Upload
danneco87
View
215
Download
0
Embed Size (px)
Citation preview
1Chapter 3
Chapter 3 - Implementing Spanning Tree
Objectives•Summarise how 802.1D STP works to eliminate Layer 2
loops in a converged network.•Explain the enhancements that can be used to optimise
and protect STP.•Describe the operation of per-VLAN STP•Describe the operation of 802.1w Rapid STP.•Describe the operation of 802.1s Multiple STP.•Implement rapid per VLAN (RSTP) and Multiple STP
spanning tree (rapid PVST+) in a LAN to prevent switching loops.
2Chapter 3
Switching Loops• The addition of redundant paths creates switching
loops, leading to the following problems:
•Multiple Frame Transmission•MAC Database Instability•Broadcast Storms
Fa0/1 Fa0/1
Fa0/2 Fa0/2
3Chapter 3
Spanning Tree Protocol 802.1D (STP)•The solution is to allow physical loops, but create a loop free logical topology called a tree.
•It is a spanning-tree because all devices in the network are reachable or spanned.
•The algorithm used to create this loop free logical topology is the spanning-tree algorithm.
•STP exchanges information called Bridge Protocol Data Units (BPDUs).
•A new algorithm called the rapid spanning-tree algorithm was developed to reduce the time for a network to compute a loop free logical topology.
4Chapter 3
STP Variants
5Chapter 3
•A bridge uses a four-step decision sequence to save a copy of the "best" BPDU seen on every port:
1. Lowest root Bridge ID (BID)2. Lowest path cost to root bridge3. Lowest sender bridge ID4. Lowest sender port ID
•When making this evaluation, it considers all the BPDUs received on the port as well as the BPDU that would be sent on that port.
•As every BPDU arrives, it is checked to see if it is more attractive (that is, lower in value) than the existing BPDU saved for that port.
•If the new BPDU (or the locally generated BPDU) is more attractive, the old value is replaced.
Bridge Protocol Data Unit
6Chapter 3
802.1D Bridge Protocol Data Unit •By default BPDUs are sent every two seconds.
•The BID consists of a bridge priority that defaults to 32768 (0x8000) and the switch MAC address.
•The BID uses one of the MAC addresses from a pool of MAC addresses that are assigned to the switch backplane.
BridgePriority
MACAddress
2 Bytes 6 Bytes
BID
7Chapter 3
BPDUs contain information that allow switches to perform specific actions:•Select a single switch that will act as the root of the spanning-tree.•Calculate the shortest path from itself to the root switch. •Designate one of the switches as the closest one to the root, for each LAN segment. This switch is called the designated switch. The designated switch handles all communication from that LAN segment towards the root bridge. •Each non-root switch chooses one of its ports as its root port - the interface that gives the best path to the root switch. •Non-designated ports are blocked.
Bridge Protocol Data Unit
Root Switch
Des
Des
Root Port
Block
8Chapter 3
Step 1 - Root Bridge Election Process
•MAC=1111.1111.1111•Priority = 32768
•MAC=3333.3333.3333•Priority = 32768
•MAC=2222.2222.2222•Priority = 32768
•MAC=4444.4444.4444•Priority = 32768
Fa0/1 Fa0/1Fa0/2
Fa0/2Fa0/1 Fa0/1
Fa0/2
Fa0/2
S3 S1
S2 S4
Cost = 19
Cost = 19
Cost = 19
Cost = 19
Root
9Chapter 3
• Upon completion of the root bridge election process, the switches continue to forward the root BPDU frames advertising the root ID of the root bridge every 2 seconds.
• Each switch is configured with a max age timer that determines how long a switch retains the current BPDU configuration in the event it stops receiving updates from its neighboring switches. By default, the max age timer is set to 20 seconds.
• Therefore, if a switch fails to receive 10 consecutive BPDU frames from one of its neighbors, the switch assumes that a logical path in the spanning tree has failed and that the BPDU information is no longer valid. This triggers another spanning-tree root bridge election.
