Part 2: Preventing Loops in the Network: Spanning Tree Protocol

Upload: adila

Post on 07-Feb-2016

DESCRIPTION

Part 2: Preventing Loops in the Network. Spanning Tree Protocol. Chapter 3 - Implementing Spanning Tree Objectives. Summarise how 802.1D STP works to eliminate Layer 2 loops in a converged network. Explain the enhancements that can be used to optimise and protect STP. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Part 2: Preventing Loops in the Network

Part 2: Preventing Loops in the Network

Spanning Tree Protocol

Page 2: Part 2: Preventing Loops in the Network

Chapter 3 - Implementing Spanning Tree Objectives

Summarise how 802.1D STP works to eliminate Layer 2 loops in a converged network.

Explain the enhancements that can be used to optimise and protect STP.

Describe the operation of per-VLAN STP.

Describe the operation of 802.1w Rapid STP.

Page 3: Part 2: Preventing Loops in the Network

Switching Loops

• The addition of redundant paths creates switching loops, leading to the following problems:

• Multiple Frame Transmission

• MAC Database Instability

• Broadcast Storms

[Figure: two switches joined by redundant links, Fa0/1 to Fa0/1 and Fa0/2 to Fa0/2]

Page 4: Part 2: Preventing Loops in the Network

Spanning Tree Protocol 802.1d (STP)

•The solution is to allow physical loops, but create a loop free logical topology called a tree.

•It is a spanning-tree because all devices in the network are reachable or spanned.

•The algorithm used to create this loop free logical topology is the spanning-tree algorithm.

•STP exchanges information called Bridge Protocol Data Units (BPDUs).

•A new algorithm called the rapid spanning-tree algorithm was developed to reduce the time for a network to compute a loop free logical topology.

Page 5: Part 2: Preventing Loops in the Network

STP Variants

Page 6: Part 2: Preventing Loops in the Network

Bridge Protocol Data Unit

A bridge uses a four-step decision sequence to save a copy of the "best" BPDU seen on every port:

1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest sender port ID

When making this evaluation, it considers all the BPDUs received on the port as well as the BPDU that would be sent on that port.

As every BPDU arrives, it is checked to see if it is more attractive (that is, lower in value) than the existing BPDU saved for that port.

If the new BPDU (or the locally generated BPDU) is more attractive, the old value is replaced.

Page 7: Part 2: Preventing Loops in the Network

802.1D Bridge Protocol Data Unit

• By default BPDUs are sent every two seconds.

• The BID consists of a bridge priority that defaults to 32768 (0x8000) and the switch MAC address.

• The BID uses one of the MAC addresses from a pool of MAC addresses that are assigned to the switch backplane.

[Figure: BID format = Bridge Priority (2 bytes) followed by MAC Address (6 bytes)]

Page 8: Part 2: Preventing Loops in the Network

Bridge Protocol Data Unit

BPDUs contain information that allows switches to perform specific actions:

• Select a single switch that will act as the root of the spanning-tree.

• Calculate the shortest path from itself to the root switch.

• Designate one of the switches as the closest one to the root, for each LAN segment. This switch is called the designated switch. The designated switch handles all communication from that LAN segment towards the root bridge.

• Each non-root switch chooses one of its ports as its root port - the interface that gives the best path to the root switch.

• Non-designated ports are blocked.

[Figure: a Root Switch whose ports are designated (Des), a neighbouring switch with a Root Port, and one port marked Block]

Page 9: Part 2: Preventing Loops in the Network

Step 1 - Root Bridge Election Process

[Figure: four switches S1, S2, S3 and S4 connected in a square over Fa0/1 and Fa0/2 links, every link with Cost = 19. Their MAC addresses are 1111.1111.1111, 2222.2222.2222, 3333.3333.3333 and 4444.4444.4444, all with Priority = 32768. With equal priorities the lowest MAC wins, so the switch with MAC 1111.1111.1111 (S1) is elected Root.]

Page 10: Part 2: Preventing Loops in the Network

Step 1 - Root Bridge Election Process

Upon completion of the root bridge election process, the switches continue to forward the root BPDU frames advertising the root ID of the root bridge every 2 seconds.

Each switch is configured with a max age timer that determines how long a switch retains the current BPDU configuration in the event it stops receiving updates from its neighboring switches. By default, the max age timer is set to 20 seconds.

Therefore, if a switch fails to receive 10 consecutive BPDU frames from one of its neighbors, the switch assumes that a logical path in the spanning tree has failed and that the BPDU information is no longer valid. This triggers another spanning-tree root bridge election.

Page 11: Part 2: Preventing Loops in the Network

Step 2 - Root Port Election Process

[Figure: the same four-switch square (all Priority = 32768, every link Cost = 19) with S1 as Root; on each of S2, S3 and S4 the port with the best path to S1 is marked RootPort.]

• Shortest path is based on cumulative link costs.

• Link costs are based on the speed of the link.

1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest port ID

Page 12: Part 2: Preventing Loops in the Network

Step 3 - Designated Port Election Process

[Figure: the same four-switch square (all Priority = 32768, every link Cost = 19) with S1 as Root. Both ports on S1 and one port each on S2 and S3 are marked DesignatedPort; S2, S3 and S4 each have a RootPort; the remaining port on S4 is the Non-DesignatedPort (Blocking).]

1. Lowest root Bridge ID (BID)
2. Lowest path cost to root bridge
3. Lowest sender bridge ID
4. Lowest port ID
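The four-step BPDU comparison, the priority-plus-MAC BID encoding and Steps 1 to 3 (root bridge, root port and designated port election) worked on the four-switch topology of the slides, as an added Python example that is not part of the original presentation. The MAC-to-switch assignment (S1 gets 1111.1111.1111 so that it wins the election as on the slides), the port numbering and the square wiring are assumptions.

```python
PRIORITY = 32768   # default 802.1D bridge priority (0x8000)
COST_FAST = 19     # 802.1D path cost of a 100 Mb/s link, as on the slides


def bid(priority, mac):
    """Bridge ID = 2-byte priority followed by the 6-byte MAC; lower wins."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


# Constructed: S1 is given the lowest MAC so it wins the election as on the slides.
SWITCHES = {"S1": bid(PRIORITY, "1111.1111.1111"), "S2": bid(PRIORITY, "2222.2222.2222"),
            "S3": bid(PRIORITY, "3333.3333.3333"), "S4": bid(PRIORITY, "4444.4444.4444")}
# Constructed square topology: ((switch, port), (switch, port), link cost)
LINKS = [(("S1", 1), ("S2", 1), COST_FAST), (("S1", 2), ("S3", 1), COST_FAST),
         (("S2", 2), ("S4", 1), COST_FAST), (("S3", 2), ("S4", 2), COST_FAST)]


def run_stp(switches, links):
    """Return (root, roles) where roles maps (switch, port) to its STP role."""
    root = min(switches, key=switches.get)                    # step 1: lowest BID
    # best[s] = most attractive BPDU heard: (root path cost, sender BID, sender port, my port)
    best = {s: None for s in switches}
    best[root] = (0, switches[root], 0, None)
    changed = True
    while changed:                                            # relax until nothing improves
        changed = False
        for end_a, end_b, cost in links:
            for (x, px), (y, py) in ((end_a, end_b), (end_b, end_a)):
                if best[x] is None or y == root:
                    continue
                heard = (best[x][0] + cost, switches[x], px, py)  # steps 2, 3, 4 as a tuple
                if best[y] is None or heard < best[y]:
                    best[y] = heard                           # step 2: root port = py
                    changed = True
    roles = {}
    for (a, pa), (b, pb), _ in links:                         # step 3: one designated port per segment
        adv_a = (best[a][0], switches[a], pa)                 # BPDU each end would send
        adv_b = (best[b][0], switches[b], pb)
        des, other = ((a, pa), (b, pb)) if adv_a < adv_b else ((b, pb), (a, pa))
        roles[des] = "designated"
        roles[other] = "root" if best[other[0]][3] == other[1] else "blocked"
    return root, roles


if __name__ == "__main__":
    root, roles = run_stp(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} Fa0/{port}: {role}")
```

The run reproduces the slide: S1 is root with both ports designated, S2, S3 and S4 each get one root port, S3's second port is designated on the S3-S4 segment, and S4's other port is the single blocked port.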

Page 13: Part 2: Preventing Loops in the Network

STP Port Roles

The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge.

The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment.

The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port.

Page 14: Part 2: Preventing Loops in the Network

802.1d BPDU Timers

[Figure: port state sequence after a link comes up: Blocking (max age = 20 secs; moves to listening after the switch decides whether it is a root or designated port) -> Listening (forward delay = 15 secs) -> Learning (forward delay = 15 secs) -> Forwarding]

• Adjust spanning tree timers with care!

• Defaults are calculated based on a network diameter of 7 switches.

• Set the diameter on the root switch, and it will propagate new timers to the other switches via its BPDUs.

S1(config)#spanning-tree vlan 10 root primary diameter 4

Page 15: Part 2: Preventing Loops in the Network

802.1D Spanning Tree Protocol Topology Changes

[Figure: S1 (Root), S2 and S3, with S3's port Fa0/8; ports marked Des, Root and Blk. A TCN travels from S3 towards the root and each hop returns a BPDU ACK.]

• After a topology change, S3 sends a topology change notification (TCN) BPDU from its root port, and it is forwarded by subsequent switches, until the root switch is informed of the change.

• When the root bridge receives the TCN BPDU, it sends out a normal BPDU with the topology change flag set.

• This causes all switches to shorten their CAM table aging timers from the default to the forward delay interval.

Page 16: Part 2: Preventing Loops in the Network

802.1D Spanning Tree Protocol Portfast

• When a switch port configured with PortFast is configured as an access port, it transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.

[Figure: S1 (Root), S2 and S3 with ports marked Des, Root and Blk; PortFast is applied to S3's access port Fa0/8.]

S3(config)#int fa0/8
S3(config-if)#spanning-tree portfast

or

S3(config)#spanning-tree portfast default

Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc..to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

Portfast has been configured on FastEthernet0/8 but will only have effect when the interface is in non-trunking mode.

Page 17: Part 2: Preventing Loops in the Network

802.1D Spanning Tree Protocol BPDU Guard

[Figure: S1 (Root), S2 and S3 with ports marked Des, Root and Blk; BPDU Guard is applied to S3's PortFast port Fa0/8.]

S3(config)#int fa0/8
S3(config-if)#spanning-tree bpduguard enable

or

S3(config)#spanning-tree portfast bpduguard default

• In a valid configuration, PortFast-configured interfaces should not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device.

• The STP BPDU Guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the STP blocking state (the default behaviour).

Page 18: Part 2: Preventing Loops in the Network

Protecting Spanning Tree Protocol Root Guard

[Figure: S1 (Root), S2 and S3 with ports marked Des, Root and Blk. S4 is attached to S2 and S3 and sends a Superior BPDU into each; the receiving designated ports are marked Root Guard.]

S4(config-if)#spanning-tree guard root
S4#sh spanning-tree inconsistentports

• The Root Guard feature was developed as a means to control where candidate root bridges can be connected and found on a network.

• As long as superior BPDUs are received by S2 or S3, the receiving port will be kept in the root-inconsistent state. This prevents the port sending or receiving data, but the switch can listen to BPDUs.

Page 19: Part 2: Preventing Loops in the Network

Protecting Spanning Tree Protocol Loop Guard

[Figure: S1 (Root), S2 and S3 with ports marked Des, Root and Blk; S4 is attached below with designated (Des) ports facing it and one blocked (Blk) port.]

S4(config-if)#spanning-tree guard loop
S4(config)#spanning-tree loopguard default

• The Loop Guard feature keeps track of BPDU activity on non-designated (blocking) ports, and when BPDUs go missing, it moves the port into the loop-inconsistent state. The port is thus effectively blocking, preventing a loop from forming.

• Loop Guard can be configured globally, or on a specific port. Note that the corrective blocking action it performs is carried out on a per VLAN basis, not the entire port.
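A small triage script for the three protection features on the BPDU Guard, Root Guard and Loop Guard slides, as an added Python example that is not part of the original presentation: it picks the guard events out of switch syslog and flags ports that keep tripping. The log lines are constructed samples written in the style of IOS %SPANTREE messages, not captures from the switches on the slides.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the style of IOS %SPANTREE messages (not real captures).
SAMPLE_LOG = """\
Feb  7 10:01:12 S3 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/8 with BPDU Guard enabled. Disabling port.
Feb  7 10:01:12 S3 %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/8, putting Fa0/8 in err-disable state
Feb  7 10:03:40 S2 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/3 on VLAN0010.
Feb  7 10:04:05 S2 %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/3 on VLAN0010.
Feb  7 10:05:01 S2 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/3 on VLAN0010.
Feb  7 10:07:30 S4 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/2 on VLAN0010.
"""

# What each guard does to the port, as described on the slides.
STATE = {
    "BLOCK_BPDUGUARD": ("BPDU Guard", "port shut down (err-disabled)"),
    "ROOTGUARD_BLOCK": ("Root Guard", "root-inconsistent until superior BPDUs stop"),
    "LOOPGUARD_BLOCK": ("Loop Guard", "loop-inconsistent until BPDUs resume"),
}

GUARD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) %SPANTREE-2-"
    r"(?P<event>BLOCK_BPDUGUARD|ROOTGUARD_BLOCK|LOOPGUARD_BLOCK): .*?port "
    r"(?P<port>[A-Za-z]+[\d/]+)(?: on (?P<vlan>VLAN\d+))?"
)


def parse_guard_events(log_text):
    """Extract guard block events; unrelated lines (e.g. %PM-4-ERR_DISABLE) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = GUARD_RE.match(line)
        if m:
            guard, state = STATE[m["event"]]
            events.append({"ts": m["ts"], "host": m["host"], "port": m["port"],
                           "vlan": m["vlan"], "guard": guard, "state": state})
    return events


def repeat_offenders(events, threshold=2):
    """(host, port) pairs that tripped a guard at least `threshold` times. A Root Guard
    port that keeps blocking means something on that segment keeps advertising a
    superior BID and should be located and corrected."""
    counts = Counter((e["host"], e["port"]) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for e in parse_guard_events(SAMPLE_LOG):
        print(f"{e['ts']} {e['host']} {e['port']} {e['vlan'] or '-'}: {e['guard']} -> {e['state']}")
    print("repeat offenders:", repeat_offenders(parse_guard_events(SAMPLE_LOG)))
```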

Page 20: Part 2: Preventing Loops in the Network

Protecting Spanning Tree Protocol BPDU Filter

[Figure: S1 (Root), S2 and S3 with ports marked Des, Root and Blk; S4 is attached below and BPDU Filter is applied on the designated port facing it.]

S3(config-if)#spanning-tree bpdufilter enable | disable
S3(config)#spanning-tree portfast bpdufilter default

• To prevent a port from sending or receiving BPDUs, use the BPDUfilter command.

• This effectively de-activates STP, so there is a potential to create switching loops if care is not exercised!

• BPDU filtering can be enabled either globally, or on a per-port basis – the operation of BPDUfilter is different, depending on how it is activated.