Part 2: Preventing Loops in the Network

Spanning Tree Protocol
Chapter 3 - Implementing Spanning Tree
Objectives
• Summarise how 802.1D STP works to eliminate Layer 2 loops in a converged network.
• Explain the enhancements that can be used to optimise and protect STP.
• Describe the operation of per-VLAN STP.
• Describe the operation of 802.1w Rapid STP.
Switching Loops
• Adding redundant paths between switches creates switching loops, which cause the following problems:
  • Multiple frame transmission (a station receives copies of the same unicast frame)
  • MAC database instability (the same source MAC is learned on different ports as the copies arrive)
  • Broadcast storms (broadcasts circulate indefinitely, because a Layer 2 frame carries no TTL)
[Figure: two switches joined by redundant links, ports Fa0/1 and Fa0/2 on each side]
Spanning Tree Protocol 802.1d (STP)
• The solution is to keep the redundant physical links but build a loop-free logical topology called a tree.
• It is a spanning tree because every device in the network is still reachable, or spanned, over the tree.
• The algorithm used to create this loop-free logical topology is the spanning-tree algorithm.
• STP exchanges information in frames called Bridge Protocol Data Units (BPDUs).
• A newer algorithm, the rapid spanning-tree algorithm (802.1w), was developed to reduce the time a network needs to compute a loop-free logical topology.
STP Variants
Bridge Protocol Data Unit
A bridge uses a four-step decision sequence to save a copy of the "best" BPDU seen on every port:
1. Lowest root Bridge ID (BID)
2. Lowest path cost to the root bridge
3. Lowest sender Bridge ID
4. Lowest sender port ID
When making this evaluation, it considers all the BPDUs received on the port as well as the BPDU that would be sent on that port.
As every BPDU arrives, it is checked to see if it is more attractive (that is, lower in value) than the existing BPDU saved for that port.
If the new BPDU (or the locally generated BPDU) is more attractive, the old value is replaced.
802.1D Bridge Protocol Data Unit
• By default BPDUs are sent every two seconds (the hello time).
• The BID consists of a bridge priority that defaults to 32768 (0x8000) and the switch MAC address.

BID = Bridge Priority (2 bytes) | MAC Address (6 bytes)

• The BID uses one of the MAC addresses from a pool of MAC addresses that are assigned to the switch backplane.
• Note: on switches that implement the 802.1t extended system ID (Cisco PVST+ does), the 2-byte priority field is split into a 4-bit priority, so configurable values are multiples of 4096, and a 12-bit system ID that carries the VLAN number. The default 32768 is then shown per VLAN as 32768 plus the VLAN ID, for example 32778 for VLAN 10.
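The BPDU layout just described, as an added worked example (not code from the slides or from Cisco): it packs and decodes the fixed 35-byte 802.1D configuration BPDU and the 4-byte TCN BPDU inside an 802.3/LLC frame, splits each 8-byte Bridge ID into the 2-byte priority and 6-byte MAC, converts the timers from their 1/256-second wire units, and flags a BPDU whose advertised root would beat the intended one (the condition Root Guard later reacts to). The frames, the rogue MAC dead.beef.0001 and the extended-system-ID split are all constructed or assumed here.

```python
"""Pack and decode 802.1D BPDUs and check the root they advertise.

Added worked example; not code from the slides or from any vendor. It handles
the fixed 35-byte configuration BPDU and the 4-byte TCN BPDU carried in an
IEEE 802.3 frame with the 0x42/0x42 LLC header. All frames are constructed.
"""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")        # destination of every BPDU
LLC_STP = bytes.fromhex("424203")                # DSAP 0x42, SSAP 0x42, UI control
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")   # 35 bytes, network byte order
TCN_BPDU = struct.Struct("!HBB")                 # protocol ID, version, type


def mac_bytes(mac):
    """Accept 1111.1111.1111 or 11:11:11:11:11:11 and return the 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def pack_bid(priority, mac):
    """8-byte Bridge ID: 2-byte priority followed by the 6-byte bridge MAC."""
    return struct.pack("!H6s", priority, mac_bytes(mac))


def unpack_bid(raw):
    priority, mac = struct.unpack("!H6s", raw)
    return {
        "priority": priority,
        "mac": mac.hex(":"),
        # 802.1t extended system ID (assumption: the PVST+ encoding): the field
        # is a 4-bit priority (multiples of 4096) plus a 12-bit VLAN number.
        "ext_priority": priority & 0xF000,
        "ext_sysid": priority & 0x0FFF,
    }


def frame(src_mac, bpdu):
    """Wrap a BPDU in an 802.3 length-field frame with the STP LLC header."""
    payload = LLC_STP + bpdu
    return STP_MCAST + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def config_bpdu(src_mac, root_bid, root_cost, bridge_bid, port_id, flags=0,
                msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """Configuration BPDU; timers travel in units of 1/256 second."""
    body = CONFIG_BPDU.pack(0, 0, 0, flags, root_bid, root_cost, bridge_bid, port_id,
                            msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    return frame(src_mac, body)


def tcn_bpdu(src_mac):
    """Topology Change Notification: nothing beyond the type byte 0x80."""
    return frame(src_mac, TCN_BPDU.pack(0, 0, 0x80))


def parse_bpdu_frame(data):
    dst, src = data[:6], data[6:12]
    if dst != STP_MCAST:
        raise ValueError("not addressed to the bridge group address")
    length = struct.unpack("!H", data[12:14])[0]
    payload = data[14:14 + length]
    if payload[:3] != LLC_STP:
        raise ValueError("LLC header is not the spanning-tree SAP")
    body = payload[3:]
    proto, version, kind = TCN_BPDU.unpack_from(body)
    if proto != 0:
        raise ValueError("unknown protocol identifier %#x" % proto)
    info = {"src": src.hex(":"), "version": version}
    if kind == 0x80:
        info["type"] = "tcn"
        return info
    if kind != 0x00 or len(body) < CONFIG_BPDU.size:
        raise ValueError("unsupported or truncated BPDU")
    (_, _, _, flags, root, cost, bridge, port, age,
     max_age, hello, fwd) = CONFIG_BPDU.unpack_from(body)
    info.update({
        "type": "config",
        "topology_change": bool(flags & 0x01),   # TC flag, bit 0
        "tc_ack": bool(flags & 0x80),            # TCA flag, bit 7
        "root": unpack_bid(root),
        "root_path_cost": cost,
        "bridge": unpack_bid(bridge),
        "port_id": port,                         # 0x8001 = priority 128, port 1
        "message_age": age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd / 256,
    })
    return info


def claims_better_root(info, expected_priority, expected_mac):
    """True when the advertised root would win the election against the root
    the operator intended; this is what Root Guard refuses to accept."""
    r = info["root"]
    return (r["priority"], r["mac"]) < (expected_priority, mac_bytes(expected_mac).hex(":"))


if __name__ == "__main__":
    s1 = pack_bid(32768, "1111.1111.1111")        # the slides' root, S1
    print(parse_bpdu_frame(config_bpdu("1111.1111.1111", s1, 0, s1, 0x8001)))
    rogue = pack_bid(0, "dead.beef.0001")          # constructed: priority 0, unknown MAC
    bad = parse_bpdu_frame(config_bpdu("dead.beef.0001", rogue, 0, rogue, 0x8001))
    print("rogue root claim:", claims_better_root(bad, 32768, "1111.1111.1111"))
```

The same decoder can be pointed at a packet capture of the 01:80:c2:00:00:00 multicast to check, BPDU by BPDU, who is claiming to be root and whether the timers match the values configured on the real root.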
Bridge Protocol Data Unit
BPDUs contain the information that allows switches to perform specific actions:
• Select a single switch that will act as the root of the spanning tree.
• Calculate the shortest path from itself to the root switch.
• Designate one of the switches as the closest one to the root for each LAN segment. This switch is called the designated switch. The designated switch handles all communication from that LAN segment towards the root bridge.
• Each non-root switch chooses one of its ports as its root port: the interface that gives the best path to the root switch.
• Non-designated ports are blocked.
[Figure: a root switch whose ports are both designated, linked to a switch that has a root port, a designated port and a blocked port]
Step 1 - Root Bridge Election Process
[Figure: four switches S1 to S4 joined by 100 Mbit/s links (each link cost = 19), all at the default priority 32768, with MACs 1111.1111.1111 (S1), 2222.2222.2222 (S2), 3333.3333.3333 (S3) and 4444.4444.4444 (S4), ports Fa0/1 and Fa0/2 on each. With equal priorities the lowest MAC wins, so S1 becomes the root.]
• Upon completion of the root bridge election process, the switches continue to forward the root BPDU frames advertising the root ID of the root bridge every 2 seconds.
• Each switch is configured with a max age timer that determines how long a switch retains the current BPDU configuration in the event it stops receiving updates from its neighbouring switches. By default, the max age timer is set to 20 seconds.
• Therefore, if a switch fails to receive 10 consecutive BPDU frames (20 seconds at the 2-second hello interval) from one of its neighbours, the switch assumes that a logical path in the spanning tree has failed and that the stored BPDU information is no longer valid. It discards that information and re-runs the spanning-tree algorithm, which can result in a new root bridge being elected.
Step 2 - Root Port Election Process
• Each non-root switch selects as its root port the port with the shortest path to the root, where shortest path is based on cumulative link costs.
• Link costs are based on the speed of the link (19 for each 100 Mbit/s link in the figure).
• Where two ports offer the same cost, the rest of the decision sequence breaks the tie:
1. Lowest root Bridge ID (BID)
2. Lowest path cost to the root bridge
3. Lowest sender Bridge ID
4. Lowest port ID
[Figure: the same topology with S1 as root; S2, S3 and S4 each have one port marked Root Port]
Step 3 - Designated Port Election Process
• On each segment, the switch advertising the best BPDU provides the designated port, again using the decision sequence:
1. Lowest root Bridge ID (BID)
2. Lowest path cost to the root bridge
3. Lowest sender Bridge ID
4. Lowest port ID
• Every port on the root bridge is a designated port.
• A port that is neither a root port nor a designated port is a non-designated port and is placed in blocking, which is what breaks the loop.
[Figure: the same topology with every port labelled Root Port, Designated Port or Non-Designated Port (Blocking); S1's Fa0/1 and Fa0/2 are both designated, and exactly one port in the loop is blocking]
STP Port Roles
• The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.
• The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment.
• The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses; it does still receive and process BPDUs. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port.
802.1d BPDU Timers
Port states after a link comes up:
• Blocking (max age = 20 secs): receives BPDUs, forwards nothing; moves to listening once the port is decided to be a root or designated port.
• Listening (forward delay = 15 secs): sends and receives BPDUs, no data forwarding, no MAC learning.
• Learning (forward delay = 15 secs): populates the MAC address table, still no data forwarding.
• Forwarding.
A port therefore needs 30 seconds (listening plus learning) before it forwards, and up to 50 seconds when a failure must first be detected by max age expiry.
• Adjust spanning tree timers with care!
• Defaults are calculated based on a network diameter of 7 switches.
• Set the diameter on the root switch, and it will propagate new timers to the other switches via its BPDUs.
S1(config)#spanning-tree vlan 10 root primary diameter 4
802.1D Spanning Tree Protocol Topology Changes
[Figure: S1 (root) above S2 and S3; a change on S3's Fa0/8 sends a TCN up through S3's root port, each hop answering with a BPDU ACK, until it reaches S1]
• After a topology change, S3 sends a topology change notification (TCN) BPDU from its root port; each upstream switch acknowledges it and forwards it from its own root port, until the root switch is informed of the change.
• When the root bridge receives the TCN BPDU, it sends out a normal BPDU with the topology change flag set.
• This causes all switches to shorten their CAM table aging timers from the default (300 seconds) to the forward delay interval (15 seconds), so stale entries for stations whose path has moved are flushed quickly.
802.1D Spanning Tree Protocol Portfast
[Figure: S1 (root), S2 and S3; S3's Fa0/8 is an access port with a single host attached]
• When PortFast is enabled on an access port, the port goes from blocking straight to forwarding when it comes up, bypassing the listening and learning states and the 30 seconds they cost.
• A PortFast port still runs STP: if a BPDU arrives on it, the port loses its PortFast status and falls back to the normal state sequence.
S3(config)#int fa0/8
S3(config-if)#spanning-tree portfast
or
S3(config)#spanning-tree portfast default
IOS responds with:
Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc..to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
Portfast has been configured on FastEthernet0/8 but will only have effect when the interface is in non-trunking mode.
802.1D Spanning Tree Protocol BPDU Guard
[Figure: S1 (root), S2 and S3; S3's Fa0/8 is the PortFast access port]
• In a valid configuration, PortFast-configured interfaces should not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorised device.
• STP BPDU Guard puts a PortFast-configured interface that receives a BPDU into the err-disabled state (effectively shutting it down), rather than letting the port simply drop out of PortFast and run the normal STP states (the default behaviour).
S3(config)#int fa0/8
S3(config-if)#spanning-tree bpduguard enable
or
S3(config)#spanning-tree portfast bpduguard default
• The global form applies only to ports that are PortFast-enabled; the per-interface form applies regardless of PortFast.
• An err-disabled port stays down until it is bounced with shutdown / no shutdown, or until errdisable recovery cause bpduguard (with errdisable recovery interval) re-enables it automatically. List affected ports with show interfaces status err-disabled.
Protecting Spanning Tree Protocol Root Guard
[Figure: S1 (root), S2, S3 and S4; Root Guard is enabled on S4's ports, and a superior BPDU arriving on a guarded port leaves that port blocked as root-inconsistent]
• The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network: it is enabled on the ports that should never become root ports, so a superior BPDU arriving there is refused instead of triggering a new root election.
• As long as superior BPDUs keep arriving on a Root Guard port, that port is kept in the root-inconsistent state. This prevents the port from sending or receiving data, but the switch still listens to BPDUs on it, and the port recovers on its own once the superior BPDUs stop.
S4(config-if)#spanning-tree guard root
S4#sh spanning-tree inconsistentports
Protecting Spanning Tree Protocol Loop Guard
[Figure: S1 (root), S2, S3 and S4; one of the blocking ports in the loop is protected by Loop Guard]
• A blocking port is only safe while it keeps hearing the designated bridge's BPDUs. If a unidirectional link or a software fault silently stops them, plain 802.1D ages the stored information out after max age and moves the port to forwarding, creating a loop.
• The Loop Guard feature keeps track of BPDU activity on non-designated (blocking) ports and root ports, and when BPDUs go missing it moves the port into the loop-inconsistent state instead. The port is thus effectively blocking, preventing a loop from forming; it recovers automatically when BPDUs resume.
• Loop Guard can be configured globally, or on a specific port. Note that the corrective blocking action it performs is carried out on a per VLAN basis, not the entire port.
• Loop Guard and Root Guard are mutually exclusive on a port: enabling one disables the other.
S4(config-if)#spanning-tree guard loop
S4(config)#spanning-tree loopguard default
Protecting Spanning Tree Protocol BPDU Filter
[Figure: S1 (root), S2, S3 and S4; BPDU Filter is applied on S3's Fa0/8]
• To prevent a port from sending or receiving BPDUs, use the spanning-tree bpdufilter command.
• This effectively de-activates STP on that port, so there is a potential to create switching loops if care is not exercised!
• BPDU filtering can be enabled either globally or on a per-port basis, and the two forms behave differently:
  • Per port (spanning-tree bpdufilter enable) unconditionally stops the port sending BPDUs and drops any it receives, so a switch plugged into that port is never detected.
  • Globally (spanning-tree portfast bpdufilter default) affects only PortFast ports: the port sends a few BPDUs when the link comes up and then goes quiet, and if a BPDU is ever received the port loses PortFast and BPDU filtering and falls back to normal STP operation, so loop protection is retained.
• For an edge port whose attached device should never speak STP, BPDU Guard is the safer choice; use BPDU Filter only where hiding STP from the attached device is the actual goal.
S3(config-if)#spanning-tree bpdufilter enable | disable
S3(config)#spanning-tree portfast bpdufilter default