Step 1 - Root Bridge Election Process
10Chapter 3
Step 2 - Root Port Election Process
•MAC=1111.1111.1111•Priority = 32768
•MAC=3333.3333.3333•Priority = 32768
•MAC=2222.2222.2222•Priority = 32768
•MAC=4444.4444.4444•Priority = 32768
Cost = 19
Cost = 19
Cost = 19
Cost = 19
Fa0/1 Fa0/1Fa0/2
Fa0/2Fa0/1 Fa0/1
Fa0/2
Fa0/2
S3 S1 - RootRootPort
RootPort
RootPort
•Shortest path is based on cumulative link costs. •Link costs are based on the speed of the link
1. Lowest root Bridge ID (BID)2. Lowest path cost to root
bridge3. Lowest sender bridge ID4. Lowest sender port ID
S2 S4
11Chapter 3
Step 3 - Designated Port Election Process
•MAC=1111.1111.1111•Priority = 32768
•MAC=3333.3333.3333•Priority = 32768
•MAC=2222.2222.2222•Priority = 32768
•MAC=4444.4444.4444•Priority = 32768
Cost = 19
Cost = 19
Cost = 19
Cost = 19
Fa0/1 Fa0/1Fa0/2
Fa0/2Fa0/1 Fa0/1
Fa0/2
Fa0/2
S3 S1 - RootRootPort
RootPort
RootPort
DesignatedPort Designated
Port
DesignatedPort
DesignatedPort
Non-DesignatedPort (Blocking)
1. Lowest root Bridge ID (BID)2. Lowest path cost to root
bridge3. Lowest sender bridge ID4. Lowest sender port ID
S2 S4
12Chapter 3
STP Port Roles• The root port exists on non-root bridges and is the switch
port with the best path to the root bridge. Root ports forward traffic toward the root bridge.
• The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment.
• The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port.
13Chapter 3
802.1D BPDU Timers
Blocking(max age = 20 secs)
Listening(forward delay = 15 secs)
Learning(forward delay = 15 secs)
Blocking(moves to listening after decides whether it is a root or designated port)
Link comes
up
Forwarding
•Adjust spanning tree timers with care!
•Defaults are calculated based on a network diameter of 7 switches.
•Set the diameter on the root switch, and it will propagate new timers to the other switches via its BPDUs.
S1(config)#spanning-tree vlan 10 root primary diameter 4
14Chapter 3
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Blk
TCN
BPDU ACKBPDU ACK
•After a topology change, S3 sends a topology change notification (TCN) BPDU from its root port, which is forwarded by subsequent switches, until the root switch is informed of the change.
•When the root bridge receives the TCN BPDU, it sends out a normal BPDU with the topology change flag set.
•This causes all switches to shorten their CAM table aging timers from the default to the forward delay interval.
802.1D Spanning Tree Protocol Topology Changes
15Chapter 3
•When a switch port configured with PortFast is configured as an access port, it transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Blk
S3(config)#int fa0/8S3(config-if)#spanning-tree portfastorS3(config)#spanning-tree portfast default
Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc..to this interface when portfast is enabled, can cause temporary bridging loops.Use with CAUTION
Portfast has been configured on FastEthernet0/8 but will only have effect when the interface is in non-trunking mode.
802.1D Spanning Tree Protocol Portfast
16Chapter 3
802.1D Spanning Tree Protocol BPDU Guard
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Blk
S3(config)#int fa0/8S3(config-if)#spanning-tree bpduguard enableorS3(config)#spanning-tree portfast bpduguard default
• In a valid configuration, PortFast-configured interfaces should not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device
•The STP BPDU Guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the STP blocking state (the default behaviour).
17Chapter 3
802.1D Spanning Tree Protocol Enhancements:
UplinkFast(Cisco)
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Blk
S3(config)#spanning-tree uplinkfast | max-update-rate
•UplinkFast allows alternate paths to the root to be activated immediately when the primary root path fails. •UplinkFast works by keeping a track of possible paths to the root bridge – the command is not allowed on a root bridge. •Uplinkfast also makes some modifications to the local switch to ensure that it does not become the root bridge – the priority is raised to 49,152 and the path cost of all ports is incremented to 3000.
Root
18Chapter 3
802.1D Spanning Tree Protocol Enhancements: BackboneFast(Cisco)
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Blk
S3(config)#spanning-tree backbonefast
•BackboneFast allows a switch to determine whether alternative paths exist to the root bridge in the case of an indirect link failures.
•If the local switch has blocked ports, BackboneFast begins to use the Root Link Query (RLQ) protocol to see whether upstream switches have stable connections to the root bridge.
•RLQ replies will short circuit the max-age timer on S3.
Root
Des
S4
Inf BPDU
RLQ Req
RLQ Req
RLQ Rep
RLQ Rep
Root Des
Root
19Chapter 3
Protecting Spanning Tree Protocol: Root Guard
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Blk
S4(config-if)#spanning-tree guard rootS4#sh spanning-tree inconsistentports
•The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network.
•As long as superior BPDUs are received by S2 or S4, the receiving port will be kept in the root-inconsistent state. This prevents the port sending or receiving data, but the switch can listen to BPDUs.
