Spanning Tree
🌲

Spanning Tree

STP Versions

  • STP - 802.1D - Original
  • PVST (ISL) - Cisco enhanced - per-VLAN
  • PVST+ (802.1Q) - Cisco enhanced - per-VLAN (Default)
  • RSTP - 802.1W - faster
  • RPVST - Cisco enhanced faster - per-VLAN
  • MSTP - 802.1Q-2005 - a group of VLANs in an instance

Root Bridge Election

By default, a Cisco switch that is using RSTP sends out BPDU every 2 seconds.
BPDU is multicast
The BPDU has three fields; the bridge priority, the extended system ID, and the MAC address. The extended system ID contains 12 bits that identify the VLAN ID.
The default priority is 32768, and additional roots are set below this number. STP increments priority by 4096, so the next priority is 4096 below 32768. The lower the number, the higher the priority.
The switch with the lowest MAC address breaks the tie

Port Blocking

After the election of a root bridge has occurred, each switch will have to determine the best path from its location to the root bridge. The path is determined by summing the individual port costs along the path from each switch port to the root bridge.
All ports on the root bridge are selected as designated ports. Root ports are selected on all non-root bridges.
  1. Lowest cost
      2. 10 - 10Mbps
      19 - 100 Mbps
      4 - 1 Gbps
      2 - 10 Gbps
  1. Lowest bridge ID
  1. Lowest port number
 
  • The root port is the port on the switch that has the lowest cost to the root bridge.
  • A designated port is a non-root port that can still forward traffic.
  • Alternate and backup ports are types of blocking ports that do not forward traffic.
Switches learn MAC addresses at the learning and forwarding port states.
They receive and process BPDUs at the blocking, listening, learning, and forwarding port states.
The Rapid PVST+ port states are discarding, learning, and forwarding.
show spanning-tree

spanning-tree mode rapid-pvst

STP stability mechanisms

There are several recommended STP stability mechanisms to help mitigate STP manipulation attacks:
  • PortFast - Used to immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state. Applied to all end-user ports.
  • BPDU guard - Immediately error-disables a port that receives a BPDU. Applied to all end-user ports.
  • Root guard - Prevents a switch from becoming the root switch. Applied to all ports where root switch should not be located.
  • Loop guard - Detects unidirectional links to prevent alternate or root ports from becoming designated ports. Applied to all ports that are or can become non-designated.

Multiple Spanning Tree (MST)

802.1S
Runs one instance for each group instead of each VLAN.
spanning-tree mst configuration
	name MSTP
	revision 1
	instance 1 vlan 1313-1500
	instance 2 vlan 2424-3000

spanning-tree mst 0-1 root primary
spanning-tree mst 2 root secondary

spanning-tree mode mst
MST region - name, revision, and VLAN mapping needs to match.

• spanning-tree mst instance-number root {primary | secondary}[diameter diameter], where the primary keyword sets the priority to 24,576, and the secondary keyword sets the priority to 28,672
Instance is 0 is common Spanning Tree, VLANs not assigned to instance or switch outside of region
, 16 instances by default
Â