Spanning Tree Protocol (STP) An Introduction Rick Graziani Cabrillo College graziani@cabrillo.edu
Spanning Tree Protocol (STP)
Standard: IEEE 802.1D
A loop-prevention protocol. It allows Layer 2 devices to communicate with each other to discover physical loops in the network.
The STP algorithm creates a loop-free logical topology: a tree structure of loop-free leaves and branches that spans the entire Layer 2 network.
Term "bridge": same as "switch". Legacy terms: transparent and translation bridges.
[Figure: three switches connected in a loop, each with a MAC Address Table (Port, MAC Address); one redundant link is blocked.]
The purpose of STP is to avoid and eliminate loops in the network by negotiating a loop-free path through a root bridge. STP determines where the loops are and blocks links that are redundant. This ensures that there will be only one active path to every destination.
STP executes an algorithm called the Spanning Tree Algorithm (STA). STA chooses a reference point, called a root bridge, and then determines the available paths to that reference point. If more than two paths exist, STA picks the best path and blocks the rest.
Spanning Tree Protocol (STP) “STP often accounts for more than 50% of the configuration, troubleshooting, and maintenance headaches in real-world campus networks (especially if they are poorly designed). A complex protocol that is generally poorly understood.” Radia Perlman – Developer of STP
https://thenetworkcollective.com/2017/10/history-of-networking-radia-perlman-spanning-tree/
Redundancy at Layers 1, 2 and 3 Overview of Benefits and Issues Rick Graziani Cabrillo College graziani@cabrillo.edu
Redundancy: Layer 1, 2, and 3
Redundancy is important for failover.
Layer 3: routers always forward unicasts out a single port. There is a single path unless there is a routing loop (misconfiguration or convergence issues).
Layer 2: switches always forward unknown unicasts out all ports. They are susceptible to continuous loops, duplicate frames, and MAC address table instability.
Ethernet without STP makes the LAN inoperable in seconds: unknown unicasts and broadcasts.
Layer 2 Ethernet Frames: No TTL/Hop Limit IP has a mechanism to prevent loops. Unlike IP, Ethernet frames have no TTL field
STP Disabled Duplicate Frames and MAC Address Table Instability Rick Graziani Cabrillo College graziani@cabrillo.edu
Unknown Unicast (STP disabled)
[Figure: switches Moe and Larry connected by two parallel links (ports 1 and A on each); Host Kahn on Moe port 4, Host Baran on Larry. The switches and hosts are named after networking pioneers: Bob Kahn – TCP with Vint Cerf; Paul Baran – packet switching; Donald Davies.]
1. Host Kahn sends a frame. Switch Moe learns Kahn's MAC address. Moe MAC Address Table: Port 4: 00-90-27-76-96-93
2. The destination MAC is an unknown unicast, so Moe floods it out all ports.
3. Switch Larry receives the frame on both links and records the source MAC of the frame twice. Larry MAC Address Table: Port 1: 00-90-27-76-96-93, then Port A: 00-90-27-76-96-93
4. Larry floods the unknown unicast out all ports, except the incoming port. Moe MAC Address Table: Port 4: 00-90-27-76-96-93. Larry MAC Address Table: Port A: 00-90-27-76-96-93
5. Moe receives the frame, changes its MAC address table with the newer information (the entry for 00-90-27-76-96-93 moves from Port 4 to Port 1) and floods the unknown unicast out all ports. Larry MAC Address Table: Port A: 00-90-27-76-96-93
6. And the cycle continues!
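The Moe/Larry slides above, as an added example that is not part of the original deck: a toy model of two switches joined by two parallel links with no STP. The switch names and port labels are the slides'; the frame and MAC-table mechanics are a simplified model, and Baran's MAC address is constructed. The `blocked` parameter stands in for STP putting one port into the blocking state, so the same model also shows why the loop stops once a single redundant port is blocked.

```python
# Added example (not from the original slides): unknown-unicast flooding
# between two switches that are wired together twice, with no STP.

# Constructed topology: (switch, port) -> what is on the far end.
# Host ports deliver the frame; link ports hand it to the other switch.
TOPOLOGY = {
    ("Moe", "4"): ("host", "Kahn"),
    ("Moe", "1"): ("Larry", "1"),
    ("Moe", "A"): ("Larry", "A"),
    ("Larry", "4"): ("host", "Baran"),
    ("Larry", "1"): ("Moe", "1"),
    ("Larry", "A"): ("Moe", "A"),
}
PORTS = {"Moe": ["4", "1", "A"], "Larry": ["4", "1", "A"]}

KAHN_MAC = "00-90-27-76-96-93"   # Kahn's MAC address from the slides
BARAN_MAC = "00-90-27-aa-bb-cc"  # constructed; Baran has not sent anything yet


def simulate(rounds, blocked=frozenset()):
    """Flood one unknown unicast from Kahn to Baran for `rounds` rounds.

    `blocked` holds (switch, port) pairs that STP has put into the blocking
    state: frames are neither accepted on nor flooded out of those ports.
    Returns the MAC tables, the number of frames still circulating, and
    how many copies each host has received.
    """
    tables = {"Moe": {}, "Larry": {}}
    delivered = {"Kahn": 0, "Baran": 0}
    # A frame in flight: (switch it is entering, ingress port, src, dst)
    in_flight = [("Moe", "4", KAHN_MAC, BARAN_MAC)]
    for _ in range(rounds):
        next_round = []
        for switch, in_port, src, dst in in_flight:
            if (switch, in_port) in blocked:
                continue                       # blocking port: frame dropped
            # Learning: the source MAC is (re)associated with the ingress
            # port, overwriting whatever the table said before. This is
            # the "MAC address table instability" of the slides.
            tables[switch][src] = in_port
            # Forwarding: a known destination goes out one port; an unknown
            # unicast is flooded out every other non-blocked port.
            if dst in tables[switch]:
                out_ports = [tables[switch][dst]]
            else:
                out_ports = [p for p in PORTS[switch]
                             if p != in_port and (switch, p) not in blocked]
            for port in out_ports:
                kind, far_end = TOPOLOGY[(switch, port)]
                if kind == "host":
                    delivered[far_end] += 1
                else:
                    next_round.append((kind, far_end, src, dst))
        in_flight = next_round
    return {"tables": tables, "in_flight": len(in_flight), "delivered": delivered}


if __name__ == "__main__":
    print("no STP:", simulate(7))
    print("Larry port A blocked:", simulate(7, blocked={("Larry", "A")}))
```

With no port blocked, the two copies of the frame circulate forever, each host receives a new duplicate every other round, and Moe's entry for Kahn's MAC keeps flipping between the link ports. Blocking one port on one end of one redundant link is enough to make the loop die out after a single delivery.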
STP Disabled: Broadcast Frames Rick Graziani Cabrillo College graziani@cabrillo.edu
Broadcasts (ARP Request)
STP – Introducing the Bridge ID and Path Cost Rick Graziani Cabrillo College graziani@cabrillo.edu
STP Prevents Loops
The purpose of STP is to avoid and eliminate loops in the network by negotiating a loop-free path through a root bridge. STP determines where the loops are and blocks links that are redundant. This ensures that there will be only one active path to every destination.
Spanning Tree Algorithm
STP executes an algorithm called the Spanning Tree Algorithm (STA). STA chooses a reference point, called a root bridge, and then determines the available paths to that reference point. If more than two paths exist, STA picks the best path and blocks the rest.
Two Key STP Concepts
STP calculations make extensive use of two key concepts in creating a loop-free topology: Bridge ID and Path Cost.

Link Speed   Cost (Revised IEEE Spec)   Cost (Previous IEEE Spec)
10 Gbps      2                          1
1 Gbps       4                          1
100 Mbps     19                         10
10 Mbps      100                        100

Bridge ID (BID)
The Bridge ID (BID) is used to identify each bridge/switch. The BID is used in determining the center of the network, with respect to STP, known as the root bridge.
[Figure: Bridge ID without the Extended System ID; Bridge ID with the Extended System ID.]
Bridge ID (BID) consists of two components:
A 2-byte Bridge Priority: Cisco switches default to 32,768 or 0x8000. Usually expressed in decimal format.
A 6-byte MAC address. Usually expressed in hexadecimal format.
Each switch has a unique BID. In the original 802.1D standard, the BID = Priority field + MAC address of the switch. All VLANs were represented by a CST, one spanning tree for all VLANs (more later). PVST requires that a separate instance of spanning tree run for each VLAN, so the BID field is required to carry the VLAN ID (VID): the Extended System ID carries the VID.
What is the BID of this switch?
Core# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.964E.7EBB
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.C945.A573
             Aging Time  20
Bridge ID (BID) Used to elect a root bridge (coming) Lowest Bridge ID is the root. If all devices have the same priority, the bridge with the lowest MAC address becomes the root bridge. (Yikes) Note: For simplicity, in our topologies we will use Bridge Priorities without the Extended System ID. (Same process, just done per VLAN.)
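The `show spanning-tree` output above, decoded in code as an added example (not from the original slides): the 16-bit priority field is split into the 4-bit configurable priority and the 12-bit extended system ID (32769 = 32768 + VLAN 1), and the two Bridge IDs are turned into comparable integers so the root election can be checked directly. The sample output is the slide's, re-wrapped onto lines the way IOS prints it; the field names in the returned dictionary are this example's own.

```python
import re

# Added example (not from the original slides): decode the Bridge ID fields
# printed by `show spanning-tree` and check the root comparison in code.
# The sample output below is the slide's, re-wrapped as IOS prints it.

SHOW_SPANNING_TREE = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.964E.7EBB
             Cost        4
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.C945.A573
             Aging Time  20
"""


def split_priority(priority_field):
    """Split the 16-bit priority field into the configurable priority
    (upper 4 bits, always a multiple of 4096) and the 12-bit extended
    system ID (the VLAN ID under PVST+). 32769 -> (32768, 1)."""
    return priority_field & 0xF000, priority_field & 0x0FFF


def bid_key(priority_field, dotted_mac):
    """The 8-byte Bridge ID as one integer (2-byte priority, 6-byte MAC).
    The lowest key wins the root election, which is exactly how STP
    compares BIDs: priority first, MAC address as the tie breaker."""
    return (priority_field << 48) | int(dotted_mac.replace(".", ""), 16)


def parse_show_spanning_tree(text):
    """Return {vlan_number: fields} for each VLAN block in the output."""
    result, current, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"VLAN(\d+)", line.strip())
        if m:
            current, section = result.setdefault(int(m.group(1)), {}), None
            continue
        if current is None:
            continue
        if "Root ID" in line:
            section = "root"
        elif "Bridge ID" in line:
            section = "bridge"
        if section is None:
            continue
        m = re.search(r"Priority\s+(\d+)", line)
        if m:
            current[section + "_priority"] = int(m.group(1))
        m = re.search(r"Address\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})", line)
        if m:
            current[section + "_mac"] = m.group(1)
        m = re.search(r"Cost\s+(\d+)", line)
        if m and section == "root":
            current["root_cost"] = int(m.group(1))
        m = re.search(r"Port\s+\d+\s*\(([^)]+)\)", line)
        if m and section == "root":
            current["root_port"] = m.group(1)
    for info in result.values():
        info["bridge_base_priority"], info["sys_id_ext"] = split_priority(info["bridge_priority"])
        info["root_key"] = bid_key(info["root_priority"], info["root_mac"])
        info["bridge_key"] = bid_key(info["bridge_priority"], info["bridge_mac"])
        # This switch is the root only if the two IDs are identical.
        info["is_root"] = info["root_key"] == info["bridge_key"]
    return result


if __name__ == "__main__":
    print(parse_show_spanning_tree(SHOW_SPANNING_TREE)[1])
```

For the slide's output the parser reports that both switches have the same priority field (32769), so the root was decided purely by the MAC address: 0001.964E.7EBB is numerically lower than 0001.C945.A573, which is the "Yikes" case from the next slide.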
Path Cost – Original Spec (Linear)
Bridges use the concept of cost to evaluate how close they are to other bridges. Cost is used to create the loop-free topology.
Originally, 802.1D defined cost as 1 billion / bandwidth of the link in Mbps:
Cost of 10 Mbps link = 100
Cost of 100 Mbps link = 10
Cost of 1 Gbps link = 1
This runs out of room for faster switches, including 10 Gbps Ethernet.
Path Cost – Revised Spec (Non-Linear)
IEEE modified the cost to use a non-linear scale with the new values:
4 Mbps: 250
10 Mbps: 100
16 Mbps: 62
45 Mbps: 39
100 Mbps: 19
155 Mbps: 14
622 Mbps: 6
1 Gbps: 4
10 Gbps: 2
You can change the path cost by modifying the cost of a port. Exercise caution when you do this!
BID and Path Cost are used to develop a loop-free topology. Coming very soon!
STP – Introducing the STP Process (Algorithm) Rick Graziani Cabrillo College graziani@cabrillo.edu
STP Convergence and Decision Sequences
STP Convergence:
Step 1: Elect one Root Bridge
Step 2: Elect Root Ports
Step 3: Elect Designated Ports
When creating a loop-free topology, STP always uses the same five-step decision sequence:
Step 1: Lowest root bridge ID - determines the root bridge
Step 2: Lowest cost to the root bridge - favors the upstream switch with the least cost to root
Step 3: Lowest sender bridge ID - serves as a tie breaker if multiple upstream switches have equal cost to root
Step 4: Lowest port priority - serves as a tie breaker if a switch has multiple (non-EtherChannel) links to a single upstream switch (configurable)
Step 5: Lowest sender port ID (port priority then port ID) - serves as a tie breaker if a switch has multiple (non-EtherChannel) links to a single upstream switch with the same priority
Key BPDU Concepts
Bridges send STP BPDUs (Bridge Protocol Data Units) on all ports every 2 seconds. A BPDU describes the sender's best path to the Root Bridge.
Bridges save a copy of only the best BPDU seen on every port. When making this evaluation, a bridge considers all of the BPDUs received on the port, as well as the BPDU that would be sent on that port.
As every BPDU arrives, it is checked against the five-step sequence to see if it is more attractive (lower in value) than the existing BPDU saved for that port. Only the lowest-value BPDU is saved.
Bridges send configuration BPDUs until a more attractive BPDU is received.
Okay, let's see how this is used...
Steps to STP Convergence
STP Convergence: Step 1 Elect one Root Bridge; Step 2 Elect Root Ports; Step 3 Elect Designated Ports
Five-Step Decision Sequence: Step 1 - Lowest Root BID; Step 2 - Lowest Path Cost to Root Bridge; Step 3 - Lowest Sender BID; Step 4 - Lowest Port Priority; Step 5 - Lowest Sender Port ID
The Root Port is the port closest to the Root Bridge. The Designated Port is the port with the "best" path to the root (smallest BPDU) on the link. All other ports are Blocked (Undesignated Ports).
Root Bridge Lowest Bridge ID is the root.
Root Ports: Best path to Root Bridge
Designated Ports – Root Bridge
Designated Ports: Which switch has best path?
The Root Port is the port closest to the Root Bridge. The Designated Port is the port with the "best" path to the root (smallest BPDU) on the link. All other ports are Blocked (Undesignated Ports).
Another Example
[Figure: two switches, BID: 24577.5555.5555.5555 and BID: 24577.1111.1111.1111.]
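The three convergence steps and the five-step decision sequence, carried out in code as an added example that is not part of the original slides. The topology, link costs (taken from the revised cost table) and port numbers are constructed; the two 24577.* BIDs are borrowed from the "Another Example" slide and a third switch with a default-priority BID is added. Ports are labelled RP (root port), DP (designated port) and BLK (blocked, i.e. undesignated). Two parallel links between S2 and S3 are included so that the step-5 tie breaker (lowest sender port ID) actually has to decide something.

```python
# Added example (not from the original slides): the Spanning Tree
# Algorithm's root bridge / root port / designated port election using
# the five-step decision sequence. All topology data is constructed.

INF = float("inf")


def parse_bid(text):
    """'24577.1111.1111.1111' -> (priority, mac as int); lower tuple wins."""
    priority, mac = text.split(".", 1)
    return int(priority), int(mac.replace(".", ""), 16)


# Constructed topology. Each link: ((switch, port), (switch, port), cost).
# Every port keeps the default port priority of 128.
SWITCHES = {
    "S1": "24577.1111.1111.1111",
    "S2": "24577.5555.5555.5555",
    "S3": "32769.3333.3333.3333",
}
LINKS = {
    "L12":  (("S1", 1), ("S2", 1), 4),    # 1 Gbps, revised cost 4
    "L13":  (("S1", 2), ("S3", 1), 19),   # 100 Mbps, revised cost 19
    "L23a": (("S2", 3), ("S3", 2), 4),    # two parallel 1 Gbps links
    "L23b": (("S2", 4), ("S3", 3), 4),    # between S2 and S3
}
PORT_PRIORITY = 128


def run_sta(switches=SWITCHES, links=LINKS):
    """Return (root bridge, root path cost per switch, role per port)."""
    bids = {name: parse_bid(bid) for name, bid in switches.items()}
    # Step 1 of convergence / step 1 of the sequence: lowest BID is root.
    root = min(bids, key=bids.get)
    # Root path cost for every switch (Bellman-Ford relaxation over links).
    cost = {name: INF for name in switches}
    cost[root] = 0
    for _ in range(len(switches)):
        for (a, _pa), (b, _pb), c in links.values():
            cost[a] = min(cost[a], cost[b] + c)
            cost[b] = min(cost[b], cost[a] + c)

    def bpdu(switch, port):
        """The BPDU a switch sends out of a port, ordered by steps 1-5:
        (root BID, cost to root, sender BID, sender port priority, port)."""
        return (bids[root], cost[switch], bids[switch], PORT_PRIORITY, port)

    roles = {}
    # Step 2: each non-root switch picks the port receiving the best BPDU
    # (lowest cost via that link, then the sender-side tie breakers).
    for switch in switches:
        if switch == root:
            continue
        best = None
        for (a, pa), (b, pb), c in links.values():
            if switch not in (a, b):
                continue
            me, neighbour = ((a, pa), (b, pb)) if a == switch else ((b, pb), (a, pa))
            received = bpdu(*neighbour)
            candidate = (received[1] + c, received[2], received[3], received[4])
            if best is None or candidate < best[0]:
                best = (candidate, me)
        roles[best[1]] = "RP"
    # Step 3: on every link the end sending the smallest BPDU is designated;
    # the other end is the root port already chosen, or else it is blocked.
    for (a, pa), (b, pb), _c in links.values():
        winner, loser = ((a, pa), (b, pb)) if bpdu(a, pa) < bpdu(b, pb) else ((b, pb), (a, pa))
        roles[winner] = "DP"
        roles.setdefault(loser, "BLK")
    return root, cost, roles


if __name__ == "__main__":
    root, cost, roles = run_sta()
    print("root:", root, "costs:", cost)
    for port, role in sorted(roles.items()):
        print(port, role)
```

S1 wins the root election on the MAC tie breaker (both 24577.* switches share the priority). S3 reaches the root more cheaply through S2 (4 + 4 = 8) than over its direct 100 Mbps link (19), so the direct link is blocked, and of the two equal-cost parallel links to S2 it keeps the one facing S2's lower-numbered port.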
STP Bridge Protocol Data Unit (BPDU) and Propagating BPDUs Rick Graziani Cabrillo College graziani@cabrillo.edu
There are three kinds of BPDUs:
Configuration BPDU: Provides information to all switches.
TCN (Topology Change Notification): Announces changes in the topology.
TCA (Topology Change Acknowledgment): Confirms reception of the TCN.
By default the BPDUs are sent every 2 seconds.
It's all done with BPDUs!
Just a brief additional comment: neither IEEE STP nor Cisco PVST+/RPVST+ are encapsulated into Ethernet_II frames, that is why there is no information about the assigned EtherType. An Ethernet frame carrying these protocols carries the length of the frame in the respective field, and the actual payload type is determined by additional headers. IEEE STP/RSTP/MSTP uses LLC encapsulation with DSAP=SSAP=0x42. Cisco's PVST+ uses SNAP encapsulation where, because of SNAP, DSAP=SSAP=0xAA and the Protocol=0x010B. Best regards, Peter Paluch
Danger of Disabling STP Rick Graziani Cabrillo College graziani@cabrillo.edu
Spanning Tree – Only for Loops
[Figure: two users interconnecting the switches in their cubicles.]
Loops may occur in your network as part of a design strategy for redundancy. STP is not needed if there are no loops in your network. However, DO NOT disable STP! Loops can occur accidentally, caused by network staff or even users. We will see how to protect the network from users adding switches, which is NOT GOOD!
STP Enhancements Varieties - Overview Rick Graziani Cabrillo College graziani@cabrillo.edu
Distribution1 is the Root for all VLANs Root VLANs 1,10, 20
Distribution1 is the Root for VLAN1 and 10 Root VLANs 1,10
Distribution2 is the Root for VLAN 20 Root VLAN 20
PVST+ (Per VLAN Spanning Tree) - Load Balancing with 2 Root Switches Root VLANs 1,10 Root VLAN 20 Notice that more links are being used!
IEEE 802.1D Faster convergence Cisco’s RSTP is Rapid PVST+
Layer 2 vs Layer 3 Redundancy Rick Graziani Cabrillo College graziani@cabrillo.edu
Layer 2 Redundancy: same IP network.
[Figure: two switches with redundant links, one link blocked (X); MAC Address Table (Port, MAC Address).]
Layer 3 Redundancy: different IP networks.
[Figure: routers S1, S2 and S3 with hosts A, B and C, interconnected on Fa0/1, Fa0/2 and Fa0/3; each router holds an IP Routing Table (Prefix/Length, Next Hop/Egress Interface).]
STP: Sender Port ID Rick Graziani Cabrillo College graziani@cabrillo.edu
Correct – Sender Port ID
[Figure: Root bridge; switch A with designated ports 1 and 2; switch B connected to A by two parallel links (cost 5 each), one of B's ports blocked.]
B has to decide which port is designated (forwarding) and which port is non-designated (blocking). It uses A's Port ID as the tie breaker.
STP Port States Rick Graziani Cabrillo College graziani@cabrillo.edu
STP Port States
[Figure: Disabled, Blocking, Listening, Learning, Forwarding; BPDUs update the active topology, data frames update the MAC Address Table.]
Disabled: BPDUs: none sent/received. MAC address table: no update. Duration: until no shutdown. Administratively shut down; not an STP port state.
Blocking: BPDUs: receive only. Duration: continuous if loop detected. Port initializes; receives BPDUs only.
Listening: BPDUs: receive and send. Duration: forward delay, 15 sec. Building active topology. Thinks the port can be selected as a root or designated port. Returns to blocking (NDP) if it cannot become a root or designated port.
Learning: MAC address table: updating. Data frames: none sent. Building bridging table. The switch can now learn source MAC addresses but is not formally receiving frames in order to forward them.
Forwarding: Data frames: sent and received. Duration: continuous if up and no loop detected. Sending/receiving data, no loops detected. Port is either a root or designated port.
RSTP: An Introduction Rick Graziani Cabrillo College graziani@cabrillo.edu
Rapid Spanning Tree Protocol
The immediate hindrance of STP is convergence. Depending on the type of failure, it takes anywhere from 30 to 50 seconds to converge the network. RSTP helps with the convergence issues that plague legacy STP.
RSTP can be applied on Cisco switches as:
A single instance per VLAN: Rapid PVST+ (RPVST+)
Multiple instances: IEEE 802.1s Multiple Spanning Tree (MST)
RSTP Port States
RSTP defines port states based on what it does with incoming data frames.
STP Port State (operational) → RSTP Port State:
Disabled (disabled) → Discarding
Blocking (enabled) → Discarding
Listening (enabled) → Discarding
Learning (enabled) → Learning
Forwarding (enabled) → Forwarding
Discarding: Incoming frames are dropped; no MAC addresses are learned. A combination of 802.1D Disabled, Blocking and Listening. This state is seen in both a stable active topology and during topology synchronization and changes. The discarding state prevents the forwarding of data frames, thus "breaking" the continuity of a Layer 2 loop.
Learning: MAC addresses are learned. This state is seen in both a stable active topology and during topology synchronization and changes. The learning state accepts data frames to populate the MAC table in an effort to limit flooding of unknown unicast frames.
Forwarding: Incoming frames are forwarded. This state is seen only in stable active topologies. The forwarding switch ports determine the topology. Following a topology change, or during synchronization, the forwarding of data frames occurs only after a proposal and agreement process.
RSTP Root Bridge: Same election process as 802.1D (lowest BID).
RSTP Port Roles:
Root Port (802.1D Root Port): The one switch port on each switch that has the best root path cost to the root.
Designated Port (802.1D Designated Port): The switch port on a network segment that has the best root path cost to the root.
Alternate Port (802.1D Blocking Port): A port with an alternate path to the root. An alternate port receives more useful BPDUs from another switch and is a blocked port. Similar to how Cisco UplinkFast works.
Backup Port (802.1D Blocking Port): A port that provides a redundant (but less desirable) connection to a segment where another switch port already connects. (Not common – hubs.) A backup port receives more useful BPDUs from the same switch it is on and is a blocked port.
You will probably not see a backup port role in practice. It is used only when switches are connected to a shared segment. To build shared segments you need hubs, and these are obsolete.
RSTP Convergence
STP requires the expiration of several timers before switch ports can be moved to the Forwarding state. RSTP takes a different approach: when a switch joins the topology (powers up) or detects a failure in the existing topology, it determines its forwarding decisions based on the type of port and the link type.
Edge Port
An RSTP edge port is a switch port that is never intended to be connected to another switch device, so it cannot form bridging loops. It immediately transitions to the forwarding state when enabled, skipping the time-consuming listening and learning stages. The edge port corresponds to the PortFast feature; for familiarity the command is the same: spanning-tree portfast. An edge port never generates topology change notifications (TCNs) when it transitions to a disabled or enabled status. Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning-tree port.
PortFast: If a switch is connected to the interface when PortFast is enabled, temporary bridging loops can occur. When the BPDU Guard feature is enabled on the switch, STP shuts down PortFast-enabled interfaces that receive BPDUs instead of putting them into a blocking state. Cisco's RSTP implementation maintains the PortFast keyword for edge port configuration, thus making an overall network transition to RSTP more seamless.
Root Port: The one switch port on each switch that has the best root path cost to the root.
Point-to-Point Port (Link Type): Port operating in full-duplex mode. Connects to another switch and becomes a Designated Port. Uses a quick handshake with the neighboring switch rather than timers to decide the port state.
Shared Medium Port (Link Type): Port operating in half-duplex mode. It is assumed that the port is connected to shared media where multiple switches might exist.
STP: Configuring Bridge ID Rick Graziani Cabrillo College graziani@cabrillo.edu
Configuring the Root Bridge
Switch(config)# spanning-tree vlan 1 root primary
or
Switch(config)# spanning-tree vlan 1 priority 24576
This command forces this switch to be the root. The spanning-tree root primary command alters this switch's bridge priority to 24,576 (+ VLAN ID). If the current root already has a bridge priority better than 24,576, this switch's priority is instead set to 4,096 less than that of the current root bridge.
Configuring the Root Bridge Switch(config)# spanning-tree vlan 1 root secondary This command configures this switch to be the secondary root in case the root bridge fails. The spanning-tree root secondary command alters this switch's bridge priority to 28,672. If the root switch should fail, this switch becomes the next root switch.
STP: Port Fast Rick Graziani Cabrillo College graziani@cabrillo.edu
PortFast
[Figure: port state timeline Blocking State → Listening State → Learning State → Forwarding State after a host is powered on; "I'm adding any addresses on this port to my MAC Address Table."]
Host powered on. The port moves from the blocking state immediately to the listening state (15 seconds), where the switch determines where the port fits into the spanning tree topology. After 15 seconds the port moves to the learning state (15 seconds), where the switch learns MAC addresses on this port. After another 15 seconds the port moves to the forwarding state (30 seconds total).
PortFast – Problem: DHCP
[Figure: same timeline; the host sends DHCP Discovery while the port is still in the listening/learning states; DHCP Discovery timeout; IPv4 address = 169.x.x.x.]
Host sends DHCP Discovery. Host never gets IP addressing information.
Also: insignificant topology change. A user's PC causes the link to go up or down (normal booting or shutdown process). No significant impact, but given enough hosts, switches could be in a constant state of flushing MAC address tables. This causes unknown unicast floods.
PortFast
[Figure: PortFast enabled; the port goes directly to the Forwarding State when the host is powered on; DHCP Discovery, DHCP Offer.]
The purpose of PortFast is to minimize the time that access ports wait for STP to converge. When a port comes up, the port immediately moves into the forwarding state. The advantage of enabling PortFast is to prevent DHCP timeouts. Host sends DHCP Discovery; host can now get IP addressing information.
Configuring PortFast
Access2(config)#interface range fa 0/10 - 24
Access2(config-if-range)#switchport mode access   <Previously configured>
Access2(config-if-range)#spanning-tree portfast
OR
Access2(config)#spanning-tree portfast default
Warning: PortFast should only be enabled on ports that are connected to a single host. If hubs or switches are connected to the interface when PortFast is enabled, temporary bridging loops can occur. If a loop is detected on the port, it will move into the blocking state.
STP: BPDU Guard Rick Graziani Cabrillo College graziani@cabrillo.edu
Problem: Unexpected BPDUs
[Figure: a PortFast port receives a BPDU from an unauthorized switch (X), goes to blocking and now listens to BPDUs, then forwards BPDUs to other switches: STP reconvergence?]
Enabling PortFast can create a security risk in a switched network. Even though PortFast is enabled, the interface will still listen for BPDUs. A port configured with PortFast will go into the blocking state if it receives a Bridge Protocol Data Unit (BPDU). An unauthorized device can send BPDUs into the PortFast interface and set the port to blocking. When the port is in the blocking state it will accept all BPDUs. This could lead to false STP information entering the switched network and causing unexpected STP behavior: a newly connected switch could advertise itself as the root.
BPDU Guard: Developed to protect the integrity of switch ports with PortFast enabled, but it also maintains STP integrity by disallowing unauthorized switches.
Solution: BPDU Guard
[Figure: with PortFast and BPDU Guard, a port that receives a BPDU is put into Err-Disable (shutdown); a valid PortFast port sends no BPDUs.]
When the BPDU Guard feature is enabled on the switch, STP shuts down PortFast-enabled interfaces that receive BPDUs instead of putting them into the blocking state. PortFast-enabled interfaces do not receive BPDUs in a valid configuration. The BPDU Guard feature blocks BPDUs by placing the interface in the ErrDisable state. Errdisable: the port must be manually re-enabled or automatically recovered via timers. BPDU Guard will also keep switches added outside the wiring closet by users from impacting and possibly violating Spanning Tree Protocol.
Distribution1(config)#interface range fa 0/10 - 24
Distribution1(config-if-range)#spanning-tree bpduguard enable
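The BPDU encapsulations described in Peter Paluch's note earlier (IEEE LLC with DSAP=SSAP=0x42, Cisco PVST+ SNAP with Protocol 0x010B) and the decision BPDU Guard makes on a PortFast port, brought together in one added example that is not part of the original slides. The frames are constructed test vectors: the two 0001.* MAC addresses are reused from the slide's `show spanning-tree` output, the 0200.* address and the priority-0 BID are made up to stand for a switch that should not be there. The parser reads only the 802.1D fields, so the PVST+ VLAN trailer that follows them is ignored, and `access_port_verdict` is this example's own model of the outcomes the slides describe (err-disable with BPDU Guard, blocking without it), not Cisco's code.

```python
import struct

# Added example (not from the original slides): decoder for the two BPDU
# encapsulations (IEEE LLC, DSAP=SSAP=0x42; Cisco PVST+ SNAP, PID 0x010B)
# and the decision BPDU Guard makes on a PortFast access port. All frames
# here are constructed; the rogue MAC and BID are made up.

IEEE_STP_MAC = bytes.fromhex("0180c2000000")   # 802.1D group address
PVST_MAC = bytes.fromhex("01000ccccccd")       # Cisco PVST+ group address
LLC_STP = bytes.fromhex("424203")              # DSAP, SSAP, control
SNAP_PVST = bytes.fromhex("aaaa0300000c010b")  # DSAP, SSAP, ctrl, OUI, PID


def bid_bytes(priority, mac_hex):
    """Bridge ID on the wire: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack(">H", priority) + bytes.fromhex(mac_hex)


def build_config_bpdu(root_bid, root_cost, bridge_bid, port_id=0x8001):
    """35-byte 802.1D configuration BPDU; timers are in 1/256 s units."""
    return struct.pack(">HBBB8sI8sHHHHH", 0, 0, 0, 0,    # proto, ver, type, flags
                       root_bid, root_cost, bridge_bid, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)   # age, max, hello, fwd


def build_tcn_bpdu():
    """802.1D Topology Change Notification: header only, type 0x80."""
    return struct.pack(">HBB", 0, 0, 0x80)


def ieee_frame(src, bpdu):
    """802.3 frame: dst, src, length, LLC header, BPDU (pad to 64 omitted)."""
    return IEEE_STP_MAC + src + struct.pack(">H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu


def pvst_frame(src, bpdu):
    return PVST_MAC + src + struct.pack(">H", len(SNAP_PVST) + len(bpdu)) + SNAP_PVST + bpdu


def parse_bpdu_frame(frame):
    """Return None for anything that is not a BPDU, else the decoded fields."""
    dst, type_or_len = frame[:6], struct.unpack(">H", frame[12:14])[0]
    if type_or_len >= 0x0600:         # an EtherType: Ethernet II, so not STP
        return None
    payload = frame[14:14 + type_or_len]
    if dst == IEEE_STP_MAC and payload.startswith(LLC_STP):
        encap, body = "ieee-llc", payload[len(LLC_STP):]
    elif dst == PVST_MAC and payload.startswith(SNAP_PVST):
        encap, body = "pvst+-snap", payload[len(SNAP_PVST):]
    else:
        return None
    proto, version, kind = struct.unpack(">HBB", body[:4])
    if proto != 0:
        return None
    if kind == 0x80:
        return {"encap": encap, "version": version, "type": "TCN"}
    (_flags, root_bid, root_cost, bridge_bid, port_id, msg_age,
     max_age, hello, fwd_delay) = struct.unpack(">B8sI8sHHHHH", body[4:35])
    return {
        "encap": encap, "version": version,
        "type": "config" if kind == 0 else "rst",
        "root_priority": struct.unpack(">H", root_bid[:2])[0],
        "root_mac": root_bid[2:].hex(), "root_cost": root_cost,
        "bridge_priority": struct.unpack(">H", bridge_bid[:2])[0],
        "bridge_mac": bridge_bid[2:].hex(), "port_id": port_id,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello": hello / 256, "forward_delay": fwd_delay / 256,
    }


def access_port_verdict(frame, portfast, bpduguard, current_root):
    """Outcome when `frame` arrives on an access port. `current_root` is the
    (priority, mac_hex) of the root bridge the network has today."""
    bpdu = parse_bpdu_frame(frame)
    if bpdu is None:
        return "forward"                   # ordinary data frame
    if bpduguard:
        return "err-disable"               # BPDU Guard shuts the port down
    if bpdu["type"] != "TCN":
        advertised = (bpdu["root_priority"], int(bpdu["root_mac"], 16))
        if advertised < (current_root[0], int(current_root[1], 16)):
            return "blocking; rogue claims a better root"
    return "blocking" if portfast else "normal stp"
```

The last function is the whole argument of the two slides in one place: without BPDU Guard a PortFast port that hears a BPDU merely drops back to blocking and starts participating in STP, and if the advertised root ID is lower than the real root's the newcomer would win the election; with BPDU Guard the decision never depends on what the BPDU says, because the port is err-disabled on receipt.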
PVST+ Load Balancing Rick Graziani Cabrillo College graziani@cabrillo.edu
[Figure: Distribution1 is Root for VLANs 1,10; Distribution2 is Root for VLAN 20.]
Distribution1(config)# spanning-tree vlan 1, 10 root primary
Distribution2(config)# spanning-tree vlan 20 root primary