This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers in regards to the CCIE R&S track!! Note: answers are in the comment field or within "Read More" section.

You can also follow me on twitter @FE80CC1E


Showing posts with label Spanning-Tree. Show all posts

Sunday, July 10, 2011

Best Practices Part 1 - Layer 2 Spanning-Tree

The topology depicted in the diagrams is used to demonstrate data flow during failure and to provide discussion around best practices; it may not necessarily be configured as optimally as possible. I will provide examples in a series of blog posts that offer alternate technical solutions following best practice guidelines.

[Figures: Topology; Normal Data Path Flow; Data Path Flow - Root Fail; Data Path Flow - Access Trunk Fail; Data Path Flow - Router Fail]

- Spanning-Tree mode Rapid-PVST (802.1w) or MST (802.1s) - I will show more about load balancing techniques leveraging each of these technologies in "Layer 2 Spanning-Tree Best Practices Part-2".
- Deterministic blocked ports - in this example we know exactly which ports are going to be blocked by STP. All redundant connections to the secondary root bridge will be blocked.
- Cisco also recommends that you do not exceed an STP diameter of seven hops.
- Ensure that you hard configure your Root and Secondary Root bridges.
- Ensure that you only allow required VLANs over the trunks so that you are not running unnecessary STP instances.

Features to leverage include:
Access Layer
-portfast
-bpduguard
-disable DTP
-loopguard
-etherchannel Guard

Distribution Layer
-root and secondary root placement
-root guard
-disable DTP
-etherchannel Guard

Leverage EtherChannel to reduce the number of ports that need to transition from blocking to forwarding state when leveraging multiple links.

EtherChannel Ports
-EtherChannel Guard

Saturday, February 5, 2011

Quick Notes - Layer2 MISC

Layer2 MISC

Loop Guard - Prevents alternate and root ports from becoming designated ports. If BPDUs are not received on a non-designated port, the port is moved into err-disabled state
Global config - "spanning-tree loopguard default"

UDLD - Unidirectional Link Detection
- Both sides need to be configured
- default setting is disabled on copper ports and enabled on fibre ports
Enable on copper ports, interface config - "udld enable"

Root Guard
- the port that has root guard enabled ensures that if a superior BPDU is received the port is put into "root inconsistent state"
Interface config - "spanning-tree guard root"

BPDU Guard
- Ensures that loops are not formed on ports that are enabled to use portfast; if a BPDU is received the port is put into error disabled state. Two ways to enable BPDU Guard:
Global config - "spanning-tree portfast bpduguard" - All ports that have portfast enabled will also have BPDU guard enabled
Interface config - "spanning-tree bpduguard enable"

BPDU Filter
- When enabled globally and a BPDU is received on a port that is enabled with portfast, the port loses its portfast status
Global config - "spanning-tree portfast bpdufilter default"
- When enabled on the interface the port stops sending and receiving BPDUs. This is dangerous as a loop can form
Interface config - "spanning-tree bpdufilter enable"
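
The guards in these notes and the access-layer list from the best-practices post can be checked mechanically. The script below is an added example, not part of the original posts: it audits access ports in a classic-IOS style config for portfast without BPDU guard, interface-level BPDU filter, and DTP left enabled. The sample config, function names and finding labels are constructed for illustration.

```python
# Constructed sample config (not from the original post), classic IOS syntax.
SAMPLE = """\
spanning-tree mode rapid-pvst
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

def parse(config):
    glob, intfs, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw.startswith("interface "):
            current = intfs.setdefault(raw.split()[1], [])
        elif raw[0].isspace() and current is not None:
            current.append(raw.strip())   # indented: belongs to interface
        else:
            current = None                # back at global level
            glob.append(raw.strip())
    return glob, intfs

def audit(config):
    """Return sorted (interface, finding) pairs for access ports."""
    glob, intfs = parse(config)
    # Global BPDU guard (with or without "default") covers all portfast ports.
    guard_all = any(g.startswith("spanning-tree portfast bpduguard") for g in glob)
    findings = []
    for name, cmds in intfs.items():
        if "switchport mode access" not in cmds:
            continue                      # trunks are out of scope here
        guarded = guard_all or "spanning-tree bpduguard enable" in cmds
        if "spanning-tree portfast" in cmds and not guarded:
            findings.append((name, "portfast-without-bpduguard"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "bpdufilter-on-interface"))
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "dtp-not-disabled"))
    return sorted(findings)
```

Calling audit(SAMPLE) flags only GigabitEthernet0/2; the hardened port and the trunk produce no findings.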

Quick Notes - RSTP

RSTP 802.1w

States
- Discarding, Learning, and forwarding state

Alternative Port
- backup port to the designated port for fast convergence

Backup Port
- backup port to the root port for fast convergence

BPDUs
- sent every 2 seconds and act as a keepalive; after 3 missed hellos the protocol information is aged

Implementing RSTP
- MST automatically enables RSTP - "spanning-tree mode mst"
- PVST+ - "spanning-tree mode rapid-pvst"

Quick Notes - STP

STP 802.1D

Portfast
- Ports coming up are put into forwarding states
- TCN are not generated when a port comes up or down

Uplinkfast
- detects a directly connected failure and enables a new root port immediately
- increases the root priority to ensure that the switch will not become the root
- sets the port cost to 3000
- tracks alternate root ports

Backbonefast
- speeds convergence when a failure occurs and is indirectly located. Reduces convergence from 50 seconds to approx 30 seconds.
- all switches need to be configured with backbonefast


Tuesday, November 2, 2010

Question 168

What command can be used to ensure that if a port receives a BPDU the port is put into errdisable state?

Question 167

What command can be used to ensure that BPDUs received on a port disable the portfast feature?

Question 166

What command can be used to ensure that BPDUs are not transmitted or received on a port?

What is the risk of using this command?

Friday, April 30, 2010

Question 60

Can you use portfast on a trunk?

Question 59

What are the spanning-tree phases?

Question 58

What are the ways spanning-tree paths can be manipulated?

Tuesday, April 27, 2010

Question 46

How do you change the forward delay for an individual VLAN?

Question 44

How do you modify the max-age of a BPDU and what is its purpose?

Sunday, April 25, 2010

Question 21

What does "spanning-tree portfast" do?