Chapter 3: Advanced STP

Tuning
Instructor Materials

CCNP Enterprise: Core Networking

Chapter 3 Content
This chapter covers the following content:

STP Topology Tuning - Giải thích về các lựa chọn cho phép thay đổi vị trí của
root bridge hoặc chuyển các port block thành port designated

Additional STP Protection Mechanisms - các cơ chế bảo vệ như root guard,
BPDU guard, STP loop guard

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
STP Topology Tuning
• Trong 1 network, 1 switch sẽ được chọn để làm root bridge

• Các yếu tố để thiết kế network là: phần cứng, khả năng phục hồi mạng, topology mạng

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
STP Topology Tuning
Root Bridge Placement
Để đảm bảo vị trí của root bridge hãy đặt mức độ ưu tiên của hệ thống như sau:
• Giá trị của root bridge là thấp nhất
• Secondary root bridge thứ 2 sẽ có giá trị ưu tiên cao hơn
• Các switch còn lại có giá trị ưu tiên cao hơn các secondary root bridge
Command Description
spanning-tree vlan vlan-id priority priority The priority is a value between 0 and 61,440, in
increments of 4,096.

spanning-tree vlan vlan-id root {primary | The primary keyword sets the priority to 24,576,
secondary} [diameter diameter] and the secondary keyword sets the priority to
28,672. The optional diameter command makes it
possible to tune the Spanning Tree Protocol (STP)
convergence and modifies the timers.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
STP Topology Tuning
Configuring the Root Bridge
In the example:
• The initial priority for VLAN 1 on SW1 is
verified, 32,769.
• SW1 is configured to be the primary root for
VLAN 1
• The priority is verified again to ensure the
change took place.
STP Topology Tuning

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Configuring the Backup Root Bridge
In the example:
• The initial priority for VLAN 1 on SW2 is
verified, 32,769.
• SW2 is configured to be the secondary
root for VLAN 1
• The priority is verified again to ensure the
change took place.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
STP Topology Tuning
Modifying STP Root Port & Blocked Switch Port Locations
Calculating total path cost to the root bridge:
• SW1 sends a BPDU to SW3 with
the path cost of 0.
• SW3 receives the BPDU and adds
its root port cost (4) to cost from the
BPDU (0), resulting in the cost of 4.
• SW3 sends a BPDU to SW5 with
the path cost of 4.
• SW5 receives the BPDU and adds

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
its root port cost (4) to the cost from the BPDU (4), resulting in the cost of 8 for
SW5 to reach the root bridge.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
STP Topology Tuning

Verifying the Total Path Cost

The example highlights the total path cost to
the root bridge from SW3 and SW5.

Note: There is not a total path cost in

SW1’s output

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
STP Topology Tuning
Modifying STP Port Cost

• The spanning tree [vlan vlan-id] cost cost

command can be used to modify the STP
forwarding path.

• Lệnh spanning tree sẽ sửa đổi giá trị cho tất

cả các VLANs. Nếu muốn thay đổi cho 1
VLAN cụ thể cần thêm giá trị vlan-id.

Modifying STP Port Priority

STP port priority ảnh hưởng đến việc port nào
sẽ trở thành port thay thế khi có nhiều kết nối
giữa các switch.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
STP Topology Tuning

spanning-tree [vlan vlan-id] port-priority priority to change the STP port priority on a
switch’s interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
 Additional STP Protection Mechanisms
• Vòng loop sẽ sảy ra khi có nhiều kết nối đồng thời giữa các thiết bị. Lưu lượng Broadcast
and multicast sẽ được đẩy ra tất cả các cổng của switch sẽ tiếp tục gây ra vòng loop
• Throughtput trong mạng sẽ bị ảnh hưởng nghiêm trọng do các thiết bị chuyển mạch phải
xử lý nhiều frame, CPU của switch sẽ tăng cao gây, khi đó các switch có thể gặp sự cố
quá tải gây ảnh hưởng đến mạng.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Additional STP Protection Mechanisms
Additional STP Protection Mechanisms
Các nguyên nhân gây ra forwarding loops:
• STP không được cấu hình trên switch.
• Router hoặc bộ định tuyến bị lỗi gửi lưu lượng ra nhiều cổng có cùng địa chỉ MAC.
• 1 switch ảo kết nối 2 cổng vật lý.
• End users sử dụng 1 switch không quản lý được hoặc hub.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
Root Guard
Root guard là 1 tính năng của STP để cấu hình trên 1 cổng để cổng đó không
bao giờ thành root port
• Thực hiện bằng cách đặt cổng ở trạng thái ErrDisabled nếu nhận được 1
superior BDPU.
• Root guard được đặt ở các designated ports trên các switches sao cho
chúng không bao giờ trở thành root bridges.
• Root guard được bật trên port-by-port basis.