Root
DesRoot Guard
S4
Superior BPDU
DesRoot
Guard
Superior BPDU
20Chapter 3
Protecting Spanning Tree Protocol: Loop Guard
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Blk
S4(config-if)#spanning-tree guard loopS4(conf)#spanning-tree loopguard default
Root
DesS4
Des Des
Blk
•The Loop Guard feature keeps track of BPDU activity on non-designated (blocking) ports, and when BPDUs go missing, it moves the port into the loop-inconsistent state. The port is thus effectively blocking, preventing a loop from forming.
•Loop Guard can be configured globally, or on a specific port. Note that the corrective blocking action it performs is carried out on a per VLAN basis, not the entire port.
21Chapter 3
Protecting Spanning Tree Protocol: BPDU Filter
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Blk
S3(config-if)#spanning-tree bpdufilter enable | disableS3(config)#spanning-tree portfast bpdufilter default
•To prevent a port from sending or receiving BPDUs, use the BPDUfilter command.
•This effectively de-activates STP, so there is a potential to create switching loops if care is not exercised!
•BPDU filtering can be enabled either globally, or on a per-port basis – the operation of BPDUfilter is different, depending how it is activated
Root
Des
S4
Des
BPDU Filter
22Chapter 3
Protecting Spanning Tree Protocol: Unidirectional Link Detection (UDLD)
S3(config-if)# udld port aggressive S3(conf)#udld | enable | aggressive | message time
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Blk
Fibre Optic
•Cisco proprietary UDLD interactively monitors the status of a port, to ensure that it is operating bi-directionally.
•Switches send special layer 2 UDLD frames, identifying a switch port at regular intervals (15 seconds default).
•UDLD expects the neighbouring switch to echo these frames back across the same link, with the neighbouring switch port’s identification added.
•UDLD must be enabled on both sides of a link for this process to work.
UDLD
UDLD
23Chapter 3
Interface Fa0/1---Port enable administrative configuration setting: Enabled / in aggressive modePort enable operational state: Enabled / in aggressive modeCurrent bidirectional state: BidirectionalCurrent operational state: Advertisement - Single neighbor detectedMessage interval: 15Time out interval: 5
Entry 1 --- Expiration time: 33 Device ID: 1 Current neighbor state: Bidirectional Device name: FOC1330Y049 Port ID: Fa0/3 Neighbor echo 1 device: FDO1117Z17R Neighbor echo 1 port: Fa0/1
Message interval: 15 Time out interval: 5 CDP Device name: ALS1.cisco
Protecting Spanning Tree Protocol : Unidirectional Link Detection (UDLD)
Verification
24Chapter 3
Spanning Tree Protection
Root
Blocking
Forwarding
•Portfast•BPDU Guard•BPDU Filter
•UDLD
•UDLD
•UDLD
•UDLD
•UDLD•Loopguard•UDLD•Rootguard
•UDLD•Loopguard
• Portfast – rapid transition to forwarding state for access ports.• BPDU guard- protects portfast ports from creating loops.• Root Guard – controls which ports are eligible to participate in root election.• Unidirectional Link Detection (UDLD) – prevents links transitioning to forwarding state under unidirectional fault conditions.• Loopguard – prevents links transitioning to forwarding under unidirectional fault conditions if designated port still operational.
• Permissible Combinations on a Switch port:
1. Loop Guard & UDLD2. Root Guard & UDLD
•Not Permissible on a switch port:1. Root Guard & Loop Guard2. Root Guard & BPDU Guard
25Chapter 3
Cisco Storm Control
Fa0/1
S2
PC1172.17.10.21/24
(VLAN 10)
Fa0/11
Computer
PC2172.17.20.22/24
(VLAN 20)
Computer
PC3172.17.30.23/24
(VLAN 30)
Fa0/18
S3 S1Fa0/1
Fa0/6
Computer
Fa0/2 Fa0/2Fa0/3
Fa0/1
Fa0/4Fa0/3Fa0/4
Fa0/4
Fa0/2 Fa0/3
S1(config)# int range fa0/1 – 4S1(config-if-range)# storm-control broadcast level 50S1(config-if)# storm-control action shutdown
•Storm control manages how the receiving port handles broadcast traffic.
•Configures a threshold to drop broadcasts for a certain period of time or until the broadcast flow slows down.
•In addition, you can shut down the port or send a SNMP trap to an NMS.
