Some information about STP.
#STP - 802.1D, enabled on all switches by default
#*PVST - i.e. per-VLAN STP over ISL (Inter-Switch Link), Cisco only
#*PVST+ - ISL + 802.1Q, can work with all vendors
#RSTP - 802.1w
#*Rapid PVST+ - for medium-sized networks, each VLAN has its own instance
#MSTP - 802.1s - uses MSTIs, backward compatible with STP (802.1D) & RSTP (802.1w), for huge networks
#*MST - i.e. MSTP
#Loops -> MAC address flapping
#RSTP and STP have different priorities
#RSTP link types: Edge - PC & end devices; Point-to-Point - between switches; Shared - a hub connection, must operate in half-duplex mode.
#RSTP port states: Discarding, Learning, Forwarding
#RSTP port roles: Root, Designated, Alternate, Backup (Backup only on a shared segment, e.g. via a hub)
#RSTP built-in features: UplinkFast, BackboneFast, PortFast
#RSTP BPDUs are sent by all switches, not just the root bridge
#Interfaces in Blocking state forward no user traffic; they only send or receive STP messages (called BPDUs)
#Default Bridge ID priority is 32768 on all switches, so by default the MAC address is used as a tie-breaker.
#With equal priority, the switch with the lowest MAC address becomes the root bridge.
#PVST - Per-VLAN Spanning Tree. Per VLAN, different interfaces can be in Forwarding / Blocking states.
#Bridge priority is 16 bits (Bridge Priority 4 bits + Extended System ID (VLAN ID) 12 bits)
#Priority bits: 32768 16384 8192 4096 | Extended System ID bits: 2048 1024 ... 1
#Default: only the 32768 bit is set in the priority field; the extended system ID carries the VLAN ID (1 for VLAN 1)
#Example. For VLAN 1, the default bridge priority is actually 32769 (32768+1)
#If I want to reduce it:
#Priority bits 0 1 1 1 + VLAN ID 1 = 28673 (16384+8192+4096+1)
#In this case I can only use: {0,4096,8192,12288,16384,20480,24576,28672,32768,36864,40960,45056,49152,53248,57344,61440} + 1 (the VLAN ID)
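An added example (not from the original notes) that models the 16-bit priority field described above in Python: it builds the value shown for a VLAN, splits an observed value back into configured priority and VLAN ID, and elects the root bridge from constructed sample switches (switch names and MAC addresses are made up).

```python
# Added example, not part of the original notes: the 16-bit STP bridge priority
# field = 4 priority bits (multiples of 4096) + 12-bit extended system ID (VLAN).
VALID_PRIORITIES = range(0, 61441, 4096)   # 0, 4096, ..., 61440


def bridge_priority(priority: int, vlan: int) -> int:
    """Value shown as 'Bridge ID Priority' in 'show spanning-tree' for a VLAN."""
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside 1..4094")
    return priority + vlan            # e.g. 32768 + 1 = 32769 for VLAN 1


def split_priority(value: int) -> tuple:
    """Split an observed priority field into (configured priority, VLAN ID)."""
    return value & 0xF000, value & 0x0FFF


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def elect_root(switches: dict, vlan: int) -> str:
    """switches maps name -> (configured priority, MAC). Lowest bridge ID wins:
    lower priority field first, then the MAC address as tie-breaker."""
    return min(switches, key=lambda n: (bridge_priority(switches[n][0], vlan),
                                        mac_to_int(switches[n][1])))


# Constructed sample data: all switches at the default priority except SW2.
SAMPLE = {
    "SW1": (32768, "00:1a:2b:00:00:10"),
    "SW2": (28672, "00:1a:2b:00:00:30"),
    "SW3": (32768, "00:1a:2b:00:00:05"),
}

if __name__ == "__main__":
    print(bridge_priority(28672, 1))   # 28673, as in the note above
    print(split_priority(32778))       # (32768, 10): default priority, VLAN 10
    print(elect_root(SAMPLE, 1))       # SW2: lower priority beats SW3's lower MAC
    print(elect_root({k: SAMPLE[k] for k in ("SW1", "SW3")}, 1))  # SW3: MAC tie-break
```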
#Speed       STP Cost
#10 Mbit/s   100
#100 Mbit/s  19
#1 Gbit/s    4
#10 Gbit/s   2
#Root port selection
#1) Lower root cost
#2) Lower neighbor bridge ID
#3) Lower neighbor port ID
enable
configure terminal
show spanning-tree #get STP interface information. STP port priority = 128 by default
#The neighbor switch's port ID is used to break the tie, not the local switch's port ID.
#Blocking ports
#1) The switch with the lowest root cost makes its ports designated (all ports)
#2) If the root cost is the same, the switch with the lowest bridge ID makes its ports designated (all ports)
#3) The other switches make their ports non-designated (Blocking)
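An added example (not from the original notes) that applies the root-port and designated-port rules above in Python, using the speed/cost table from the notes: root cost is the neighbor's advertised cost plus the receiving interface's cost, and the final tie is broken by the neighbor's port ID, not the local one. The switches, bridge IDs and port numbers are constructed for illustration.

```python
# Added example, not part of the original notes: STP root port / designated port
# selection with the tie-break order from the notes.
from dataclasses import dataclass

# Classic 802.1D port costs from the speed/cost table in the notes (Mbit/s -> cost).
STP_COST = {10: 100, 100: 19, 1_000: 4, 10_000: 2}


def port_id(port_number: int, priority: int = 128) -> int:
    """16-bit port ID: 4-bit port priority (multiple of 16, default 128) in the
    high nibble + 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 in 0..240")
    return (priority // 16) << 12 | port_number


@dataclass(frozen=True)
class Candidate:
    local_port: str       # our interface the neighbor's BPDU arrived on
    speed_mbps: int       # speed of that interface
    nbr_root_cost: int    # root path cost the neighbor advertises in its BPDU
    nbr_bridge_id: int    # neighbor's 64-bit bridge ID (priority+VLAN << 48 | MAC)
    nbr_port_id: int      # neighbor's port ID (see port_id)

    def root_cost(self) -> int:
        # Our root cost via this port = advertised cost + cost of the receiving interface.
        return self.nbr_root_cost + STP_COST[self.speed_mbps]


def select_root_port(cands: list) -> Candidate:
    """Lowest root cost, then lowest neighbor bridge ID, then lowest NEIGHBOR
    port ID. The local port ID never enters the decision."""
    return min(cands, key=lambda c: (c.root_cost(), c.nbr_bridge_id, c.nbr_port_id))


def designated_switch(segment: dict) -> str:
    """segment maps switch name -> (root cost, bridge ID) on one shared link.
    Lowest root cost, then lowest bridge ID, gets the designated port; the
    other switches' ports on that segment go to Blocking."""
    return min(segment, key=lambda n: segment[n])


# Constructed sample: SW1 is root (advertises cost 0), SW2 is one hop from it (cost 4).
SW1_BID = (32769 << 48) | 0x001A2B000010
SW2_BID = (32769 << 48) | 0x001A2B000030
SW3_BID = (32769 << 48) | 0x001A2B000050
SAMPLE_SPEED = [Candidate("g0/1", 1_000, 0, SW1_BID, port_id(1)),   # 0 + 4 = 4
                Candidate("f0/1", 100, 4, SW2_BID, port_id(1))]     # 4 + 19 = 23
# Two equal-cost uplinks to the root; our g0/1 is wired to SW1's port 2, g0/2 to port 1.
SAMPLE_TIE = [Candidate("g0/1", 1_000, 0, SW1_BID, port_id(2)),
              Candidate("g0/2", 1_000, 0, SW1_BID, port_id(1))]
```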
#Cisco PVST+ uses a destination MAC address of: 01:00:0C:CC:CC:CD
#Regular STP uses a destination MAC address of: 01:80:C2:00:00:00
============================STP TOOLKIT=========================
#PORTFAST
#BPDU FILTER
#BPDU GUARD
#ROOT GUARD
#UPLINK FAST
#LOOP GUARD
#BACKBONEFAST
#ETHERCHANNEL GUARD
#PORTFAST - don't wait 30 sec; the port goes to the FWD state immediately
spanning-tree portfast default #enable portfast by default on all ports in access mode (only PCs and end devices)
int f0/1
spanning-tree portfast #enable portfast on the selected interface (only PCs and end devices)
show spanning-tree interface <interface> portfast #to show portfast state on the interface
#BPDU FILTER - the port will not send any BPDUs
spanning-tree portfast bpdufilter default #global: enable on all access ports in portfast mode. The switch will not send BPDUs.
###BUT### if the interface is in DTP mode, a switch is connected to it and a BPDU is received, the interface joins STP
int f0/1
spanning-tree bpdufilter enable #stops the port from sending and receiving BPDUs. Don't connect any switches / a LOOP is possible
#BPDU GUARD - the port will shut down (err-disable) if it receives any BPDU
spanning-tree portfast bpduguard default #makes all access ports in portfast mode use bpduguard <- preferred mode
OR
int f0/1
spanning-tree portfast #skip the 30 sec wait
spanning-tree bpduguard enable #to prevent impact from unauthorized switches
#if a port with BPDU Guard receives any BPDU, the port will shut down with err-disable
#ROOT GUARD - guarantees that only the selected switch is the root.
#Doesn't work together with LOOP GUARD
#If a port receives a BPDU with a lower Bridge ID, the port becomes root-inconsistent and stops all traffic
interface f0/1 #do it on all ports on the root bridge
spanning-tree guard root #enable root guard
show spanning-tree inconsistentports #to check
#This may be the reason that the link between the switches is displayed as designated on both sides
#LOOP GUARD - checks that BPDUs keep arriving on ports in Blocking or Listening states.
#Doesn't work together with ROOT GUARD
#If a port in Blocking or Forwarding state stops receiving BPDUs, the port becomes Loop-Inconsistent.
#When BPDUs are received again, the port becomes Normal
#No need to apply it on access ports. Use BPDU Guard instead of Loop Guard there.
#Some IOS versions don't support this function
spanning-tree loopguard default #enable loop guard globally on all trunk ports
int g0/1
spanning-tree guard loop #to enable loop guard on the port
int range g0/1-2
spanning-tree guard loop #to enable loop guard on the range of ports
show interface status
show errdisable recovery
show logging | include Err
===========================RECOMMENDATIONS=======================
#Enable PortFast and BPDU Guard (per port or by default)
#Only enable BPDU Filter by default (global config mode) unless you have a very good reason to enable it per port
#BPDU Guard and BPDU Filter can be enabled on the same port at the same time
#If BPDU Filter is enabled in global mode and the port receives a BPDU, then:
-BPDU Filter is disabled on the port;
-BPDU Guard is triggered and err-disables the interface
#If BPDU Filter is enabled in interface config mode and the port receives a BPDU, then:
-The BPDU packet is ignored;
-BPDU Guard is not triggered
=================================================================
spanning-tree mode {pvst | rapid-pvst | mst} #to change the STP mode on the switch
spanning-tree vlan 1 root primary #sets the priority for VLAN 1 to 24576; if the current root already has a priority of 24576 or lower, it uses 4096 less than that priority
spanning-tree vlan 1 root secondary #to set a redundant root switch for VLAN 1
#Port Priority
int f0/24
spanning-tree port-priority <0-240> #must be a multiple of 16. By default=128. It affects the selection of the Designated Port
#Port ID = 16 bits. Port priority (4 bits) + Port Number on the switch (12 bits).
int f0/24
spanning-tree cost <1-200000000> #to change the cost of the interface
show spanning-tree interface <interface> detail #to get more information
show spanning-tree vlan <vlan_number> #to get more information
show spanning-tree vlan <vlan_number> interface <interface> detail #to get more information
show spanning-tree summary #overview of the STP mode, root status and enabled features per VLAN
show running-config | include spanning-tree #to show the STP-related lines in the running config
show interfaces status err-disabled #to show the reason why a port was disabled
#UPLINKFAST
#Do not use it on the root bridge; no need to use it in RSTP
#When the root port fails, an alternate port becomes the root port immediately: state Blocking -> Forwarding.
#Then, using a multicast group, it sends the MAC addresses to the other switches so they update their paths (CAM table).
#Active UplinkFast automatically increases port costs to prevent the switch from becoming root.
spanning-tree uplinkfast #enable uplinkfast
spanning-tree uplinkfast max-update-rate <0-65535> #packets per second used to send the MAC addresses
#BACKBONEFAST
#The mechanism used in the Spanning Tree Protocol (STP) to speed up the restoration of connectivity in the network when an indirect
#link failure occurs. An indirect failure is one that occurred not on the root port of the switch, but somewhere in an
#intermediate segment.
#No need to use it in RSTP
#Must be enabled on all switches in STP
spanning-tree backbonefast #to activate
show spanning-tree backbonefast #to check the status
#ETHERCHANNEL GUARD
#Enabled by default
#Monitors whether the settings of all ports involved in the EtherChannel are consistent.
#If parameters such as speed, duplex, or EtherChannel mode do not match, the ports are switched to the err-disable state.
spanning-tree etherchannel guard misconfig #to activate
show spanning-tree summary #to check the status