
Spanning Tree Versions

  • 802.1D - original specification
    • Good for learning, a single spanning tree is used.
    • Often called Common Spanning Tree (CST) and STP.
  • Per-VLAN Spanning Tree (PVST)
    • Uses the Cisco proprietary ISL trunking protocol.
      • Inter-Switch Link (ISL) - a way of tagging like 802.1Q.
    • Each VLAN has an instance of spanning tree.
    • Ability to load balance traffic at L2.
    • Includes extensions BackboneFast, UplinkFast, and PortFast.
  • Per-VLAN Spanning Tree Plus (PVST+)
    • Supports ISL and IEEE 802.1Q trunking.
    • Supports Cisco proprietary STP extensions.
    • Adds BPDU guard and root guard enhancements.
    • Root switch selection is done for each VLAN.
    • Generally unusable in mixed vendor environments.
  • 802.1W Rapid Per-VLAN Spanning Tree Plus (RPVST+)
    • Has faster convergence than 802.1D.
    • Root switch selection is done for each VLAN.
    • Use RPVST+ if STP is required since it provides for faster convergence than traditional 802.1D default timers.
  • 802.1W Rapid Spanning Tree Protocol (RSTP)
    • Introduced in 1982 and provides faster convergence than 802.1D.
    • The replacement for CST/STP (IEEE 802.1D), which also provides backwards compatibility.
    • Implements generic versions of the Cisco-proprietary STP extensions.
    • IEEE has incorporated RSTP into 802.1D, identifying the specification as IEEE 802.1D-2004.
  • 802.1S Multiple Spanning Tree (MST)
    • Inspired by Cisco's Multiple Instances Spanning Tree Protocol (MISTP).
    • IEEE 802.1Q (2003) now includes MST.
    • Multiple VLANs can be mapped to the same spanning-tree instance.
    • Root switch selection is based on instances.
    • Generally unusable in mixed vendor environments.

| Name        | Based on STP or RSTP? | # Trees    | Original IEEE Standard | Config Parameter |
|-------------|-----------------------|------------|------------------------|------------------|
| STP         | STP                   | 1 (CST)    | 802.1D                 | N/A              |
| PVST+       | STP                   | 1/VLAN     | 802.1D                 | pvst             |
| RSTP        | RSTP                  | 1 (CST)    | 802.1w                 | N/A              |
| Rapid PVST+ | RSTP                  | 1/VLAN     | 802.1w                 | rapid-pvst       |
| MSTP        | RSTP                  | 1 or more* | 802.1s                 | mst              |

Spanning Tree Protocol (STP)

Info
STP ensures a loop-free topology (thus allowing for redundant links) with only one active path between all destinations on the network at any one time.

Without STP, redundancy in the switched network, albeit useful for network reliability, would introduce the following LAN issues:

| Problem                     | Description |
|-----------------------------|-------------|
| Broadcast storms            | Each switch floods broadcasts endlessly. |
| Multiple frame transmission | Multiple copies of one frame are delivered to the intended host, confusing the host. |
| MAC database instability    | Incorrect entries in the MAC address table result from copies of the same frame being received on different ports of the switch. |

Since L2 does not have a “Time To Live” field like L3, the frame will never be discarded if there is a physical or logical loop in a network.

Figure: Broadcast storm issue

Tip

STP creates a spanning tree of interfaces that forward frames. The tree structure of forwarding interfaces creates a single path to and from each Ethernet link.

Switches exchange messages to detect loops (which are removed by shutting down selected switch ports), preventing frames from circling the network forever.

If any network segment experiences a disruption in connectivity, STP rebuilds a new tree by activating (unblocking) the previously inactive, but redundant, path.

Spanning-Tree Algorithm (STA)

Info
Algorithm used by STP to create a spanning tree.
  • A single switch is designated as the root switch and is used as the reference point for all subsequent calculations.
    • Root Switch/Bridge is the upstream switch, all of whose active interfaces are in a forwarding state and are categorised as a Designated Port.
      • STP was created before LAN switches even existed, when LAN bridges were used to connect LANs. Since switches now play the same role as bridges, the terms bridge and switch are used synonymously when discussing STP.
    • Spanning Tree Algorithm (STA) is how STP chooses the forwarding interfaces that should be placed into a forwarding state.
  • A Bridge Protocol Data Unit (BPDU), or configuration BPDU, is a frame containing STP information exchanged by switches using STP.
    • The most common BPDU is a Hello BPDU which contains:
      1. Root BID - The BID of the sender of this Hello, currently believed to be the root switch.
      2. Sender’s BID - The BID of the switch sending this Hello BPDU.
      3. Sender’s root cost - The root cost between this switch and the current root.
      4. Timer values on the root switch - Includes the Hello timer, MaxAge timer, and forward delay timer.
    • The root switch sends periodic Hello BPDUs (default, 2 seconds).
    • Each configuration BPDU contains a bridge ID (BID) that identifies the switch that sent the BPDU. The switch with the lowest BID becomes the root switch.
      • Bridge ID (BID) - an 8-byte value unique to each switch: a 2-byte priority field and a 6-byte system ID (burned-in address).
        1. Priority - [configurable] - increments in blocks of 4096, from 0 up to 61440 (default, 32768).
        2. System ID - [not configurable] - unique amongst all switches, ensuring a unique BID.
      • Extended System ID - a 12-bit field borrowed from the priority field to identify the VLAN ID held in this BPDU.
  • Root election process - The switch with the lowest bridge priority or (if that ties) the lowest numerical MAC address becomes the root bridge.
    • The process begins with all switches claiming to be the root by sending Hello BPDUs listing their own BID as the root BID. If a switch hears a Hello that lists a better (lower) BID, it stops advertising itself as root and starts forwarding the superior Hello.
    • You can manually lower the bridge priority value of the switch that you want to be the STP root.
  • After the root switch has been determined, the STA elects a root port on every nonroot switch by calculating the least-cost path to the root switch.
    • Root Port (RP) is the port closest to the root switch and is in a forwarding state.
      • There should only be one root port per VLAN on a switch.
    • The root cost is the sum of all STP costs for all ports out which a frame will exit if it flows over that path to reach the root.
      • When a switch receives a BPDU, it adds the ingress port cost of the segment to determine its internal root path cost.
      • If a switch has multiple equal-cost paths to the root switch, the switch will determine a port using the following tiebreakers, in order:
        1. The lowest BID
        2. The lowest interface STP priority (default, 128)
        3. The lowest internal interface number (e.g., F0/1, F0/2, F0/3)
          • Default port costs can be found at 🔗. These can be changed manually per port.
      • The last two tiebreakers are unlikely to matter today; they apply when a single switch connects two or more of its interfaces to the same collision domain (for example, through a hub), so that the one switch hears its own BPDUs.
  • After all switches have their root ports elected, the other switch ports are then configured into different port roles. The port roles describe their relation in the network to the root switch and whether they are allowed to forward traffic.
  1. Designated Port (DP) - an active port that is in a forwarding state and thus permitted to receive and forward BPDU frames to other switches.
    • DPs provide connectivity to downstream devices and switches.
    • There should be only one active DP on a link to another switch.
  2. Non-Designated Port - an active port that is blocked from forwarding traffic due to STP calculations.
    • Non-designated ports are neither an RP nor a DP.

Step 1 - Electing Root Switch

The first step with STP is to identify the root switch. As a switch initialises, it assumes that it is the root switch and uses the local bridge identifier as the root switch identifier.

It then listens to its neighbour’s configuration BPDU and does the following:

  • If the neighbour’s configuration BPDU is inferior to its own BPDU, the switch ignores that BPDU.
  • If the neighbour’s configuration BPDU is preferred to its own BPDU, the switch updates its BPDUs to include the new root switch identifier along with a new root path cost that correlates to the total path cost to reach the new root bridge.
  • This process continues until all switches in a topology have identified the root switch.
  • STP prefers the lower priority number, then the lower MAC address.

Figure: CST Step 1

Step 2 - Electing Root Ports

Once the Root Switch is found, the switch must determine its Root Port. The RP is selected using the following logic:

  1. The interface associated with the lowest path cost is preferred.
  2. The interface associated with the lowest system priority of the advertising switch is preferred next.
  3. The interface associated with the lowest system MAC address of the advertising switch is preferred next.
  4. When multiple links are associated with the same switch, the lowest port priority from the advertising switch is preferred.
  5. When multiple links are associated with the same switch, the lower port number from the advertising switch is preferred.

Figure: CST Step 2

Step 3 - Electing Designated Ports

Figure: CST Step 3

Step 4 - Electing Non-Designated Ports

The RPs have been identified and all other ports are considered designated ports. If two non-root switches are connected to each other on their designated ports, one port must be set to a blocking state to prevent a forwarding loop.

Calculate which ports should be blocked between two non-root switches:

  1. The interface is a designated port and must not be considered an RP.
  2. The switch with the lower path cost to the root switch forwards, and the one with the higher path cost blocks. If they tie, they move on to the next step.
  3. The system priority of the local switch is compared to the system priority of the remote switch. The local port is moved to a blocking state if the remote system priority is lower than that of the local switch. If they tie, they move on to the next step.
  4. The system MAC address of the local switch is compared to the system MAC address of the remote switch. The local designated port is moved to a blocking state if the remote system MAC address is lower than that of the local switch. If the links are connected to the same switch, they move on to the next step.

Figure: CST Step 4
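The root election, root-port selection and designated/blocked port decisions described in the Spanning-Tree Algorithm section and in Steps 1 to 4 above, carried out on a small constructed topology. This is an added Python example, not code from the original page: the switch names, MAC addresses, port numbers and link speeds are made up, and the port costs are the short-mode values from the page's port-cost table. Each non-root switch repeatedly re-evaluates the best Hello it could hear from each neighbour until nothing changes, which is how the distributed protocol converges.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default short-mode port costs from the page's port-cost table (link speed in Mbps -> cost).
SHORT_MODE_COST = {10: 100, 100: 19, 1000: 4, 10000: 2, 20000: 1}
DEFAULT_PORT_PRIORITY = 128
BID = Tuple[int, str]  # (bridge priority, burned-in MAC)


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    number: int        # internal interface number, the last tiebreaker
    speed_mbps: int
    priority: int = DEFAULT_PORT_PRIORITY

    @property
    def cost(self) -> int:
        return SHORT_MODE_COST[self.speed_mbps]

    @property
    def port_id(self) -> Tuple[int, int]:
        return (self.priority, self.number)


def bid_key(bid: BID) -> Tuple[int, int]:
    """Lower BID wins: bridge priority first, then the MAC address numerically."""
    priority, mac = bid
    return (priority, int(mac.replace(".", ""), 16))


def run_sta(bids: Dict[str, BID], links: List[Tuple[Port, Port]]):
    """Return (root switch, root cost per switch, role per (switch, port name))."""
    # Step 1: the lowest BID is the root switch.
    root = min(bids, key=lambda sw: bid_key(bids[sw]))
    neighbours: Dict[str, List[Tuple[Port, Port]]] = {sw: [] for sw in bids}
    for a, b in links:
        neighbours[a.switch].append((a, b))
        neighbours[b.switch].append((b, a))
    INF = float("inf")
    root_cost = {sw: (0 if sw == root else INF) for sw in bids}
    root_port: Dict[str, Port] = {}
    # Step 2: every non-root switch re-evaluates the Hellos it hears until nothing changes.
    changed = True
    while changed:
        changed = False
        for sw in bids:
            if sw == root:
                continue
            best = None
            for local, remote in neighbours[sw]:
                if root_cost[remote.switch] == INF:
                    continue  # this neighbour has not heard from the root yet
                # Candidate = sender's root cost + ingress port cost, then the page's tiebreakers:
                # sender BID, sender port ID (priority, number), local port ID.
                cand = (root_cost[remote.switch] + local.cost, bid_key(bids[remote.switch]),
                        remote.port_id, local.port_id)
                if best is None or cand < best[0]:
                    best = (cand, local)
            if best and (root_cost[sw] != best[0][0] or root_port.get(sw) != best[1]):
                root_cost[sw], root_port[sw] = best[0][0], best[1]
                changed = True
    # Steps 3 and 4: on each link the end advertising the lower (root cost, BID, port ID)
    # is the designated port; the other end is either that switch's root port or is blocked.
    roles: Dict[Tuple[str, str], str] = {}
    for a, b in links:
        key = lambda p: (root_cost[p.switch], bid_key(bids[p.switch]), p.port_id)
        dp, other = (a, b) if key(a) < key(b) else (b, a)
        roles[(dp.switch, dp.name)] = "designated"
        roles[(other.switch, other.name)] = "root" if root_port.get(other.switch) == other else "blocked"
    return root, root_cost, roles


def example_topology():
    """Constructed four-switch topology; SW3 wins the election on priority despite the highest MAC."""
    bids = {
        "SW1": (32768, "0200.0000.0001"),
        "SW2": (32768, "0200.0000.0002"),
        "SW3": (24576, "0200.0000.00ff"),
        "SW4": (32768, "0200.0000.0004"),
    }
    links = [
        (Port("SW3", "Gi0/1", 1, 1000), Port("SW1", "Gi0/1", 1, 1000)),
        (Port("SW3", "Gi0/2", 2, 1000), Port("SW2", "Gi0/1", 1, 1000)),
        (Port("SW1", "Gi0/2", 2, 1000), Port("SW2", "Gi0/2", 2, 1000)),  # one end of this link must block
        (Port("SW1", "Fa0/3", 3, 100), Port("SW4", "Fa0/1", 1, 100)),    # SW4 has two equal-cost paths
        (Port("SW2", "Fa0/3", 3, 100), Port("SW4", "Fa0/2", 2, 100)),    # to the root: sender BID decides
    ]
    return bids, links


if __name__ == "__main__":
    root, costs, roles = run_sta(*example_topology())
    print(f"root: {root}")
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: root cost {costs[sw]}, role {role}")
```

On this topology SW3 becomes root, SW1 and SW2 each reach it at cost 4, SW4 reaches it at cost 23 and picks Fa0/1 because SW1 has the lower sender BID, and the two redundant links (SW1-SW2 and SW2-SW4) are blocked on the SW2 Gi0/2 and SW4 Fa0/2 ends.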

Port Cost

Info
Port costs also have default values, per port, per VLAN. To favour one link, give the ports on that link a lower cost, or to avoid a link, give the ports a higher cost.

| Link Speed | IEEE 802.1D Standard (Short-mode) | Latest IEEE Standard (Long-mode) |
|------------|-----------------------------------|----------------------------------|
| 10 Mbps    | 100                               | 2,000,000                        |
| 100 Mbps   | 19                                | 200,000                          |
| 1 Gbps     | 4                                 | 20,000                           |
| 10 Gbps    | 2                                 | 2,000                            |
| 20 Gbps    | 1                                 | 1,000                            |
| 100 Gbps   | N/A                               | 200                              |
| 1 Tbps     | N/A                               | 20                               |
| 10 Tbps    | N/A                               | 2                                |

  • The interface STP cost was originally stored as a 16-bit value, called short mode, with a reference value of 20 Gbps.
    • This is the default mode.
  • Another method, called long mode, uses a 32-bit value and uses a reference speed of 20 Tbps.
Info
To configure the default mode:
Switch(config)# spanning-tree pathcost method <long / short>

STP Port States

Every port on a switch running STP is in one of the following five states:

| Port State | Description | Learns MACs based on Received Frames? | Forwards Data Frames? | Transitory or Stable State? |
|------------|-------------|---------------------------------------|-----------------------|-----------------------------|
| Disabled   | The port is administratively disabled and does not participate in STP | No | No | Stable |
| Blocking   | The port is enabled, listening for BPDUs but not forwarding any traffic | No | No | Stable |
| Listening  | The port is sending and receiving BPDUs and determines the best path to the root bridge, also removing old stale (unused) MAC table entries | No | No | Transitory |
| Learning   | The port is learning the MAC addresses of the devices connected to it and populating the MAC address table, but does not forward any traffic | Yes | No | Transitory |
| Forwarding | The port is forwarding traffic normally and participating in STP convergence | Yes | Yes | Stable |

Figure: STP port states

STP Port Types

| Port Type            | Description |
|----------------------|-------------|
| Point-to-point (P2P) | This port type connects with another network device (PC or RSTP switch). |
| P2P edge             | This port type specifies that PortFast is enabled on this port. |

STP Convergence

Info
The complete and functional STP process.
  1. All root and designated ports are in a forwarding state and all other active ports are in a blocking state.
  2. The switches collectively realise that something has changed in the LAN topology and dynamically determine whether they need to change which ports block and which ports forward.

STP Timers

Info
STP convergence requires 3 timers: Hello, Forward Delay, and Max Age; timers must be configured on the root switch.

| Timer         | Default Value  | Description |
|---------------|----------------|-------------|
| Hello         | 2 seconds      | Interval between Hello BPDUs sent by the root |
| MaxAge        | 10 times Hello | How long any switch should wait, after ceasing to hear Hellos, before trying to change the STP topology |
| Forward Delay | 15 seconds     | Time that is spent in the listening and learning states, which delays the process that occurs when an interface changes from blocking state to forwarding state |

STP Topology Changes

BPDUs always flow from the root switch towards the edge switches, unless there are changes in the topology.

  • The switch that detects a link status change sends a Topology Change Notification (TCN) BPDU out of its RP to the root switch.
  • If an upstream switch receives the TCN, it sends out an acknowledgement and forwards the TCN out its RP to the root switch.
  • Upon receipt of the TCN, the root switch creates a new configuration BPDU with the Topology Change flag set, and it is then flooded to all the switches.
  • When switches receive this, they set their MAC address timer to a default of 15 seconds. The device then flushes a MAC table entry if it has not heard from that device in the last 15 seconds.
  • TCNs are generated on a VLAN basis, so the impact of TCNs directly correlates to the number of hosts in a VLAN.

Per-VLAN Spanning Tree Plus (PVST+)

Info
PVST+ allows each VLAN to have its own independent spanning tree, thereby making better use of available links in the network.
  • A drawback to PVST+ is that there is solely one instance of PVST+ running for each VLAN in the network, regardless of whether there are different spanning-tree topologies required. This presents the potential for overwhelming the switch CPU and memory.
  • Additionally, Cisco switches support a finite number of PVST+ instances. If more VLANs are created than there are PVST+ instances supported on a particular switch, some of the VLANs will not have any STP running and therefore have no switching-loop protection.
  • Rapid Per-VLAN Spanning Tree Plus (RPVST+) is the Cisco implementation of RSTP on a per-VLAN basis.
    • Each VLAN runs an independent spanning tree instance of RSTP.
    • The number of VLANs = the number of root switches existing in the topology
  • To identify which VLAN is described by a BPDU:
    1. List the VLAN ID in the System ID Extension field of the BPDU
    2. Add the VLAN ID in an extra TLV field in the BPDU
    3. Add a VLAN tag when forwarding a BPDU over VLAN trunks
  • The receiving switch can check all three locations that list the VLAN ID to ensure that they all agree about what VLAN the BPDU is describing.

Rapid Spanning Tree Protocol (RSTP)

Info
RSTP is the improved and advanced version of STP to accommodate advancements in hardware and software capabilities.
  • Most parameters have been left unchanged, meaning anyone who has configured STP before can easily configure RSTP.
  • RSTP increases recalculation speed and also reaches convergence faster.
  • If a port is configured to be an alternate port, it can immediately change to a forwarding state without waiting for the network to converge.

RSTP Port States

  1. Discarding
  2. Learning
  3. Forwarding

RSTP Port Roles

| Port Role            | Description |
|----------------------|-------------|
| Root Port (RP)       | Port that begins a nonroot switch's best path to the root |
| Alternate Port       | Port that replaces the RP when the RP fails |
| Designated Port (DP) | Port that is designated to forward onto a collision domain |
| Backup Port          | Port that replaces a DP when the DP fails |
| Disabled Port        | Port that is administratively disabled |

  • Alternate and Backup are two additional port roles for blocked ports.
  • Backup ports apply only to designs that use hubs, so they are unlikely to be useful today.

Figure: RSTP

STP versus RSTP

Similarities

  • RSTP and STP elect the root switch using the same rules and tiebreakers.
  • RSTP and STP switches select their root ports with the same rules.
  • RSTP and STP elect designated ports on each LAN segment with the same rules and tiebreakers.
  • RSTP and STP place each port in either forwarding or blocking state, although RSTP calls the blocking state the discarding state.

Differences

  • RSTP adds a mechanism by which a switch can replace its RP, without any waiting to reach a forwarding state (in some conditions).
  • RSTP adds a new mechanism to replace a DP, without any waiting to reach a forwarding state (in some conditions).
  • RSTP lowers waiting times for cases in which RSTP must wait for a timer.

Comparing Port States

| Function | STP State | RSTP State |
|----------|-----------|------------|
| Port is administratively disabled | Disabled | Discarding |
| Stable state that ignores incoming data frames and is not used to forward data frames | Blocking | Discarding |
| Interim state without MAC learning and without forwarding | Listening | Not used |
| Interim state with MAC learning and without forwarding | Learning | Learning |
| Stable state that allows MAC learning and forwarding of data frames | Forwarding | Forwarding |

Multiple Spanning Tree (MST)

Info
MST allows network engineers to reduce the load of the spanning-tree protocol while still providing unique spanning-tree topologies for groups of VLANs.

Configuring and Verifying BID

Regardless of which per-VLAN Spanning Tree variant is used, two main configuration options can be used to achieve load balancing:

  1. Bridge ID - The bridge ID influences the choice of root switch and can be configured per VLAN.
  2. Port cost - Each interface’s (per-VLAN) STP cost to reach the root influences the choice of designated port on each LAN segment.

Because PVST requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information. This is accomplished by reusing a portion of the Priority field as the extended system ID to carry a VID.

STP defaults and configurations options:

| Setting        | Default | Command(s) to Change Default |
|----------------|---------|------------------------------|
| Bridge ID      | Priority: 32,768 + VLAN ID; System: a burned-in MAC on the switch | spanning-tree vlan vlan_# root <primary / secondary>; spanning-tree vlan vlan_# priority priority_# |
| Interface cost | 100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps | spanning-tree vlan vlan_# cost cost |
  • The primary keyword sets the priority to 24576 or to the next 4096 increment value below the lowest bridge priority detected on the network.
  • The secondary keyword sets the priority to 28672, assuming the rest of the network is set to the default priority of 32768.
  • Alternatively, a specific priority value can be configured directly; however, the priority value must be in increments of 4096 between 0 and 65536.
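The Hello BPDU contents listed under the Spanning-Tree Algorithm section, the 8-byte BID with its extended system ID, and this section's point about reusing part of the priority field to carry the VLAN ID can be seen concretely by encoding and decoding a configuration BPDU. This is an added Python example, not code from the original page: it uses the 35-byte 802.1D configuration BPDU layout (timers carried in 1/256-second units, port ID split 4/12 bits as in 802.1t), and the MAC addresses, VLAN and costs in the constructed sample are made up.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU body: protocol ID, version, type, flags, root ID, root path cost,
# bridge ID, port ID, message age, max age, hello time, forward delay (35 bytes, big-endian).
_CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80


@dataclass(frozen=True)
class BridgeID:
    priority: int  # upper 4 bits of the 2-byte field, so always a multiple of 4096
    vlan: int      # lower 12 bits: the extended system ID carrying the VLAN ID
    mac: str       # 6-byte burned-in address in Cisco dotted form

    @classmethod
    def parse(cls, raw: bytes) -> "BridgeID":
        field, = struct.unpack("!H", raw[:2])
        return cls((field >> 12) * 4096, field & 0x0FFF, raw[2:8].hex(".", 2))

    def pack(self) -> bytes:
        # Only 4 bits remain for the priority once 12 bits carry the VLAN ID.
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
        if not 0 <= self.vlan <= 4095:
            raise ValueError("extended system ID is a 12-bit field")
        return struct.pack("!H", self.priority | self.vlan) + bytes.fromhex(self.mac.replace(".", ""))

    @property
    def shown_priority(self) -> int:
        """The value `show spanning-tree` displays: configured priority + VLAN ID."""
        return self.priority + self.vlan

    def sort_key(self):
        """Lower is better in the root election: priority field first, then the MAC numerically."""
        return (self.priority | self.vlan, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class ConfigBPDU:
    version: int
    root: BridgeID          # BID the sender currently believes is the root
    root_path_cost: int     # sender's cost to reach that root
    sender: BridgeID        # BID of the switch that sent this Hello
    port_priority: int
    port_number: int
    message_age: float      # seconds
    max_age: float
    hello_time: float
    forward_delay: float
    topology_change: bool
    tc_ack: bool


def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    if len(payload) < _CONFIG_BPDU.size:
        raise ValueError("BPDU too short")
    (proto, version, btype, flags, root, cost, sender, port_id,
     msg_age, max_age, hello, fwd) = _CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or btype != TYPE_CONFIG:
        raise ValueError(f"not a configuration BPDU (proto={proto}, type={btype:#x})")
    return ConfigBPDU(
        version=version, root=BridgeID.parse(root), root_path_cost=cost, sender=BridgeID.parse(sender),
        port_priority=(port_id >> 12) * 16, port_number=port_id & 0x0FFF,
        message_age=msg_age / 256, max_age=max_age / 256, hello_time=hello / 256, forward_delay=fwd / 256,
        topology_change=bool(flags & 0x01), tc_ack=bool(flags & 0x80))


def build_config_bpdu(root: BridgeID, root_cost: int, sender: BridgeID, port_priority: int, port_number: int,
                      hello: float = 2, max_age: float = 20, fwd_delay: float = 15,
                      message_age: float = 0, topology_change: bool = False) -> bytes:
    """Encode a Hello (configuration) BPDU with the root's timers in 1/256-second units."""
    port_id = ((port_priority // 16) << 12) | port_number
    flags = 0x01 if topology_change else 0
    return _CONFIG_BPDU.pack(0, 0, TYPE_CONFIG, flags, root.pack(), root_cost, sender.pack(), port_id,
                             int(message_age * 256), int(max_age * 256), int(hello * 256), int(fwd_delay * 256))


# Constructed sample: a VLAN 10 switch relaying a Hello that names another switch as root at cost 4.
SAMPLE_ROOT = BridgeID(32768, 10, "0200.0000.0001")
SAMPLE_SENDER = BridgeID(32768, 10, "0200.0000.0002")
SAMPLE_BPDU = build_config_bpdu(SAMPLE_ROOT, 4, SAMPLE_SENDER, port_priority=128, port_number=2, message_age=1)

if __name__ == "__main__":
    print(parse_config_bpdu(SAMPLE_BPDU))
```

Decoding the sample shows why the priority seen in `show spanning-tree` is 32778 for VLAN 10 rather than 32768: the VLAN ID sits in the low 12 bits of the same 2-byte field, which also explains why configured priorities must be multiples of 4096.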

Cisco STP Toolkit

Cisco recommends that you design for the use of the Cisco STP Toolkit to enhance the performance of IEEE 802.1D STP on your network.

| Mechanism    | Improves STP Performance or Stability? | Description |
|--------------|----------------------------------------|-------------|
| PortFast     | STP performance | Bypasses listening-learning phases to transition directly to the forwarding state |
| UplinkFast   | STP performance | Enables fast uplink failover on an access switch |
| BackboneFast | STP performance | Enables fast convergence in distribution and core layers when STP changes occur |
| Loop Guard   | STP stability   | Prevents an alternate or root port from being the designated port in the absence of bridge protocol data units (BPDUs) |
| Root Guard   | STP stability   | Prevents external switches from becoming the root of the STP tree |
| BPDU Guard   | STP stability   | Disables a PortFast-enabled port if a BPDU is received |
| BPDU Filter  | STP stability   | Suppresses BPDUs on ports |

EtherChannel

Note
Read more at 🔗

One of the best ways to lower STP’s convergence time is to avoid convergence altogether. EtherChannel provides a way to prevent STP convergence from being needed when only a single port or cable failure occurs.

Info
The switches treat the EtherChannel as a single interface with regard to STP. As a result, if one of the links fails, but at least one of the links is up, STP convergence does not have to occur.

PortFast

Info
PortFast speeds up convergence for access ports when they become active by allowing a switch to immediately transition from blocking to forwarding, bypassing the listening and learning states.

Ports connected to non-switch, non-bridge, or non-hub devices, such as PCs, servers, and routers, should be configured with PortFast. However, make sure that PortFast is not enabled on a port connected to another L2 switch, since this might inadvertently create an L2 loop, which will cause broadcast storms and the mislearning of MAC address information.

BPDU Guard

Info
The Cisco BPDU Guard feature helps defeat possible security exposures by disabling a port if any BPDUs are received on the port. Thus, this feature is particularly useful on ports that should be used only as an access port and never connected to another switch.
  • Security exposures may include:
    • An attacker could connect a switch to one of these ports, one with a low STP/RSTP priority value, and become the root switch. The new STP/RSTP topology could have worse performance than the desired topology.
    • The attacker could plug into multiple ports, into multiple switches, become root, and actually forward much of the traffic in the LAN. Without the networking staff realising it, the attacker could use a LAN analyser to copy large numbers of data frames sent through the LAN.
    • Users could innocently harm the LAN when they buy and connect an inexpensive consumer LAN switch (one that does not use STP/RSTP). Such a switch, without any STP/RSTP function, would not choose to block any ports and could cause a loop.
  • In addition, the BPDU Guard feature helps prevent problems with PortFast. PortFast should be enabled only on access ports that connect to user devices, not to other LAN switches. Using BPDU Guard on these same ports makes sense because if another switch connects to such a port, the local switch can disable the port before a loop is created.
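How BPDU Guard, Root Guard and Loop Guard from the STP Toolkit table each react to the situations this section describes (a switch appearing on an access port, a better root claim arriving on the wrong side of the network, BPDUs going silent on a redundant uplink), modelled as an added Python example. It is not code from the original page or from Cisco: the port names, BIDs, guard semantics and the 20-second MaxAge are a constructed simplification of the behaviour the page describes, and the returned log lines are the kind of evidence a defender would want when reviewing why a port went down.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

RootKey = Tuple[int, int]  # (priority field incl. VLAN ID, MAC as an integer); lower is better


@dataclass
class Port:
    name: str
    role: str                  # "root", "alternate" or "designated"
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"
    silence: float = 0.0       # seconds since the last BPDU was heard on this port


class GuardedSwitch:
    """Constructed model of how the page's STP Toolkit guards react to BPDU events."""

    def __init__(self, believed_root: RootKey, max_age: float = 20.0):
        self.believed_root = believed_root
        self.max_age = max_age
        self.ports: Dict[str, Port] = {}
        self.log: List[str] = []

    def add_port(self, port: Port) -> None:
        # Alternate ports start blocked; root and designated ports forward.
        port.state = "blocking" if port.role == "alternate" else "forwarding"
        self.ports[port.name] = port

    def receive_bpdu(self, name: str, advertised_root: RootKey) -> str:
        p = self.ports[name]
        p.silence = 0.0
        if p.state == "err-disabled":
            return p.state  # needs administrative recovery, so nothing more is processed
        if p.bpdu_guard:
            # Any BPDU on a guarded access port means a switch was plugged in where none belongs.
            p.state = "err-disabled"
            self.log.append(f"{name}: BPDU received on a BPDU Guard port -> err-disabled")
        elif p.root_guard and advertised_root < self.believed_root:
            # A better root claim from the wrong side of the network: block rather than re-root.
            p.state = "root-inconsistent"
            self.log.append(f"{name}: superior BPDU claiming root {advertised_root} -> root-inconsistent")
        return p.state

    def tick(self, seconds: float) -> None:
        """Advance time. A root or alternate port that hears nothing for MaxAge would normally
        assume it is now designated and start forwarding; Loop Guard holds it instead."""
        for p in self.ports.values():
            if p.state == "err-disabled":
                continue
            p.silence += seconds
            if p.silence <= self.max_age:
                continue
            if p.state == "root-inconsistent":
                p.state = "forwarding"  # superior BPDUs stopped, so root guard releases the port
                self.log.append(f"{p.name}: no superior BPDUs for MaxAge -> root guard released")
            elif p.role in ("root", "alternate") and p.state != "loop-inconsistent":
                if p.loop_guard:
                    p.state = "loop-inconsistent"
                    self.log.append(f"{p.name}: MaxAge expired without BPDUs -> loop-inconsistent")
                elif p.state != "forwarding":
                    p.state = "forwarding"
                    self.log.append(f"{p.name}: MaxAge expired without BPDUs -> forwarding (possible loop)")


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Constructed scenario: the believed root has priority 32768 + VLAN 1 and MAC 0200.0000.0001."""
    sw = GuardedSwitch(believed_root=(32769, 0x020000000001))
    sw.add_port(Port("Gi0/1", "designated", portfast=True, bpdu_guard=True))  # user-facing access port
    sw.add_port(Port("Gi0/2", "designated", root_guard=True))                 # link toward another admin domain
    sw.add_port(Port("Gi0/3", "alternate", loop_guard=True))                  # redundant uplink, guarded
    sw.add_port(Port("Gi0/4", "alternate"))                                   # redundant uplink, unguarded
    sw.receive_bpdu("Gi0/3", sw.believed_root)   # normal Hellos from the real root...
    sw.receive_bpdu("Gi0/4", sw.believed_root)
    sw.tick(21)                                  # ...then silence for longer than MaxAge (20 s)
    sw.receive_bpdu("Gi0/1", (32769, 0x020000000009))  # a switch shows up on an access port
    sw.receive_bpdu("Gi0/2", (4097, 0x0200000000ee))   # priority 4096 root claim from outside
    return {n: p.state for n, p in sw.ports.items()}, sw.log


if __name__ == "__main__":
    states, log = demo()
    print(states)
    print("\n".join(log))
```

The unguarded alternate port Gi0/4 is the instructive case: once it stops hearing BPDUs it starts forwarding, which is exactly the loop a unidirectional link or a consumer switch without STP can cause, while the loop-guarded Gi0/3 stays down until BPDUs return.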

Configuration

Configure a specific access port (per interface):

| Task | IOS Command |
|------|-------------|
| Select an interface (port) to configure | Switch(config)# interface interface_# |
| Configure that port as an access port | Switch(config-if)# switchport mode access |
| Enable PortFast on the access port | Switch(config-if)# spanning-tree portfast |
| Verify the PortFast status | Switch# show spanning-tree interface interface_# portfast |

Configure all access ports (globally):

| Task | IOS Command |
|------|-------------|
| Enable PortFast globally on all access ports | Switch(config)# spanning-tree portfast default |
| Enable BPDU Guard globally on all access ports | Switch(config)# spanning-tree portfast bpduguard default |
| Enable PortFast on trunk ports | Switch(config)# spanning-tree portfast trunk |

Troubleshooting STP

STP runs by default on switches and rarely causes problems in small- to medium-sized networks. However, if encountering STP problems, use the following steps to analyse:

  1. Determine the root switch.
  2. For each non-root switch, determine its one root port (RP) and cost to reach the root switch through that RP.
  3. For each segment, determine the designated port (DP) and the cost advertised by the DP onto that segment.

Troubleshooting commands:

| Task | IOS Command |
|------|-------------|
| Report on active interfaces only | Switch# show spanning-tree active |
| Provide a summary of connected spanning tree ports by VLAN | Switch# show spanning-tree summary |
| Show detailed information | Switch# show spanning-tree detail |
| Show the current state of the spanning tree for this VLAN ID | Switch# show spanning-tree vlan vlan_id(s) |
| Turn on debugging for STP if having problems identifying what is causing the loop | Switch# debug spanning-tree events |