S1#show interfaces accountingvlan10Protocol Pkts In Chars In Pkts Out Chars OutIP 16705943 1727686324 77739 26586738ARP 10594397 635663820 484 29040
26Chapter 3
VLAN 20 VLAN 10S1S3
S2
802.1D Spanning Tree Protocol - Common Spanning Tree (CST)
Des
Root Blk
Des Root
Des
•The IEEE 802.1Q standard specifies how VLANs are trunked between switches. 802.1Q specifies only a single instance of STP, that encompasses all VLANs on a trunk link.• This instance is referred to as the Common Spanning Tree (CST), and all CST BPDUs are transmitted over trunks using the native VLAN.•CST reduces switch CPU loading, but having only one STP instance can cause limitations too, as redundant links between switches will be blocked with no capability for load balancing.
Root
27Chapter 3
Per-VLAN spanning tree Protocol (PVST)
•Cisco developed PVST so that a network can run an STP instance for each VLAN in the network, using ISL trunking – this prevents operability with CST.•PVST+ supports both ISL and 802.1q trunking, so it can communicate with PVST and CST.•With PVST+, more than one trunk can block for a VLAN and load sharing can be implemented.
Root forVLAN 20
VLAN 20
Root forVLAN 10
VLAN 10
•VLAN 20 – Forwarding•VLAN 10 – Blocking/Alt
•VLAN 20 – Blocking/Alt•VLAN 10 - Forwarding
S1S3
S2
28Chapter 3
BID = Priority + VLAN ID + MAC Address
BID = 32768 + 10 + 000A.0033.333BID = 32778 000A.0033.333
Example:
PVST Bridge ID
29Chapter 3
Root forVLAN 20
VLAN 20
Root forVLAN 10
VLAN 10
•VLAN 20 – Forwarding•VLAN 10 - Blocking
•VLAN 20 – Blocking•VLAN 10 - Forwarding
Fa0/3 Fa0/2
S1S3
S2
PVST+ Configuration
S3(config)#spanning tree vlan 20 root primary•Automatically drops priority by 8192 to 24576 if the current root is set to default 32768. If current root is lower, will try and set priority lower by a 4096 step. If it can’t (if current root has a priority of ‘1’), then operation will fail.
S3(config)#spanning tree vlan 10 root secondary•No mechanism for distributing which switch has the second-lowest priority after the root, so this command just sets the priority to 28672 (4096 less than the default).
30Chapter 3
Root forVLAN 20
VLAN 20
Root forVLAN 10
VLAN 10
•VLAN 20 – Forwarding•VLAN 10 - Blocking
•VLAN 20 – Blocking•VLAN 10 - Forwarding
Fa0/3 Fa0/2
S1S3
S2
S3(config )#spanning tree vlan 20 priority 4096S3(config)#spanning tree vlan 10 priority 8192S1(config )#spanning tree vlan 10 priority 4096S1(config)#spanning tree vlan 20 priority 8192
PVST+ Configuration
31Chapter 3
IEEE 802.1w Rapid Spanning Tree Protocol
•The IEEE 802.1w standard was developed to use 802.1D’s principal concepts and make the resulting convergence much quicker – hence it is also know as Rapid Spanning Tree Protocol (RSTP).
•RSTP uses the same BPDU as 802.1D , but utilises some previously unused fields in the Message Type field, to perform RSTP functions. Version field is set to ‘2’.
•RSTP BPDUs are sent from every switch port at hello time intervals, regardless of whether BPDUs are received from the root, acting as a keepalive mechanism.
•When 3 consecutive BPDUs are missed, a neighbour is presumed to be down, and all information relating to that neighbour is aged out.
32Chapter 3
RSTP Port States
Operational Port
State
802.1D STP Port State
802.1w RSTP Port State
Enabled Blocking DiscardingEnabled Listening DiscardingEnabled Learning LearningEnabled Forwarding ForwardingDisabled Disabled Discarding
33Chapter 3
RSTP Port roles
Root
Alt
Root
Des
•Alternative port: switch port that offers an alternative path toward the root bridge. •The alternative port assumes a discarding state in a stable, active topology.•Backup port: additional switch port on the designated switch with a redundant link to the segment for which the switch is designated. •A backup port has a higher port ID than the designated port on the designated switch.• The backup port assumes the discarding state in a stable, active topology.
Des
Root
BackDes
34Chapter 3
RSTP Port Types STP Root
S1S3
S2
Des
Des
Root
RootAlt
Des
Edge
Edge
Edge
EdgeP2P
P2PP2P
•RSTP considers every switch port to be one of the following types:
1.Edge Port – a port at the ‘edge’ of the network, connecting to a single host, that transitions immediately to the forwarding state when activated.
2.Root Port – the port that has the best cost to the root of the STP instance.
