
Spanning-Tree Protocol (STP)

Uploaded by

SANKET PARSEKAR

Spanning-Tree Protocol (STP)

What is Spanning Tree?

Spanning-Tree Protocol is a protocol used in switched networks to create a loop-free
topology. STP is enabled by default on all VLANs on Catalyst switches. STP
switches send BPDUs (Bridge Protocol Data Units) to each other to form their
topology databases. BPDUs are sent out all ports every two seconds and are
sent to a specific multicast MAC address: 0180.c200.0000.
What causes a loop in a switched network?
When two switches are connected via a single cable, there are no loops in the
switching network.
The topology below is an example.

Loops occur when we add redundancy to avoid a single point of failure (that is,
connecting two switches via two or more cables to provide a backup in case
one of the links fails). When a loop is introduced into the network, a highly
destructive broadcast storm can develop within seconds, and it will slow down or
block all other traffic.
Let's see how a loop happens in the topology below.

1. Computer A, which is connected to switch A, sends an ARP request because
it’s looking for the MAC address of a computer connected to switch B. An
ARP request is a broadcast frame.
2. Switch A will forward this broadcast frame on all its interfaces, except the
link where the frame originated from.
3. Switch B will receive both broadcast frames from switch A.
4. Switch B will forward each one out of every link except the interface where it
originated from.
5. This means that the frame that was received on Interface fa0/1 will be
forwarded on Interface fa0/2.
6. The frame that was received on Interface fa0/2 will be forwarded on
Interface fa0/1.
So a loop will occur in the network. Both switches will keep forwarding the frames over and
over until we disconnect one of the cables or a switch crashes under the excess
traffic.
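The six steps above can be replayed in a few lines. This is an added example, not part of the original notes; it assumes one host on fa0/3 of each switch and models a blocked port as one that neither sends nor accepts frames.

```python
# Constructed topology from the steps above: Switch A and Switch B joined by
# two parallel links (fa0/1-fa0/1 and fa0/2-fa0/2). Computer A sits on A fa0/3
# and a second host on B fa0/3 (the fa0/3 ports are an assumption).
LINKS = {("A", "fa0/1"): ("B", "fa0/1"), ("A", "fa0/2"): ("B", "fa0/2")}
LINKS.update({peer: end for end, peer in list(LINKS.items())})
PORTS = {"A": ["fa0/1", "fa0/2", "fa0/3"], "B": ["fa0/1", "fa0/2", "fa0/3"]}


def flood(blocked=frozenset(), max_rounds=50):
    """Inject one broadcast on A fa0/3 and flood it round by round.

    Returns (rounds run, frames still in flight, copies delivered to hosts).
    `blocked` holds (switch, port) pairs that neither send nor accept frames.
    """
    in_flight = [("A", "fa0/3")]           # (switch, ingress port)
    host_copies = 0
    for rnd in range(1, max_rounds + 1):
        nxt = []
        for sw, ingress in in_flight:
            if (sw, ingress) in blocked:
                continue                    # a blocked port drops what it receives
            for port in PORTS[sw]:
                if port == ingress or (sw, port) in blocked:
                    continue                # never flood back out the ingress port
                peer = LINKS.get((sw, port))
                if peer is None:
                    host_copies += 1        # edge port: a host receives a copy
                else:
                    nxt.append(peer)        # frame crosses the inter-switch link
        in_flight = nxt
        if not in_flight:
            return rnd, 0, host_copies      # network went quiet
    return max_rounds, len(in_flight), host_copies


if __name__ == "__main__":
    print("two active links :", flood())
    print("B fa0/2 blocked  :", flood(blocked={("B", "fa0/2")}))
```

With both links active the two copies never leave the network and the hosts keep receiving duplicates every round; with one port blocked the broadcast is delivered once and the network is quiet after two rounds.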
So how does STP block or prevent a loop?
An STP-enabled switch will block a port if a loop exists, and the blocked port will be
activated again if needed. Check the topology below.

The STP Process


To maintain a loop-free environment, STP performs the following functions:
• A Root Bridge is elected
• Root Ports are identified
• Designated Ports are identified
• If a loop exists, a port is placed in Blocking state. If the loop is removed the
blocked port is activated again.
If multiple loops exist in the switching environment, multiple ports will be placed
in a blocking state.
Switches exchange BPDUs to perform the election process. By default, all
switches “believe” they are the Root Bridge, until a switch with a lower Bridge ID
is discovered. Root Bridge elections are a continuous process. If a new switch with
a lower Bridge ID is added to the topology, it will be elected as the new Root
Bridge.
Electing an STP Root Bridge
First, STP has to elect a root bridge for the network. The root bridge is the switch
with the lowest bridge identifier (Bridge ID).
Bridge Identifier = Bridge priority + MAC Address
Normally the bridge priority is the same for all switches (i.e. 32768 by
default). The range of the bridge priority is 0 - 65535. As all switches have the same
priority, the switch with the lowest MAC address in the network will be elected as the
"Root Bridge". One thing we must keep in mind is that the latest switches always
have higher MAC addresses than old switches. So normally the oldest switch in your
network or datacenter might be elected as Root Bridge instead of a new switch. To
avoid this, we can change the default bridge priority of the switches.
We can select the Root Bridge manually by two methods.
The spanning-tree vlan root primary command is the first one:
Switch(config)#spanning-tree vlan <Vlan Number> root primary
The spanning-tree vlan priority command is the second one:
Switch(config)#spanning-tree vlan <Vlan number> priority 4096
Commands used in Spanning tree
Switch#show spanning-tree
Switch#show spanning-tree summary
Switch#debug spanning-tree
Switch#debug spanning-tree events
NOTE: We know the default bridge priority is 32768. But in a real environment, when
you type the command "show spanning-tree" you may see something like this:
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
The sys-id-ext value that you see is the VLAN number. The priority is 32768, but
spanning-tree adds the VLAN number 1, so we end up with the priority value
32769 (32768 + 1). For VLAN 10 it would be 32778 (32768 + 10).
Interfaces that forward traffic are called designated ports in spanning-tree. On a
root bridge the interfaces are always in forwarding mode because the non-root
switches will need to find the root bridge.
Identifying Root Ports
After the root bridge is found, all other switches in the network (non-root bridges)
have to find the shortest path to the root bridge. This shortest path to the root bridge is
found by calculating the path cost. The lowest path cost is always better. The path cost of a
Gigabit interface is less than that of a Fast Ethernet link, so STP will choose a Gigabit link
over Fast Ethernet. The interface that leads to the root bridge is called the root
port.
The root port always forwards traffic to the root bridge. Each switch has only one
Root Port, and the Root Bridge cannot have a Root Port.

Spanning-tree uses cost to determine the shortest path to the root bridge. The
slower the interface, the higher the cost is. The path with the lowest cost will be
used to reach the root bridge. Below is the cost table:

Bandwidth    Cost
10 Mbit      100
100 Mbit     19
1000 Mbit    4

Identifying Designated Ports


The third and final step in the STP process is to identify Designated Ports. Each
network segment requires a single Designated Port, which has the lowest path cost
leading to the Root Bridge. This port will not be placed in a blocking state. A port
cannot be both a Designated Port and a Root Port. Ports on the Root Bridge are
never placed in a blocking state and are always designated ports.
Port ID
In certain circumstances, a tie will occur in both Path Cost and Bridge ID. Consider
the following example:

If the bandwidth of both links is equal, then both of Switch 2’s interfaces have an
equal path cost to the Root Bridge. Which interface will become the Root Port?
The tiebreaker should be the lowest Bridge ID, but that cannot be used in this
circumstance.
In this circumstance, Port ID will be used as the tiebreaker. An interface’s Port ID
consists of two parts - a 6-bit port priority value, and the MAC address for that
port. Whichever interface has the lowest Port ID will become the Root Port.
By default, the port priority of an interface is 128. Lowering this value will ensure
a specific interface becomes the Root Port:
Switch(config)# int fa0/22
Switch(config-if)# spanning-tree port-priority 60
Remember that port priority is the last tiebreaker STP will consider. STP decides
Root and Designated Ports based on the following criteria, and in this order:
• Lowest Path Cost to the Root Bridge
• Lowest Bridge ID
• Lowest Port ID
Consider the example below.

For simplicity, the MAC addresses of the switches are taken as below:
MAC of Switch A : AAA
MAC of Switch B : BBB
MAC of Switch C : CCC
Identifying the Root Bridge
In the above example the priority of all switches is the default (32768). So we have to
look at the lowest MAC address to find the root bridge. Switch A has the lowest
MAC address of all and is elected as Root Bridge. We know all ports of the Root
Bridge will be designated ports (forwarding state), represented by D.
Identifying Root Ports
Fa 0/14 of switch B and Fa 0/14 of switch C are the Root Ports here because they
are the shortest path to reach the Root Bridge.
Identifying the designated ports
Now we have to find which port has to be designated and which port has to be
blocked between Switch B and Switch C. As we know, the switch with the lowest
MAC address will have the designated port here and the other switch's port will be in the blocked
state. Here Switch B has a lower MAC address than Switch C. So Fa 0/16 of switch
B becomes the designated port and Fa 0/16 of switch C will be the alternative port (blocked
port).
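The three steps (root bridge, root ports, designated ports) worked through for this three-switch example, as an added sketch that is not part of the original notes. Switch A's port names, 100 Mbit links and VLAN 1 are assumptions because the figure is not available, and the Port ID tiebreak is not modelled since this topology has no parallel links.

```python
COST = {10: 100, 100: 19, 1000: 4}  # Mbit/s -> path cost, from the cost table above


def bridge_id(mac, priority=32768, vlan=1):
    """Bridge ID as a comparable tuple: (priority + sys-id-ext, MAC)."""
    return (priority + vlan, mac)


# MACs AAA/BBB/CCC and the default priority are the page's; VLAN 1 is assumed.
SWITCHES = {"A": bridge_id("AAA"), "B": bridge_id("BBB"), "C": bridge_id("CCC")}

# (end 1, end 2, speed in Mbit/s). Switch A's port names and the 100 Mbit
# speed are assumptions, since the original figure is not available.
LINKS = [
    (("A", "Fa0/1"), ("B", "Fa0/14"), 100),
    (("A", "Fa0/2"), ("C", "Fa0/14"), 100),
    (("B", "Fa0/16"), ("C", "Fa0/16"), 100),
]


def root_path_costs(switches, links, root):
    """Relax link costs until every switch knows its lowest cost to the root."""
    cost = {sw: float("inf") for sw in switches}
    cost[root] = 0
    for _round in switches:
        for (a, _pa), (b, _pb), speed in links:
            cost[a] = min(cost[a], cost[b] + COST[speed])
            cost[b] = min(cost[b], cost[a] + COST[speed])
    return cost


def stp_roles(switches, links):
    """Return (root switch, {(switch, port): role}) for one VLAN."""
    root = min(switches, key=switches.get)       # step 1: lowest bridge ID wins
    cost = root_path_costs(switches, links, root)
    roles = {}
    for sw in switches:                           # step 2: one root port per non-root
        if sw == root:
            continue
        offers = []                               # (cost via peer, peer bridge ID, my port)
        for end1, end2, speed in links:
            for (me, port), (peer, _pp) in ((end1, end2), (end2, end1)):
                if me == sw:
                    offers.append((cost[peer] + COST[speed], switches[peer], port))
        roles[(sw, min(offers, key=lambda o: o[:2])[2])] = "root"
    for end1, end2, _speed in links:              # step 3: one designated port per segment
        best = min((end1, end2), key=lambda e: (cost[e[0]], switches[e[0]]))
        other = end2 if best == end1 else end1
        roles[best] = "designated"
        roles.setdefault(other, "blocked")        # neither root nor designated
    return root, roles


if __name__ == "__main__":
    root, roles = stp_roles(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"  {sw} {port}: {role}")
```

Re-running stp_roles with Switch C's priority lowered to 4096 moves the root to C and the blocked port to B's Fa0/14, which is the effect of the priority command shown earlier.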
Points to remember
• STP is also called IEEE 802.1D.
• STP is used to avoid loops.
• Ethernet has no capacity for detecting loops. If a loop exists, a broadcast storm
will appear.
• STP prevents loop formation by detecting redundant links and disabling
them until needed.
• STP is enabled by default on switches.
• STP works by selecting a switch in the network as a root bridge.
• An STP network must select:
o One root bridge
o One root port per non-root bridge
o One designated port per network segment
• Designated port (DP): All ports on the root bridge must be DPs. All designated
ports will be in the forwarding state.
• Root Port (RP): The root port is the port on a non-root bridge that provides
the best path to the root bridge.
• Blocked port (BP): Such ports will be in the blocked state. A blocked port will receive
information from designated ports but will not send any information
through it.
• One end of every link must be a designated port. The other end may be a blocked
port or a root port.

RSTP:-

Rapid spanning tree (RSTP) Notes


Rapid spanning tree is not a revolution of the original spanning tree but an
evolution of it. Behind the scenes some things have been changed to speed up
the process.
In the original STP we had 4 port states. They are:
Blocking
Listening
Learning
Forwarding
In RSTP, the Blocking and Listening states are combined into one, so in total there are 3
states. They are:
Discarding
Learning
Forwarding
The root bridge election process in RSTP is the same as in the original STP. The switch with
the best bridge ID (priority + MAC address) becomes the root bridge. The
other switches (non-root) have to find the shortest cost path to the root bridge. This
is the root port. Nothing changes here. On each segment there can be only one
designated port or we’ll end up with a loop. A port will become the designated
port if it can send the best BPDU. Root bridge ports are always
in designated mode.
Rapid spanning tree and the original STP are compatible. In the original STP only the root
bridge sends BPDUs to the other non-root switches, and they receive them on their root
ports. But in RSTP all switches generate BPDUs every two seconds (hello time).
This is the default hello time but you can change it.
The original STP uses the max age timer (15 seconds) so MAC addresses could be
removed faster from the MAC address table. In RSTP, BPDUs are used as a keepalive
mechanism similar to what routing protocols like OSPF or EIGRP use. If a
switch misses three BPDUs from a neighbor switch it will assume connectivity to
this switch has been lost and it will remove all MAC addresses immediately.
The original STP used to reject inferior BPDUs, but RSTP accepts inferior BPDUs (as
the backbone fast feature is enabled).

MST (Multiple Spanning Tree) Notes and configuration


In PVST, we need a separate calculation for each VLAN. This is fine
for a small number of VLANs. But if we have hundreds of VLANs, this is not easy. For
such cases we use MST (Multiple Spanning Tree).
In MST, instead of calculating a spanning tree for each VLAN, we can use instances
and map VLANs to each instance. For example, consider we have 200 VLANs. They can
be configured as:
• Instance 1: VLAN 100 – 200.
• Instance 2: VLAN 201 – 300.
Only two spanning tree calculations (instances) are required for all these VLANs.
MST works with the concept of regions. Switches that are configured to use MST
need to find out if their neighbors are running MST. When switches have the same
attributes they will be in the same region. It's possible to have one or more regions,
and here are the attributes that need to match:
• MST configuration name.
• MST configuration revision number.
• MST instance to VLAN mapping table.
When switches have the same attributes configured they will be in the same region.
If the attributes are not the same, the switch is seen as being at the boundary of the
region. It can be connected to another MST region but can also talk to a switch running
another version of spanning tree.
We can give any name or number for the "MST configuration name" and "MST
configuration revision number". VLANs are mapped to an instance by using the
"MST instance to VLAN mapping table". This is something we have to do
ourselves.
Within the MST region we will have one instance of spanning tree that will create
a loop-free topology within the region. When you configure MST there is always
one default instance used to calculate the topology within the region. We call this
the IST (Internal Spanning Tree). By default Cisco will use instance 0 to run the
IST.
By default only instance 0 is available. We can see that all VLANs are
currently mapped to instance 0.

Let's do an example. There are two switches, Switch A and Switch B. Don't forget
to create a trunk between the switches.
SwitchA(config)#spanning-tree mode mst
SwitchA(config)#vlan 10
SwitchA(config-vlan)#vlan 20
SwitchA(config-vlan)#vlan 30
SwitchA(config-vlan)#vlan 40
SwitchA(config-vlan)#vlan 50
SwitchA(config-vlan)#vlan 60
SwitchA(config-vlan)#exit
SwitchB(config)#spanning-tree mode mst
SwitchB(config)#vlan 10
SwitchB(config-vlan)#vlan 20
SwitchB(config-vlan)#vlan 30
SwitchB(config-vlan)#vlan 40
SwitchB(config-vlan)#vlan 50
SwitchB(config-vlan)#vlan 60
SwitchB(config-vlan)#exit
We enabled MST and configured VLANs 10, 20, 30, 40, 50 and 60 on both Switch A and
Switch B.
SwitchA(config)#spanning-tree mst configuration
SwitchA(config-mst)#name sysnetnotes
SwitchA(config-mst)#revision 1
SwitchA(config-mst)#instance 2 vlan 10,20,30
SwitchA(config-mst)#instance 3 vlan 40,50,60
SwitchA(config-mst)#exit
SwitchB(config)#spanning-tree mst configuration
SwitchB(config-mst)#name sysnetnotes
SwitchB(config-mst)#revision 1
SwitchB(config-mst)#instance 2 vlan 10,20,30
SwitchB(config-mst)#instance 3 vlan 40,50,60
SwitchB(config-mst)#exit
This is how we configure MST. First you need the spanning-tree mst configuration
command to enter the configuration of MST. We set the name by using the name
command (you can set any name). Don't forget to set a revision number and map
the instances with the instance command.
We can use the show spanning-tree mst configuration command to verify our
configuration. You can see that we now have two instances. The VLANs are
mapped to instances 2 and 3. All the other VLANs are still mapped to instance 0.
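A quick way to check that two switches really ended up in the same region is to compare the three attributes listed earlier. The following is an added example, not part of the original notes; it parses the configuration lines shown above, and the drifted Switch B input is constructed to show what a mismatch looks like.

```python
def parse_vlans(spec):
    """Expand '10,20,30' or '100-200' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mst(config):
    """Read the MST configuration lines of one switch.

    Returns (name, revision, table). The table maps VLAN -> instance for every
    VLAN moved out of instance 0; VLANs not listed stay in instance 0 (the IST).
    An empty name and revision 0 are assumed when the lines are absent.
    """
    name, revision, table = "", 0, {}
    for line in config.splitlines():
        words = line.split("#", 1)[-1].split()    # drop the 'Switch(config-mst)#' prompt
        if words[:1] == ["name"] and len(words) == 2:
            name = words[1]
        elif words[:1] == ["revision"] and len(words) == 2:
            revision = int(words[1])
        elif words[:1] == ["instance"] and len(words) >= 4 and words[2] == "vlan":
            for vlan in parse_vlans("".join(words[3:])):
                table[vlan] = int(words[1])
    table = {vlan: inst for vlan, inst in table.items() if inst != 0}
    return name, revision, table


def region_mismatches(cfg_a, cfg_b):
    """List which of the three region attributes differ between two switches."""
    labels = ("name", "revision", "instance-to-VLAN mapping")
    return [label for label, x, y in zip(labels, parse_mst(cfg_a), parse_mst(cfg_b))
            if x != y]


# Switch A exactly as configured above.
SWITCH_A = """\
SwitchA(config)#spanning-tree mst configuration
SwitchA(config-mst)#name sysnetnotes
SwitchA(config-mst)#revision 1
SwitchA(config-mst)#instance 2 vlan 10,20,30
SwitchA(config-mst)#instance 3 vlan 40,50,60
"""
# Constructed drift: VLAN 60 was left out of instance 3 on Switch B.
SWITCH_B_DRIFTED = SWITCH_A.replace("SwitchA", "SwitchB").replace("40,50,60", "40,50")

if __name__ == "__main__":
    print("A vs A        :", region_mismatches(SWITCH_A, SWITCH_A) or "same region")
    print("A vs drifted B:", region_mismatches(SWITCH_A, SWITCH_B_DRIFTED))
```

An empty list means the two switches share a region; any entry means each switch treats the other as a region boundary.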
To set the Root Bridge manually in MST:
Switch(config)#spanning-tree mst 0 priority 4096
This is how I change the priority for MST "instance 0".
To view:
Switch#show spanning-tree mst
Switch#show spanning-tree mst configuration
NOTE: MST will only advertise BPDUs from the IST (Internal Spanning Tree)
to the outside world.

Interview Questions
1. What is Spanning Tree, aka STP?
2. How does STP maintain a loop-free network?
3. What parameters can be tuned to influence the selection of a port as a Root or Designated Port?
4. What is a BPDU? What is the basic function of a BPDU?
5. Using the default STP timers, how long does it take for a port to move from the Blocking state to the Forwarding state?
6. What is the STP listening state?
7. Which command enables RSTP on a switch?
8. What is Per-VLAN Spanning Tree Protocol (PVST)?
9. What is the default bridge priority in a Bridge ID for all Cisco switches?
10. Which STP version runs by default on Cisco switches?
11. What is the purpose of Spanning Tree Protocol in a switched LAN?
12. What is the difference between Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP)?
13. What is the STP blocking state?
14. What is the STP Forwarding state?
15. What is the difference between a Root Port and a Designated Port?
16. What is the difference between path cost and root path cost?
17. What is the difference between STP, MSTP, PVST and RSTP?
18. What is path cost?
19. Define the selection criteria of the STP root bridge.
20. What are the four spanning tree port states?
21. How does a non-root bridge decide which port will be elected as the root port?
22. If a non-root bridge has two redundant ports with the same root path cost, how does the bridge choose which port will be the root port?
23. Port states of Spanning Tree Protocol.
24. If users face a delay during initial login, what would you suggest implementing?
25. Why is the spanning tree BPDU filter used?
26. Can I use BPDU filter on trunk ports?
27. Which port state is introduced by Rapid-PVST?
28. What is Spanning Tree Protocol (STP) PortFast?
29. What does STP do when it detects a topology change in the network due to a bridge or link failure?

QinQ:-

802.1Q tunneling
IEEE 802.1Q tunneling can be used to achieve simple layer 2 VPN connectivity
between sites by encapsulating one 802.1Q trunk inside another. 802.1Q tunneling is
also called QinQ.
Business customers of service providers often have specific requirements for
VLAN IDs and the number of VLANs to be supported. The VLAN ranges required
by different customers in the same service-provider network might overlap, and
traffic of customers through the infrastructure might be mixed. Assigning a unique
range of VLAN IDs to each customer would restrict customer configurations and
could easily exceed the VLAN limit (4096) of the IEEE 802.1Q specification.
802.1Q tunneling solves these issues by assigning each customer a single VLAN
number, chosen by the service provider. Within each customer VLAN exists a
secondary 802.1Q trunk, which is controlled by the customer. Each customer
packet traversing the service provider network is tagged twice: the innermost
802.1Q header contains the customer-chosen VLAN ID, and the outermost header
contains the VLAN ID assigned to the customer by the service provider.
Customer traffic tagged in the normal way with appropriate VLAN IDs comes
from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on
the service-provider edge switch. The link between the customer device and the
edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk
port, and the other end is configured as a tunnel port.
Note: By default, the native VLAN traffic of a dot1q trunk is sent untagged, so it
cannot be double-tagged in the service provider network. Because of this,
the native VLAN traffic might not be tunneled correctly. Be sure that the native
VLAN traffic is always sent tagged on an asymmetrical link. Also, before configuring
802.1Q tunneling, we must verify that all of our switches support the necessary
maximum transmission unit (MTU) of 1504 bytes.
These are some ways to solve the native VLAN tagging problem:
• Use the vlan dot1q tag native global configuration command to configure the edge
switch so that all packets going out an IEEE 802.1Q trunk, including the native
VLAN, are tagged. If the switch is configured to tag native VLAN packets on all
IEEE 802.1Q trunks, the switch accepts untagged packets, but sends only tagged
packets.
• Ensure that the native VLAN ID on the edge-switch trunk port is not within the
customer VLAN range. For example, if the trunk port carries traffic of VLANs 100
to 200, assign the native VLAN a number outside that range.
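The double tagging, the 1504-byte MTU and the native VLAN problem can all be seen by building the frames byte by byte. This is an added example, not part of the original notes; customer VLAN 30, provider VLAN 100 and the MAC addresses are constructed, and both tags are assumed to use TPID 0x8100 (802.1ad provider bridges use 0x88A8 for the outer tag).

```python
import struct

TPID_8021Q = 0x8100  # tag protocol identifier of an 802.1Q header (assumed for both tags)


def tag(vlan_id, pcp=0):
    """Build one 4-byte 802.1Q tag: 16-bit TPID, 3-bit PCP, 1-bit DEI, 12-bit VLAN ID."""
    if not 0 <= vlan_id <= 0xFFF:
        raise ValueError("VLAN ID must fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)


def customer_frame(vlan_id=None, payload_len=1500):
    """Constructed broadcast frame; vlan_id=None models untagged native-VLAN traffic."""
    macs = b"\xff" * 6 + bytes.fromhex("020000000001")   # dst, src (constructed)
    inner = tag(vlan_id) if vlan_id is not None else b""
    return macs + inner + struct.pack("!H", 0x0800) + bytes(payload_len)


def tunnel_ingress(frame, provider_vlan):
    """What the provider's tunnel port does: push an outer tag after the MAC addresses."""
    return frame[:12] + tag(provider_vlan) + frame[12:]


def parse_tags(frame):
    """Return the VLAN IDs found after the two MAC addresses, outermost first."""
    vlans, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break                      # reached the real EtherType
        vlans.append(tci & 0x0FFF)
        offset += 4
    return vlans


def provider_payload_len(frame):
    """Bytes the provider switch carries after the MACs, the outer tag and the
    2-byte type field that follows it (for a customer-tagged frame, the inner TPID)."""
    return len(frame) - 12 - 4 - 2


if __name__ == "__main__":
    tagged = tunnel_ingress(customer_frame(vlan_id=30), provider_vlan=100)
    untagged = tunnel_ingress(customer_frame(vlan_id=None), provider_vlan=100)
    print("customer-tagged :", parse_tags(tagged), provider_payload_len(tagged), "bytes")
    print("native, untagged:", parse_tags(untagged), provider_payload_len(untagged), "bytes")
```

The customer-tagged frame comes out as [100, 30] with a 1504-byte payload from the provider's point of view, while the untagged native-VLAN frame carries only the provider tag, which is why the note above insists on tagging the native VLAN.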
