CCNP Switch - STP Configuration

 - By default, STP is enabled for all active VLANs and on all ports of a switch.
 - Although STP is wonderfully automatic with its default values and election processes, the resulting tree structure might perform quite differently than expected.
 - A Catalyst switch can be configured to use one of two formats for its STP bridge ID (traditional or extended system ID).
 - By default, PortFast is disabled on all switch ports.
 - Timers need to be modified only on the root bridge.

STP port transition time:

 - When a switch boots, it considers itself the STP root; transition time ~30 seconds (Listening + Learning forward delay).
 - When the STP root is known and the root port fails, a blocked port's transition time is ~50 seconds (Max Age + Listening + Learning forward delay).
 - If a switch port is running PAgP to negotiate an EtherChannel configuration, transition time is ~50 seconds.

STP Root Bridge
Spanning Tree Protocol (STP) and its computations are predictable; however, other factors might subtly influence STP decisions, making the resulting tree structure neither expected nor ideal.

 - The location of the root bridge should be determined as part of the design process.
 - You can use redundant links for load balancing in parallel, if configured correctly.
 - STP should remain enabled in a network to prevent bridging loops from forming. However, you might find that STP has been disabled in some way.
Switch(config)# spanning-tree vlan <vlan-id>         <----   reenable an entire instance of STP
Switch(config-if)# spanning-tree vlan <vlan-id>      <----   reenable STP for a specific VLAN on a specific port
Root Bridge Placement
 - If the root bridge election is left to its default state, several things can occur to result in a poor choice. For example, the slowest switch (or bridge) could be elected as the root bridge.
 - If all switches are left at their default states, only one root bridge is elected, with no clear choice for a backup. If that switch fails, another root bridge election occurs, but again, the choice might not be the ideal switch or the ideal location.
 - An election with default switch values could place the root bridge in an unexpected location in the network. More important, an inefficient spanning-tree structure could result, causing traffic from a large portion of the network to take a long and winding path just to pass through the root bridge.

Bridge ID
A Catalyst switch can be configured to use one of the following formats for its STP bridge ID:
■ Traditional 802.1D bridge priority value (16 bits), followed by the unique switch MAC address for the VLAN.
■ The 802.1t extended system ID (4-bit priority multiplier, plus a 12-bit VLAN ID), followed by a nonunique switch MAC address for the VLAN.
If the switch cannot support 1024 unique MAC addresses for its own use, the extended system ID is always enabled by default. Otherwise, the traditional method is enabled by default, and the extended system ID is enabled with the following command:
Switch(config)# spanning-tree extend system-id
All BID combinations (extended system ID)
4 bits  - priority        => 2^4 = 16 combinations
12 bits - sys-id (VLAN)   => 2^12 = 4096 VLANs
16 bits - priority + sys-id        48 bits - MAC address
0000 0000 0000 0000                0000....
prio sys-id(vlan)                  MAC
0000 0000 0000 0000        0  <--- minimum BID (best BID)
0001 0000 0000 0000     4096
0010 0000 0000 0000     8192
0011 0000 0000 0000    12288
0100 0000 0000 0000    16384
0101 0000 0000 0000    20480
0110 0000 0000 0000    24576
0111 0000 0000 0000    28672
1000 0000 0000 0000    32768   <--- default
1001 0000 0000 0000    36864
1010 0000 0000 0000    40960
1011 0000 0000 0000    45056
1100 0000 0000 0000    49152
1101 0000 0000 0000    53248
1110 0000 0000 0000    57344
1111 0000 0000 0000    61440

N4(config)#spanning-tree vlan 3 priority 61000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

Root Bridge Configuration
To prevent the surprises outlined in the previous section, you should always do two things:
■ Configure one switch as the root bridge in a determined fashion.
■ Configure another switch as a secondary root bridge, in case of a primary root bridge failure.
As the common reference point, the root bridge (and the secondary) should be placed near the center of the Layer 2 network.

Two ways to make a Catalyst switch become the root bridge:
1) Manual settings
The bridge-priority value defaults to 32,768, but you can also assign a value of 0 to 65,535. If STP extended system ID is enabled, the default bridge-priority is 32,768 plus the VLAN number. In that case, the value can range from 0 to 61,440, but only as multiples of 4096. A lower bridge priority is preferable.
Switch(config)# spanning-tree vlan <vlan-list> priority <bridge-priority>
Switch(config)# spanning-tree vlan 5,100-200 priority 4096
On the root, it is usually good practice to directly modify the bridge priority to an artificially low value (even priority 1 or 0).
2) Causing the would-be root bridge switch to choose its own priority, based on some assumptions about other switches in the network.
Switch(config)# spanning-tree vlan <vlan-id> root {primary | secondary}  [diameter <diameter>]
This command is actually a macro on the Catalyst that executes several other commands. The result is a more direct and automatic way to force one switch to become the root bridge. Notice that the actual bridge priorities are not given in the command. Instead, the switch modifies its STP values according to the current values in use within the active network. These values are modified only once, when the macro command is issued.
primary - makes the switch attempt to become the primary root bridge. This command modifies the switch's bridge priority value to become less than the bridge priority of the current root bridge.

If the current root priority is more than 24,576, the local switch sets its priority to 24,576. If the current root priority is less than that, the local switch sets its priority to 4096 less than the current root.

secondary - makes the switch a secondary root bridge; its bridge priority is set to an artificially low value of 28,672 (a fixed secondary priority, used under the assumption that it will be less than the default priorities).

diameter - you can also modify the network diameter

Suppose the current root bridge has a bridge priority of 4200. Because that priority is less than 24,576, the local switch will try to set its priority to 4096 less than the current root. Although the resulting priority would be 104, the local switch is using an extended system ID, which requires bridge priority values that are multiples of 4096. The only value that would work is 0, but the automatic method will not use it. Instead, the only other option is to manually configure the bridge priority to 0:
Switch(config)# spanning-tree vlan 100 priority 0

The spanning-tree vlan <vlan-id> root command will not be shown in a Catalyst switch configuration because the command is actually a macro executing other switch commands. Be aware that this macro does not guarantee that the switch will become the root and maintain that status.
Switch(config)# spanning-tree vlan 1 root primary
vlan 1 bridge priority set to 24576
vlan 1 bridge max aging time unchanged at 20
vlan 1 bridge hello time unchanged at 2
vlan 1 bridge forward delay unchanged at 15
After the macro is used, it is entirely possible for another switch in the network to have its bridge priority configured to a lower value.
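The following Python is an added illustration, not code from the original notes or from Cisco: it models the extended-system-ID bridge ID from the BID table above, the IOS 4096-increment priority check, and the priority rule the root primary/secondary macro follows, including the 4200 case where the macro finds no legal value. Function names and the sample switches are my own constructions.

```python
# Added example, not from the original notes: a small model of the 802.1t
# extended-system-ID bridge ID, the IOS 4096-increment priority check, and the
# priority rule of the "spanning-tree vlan X root {primary|secondary}" macro.
# Function names are mine, not IOS internals.

PRIORITY_STEP = 4096         # only 4 priority bits remain, so 16 steps of 4096
MAX_PRIORITY = 61440         # 1111 0000 0000 0000 in the BID table
DEFAULT_PRIORITY = 32768     # 1000 0000 0000 0000, the IOS default
ROOT_PRIMARY_TARGET = 24576  # "root primary" uses this when the root is above it
ROOT_SECONDARY = 28672       # fixed value used by "root secondary"


def check_priority(priority):
    """Reproduce the IOS check: priority must be 0..61440 in increments of 4096."""
    if not 0 <= priority <= MAX_PRIORITY or priority % PRIORITY_STEP:
        allowed = " ".join(str(p) for p in range(0, MAX_PRIORITY + 1, PRIORITY_STEP))
        raise ValueError("Bridge Priority must be in increments of 4096. "
                         "Allowed values are: " + allowed)
    return priority


def bridge_id(priority, vlan, mac):
    """64-bit extended-system-ID BID: (4-bit priority + 12-bit VLAN) << 48 | 48-bit MAC.
    mac is the dotted-hex form IOS prints, e.g. '000c.8554.9a80'."""
    check_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    # The 16-bit field IOS displays as "Priority" is priority + VLAN (sys-id).
    return ((priority + vlan) << 48) | int(mac.replace(".", ""), 16)


def elect_root(vlan, switches):
    """switches: {name: (priority, mac)} for one VLAN. Lowest BID wins; MAC breaks ties."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_macro_priority(mode, current_root_priority):
    """Priority the 'root {primary|secondary}' macro would set. secondary is always the
    fixed 28672. primary picks 24576 when the current root is above that, otherwise
    4096 below the current root; None means no legal multiple of 4096 results (the
    macro will not fall back to 0 on its own, so priority 0 must be set manually)."""
    if mode == "secondary":
        return ROOT_SECONDARY
    if mode != "primary":
        raise ValueError("mode must be 'primary' or 'secondary'")
    if current_root_priority > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    candidate = current_root_priority - PRIORITY_STEP
    return candidate if candidate >= 0 and candidate % PRIORITY_STEP == 0 else None


if __name__ == "__main__":
    # Constructed sample: three switches at default priority competing for VLAN 100.
    vlan100 = {"SW1": (DEFAULT_PRIORITY, "000c.8554.9a80"),
               "SW2": (DEFAULT_PRIORITY, "000c.1111.2222"),
               "SW3": (DEFAULT_PRIORITY, "0011.abcd.ef00")}
    print("root with defaults:", elect_root(100, vlan100))        # SW2, lowest MAC
    vlan100["SW3"] = (4096, "0011.abcd.ef00")
    print("root after SW3 sets 4096:", elect_root(100, vlan100))  # SW3
    print("root primary against a 4200 root:", root_macro_priority("primary", 4200))  # None
```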

Spanning-Tree Customization
Tuning the Root Path Cost
The port or port path cost is inversely proportional to the port’s bandwidth. If desired, a port’s cost can be modified from the default value.
Before modifying a switch port’s path cost, you should always calculate the root path costs of other alternative paths through the network.
Switch(config-if)# spanning-tree [vlan <vlan-id>] cost <cost>
Switch(config-if)# spanning-tree vlan 10 cost 2
Displaying STP Port Cost Values on an Interface

Switch# show spanning-tree interface gigabitEthernet 0/1
Vlan              Role Sts Cost      Prio.Nbr Type
----------------- ---- --- --------- -------- -----------
VLAN0001          Root FWD 4         128.1    P2p
VLAN0010          Desg FWD 2         128.1    P2p
VLAN0020          Root FWD 4         128.1    P2p
Tuning the Port ID
The fourth criterion of an STP decision is the port ID.
The port ID value that a switch uses is actually a 16-bit quantity: 8 bits for the port priority and 8 bits for the port number.
 - The port priority is a value from 0 to 255 and defaults to 128 for all ports.
 - The port number can range from 0 to 255 and represents the port’s actual physical mapping. Port numbers begin with 1 at port 0/1 and increment across each module.
Switch# show spanning-tree interface gigabitEthernet 3/16     <-----  Gigabit Ethernet 3/16 is also known as port number 144
Vlan       Role Sts  Cost     Prio.Nbr  Type
----------------- ---- --- --------- -------- ----------
VLAN0010   Desg FWD  4        128.144   Edge P2p
VLAN0100   Desg FWD  4        128.144   Edge P2p
VLAN0200   Desg FWD  4        128.144   Edge P2p
Configure the port priority with this interface-configuration command:
Switch(config-if)# spanning-tree [vlan <vlan-list>] port-priority <port-priority>
Switch(config)# interface gigabitethernet 3/16
Switch(config-if)# spanning-tree vlan 10,100 port-priority 64
Switch# show spanning-tree interface gigabitEthernet 3/16
Vlan       Role Sts  Cost     Prio.Nbr  Type
----------------- ---- --- --------- -------- ----------
VLAN0010   Desg FWD  4        64.144   Edge P2p
VLAN0100   Desg FWD  4        64.144   Edge P2p
VLAN0200   Desg FWD  4        128.144   Edge P2p

Tuning Spanning-Tree Convergence
Default STP can cause network access to be delayed while timers expire, even on links where loops are not possible.
Remember that the timers need to be modified only on the root bridge, because the root bridge propagates all three timer values throughout the network as fields in the configuration BPDU.

Modifying STP Timers

Switch(config)# spanning-tree [vlan <vlan-id>] hello-time <seconds>     <----default 2, can be value of 1 to 10 seconds
Switch(config)# spanning-tree [vlan <vlan-id>] forward-time <seconds>     <----- default 15, can be value of 4 to 30 seconds
Switch(config)# spanning-tree [vlan <vlan-id>] max-age <seconds>     <----- default 20 (10x hello-time), can be value of 6 to 40 seconds
If you omit the vlan keyword, the timer values are configured for all instances (all VLANs) of STP on the switch.
Hello timer - periodic “hello” messages that are sent from the root to other bridges in the network, also is the interval in which a bridge expects to hear a hello relayed from its neighboring bridges.
Forward Delay timer determines the amount of time a port stays in the Listening state before moving into the Learning state, and how long it stays in the Learning state before moving to the Forwarding state. A value that is too low allows loops to form, possibly crippling a network.
Max Age timer specifies the lifetime of a stored BPDU that has been received from a neighboring switch's designated port.

Automatically Configuring STP Timers

Timer values are basically dependent on the Hello Time and the switched network’s diameter.
The spanning-tree vlan <vlan-list> root macro command is a better tool to use than setting the timers by hand.
Switch(config)# spanning-tree vlan <vlan-list> root {primary | secondary} [diameter diameter [hello-time <hello-time>]]
This command can be used only on a per-VLAN basis to modify the timers for a particular VLAN’s spanning tree instance.
Switch# show spanning-tree vlan 100
Spanning tree enabled protocol ieee
Root ID    Priority     100
           Address      000c.8554.9a80
           This bridge is the root
            Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Example network:
 - The longest path that a packet can take through the network is three switches.
 - Can safely assume that this network diameter is three, provided that no additional switches will be added to lengthen the longest path
 - Hello Time of 1 second is also desired, to shorten the time needed to detect a dead neighbor.
Switch(config)# spanning-tree vlan 100 root primary diameter 3 hello-time 1
Switch# show spanning-tree vlan 100
....This bridge is the root
      Hello Time 1 sec Max Age 7 sec Forward Delay 5 sec

Redundant Link Convergence
Some additional methods allow faster STP convergence if a link failure occurs:
■ PortFast—Enables fast connectivity to be established on access-layer switch ports to workstations that are booting
■ UplinkFast—Enables fast-uplink failover on an access-layer switch when dual uplinks are connected into the distribution layer
■ BackboneFast—Enables fast convergence in the network backbone or core layer switches after a spanning-tree topology change occurs
Instead of modifying timer values, these methods work by controlling convergence on specifically located ports within the network hierarchy.

PortFast: Access-Layer Nodes
By default, PortFast is disabled on all switch ports.
With the default STP timers, the STP transition takes at least 30 seconds (15 seconds for Listening to Learning, and 15 seconds for Learning to Forwarding), and a workstation cannot transmit or receive any useful data until the Forwarding state is finally reached on the port.
On switch ports that connect only to single workstations or specific devices, bridging loops never should be possible.

Catalyst switches offer the PortFast feature:
 - shortens the Listening and Learning states to a negligible amount of time.
 - when a workstation link comes up, the switch immediately moves the PortFast port into the Forwarding state.
 - STP loop detection is still in operation, however, and the port moves into the Blocking state if a loop is ever detected on the port.
 - If a BPDU is received after PortFast was enabled, the port loses its PortFast status (PortFast will be disabled and needs to be reenabled).

Configure PortFast as a global default; every switch port in access (nontrunking) mode will then have PortFast enabled automatically:
Switch(config)# spanning-tree portfast default
Or per interface:
Switch(config-if)# [no] spanning-tree portfast
Macro script: switchport host
Switch(config-if)# switchport host
  ! macro that:
   - enables STP PortFast --- spanning-tree portfast will be enabled
   - sets the port to access (nontrunking) mode --- switchport mode will be set to access
   - disables EtherChannel (PAgP/LACP) --- channel group will be disabled
Display the current PortFast status
Switch# show spanning-tree interface <type mod/num> portfast
Switch# show spanning-tree interface fastethernet 0/1 portfast
VLAN0010 enabled
UplinkFast: Access-Layer Uplinks
An access-layer switch that has redundant uplink connections to two distribution-layer switches will have one uplink in the Forwarding state and the other in the Blocking state. If the primary uplink goes down, up to 50 seconds could elapse before the redundant uplink can be used.

The UplinkFast feature on Catalyst switches:
 - enables leaf-node switches (switches at the ends of the spanning-tree branches) to have a functioning root port while keeping one or more redundant or potential root ports in Blocking mode.
 - when the primary root port uplink fails, another blocked uplink can immediately be brought up for use.
 - keeps a record of all parallel paths to the root bridge. All uplink ports but one are kept in the Blocking state.
 - makes some modifications to the local switch to ensure that it does not become the root bridge and that it is not used as a transit switch to reach the root bridge:
 - the switch's bridge priority is raised to 49,152;
 - the port cost of all local switch ports is incremented by 3000.
 - when an uplink goes down, the switch needs to update upstream CAM tables. This is done by sending dummy multicast frames (at the rate specified by max-update-rate) to destination 0100.0ccd.cdcd on behalf of the stations in the local CAM table (used as source addresses), giving upstream hosts a chance to receive the frames and learn the new path to those source addresses.

To enable UplinkFast (it is enabled for the entire switch and all VLANs):
Switch(config)# spanning-tree uplinkfast [max-update-rate <pkts-per-second>]
This command is not allowed on the root bridge switch.

Display the current status of STP UplinkFast
Switch# show spanning-tree uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
Number of transitions via uplinkFast (all VLANs) : 2
Number of proxy multicast addresses transmitted (all VLANs) : 52
Name Interface List
--------------------- --------------------------------
VLAN0001 Gi0/1(fwd)
VLAN0010 Gi0/1(fwd)
VLAN0100 Gi0/1(fwd)
BackboneFast: Redundant Backbone Paths
By default, BackboneFast is disabled.
At the backbone or core layer, a different method is used to shorten STP convergence.
BackboneFast works by having a switch actively determine whether alternative paths exist to the root bridge, in case the switch detects an indirect link failure.
Indirect link failures occur when a link that is not directly connected to a switch fails.

A switch detects an indirect link failure when it receives inferior BPDUs from its designated bridge on either its root port or a blocked port.

Normally, a switch must wait for the Max Age timer to expire before responding to the inferior BPDUs.
BackboneFast begins to determine whether other alternative paths to the root bridge exist according to the following port types that received the inferior BPDU:
■ If the inferior BPDU arrives on a port in the Blocking state, the switch considers the root port and all other blocked ports to be alternative paths to the root bridge.
■ If the inferior BPDU arrives on the root port itself, the switch considers all blocked ports to be alternative paths to the root bridge.
■ If the inferior BPDU arrives on the root port and no ports are blocked, however, the switch assumes that it has lost connectivity with the root bridge. In this case, the switch assumes that it has become the root bridge, and BackboneFast allows it to do so before the Max Age timer expires.

Detecting alternative paths to the root bridge also involves an interactive process with other bridges.
If the local switch has blocked ports, BackboneFast begins to use the Root Link Query (RLQ) protocol to see whether upstream switches have stable connections to the root bridge.

First, RLQ Requests are sent out. If a switch receives an RLQ Request and either is the root bridge or has lost its connection to the root, it sends an RLQ Reply. Otherwise, the RLQ Request is propagated on to other switches until an RLQ Reply can be generated. On the local switch, if an RLQ Reply is received on its current root port, the path to the root bridge is intact and stable. If it is received on a nonroot port, an alternative root path must be chosen. The Max Age timer is immediately expired so that a new root port can be found.

Enable BackboneFast
Switch(config)# spanning-tree backbonefast

When used, BackboneFast should be enabled on all switches in the network, because BackboneFast requires the RLQ Request and Reply mechanism to inform switches of root path stability.

Switch# show spanning-tree backbonefast
BackboneFast is enabled

Monitoring STP
Information about many aspects of STP can be displayed from a Catalyst switch command-line interface (CLI).
Switch# show spanning-tree     <---View all possible STP parameters for all VLANs. Port information is summarized.
Switch# show spanning-tree detail     <---View all possible STP information for all VLANs. Port information is very detailed.
Switch# show spanning-tree [vlan vlan-id] summary  <---View the number of switch ports currently in each of the STP states
Switch# show spanning-tree [vlan vlan-id] root     <---Find the root bridge ID, the root port, and the root path cost.
Switch# show spanning-tree [vlan vlan-id] bridge   <---Show the bridge ID and STP timers for the local switch.
Switch# show spanning-tree interface <type port>   <---Show the STP activity on a specific interface.
Switch# show spanning-tree uplinkfast              <---Show the STP UplinkFast status.
Switch# show spanning-tree backbonefast            <---Show the STP BackboneFast status.