I think the administrator of a smaller network doesn't even need to know exactly how STP works (although it is always better to), but it is important to know what a loop can cause in a network and that STP can be used against it. My description does not go into full detail; more detailed information is easy to find, e.g. directly at Cisco. This description covers STP in general (say, according to the IEEE 802.1d standard) and the configuration of its Cisco variant, PVSTP. If practice allows, it is better to use the newer Rapid STP or Multiple STP, which I will cover in the next part.
Loops in the Network
For a typical Ethernet network, a star topology is used. This is a tree structure where there is only one path between each element. A simple example is shown in the following image along with the communication path from PC 1 to PC 2.
However, if we connect Switch 1 and 2, a loop is created, and there will be more than one path between the stations.
Loop Problems
Loops can cause several problems:
- Broadcast storms - broadcasts multiply until they reach a critical amount
- Connectivity issues or instability of the MAC address table (CAM) - because of the loop, frames with the same source address arrive at the switch on several ports, so the switch keeps relearning that address on a different port. In some cases, the switch may believe the station is behind the wrong port and never deliver the message
- Multiple deliveries - the message circulates in the network repeatedly and keeps being delivered
The most common problem if a loop exists in a typical Ethernet LAN is a so-called broadcast storm, which usually ends with the network being completely overwhelmed. A broadcast storm means that more broadcast (or other) frames are spreading in the network than the network (active elements) can handle. If there is a loop in the network, this effect will occur due to the nature of switches.
Let's recall how a switch works. If it receives a frame for an unknown destination, it forwards it to all ports except the one it came from. It works the same way with broadcasts. It also stores the source MAC address in the CAM table, assigning it to the port from which the frame came.
Note: At the ISO/OSI layer 3 (IP), we have TTL (time to live), so the message circulation ends after a certain time, but there is no such thing at layer 2.
So in our example, the communication proceeds as follows if PC1 sends a message to PC2 (they haven't communicated yet):
- Step 1 - SW1 receives on port e2 and sends to others (e0, e1), also stores the entry in CAM
- Step 2 - SW0 receives on port e1 and sends to e0, also creates an entry in its CAM
- Step 2 - SW2 also receives on port e1 and sends to e0, e2, the target PC2 has already received the message, but the switches don't know this
- Step 3 - SW0 receives on port e0 and sends to port e1, updating the CAM entry because it thinks the PC was reconnected
- Step 3 - SW2 receives on port e0 and sends to port e1, e2, updating the CAM entry
- Step 4 - SW1 receives on port e1 and sends to e0, e2; PC1 recognizes it's not a message for it and discards it, SW1 updates CAM
- Step 4 - SW1 receives on port e0 and sends to e1, e2, updating CAM
And so the packets keep circulating in the network, more communication is added, and the network load increases.
Note: It is often stated that a broadcast storm occurs when a broadcast is sent, but I think sending a unicast can have the same effect.
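An added example, not from the article, that simulates the walkthrough above in Python: three switches without STP flooding a unicast frame with an unknown destination, once with the SW1-SW2 link present and once without it. The topology, port names and MAC addresses are constructed to match the description; PC1 keeps sending one frame per tick and PC2 never replies, so its address stays unknown.

```python
from collections import defaultdict

# Constructed topology matching the article's walkthrough: switches SW0, SW1, SW2
# form a triangle, PC1 hangs off SW1 port e2 and PC2 off SW2 port e2.
LOOP_LINKS = [
    (("SW1", "e0"), ("SW2", "e1")),   # the redundant link that closes the loop
    (("SW1", "e1"), ("SW0", "e1")),
    (("SW0", "e0"), ("SW2", "e0")),
    (("SW1", "e2"), ("PC1", "nic")),
    (("SW2", "e2"), ("PC2", "nic")),
]
TREE_LINKS = LOOP_LINKS[1:]           # same network with the SW1-SW2 link removed
PC1_MAC, PC2_MAC = "00:00:00:00:00:01", "00:00:00:00:00:02"


class Switch:
    """Transparent bridge without STP: learn the source MAC, flood unknown unicast."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports
        self.cam = {}              # MAC -> port
        self.cam_updates = 0       # times an existing entry moved to another port

    def handle(self, in_port, frame):
        src, dst = frame["src"], frame["dst"]
        if self.cam.get(src) not in (None, in_port):
            self.cam_updates += 1  # CAM instability: the station seems to have "moved"
        self.cam[src] = in_port
        if dst in self.cam:
            out_ports = [self.cam[dst]]
        else:                      # unknown destination: flood, there is no layer-2 TTL
            out_ports = [p for p in self.ports if p != in_port]
        return [(p, frame) for p in out_ports]


def simulate(links, ticks, frames_per_tick=1):
    """PC1 sends frames_per_tick unicast frames to PC2 every tick; PC2 never
    replies, so its MAC stays unknown. Returns the number of frames in flight
    after each tick and the switch objects (for CAM statistics)."""
    peer, ports = {}, defaultdict(list)
    for a, b in links:
        peer[a], peer[b] = b, a
        for node, port in (a, b):
            if node.startswith("SW"):
                ports[node].append(port)
    switches = {n: Switch(n, sorted(ps)) for n, ps in ports.items()}
    in_flight, per_tick = [], []
    for t in range(ticks):
        for _ in range(frames_per_tick):
            node, port = peer[("PC1", "nic")]
            in_flight.append((node, port, {"src": PC1_MAC, "dst": PC2_MAC, "id": t}))
        nxt = []
        for node, port, frame in in_flight:
            if node in switches:   # PCs receive (or discard) and never forward
                for out_port, f in switches[node].handle(port, frame):
                    dest_node, dest_port = peer[(node, out_port)]
                    nxt.append((dest_node, dest_port, f))
        in_flight = nxt
        per_tick.append(len(in_flight))
    return per_tick, switches


if __name__ == "__main__":
    loop, _ = simulate(LOOP_LINKS, 10)
    tree, _ = simulate(TREE_LINKS, 10)
    print("frames in flight with loop   :", loop)
    print("frames in flight without loop:", tree)
```

With the loop, every injected frame leaves two copies circulating forever, so the count grows without bound while the CAM entry for PC1 keeps flapping; without the loop the count stays at three and no entry ever moves.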
Why Loops Occur
In today's local networks, which are often very extensive, a loop can occur for two reasons. One possibility is operator error or unskilled handling. In a larger network, it is not difficult to accidentally connect two switches together instead of connecting a station. It can also happen that someone connects a switch to the network instead of a station and connects it to two sockets.
The second reason is probably more important and involves redundancy or load balancing. Because high availability is very important today, redundant (extra) connections are created. Then, if a link or active element fails, most of the network still functions through another path. In this case, redundant connections serve as a backup. Another case is when we use redundant connections to increase performance (throughput) and it involves load balancing. In this case, all connections are used simultaneously.
Note: A simple solution for load balancing can be link aggregation with Cisco EtherChannel (using the IEEE 802.3ad or PAgP standard).
Spanning Tree Protocol
To prevent loops in the network, we use the Spanning Tree Protocol - STP. We can say that it works on the principle of graph theory; the network is a weighted graph, and the algorithm looks for the spanning tree of this graph. In other words, it finds the shortest paths between each pair of switches. It uses the Spanning Tree Algorithm (STA) to create a topology database and then finds and removes redundant connections (blocks ports - they do not transmit and discard received data). STP is defined by the IEEE 802.1d standard and is referred to as the Common Spanning Tree (CST).
Note: Supplemented thanks to Tomfi. The original STP (let's say CSTP) no longer exists today. In 2004, the IEEE 802.1D standard was revised and merged with extensions 802.1t and 802.1w, with the original STP being replaced by RSTP. Nevertheless, I will focus on the original STP, which is closest (and also simplest) to the default Cisco version PVSTP.
STP builds, on top of a physical topology that may contain loops, a logical topology that contains none. It is a dynamic protocol, so if a loop appears, it reconfigures itself to remove it. Similarly, if a link breaks, it tries to create an alternative path (by enabling a previously blocked port), if one exists.
Determining the Shortest Path
STP creates a tree of shortest paths (spanning tree). The shortest path is determined based on the cumulative cost of the links. The cost of a link is given by its bandwidth, according to the following table. In the original specification, the maximum speed was 1Gbps, so it was updated to include 10Gbps links.
link speed | cost since 2001 | cost since 1998 | original cost |
---|---|---|---|
10 Gbps | 2000 | 2 | 1 |
2 Gbps | 10000 | 3 | 1 |
1 Gbps | 20000 | 4 | 1 |
100 Mbps | 200000 | 19 | 10 |
10 Mbps | 2000000 | 100 | 100 |
Bridge ID - BID
Bridge ID (BID) is the basic value of each switch and consists of a priority (2 B), default 0x8000, and the switch's MAC address (6 B). The switch with the lowest BID becomes the Root Bridge. We can change the BID by changing the switch's priority.
Bridge Protocol Data Units - BPDU
STP works by exchanging special messages between devices. These messages are called BPDUs (bridge protocol data units) and are received even by blocked ports. At the beginning of communication, configuration BPDUs are used, followed by Topology Change Notification - TCN BPDUs (announcing a change in network topology) and Topology Change Notification Acknowledgment - TCA BPDUs. BPDU frames use the port's MAC address as the source address and are sent to the STP multicast address 01:80:C2:00:00:00.
A BPDU has three main parts: global information about STP (version, etc.), the information of the given STP instance used for configuration, and the timing parameters (STP timers). Hello Time is the interval at which BPDUs are sent (default 2 s). Max Age (default 20 s) and Forward Delay (default 15 s) are the timers that govern the transitions between port states.
size [B] | item |
---|---|
2 | protocol ID |
1 | protocol version |
1 | BPDU type |
1 | flags |
8 | root BID |
4 | root path cost |
8 | sender BID |
2 | sender port ID |
2 | Message Age |
2 | Max Age |
2 | Hello Time |
2 | Forward Delay |
A superior BPDU is one that has lower values than the others when compared in this order: root BID, path cost to the root, sender BID, and sender port ID.
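An added example, not part of the original article: a Python decoder for the configuration BPDU layout in the table above, with the superiority comparison applied in the order just stated. The BPDU bytes are constructed for the test; the LLC header in front of the BPDU is not modelled, and the timer unit (1/256 s) follows the IEEE 802.1D encoding.

```python
import struct

# Configuration BPDU layout from the table above: 35 bytes, big-endian.
BPDU_FORMAT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FORMAT)          # 35
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80


def parse_bid(raw):
    """8-byte Bridge ID -> (priority, MAC)."""
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:])


def parse_bpdu(data):
    """Decode a BPDU payload (the bytes after the LLC header, which is not modelled)."""
    if len(data) >= 4 and data[3] == TYPE_TCN:
        return {"type": "tcn"}                   # a TCN BPDU carries no further fields
    if len(data) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root, cost, sender, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FORMAT, data[:BPDU_LEN])
    if proto != 0 or btype != TYPE_CONFIG:
        raise ValueError("not a configuration BPDU")
    return {
        "type": "config", "version": version,
        "tc": bool(flags & 0x01), "tc_ack": bool(flags & 0x80),
        "root_bid": parse_bid(root), "root_cost": cost,
        "sender_bid": parse_bid(sender),
        "port_id": port_id, "port_priority": port_id >> 8, "port_number": port_id & 0xFF,
        # timers are encoded in units of 1/256 s (IEEE 802.1D)
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    }


def rank(bpdu):
    """Comparison key in the article's order: the lower tuple is the superior BPDU."""
    return bpdu["root_bid"], bpdu["root_cost"], bpdu["sender_bid"], bpdu["port_id"]


def is_superior(a, b):
    return rank(a) < rank(b)


def build_bpdu(root_prio, root_mac, root_cost, sender_prio, sender_mac,
               port_prio=128, port_num=1, hello=2, max_age=20, fwd_delay=15):
    """Constructed configuration BPDU for testing; timer arguments are in seconds."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    root = root_prio.to_bytes(2, "big") + mac(root_mac)
    sender = sender_prio.to_bytes(2, "big") + mac(sender_mac)
    return struct.pack(BPDU_FORMAT, 0, 0, TYPE_CONFIG, 0, root, root_cost, sender,
                       (port_prio << 8) | port_num, 0,
                       max_age * 256, hello * 256, fwd_delay * 256)


# Constructed scenario: the legitimate root (default priority 0x8000) versus a BPDU
# from a device announcing priority 0, which is exactly what Root Guard is meant to catch.
LEGIT_ROOT = build_bpdu(0x8000, "00:11:22:33:44:55", 0, 0x8000, "00:11:22:33:44:55")
ROGUE_ROOT = build_bpdu(0x0000, "00:00:00:00:00:01", 0, 0x0000, "00:00:00:00:00:01")
```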
Root Bridge
- has the lowest BID
- all its ports are in the forwarding state (communicating) and are of the designated type
- it is the root of the tree
- all decisions are made from its perspective
- it is generally good to ensure that the Root Bridge is the most powerful switch (which is usually also the central element)
Root Bridge Selection
If we set the switch's priority to a lower value, we can determine which switch will be the Root Bridge. The Root Bridge selection proceeds as follows:
- the switch (e.g., newly connected) sends a BPDU (as a broadcast), setting its BID as the root BID
- each switch receives the BPDU and if its BID is lower than the root, it updates it to its own and sends it
- if it receives a BPDU with a lower root BID than its own, it recognizes it as the Root Bridge
Port Types
STP assigns one of three types to each port on the switch (if the port is not disabled):
- root port - the port with the lowest cost, either a link directly connected to the Root Bridge or with the shortest path to it.
- designated port - a port that is a member of the STP topology and connects a segment.
- non-designated port - a blocked port, redundant path.
Root and designated port are ports that send data, they are in the forwarding state. Non-designated port is blocking, i.e., in the blocked state.
Port States
During convergence (topology change, e.g., connecting a switch to the network), individual ports go through several states. There is a certain maximum time interval between each transition.
port state | description | time to next state [s] | timer |
---|---|---|---|
Blocking | receives only BPDU, does not send | 20 | Max Age |
Listening | sends and receives BPDU, nothing else | 15 | Forward Delay (1st) |
Learning | sends and receives BPDU and learns MAC addresses | 15 | Forward Delay (2nd) |
Forwarding | sends and receives everything | | |
STP Convergence
A switched computer network is converged when all switch ports are either in the blocking or forwarding state. Thus, convergence is the time it takes for a port to go from blocking to forwarding, typically a maximum of 50 seconds. Convergence occurs whenever there is a topology change, such as connecting or disconnecting a switch/port or changing the STP configuration. Therefore, any newly connected port will start communicating only after 50 seconds. Similarly, in the event of a link failure, the switch to a backup link will occur after this time.
STP Process
- Select the Root Bridge
- Determine Root Ports
- Determine Designated Ports
- Set others as Non-designated
STP Modes/Types
What I have described so far is the classic STP, known as Common Spanning Tree (CST), defined by the IEEE 802.1d standard. Over time, several other types of STP have emerged, improving certain features. On Cisco devices, the term mode is used instead of type, and Cisco uses most STP in its own modified version.
Different Types of STP
- Common Spanning Tree (CST) - IEEE 802.1d, a single instance of STP runs for all VLANs. The standard was created in 1998 and CST was abolished by a revision in 2004.
- Per-VLAN Spanning Tree (PVST) - Cisco, based on IEEE 802.1d, but a separate instance of STP runs for each VLAN. The advantage is that I can distribute the load so that each VLAN communicates through a different path. Uses ISL trunk.
- Per-VLAN Spanning Tree Plus (PVST+) - Cisco, the difference from PVST is that it uses 802.1q trunk.
- Rapid Spanning Tree (RST) - IEEE 802.1w, the main difference is fast convergence (around 1s). Merged into the 802.1d standard by a revision in 2004.
- Rapid per-VLAN Spanning Tree Plus (RPVST+) - Cisco, based on IEEE 802.1w, RST runs separately for each VLAN.
- Multiple Spanning Tree (MST) - IEEE 802.1s, as fast as RST and allows mapping multiple VLANs to a single STP instance, thus saving the number of STP instances for a large number of VLANs. MSTP runs on top of RSTP, so both must always exist. Used on the network backbone. Merged into the 802.1q standard, which deals with VLANs, by a revision in 2003.
STP Load Balancing - Balancing Load Between Trunk Ports
Using Port Priority
Spanning-Tree Protocol can be used for some load balancing of VLANs on trunk ports. It is based on the fact that switches are directly connected by more than one trunk (which is common for redundancy). In this case, one link is blocked and communication occurs only through one. Because both links have the same Root Bridge ID, path cost, and sending switch BID, the blocked port is chosen based on the sending port ID.
The Port ID (a 16-bit value) consists of the port priority and the port index. The default port priority is 128, but it can be changed through configuration, even for a specific VLAN. Valid values are multiples of 16 up to 240; other values are rejected. A Port ID with a lower value (i.e. a lower port priority number) wins.
SWITCH(config-if)#spanning-tree port-priority 48 // priority of the entire interface
SWITCH(config-if)#spanning-tree vlan 3 port-priority 48 // port priority for the given VLAN
Using Path Cost
The second option for load balancing using STP is to use path cost. In this method, different trunk links can be connected to different switches. The path cost is typically determined by the link speed. The cost can also be set manually; a lower value has higher priority (if the values are the same, it is determined by BID and port ID).
SWITCH(config-if)#spanning-tree cost 4 // cost of the entire interface
SWITCH(config-if)#spanning-tree vlan 10 cost 4 // cost for VLAN on the interface
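An added example, not from the article, that carries out the STP process listed earlier (root election, root ports, designated ports, the rest non-designated) and also shows the two load-balancing mechanisms of this section: cumulative path cost from the cost table and the port-priority tie-break between parallel links. The bridges, MAC addresses, port numbers and link speeds are constructed; link costs are derived from speed only, so a manual `spanning-tree cost` override is not modelled.

```python
import heapq
from collections import defaultdict

# Link costs from the article's table (values in use since 2001), keyed by Mbit/s.
PATH_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000, 2000: 10_000, 10_000: 2_000}


def port_id(priority, number):
    """16-bit Port ID: priority (default 128, multiples of 16 up to 240) + port number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    return (priority << 8) | number


def spanning_tree(bridges, links, port_priority=None):
    """bridges: name -> (priority, mac); links: (A, portA, B, portB, mbps);
    port_priority: {(bridge, port): priority} for ports changed from the default.
    Returns (root bridge, root path cost per bridge, role per (bridge, port))."""
    port_priority = port_priority or {}
    pid = lambda n, p: port_id(port_priority.get((n, p), 128), p)
    root = min(bridges, key=bridges.get)             # lowest BID = (priority, MAC)
    adj = defaultdict(list)                           # node -> (own port, nb, nb port, cost)
    for a, pa, b, pb, mbps in links:
        adj[a].append((pa, b, pb, PATH_COST[mbps]))
        adj[b].append((pb, a, pa, PATH_COST[mbps]))
    # Root path cost = cumulative link cost of the cheapest path to the root (Dijkstra).
    rpc = {n: float("inf") for n in bridges}
    rpc[root], heap = 0, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > rpc[n]:
            continue
        for _, nb, _, cost in adj[n]:
            if c + cost < rpc[nb]:
                rpc[nb] = c + cost
                heapq.heappush(heap, (rpc[nb], nb))
    # Root port: lowest (cost via neighbour, neighbour BID, neighbour port ID, own port ID).
    root_port = {
        n: min(adj[n], key=lambda e: (rpc[e[1]] + e[3], bridges[e[1]],
                                      pid(e[1], e[2]), pid(n, e[0])))[0]
        for n in bridges if n != root
    }
    # Designated port per link: the end with the lowest (root path cost, BID, port ID);
    # the other end is either that bridge's root port or non-designated (blocked).
    roles = {}
    for a, pa, b, pb, _ in links:
        ka, kb = (rpc[a], bridges[a], pid(a, pa)), (rpc[b], bridges[b], pid(b, pb))
        (d, dp), (o, op) = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles[(d, dp)] = "designated"
        roles[(o, op)] = "root" if root_port.get(o) == op else "non-designated"
    return root, rpc, roles


# Constructed topology: A (priority 4096) is meant to be the root, A-B has two parallel
# gigabit links, and C reaches A either directly over 100 Mbit/s or via B over two gigabit hops.
BRIDGES = {"A": (4096, "00:00:00:00:00:0a"),
           "B": (32768, "00:00:00:00:00:0b"),
           "C": (32768, "00:00:00:00:00:0c")}
LINKS = [("A", 1, "B", 1, 1000), ("A", 2, "B", 2, 1000),
         ("B", 3, "C", 3, 1000), ("A", 3, "C", 1, 100)]
```

Lowering the priority of A's port 2 to 48 (the `spanning-tree port-priority 48` case above) moves B's root port from port 1 to port 2 while everything else stays the same, which is how traffic for a given VLAN is steered onto the other trunk.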
STP Configuration in Cisco IOS
Note: I think in many practical cases, we only need to configure two things: determine the Root Bridge and set PortFast on each end port (where a computer is connected).
Today's Cisco switches support STP in PVST+, Rapid PVST+, and MSTP modes. For PVST+ and RPVST+, there can (usually) be a maximum of 128 STP instances. For MSTP, the limit is 65 instances. These are just versions of STP that include Cisco extensions.
Note: STP is enabled by default on Cisco switches (in PVST+ mode) and it is not recommended to disable it.
The basic configuration of STP parameters does not depend on the mode used; higher modes only add additional features. In this chapter, I will describe only the configuration of STP in PVST+ mode. In this case, we usually do not need to configure almost anything.
Note: Possible configurations and features vary depending on the IOS version.
At the beginning of the configuration, we can choose the mode in which STP should operate.
SWITCH(config)#spanning-tree mode pvst // set STP mode
Note: If we change the STP mode, all instances are reinitialized, and communication may be interrupted.
We can then enable or disable STP for a specific VLAN.
SWITCH(config)#spanning-tree vlan 10 // enable STP for VLAN 10
SWITCH(config)#no spanning-tree vlan 10 // disable STP for VLAN 10
We can then configure individual STP parameters for each VLAN separately. I think the most important is setting the priority because it determines the Root Bridge. The command with root primary finds the current lowest priority in the STP instance and sets a lower one, so it is even better than setting the priority directly.
Note: An STP instance for a VLAN is created automatically when the first port is assigned to the VLAN and is removed when the last port is removed.
SWITCH(config)#spanning-tree vlan 10 priority 32768 // sets the switch priority, multiples of 4096
SWITCH(config)#spanning-tree vlan 10 root primary // sets the switch as root
Instead of a single VLAN, we can define several separated by commas or a range using a dash.
We can also use the optional keyword diameter and define the maximum network diameter. In practice, we usually choose the central element (core switch) as the Root Bridge, and the network radius is typically 2 (access switches are directly connected to the center) or 3 (we also have a distribution layer). The switch then calculates optimal values for hello time, forward-delay time, and maximum-age time.
SWITCH(config)#spanning-tree vlan 1-4094 root primary diameter 2
There are several show commands for monitoring and managing STP.
SWITCH#show spanning-tree // displays STP info for each VLAN
SWITCH#show spanning-tree summary // brief STP info
SWITCH#show spanning-tree detail // detailed STP info
SWITCH#show spanning-tree vlan 100 // STP info for the specified VLAN
SWITCH#show spanning-tree interface f0/1 // STP info for the specified interface
SWITCH#show spanning-tree bridge detail // brief overview of STP instances
How do I find out which switch is the Root Bridge?
Using show spanning-tree summary, I can see for which VLANs the given switch is the Root. I can also tell because all ports for the given VLAN are in the Designated state.
To find the correct switch, I look at show spanning-tree vlan 100 on any switch to see which port is the Root port and move to the switch it is connected to. Step by step, I reach the Root Bridge.
STP Extensions
Cisco has several extensions for standard STP. Most of them aim to increase speed or improve security. I will briefly mention a few of them. The most important, in my opinion, is portfast.
PortFast
Normally, after connecting a device to a port, it must go through the entire cycle from blocking to forwarding. If we know that only a computer is connected to the port and a loop cannot occur, we can set the port as portfast, where it goes directly to the forwarding state after being enabled. We can set it either on a port or globally for all ports (unless specified otherwise).
SWITCH(config-if)#spanning-tree portfast // for one port
SWITCH(config)#spanning-tree portfast default // for all
Note: If portfast is not set, it often happens that a connected PC (e.g., with Windows XP) boots up before the port goes into the forwarding state, so when sending a DHCP request for an address, no response is received, causing several problems. Portfast can also be set on a trunk port if a server is connected there.
UplinkFast
It is mainly used on access switches. In the event of a main link failure (Root Port), it unblocks the backup link and ensures its immediate switch to the forwarding state (skipping the listening and learning states). It is set for the entire switch.
SWITCH(config)#spanning-tree uplinkfast
BPDUguard and BPDUfilter
Both functions can be set either per port or globally as the default port behavior, but in this case, it only applies to ports that have portfast set.
BPDU guard protects a port intended for an end station (or server). If a BPDU is received on this port, the port is disabled (switched to the error-disable state). This usually means that someone connected an unauthorized switch.
SWITCH(config-if)#spanning-tree bpduguard enable // for one interface
SWITCH(config)#spanning-tree portfast bpduguard default // for all
BPDU filter is used to filter STP traffic on ports intended for an end station (or server). It prevents the reception and transmission of BPDU packets, which is good to set so that client stations do not receive this communication. If a BPDU arrives at the port, portfast (if enabled) and BPDU filter are disabled.
SWITCH(config-if)#spanning-tree bpdufilter enable // for one interface
SWITCH(config)#spanning-tree portfast bpdufilter default // for all
STP Guard
We can use Root Guard, which protects the network from an unwanted switch becoming the Root Bridge, for example if someone connects a switch with priority 0 and a low MAC address. It enforces that the port with Root Guard set is a designated port; if it should become a root port, it is blocked (switched to the root-inconsistent state, where it does not send data but receives BPDU).
SWITCH(config-if)#spanning-tree guard root
Additional protection against loops is offered by Loop Guard.
SWITCH(config-if)#spanning-tree guard loop // for one interface
SWITCH(config)#spanning-tree loopguard default // for all
Hello,
First of all, I appreciate that you are writing a Cisco IOS series; there is never enough education :)
I understand that you are sticking with what "Cisco teaches". I can't help but at least note that 10 Gbit/s no longer has such a low cost ... since 2004 its recommended value has been 2000.
Furthermore, 802.1w is already included in the 802.1D revision from 2004 ...
802.1s, in turn, is part of 802.1Q-2005.
So the source you draw from would need a slight "upgrade", and the article should also mention how it is defined "nowadays".
respond to [1]tomfi: I rely primarily on Cisco's materials; I think they know the most about their own devices. And I focus on their modifications/versions.
Thank you for the addition/correction. As for the high link costs, I did not look into the standard, but I found only a single mention on the web, namely that it concerns Rapid STP.
Otherwise you are right. In 2004 the STP protocol was abolished and replaced by RSTP (the 802.1d standard was merged with 802.1w and 802.1t). But then PVSTP, which is the default even on new Cisco switches, is harder to describe.
Hello, I commend the Cisco IOS series. I have one question regarding STP.
Among others, we also have an older Catalyst 3500XL here, on which I am unable to switch the STP mode to the newer PVST+/RST (at least the CLI help doesn't even offer it). Which STP mode should the neighbouring switches connected to it use so that it works, or rather, if I set those neighbouring switches to RST, for example, will it work at all?
Thanks for the advice
respond to [3]Walker: Thank you. We also had 3500XLs at the company, and unfortunately this series does not support a number of (today) important functions. For example, it cannot do RST or MST, but it should support PVST+ (it is written everywhere as PVST, but it is the + version, otherwise it would not work for you on an 802.1q trunk). I already have an article on RST prepared, so I will publish it soon. In short, if you set the neighbouring switches to RST, the whole network will still run in PVST+. With MST, this switch could work as a separate region, so the rest of the network would run in RST.
You're a champ
It is called a broadcast storm because the unicast frame you have in the example behaves like a broadcast one (the switch does not know the destination MAC, so it sends it out all outgoing ports - classic broadcast behaviour). If the switches along the way knew the destination MAC address, such behaviour would not occur.
"If a BPDU arrives at the port, portfast (if enabled) and BPDU filter are disabled."
This might need to be phrased better. BPDU filter causes BPDU frames to be neither received nor sent on the port, thus disabling STP. But if a BPDU arrives at the port, it does not cause STP to be re-enabled (and the filter to be disabled); it only disables portfast. The documentation also states that this can consequently cause loops.
respond to [7]davro:
Allow me to correct you a little... it is a bit more complicated.
If it is set globally, then what is written in the article happens. If it is set on a specific interface, what you write happens :)
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/stp_enha.html#wp1033403
respond to [8]tomfi:
Oops... I misread a bit.
I'm not sure about portfast being disabled when it is set on the interface ... I'll try to look into it :)
Hello,
I just came across this page and I am writing only to thank the author! Perfect series, thanks for the time invested!
hello,
I would like to thank the author for the work done! Keep it up... :)
I'm a fool, but never mind, I have a severe mental impairment
Perfect guide.
Hello. Is there any way to find out which mode Spanning Tree Protocol is currently "running" in (I mean, how do I find out whether it is PVSTP, RSTP ...)? Thanks in advance for the info, and otherwise I commend your blog/forum.
respond to [15]noIDCZek: Well, that is simple. You can see it, for example, right in the output of the show spanning-tree command.
Hello, I have a question .... can STP or some similar mechanism be used against looping a switch? ...for example in a situation where someone accidentally connects two ports of the same switch with a patch cable ...essentially a "broadcast storm" also occurs ...thanks for the answer.
respond to [17]Ramzey: I know this is very old, but I can't help responding to this.
I think this would be a very good question if it were asked, say, on a gardeners' forum. But under an article that directly describes loops and how to solve them? The author is either joking or did not read this article at all.
respond to [18]Hobit: I partly agree, although I think the author was not asking about looping TWO SWITCHES, but about looping two ports of ONE SWITCH. That is, what happens if we connect 2 ports on one switch with a cable.
In my opinion it works this way between ports too, because an election actually takes place on each link as well, and classically, by port number, the higher one should remain blocking. Or would the switch itself recognize that it is communicating with itself? Someone has to test it in a lab.
Hello, do you describe anywhere, please, how to configure switches so that I can connect them in a mesh topology? I would like to achieve (redundancy) this way, but I don't know what to look under.
thank you.
hahaha this helped me so much dude, thanks, cheers my bro. 11/10
spanning-tree loopguard - it's a pity that this term was not elaborated on.
Example: I have a port in the Alt BLK state and for some reason BPDU frames stop arriving; with the usual settings this port comes up as Desg FWD, which can cause a loop. For example, when the uplink is fibre and one strand is damaged.
This command, however, causes the port to be blocked as Desg BKN.
So I strongly recommend setting this.
respond to [23]Michaels: if I understood it correctly, then: http://wh.cs.vsb.cz/sps/images/f/f3/LoopGuard-Fecu-Vychodil.pdf
hello, I want to ask how to connect the SPU cables to SPT. I want to organize a party with IT people. You are invited! Thank you
Hello, I have a question
I don't understand how you described the STUPV switch, since it has the same properties as the BNG port on console K. I would like to discuss it over coffee.
Thank you,
Bořek Louda