ports into the bundle in a standby state, to
replace an active port if it goes down.

LACP assigns a numerical port-priority to each port, to determine which ports
become active in the EtherChannel. By default, the priority is set to 32768, and a
lower priority is preferred. If there is a tie in port-priority, the lowest port number is
preferred.
To change the LACP port-priority to something other than default:
Switch(config)# interface range gi2/23 – 24
Switch(config-if)# lacp port-priority 100

LACP also assigns a system-priority to each switch, which dictates which switch becomes
the decision-maker if there is a conflict about active ports. The default system-
priority is 32768, and a lower priority is again preferred. If there is a tie in system-
priority, the lowest switch MAC address is preferred.

To globally change the system-priority on a switch:

Switch(config)# lacp system-priority 500
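The active/standby selection, the port-priority and system-priority tie-breaks, and the requirement that member ports be configured identically, as an added example (my own code, not from the slides). All port names, priorities and MAC addresses are constructed.

```python
"""Select LACP active and standby members the way the slides describe (added example,
not from the slides): members must share speed/duplex/VLAN/STP settings, at most 8 ports
are active, a lower port-priority wins with ties going to the lower port number, and the
switch with the lower system-priority (then lower MAC) decides. All values are constructed."""
import re
from typing import Dict, List, Optional, Tuple

MAX_ACTIVE = 8
DEFAULT_PRIORITY = 32768
CHECKED_SETTINGS = ("speed", "duplex", "mode", "allowed", "stp_cost")


def port_index(name: str) -> Tuple[int, ...]:
    """'Gi2/23' -> (2, 23): numeric ordering, so Gi2/10 sorts after Gi2/9."""
    return tuple(int(n) for n in re.findall(r"\d+", name))


def member_mismatches(members: List[Dict]) -> List[str]:
    """Settings that differ from the first member; any entry means that port cannot bundle."""
    ref = members[0]
    return [f"{m['name']}: {k} {m[k]} != {ref[k]}"
            for m in members[1:] for k in CHECKED_SETTINGS if m[k] != ref[k]]


def select_active(members: List[Dict], max_active: int = MAX_ACTIVE) -> Tuple[List[str], List[str]]:
    """(active, standby) port names: lowest port-priority first, then lowest port number."""
    ordered = sorted(members, key=lambda m: (m.get("priority", DEFAULT_PRIORITY), port_index(m["name"])))
    names = [m["name"] for m in ordered]
    return names[:max_active], names[max_active:]


def after_failure(members: List[Dict], failed: str, max_active: int = MAX_ACTIVE):
    """When an active port goes down, the best-ranked standby port takes its place."""
    return select_active([m for m in members if m["name"] != failed], max_active)


def decision_maker(systems: List[Tuple[str, int, str]]) -> str:
    """systems: (switch name, system-priority, MAC). Lower priority wins, then lower MAC."""
    return min(systems, key=lambda s: (s[1], int(s[2].replace(":", ""), 16)))[0]


def bundle(priorities: Optional[Dict[str, int]] = None, count: int = 16) -> List[Dict]:
    """Constructed members Gi2/1..Gi2/<count> with identical settings and optional priorities."""
    priorities = priorities or {}
    return [{"name": f"Gi2/{i}", "speed": 1000, "duplex": "full", "mode": "trunk",
             "allowed": "50-100", "stp_cost": 4,
             "priority": priorities.get(f"Gi2/{i}", DEFAULT_PRIORITY)} for i in range(1, count + 1)]


if __name__ == "__main__":
    active, standby = select_active(bundle({"Gi2/16": 100}))
    print("active:", active)    # Gi2/16 first because of its lower priority, then Gi2/1..7
    print("standby:", standby)  # Gi2/8..15
    print("decides:", decision_maker([("SwA", 32768, "00:11:22:33:44:55"),
                                      ("SwB", 500, "aa:bb:cc:dd:ee:ff")]))  # SwB
```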


Troubleshooting EtherChannel

To view status information on all configured EtherChannels:
Switch# show etherchannel summary
Flags: D - down P - in port-channel
 I - stand-alone s - suspended
 R - Layer3 S - Layer2
 U - port-channel in use
Group Port-channel Ports
1 Po1(SU) Gi2/23(P) Gi2/24(P)

Note that both ports have a status of P, which indicates that they are up and active
in the EtherChannel.

On Cisco Nexus switches, the syntax for this command is slightly different:
NexusSwitch# show port-channel summary
Understanding Ether Channel
Link Negotiation Options—PAgP and LACP
Port Aggregation Protocol (PAgP):
• On: always be a channel/bundle member
• Desirable: ask if the other side can/will
• Auto: if the other side asks I will
• Off: don’t become a member of a channel/bundle
Link Aggregation Protocol (LACP):
• On: always be a channel/bundle member
• Active: ask if the other side can/will
• Passive: if the other side asks I will
• Off: don’t become a member of a channel/bundle
[Diagram: PAgP On/On forms a Channel, On/Off gives No Channel, Auto/Desirable forms a Channel, Off with On, Auto or Desirable gives No Channel; LACP On/On forms a Channel, On/Off gives No Channel, Active/Passive forms a Channel, Passive/Passive gives No Channel]
EtherChannels
10/100/1000 How Do You Aggregate It?
[Diagram: core layer with 10 GE links and 10-GE channels; distribution layer with typical 4:1 data over-subscription; access layer with typical 20:1 data over-subscription]
EtherChannels
Reduce Complexity/Peer Relationships
• More links = more routing peer relationships and associated overhead
• EtherChannels allow you to reduce peers by creating single logical interface to peer over
• On single link failure in a bundle
• OSPF running on a Cisco IOS-based switch will reduce link cost and reroute traffic
• OSPF running on a hybrid switch will not change link cost and may overload remaining links
• EIGRP may not change link cost and may overload remaining links
[Diagram: campus topology with Layer 3 equal cost links, and WAN, Data Centre and Internet blocks]
EtherChannels
Why 10-Gigabit Interfaces
• More links = more routing peer relationships and associated overhead
• EtherChannels allow you to reduce peers by creating single logical interface to peer over
• However, a single link failure is not taken into consideration by routing protocols. Overload possible
• Single 10-gigabit links address both problems. Increased bandwidth without increasing complexity or compromising routing protocols ability to select best path
[Diagram: campus topology with Layer 3 equal cost links, and WAN, Data Centre and Internet blocks]
RSTP (Rapid Spanning Tree Protocol)
Rapid Spanning Tree Protocol (RSTP)
In modern networks, a 30 to 50 second convergence delay is unacceptable.
Enhancements were made to the original IEEE 802.1D standard to address this. The
result was 802.1w, or Rapid Spanning Tree Protocol (RSTP).
RSTP is similar in many respects to STP:
• BPDUs are forwarded between switches
• A Root Bridge is elected, based on the lowest Bridge ID.
• Root and designated ports are elected and function identically to STP.
RSTP defines four port roles:
• Root Port – Port on each switch that has the best path cost to the Root Bridge. A
switch can only have one root port.
• Alternate Port – Backup root port that has a less desirable path cost.
• Designated Port – Non-root port that represents the best path cost for each network
segment to the Root Bridge.
• Backup Port – Backup designated port that has a less desirable path cost.
STP vs RSTP
1. 802.1D STP supported five port states, while RSTP supports three:
• Discarding
• Learning
• Forwarding
Initially, a switch port starts in a discarding state:
• A discarding port will not forward frames or learn MAC addresses.
• A discarding port will listen for BPDUs.
• Alternate and backup ports will remain in a discarding state.
RSTP does not need a listening state. Instead, if a port is elected as a root or
designated port, it will transition from discarding to a learning state:
• A learning port will begin to add MAC addresses to the CAM table.
• However, a learning port cannot forward frames quite yet.
Finally, a learning port will transition to a forwarding state:
• A forwarding port is fully functional – it will send and listen for BPDUs, learn
MAC addresses, and forward frames.
• Root and designated ports will eventually transition to a forwarding state.
The key benefit of RSTP is faster convergence:
• BPDUs are generated by every switch, and sent out at the hello interval.
• Switches no longer require artificial forward delay timers.
In 802.1D, BPDUs are generated by the Root Bridge. If a switch receives a BPDU from
the Root Bridge on its root port, it will propagate the BPDU downstream to its neighbors.
This convergence process is slow, and STP relies on forward delay timers to ensure a
loop-free environment.
In RSTP, switches will handshake directly with their neighbors, allowing the topology to
be quickly synchronized. This allows ports to rapidly transition from a discarding state to a
forwarding state without a delay timer.
A key component of the RSTP process is the type of each port:
• Edge – port that connects to a host. This port behaves exactly like a PortFast-enabled
port, transitioning to a forwarding state immediately.
• Root – port that connects to another switch, and has the best path cost to the Root
Bridge.
• Point-to-Point – port that connects to another switch, with the potential to
become the designated port for a segment.
Note: If an edge port receives a BPDU, it will lose its edge port status and transition
normally through the RSTP process. On Cisco switches, any port configured with PortFast
becomes an Edge Port.
The RSTP convergence process is as follows:
• Switches exchange BPDUs to elect the Root Bridge.
• Edge ports immediately transition into a forwarding state.
• All potential root and point-to-point ports start in a discarding state.
• If a port receives a superior BPDU, it will become a root port, and transition
immediately to a forwarding state.
• For a point-to-point port, each switch will exchange a handshake
proposal to determine which port becomes designated.
• Once the switches agree, the designated port is moved immediately into a
forwarding state.
Every switch will perform this handshaking process with each of its neighbors, until
all switches are synchronized. Complete convergence happens very quickly –
within seconds.
Topology Change Notification (TCN)
RSTP handles topology changes more efficiently than 802.1D STP, which generates a
Topology Change Notification (TCN) in two circumstances:
• When a port transitions into a forwarding state.
• When a port transitions into a blocking or down state.
The TCN will eventually reach the Root Bridge, which will then inform all other switches
of the change by sending a BPDU with the Topology Change (TC) bit set.
In RSTP, only a non-edge port transitioning to a forwarding state will generate a TCN.
The switch recognizing a topology change does not have to inform the Root Bridge first.
Any switch can generate and forward a TC BPDU, allowing the topology to quickly
converge via handshakes.
A switch receiving a TC BPDU will flush all MAC addresses learned on designated
ports, except for the port that received the TC BPDU.
In the event of a topology change, RSTP will allow alternate or backup ports to
immediately enter a forwarding state. Additionally, RSTP does not have to wait an arbitrary
max age timer to accept an inferior BPDU, if there is an indirect failure in the topology.
Essentially, RSTP inherently supports the functionality of UplinkFast and BackboneFast.
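The two TCN rules above (only a non-edge port entering forwarding generates a TC; a received TC flushes MAC entries on designated ports other than the receiving port) as a small Python model. This is an added example, not code from the slides; port names, roles and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    role: str                  # "edge", "root", "designated", "alternate", "backup"
    state: str = "discarding"  # "discarding" or "forwarding"

@dataclass
class Switch:
    ports: dict = field(default_factory=dict)       # port name -> Port
    mac_table: dict = field(default_factory=dict)   # mac -> port name (constructed)

    def set_state(self, port_name: str, new_state: str) -> bool:
        """Apply a state change and return True if RSTP generates a TC for it.
        Only a non-edge port entering forwarding does; a port going down and
        an edge port never do (unlike 802.1D, which signals both transitions)."""
        port = self.ports[port_name]
        old, port.state = port.state, new_state
        return port.role != "edge" and old != "forwarding" and new_state == "forwarding"

    def receive_tc(self, on_port: str) -> list:
        """Handle a TC BPDU received on on_port: flush MAC entries learned on
        designated ports other than the receiving port. Edge ports are modelled
        as their own role here, so their entries are kept. Returns flushed MACs."""
        flushed = sorted(mac for mac, p in self.mac_table.items()
                         if self.ports[p].role == "designated" and p != on_port)
        for mac in flushed:
            del self.mac_table[mac]
        return flushed

def demo() -> dict:
    """Constructed scenario: an alternate port takes over after the root port fails."""
    sw = Switch()
    for name, role, state in [("Gi1/0/1", "root", "forwarding"),
                              ("Gi1/0/2", "designated", "forwarding"),
                              ("Gi1/0/3", "designated", "forwarding"),
                              ("Gi1/0/4", "edge", "discarding"),
                              ("Gi1/0/5", "alternate", "discarding")]:
        sw.ports[name] = Port(name, role, state)
    sw.mac_table = {"0000.1111.aaaa": "Gi1/0/1", "0000.2222.bbbb": "Gi1/0/2",
                    "0000.3333.cccc": "Gi1/0/3", "0000.4444.dddd": "Gi1/0/4"}
    results = {}
    results["edge_up_tc"] = sw.set_state("Gi1/0/4", "forwarding")    # False
    results["root_down_tc"] = sw.set_state("Gi1/0/1", "discarding")  # False
    sw.ports["Gi1/0/5"].role = "root"          # the alternate port becomes the new root port
    results["new_root_tc"] = sw.set_state("Gi1/0/5", "forwarding")   # True
    results["flushed"] = sw.receive_tc("Gi1/0/2")                    # ['0000.3333.cccc']
    return results
```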
RSTP is compatible with 802.1D STP. If a neighboring switch does not respond to an
RSTP handshake, a port reverts back to transitioning through 802.1D states. Note that this
means that all RSTP benefits are lost on that port.
Two implementations of RSTP exist:
• Rapid Per-VLAN Spanning Tree Protocol (RPVST+)
• Multiple Spanning Tree (MST)
RPVST+ is Cisco proprietary, while MST is defined in the IEEE 802.1s standard.
To enable RPVST+ globally on a switch:
Switch(config)# spanning-tree mode rapid-pvst
Multiple Spanning Tree (MST)
3 versions of 802.1D STP were described:
• CST utilizes a single STP instance for all VLANs.
• PVST and PVST+ employ a separate STP instance for each VLAN.
PVST and PVST+ are more efficient, and allow STP to load balance VLANs across links.
This comes at a cost – maintaining a separate STP instance for each VLAN adds overhead
to the CPU and memory on a switch.
Multiple Spanning Tree (MST), defined in IEEE 802.1s, allows a group
of VLANs to be mapped to an STP instance.
Each MST instance (MSTI) builds its own RSTP topology database, including electing
its own Root Bridge. A VLAN can only be assigned to one instance.
MST further separates the STP topology into regions. All switches in a region must be
configured with identical MST parameters:
• 32-byte configuration name
• 16-bit revision number
• VLAN-to-instance mapping database
If two switches are configured with different MST parameters, they belong to different
MST regions.
For most Cisco platforms, a region can contain a maximum of 16 MST instances,
numbered 0 through 15. By default, all VLANs belong to instance 0.
The Internal Spanning Tree (IST) is responsible for maintaining the topology for the
entire region and all of the MSTIs. Only the IST can send and receive BPDUs, and
encapsulates the MSTI information within a BPDU as an MST record (M-record).
The IST is always mapped to instance 0.
MST is compatible with all other implementations of STP. The internals of an MST region
are hidden from non-MST switches, which see the entire MST region as a single 802.1D or
RSTP switch.
Multiple Spanning Tree (MST) (continued)
To enable MST globally on a switch:
Switch(config)# spanning-tree mode mst
Changes to MST parameters must be made from MST configuration mode:
Switch(config)# spanning-tree mst configuration
Switch(config-mst)#
To assign the MST configuration name and revision number:
Switch(config-mst)# name MYMSTNAME
Switch(config-mst)# revision 2
To map VLANs to specific MST instances:
Switch(config-mst)# instance 2 vlan 1-100
Switch(config-mst)# instance 3 vlan 101-200
Remember: A maximum of 16 MST instances are supported, numbered 0 to 15. The MST
configuration name, revision number, and VLAN-to-instance mapping must be identical on
all switches in the same region.
All other MST parameters are configured identically to 802.1D STP, with two
exceptions:
• The mst parameter must be used on all commands
• All commands reference the MST instance instead of a VLAN.
Thus, to configure a switch as the Root Bridge for MST instance 2:
Switch(config)# spanning-tree mst 2 root primary
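The MST region rules above (name, revision and VLAN-to-instance mapping must match; instances 0 to 15; unmapped VLANs stay in instance 0) as a Python checker for MST configuration blocks gathered from several switches. This is an added example, not code from the slides or from IOS; the switch names and configuration text are constructed, and the region key is a sorted tuple rather than the MD5 digest IOS computes over the mapping table.

```python
import re

MAX_INSTANCES = 16   # instances 0..15 on most Cisco platforms; 0 is the IST

def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '1-100,200' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_mst_config(text: str) -> dict:
    """Parse the lines of a 'spanning-tree mst configuration' block. VLANs that
    are never mapped stay in instance 0; the last mapping for a VLAN wins."""
    cfg = {"name": "", "revision": 0, "map": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"name (\S+)", line):
            cfg["name"] = m.group(1)
        elif m := re.fullmatch(r"revision (\d+)", line):
            cfg["revision"] = int(m.group(1))
        elif m := re.fullmatch(r"instance (\d+) vlan (\S+)", line):
            inst = int(m.group(1))
            if not 0 <= inst < MAX_INSTANCES:
                raise ValueError(f"instance {inst} is outside 0-{MAX_INSTANCES - 1}")
            for vlan in expand_vlans(m.group(2)):
                cfg["map"][vlan] = inst      # a VLAN can belong to only one instance
    return cfg

def region_key(cfg: dict) -> tuple:
    """The three parameters that must match for two switches to share a region."""
    return (cfg["name"], cfg["revision"], tuple(sorted(cfg["map"].items())))

def group_regions(configs: dict) -> dict:
    """Map each distinct region key to the switches holding it; more than one
    key means the switches would split into separate MST regions."""
    regions = {}
    for switch, text in configs.items():
        regions.setdefault(region_key(parse_mst_config(text)), []).append(switch)
    return regions

# Constructed sample: SW1 and SW2 match, SW3 differs only in its revision number.
SAMPLE = {
    "SW1": "name MYMSTNAME\nrevision 2\ninstance 2 vlan 1-100\ninstance 3 vlan 101-200",
    "SW2": "name MYMSTNAME\nrevision 2\ninstance 3 vlan 101-200\ninstance 2 vlan 1-100",
    "SW3": "name MYMSTNAME\nrevision 3\ninstance 2 vlan 1-100\ninstance 3 vlan 101-200",
}
```

Running `group_regions(SAMPLE)` returns two keys: SW1 and SW2 share one region and SW3 forms its own, which is exactly the split a mismatched revision number causes on real switches.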