3.Point-to-Point Port (P2P) – any port that connects to another switch and becomes a designated port (non-edge). A quick handshake with the neighbouring switch, rather than a timer expiration, decides the port state.
35Chapter 3
RSTP – Convergence
STP RootS1
S4S3
S2
Propose
Root
Des
Edge
Edge Edge
Agree
Root Root
Des DesDisc Disc
ProposeAgree
•For each non-edge port, the switch exchanges a proposal-agreement handshake to decide the state of each end of the link.
•Each switch assumes that its port should become the designated port for the segment, and a proposal message (confirmation BPDU) is sent to the neighbour suggesting this.
•If a port receives a superior BPDU from a neighbour, that port becomes the root port.
Propose
36Chapter 3
Fa0/8
S1 - RootS2
S3
Des
Des
Root
Root
Des
Alt
TC•When a topology change is detected, a switch must propagate news of the change to other switches in the network so that they can correct their CAM tables.
•BPDU’s, with their TC bit set, are sent out all non-edge designated ports. This is done until the TC timer (twice the hello interval) expires. •All neighbouring switches that receive the TC message must flush the MAC addresses learnt on all ports except the one that received the TC message.
RSTP Topology Changes
S4Des Root
TC
TC
37Chapter 3
PVST/PVST+/RPVST+ Issues
•As each instance of RPVST+ demands its own root and BPDUs, the processing overhead can be unnecessarily high if each VLAN has its own spanning tree.•This overhead is difficult to justify in topologies, with limited redundant paths.
Root forVLAN 1-500
VLAN 1 - 500
Root forVLAN 501 - 1001
VLAN 500 - 1001S1S3
S2
38Chapter 3
Multiple Spanning Tree (MST) 802.1s
•MST allows the configuration of exactly the number of STP instance that make sense for the enterprise network.
•MST allows the mapping of one or more VLANs to a single STP instance.
•Multiple MST instances can be used, with each instance supporting a different group of VLANs.
•Switches running MST are grouped in common MST regions, with each switch running compatible parameters.
39Chapter 3
Multiple Spanning Tree (MST)
• To provide this logical assignment of VLANs to spanning trees, each switch running MST in the network has a single MST configuration that consists of three attributes:
•An alphanumeric configuration name (32 bytes) •A configuration revision number (two bytes) •A 4096-element table that associates each of the potential 4096 VLANs supported on the chassis with a given instance
• To be part of a common MSTP region, a group of switches must share the same configuration attributes. It is up to the network administrator to properly propagate the configuration throughout the region.
• Cisco IOS supports a maximum of 16 MST instances.
40Chapter 3
MSTP Configuration
Root forVLAN 1-500
VLAN 1 - 500
Root forVLAN 501 - 1001
VLAN 501 - 1001
Fa0/3 Fa0/2
S1S3
S2
S1(config)#spanning-tree mst configS1(config-mst)#sh currentS1(config-mst)#instance 1 vlan 1-500S1(config-mst)#instance 2 vlan 501-1001S1(config-mst)#name REGION12S1(config-mst)#revision 1S1(config-mst)#sh pendingS1(config-mst)#exitS1(config)#spanning-tree mst 1 root secondaryS1(config)#spanning-tree mst 2 root primary
Verify:S1#sh spanning-tree mst configS1# sh spanning-tree mst 1S1# sh spanning-tree mst detail
Enable:S1(config)#spanning-tree mode mst
41Chapter 3
•FlexLinks are configured on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the FlexLink or backup link. •When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down. •At any given time, only one of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic.
FlexLinks
FlexLinks are configured only on the primary interface:
S1(config-if)#interface Gi1/1 S1(config-if)#switchport backup interface Gi1/2 May 2 09:04:14: %SPANTREE-SP-6-PORTDEL_ALL_VLANS: TenGigabitEthernet1/2 deleted from all Vlans May 2 09:04:14: %SPANTREE-SP-6-PORTDEL_ALL_VLANS: TenGigabitEthernet1/1 deleted from all Vlans S1#show interfaces switchport backup
Gi1/1
Gi1/2
S1
42Chapter 3
Chapter 3 - Implementing Spanning Tree
Objectives•Summarise how 802.1D STP works to eliminate Layer 2
loops in a converged network.•Explain the enhancements that can be used to optimise
and protect STP.•Describe the operation of per-VLAN STP•Describe the operation of 802.1w Rapid STP.•Describe the operation of 802.1s Multiple STP.•Implement rapid per VLAN (RSTP) and Multiple STP
spanning tree (rapid PVST+) in a LAN to prevent switching loops.
43Chapter 3
AnyQuestions?