Inter-VLAN Routing
🌐 The most efficient way to implement inter-VLAN routing is with SVIs on multilayer switches.
🚫You can use the SVI autostate exclude command to configure a port so that it is not included in
the SVI line-state up-and-down calculation.
🔗 Layer 2 EtherChannel uses access layer or trunk ports to bundle the interfaces, whereas Layer 3
EtherChannel uses routed ports for bundling.
🌐Routing needs to be enabled explicitly on some routers for routing across VLANs or other
networks.
A router can be used as the DHCP server that answers client IP requests. Configuration examples are
provided not only to allow certain IP ranges but also to exclude certain ranges.
🔍 To request an IP address at boot, a DHCP client broadcasts DHCPDISCOVER messages. The DHCP
server responds with a unicast DHCPOFFER message.
🔄 With DHCP relay, configured with the ip helper-address command, a client's DHCP request can be
forwarded across VLAN boundaries.
With DHCP options, you can provide clients with TFTP and other critical server information (for
example, the TFTP server address in the case of an IP phone).
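As an added example (not from the original notes), the following Cisco IOS configuration turns a router into the DHCP server for a data VLAN and a voice VLAN, excludes the addresses reserved for the gateway and statically addressed devices, and hands IP phones their TFTP server via option 150. The addresses, pool names and VLAN numbers are assumed values.

```cisco
! Addresses that must never be leased: the gateway plus a block kept for
! statically addressed devices (assumed ranges). Exclusions are global and
! apply to every pool that covers these addresses.
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.10.250 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.20
!
! Pool for VLAN 10 clients. The router selects this pool because the request
! arrives on (or is relayed from) an interface whose address is in 10.10.10.0/24.
ip dhcp pool VLAN10-DATA
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.1.1.10
 domain-name example.lab
 lease 0 8
!
! Voice VLAN pool: option 150 carries the TFTP server list that Cisco IP phones
! use to download their configuration files.
ip dhcp pool VLAN20-VOICE
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 option 150 ip 10.1.1.20
 lease 0 8
!
! Verification: leases currently handed out, and addresses the server found
! already in use (it probes with ping before offering them).
! show ip dhcp binding
! show ip dhcp conflict
! show ip dhcp server statistics
```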
📝 Summary
🔄 Inter-VLAN routing provides communication between devices in different VLANs. A VLAN is a
single broadcast domain, and devices within a VLAN cannot communicate beyond VLAN
boundaries unless through a Layer 3 device. Multilayer switches support two types of Layer 3
interfaces: routed ports and SVIs (VLAN interfaces).
🔄 Routed ports are point-to-point connections, such as those interconnecting the building
distribution submodules and the campus backbone submodules when using Layer 3 in the
distribution layer.
🔄SVIs are VLAN interfaces that route traffic between VLANs and VLAN group ports. In multilayer
switched networks with Layer 3 in the distribution layer and Layer 2 in the access layer, SVIs can
route traffic from VLANs on the access layer switches.
🔄On multilayer switches, Layer 3 links can be aggregated using Layer 3 EtherChannels.
🔄 The DHCP server function can be configured on Cisco switches and routers.
🔄If the network uses a centralized DHCP server, a DHCP relay agent feature can be configured on
the switches by using the ip helper-address command.
lists the common problems that can be seen during Inter-VLAN routing
configuration.
🚨 Troubleshooting Inter-VLAN Problems 🔍
The following are some checkpoints to use when troubleshooting inter-VLAN routing issues:
Correct routes. 🌐
Before implementing inter-VLAN routing on a multilayer switch, it is important to plan the right
steps that are necessary to make it successful. Planning, which includes logically organizing the
necessary steps and providing checkpoints and verification, can help you reduce the risk of
problems during the installation: 🚧
The first step is to identify the VLANs that require a Layer 3 gateway within the multilayer switch.
🔄 It is possible that not all VLANs will need to reach other VLANs within the enterprise. For
example, a company may have a VLAN in use in an R&D laboratory. The network designer has
determined that this VLAN should not have connectivity with other VLANs in the enterprise or to
the Internet. However, the R&D VLAN is not a local VLAN but spans the switch fabric, due to the
presence of an R&D server in the data center, so you cannot simply prune it from the trunk between
the multilayer switch and the R&D lab switch. One way of ensuring the desired segregation might
If a VLAN needs to be routed, create an SVI interface for each VLAN to be routed within the
multilayer switch. 🔄 Assuming that the enterprise uses only IP as a routed protocol, configure each
SVI interface with an appropriate IP address and mask. At that point, just enable the SVI interface
using the no shutdown interface command.
In that case, you must enable the routing function on the multilayer switch. Routing is usually not
enabled by default. 🔄 You can also configure the multilayer switch to exchange routes via a
dynamic routing protocol. Dynamic routing protocols are discussed.
Depending on the size of the network and the design that you provide, it might be necessary for
the multilayer switch to exchange dynamic routing protocol updates with one or more other
routing devices in the network. 🔄 You must determine whether this need exists, and if so,
configure an appropriate dynamic routing protocol on the multilayer switch. The choice of
protocol may be specified by the network designer, or the choice may be left to you. 🔄🌐
Finally, after carefully considering the network structure, you may decide to exclude certain
switch ports from contributing to the SVI line-state up-and-down calculation. 🤔 You would
configure any such switch ports by using the autostate exclude interface configuration command.
The SVI interface is brought up when one Layer 2 port in the VLAN has had time to converge
(transition from STP listening-learning state to forwarding state). 🔄 The default action when a
VLAN has multiple ports is that the SVI goes down when all ports in the VLAN go down. This
action prevents features such as routing protocols from using the VLAN interface as if it were fully
You can use the SVI autostate exclude command to configure a port so that it is not included in
the SVI line-state up-and-down calculation. One example is the use of a network analyzer, where
the traffic capture is being made without the device being an active participant in the VLAN that
When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port. 🔄
You would therefore need to carefully consider the implications of activating this feature on a
trunk link. 🤔
Path for Traffic Forwarding Using SVI
🔄 Configuring Inter-VLAN Routing Using SVI and Routed Ports 🌐
This section discusses how to configure not only SVIs but also routed ports and routing on a
multilayer switch. 🚀 The topology of the core, aggregation, and access layer models. 📊
To configure routed ports, make sure to configure the respective interface as a Layer 3 interface
using the no switchport interface command if the default configurations of the interfaces are
Layer 2 interfaces, as with the Catalyst 3560 family of switches. 🔄 In addition, assign an IP address
and other Layer 3 parameters as necessary. 🌐 After assigning the IP address, make certain that IP
routing is globally enabled and that applicable routing protocols are configured.
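The SVI planning steps and the routed-port procedure above, carried through as one added configuration example (not the original notes' own): a Catalyst multilayer switch with SVIs for VLANs 10 and 20, a relay to a central DHCP server, a network-analyzer port excluded from the autostate calculation, and a routed point-to-point uplink toward the core. Addresses, interface names and the helper address are assumed.

```cisco
! Layer 3 forwarding is off by default on many Catalyst switches. Without this
! line the SVIs answer ARP for their own addresses but never route between VLANs.
ip routing
!
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name RND-LAB
!
! One SVI per VLAN that needs a Layer 3 gateway. VLAN 99 deliberately gets
! none: the VLAN still spans the fabric, but with no SVI on the multilayer
! switch it cannot reach other VLANs or the Internet through this device.
interface Vlan10
 description Gateway for DATA VLAN
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.1.1.5
 no shutdown
!
interface Vlan20
 description Gateway for VOICE VLAN
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.1.1.5
 no shutdown
!
! Network-analyzer port: an access port in VLAN 10 that should not, on its own,
! keep interface Vlan10 up when every real host port in the VLAN is down.
! Note: autostate exclude applies to every VLAN carried on the port.
interface GigabitEthernet1/0/24
 description Packet capture station
 switchport mode access
 switchport access vlan 10
 switchport autostate exclude
!
! Routed port toward the core. "no switchport" removes the Layer 2 personality
! (no STP, no VTP, no VLAN membership) and the port is addressed like a router
! interface. A /30 is enough for a point-to-point link.
interface GigabitEthernet1/1/1
 description P2P link to CORE-1
 no switchport
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
! Verification:
! show ip interface brief        SVIs and the routed port should be up/up
! show interfaces vlan 10        line protocol follows the member-port state
! show ip route                  one connected route per VLAN subnet and uplink
```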
The number of routed ports and SVIs that can be configured on a switch is not limited by
software. However, the interrelationship between these interfaces and other features configured
on the switch may overload the CPU because of hardware limitations, so a network engineer
should fully consider these limits before configuring these features on numerous interfaces.
Routed ports are used mostly for point-to-point links that connect the data center or distribution
blocks to the core blocks, so both SVIs and routed ports can be present on a Layer 3 switch. 🌐
Like Layer 3 SVIs, routed ports are hardware-switched, so routing is performed in hardware. 💡
A routed port is a physical port that acts similarly to a port on a traditional router
with Layer 3 addresses configured. 🔄 Unlike an access port, a routed port is not
associated with a particular VLAN. 🚫 A routed port behaves like a regular router
interface. Also, because Layer 2 functionality has been removed, Layer 2 protocols,
such as Spanning Tree Protocol (STP) and VLAN Trunking Protocol (VTP), do not
function on a routed interface. However, protocols such as Link Aggregation Control
Protocol (LACP), which can be used to build either Layer 2 or Layer 3 EtherChannel
Note 📝
Routed ports are used for point-to-point links; connecting WAN routers and
connecting security devices are examples of the use of routed ports. In the campus
switched network, routed ports are mostly configured between switches in the
campus backbone and building distribution switches if Layer 3 routing is applied in
the distribution layer. 🏫 an example of routed ports for point-to-point links in a
✨ Advantages of SVI ✨
🌐 Elimination of External Links: No requirement for external links connecting the switch to the
router for routing purposes.
🔄 Enhanced Bandwidth Options: Multiple links are supported; Layer 2 EtherChannels can be
employed between switches to boost bandwidth.
🚀 Low Latency Advantage: Significantly reduced latency since data doesn't need to leave the
switch for processing.
🌌 Disadvantages of SVI 🌌
💰 Cost Considerations: Requires a Layer 3 switch for inter-VLAN routing, which can be more
expensive (e.g., Catalyst 3560 series).
📊 Visual Representation: SVI Advantages and Disadvantages
🔍 Conclusion: While SVI brings notable advantages like speed, streamlined connections, and low
latency, it's essential to weigh the cost factor associated with needing a Layer 3 switch, especially
in scenarios like the Catalyst 3560 series. Balancing these aspects ensures informed decisions in
network design.
🌐 Creation Flexibility: Any VLAN existing on the switch can have an SVI created for it.
Notably, each SVI corresponds to a single VLAN.
🎮 Virtual Nature: Despite lacking a dedicated physical port, an SVI emulates the
functionality of a router interface. It performs similar functions and is configured
much like a router interface, encompassing aspects such as IP address,
inbound/outbound access control lists (ACLs), and more.
🔄 Configuration Resemblance: The SVI, while "virtual," aligns with the configuration
principles of a router interface, offering a seamless transition. This includes the ability
to set IP addresses, manage inbound/outbound ACLs, and undertake other typical
router interface tasks.
🌐 Layer 3 Processing Hub: Serving as the Layer 3 processing hub, the SVI for a VLAN
facilitates packet processing to and from all switch ports affiliated with that particular
VLAN.
Visual Representation: SVI Configuration
🔄 Summary: In essence, the SVI's virtual prowess lies in its adaptability, mirroring
router interface functionalities without the need for dedicated physical ports. It
emerges as a versatile tool for efficient Layer 3 processing across switch ports
associated with a specific VLAN.
🔄 Inter-VLAN Routing with Switch Virtual Interfaces 🔄
🔍 Background: In the early era of switched networks, switching operated swiftly, often
at hardware speed, while routing was comparatively slower, necessitating software-
based processing. This led network designers to maximize the switched segment of
the network. Access, distribution, and core layers were configured to communicate
primarily at Layer 2, forming a switched architecture.
🔄 Switched Architecture: Switched Architecture
🔄 Challenge: However, this approach introduced loop issues within the network
topology, prompting the need for solutions.
🔄 Resulting Topology: Resulting Topology
🔗 Conclusion: The integration of switch virtual interfaces allowed for effective Inter-
VLAN routing, balancing the speed of switching with the loop-preventing
mechanisms of routing. This evolution marked a shift from the exclusively switched
architecture to a more robust and secure network design.
🌐 Advantages of External Routers 🌐
🔄 Compatibility: An external router seamlessly works with any switch, eliminating the need for
Layer 3 services on the switch. This is particularly useful for switches at the access layer of a
hierarchical network that may lack Layer 3 forwarding capability.
🔧 Single Point of Failure: The router represents a potential single point of failure in the network
architecture.
🚥 Congestion Risks: In a router-on-a-stick model, the trunk link's speed is limited by the router
interface, leading to potential congestion. The extent of this issue depends on network size, inter-
VLAN traffic, and router interface speed.
Latency Concerns: Frames leaving and reentering the switch chassis multiple times, coupled with
software-based routing decisions by the router, introduce latency. Software-based routing
decisions inherently incur greater latency than hardware-based switching.
🔗 Physical Limitations: External routers face limitations such as link congestion, latency, and speed.
Consequently, it's not recommended for large deployments. Instead, it finds suitability in small
networks or branch offices of small to medium-sized businesses, where the cost of high-
performing, multilayer switches is not justified.
📝 Note 📝
🔍 Except for some models of Catalyst 2960 series switches, all switches support integrated inter-
VLAN routing.
In the configuration, PC1 is part of VLAN 10 and communicates with PC2 in VLAN 20 via an
external router using subinterfaces. Complete the following steps for both configuration and
verification:
🔧 Step 1: On R1’s Ethernet 0/0, configure a subinterface for routing of VLAN 10 traffic.
The router that provides inter-VLAN routing must be configured with subinterfaces.
🔢 The subinterface number does not have to match the encapsulation VLAN number.
However, it is a good practice to do so because it makes it easier to manage the
configuration.
🌐 The IP address on the subinterface is used as the default gateway IP address for
clients in that VLAN.
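The steps above carried through as an added example (not from the original notes): R1 gets one 802.1Q subinterface per VLAN on Ethernet 0/0, and the switch port facing R1 is a trunk that carries only VLANs 10 and 20. The addresses and the switch interface names are assumed.

```cisco
! ----- R1: router-on-a-stick -----
! The physical interface carries the trunk and gets no address of its own.
interface Ethernet0/0
 description 802.1Q trunk to SW1
 no ip address
 no shutdown
!
! Subinterface numbers match the VLAN IDs only by convention. The
! "encapsulation dot1Q <vlan>" line is what binds a subinterface to a VLAN,
! and its IP address is the default gateway for hosts in that VLAN.
interface Ethernet0/0.10
 description VLAN 10 gateway
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0.20
 description VLAN 20 gateway
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
! ----- SW1: Layer 2 switch, port facing R1 must be a trunk -----
vlan 10
 name DATA
vlan 20
 name VOICE
!
! Limit the trunk to the VLANs the router actually serves and turn off DTP,
! so the port cannot be talked into a different mode by the far end.
interface Ethernet0/1
 description Trunk to R1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface Ethernet0/2
 description PC1
 switchport mode access
 switchport access vlan 10
!
interface Ethernet0/3
 description PC2
 switchport mode access
 switchport access vlan 20
!
! Verification:
! R1:  show ip interface brief   (both subinterfaces up/up)
!      show vlans                (per-VLAN subinterface packet counters)
! SW1: show interfaces trunk     (Et0/1 trunking, VLANs 10,20 allowed and active)
! PC1 (10.10.10.x, gateway 10.10.10.1) should now ping PC2 (10.10.20.x).
```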
To unlock the magic of 802.1Q trunking, imagine transforming a physical router interface into a
multitasking wizard capable of juggling multiple VLANs. 🧙Each VLAN gets its own logical and
addressable space, giving birth to what we call "subinterfaces."
In the grand spectacle of networking, behold Figure 5-4—an illustrative example of configuring
physical interface into distinct subinterfaces—one for each VLAN. 🎶 These subinterfaces become
the maestros orchestrating communication between VLANs.
Enter the configuration stage, where commands are the script, and the router takes center stage.
📜💡 guides us through the steps, showcasing how to set up the router-on-a-stick for seamless inter-
VLAN routing.
The router interface transforms into subinterfaces, each assigned to a specific VLAN. Think of it as
The trunk link connects the router to the switch, carrying the diverse VLAN traffic. It's like a
With the configurations in place, the router becomes the star of the show, routing packets
🌟 Curtains Close:
And there you have it—a behind-the-scenes glimpse into the enchanting world of configuring
inter-VLAN routing using an external router, where subinterfaces, trunking, and the router-on-a-
stick steal the spotlight. 🎬🔗 Get ready for more networking tales in the Topic ahead! 📘🌐
Ready to embark on a journey through the realms of Inter-VLAN Routing using an external
In the magical world of networking, a VLAN is like a choreographed dance, defining its broadcast
domain. 🕺💃 But here's the twist - at Layer 3, IP subnets take the lead in defining broadcast
domains. Picture a one-to-one dance, where each VLAN waltzes with its IP subnet partner. 🌐💑
Imagine a switch, a master of multiple VLANs, yet lacking the Layer 3 prowess to route their
packets. 😟 Fear not! Enter the external savior, often a router (or a multilayer switch, if feeling
fancy). The key to this magical connection? A trunk link, a bridge between worlds that carries the
where the router takes center stage, connected to a core switch through a dazzling 802.1Q trunk
link carrying the magic of VLAN 10 and 20. This, my friends, is the famed "router-on-a-stick"
configuration! 🚀 The router becomes the maestro, receiving packets from one VLAN and
In our example, PC1 unleashes its packets, guided by the router, reaching out to PC2 in a different
🌟 Curtains Close:
And there you have it, the enchanting tale of Inter-VLAN Routing with an external
router, where VLANs dance, routers conduct, and communication spans across
realms. 🎬🌐 Get ready for more networking adventures in the Topic to come! 📚🚀
🌐 Inter-VLAN Routing Devices 🚦
Ready to meet the heroes that make inter-VLAN routing possible? 🦸Look no further! :
🔧 Any Layer 3 Multilayer Catalyst Switch:
Behold the mighty Layer 3 multilayer Catalyst switch, your go-to for inter-VLAN routing prowess.
Meet the external router, equipped with the magical ability to support trunking—a true Router-
on-a-Stick! 🎩✨
🌐 Any External Router or Group of Routers with Separate Interfaces in Each VLAN:
The external router(s) flaunting a separate interface in each VLAN – a classic move, but watch out
📝 Important Note:
Adding a router per VLAN? Not the superhero move for scalability, especially with 20-50 VLANs.
And trunk interfaces on external routers? Scaling cap at 50 VLANs. This chapter sticks to the
📚 Knowledge Check:
Cisco IOS routers bring trunking support in specific feature sets, like the IP Plus feature set. Dive
into Cisco.com's documentation for software requirements before unleashing inter-VLAN routing
on Cisco IOS routers.
🚀 Why Router-on-a-Stick?
Simple and sweet! Routers are everywhere, making Router-on-a-Stick a quick win. Yet, the
enterprise playground favors multilayer switches for their packet-processing power in the millions
🌐 Routed Port:
A pure Layer 3 interface, akin to a Cisco IOS router's routed port. 🚢
Virtual VLAN interface magic for seamless inter-VLAN routing. SVIs, the unsung heroes! 🧙
Ready to route like a pro? The stage is set, and these devices are your backstage pass to inter-
Inter-VLAN Routing
In the dynamic realm of campus design, our distribution and collapsed core switches proudly
host a multitude of VLANs. 🏢 Switches at the distribution layer or in the collapsed core are like
party hubs, attracting multiple VLANs to the dance floor. But wait, for these VLANs to mingle and
communicate, we need a maestro to conduct the Layer 3 traffic orchestra.
This section spills the beans on the art of routing traffic from one VLAN to another. Picture this: a
router, an external maestro outside the Layer 2 switch, orchestrating the symphony of inter-VLAN
routing. 🎭🎶 Meanwhile, the Cisco Catalyst multilayer switch steps up to the plate, not just for intra-
VLAN frame forwarding but also for the grand spectacle of inter-VLAN routing.
🌐 Ever wondered how VLANs talk to each other? This is the curtain-raiser to the drama of inter-
VLAN routing.
🌐 Our external router takes the spotlight, showcasing the magic of inter-VLAN routing. Watch as
VLANs connect and communicate under its expert guidance.
🌐 Enter the multilayer switch with switch virtual interfaces (SVIs) in hand. Witness seamless
communication as VLANs dance through these virtual gateways.
🌐 Routed ports make their debut, offering a direct route for VLAN traffic. It's like having express
lanes for inter-VLAN speedsters.
🌐 Let's get hands-on! Learn the ropes of configuring inter-VLAN routing using SVIs and routed
ports. Spoiler: it's easier than you think.
🌐 Every great performance encounters hiccups. Dive into the art of troubleshooting inter-VLAN
routing, ensuring the show goes on without a hitch.
🎭 Curtains Down:
Master the symphony of inter-VLAN routing, from the external router's solo to the multilayer
switch's ensemble. Get ready to troubleshoot any unexpected plot twists along the way! 🎻🎓
🔄 STP is a fundamental protocol to prevent Layer 2 loops and at the same time provide
redundancy in the network. This chapter covered the basic operation and configuration of RSTP
and MST. Enhancements now enable STP to converge more quickly and run more efficiently.
🔄 RSTP provides faster convergence than 802.1D when topology changes occur. RSTP enables
👀 show spanning-tree is the main family of commands used to verify RSTP operations.
🔄 MST reduces the encumbrance of PVRST+ by allowing a single instance of spanning tree to run
The Cisco STP enhancements provide robustness and resiliency to the protocol. These
enhancements add availability to the multilayer switched network. These enhancements not only
isolate bridging loops but also prevent bridging loops from occurring.
🔒 To protect STP operations, several features are available that control the way BPDUs are sent
and received:
📸 BPDU Filter is a variant that prevents BPDUs from being sent and received while leaving the port
in forwarding state. 🔒❌
📸 Root Guard prevents root switch being elected via BPDUs received on a Root Guard-configured
port.
📸 Loop Guard detects and disables an interface with Layer 2 unidirectional connectivity, protecting
📸 UDLD detects and disables an interface with unidirectional connectivity, protecting the network
🔄 In most implementations, the STP Toolkit should be used in combination with additional
🔍 STP troubleshooting is achieved with careful planning and documentation before the problem
and following a set of logical troubleshooting steps to identify and correct the problem. The
troubleshooting exercise needs to be completed by documenting findings and making
🔄 STP allows physical path redundancy, while preventing the effect of loops.
📸 If you don’t manually set the root bridge, the oldest and thus slowest switch might become the
📸 RPVST+ has a faster convergence time because of its immediate transition to the forwarding
state in the most common scenario. It is highly recommended to always configure RSTP if
possible. 🔄⏩
📸 If not all the switches have the RSTP configured, interfaces that lead to legacy STP switches will
📸 UplinkFast and BackboneFast make non-RSTP networks converge faster; they do not need to be enabled with RSTP. 🚀
📸 Modify STP switches’ priority and implement Root Guard. It prevents unwanted switches in your
📸 UDLD and FlexLinks are not STP mechanisms. UDLD helps STP detect unidirectional links, and
📸 With MST, use trunks and do not prune VLANs from trunks. 🔄🚫🌲
📸 MST instance 0 is the only one that communicates to other regions and non-MST switches.
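As an added example (not the original notes' own configuration), the STP protection features summarized above applied by port role on an access switch: PortFast with BPDU Guard on host ports, Root Guard on a port toward a lab switch that must never become root, and Loop Guard plus aggressive UDLD on the fiber uplinks. Interface names, VLAN numbers and the recovery interval are assumed.

```cisco
spanning-tree mode rapid-pvst
!
! Make the root election deterministic. The distribution switch should win,
! so this access switch is given the worst (highest) priority for every VLAN.
spanning-tree vlan 1-4094 priority 61440
!
! BPDU Guard globally on every PortFast port: if a switch, a hub loop or a
! looped patch cable ever sends a BPDU into a host port, the port is
! err-disabled instead of joining the topology.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/1 - 44
 description User ports
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Downstream port to a small lab switch. Root Guard keeps that switch from
! being elected root no matter what priority gets configured on it: the port
! goes root-inconsistent until the superior BPDUs stop.
interface GigabitEthernet1/0/45
 description Lab switch
 switchport mode trunk
 spanning-tree guard root
!
! Uplinks. Loop Guard stops a blocking port from moving to forwarding when
! BPDUs simply stop arriving (the unidirectional-link case); aggressive UDLD
! err-disables a one-way fiber outright.
udld aggressive
!
interface range GigabitEthernet1/1/1 - 2
 description Uplinks to distribution
 switchport mode trunk
 spanning-tree guard loop
 udld port aggressive
!
! Let err-disabled ports recover on their own once the fault is gone, so a
! transient event does not need an operator to clear every port by hand.
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
!
! Verification:
! show spanning-tree summary            per-feature counts (guard, portfast)
! show spanning-tree inconsistentports  ports held by Root Guard or Loop Guard
! show udld neighbors                   bidirectional state of each uplink
! show interfaces status err-disabled   ports that tripped, and why
```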
A unidirectional link is a frequent cause for a bridging loop. An undetected failure on a fiber link
or a problem with a transceiver usually causes unidirectional links. With STP enabled to provide
redundancy, any condition that results in a link maintaining a physical link connected status on
both link partners but operating in a one-way communication state is detrimental to network
stability because it could lead to bridging loops and routing black holes.
To resolve this problem, configure aggressive mode UDLD to detect incorrect cabling or
unidirectional links and automatically put the affected port in err-disabled state. The general
recommended practice is to use aggressive mode UDLD on all point-to-point interfaces in any
Frame Corruption
Frame corruption is another cause for STP failure. If an interface is experiencing a high rate of
physical errors, the result may be lost BPDUs, which may lead to an interface in the blocking state
moving to the forwarding state. However, this case is rare because STP default parameters are
conservative. The blocking port needs to miss consecutive BPDUs for 50 seconds before
transitioning to the forwarding state. In addition, any single BPDU that is successfully received by
the switch breaks the loop. This case is more common for nondefault STP parameters and
aggressive STP timer values. Frame corruption is generally a result of a duplex mismatch, bad
Even on high-end switches that perform most of their switching functions in hardware with
specialized application-specific integrated circuits (ASICs), STP is performed by the CPU (software
based). Therefore, if the CPU of the bridge is overutilized for any reason, it might lack the
resources to send out BPDUs. STP is generally not a processor-intensive application and has
priority over other processes; therefore, a resource problem is unlikely to arise. However, you
need to exercise caution when multiple VLANs in PVST+ mode exist. Consult the product
documentation for the recommended number of VLANs and STP instances on any specific
As discussed earlier in this chapter, the PortFast feature, when enabled on a port, bypasses the
listening and learning states of STP, and the port transitions to the forwarding mode on linkup.
The fast transition can lead to bridging loops if configured on incorrect ports.
The problem with this type of transient loop condition is that if the looping traffic is intensive, the
bridge might have trouble successfully sending the BPDU that stops the loop. The BPDU Guard
Troubleshooting STP
Bridging loops 🔄 generally characterize STP problems. Troubleshooting STP involves identifying
and preventing such loops.
The primary function of STP is to prevent loops created by redundant links in bridged networks.
STP operates at Layer 2 of the OSI model. STP fails in specific cases, such as hardware or software
anomalies. Troubleshooting these situations is typically difficult depending on the design of the
network.
The following subsections highlight common network conditions that lead to STP problems:
📸 Duplex Mismatch
📸 Resource errors
Duplex Mismatch
The worst-case scenario for a duplex mismatch is when a bridge that is sending
BPDUs is configured for half duplex on a link while its peer is configured for full
duplex. The duplex mismatch on the link between Switch A and Switch B could
potentially lead to a bridging loop. Because Switch B is configured for full duplex, it
starts forwarding frames even if Switch A is already using the link. This is a problem
for Switch A, which detects a collision and runs the backoff algorithm before
attempting another transmission of its frame. If there is enough traffic from Switch B
to Switch A, every packet (including the BPDUs) sent by Switch A is deferred or has a
collision and is subsequently dropped. From an STP point of view, because Switch B
no longer receives BPDUs from Switch A, it assumes that the root bridge is no longer
present. Consequently, Switch B moves its port to Switch C into the forwarding state,
👁🗨 Scenario:
Part 1 of Figure 4-43 depicts a network where VLANs are manually pruned on trunks.
As pruning isn't consistent with MST configuration, VLAN 10's traffic is blocked
between Switch 1 and Switch 2.
🔍 Verification Output:
The provided commands configure the MST port priority for interface Ethernet 0/2 to
32. The subsequent show spanning-tree mst command on SW3 verifies the settings.
🌐 Interpretation:
Interface Configuration:
Et0/2: Root, Forwarding (FWD), Cost: 1000000, Priority: 32
This demonstrates the adjustment of MST port priority for Et0/2, ensuring it stands
Port priority operates similarly in MST, but here's the twist – port priorities are configured per
instance. 🔄
MST, adhering to STP principles, follows a sequence of four criteria to determine the optimal
path:
You wield the power to assign higher sender's priority values (lower numeric values) to prioritize
interfaces and lower sender's priority values (higher numeric values) to those you want selected
last. 📈 If all sender's interfaces share the same priority value, MST prioritizes the one with the
lowest sender port ID, designating it as forwarding while blocking the others. 🚦 showcases the
configuration sample for port priority in MST and how to verify it. 🔍🔧
The given commands configure the MST cost of interface Ethernet 0/2 to 1000000.
The subsequent show spanning-tree mst command on SW3 confirms the changes.
🌐 Interpretation:
Interface Configuration:
Et0/2: Root, Forwarding (FWD), Cost: 1000000
Et0/3: Alternate, Blocking (BLK), Cost: 2000000
Et1/0, Et1/1: Designated, Forwarding (FWD), Cost: 2000000
This setup demonstrates the adjustment of the MST path cost for Et0/2, ensuring it
Path cost operates similarly in MST, but with a twist – port costs are configured per instance. 🔄
MST, aligning with STP principles, employs a sequence of four criteria to determine the best path:
You have the power to assign lower-cost values to interfaces you prioritize and higher-cost values
for those you want selected last. 📉 If all interfaces share the same cost value, MST prioritizes the
one with the lowest sender port ID, designating it as forwarding while blocking the others. 🚦
The command show spanning-tree summary on SW3 reveals the current STP state.
The switch is operating in PVST mode, and the output provides a summary of STP
activity for each VLAN.
This output gives a comprehensive overview of the spanning-tree status for each
VLAN on SW3. 🔄🌐
Configuring and Verifying MST 🌐🔧
In this section, you'll master the art of configuring the Multiple Spanning Tree
Protocol. 🌲
on the left illustrates the STP configuration at the lab's inception. All three switches
are set up with PVST+ and four user-created VLANs: 2, 3, 4, and 5. 🔄 SW1 claims the
role of the root bridge for VLANs 2 and 3, while SW2 takes charge for VLANs 4 and 5.
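The lab described above migrated to MST, as an added example (not from the original notes): VLANs 2 and 3 map to instance 1 with SW1 as root, VLANs 4 and 5 map to instance 2 with SW2 as root, and the per-instance cost and port-priority adjustments discussed elsewhere on this page for Ethernet 0/2 are applied on SW3. The region name and revision number are assumed.

```cisco
! ----- Identical on SW1, SW2 and SW3 -----
! Region membership is decided by name, revision and the digest of the
! VLAN-to-instance table, so this block must match byte for byte on every
! switch; a typo here silently splits the region.
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 2-3
 instance 2 vlan 4-5
 exit
!
! ----- SW1: root for instance 1 (VLANs 2,3), backup root for instance 2 -----
! Priorities are multiples of 4096; lower wins.
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
! ----- SW2: root for instance 2 (VLANs 4,5), backup root for instance 1 -----
spanning-tree mst 2 priority 4096
spanning-tree mst 1 priority 8192
!
! ----- SW3: per-instance tuning of the uplink Ethernet 0/2 -----
! Cost and port priority are set per instance, so each MSTI can prefer a
! different uplink and traffic is load-shared across both links. Lower cost
! (or lower priority value) is preferred; port priority is a multiple of 16.
interface Ethernet0/2
 spanning-tree mst 1 cost 1000000
 spanning-tree mst 1 port-priority 32
!
! Verification:
! show spanning-tree mst configuration     name, revision, instance-to-VLAN map
! show spanning-tree mst 1                 root, port roles, cost and priority
! show spanning-tree mst interface Ethernet0/2
```

If `show spanning-tree mst configuration` does not show the same digest on all three switches, they are not in one region and the per-instance load sharing will not take effect.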
Within the MST region, the IST instance 🌐🌲 maintains a loop-free topology, presenting
the entire MST region as a unified virtual bridge to the external STP. 🔄 BPDUs
between the MST's STP instance and the CST's STP instance exchange over the native
MST seamlessly coexists with other STP flavors. On the left, three switches operate
within an MST region, while two switches outside the region don't run MST. On the
right, the IST provides a loop-free path within the MST region, making it appear as a
Unlike the IST, MSTIs have no interaction outside the region. 🔄🔗 MST runs a single
spanning tree outside the region, and, except for the IST instance, regular instances
within the region lack an outside counterpart. Additionally, MSTIs don't send BPDUs
By default, all VLANs map to the IST instance, representing classic IEEE RSTP with all
VLANs sharing the same spanning tree. 🔄🔄 Explicit mapping is required for other
instances, with the best practice being to reserve MSTI0 for VLANs connecting to
switches not running MST. 🤝🔄 Each MSTI assigns priorities and link costs, creating a
private logical topology separate from the IST. MST consolidates MSTI information
into the IST's BPDU, utilizing M-Record fields for each active MSTI. 📊🔄
🌐 On the left, initially, all six VLAN instances belong to MSTI0. This is the default
behavior. 🔄
Now, let's assign half of VLAN instances (11, 22, and 33) to MSTI1, and the other half
(44, 55, and 66) to MSTI2. If different root bridges are configured for MSTI1 and
🔄 Within a topology involving multiple STP variations, the Common Spanning Tree
(CST) topology views an MST region as a single black box. CST ensures a loop-free
topology with links connecting regions and switches not running MST. 🔄🌐
MST operates uniquely by not sending separate BPDUs for every active STP instance.
Instead, a special instance (instance 0), known as the Internal Spanning Tree (IST),
consolidates all STP-related information. 🔄 BPDUs carry the standard STP data along
with configuration name, revision number, and a hash value calculated over VLAN-
MST boasts support for multiple instances, and Instance 0 (IST) acts as the internal
spanning tree. 🌲 the coexistence of various MST instances (MSTIs) within a single MST
region. MSTI1 and MSTI2 are linked to different VLANs, each converging based on
distinct root bridge configurations. 🔄 Their topologies differ, creating three
independent STP instances within the MST region: MSTI0 (IST), MSTI1, and MSTI2. 🌐🌲
To be part of a common MST region, a group of switches must share the same configuration
attributes. 🤝 It's the network administrator's responsibility to properly propagate the configuration
throughout the region. 🌐 Currently, this step is achievable through the CLI or SNMP, but future
methods could emerge since the IEEE specification doesn't explicitly detail the process. 🔄🚀
For a consistent VLAN-to-instance mapping, the protocol must precisely identify region
boundaries. 🌲 These characteristics are included in BPDUs to ensure clarity. 📊 The exact VLAN-to-
instance mapping isn't transmitted; instead, a digest, revision number, and name are sent. 📬 After
receiving a BPDU, a switch extracts the digest, derived mathematically from the VLAN-to-instance
mapping table, and compares it with its own computed digest. If they differ, the mapping is
In broad terms, a port is at the boundary of a region if the designated bridge on its segment is in
The configuration revision number provides a means to track changes in the MST region. 🔄 It
doesn't automatically increase with each configuration change; the network administrator should
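As an added example (not code from the original post), here is a small Python model of the region check just described: it builds the 4096-entry VLAN-to-instance table, computes the HMAC-MD5 digest that IEEE 802.1s specifies in place of the full table, and compares name, revision and digest the way a switch decides whether a neighbour's BPDU comes from its own region. The VLAN mapping (11/22/33 to MSTI1, 44/55/66 to MSTI2) is the one used earlier on this page; the region name "campus" and the revision values are assumptions.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Digest every switch computes when all VLANs sit in instance 0 (the default).
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def mst_config_table(vlan_to_msti):
    """MST Configuration Table: 4096 entries (VID 0..4095), each the 16-bit
    big-endian MSTI number. VLANs not listed stay in instance 0 (the IST)."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} out of range 1..4094")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MST instance {msti} out of range 0..4094")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def mst_digest(vlan_to_msti):
    """The 16-byte digest carried in BPDUs instead of the full 8 KiB table."""
    table = mst_config_table(vlan_to_msti)
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_identifier(name, revision, vlan_to_msti):
    """The three attributes a switch compares: name, revision, digest."""
    if len(name.encode()) > 32:
        raise ValueError("MST region name is limited to 32 bytes")
    if not 0 <= revision <= 65535:
        raise ValueError("revision must fit in 16 bits")
    return (name, revision, mst_digest(vlan_to_msti))


def same_region(local_id, neighbour_id):
    """True only if name, revision and digest all match, i.e. the neighbour's
    BPDU comes from inside our region."""
    return local_id == neighbour_id


# The mapping used earlier on this page; region name and revision are assumed.
PAGE_MAPPING = {11: 1, 22: 1, 33: 1, 44: 2, 55: 2, 66: 2}

if __name__ == "__main__":
    ours = region_identifier("campus", 1, PAGE_MAPPING)
    print("digest:", ours[2])
    # A single mis-typed VLAN on one switch silently puts it in a different region.
    typo = region_identifier("campus", 1, {**PAGE_MAPPING, 66: 1})
    print("same region with typo:", same_region(ours, typo))  # False
```

The same-name, same-revision, different-digest case is the one worth alerting on: the two switches believe they share a region but each treats the other's links as region boundaries.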
MST Regions 🌐🌲
MST stands out by consolidating certain VLANs into logical spanning-tree instances.
🌐 Load-Balancing Brilliance:
The desired load-balancing scheme remains intact as half the VLANs follow a distinct instance.
💼 Switch Efficiency:
Switch utilization stays low, managing only two instances, enhancing operational efficiency. 💻📉
From a technical standpoint, it's the optimal solution despite potential challenges. 🌟💡
🤯 Complexity Consideration:
MST's complexity surpasses traditional spanning trees, demanding additional operational staff
training. 📚🔄
Interaction with legacy bridges can pose challenges due to the advanced nature of MST. 🔄🌉
MST empowers you to construct multiple spanning trees over trunks by smartly grouping
VLANs. Each instance operates independently, providing diverse forwarding paths for traffic and
Network fault tolerance triumphs over Common Spanning Tree (CST) as one instance's failure
doesn't necessarily affect others. Consistency in VLAN-to-MST grouping across all bridges within
Large networks benefit from easier administration and optimal use of redundant paths with
🌐 Configuration Harmony:
Configuration harmony is crucial; a set of bridges with the same MST info ensures participation
in specific spanning-tree instances. Interconnected bridges sharing MST configurations form an
MST region. 🔄🌐 Bridges with distinct MST settings or those running 802.1D exist as separate MST
regions. 🌐🌉
Multiple Spanning Tree (MST) extends the IEEE 802.1w RST algorithm to multiple spanning trees. 🌳
The main purpose of MST is to reduce the total number of spanning-tree instances to match the
physical topology of the network and thus reduce the CPU cycles of a switch. 💻 PVRST+ runs STP
instances for each VLAN, while MST uses a minimum number of instances to match physical
topologies.
802.1Q and PVST+ represent two extremes of STP operation. 802.1Q has a single instance for
all VLANs, whereas PVST+ uses one instance per active VLAN, resulting in many instances for a
large network. 🌐 MST maps one or more VLANs to a single STP instance, providing a more
efficient approach.
Objectives:
Troubleshoot STP
🌐 Recommended STP Stability Mechanisms:
🚀 PortFast: Apply to all end-user ports. For secure PortFast-enabled ports, always combine
PortFast with BPDU Guard.
🌲 Root Guard: Apply to all ports where the root is never expected.
🔄 Loop Guard: Apply to all ports that are or can become nondesignated.
🔗 UDLD: The UDLD protocol enables devices to monitor the physical configuration of cables and
detect unidirectional links. When detected, UDLD shuts down the affected LAN port. Often
configured on ports linking switches.
🔒 Depending on security requirements, the port security feature can restrict ingress traffic by
limiting allowed MAC addresses.
📝 Note: Examples requiring BPDU Filters are rare. Never use BPDU Filter and BPDU Guard on the
same interface under any circumstances.
🌐 In modern networks, a 50-second convergence time is usually not acceptable. For this reason,
RSTP is widely preferred over legacy 802.1D implementations. 🔄 In networks with many VLANs
over numerous switches, grouping STP instances with MST may be necessary. 🏢 Most of the time,
the same VLAN wouldn't be configured over many switches. VLANs are local to a floor, spanning
a limited number of switches. In this setup, RSTP provides the best efficiency.
🚀 RSTP is far superior to 802.1D STP and even PVST+ in terms of convergence. It significantly
improves restoration times for VLANs requiring topology convergence due to linkup and
enhances convergence time over BackboneFast for indirect link failures.
📝 Note: If a network includes switches from different vendors, isolate STP domains with Layer 3
routing to avoid compatibility issues.
Even if the recommended design doesn't rely on STP for failure events, STP is necessary to
protect against user-side loops. 🔄 A loop can be introduced on user-facing access layer ports in
various ways. STP ensures a loop-free topology and safeguards the network from issues in the
access layer.
📝 Note: Some security personnel recommend disabling STP at the network edge, but it's not
recommended due to the greater risk of lost connectivity.
🌲 Spanning tree should be used, and its topology controlled by manual designation of the root
bridge. 🌐 Once the tree is created, use the STP Toolkit to enhance overall performance and reduce
time lost during topology changes.
🔄 To configure a VLAN instance as the root bridge, use the spanning-tree vlan vlan-ID root
command to modify the bridge priority from the default value (32768) to a significantly lower
value. Manually placing primary and secondary bridges, along with enabling STP Toolkit options,
supports a deterministic configuration where you know which ports should be forwarding and
which should be blocking.
🔧 The Cisco RSTP implementation is far superior to 802.1D STP and even PVST+ from a convergen
BackboneFast for indirect link failures and UplinkFast for uplink failures.
recommended placements for STP Toolkit features.
There are many arguments in favor of using large Layer 2 domains in a corporate network. There
are also good reasons why you should avoid Layer 2 in the network. 🔄🚫
The traditional way of doing transparent bridging requires the computation of a spanning tree for
the data plane. Spanning means that there will be connectivity between any two devices that
have at least one path physically available between them in the network. Tree means that the
active topology will use a subset of the links physically available so that there is a single path
between any two devices. 🌲🔄 (For example, there is no loop in the network.) Note that this
requirement is related to the way frames are forwarded by bridges, not to the STP that is just a
This behavior can result in a single copy being delivered to all the nodes in the network without
any duplicate frames. This approach has the following two main drawbacks:
Networkwide failure domain: A single source can send traffic that is propagated to all the
links in the network. If an error condition occurs and the active topology includes a loop, because
Ethernet frames do not include a Time-To-Live (TTL) field, traffic might circle around endlessly,
No multipathing: Because the forwarding paradigm requires the active topology to be a
tree, only one path between any two nodes is used. That means that if there are n redundant
paths between two devices, all but one will be simply ignored. Note that the introduction of a
per-VLAN tree allows working around this constraint to a certain extent. 🚫🔄🌲
To limit the impact of such limitations, the general recommendation is to use Layer 3 connectivity
at the distribution or core layer of the network, keeping Layer 2 for the access layer. 🌐🔍 Using
Layer 3 between the distribution and core layer allows multipathing (up to 16 paths) using
Equal-Cost Multipathing (ECMP) without dependency on STP and is strongly
preferred unless there is a need to extend Layer 2 across a data center pod
(distribution block). ECMP refers to the situation in which a router has multiple equal-
cost paths to a prefix, and thus load balances traffic over each path. 🔄🔗 Newer
technologies, such as Catalyst 6500 Virtual Switching System or Nexus 7000 virtual
You can configure only one FlexLinks backup link for any active link, and it must be a different
interface from the active one. 🚫🔗
An interface can belong to only one FlexLinks pair. An interface can be a backup link for only one
active link. An active link cannot belong to another FlexLinks pair. 🔄🚫🔗
Neither of the links can be a port that belongs to an EtherChannel. However, you can configure
two port channels (EtherChannel logical interfaces) as FlexLinks, and you can configure a port
channel and a physical interface as FlexLinks, with either the port channel or the physical
A backup link does not have to be the same type (Fast Ethernet, Gigabit Ethernet, or port
channel) as the active link. However, you should configure both FlexLinks with similar
characteristics so that there are no loops or changes in behavior if the standby link begins to
STP is disabled on FlexLinks ports. A FlexLinks port does not participate in STP, even if the VLANs
that are present on the port are configured for STP. When STP is not enabled, be sure that there
It is a pair of Layer 2 interfaces, either switch ports or port channels, that are configured to act as
a backup to another Layer 2 interface. The feature provides an alternative solution to the STP, and
it allows users to turn off STP and still provide basic link redundancy. An active/standby link pair is
FlexLinks is configured at the interface level with the command switchport backup interface
interface-slot/number.
To verify FlexLinks configuration, use the show interface switchport backup command. 🔍🔄
🔐 A sound practice is to unleash the power of UDLD aggressive mode in any setting
embracing fiber-optic interconnections. It acts as a vigilant guardian, swiftly
identifying and addressing issues in this fiber-rich landscape.
🔄 To fortify your network, elevate UDLD to global mode. This broad activation
ensures the watchful eye of UDLD on each individual fiber-optic interface, creating a
comprehensive shield against potential pitfalls.
the STP baggage. 🔄 Users can bid adieu to STP while still enjoying basic link
🔧 Configuration Chronicles:
🔄 Designate one Layer 2 interface as the standby link for the primary. This
configuration sets the stage for dynamic link-level redundancy.
🔄 Once FlexLinks is configured for a pair of interfaces, only one is in the linkup state
and actively forwarding traffic. If the primary link bids farewell, the standby link
promptly takes the spotlight, ensuring uninterrupted data flow.
🔄 If the inactive link reawakens, it gracefully steps into standby mode, patiently
awaiting its turn to shine again.
witness the FlexLinks magic in action. Ports Fast Ethernet 0/1 and Fast Ethernet 0/2
on Switch A, connected to uplink Switches B and C, dance to the FlexLinks rhythm.
With one in active forwarding mode and the other in standby, FlexLinks orchestrates
a seamless transition if the active link falters. 🔄 When Fast Ethernet 0/1 goes down,
Fast Ethernet 0/2 gracefully steps up, ensuring the dance of data continues
uninterrupted. The network revels in link-level redundancy, thanks to the FlexLinks
performance. 🔄
🔄 UDLD Limitations and Recommended Practices 🔄
🚫 UDLD, while a stalwart guardian, doesn't shield against Spanning Tree Protocol
(STP) failures triggered by software glitches, particularly when the designated switch
neglects to dispatch BPDUs. Fortunately, such software-induced failures are less
frequent, with hardware issues taking center stage.
🚧 Loop Guard faces limitations—it doesn't function on shared links or links that have
been unidirectional from their inception. However, the ultimate defense against
pitfalls involves the dynamic duo of UDLD and Loop Guard. Activating both ensures a
comprehensive shield against potential network perils.
environment. 🔄
👀 To check the UDLD status for a specific interface or all interfaces, employ the show
udld [interface slot/number] command in privileged EXEC mode.
🔄 If you need to undo the effects of UDLD by resetting interfaces that were shut
down, the udld reset command comes to the rescue. Alternatively, you can achieve
the same outcome by gracefully shutting down and then reactivating the interface.
🔄 While Loop Guard and UDLD both stand guard against STP failures arising from
unidirectional links, their paths diverge in functionality and approach to the problem.
Each has its unique role in fortifying the network against potential pitfalls. 🔄
Depicts the default status for the UDLD on a global and an interface basis.
🔄 Unidirectional Link Detection (UDLD) stands as a Layer 2 protocol harmonizing with Layer 1
mechanisms to scrutinize the physical state of a link. In the intricate dance of fiber connections, if
one strand bids farewell, the autonegotiation process intervenes, preventing the link from going
active or staying up. Yet, if both strands gleam with Layer 1 vitality, UDLD steps in to ensure
bidirectional traffic flow between the correct neighbors.
🔄 Periodically, the switch dispatches UDLD packets through an interface armed with UDLD
prowess. If these packets fail to echo back within a defined timeframe, the link is red-flagged as
unidirectional, swiftly leading to the error-disabled state of the interface. For UDLD to wield its
magic, both devices at each end of the link must be UDLD-savvy.
💬 UDLD peers establish contact by swapping special frames, journeying to the well-known MAC
address 01:00:0C:CC:CC:CC.
🌐 Although UDLD dances to its own beat outside the Spanning Tree Protocol (STP), its presence is
indispensable in a Layer 2 network. It heroically steps in to thwart one-way dialogues between
adjacent devices.
🔄 Within an EtherChannel bundle, should a physical link falter, UDLD smartly errors-disable solely
the troubled link.
⏰ UDLD messages waltz at regular intervals, a timer subject to modification. The default cadence,
platform-dependent, often ticks at 15 seconds.
🔒 UDLD, a Cisco proprietary protocol, also finds its script in RFC 5171.
🚦 Once UDLD spots a unidirectional link, it opts for two courses of action, depending on the
configured mode:
🌟 Normal mode: Unfazed by a unidirectional hiccup, the port persists in operation. UDLD simply
marks it as having an undetermined state, generating a syslog message.
🌟 Aggressive mode: When a unidirectional link raises its head, the switch jumps into action,
attempting to revive the link with a barrage of messages every second for 8 seconds. If no reply
The final result will be that all ports in the topology are forwarding. The result is a
Layer 2 loop. UDLD is a Cisco proprietary protocol that detects unidirectional links
and prevents Layer 2 loops from occurring.
SW1 has a port that is connected to SW2 and blocked by STP. Because SW1 is no
longer receiving BPDUs from SW2, SW1 will proceed to unblock the port.
🔄 Unidirectional Link Detection (UDLD) Importance 🔄
such as shutting down the impacted interface. 🔄 Particularly beneficial for fiber ports,
UDLD acts as a guardian against potential network disruptions arising from issues
like miswiring at patch panels. In such scenarios, a link might appear to be in an
up/up status, but the vital Bridge Protocol Data Units (BPDUs) are lost.
🔧 Picture a network scenario involving three switches and gigabit interface converter
(GBIC) or Small Form-Factor Pluggable (SFP) module failure in the transmit circuitry. 🔄
In this context, UDLD plays a crucial role in identifying and addressing unidirectional
link issues to maintain a robust and reliable network infrastructure.
🔄 Loop Guard Verification Commands 🔄
🔄 The Loop Guard feature operates on a per-port basis, yet its impact extends to the STP level,
blocking inconsistent ports on a per-VLAN basis due to Per-VLAN Spanning Tree Protocol
(PVSTP). 🔄 In PVSTP, if BPDUs cease on a trunk port for a specific VLAN, only that VLAN is blocked,
transitioning to the loop-inconsistent STP state.
🔄 When Loop Guard is applied to an EtherChannel interface, the entire channel is blocked for a
particular VLAN. This is because EtherChannel is perceived as a single logical port in the eyes of
STP, not merely individual links.
🚫 Root Guard and Loop Guard are mutually exclusive. Root Guard operates on designated ports,
ensuring they don't become nondesignated. Loop Guard, on the other hand, focuses on
nondesignated ports, preventing them from becoming designated through maximum age
expiration. 🔄 Enabling Loop Guard on a port automatically disables Root Guard on the same port.
🔄 Loop Guard, inactive by default, can be configured globally or on a per-port basis. If globally
enabled, it applies to all point-to-point links, identified by the link's duplex status. Full duplex
indicates a point-to-point link. Despite global settings, individual port configurations can still be
specified. 🔄 showcases the commands for configuring Loop Guard both per-port and globally. 🔄
🔄 In this network setup, Switch A holds the role of the root. However, due to a
unidirectional link failure on the connection between Switch B and Switch C, Switch C
stops receiving Bridge Protocol Data Units (BPDUs) from Switch B.
Without Loop Guard, the Spanning Tree Protocol (STP) blocking port on Switch C
undergoes a perilous sequence. As the maximum age timer expires, it transitions to
the STP listening state. Subsequently, it leaps to the forwarding state, completing the
transition in two times the forward delay time. This unfortunate progression results in
the creation of a loop.
Now, with Loop Guard activated, the blocking port on Switch C takes a different
course. As the maximum age timer ticks down, the port shifts into the STP loop-
inconsistent state, thanks to Loop Guard. 🔄 Ports in the loop-inconsistent state don't
forward user traffic, essentially mirroring the behavior of the blocking state.
Consequently, the network avoids the loop peril that would have occurred without
Loop Guard. 🔄
🔄 The Spanning Tree Protocol (STP) Loop Guard feature provides an extra layer of
protection against Layer 2 loops. 🔄 A Layer 2 loop occurs when an STP blocking port
in a redundant topology mistakenly transitions to the forwarding state. This usually
happens when one of the ports in a physically redundant setup (not necessarily the
STP blocking port) stops receiving STP Bridge Protocol Data Units (BPDUs).
Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root
Guard feature forces an interface to become a designated port to prevent
surrounding switches from becoming a root switch. In other words, Root Guard
provides a way to enforce the root bridge placement in the network. Catalyst
switches force Root Guard-enabled ports to be designated ports. If the bridge
receives superior STP BPDUs on a Root Guard-enabled port, the port moves to a
root-inconsistent STP state (effectively equal to a listening state), and the switch does
not forward traffic out of that port. As a result, this feature effectively enforces the
position of the root bridge.
shows a sample topology to illustrate the Root Guard feature. Switches A and B
comprise the core of the network, and Switch A is the root bridge for a VLAN. Switch
C is an access layer switch. The link between Switch B and Switch C is blocking on the
BPDUs are sent on all ports, even if they are PortFast enabled. You should always run
STP to prevent loops. However, in special cases, you need to prevent BPDUs from
being sent out. You can achieve that by using BPDU Filter.
Configuring BPDU Filter so that all configuration BPDUs received on a port are
dropped can be useful for service provider environments, where a service provider
provides Layer 2 Ethernet access for customers. Ideally, the service provider does not
want to share any spanning-tree information with customers, because such sharing
might jeopardize the stability of the service provider’s internal spanning-tree
topology. By configuring PortFast and BPDU Filter on each customer access port, the
service provider will not send any configuration BPDUs to customers and will ignore
With RSTP, PortFast is enabled with the same commands. However, these single-host ports are
called edge ports. But why would you want to enable PortFast in RSTP, given that convergence
times are much shorter? If you have numerous end devices in your network, and they are going
up and down all the time, that can mean many STP recalculations. Defining the edge ports
Even though PortFast is enabled, the interface will listen for BPDUs. If a BPDU is received, the port
will be moved into a blocking state. However, a loop can be detected only in a finite amount of
time; some time is needed to move a port into a blocked state.
BPDU Guard protects the integrity of ports that are PortFast enabled. If any BPDU is received on a
PortFast-enabled port, that port is put into an err-disabled state. That means the port is shut
down and must be manually re-enabled or automatically recovered through the error-disabled
timeout function.
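As an added example not drawn from the original post, here is a Python detector that recognises the BPDU Guard, Loop Guard, Root Guard and UDLD events discussed on this page in switch syslog and separates the two recovery cases: err-disabled ports, which stay down until re-enabled manually or by errdisable recovery, and loop- or root-inconsistent ports, which clear by themselves once BPDUs return. The log lines are constructed in the style of IOS messages (timestamps, interfaces and VLANs are made up), and the mnemonic-to-state table is an assumption you should check against your platform's message guide.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the style of IOS STP/UDLD syslog messages
# (timestamps, interfaces and VLANs are made up).
SAMPLE_LOG = """\
Mar  1 10:02:11.311: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/5 with BPDU Guard enabled. Disabling port.
Mar  1 10:02:11.315: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 10:05:40.002: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/7 on VLAN0020.
Mar  1 10:06:02.117: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/9 on VLAN0010.
Mar  1 10:07:15.900: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi0/3, unidirectional link detected
Mar  1 10:09:30.010: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/7 on VLAN0020.
Mar  1 10:10:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
IFACE_RE = re.compile(r"\b(?:port|interface|on)\s+((?!VLAN)[A-Za-z][A-Za-z-]*\d+(?:/\d+)*)")
VLAN_RE = re.compile(r"\bVLAN0*(\d+)\b")

# mnemonic -> (feature, resulting port state, operator action needed to recover)
RULES = {
    "BLOCK_BPDUGUARD": ("bpduguard", "err-disabled", True),
    "ERR_DISABLE": ("errdisable", "err-disabled", True),
    "UDLD_PORT_DISABLED": ("udld", "err-disabled", True),
    "LOOPGUARD_BLOCK": ("loopguard", "loop-inconsistent", False),
    "LOOPGUARD_UNBLOCK": ("loopguard", "cleared", False),
    "ROOTGUARD_BLOCK": ("rootguard", "root-inconsistent", False),
    "ROOTGUARD_UNBLOCK": ("rootguard", "cleared", False),
}


@dataclass(frozen=True)
class StpEvent:
    feature: str
    state: str
    interface: str
    vlan: Optional[int]      # None for features that act on the whole port
    manual_recovery: bool


def parse_events(log_text):
    """Extract the STP-protection and UDLD events from raw syslog text."""
    events = []
    for line in log_text.splitlines():
        msg = MSG_RE.search(line)
        if not msg or msg["mnemonic"] not in RULES:
            continue
        iface = IFACE_RE.search(msg["text"])
        if not iface:
            continue
        feature, state, manual = RULES[msg["mnemonic"]]
        vlan = VLAN_RE.search(msg["text"])
        events.append(StpEvent(feature, state, iface.group(1),
                               int(vlan.group(1)) if vlan else None, manual))
    return events


def current_state(events):
    """Replay the events. Err-disabled ports stay down until someone re-enables
    them (or errdisable recovery fires); inconsistent ports clear on their own
    once BPDUs are received again, which the UNBLOCK messages record."""
    err_disabled, inconsistent = set(), set()
    for event in events:
        if event.state == "err-disabled":
            err_disabled.add(event.interface)
        elif event.state == "cleared":
            inconsistent.discard((event.interface, event.vlan))
        else:
            inconsistent.add((event.interface, event.vlan))
    return {"err_disabled": err_disabled, "inconsistent": inconsistent}


if __name__ == "__main__":
    for event in parse_events(SAMPLE_LOG):
        print(event)
    print(current_state(parse_events(SAMPLE_LOG)))
```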
You will receive the following command-line interface (CLI) notification if a switch is connected to
Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers.
These connections can cause physical loops, and spanning tree must go through the full
initialization procedure in these situations. A spanning-tree loop can bring your network down. If
you turn on PortFast for a port that is part of a physical loop, there can be a window of time when
packets are continuously forwarded (and can even multiply) in such a way that the network
cannot recover.
You can also enable PortFast on trunk ports. This is useful if you have a trunk enabled for a host
such as a server that needs multiple VLANs. To enable a port for PortFast on an interface that
PortFast Configuration
An additional benefit of using PortFast is that TCN BPDUs are not sent when a switch port in
PortFast mode goes up or down. In a large network, PCs might go up and down, and that can
mean a lot of TCNs if your access ports are not configured with PortFast. 🚫🔄📤
By default, PortFast is disabled on all switch ports. You can configure PortFast in two ways: per
port and globally. If you configure PortFast globally (that is, a conditional configuration), all ports
that are configured as access ports automatically become PortFast enabled, and the port will
immediately transition to forwarding (unless they receive a BPDU). If a port does receive a BPDU,
that port will go into blocking mode. If you configure PortFast per port, in some implementations
that can be an unconditional configuration. The port will be PortFast enabled even if it receives
BPDUs. 🌐🚀🔄🔒
STP PortFast
Use PortFast
An end-user PC connects to access layer switches. When the PC is turned on, STP will have to go
through all the states: blocking, listening, learning, and eventually forwarding. With the default
STP timers, this transition takes about 30 seconds (15 seconds for listening to learning, and 15
seconds from learning to forwarding). The PC cannot transmit or receive data before the switch
transitions the port to forwarding state. How can this affect the user PC? The PC might run into
trouble with acquiring DHCP addresses in its first try, and therefore it might take quite some time
When PortFast is enabled, the port transitions immediately from blocking to forwarding. As
mentioned before, PortFast is enabled on access layer switches where the hosts are connected. 🔄🚀🔗
📝 Note:
Configure BackboneFast on all switches in the network, because it is required if you want to use
Normally a switch must wait for the maximum age timer to expire before responding to the
inferior BPDUs. However, BackboneFast searches for an alternative path:
If the inferior BPDU arrives on a port that is blocked, the switch assumes that the root port and all
If the inferior BPDU arrives on a port that is root, the switch assumes all blocked ports are an
alternate path. If no ports are blocked, the switch assumes that it lost connectivity with the root
In the example, an inferior BPDU is received on a blocked port. DSW2 assumes that the root port
After the switch identifies potential alternative ports, it starts sending RLQs (request link queries).
By sending these queries, it finds out whether upstream switches have a path to the root bridge.
🔄📡🔍
When a switch, which is either the root bridge or has a connection to the root bridge, receives an
RLQ, the switch sends back an RLQ reply. Otherwise, an RLQ gets forwarded until it gets to a
switch that is the root bridge or has a connection to the root bridge. 🔄🔄🔄🔄
If the exchange of RLQ messages results in validation that the root bridge (DSW3) is still
accessible, the switch (DSW2) starts sending existing root bridge information to the bridge that
lost connectivity through its root port (DSW1). If this validation fails, DSW2 can start the root
bridge election process. In either of these cases, if validation is successful or not, the maximum
Use BackboneFast
DSW3 is the root bridge, and DSW2 is the one blocking DSW3’s alternate path to
DSW1. When DSW1’s root port fails, DSW1 declares itself the root bridge and starts
sending BPDUs to all switches it is connected to (in this case, only DSW2). These
BPDUs are inferior. When a switch receives an inferior BPDU on a blocked port, it
runs a procedure to validate that it still has an active path to the currently known
root bridge. 🌐🔄
🔍 ASW# Show UplinkFast Status 🔍
UplinkFast is 🚀 enabled 🚀
📊 UplinkFast Statistics 📊
✨ UplinkFast is in full action, and the designated interfaces for VLAN0001 are Et0/1 (forwarding)
and Et0/2. The network is cruising smoothly with the power of UplinkFast! 🌐🚀
🚀 UplinkFast Essentials 🔄
UplinkFast, the swift hero in reducing convergence time, kicks into action only when a switch has
blocked ports. 🚷 This feature is customarily crafted for an access switch flaunting redundant
blocked uplinks. UplinkFast, being a Cisco proprietary gem, operates on the entire switch and
cannot be selectively enabled for individual VLANs.
📝 Note:
UplinkFast is exclusive to Cisco.
📝 Note:
UplinkFast is, by default, disabled.
🚨 Caution:
Activate UplinkFast exclusively on access layer switches sporting redundant uplinks. If this feature
graces a transit switch - one connecting to both the root bridge and another switch - the peril of
an STP loop looms large. 🔄 In Figure 4-18, only ASW is deemed fit for the UplinkFast spotlight;
🚀 Using UplinkFast 🚦
In the event of a forwarding uplink failure, the traditional recovery time ranges from
30 to 50 seconds before the alternate uplink takes over. Enter UplinkFast, a Cisco
proprietary solution designed to significantly slash convergence time.
The magic of UplinkFast lies in its definition of an uplink group on a switch. This
group comprises the root port and all ports serving as alternate connections to the
root bridge. If the root port (primary uplink) fails, UplinkFast swiftly selects the port
with the next lowest cost from the uplink group to seamlessly take its place.
To expedite recovery, the access layer switch initiates the announcement of all MAC
addresses as source addresses in dummy multicast frames. These frames travel
upstream through the new forwarding port, ensuring a lightning-fast replacement. In
normal circumstances, the total time to recover from the primary link failure with
STP, a seasoned protocol with years of refinement, may encounter challenges due to network
assumptions. While designed to avoid loop openings, it can face high-profile failures impacting
the network. To enhance STP performance and align its behavior with your network, the Cisco
🔄 BackboneFast: Facilitates swift convergence in the distribution or core layer during STP changes.
🔄 Loop Guard: Prevents an alternate port from becoming the designated port if no BPDUs are
received.
🚀 Describe UplinkFast.
Configure BackboneFast.
🔄 Describe how UDLD detects a unidirectional link and the actions it takes.
Configure UDLD.
STP Timers
STP relies on three distinct timers to ensure a seamless and loop-free convergence. Here are the
three crucial STP timers along with their default values:
📅 Hello time: The time between each BPDU sent on a port. Defaults to 2 seconds.
🔄 Forward delay: The time spent in the listening and learning state. Defaults to 15 seconds.
⏳ Max (maximum) age: Controls the maximum time before a bridge port saves its configuration
BPDU information. Defaults to 20 seconds.
🔍 To observe STP convergence in real-time after port cost changes, activate the STP topology
events debugging on SW3, as depicted in Figure 4-17. This will help measure how long STP takes
to establish a new path after a link failure.
🔧 Example 4-10: Debug spanning-tree events to gauge the time it takes to transition the port into
forwarding mode. As a practical illustration, shut down the forwarding uplink on SW3 (Ethernet
0/2).
👀 Observe the duration it takes for STP to detect the failure and activate the redundant link for
forwarding.
For port role determination, the cost value plays a crucial role. When all ports share
the same cost, the tiebreaker is the sender’s port ID. To influence active port
selection, tweak the cost of the interface or the sender’s interface port ID.
🔧 You can adjust the port cost using the spanning-tree vlan vlan-list cost cost-value
command, where the cost value can range from 1 to 65,535.
🔍 The port ID comprises a port priority and a port number. While the port number
remains fixed based on hardware location, you can alter the port ID by configuring
the port priority.
Modify the port priority with the spanning-tree vlan vlan-list port-priority port-
priority command, where the port priority value can be between 0 and 255 (default is
128). A lower port priority implies a more preferred path to the root bridge.
Ethernet 0/1 and Ethernet 0/2 of SW3 share the same STP cost to the root SW2.
Ethernet 0/1 of SW3 is forwarding because its sender’s port ID (128.2) is lower than
that of Ethernet 0/3 (128.4) of SW2. To make SW3’s Ethernet 0/2 forwarding, you
could lower the port cost on Ethernet 0/2. Alternatively, you could make SW3’s
Ethernet 0/2 forwarding by decreasing the sender’s port priority, which, in this case,
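As an added example, not from the original post, the following Python models the root-port tie-break described above for SW3's two equal-cost uplinks to root SW2, and shows how lowering either the port cost on SW3's Ethernet 0/2 or the port priority on SW2's sending port changes the outcome. The sender port IDs 128.2 and 128.4 come from the text; the SW2 bridge ID, the link cost of 100 and the local port numbers are constructed values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Offer:
    """Best BPDU a local port has received, plus the local port's own ID."""
    local_port: str
    root_path_cost: int         # sender's cost to the root plus this link's cost
    sender_bridge_id: tuple     # (priority + extended system ID, MAC bytes)
    sender_port_priority: int   # IOS shows the sender port ID as priority.number
    sender_port_number: int
    local_port_priority: int = 128
    local_port_number: int = 1


def port_id(priority, number):
    """Priority is the high part of the 16-bit port ID, so it is compared first;
    the number is fixed by hardware position. IOS only accepts priorities 0..240
    in steps of 16 (128 is the default)."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError(f"port priority {priority} must be a multiple of 16 in 0..240")
    if not 1 <= number <= 4095:
        raise ValueError(f"port number {number} out of range")
    return (priority, number)


def select_root_port(offers):
    """802.1D tie-break order: lowest root path cost, then lowest sender bridge ID,
    then lowest sender port ID, then lowest local port ID."""
    if not offers:
        raise ValueError("no candidate ports")
    best = min(offers, key=lambda o: (
        o.root_path_cost,
        o.sender_bridge_id,
        port_id(o.sender_port_priority, o.sender_port_number),
        port_id(o.local_port_priority, o.local_port_number),
    ))
    return best.local_port


def tune(offers, local_port, **changes):
    """Return a copy of the offers with one port's attributes changed, e.g. after a
    'spanning-tree vlan ... cost' on the local port or a port-priority change on the sender."""
    return [replace(o, **changes) if o.local_port == local_port else o for o in offers]


# Constructed values for the page's topology: SW2 is the root, SW3 has two
# equal-cost uplinks; SW2 sends from port 128.2 towards Et0/1 and from 128.4 towards Et0/2.
SW2_BRIDGE_ID = (32769, bytes.fromhex("001b54aa0002"))  # priority 32768 + VLAN 1
SW3_UPLINKS = [
    Offer("Ethernet0/1", 100, SW2_BRIDGE_ID, 128, 2, local_port_number=2),
    Offer("Ethernet0/2", 100, SW2_BRIDGE_ID, 128, 4, local_port_number=3),
]

if __name__ == "__main__":
    print(select_root_port(SW3_UPLINKS))                                           # Ethernet0/1
    print(select_root_port(tune(SW3_UPLINKS, "Ethernet0/2", root_path_cost=90)))   # Ethernet0/2
    print(select_root_port(tune(SW3_UPLINKS, "Ethernet0/2", sender_port_priority=64)))
```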
It's not advisable for the network to autonomously select the root bridge. By default, if all
switches have standard STP priorities, the one with the lowest MAC address becomes the root
bridge. The oldest switch usually has the lowest MAC address, as lower addresses were assigned
in the factory. To manually designate the root bridge, you can adjust a switch's priority.
Let's say the access layer switch SW3 becomes the root bridge due to its oldest MAC address. If
SW3 is the root bridge, the link between the distribution layer switches might be blocked.
Consequently, traffic between SW1 and SW2 would need to pass through SW3, which isn't ideal.
📌 Note:
It's highly recommended to configure distribution or core switches to be the root bridge.
The priority can range from 0 to 65,535, in increments of 4096, with a default value of 32,768.
📌 Note:
With PVST, the extended system ID is used for bridge priority calculation. The priority reduces
from 16 to 4 bits, with 12 bits representing the VLAN ID. The better solution is to use the
spanning-tree vlan vlan-id root {primary | secondary} command. This macro adjusts the switch's
priority number to make it the root bridge.
To set a switch as the root bridge for a specified VLAN, use the primary keyword. Use the
secondary keyword to configure a secondary root bridge, preventing the slowest and oldest
access layer switch from becoming the root bridge if the primary root bridge fails.
The spanning-tree root command calculates the priority by considering the current root priority
and lowering the value by 4096. For instance, if the current root priority is over 24,576, the local
switch sets its priority to 24,576. If the root bridge has a priority lower than 24,576, the local
switch sets its priority 4096 less than the current root bridge's. Configuring the secondary root
bridge sets a priority of 28,672. Since the switch can't determine the second-best priority in the
network, setting the secondary priority to 28,672 is a best guess.
When you check the configuration with the show running-config command, the switch's priority
appears as a number, not as the primary or secondary keyword.
📌 Note:
If the root bridge's priority is set to 0, configuring another switch with the root primary command
will fail. This is because it can't set a local switch's priority 4096 lower than that of the root bridge.
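The notes above describe the root election and the root macro in words; the following is an added example (not code from the original notes) that carries the same arithmetic through: it builds the PVST+ bridge ID (4-bit priority, 12-bit extended system ID, 48-bit MAC), elects the root for a VLAN, and reproduces what the primary and secondary keywords would set, including the failure case when the root already sits at priority 0. Switch names, MAC addresses and the VLAN number are constructed.

```python
"""Bridge ID arithmetic behind the root bridge notes above.

Added example; it is not code from the original notes. Switch names, MAC
addresses and VLAN numbers are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

PRIORITY_STEP = 4096             # granularity once the 12-bit extended system ID is in use
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_TARGET = 24576      # used by 'root primary' when the current root is above it
ROOT_SECONDARY_PRIORITY = 28672  # always set by 'root secondary'


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Build the 64-bit PVST+ bridge ID: 4-bit priority, 12-bit VLAN ID
    (extended system ID), then the 48-bit MAC. The lowest value wins."""
    # 61440 is the largest multiple of 4096 that fits the 4-bit priority field
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def elect_root(switches: Dict[str, Tuple[int, str]], vlan: int) -> str:
    """Name of the switch with the lowest bridge ID for this VLAN."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_macro_priority(current_root_priority: int, keyword: str) -> Optional[int]:
    """Priority that 'spanning-tree vlan <id> root {primary | secondary}' would
    configure on the local switch, or None when the macro cannot succeed."""
    if keyword == "secondary":
        return ROOT_SECONDARY_PRIORITY
    if keyword != "primary":
        raise ValueError("keyword must be 'primary' or 'secondary'")
    if current_root_priority > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    if current_root_priority < PRIORITY_STEP:
        return None  # root already at 0: nothing is 4096 lower, the macro fails
    return current_root_priority - PRIORITY_STEP


# Constructed inventory: default priorities everywhere, SW3 has the lowest MAC.
SWITCHES = {
    "SW1": (DEFAULT_PRIORITY, "00:1a:2b:00:00:10"),
    "SW2": (DEFAULT_PRIORITY, "00:1a:2b:00:00:20"),
    "SW3": (DEFAULT_PRIORITY, "00:00:0c:00:00:01"),
}


def fix_root(vlan: int = 10) -> Tuple[str, str]:
    """Root before and after applying 'root primary' on distribution switch SW1."""
    before = elect_root(SWITCHES, vlan)
    new_priority = root_macro_priority(SWITCHES[before][0], "primary")
    after_cfg = dict(SWITCHES)
    after_cfg["SW1"] = (new_priority, SWITCHES["SW1"][1])
    return before, elect_root(after_cfg, vlan)


if __name__ == "__main__":
    print(fix_root())  # ('SW3', 'SW1')
```

With defaults everywhere the access switch SW3 wins purely on MAC address; after the macro lowers SW1 to 24,576 the distribution switch becomes root, which is the placement the note recommends.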
🌐 An edge port is a switch port that is never intended to be connected to another switch device.
Edge ports, equivalent to point-to-point links, are candidates for rapid transition to a forwarding
state. Before the link type parameter can be considered for expedient port transition, RSTP must
determine the port role. The following list highlights the port types and how they use link type
parameters for transition:
📸 Root ports: Root ports do not use the link type parameter. They are able to make a rapid
transition to the forwarding state as soon as the port is in the sync state.
📸 Alternate and backup ports: In most cases, alternate and backup ports do not use the link type
parameter.
📸 Designated ports: Designated ports make the most use of the link type parameter. Rapid
transition to the forwarding state for the designated port occurs only if the link type parameter
indicates a point-to-point link.
🔍 These parameters differ for edge ports and non-edge ports. Non-edge ports are
🎭 The link type can predetermine the active role that the port plays as it stands by for
learned on all its ports except the one that receives the topology change. 🔄 The switch also
receives BPDUs with the TC bit set on all designated ports and the root port.
🔄 RSTP no longer uses the specific TCN BPDUs unless a legacy bridge needs to be notified.
🔄 With RSTP, the TC propagation is now a one-step process. In fact, the initiator of the topology
change floods this information throughout the network, as opposed to 802.1D, where only the
root did. This mechanism is much faster than the 802.1D equivalent. There's no need to wait for
the root bridge to be notified and then maintain the topology change state for the whole
network for <max age plus forward delay> seconds. In just a few seconds, or a small multiple of
hello times, most of the entries in the CAM tables of the entire network (VLAN) flush. 🔄 This
approach results in potentially more temporary flooding; however, it clears potential stale
information that prevents rapid connectivity restitution.
❓ Why does RSTP not consider link failure a topology change? Loss of connectivity does not
provide new paths in topology. If a switch loses the link to a downstream switch, the downstream
switch either has an alternate path to the root bridge or it does not. If the downstream switch has
no alternate path, no action will be taken to improve convergence. If the downstream switch has
an alternate path, the downstream switch will unblock it and consequently generate its own
BPDUs with the TC bit set.
🔄 Like with STP, PortFast-enabled ports do not create topology changes. This reduces the amount
of topology change messages flooding. 🔄 PortFast-enabled ports do not have associated MAC
addresses flushed if a topology change message is received.
🔗 A port will accept and process BPDU frames in all port states.
🔄 For RSTP, a topology change occurs only when a non-edge port transitions to the
forwarding state. This means that a loss of connectivity is no longer considered a
topology change, contrary to STP.
📡 A switch announces a topology change by sending BPDUs with the TC bit set out
from all the non-edge designated ports. This way, all neighbors are informed about
the topology change, allowing them to correct their bridging tables.
🌐 SW4 sends BPDUs out all its ports after detecting a link failure. SW2 then sends the
BPDU to all its neighbors, except the one that received the BPDU from SW4, and so
on.
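To make the one-step RSTP flood above concrete, here is an added example (not code from the original notes) that simulates it on a small constructed topology: the initiator sends a TC-flagged BPDU out its root and designated ports, each receiving switch flushes the MAC entries learned on every port except the receiving port and its PortFast (edge) ports, then relays the BPDU out its own root and designated ports except the one it came in on. Switch names, port names, port roles and CAM entries are all constructed; the initiator's own flush and the tcWhile timers are left out of the model.

```python
"""RSTP topology-change (TC) flooding, as described in the notes above.

Added example, not part of the original notes. Topology, port roles and
CAM entries are constructed for illustration.
"""
from collections import deque
from typing import Dict

# Constructed: per switch, each port's role and the neighbor it connects to.
# Roles: "root", "designated", "alternate" (discarding), "edge" (PortFast host port).
PORTS = {
    "SW1": {"Gi1/0/1": ("designated", "SW2"), "Gi1/0/2": ("designated", "SW3"),
            "Gi1/0/10": ("edge", None)},
    "SW2": {"Gi1/0/1": ("root", "SW1"), "Gi1/0/2": ("designated", "SW4"),
            "Gi1/0/3": ("designated", "SW3"), "Gi1/0/10": ("edge", None)},
    "SW3": {"Gi1/0/1": ("root", "SW1"), "Gi1/0/2": ("alternate", "SW2"),
            "Gi1/0/10": ("edge", None)},
    "SW4": {"Gi1/0/1": ("root", "SW2"), "Gi1/0/2": ("designated", None)},
}

# Constructed CAM tables: switch -> {MAC: port it was learned on}
CAM = {
    "SW1": {"aaaa.0000.0001": "Gi1/0/10", "cccc.0000.0003": "Gi1/0/2", "dddd.0000.0004": "Gi1/0/1"},
    "SW2": {"bbbb.0000.0002": "Gi1/0/10", "dddd.0000.0004": "Gi1/0/2", "aaaa.0000.0001": "Gi1/0/1"},
    "SW3": {"cccc.0000.0003": "Gi1/0/10", "aaaa.0000.0001": "Gi1/0/1"},
    "SW4": {"dddd.0000.0004": "Gi1/0/2", "aaaa.0000.0001": "Gi1/0/1"},
}

FORWARDING_ROLES = ("root", "designated")  # non-edge ports that carry TC BPDUs


def receiving_port(switch: str, sender: str) -> str:
    """Local port on `switch` whose link leads back to `sender`."""
    for port, (_role, neighbor) in PORTS[switch].items():
        if neighbor == sender:
            return port
    raise KeyError(f"{switch} has no link to {sender}")


def flood_tc(initiator: str) -> Dict[str, dict]:
    """Breadth-first propagation of one TC from `initiator`.

    Returns, per receiving switch: the port the TC arrived on, which CAM
    entries were flushed, which were kept, and how many hops from the initiator."""
    result: Dict[str, dict] = {}
    visited = {initiator}
    queue = deque()
    for _port, (role, neighbor) in PORTS[initiator].items():
        if role in FORWARDING_ROLES and neighbor and neighbor not in visited:
            visited.add(neighbor)
            queue.append((neighbor, initiator, 1))
    while queue:
        switch, sender, hop = queue.popleft()
        rx = receiving_port(switch, sender)
        flushed, kept = set(), set()
        for mac, port in CAM[switch].items():
            # keep what was learned on the receiving port and on PortFast (edge) ports
            if port == rx or PORTS[switch][port][0] == "edge":
                kept.add(mac)
            else:
                flushed.add(mac)
        result[switch] = {"rx_port": rx, "flushed": flushed, "kept": kept, "hop": hop}
        # relay out every root/designated port except the one the TC arrived on
        for port, (role, neighbor) in PORTS[switch].items():
            if port != rx and role in FORWARDING_ROLES and neighbor and neighbor not in visited:
                visited.add(neighbor)
                queue.append((neighbor, switch, hop + 1))
    return result


if __name__ == "__main__":
    for sw, info in flood_tc("SW4").items():
        print(sw, info)
```

Two hops are enough to reach every switch in this topology, which is the "small multiple of hello times" the notes refer to, and the hosts on PortFast ports keep their CAM entries throughout.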
🌐 In a stable topology, RSTP ensures that every root port and designated port transit
to forwarding, while all alternate ports and backup ports are always in the discarding
state. 🔄
🔄 There's a difference between STP and RSTP port roles. Instead of STP
nondesignated port role, there are now alternate and backup ports.
🔄 Additional port roles let RSTP define a standby switch port before a failure or
topology change. The alternate port moves to the forwarding state if there's a failure
on the designated port for the segment.
📝 Note: You'll probably not see a backup port role in practice. It's used only when
switches are connected to a shared segment. To build shared segments, you need
hubs, and these are obsolete.
🔄 The RSTP port states correspond to the three basic operations of a switch port:
discarding, learning, and forwarding. There's no listening state as with STP. Listening
and blocking STP states are replaced with the discarding state. The STP port roles
and RSTP port roles.
Root: The root port is the chosen path to the root bridge on nonroot bridges. Only one per
switch, it's an active topology participant forwarding, sending, and receiving BPDUs. 🌱
Designated: Each switch has at least one designated port for the segment. In the active
topology, it receives frames destined for the root bridge on that segment. Only one designated
Alternate: An alternate port offers an alternative path to the root bridge. It's in a discarding state
in an active topology and transitions to a designated port if the current path fails. 🔄
Backup: A backup port is an additional switch port on the designated switch with a redundant
link to the shared segment. It has a discarding state in the active topology. 🔄🔗
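The port roles and states listed above can be derived from a topology, and the following added example (not code from the original notes) does exactly that for the classic three-switch triangle: it elects the root by lowest (priority, MAC), computes each switch's root path cost, picks one root port per non-root switch, makes the end of each link that is closer to the root (lower cost, then lower bridge ID) the designated port, marks the remaining port an alternate, and maps root/designated to forwarding and alternate to discarding. Switch names, MACs, priorities and costs are constructed; port names stand in for LACP-style port IDs in the tie-break, and the backup role is not modelled because it needs a shared segment.

```python
"""RSTP port roles and states derived from a constructed topology.

Added example, not code from the original notes. Names, MACs, priorities
and port costs below are constructed for illustration.
"""
import heapq
from typing import Dict, List, Tuple

# Constructed bridges: name -> (priority, MAC). SW1 is meant to be the root.
BRIDGES = {
    "SW1": (24576, "00:1a:2b:00:00:10"),
    "SW2": (32768, "00:1a:2b:00:00:20"),
    "SW3": (32768, "00:1a:2b:00:00:30"),
}
# Constructed links: (switch_a, port_a, switch_b, port_b, port cost)
LINKS = [
    ("SW1", "Gi1/0/1", "SW2", "Gi1/0/1", 4),
    ("SW1", "Gi1/0/2", "SW3", "Gi1/0/1", 4),
    ("SW2", "Gi1/0/2", "SW3", "Gi1/0/2", 4),
]


def bid(name: str) -> Tuple[int, int]:
    """Comparable bridge ID: lower priority, then lower MAC, wins."""
    prio, mac = BRIDGES[name]
    return prio, int(mac.replace(":", ""), 16)


def adjacency() -> Dict[str, List[Tuple[str, str, str, int]]]:
    """switch -> [(local_port, neighbor, neighbor_port, cost)]"""
    adj = {n: [] for n in BRIDGES}
    for a, pa, b, pb, cost in LINKS:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))
    return adj


def root_path_costs(root: str, adj) -> Dict[str, int]:
    """Dijkstra from the root: cheapest total port cost to reach each switch."""
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc[node]:
            continue
        for _port, nbr, _nport, c in adj[node]:
            if cost + c < rpc.get(nbr, float("inf")):
                rpc[nbr] = cost + c
                heapq.heappush(heap, (cost + c, nbr))
    return rpc


def rstp_roles():
    """Return (root bridge, {(switch, port): role}, {(switch, port): state})."""
    adj = adjacency()
    root = min(BRIDGES, key=bid)
    rpc = root_path_costs(root, adj)

    # one root port per non-root switch: best (cost via neighbor, neighbor ID, neighbor port)
    root_port = {}
    for sw in BRIDGES:
        if sw == root:
            continue
        port, *_ = min(adj[sw], key=lambda e: (rpc[e[1]] + e[3], bid(e[1]), e[2]))
        root_port[sw] = port

    def vector(switch: str, port: str):
        # what this end advertises on the segment: its own cost to the root, then its ID
        return rpc[switch], bid(switch), port

    roles = {}
    for a, pa, b, pb, _cost in LINKS:
        # the end with the better vector is designated for the segment ...
        if vector(a, pa) < vector(b, pb):
            roles[(a, pa)] = "designated"
            other, other_port = b, pb
        else:
            roles[(b, pb)] = "designated"
            other, other_port = a, pa
        # ... the other end is either that switch's root port or an alternate
        roles[(other, other_port)] = "root" if root_port.get(other) == other_port else "alternate"

    states = {k: "forwarding" if r in ("root", "designated") else "discarding"
              for k, r in roles.items()}
    return root, roles, states


if __name__ == "__main__":
    for item in rstp_roles()[1:]:
        print(item)
```

In the triangle, SW2 and SW3 both reach SW1 at cost 4, so the SW2-SW3 segment is decided on bridge ID: SW2 becomes designated and SW3's end is the alternate port sitting in discarding, ready to take over if SW3 loses its uplink.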
Ready to dive into the world of networking and port roles? Let's get started! 🚀
Rapid Spanning Tree Protocol (IEEE 802.1w, or RSTP) 🚀 significantly accelerates spanning tree
recalculation during network topology changes. RSTP introduces additional port roles like
alternate and backup, defining states as discarding, learning, or forwarding. Let's explore the
distinctions between STP (802.1D) and RSTP (802.1w).
The 802.1D STP standard aimed for network recovery within a minute after an outage. However,
with Layer 3 switching and protocols like OSPF and EIGRP providing alternatives in about 1
second, bridging faced competition. Cisco enhanced 802.1D with proprietary features like
UplinkFast, BackboneFast, and PortFast for quicker network convergence, though they require
extra configuration.
📝 Note: UplinkFast, BackboneFast, and PortFast are discussed in a later topic.
IEEE 802.1w (RSTP) evolves 802.1D rather than revolutionizing it. Terminology remains similar, and
most parameters stay unchanged. Users familiar with 802.1D find RSTP configuration
comfortable. In many cases, RSTP outperforms Cisco's proprietary extensions with minimal
additional configuration. Moreover, 802.1w can revert to 802.1D for interoperability with legacy
bridges on a per-port basis, though this negates the benefits of 802.1w on that segment.
RSTP designates a switch as the active spanning-tree root and assigns port roles based on their
involvement in the active topology. It swiftly restores connectivity after switch, switch port, or
LAN failures. Through an explicit handshake protocol, a new root port and the designated port of
the connecting bridge transition to forwarding. RSTP streamlines switch port configuration for
direct forwarding transition during switch reinitialization.
On Cisco Catalyst switches, the per-VLAN version of RSTP is known as PVRST+, a rapid evolution
🌐 When the root bridge receives the TCN BPDU, it first sends an acknowledgment
BPDU, known as Topology Change Acknowledgment (TCA), to the switch from which
it received the TCN. 📤 The root bridge then signals the topology change to other
switches in the network by changing the topology change flag in its BPDU (TC). 🔄
Switches then shorten their bridge table aging times to the forward delay time.
🌐🔄 Layer 2 EtherChannel Configuration Guidelines:
Pre-Implementation Steps:
🔄 Protocol Assignment:
Identify the protocol to use (PAgP or LACP).
Assign a channel group number to associate interfaces within a port group.
Configure negotiation preferences.
🤝 Connection Validation:
Ensure established connections.
Confirm EtherChannel formation on both sides, verifying aggregated bandwidth provision.
🔄 EtherChannel Support:
All Ethernet interfaces on all modules support EtherChannel.
No requirement for physical contiguity or placement on the same module.
🌈 VLAN Configuration:
All interfaces in the EtherChannel must:
Belong to the same VLAN, or
Be configured as trunks.
🌍 VLAN Range:
EtherChannel supports an identical VLAN range across all interfaces in a trunking Layer 2
EtherChannel.
Mismatched VLAN ranges prevent EtherChannel formation; ensure consistency.
🌐 In Summary:
Following these guidelines ensures a smooth EtherChannel implementation, maximizing network
📚 Overview:
Port Aggregation Protocol (PAgP) mirrors the negotiation prowess of LACP, offering dynamic link
aggregation benefits. PAgP, however, is exclusive to Cisco devices, making it a proprietary
protocol.
🔄 Key Features:
🔄 PAgP packets are exchanged exclusively between Cisco devices over EtherChannel-capable ports.
🔄 Dynamically adjusts EtherChannel parameters if any port in the bundle undergoes modification.
🤝 Compatibility Note:
🚫 PAgP and LACP are not interoperable; both ends of a channel must run the same protocol.
🌈 PAgP Modes:
📚 Overview:
Link Aggregation Control Protocol (LACP) is an integral part of the IEEE specifications (802.1AX
and 802.1aq), designed to bundle multiple physical ports into a unified logical channel. LACP
enables switches to dynamically negotiate and form EtherChannels by exchanging LACP packets.
🔄 Key Functions:
🔄 Ensures configuration consistency and manages link additions and failures between switches.
🔄 Validates that all EtherChannel ports share the same configuration attributes: speed, duplex,
and VLAN information.
🔄 Modifications to any port post-EtherChannel creation apply universally to all other channel
ports.
📡 Packet Exchange:
👥 Role Assignment:
🔄 The switch with the lowest system priority makes decisions on active participating ports.
📊 Channel Characteristics:
🔄 Only 8 links can be active simultaneously; non-active links are in standby, activated if an active
link fails.
🌈 LACP Modes:
Additional Parameters:
🔄 System Priority: Set automatically or through CLI, determines system ID using MAC address and
system priority.
🔄 Port Priority: Specifies port priority, used to decide which ports enter standby mode if hardware
limitations prevent full aggregation.
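The configuration guidelines earlier (same VLAN or trunk, identical VLAN range, matching speed and duplex) and the LACP rules just listed (lowest system priority decides, at most 8 active links, port priority picks the standby set) are easy to express as a pre-change check. The following is an added example, not code from the original notes: it flags attribute mismatches among prospective members, identifies which system decides, and splits members into active and standby. Interface records, priorities and MAC addresses are constructed, and the port number field is a stand-in for the LACP port number used as a tie-breaker.

```python
"""EtherChannel consistency check plus LACP active/standby selection.

Added example, not from the original notes. Interface records and the
system/port priorities below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Intf:
    name: str
    port_number: int            # stand-in for the LACP port number (tie-breaker)
    speed: int                  # Mb/s
    duplex: str
    mode: str                   # "access" or "trunk"
    vlans: FrozenSet[int]       # access VLAN, or allowed VLAN range on a trunk
    lacp_port_priority: int = 32768


def bundle_mismatches(members: List[Intf]) -> List[str]:
    """Attributes that differ among prospective members; empty means the bundle can form."""
    problems = []
    for attr in ("speed", "duplex", "mode", "vlans"):
        if len({getattr(i, attr) for i in members}) > 1:
            problems.append(attr)
    return problems


def lacp_decider(local: Tuple[int, str], peer: Tuple[int, str]) -> Tuple[int, str]:
    """Which system (priority, MAC) chooses the active ports: the lower system ID."""
    return min((local, peer), key=lambda s: (s[0], int(s[1].replace(":", ""), 16)))


def lacp_active_set(members: List[Intf], max_active: int = 8) -> Tuple[List[str], List[str]]:
    """Lowest port priority (then port number) goes active; the rest stand by."""
    order = sorted(members, key=lambda i: (i.lacp_port_priority, i.port_number))
    active = [i.name for i in order[:max_active]]
    standby = [i.name for i in order[max_active:]]
    return active, standby


# Constructed members: ten identical trunks, the last two with a worse port priority.
TRUNK_VLANS = frozenset(range(10, 21))
MEMBERS = [
    Intf(f"Gi1/0/{n}", n, 1000, "full", "trunk", TRUNK_VLANS, 40000 if n > 8 else 32768)
    for n in range(1, 11)
]
# Constructed misfit: same speed/duplex/mode but a different allowed VLAN range.
ODD_ONE = Intf("Gi1/0/11", 11, 1000, "full", "trunk", frozenset(range(10, 31)))


if __name__ == "__main__":
    print("mismatches:", bundle_mismatches(MEMBERS + [ODD_ONE]))
    print("decider:", lacp_decider((32768, "00:1a:2b:00:00:20"), (32768, "00:1a:2b:00:00:10")))
    print("active/standby:", lacp_active_set(MEMBERS))
```

The check is worth running before pasting a channel-group into production: a single member with a different allowed VLAN list is enough to keep the channel from forming, and knowing in advance which two links will sit in standby avoids surprises when the ninth and tenth ports come up but carry no traffic.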
🔄 Configuration Options:
switches. 🚀💻
🌐 In Summary:
Understanding the nuances of each EtherChannel mode empowers network
administrators to tailor link aggregation strategies based on the network's dynamics
Centralized Configuration:
🤖 Logic of EtherChannel:
🔄 One-to-One Relationship:
🚫 Limitations:
Traffic cannot be sent to two different switches through the same EtherChannel link.
EtherChannel technology exclusively bundles ports of the same type.
Ethernet ports. 🚀💡
🌐 Overview: VTP is a boon in new networks for VLAN implementation, but as the network
expands, it can transform from an asset to a risk. Accidental deletion of a VLAN on one server
propagates the deletion network-wide. Introducing a switch with a pre-defined VLAN database
can lead to the unwanted removal of added VLANs. The recommended practice is to set all
switches to transparent VTP mode, manually adding VLANs, especially in extensive campus
networks. While VTP is ideal for smaller setups, transparency ensures control and avoids
unintended changes.
📍 Resource Distribution: In networks where resources may be distant from user locations, certain
links face heavy demand. While increasing link speed helps to an extent, EtherChannel steps in to
address bandwidth challenges by creating logical links from multiple physical ones.
📚 Key Topics:
📈 Growing Demand: Intranet applications like video streaming, interactive messaging, VoIP, and
collaborative tools escalate the need for scalable bandwidth in campus networks. Simultaneously,
resilient network designs are crucial for mission-critical applications. With the widespread
adoption of high-speed Ethernet links, users must aggregate existing resources or enhance uplink
and core speeds to ensure optimal performance across the network backbone. EtherChannel
🚀 The distribution layer in the campus design has a unique role in which it acts as a
services and control boundary between the access layer and the core. Both the
access layer and the core are essentially dedicated special-purpose layers. The access
layer is dedicated to meeting the functions of end-device connectivity, and the core
layer is dedicated to providing nonstop connectivity across the entire campus