Sunday, January 30, 2011

STP Enhancements

I wasn't being completely honest when I was talking about STP in my last post. There are several versions of STP, and the one I introduced in the previous post is known as Common Spanning Tree (CST). Now, this was the original spanning tree, but it is rarely used in a modern network due to its limitations. In fact, by default, it isn't run on Cisco switches. Cisco switches run what is known as Per VLAN Spanning Tree (PVST). It is just what its name suggests: PVST runs an instance of STP on each VLAN. PVST is Cisco-proprietary, as is PVST+. PVST+ runs PVST, but is backwards compatible with CST. So if there is a single switch that is running CST, all PVST+ switches will revert back to CST, so only use it if you are sure you need to be able to switch to running CST quickly while preserving your PVST information.

So why is running an instance of STP in each VLAN a good thing? Well, it isn't always. If you have a very large number of VLANs and only a few switches, your root bridges will be overloaded with overhead. There's a fix for that too, and it's known as MST, Multiple Spanning Tree. MST breaks STP into zones, so it can handle a collection of VLANs in one instance.

Let's go over the individual enhancements to STP to overcome the limitations I discussed in my last post.

PortFast - Turns off STP on an interface. Why oh why would you ever want to use this?! Well, say you build a new computer with one of those fancy SSDs that makes your server boot up in 10 seconds flat. Well, you'll have to wait another 40 seconds to use the network, since STP will take 50 seconds to converge. PortFast bypasses this by saying "I'm not a switch, I'll never cause a switching loop, so I don't need to participate in STP". Now, this command can be VERY DANGEROUS. If you turn PortFast on and someone plugs a switch into that port, or connects two ports via a crossover cable, you have the potential for a switching loop. Only use PortFast on access ports, and only if you are sure no one will cause a loop on it.
Switch(config-if)#spanning-tree portfast

BPDUGuard/BPDUFilter - Many switches support this addition to PortFast.  Basically, this prevents the scenario I just described by monitoring for BPDUs on a PortFast enabled port.  If it hears a BPDU (this will mean a switching loop), it shuts down that port into errdisable state.  BPDUFilter accomplishes the same goal, but by disabling PortFast when it hears a BPDU, forcing that port to participate in STP.  Be sure to use one or the other when you turn on PortFast.
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#spanning-tree bpdufilter enable


UplinkFast - Cisco-specific feature that improves STP convergence time when a link failure occurs.  Used when the switch has at least one backup root port currently in blocking state.  Basically, if a primary link fails, the backup link comes online quickly, instead of waiting 50s for STP to re-converge.  Typically used on Access layer switches, and only those that know alternative paths.
Switch(config)#spanning-tree uplinkfast

BackboneFast - Used for speeding up convergence when a link not directly connected to the switch fails.  This one is a little tricky, if the switch hears what's called an "inferior BPDU"
In the picture above, A is the root bridge, and the link between A and C goes down. C has lost its path to the root, and has no alternate path to it, since it was using that link to get to bridge B. So it thinks that it's the new root. It'll send out BPDUs on the link to bridge B. Bridge B will see these BPDUs and say, "Well, wait a second, my link to the root bridge (A) is fine, these BPDUs are inferior". So it'll ignore BPDUs on the blocked port. After 20 seconds, max_age for the blocked port will time out, and B will send out a BPDU to bridge C, which will be better than the BPDUs C is sending out. Bridge C will stop sending BPDUs, and the blocked port will go through listening, learning, and finally forwarding states. The whole process takes about 50 seconds.

BackboneFast overcomes this by timing out the max_age as soon as an inferior BPDU is heard. This saves 20 seconds. Like I said, it's a little confusing; just know that Cisco recommends enabling BackboneFast on all Catalyst switches so they can detect indirect link failures.
Switch(config)#spanning-tree backbonefast
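To make the timing concrete, here is a small Python model of the indirect-failure scenario above (an added example, not from the original post). Bridge IDs and path costs are constructed values, the 20/15/15 second timers are the 802.1D defaults, and the port ID field of a real BPDU comparison is left out for brevity.

```python
# Added example, not from the original post: a toy model of the BackboneFast
# scenario. Bridge IDs and costs are constructed; timers are the 802.1D
# defaults (max_age 20 s, listening 15 s, learning 15 s).
from dataclasses import dataclass

MAX_AGE, LISTENING, LEARNING = 20, 15, 15


@dataclass(frozen=True, order=True)
class BPDU:
    """Fields are compared in this order; a lower tuple is the better BPDU."""
    root_id: int     # bridge ID the sender believes is the root
    root_cost: int   # sender's path cost to that root
    sender_id: int   # ID of the bridge that sent the BPDU


def is_inferior(received: BPDU, stored: BPDU) -> bool:
    """True when the received BPDU is worse than the one held on that port."""
    return received > stored


def convergence_seconds(received: BPDU, stored: BPDU, backbonefast: bool) -> int:
    """Seconds until B's blocked port forwards after C loses its link to the root.

    Without BackboneFast, B ignores the inferior BPDU until max_age expires and
    only then moves the port through listening and learning. With BackboneFast
    the max_age wait is dropped as soon as the inferior BPDU is heard.
    """
    if not is_inferior(received, stored):
        return 0  # nothing changed from B's point of view
    wait = 0 if backbonefast else MAX_AGE
    return wait + LISTENING + LEARNING


def accepts_new_root(current: BPDU, offered: BPDU) -> bool:
    """C drops its own root claim once it hears a better BPDU from B."""
    return offered < current


# Constructed topology: A (ID 1) is root, B is 2, C is 3. B's port toward C is
# blocked and holds C's last good BPDU (root A, cost 19 via C).
stored_on_b = BPDU(root_id=1, root_cost=19, sender_id=3)
# After the A-C link drops, C claims to be root with cost 0.
from_c_after_failure = BPDU(root_id=3, root_cost=0, sender_id=3)
# What B eventually sends to C once it acts on the failure.
from_b_to_c = BPDU(root_id=1, root_cost=19, sender_id=2)

if __name__ == "__main__":
    print("inferior:", is_inferior(from_c_after_failure, stored_on_b))
    for bbf in (False, True):
        print(f"backbonefast={bbf}: {convergence_seconds(from_c_after_failure, stored_on_b, bbf)} s")
    print("C accepts B's BPDU:", accepts_new_root(from_c_after_failure, from_b_to_c))
```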

Last, we have my favorite part of STP, 802.1w - or Rapid Spanning Tree Protocol (RSTP). RSTP can run on all brands of switches, and includes all of the features I just discussed. Remember, the enhancements I just wrote about were created by Cisco to fix the problems of CST, and as such, they were Cisco-proprietary. RSTP essentially combines the Listening, Blocking, and Disabled modes into the new mode, Discarding. This is because all of these modes are simply not forwarding packets and are not learning MAC addresses. In RSTP, bridges also send out BPDUs every hello time, not just when they hear a BPDU from their root port. These two changes cause convergence time to drop to mere seconds, rather than the 50 seconds of other versions. That's why if you can run RSTP, you should; just make sure all switches are running it, since it'll provide no benefit if it has to conform to 802.1D (RSTP will work with regular STP, but with none of the enhancements).

Turning RSTP on is very simple.
Switch#conf t
Switch(config)#spanning-tree mode rapid-pvst

I'm going to wrap up with verification commands that should be memorized.

The show spanning-tree command shows important information: who the root bridge is, what priorities are set on the VLANs, what role each port is in, and the ports' costs and priorities. If you are running PVST (as all Cisco switches are by default), you can specify which VLAN to see information for. If you don't, it'll show all of them.
S1#show spanning-tree
S1#show spanning-tree vlan 10

The show mac address-table command shows what VLAN ports are in, what MAC address(es) is/are assigned to that port, and whether those MACs are statically or dynamically assigned.
S1#show mac address-table

This command helps verify the IP address of the switch.
S1#sh int vlan 1

Thanks for reading!
