ASK THE EXPERT- SPANNING TREE PROTOCOL

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Spanning Tree Protocol with Cisco expert Francois Tallet. Francois is a developer in Cisco's Internet Switching Business Unit. He is CCIE #3559 and has specialized in LAN Switching since he joined Cisco in early 1997. Feel free to post any questions relating to Spanning Tree. Remember to use the rating system to let Francois know if you’ve received an adequate response.

Francois might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 23. Visit this forum often to view responses to your questions and the questions of other community members.

87 REPLIES
New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Our core 6513 vtp server currently has 83 vlans. Closet 3548's (trunked with only a few vlans allowed) can only support 64 instances of spanning tree. The 3548's appear to randomly set vlans over 64 to no spanning-tree.

What is the correct approach to ensure that the appropriate vlans on any given 3548 receive spanning-tree?

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

This is rather a VTP question;-)

I don't know how the 3548 chooses the vlans (probably on a first come, first served basis). As you have more vlans on the core than on the access, I guess each of your access switches needs a different set of vlans. So, anyway, there is no automatic way for VTP to satisfy your design and you will eventually have to manually select a subset of the vlans on your access switches. Thus, using the transparent mode and configuring only the necessary vlans on your 3548s seems to be the solution.

Regards,

Francois

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi,

another solution is to allow only a subset of VLANs on the trunks between 3548 and the core.

If you use the (config-if)#switchport trunk allowed vlan remove ..... command on the 3548, it will reduce the number of VLANs on the trunk and the number of STP instances, too.

(You need to do this reduction on the other - core - side of the trunk, too.)

This is a more comfortable way than transparent mode and manual VLAN definition, I think.

Regards,

Milan

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

The problem is that it's not because you don't allow vlan X from the uplink that vlan X will not be advertised by VTP. If vlan X is configured in the VTP domain, there is simply no way of getting rid of vlan X on the 3548 without leaving the domain.

However, on the cat6k, we only create a spanning tree instance for vlans that have at least one active port on the local box. If the 3548 behaves the same, this method would work provided that you filter out vlan X not only from the uplinks but also from any port of the switch (this may be more config than changing VTP). Another possibility may also be to manually disable the spanning tree for the unwanted vlans (no spanning-tree vlan X).

My feeling is that it is more convenient to configure the few required vlans instead of removing the potentially many you don't want. But in the end, all these methods require manual configuration on the access switches, so there is nothing automatic...

Regards,

Francois

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Francois,

to be 100% clear:

1) How do you define "STP instance"? Is it a separate STP process running for each VLAN configured on a switch?

2) You are saying: "...on the cat6k, we only create a spanning tree instance for vlans that have at least one active port on the local box".

But when there is a trunk to the cat6k with VLANx allowed it should be considered as an active port, shouldn't it? (I.e. VLANx BPDUs should be still sent on the trunk.)

3) What is the total number of logical ports across all instances of STP limit for Cat2900/3500/XLs?

http://www.cisco.com/warp/public/473/16.pdf is showing these limits only for Cat4000/5000/6000. It is using the following formula to compute the sum of logical ports on the switch:

(number of non-ATM trunks * number of active Vlans on that trunk) + 2*(number of ATM trunks * number of active Vlans on that trunk) + number of non-trunking ports.

I read somewhere the limit was 64. But counting logical ports on a 3548 switch using two trunks with 10 VLANs each gives 66 logical ports. So 64 is probably not the correct limit.

Regards,

Milan

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

1) We have one single STP process (actually 2) shared by all the instances, but each instance has its set of data structures: one for the instance itself and one for each port on which it is active. As long as there is no instance port, the instance is not allocated.

2) Yes, a trunk is seen as a port for all the instances that are configured on it. That's why if you don't want the instance to be created, you have to remove its corresponding vlan from all the ports on the box, trunks included.

3) If the switch is able to run 64 spanning tree instances, it means that it is able to have 64 instance ports on all its ports... The XL switches don't use the same formula as the 6k and 4k because they support a limited number of instances and have inherently a known number of ports: there is no need for a complex equation;-)

Regards,

Francois

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

1) In PVST, each vlan has its own independent instance of the spanning tree, so you can easily consider that an instance is the spanning tree running for a particular vlan. In MST, the same applies but the concept of instance is more explicit: instance = MST instance.

We have one single STP process (actually rather 2) shared by all the instances, but each instance has its set of data structures: one for the instance itself and one for each port on which it is active. As long as there is no instance port, the instance is not allocated.

2) Yes, a trunk is seen as a port for all the instances that are configured on it. That's why if you don't want the instance to be created, you have to remove its corresponding vlan(s) from all the ports on the box, trunks included.

3) If the switch is able to run 64 spanning tree instances, it means that it is able to have 64 instance ports on all its ports... The XL switches don't use the same formula as the 6k and 4k because they support a limited number of instances and have inherently a known number of ports: there is no need for a complex equation;-)

Regards,

Francois

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Well, I don't understand your answer 3) completely (BTW, English is not my native language).

Do you mean I can have all ports on an XL switch participating in up to 64 spanning trees? Theoretically: I can have 64 VLANs configured on an XL switch with all ports configured as trunks?

And after adding 65th VLAN one VLAN will stop running STP?

Does the rule "As long as there is no instance port, the instance is not allocated" also apply to XLs, i.e. I can have 200 VLANs in the VLAN database but if only 64 of them are allowed on trunks or have access ports assigned, everything is OK?

Regards,

Milan

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi Milan,

Well, English is not my native language either, that may be part of the problem;-)

Yes, assuming that your XL supports 64 spanning tree instances and has 24 ports, you can have up to 64x24 logical ports (that was just to keep the comparison with the cat4/5/6k of counting logical ports, even if it is not really relevant in that case).

After you have created 64 vlans that have a running spanning tree instance, if you create a 65th one, it will not run the spanning tree.

I think I understand where I confused you. I did not mention that a spanning tree instance can be created and not running. Basically you have 3 cases for an existing vlan (we are talking pvst here):

- vlan has no active port on the switch: the corresponding instance is not created (no memory allocation, no cpu used).

- vlan has at least one active port: an instance is created in memory, but there are two subcases:

  - spanning tree is running for the instance => memory allocated, cpu used

  - spanning tree is not running => memory allocated, cpu "not used"

That's a simplistic explanation, but I just want to say that the limit on the spanning tree instances is rather cpu utilization related.

Regards,

Francois
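The instance-allocation rule Francois describes (an instance exists only for a vlan with at least one active port, trunks included) and the Cat4k/5k/6k logical-port formula Milan quoted, as an added model that is not part of the thread or of Cisco's code. The 64-instance limit and the 48-port 3548 come from the thread; the switch definitions are constructed sample data, and the assumption that instances are admitted in ascending VLAN order is mine (the thread says the real order is unknown).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    vlans: set[int]            # access VLAN, or VLANs allowed on a trunk
    trunk: bool = False
    atm: bool = False          # ATM trunks count double in the Cat4k/5k/6k formula
    up: bool = True


@dataclass
class Switch:
    vlan_db: set[int]          # VLANs present in the VTP domain / local database
    ports: list[Port]
    max_instances: int = 64    # per-box STP instance limit quoted for the 3548

    def active_vlans(self) -> set[int]:
        """VLANs with at least one active port: only these get an instance
        allocated (a trunk counts as a port for every VLAN it allows)."""
        active: set[int] = set()
        for p in self.ports:
            if p.up:
                active |= p.vlans & self.vlan_db
        return active

    def instances(self) -> tuple[set[int], set[int]]:
        """Split active VLANs into (running STP, created but not running).
        Assumption, not from the thread: instances are admitted in ascending
        VLAN order; the real 3548 selection order is stated to be unknown."""
        active = sorted(self.active_vlans())
        return set(active[: self.max_instances]), set(active[self.max_instances:])

    def logical_ports(self) -> int:
        """Cat4k/5k/6k formula from the thread: sum over trunks of active VLANs
        (x2 for ATM trunks) plus the number of non-trunking ports."""
        total = 0
        for p in self.ports:
            if p.trunk:
                n = len(p.vlans & self.vlan_db)
                total += 2 * n if p.atm else n
            else:
                total += 1
        return total

    def unprotected_vlans(self) -> set[int]:
        """Active VLANs left without a running spanning tree: the condition
        a defender wants to alarm on, since a loop in them is not blocked."""
        return self.instances()[1]


def build_3548(trunk_vlans: set[int], vlan_db: set[int]) -> Switch:
    """Constructed sample: a 48-port 3548 with 46 access ports in VLAN 1 and
    two uplink trunks (Milan's example uses two trunks with 10 VLANs each)."""
    access = [Port(f"Fa0/{i}", {1}) for i in range(1, 47)]
    trunks = [Port("Gi0/1", set(trunk_vlans), trunk=True),
              Port("Gi0/2", set(trunk_vlans), trunk=True)]
    return Switch(vlan_db=set(vlan_db), ports=access + trunks)


if __name__ == "__main__":
    core_vlans = set(range(1, 84))               # the 83 VLANs on the core
    pruned = build_3548(set(range(1, 11)), core_vlans)
    print("pruned trunks:", pruned.logical_ports(), "logical ports,",
          len(pruned.instances()[0]), "instances, unprotected:",
          sorted(pruned.unprotected_vlans()))
    unpruned = build_3548(core_vlans, core_vlans)
    print("all VLANs allowed, unprotected:", sorted(unpruned.unprotected_vlans()))
```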

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Thanks,

It's clear now.

Regards,

Milan

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

When exactly is UDLD necessary?

I have a core switch 3550 (SMI) and 2950 access level (FX100 between them).

Links were lost between both at random.

Loop-backs were detected on the ports; UDLD helped, but then I wonder if it was the good thing to do, rather than only disabling keepalive on the interfaces.

When do you suggest enabling UDLD exactly?

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

I have three questions, please help me.

1. What is a keepalive message? Is it end-to-end? When two routers A and B are connected by a switch C, if router A sends out a keepalive message, will switch C process it or transfer it to router B? If it is not an end-to-end message, how can the routers find out that the link between them is down when the routers are using static routes?

2. The ISP provides MPLS VPN service to the customer, but the customer does not want to run routing protocols between the MPLS VPN VRF and the CEs; it wants the MPLS VPN VRF to act just like a bridge that transparently transfers the CEs' routing protocols. Can the MPLS VPN VRF work like a bridge?

3. Two ISPs provide MPLS VPN service to a customer's two branches; every ISP provides one 10M link to connect each of the customer's two branches. The customer wants to load-share on the two links, but if one is down, the CE router can transfer all traffic to the other link in less than 5 seconds, and it wants all the CEs to run OSPF. Then which OSPF area will the CE belong to? Can OSPF or static routes satisfy the customer's fault tolerance in less than 5 seconds?

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

IMO it's always a good thing to run UDLD and loopguard. On a L2 network, a unidirectional link failure is close to being the worst case scenario.

http://www.cisco.com/warp/customer/473/16.html#2b

It is thus very important you try to understand why UDLD detected a problem with your links rather than just hiding the issue.

Loopguard is the STP mechanism that takes care of protecting against that kind of failure.

PROS: loopguard is quick to block a potential bridging loop or re-establish the traffic when the problem is cleared.

CONS: loopguard is not able to detect a failure that is already present at link-up.

You can enable both features at the same time, so you don't have to decide between one or the other anyway.

Other URLs for reference:

http://www.cisco.com/warp/customer/473/77.html

http://www.cisco.com/warp/customer/473/84.html#feature

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Francois,

I have a rather basic STP question. I realize that spanning tree will reconverge anytime a network change occurs, but I'm wondering what exactly happens when I just add a new switch to the network if the new switch doesn't cause any loops. For instance, if I just add a switch to a closet and uplink it to the next switch in the stack. It doesn't make sense to me that the network will reconverge and have all the switches go through blocking, listening, learning, and forwarding---this seems like it would unnecessarily block the whole network for 50 or so seconds. So I am wondering what is actually going on. Is the reconvergence only local--between the new switch and its uplink partner? Or does STP reconverge for the whole network in a way that doesn't include the blocking phase?

Thanks.

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi William,

This sounds like a basic question but actually, that's a very important one because there are a lot of myths associated with that;-)

In the case you have described, if of course the switch you are adding is not the new Root, no reconvergence will happen and the impact will be purely local (except that a topology change will be generated but a TC will not trigger any kind of STP recalculation).

There is no case in STP where all the bridges start over all their ports in blocking mode (except power-up of the whole network). This is the myth! Spanning tree recalculation is needed when the network needs to transition to a new final topology. And the transition is evaluated on a per-port basis for all bridges. Here are the four possible transitions between stable port states:

(1). blocking-blocking

(2). blocking-forwarding

(3). forwarding-forwarding

(4). forwarding-blocking.

(1), (3) and (4) are immediate. Only (2) will need 30 seconds through the listening-learning stages. So when the topology of your network changes, only the ports that are moving from a blocking state in the old topology to a forwarding state in the new topology will be temporarily affected, potentially disrupting the communication.

If you are adding an access bridge, the only change in the final network topology is an additional link up. Only the ports on this link will be affected in order to transition from blocking to forwarding...

If the bridge you are adding was the root, the final topology of the whole network might be changed, and many other ports in the network would be affected (introducing temporary loss of connectivity potentially anywhere). But even in this case, there is no reason that all the ports in the network should go to blocking.

Regards,

Francois

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Francois,

Thank you for answering this so clearly and thoroughly. That question has been bugging me for some time, but I think I'm finally understanding what goes on.

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

While a TCN will not necessarily trigger a STP recalculation, it *will* trigger a CAM flush in the switches, leading to unnecessary flooded traffic.

So it's always a good idea to keep STP stable, which includes using PortFast to get rid of unnecessary TCNs.

But you know this, of course.

-A

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi Asbjoern,

I globally agree with you but would like to rephrase your statements a little bit:

- A TC will never trigger a STP recalculation. The topology change mechanism is rather a consequence of a change in the STP rather than a cause.

- The flush is necessary in the case William described. If the switch he newly connected was removed from another core switch, the flush is vital in order to recover connectivity. And in this case you may have unnecessary flooded traffic, even if you configured portfast wherever possible.

Note also that the flooding will be limited in STP because we just reduce the aging time to forward delay, so only stations that are silent for more than that time will have their mac address flushed. RSTP introduces a much more "violent" behavior by roughly flushing the CAM tables in the whole network. So the IEEE does not worry that much about unnecessary flooding (which may not be that good in some cases;-))

Regards,

Francois

For reference, here are two of my documents regarding STP TC and RSTP TC:

http://www.cisco.com/warp/customer/473/17.html

http://www.cisco.com/warp/customer/473/146.html#topic5

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

From what I read on UDLD, Cisco suggests having UDLD turned on globally. I have a Catalyst 6513 with UDLD enabled globally on the uplink GIG ports. It works with the GIG ports. On 10/100 ports you do not require it.

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Please forgive me for confusing SPAN with spanning tree, but if you can help I'd appreciate it. On a 3548XL (12.0(5.2)XU), can you communicate with a host on a port that's monitoring/spanning another port? Our 6509 seems to do this fine.

If not, will it likely happen on 3548 in a future IOS?

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Indeed there is no relation between span and spanning tree. That's why they had the great idea of naming the feature port monitoring on the XL switches;-)

I wrote long ago the following paper on the feature:

http://www.cisco.com/warp/customer/473/41.html#topic1

From what I wrote at that time, it seems it is possible to communicate with a host on a destination port. Now, it's been a while since I have dealt with this feature/platform and I don't have a 3548 in my lab to quickly test. I'm afraid I cannot be more specific.

Regards,

Francois

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Windows XP has the capacity of sharing an Internet connection from a modem to an Ethernet port. Now, if you have a wired Ethernet port, a Wireless Ethernet port and a modem port with Internet Sharing turned on, Windows XP creates a virtual bridge between the wired and wireless ports. If you come to a network that has wired and wireless access, and do not turn off the Internet Sharing, this machine acts as a bridge between the wired and wireless ports!! I tried to avoid this loop using STP, but Cisco's STP cannot detect this kind of loop.

I will appreciate any comments regarding this scenario, that is happening in a big school in Mexico.

Regards.

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi Gabriel,

The case is identical to bridging between two wired LANs. I assume that there is only one Cisco switch involved in this loop. It should send bpdus on both the wired and wireless lan. When the windows box starts bridging between these two lans, the switch will receive its own bpdus and will immediately move one of the two designated ports into the backup role (blocking state).

That's what should happen, at least. There are several reasons why this could fail:

- There may be another device eating up the bpdus somewhere in the loop. Check what devices are involved between the two ports of the Cisco bridge, be sure they transmit the bpdus they receive. In particular, check that the windows box is propagating the bpdus it received on the wired lan to the wireless lan. If the bpdus are not going through, there is nothing our switch can do.

- The switch may not be sending bpdus on its ports: check that you don't have any bpdu filtering configured on the ports.

So basically, without introducing this internet sharing feature, check on the switch that it is sending bpdus using interface counters. On the windows box, capture packets on both the wired and wireless lan and check these bpdus are coming in. Then, create the loop enabling this internet sharing feature and check on the switch that at least one port keeps receiving bpdus from the other one. You should identify a problem at one of these stages.

My only concern is that even if you succeed in blocking the loop, the result will not be very nice anyway. Suppose that the port leading to the wireless lan is getting blocked: this means that now all the wireless users will have connectivity through your windows box and its wired lan! If the wired lan is not shared, be sure you block the potential loop on this side rather than on the wireless lan;-)

Hope this helps,

Francois

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

I have one question.

When I set the STP root on a 3550, the priority is set to 16384 in the sh run display. But when I do sh spanning-tree vlan 1, I find it is 16385 (priority 16384 sys-id-ext 1). So my question is why 1 is added and what the advantage of this is?

thanks!

C3550-12G#sh spanning-tree vlan 1

VLAN0001

Spanning tree enabled protocol ieee

Root ID Priority 16385

Address 000b.be58.eb00

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 16385 (priority 16384 sys-id-ext 1)

Address 000b.be58.eb00

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi Henry,

The reason is that you have extended system id enabled on your switch.

A bridge ID consists of a 16 bit priority field and a 48 bit mac address. Each of the bridge IDs, for each vlan, is supposed to be different from any other. Initially, we were giving one different mac address per vlan to ensure that. It was already expensive for 1K vlans but clearly did not scale to the 4K vlans we now support.

The solution is the extended system id feature (mac reduction in catos). This has been added to the IEEE standard with the 802.1t amendment. The principle is to steal 12 bits from the priority field to differentiate the bridge ID of the 4K vlans. Imagine that the default priority P (32768) is configured for all vlans. With extended system id, P+1 is the priority for vlan 1, P+2 is the priority for vlan 2 and P+N the priority for vlan N etc... This trick allows us to use a single mac address for the bridge id of all the vlans: if the priorities are necessarily different for each and every vlan, the mac address does not have to be different to ensure uniqueness of the bridge id.

The only drawback is that there are only 4 bits left available for the user in the priority field, thus the bridge priority can only be set to multiples of 4096 (2 power 12).

Hope this clarifies a little bit. Search for mac address reduction (macreduction) or extended system-id for more information.

Regards,

Francois
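The 802.1t bridge ID layout Francois describes, as an added example that is not from the thread or from Cisco: the 16-bit priority field is split into 4 configurable bits (multiples of 4096) and a 12-bit system ID extension holding the vlan number, so one mac address gives a distinct bridge ID per vlan. The values reproduce Henry's output (16384 + sys-id-ext 1 = 16385, address 000b.be58.eb00); the other bridge addresses and the show-line consistency check are my constructions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeID:
    """Field order is the STP comparison order: the lowest bridge ID wins."""
    priority_field: int   # 16-bit value as printed by 'show spanning-tree'
    mac: int              # 48-bit bridge address


def encode_priority(configured: int, vlan: int) -> int:
    """802.1t layout: upper 4 bits = configured priority, lower 12 = vlan."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    return configured | vlan


def decode_priority(field_value: int) -> tuple[int, int]:
    """Inverse of encode_priority: (configured priority, sys-id-ext)."""
    return field_value & 0xF000, field_value & 0x0FFF


def parse_mac(dotted: str) -> int:
    """Parse the Cisco dotted form (000b.be58.eb00) into an integer."""
    return int(dotted.replace(".", ""), 16)


def bridge_id(configured: int, vlan: int, mac: str) -> BridgeID:
    return BridgeID(encode_priority(configured, vlan), parse_mac(mac))


def elect_root(candidates: list[BridgeID]) -> BridgeID:
    """Root election for one vlan: lowest priority field, then lowest mac."""
    return min(candidates)


_PRIO_RE = re.compile(r"Priority\s+(\d+)\s+\(priority\s+(\d+)\s+sys-id-ext\s+(\d+)\)")


def check_show_line(line: str) -> bool:
    """Consistency check on a 'Bridge ID Priority ...' line of show output:
    the printed total must equal configured priority | sys-id-ext."""
    m = _PRIO_RE.search(line)
    if not m:
        raise ValueError("not a Bridge ID Priority line")
    total, configured, ext = (int(x) for x in m.groups())
    return encode_priority(configured, ext) == total


def ids_are_unique(mac: str, vlans: range) -> bool:
    """One mac, many vlans: the sys-id-ext alone makes every bridge ID distinct."""
    ids = {bridge_id(32768, v, mac) for v in vlans}
    return len(ids) == len(vlans)


if __name__ == "__main__":
    henry = bridge_id(16384, 1, "000b.be58.eb00")
    print("vlan 1 priority field:", henry.priority_field)          # 16385
    print("decoded:", decode_priority(henry.priority_field))        # (16384, 1)
    print("unique across 4094 vlans:", ids_are_unique("000b.be58.eb00", range(1, 4095)))
```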

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi Francois,

I got the answer and I have another three stp question;-D

1. I want to enable portfast on all ports of the switch except the ones I already know have a loop, to improve network performance. But many people told me not to do that.

I know if one port has a loop caused accidentally by somebody, the port will be blocked by STP even if portfast is enabled, and it will not bring down the whole network.

So what are the disadvantages of this?

2. My network topology is like this:

two core 6509s and 8 access switches. Each access switch is directly connected to the two 6509s with fibre, and one 6509 is the odd vlans' root, the other is the even vlans' root.

I want to remove our 4 access switches. When I unplugged all cables from the two core 6509s trunked to the 4 access switches, the whole network hung up for about 1 minute. I think it is maybe STP's recalculation. But from your reply to William, you said there is no case in STP where all the bridges start over all their ports in blocking mode.

I am puzzling over what the possible reason for this is.

3. I have a development environment which is comprised of one 3550-EMI and four 3550-SMI. The 3550-EMI is all vlans' root. For more redundancy, I added a new 3550-EMI which will be the odd vlans' root. After I connected the new 3550-EMI to the existing network, I configured it to be all odd vlans' root. I found the priority is a new value which can make the new 3550-EMI become the odd vlans' root instead of the default value 24576. I think the switch will auto-adjust the priority to enable it to be the vlan's root if I issue the "spanning-tree vlan 1 root prim" command. Am I right?

thanks for your reply.

Regards,

Henrry

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Hi again Henry,

1) As everybody else, I would not encourage you to enable portfast anywhere in your network. You are right, a portfast enabled port is still able to move immediately to a blocking state. However, spanning tree was designed to block while reconverging for good reasons. If you override this behavior by configuring portfast on a port that should be blocking in the final topology, you introduce temporary bridging loops. The problem is that you don't know exactly how "temporary" it will be: a loop can use the full bandwidth of your network in a fraction of a second, leading to further bpdu losses and thus creating a snowball effect that can prevent your network from stabilizing. You don't want this to happen each time one of your portfast enabled links flaps...

You should rather consider moving to rapid-pvst than taking this risk.

2) From your network description, it seems that there is no link between your two core switches. This means that the traffic between them is going through one of your access bridges. When disconnecting this access bridge, spanning tree had to reconverge in order to unblock the uplink of another access bridge. Note that the same problem could occur if you had a link between the two cores but there was a better connection through the access switch (like a 100MB inter core trunk and a gigabit attached access). It's not because a switch looks like an access bridge that it is one for the spanning tree;-)

Please open a case to the TAC if the above hint is not enough: this problem is certainly easy to fix but we need a much more detailed description of the network and I don't want to overload the forum with a case.

PS: I don't see in this network where it would be safe to enable portfast between switches.

3) Yes you are right.

Finally, I know there are a lot of documents that are showing this odd/even vlan load balancing, but this is the DE who speaks now;-). Could you use ranges of vlans instead? Something like vlan 1000-2000 have their root on the left core switch, vlan 3000-4000 on the right core switch. This is more efficient for our internal implementation. This is not a big deal however, don't start rebuilding your network because of this recommendation.

Regards,

Francois

New Member

Re: ASK THE EXPERT- SPANNING TREE PROTOCOL

Are there any known issues with UDLD and etherchannel?

Quite frankly, I can't think of a reason not to use UDLD and am wondering why it's not a default setting.

Also, as far as best practices go, when you have redundant sup's in your 6500 series switches, what would you recommend as far as using those gig ports or not using those gig ports on the supervisor.

Thanks in advance!

-D