• spanning-tree guard root to enable root guard.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Additional STP Protection Mechanisms
STP Portfast
STP portfast vô hiệu hóa việc tạo thông báo (TCN) và khiến các cổng switch bỏ qua trạng
thái học và nghe rồi chuyển sang trạng thái forwarding ngay lập tức. Nếu 1 BPDU được
nhận trên port đã bật portfast thì chức năng portfast sẽ bị hủy bỏ
Command Description
spanning-tree portfast Interface command to enable portfast on a
specific access port
spanning-tree portfast default Global command to enable portfast on all
access ports
spanning-tree portfast disable Disable portfast on a port

spanning-tree portfast trunk Command used on trunk links to enable

portfast *This command should only be used
with ports connected to a single host.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Additional STP Protection Mechanisms
STP Portfast Examples
The following shows how to enable STP portfast globally and on a specific interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Additional STP Protection Mechanisms
BPDU Guard
BPDU guard là 1 cơ chế an toàn cho phép shutdown các cổng đã cấu hình ports
configured STP portfast khi nhận được BPDU.

Command Description
spanning-tree portfast bpduguard default Global command to enable BPDU guard on
all STP portfast ports
spanning-tree portfast bpduguard default Interface command to enables or disable
{enable | disable} BPDU guard on a specific interface
show spanning-tree interface interface-id Displays whether BPDU guard is enabled for
detail the specified interface
Note: BPDU Guard is typically configured with all host-facing ports that are enabled with
portfast.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
Additional STP Protection Mechanisms
BPDU Guard Examples
The following shows how to configure BPDU guard and a BPDU guard-enabled port
detecting a BPDU.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
Additional STP Protection Mechanisms

The show interfaces statuscommand

shows the err-disabled status of the port
that received the BPDU.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
Additional STP Protection Mechanisms
BPDU Guard Error Recovery
The Error Recovery service cho phép kích hoạt lại các cổng bị shutdown. Các cổng được
đưa vào chế độ ErrDisabled do bảo vệ BPDU guard sẽ không tự động khôi phục lại. Sử
dụng các lệnh sau để khôi phục lại:
Command Description
errdisable recovery cause bpduguard Recovers ports shutdown by BPDU guard

errdisable recovery interval time-seconds The period that Error Recovery checks for ports

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Additional STP Protection Mechanisms
BPDU Guard Error Recovery Example
The following example shows how to configure the Error Recovery service.

Note: The Error Recovery service operates every

300 seconds (5 minutes). This can be changed
from 5 to 86,000 seconds with the global
command errdisable recovery interval time
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Additional STP Protection Mechanisms
BPDU Filter
BPDU chặn BPDUs truyền ra khỏi cổng. Nó có thể cấu hình global hoặc trên 1 cổng cụ
thể nào đó
. hơn any BPDUs but still passes them
along to inferior switches.
Lệnh lọc Global BPDU: spanning-tree
• switch sẽ xử lý các BPDUs nhưng
portfast bpdufilter default
nó sẽ không chuyển tiếp BPDUs đến các
switches cao cấp hơn
Với cấu hình global BPDU port sẽ gửi 1 loạt
Lệnh lọc BPDU trên cổng: Spanning-tree
10 – 12 BPDUs. Nếu switch nhận được bất
bpdufilter enable
kỳ BPDUs, nó sẽ kiểm tra xem switch nào
được ưu tiên cao hơn.
Với cấu hình BPDU trên cổng, cổng đó sẽ
•Switch được ưu tiên cao hơn sẽ không xử
không liên tục gửi BPDU. Nếu cổng ở xa
lý BPDUs nhưng nó sẽ chuyển cho sw kém
có BPDU guard nó sẽ shutdown cổng như
1 cơ chế chống loop
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
Additional STP Protection Mechanisms
Verifying a BPDU Filter
The following shows using the show spanning-tree interface interface-id detail command
to verify that BPDU filter is enabled.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
Additional STP Protection Mechanisms
Problems with Unidirectional Links
Các thiết bị mạng kết nối với nhau bằng cáp quang có thể sẽ gặp phải lưu lượng
1 chiều khi có 1 đường truyền bị đứt. BPDUs sẽ không được chuyển tiếp và các
switches khác sẽ hết thời gian chờ BPDU gửi từ root port và sẽ gây ra loop

2 giải pháp cho vấn đề liên kết 1 chiều:

• STP Guard
• Unidirectional Link Detection (Phát hiện liên kết 1 chiều)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Additional STP Protection Mechanisms
STP Loop Guard
STP Loop guard prevents any alternative or root ports from becoming designated ports
due to loss of BPDUs on the root port. Loop guard sẽ đặt cổng vào trạng thái ErrDisabled
trong khi không nhận được BPDUs và sẽ chuyển về trạng thái STP khi bắt đầu nhận lại
BPDUs.
Command Description
spanning-tree loopguard default Global command to enable loop guard

spanning-tree guard loop Interface command to enable loop guard

show spanning-tree inconsistent-ports Shows ports in the inconsistent state due to

the port not receiving BPDUs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Additional STP Protection Mechanisms
Note: Loop guard không nên bật trên cổng đã được bật chế độ portfast vì nó
sẽ gây xung đột với cổng gốc /alternate port logic

STP Loop Guard Examples

VD sau trình bày cách cấu hình loop guard, triggering loop guard by blocking BPDUs and
the port in an inconsistent state.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Additional STP Protection Mechanisms

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Additional STP Protection Mechanisms
Unidirectional Link Detection
Unidirectional Link Detection (UDLD) cho phép giám sát 2 chiều cáp quang.

UDLD operates in two modes:

• Normal – If a frame is not acknowledged, Liên kết được coi là không xác
định và cổng vẫn hoạt động
• Aggressive – If a frame is not acknowledged, switch sẽ gửi 8 packets in
1 second . Nếu không nhận được xác nhận cổng sẽ rơi vào trạng thái lỗi.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Additional STP Protection Mechanisms
UDLD Commands
The following are commands for configuring and verifying UDLD:
Command Description
udld enable [aggressive] Global command to enable UDLD. *Optional
aggressive keyword sets the mode to aggressive.
udld port [aggressive] Interface command to enable UDLD *Optional
aggressive keyword sets the mode to aggressive.
udld port disable Disable UDLD on a specific interface

udld recovery [interval time] Enables UDLD recovery. The time default value is 5
minutes.
show udld neighbors Displays the status of UDLD neighborship

show udld interface-id Displays detailed information about UDLD

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Additional STP Protection Mechanisms

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Additional STP Protection Mechanisms
Configuring & Verifying UDLD Examples
The following are examples for configuring and verifying UDLD:

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Additional STP Protection Mechanisms

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Prepare for the Exam

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Prepare for the Exam

Key Topics for Chapter 3

Description

Root bridge placement

Root bridge values
Spanning tree port cost
Root guard
STP portfast
BPDU guard

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Prepare for the Exam

BPDU filter
Key Terms for Chapter 3
Terms

BPDU filter
Root guard
STP loop guard
BPDU guard
STP portfast

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Prepare for the Exam

Unidirectional Link Detection (UDLD)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Prepare for the Exam

Command Reference for Chapter 3

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
Prepare for the Exam

Command Reference for Chapter 3 (Cont.)

Task Command Syntax
spanning-tree portfast bpdufilter default OR
Enable BPDU guard globally or for a specific
spanning-tree bpdufilter enable
interface

spanning-tree loopguard default OR

Enable STP loop guard globally or for a specific spanning-tree guard loop
interface

Enable automatic error recovery for BPDU guard.

errdisable recovery cause bpduguard

spanning-tree portfast bpdufilter default OR

Enable BPDU guard globally or for a specific spanning-tree bpdufilter enable
interface

spanning-tree loopguard default OR

Enable STP loop guard globally or for a specific spanning-tree guard loop
interface

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38

Task Command Syntax

 spanning-tree vlan vlan-id root {primary | secondary}
Configure the STP priority for a switch [diameter diameter]
Prepare for the Exam
so that it is a root bridge or a backup root bridge OR
spanning-tree vlan vlan-id priority priority
Enable automatic error recovery for BPDU guard.
Configure the STP port cost spanning tree
errdisable [vlan cause
recovery vlan-id]bpduguard
cost cost
Configure the STP port priority on the downstream
Command
port Reference for Chapter 3 (Cont.)
spanning-tree [vlan vlan-id] port-priority priority

Enable
Taskroot guard on an interface spanning-tree guard root
Command Syntax
spanning-tree portfast default
Change the automatic error recovery
errdisable recovery interval time-seconds
OR
timeSTP portfast globally, for a specific port, or
Enable
spanning-tree portfast
for a trunk port
Enable UDLD globally or for a specific OR
udld enable [aggressive] OR
spanning-tree portfast trunk
port udld port [aggressive]
spanning-tree portfast bpduguard default
Enable BPDU
Display guard
the list globally
of STPorports
for a specific
in an OR
switch port
inconsistent state show spanning-tree inconsistentports
spanning-tree bpduguard {enable | disable}
Display the list of neighbor devices
running UDLD show udld neighbors

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39