Browsed by
Tag: CCIE

CCIE: 802.1s (MST)

CCIE: 802.1s (MST)

Overview:

MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

All the details can be found here.

My personal field experience:

It’s funny, I always hear how great MST is (and it does have advantages) but, I only saw it in a production enterprise environment a handful of times. The primary drivers are lots of VLANs (500+) and load balancing traffic (VLAN traffic engineering) across redundant links. Service providers could use this on small metro rings that utilize STP as the ring failover mechanism (RPR may be a better option).

Configuration:

For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.

For two or more switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.

SW1 (Root for Instance 2 and 3, backup root for Instance 1)

spanning-tree mst configuration

instance 1 vlan 1-100

instance 2 vlan 101-200

instance 3 vlan 201-4094

spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
spanning-tree mst 3 priority 0
Additional information:  
http://en.wikipedia.org/wiki/Spanning_Tree_Protocol#Multiple_Spanning_Tree_Protocol_.28MSTP.29
http://www.ieee802.org/1/pages/802.1s.html

 

CCIE: Root Guard, BPDU Guard, BPDU Filter, and Loop Guard

CCIE: Root Guard, BPDU Guard, BPDU Filter, and Loop Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.
At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

The “default” global option works in conjunction with spanning-tree portfast default on interfaces that are in the portfast state.

verify with “sh interface fa x/x status”
test bpdu to router with bridging interface “bridge 1 proto ieee , int fa x/x bridge-group 1”

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.
BPDU filter works in conjuction with portfast as well.

If BPDU’s are dectect the interfaces will revert out of portfast mode.

Verify with “sh span inter fa x/x portfast” RootGuard will not errdisable a port. It will go into root inconsistant state until superior BPDUs cease.

Loop Guard is similar to UDLD except it uses STP bpdu keepalives to determine if there is a uni-directional link failure.

Understanding Loop Guard

You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

You can enable this feature by using the spanning-tree loopguard default global configuration command.

When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.

Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 18-8. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer’s switch from becoming the root switch or being in the path to the root.

If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is not in the path to the root.

If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region configuration.

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be grouped and mapped to an MST instance.

You can enable this feature by using the spanning-tree guard root interface configuration command.

CCIE: VTP or not to VTP, that is the question.

CCIE: VTP or not to VTP, that is the question.

In *most* productions networks device limitations (VLAN,TCAM entries) must be taken into consideration. This is one of the downsides of using VTP. All switches will get the entire database regardless if they have local assignments or even are in the transit L2 path. Transparent mode and manually creating the necessary VLANs may be your best option. Switches to not create a STP instance for unnecessary VLANs thus conserving resources and CPU cycles. If you are using VTP be sure to enable pruning to conserve bandwidth or statically remove unnecessary VLANs from the trunk links. “sh interface pruning” or “sh interface trunk | begin pruned” to verify.

Two quick ways to view port/vlan assignment.

“sh vlan brief” or “sh interface status”

VTP can save time by allowing a central place to manage and create VLANs. Here are some tips when implementing VTP.

1) Make sure your trunk (ISL/.1q) interfaces are healthy.

2) Assign a domain name on the VTP server. All other clients will inherit this.

3) Create VLANs on server and verify creation/revision sync on clients.

Verify with “sh vtp status” and if a password is configured “sh vtp password”.

Transparent mode switches will pass updates but not accept them. Their revision number should be “0”.

"Sh interface trunk" can help determine the L2 transit path if the VLAN exists. This helps with tasks that required you to restrict the VLAN's allowed on trunks. 

Investigate pruning elegiable list (except/all/none). "sw tr prun vlan"