Advanced Spanning Tree Protocol
We have looked at STP, but now it is time to dive a little deeper. Let's look at some basic definitions; these fall into two groups:
- the fasts – port, uplink and backbone
- the guards – root, bpdu and loop
PortFast allows an access port to go directly from blocking to forwarding, without going through the whole listening / learning phase. This brings host links up faster, but it should only be used on host (access) ports.
For switches that have the majority of ports configured as access ports, we can globally configure portfast as follows:
conf t
spanning-tree portfast default
and then go in and change each port that you do not need portfast on by issuing:
no spanning-tree portfast
Best practice, however, is to configure PortFast on a per port basis, or with the interface range command. The other thing to remember is that these ports do not send TCN BPDUs.
Both UplinkFast and BackboneFast get around the long delay inherent in the transition from blocking to forwarding. This is a bit like PortFast, but where PortFast disables STP on an access port and does not transmit TCN BPDUs, UplinkFast does. This enables a rapid transition from blocking to forwarding on redundant trunk ports.
The problem solved here is that with plain STP, if a primary link goes down it can take up to 50 seconds for a backup link to come up. That is too long in today's networks.
We can create what is termed an uplink group: a group of links used for inter-switch communication that need to come up fast if one of them goes down. Essentially, when one goes down, STP immediately brings up a backup link without going through the listening and learning phases.
- Best practice is to use this on the access layer only.
- Uplinkfast can only be enabled globally, on all VLANs.
- Uplinkfast cannot be enabled on a root switch.
So what happens if a root port goes down, a backup port comes up, and then the original root port comes back up again? STP will attempt to make the original root port the primary link again, but it waits a little while, as determined by the following:
(2 x fwd delay) + 5 seconds = 2 x 20 seconds + 5 = 45 seconds.
When UplinkFast is enabled on a switch, the switch priority is set to 49152 to ensure that the switch does not become the root switch. This is well above the default of 32768.
The STP port cost is also increased by 3000, making it unlikely that downstream switches will use this link as a root link.
The command to enable this is the global command spanning-tree uplinkfast.
So how does Uplinkfast work?
From Cisco: The UplinkFast feature is designed to run in a switched environment when the switch has at least one alternate/backup root port (port in blocking state), that is why Cisco recommends that UplinkFast be enabled only for switches with blocked ports, typically at the access-layer.
I read this to mean that UplinkFast will not be enabled on a root switch, as it has no blocked ports.
BackboneFast is a Cisco proprietary mechanism for recovering from an indirect link failure. So what on earth is an indirect link failure?
An indirect link failure is one that occurs on another switch, but affects the switch in question.
An indirect link failure is detected when an inferior BPDU is received by the switch. In essence, the switch receives two BPDUs from different switches, both claiming to be root; one might even be itself. The switch decides which has the better priority and forwards that BPDU to the other ‘root’ switch.
So how does all of this work? The protocol at work here is RLQ, or Root Link Query. The RLQ is transmitted by the port that would normally receive BPDUs.
The command to turn on BackboneFast is spanning-tree backbonefast, and show spanning-tree backbonefast will give its status.
We are unlikely to come across backbonefast in the CCNP but we should be aware of it, as it can still be found in production networks; remember though, that it is Cisco proprietary so it will only be found on Cisco devices.
Root guard is configured at the port level, and prevents downstream switches from becoming the primary or secondary root switch. In essence, we use this to prevent edge switches from becoming the root, in the event of some sort of root failure.
When a superior BPDU is received on this port, the switch drops the BPDU and puts the port into the root-inconsistent state.
It will stay in root-inconsistent until it stops receiving superior BPDUs, then it transitions via the normal STP listen and learn process to forwarding packets again.
The command is per interface, spanning-tree guard root, and should be placed on all ports where there are downstream (edge) switches.
BPDU guard disables a port by putting it into the error-disabled state when portfast is enabled (i.e. it is an access port) and it starts to receive BPDUs (in other words, another switch or network device is connected to it rather than a host).
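To make the superior / inferior BPDU idea concrete, here is an added Python model (not code from the post) of how a switch ranks two BPDUs and what a root-guard port does with a superior one. The root's MAC reuses the address from the post's show output; the other MACs and the names Bpdu, rank, is_superior, root_guard_port_state and uplinkfast_adjust are constructed for this example.

```python
# Added example: BPDU ranking and the root-guard decision, modelled in Python.
# All MACs except the root's are constructed sample values.
from dataclasses import dataclass

def mac_to_int(mac: str) -> int:
    """Cisco dotted form (0021.1ce8.a5c0) or colon form -> int for comparison."""
    return int(mac.replace(".", "").replace(":", ""), 16)

@dataclass(frozen=True)
class Bpdu:
    root_priority: int       # bare bridge priority; with extended system-id the
    root_mac: str            # VLAN number is added (hence 32769 in the post)
    root_path_cost: int
    sender_priority: int
    sender_mac: str
    sender_port_id: tuple = (128, 1)   # (port priority, port number) = 128.1

    def rank(self) -> tuple:
        """STP comparison order: root BID, root path cost, sender BID, port ID."""
        return ((self.root_priority, mac_to_int(self.root_mac)),
                self.root_path_cost,
                (self.sender_priority, mac_to_int(self.sender_mac)),
                self.sender_port_id)

def is_superior(candidate: Bpdu, current: Bpdu) -> bool:
    """True if 'candidate' would win over 'current' (lower wins at every step)."""
    return candidate.rank() < current.rank()

def root_guard_port_state(root_guard: bool, best_known: Bpdu, received: Bpdu) -> str:
    """State of a designated port after a BPDU arrives from the downstream switch.
    Root guard drops a superior BPDU and parks the port in root-inconsistent
    instead of letting the downstream switch take over as root."""
    if is_superior(received, best_known):
        return "root-inconsistent" if root_guard else "accept-new-root"
    return "forwarding"

def uplinkfast_adjust(port_cost: int) -> tuple:
    """UplinkFast makes the switch unattractive as root or transit path:
    bridge priority 49152 and every port cost + 3000 (values from the post)."""
    return 49152, port_cost + 3000
```

With the root at the default priority, an UplinkFast access switch (priority 49152, cost 19 + 3000) can never send a superior BPDU, while a downstream switch claiming priority 4096 would, and root guard is what stops that claim from reconverging the tree.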
This prevents switching loops by preventing topology changes caused by BPDUs coming from a device that should not be connected.
The per interface command is spanning-tree bpduguard enable (or disable), and the global version of the command is spanning-tree portfast bpduguard default. This is used on access ports and access switches, where the portfast command is used, to prevent rogue switches changing the switch topology.
For instance, on my own home LAN switch, I have:
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/4
 spanning-tree portfast
 spanning-tree bpduguard enable
It is also possible to filter BPDUs. You might do this if you do not want your ports to go into error-disable.
The operation of BPDU filter is different depending on whether the config is global or per port.
- In global configuration, enabling BPDU filtering enables it on all ports running portfast; portfast will stop running on a port if that port receives a BPDU.
- In per port config, portfast continues to run and the port drops (does not respond to) any BPDUs received.
Loop guard guards against switching loops. Say what? Isn't that what spanning tree, and all that stuff I wrote above, does? Well yes, but:
Ports in blocking mode block data traffic, but are still able to receive BPDUs.
If, in a mesh of switches, one link becomes unidirectional, a loop can occur. How does this happen? If a switch stops receiving BPDUs, it might (after the max age time, default 20 seconds) start to look at other BPDUs and decide to change its topology, or even become the root.
If this happens, it can disrupt switch operation. Loop guard prevents this by putting the unidirectional port into the loop-inconsistent state. It will stay in this state until the link becomes bidirectional again, when it will come out of loop-inconsistent state automatically.
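As an added example (not the post's own code), a small Python audit that reads a saved running-config and flags PortFast ports with no BPDU guard, honouring the global spanning-tree portfast bpduguard default and any per-port enable/disable override, plus any port where a per-port bpdufilter means BPDUs are dropped silently instead of err-disabling the port. The config text is constructed, and parse_config and audit are names chosen here.

```python
import re
# Constructed sample (not the post's own config): like the post's home switch,
# but Fa0/2 has no bpduguard and Fa0/3 has a per-port bpdufilter.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
interface FastEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 spanning-tree portfast
!
interface FastEthernet0/3
 spanning-tree portfast
 spanning-tree bpdufilter enable
"""

def parse_config(config: str):
    """Split an IOS config into (set of global lines, {interface: [lines]})."""
    global_lines, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):            # '!' ends an interface stanza
            current = None
        elif (m := re.match(r"interface (\S+)$", line)):
            current = m.group(1)
            interfaces[current] = []
        elif current:
            interfaces[current].append(line)
        else:
            global_lines.add(line)
    return global_lines, interfaces

def audit(config: str):
    """Return (interface, issue) findings; an empty list means clean."""
    global_lines, interfaces = parse_config(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        portfast = "spanning-tree portfast" in lines
        # a per-port 'enable'/'disable' overrides the global portfast default
        guarded = ("spanning-tree bpduguard enable" in lines
                   or (portfast and guard_default
                       and "spanning-tree bpduguard disable" not in lines))
        if portfast and not guarded:
            findings.append((name, "portfast without bpduguard"))
        if "spanning-tree bpdufilter enable" in lines:
            findings.append((name, "per-port bpdufilter: BPDUs dropped, never err-disables"))
    return findings
```

Run audit() over the output of show running-config saved to a file; on the constructed sample it reports Fa0/2 and Fa0/3, and prepending the global bpduguard default line clears the Fa0/2 finding.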
By default, LoopGuard is disabled but it can be enabled on a port by port, or global basis:
- Per port : spanning-tree guard loop
- Global : spanning-tree loopguard default
Loop guard operates on a per VLAN basis only, which makes sense when you think about it, because spanning tree works on a per VLAN basis.
BPDU Skew Detection.
Sometimes when BPDUs are sent out from the root in a large switched network, we might lose or delay a BPDU packet. If that delay is over 2 seconds, the downstream switches might (under some circumstances) start to transition to a new topology. We don't want this to happen.
When the switch detects this situation, it sends a syslog message, every 60 seconds, until the situation has cleared. This might be caused by heavy CPU usage or a similar transient situation, or it might be something more permanent like a broadcast storm.
In the case of the skew reaching max age time / 2 (i.e. 10 seconds), the switch starts transmitting syslog error messages immediately, as this is a critical situation.
UDLD (Uni Directional Link Detection)
This is primarily intended for fiber optic communication and troubleshooting. One of the issues with fiber connections is that a fiber connection consists of a pair of fibers, one for each direction. In essence, fiber connections are unidirectional. If one fiber goes down, we might still have either receive or transmit capability, but not both.
To detect the status of the fiber link, UDLD transmits a frame, and:
- if it receives a frame in return, the link is good
- If no frame is returned, the link is considered unidirectional
UDLD operates in two modes: normal and aggressive. UDLD sends 8 packets (a sort of L2 ping) and if they are not received, it does the following:
- Normal – generates a syslog error message only
- Aggressive – puts the port into error disable after 8 UDLD messages.
UDLD sends one packet per second.
UDLD can be enabled on a per port basis or globally, but however it is enabled, it only runs on fiber optic ports. The global command is udld enable, in global config mode.
It is important to note that UDLD must be running on both ends of the link in order for the UDLD link status to work.
To check the status of the above configurations, we can use show spanning-tree summary totals. This gives us the spanning tree mode and the state of each feature, thus:
s2940#sh spanning-tree summary totals
Switch is in pvst mode
Root bridge for: VLAN0001
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
… or you can drill down on a per port basis by issuing the show spanning-tree interface detail command.
s2940#sho spanning-tree int fa0/1 det
Port 1 (FastEthernet0/1) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 0021.1ce8.a5c0
   Designated bridge has priority 32769, address 0021.1ce8.a5c0
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   Bpdu guard is enabled
   BPDU: sent 1378620, received 0