Implementing Cisco Networking Solutions

Spanning Tree Protocols

Consider the Ethernet switching domain as shown in the following figure. For simplicity, let's assume a single VLAN across the Ethernet segment and untagged frames:

Figure 7: Broadcast Loops in Ethernet

There are two switches, A and B, with all ports in the same VLAN. The switches are connected to each other by two links, from port A9 to port B1 and from port A13 to port B5. Suppose host X, connected to port A1 of switch A, sends a frame to host Y. Switch A receives the frame on port A1 and looks up the destination MAC address of the Ethernet frame in its MAC address table. Because the table is empty at start-up, switch A has no entry for host Y and floods the frame out of every port in the VLAN except the one it arrived on, that is, ports A2 through A16. The copy leaving port A9 arrives at port B1 on switch B. Switch B does not have host Y in its MAC table either, so it floods the frame out of every port other than B1, including B5. That copy arrives back at switch A on port A13, is flooded again, and a loop is formed (the same happens in the other direction, since switch A also flooded the original frame out of A13). Unlike IP, Ethernet has no TTL or hop-count field, so nothing ever ages these frames out: every pass around the loop multiplies the traffic, producing a broadcast storm that saturates the links, spikes the switch CPU and can disrupt the entire switching domain. Each switch also re-learns host X's source MAC address on whichever port the looped copy arrived on, so MAC tables flap between ports and unicast forwarding breaks as well.

The frames looped because there was a closed physical loop in the Ethernet topology, and any Ethernet topology with a physical loop has this problem. One way to solve it is to disconnect the second link, but we need that link for redundancy. The other way is to run the Spanning Tree Protocol (STP): the switches exchange STP control frames, compute a single loop-free tree over the physical topology, and place the redundant ports in the blocking state, in which they still receive STP frames but do not forward data. If the active (forwarding) link goes down, STP recalculates the topology and moves a blocking port into the forwarding state, so redundancy is kept without a loop. Loops that span a set of switches, rather than a single pair, are handled in the same way. STP is defined in the IEEE 802.1D standard.

STP can run on a switch either per VLAN, building a separate loop-free forwarding topology for each VLAN, or in a multi-VLAN mode, in which one forwarding topology (an instance) is shared by a set of VLANs that you map to it in configuration. These modes are called Per-VLAN Spanning Tree (PVST) and Multiple Spanning Tree (MST, defined in IEEE 802.1s) respectively. When there are a large number of VLANs, MST is recommended: the switch computes and maintains one tree per instance rather than one per VLAN, so the number of control packets stays at a minimum and the CPU is not overloaded processing STP packets for every VLAN.

Cisco Ethernet switches run STP by default in PVST+ mode, Cisco's per-VLAN implementation. STP sends special frames called Bridge Protocol Data Units (BPDUs). A BPDU is carried directly in an Ethernet frame (with an LLC header rather than an EtherType) addressed to a well-known multicast MAC address, 01:80:C2:00:00:00 for IEEE 802.1D and 01:00:0C:CC:CC:CD for Cisco PVST+, so switches process it themselves instead of forwarding it. BPDUs are sent periodically (every 2 seconds by default) and processed by every switch to decide which ports go into the blocking state, which is what creates the loop-free topology. If a port or link state changes, the topology is recalculated and, where needed, a blocked port is unblocked; this is how STP provides redundancy. STP is built around a root bridge: one switch elected as the root of the loop-free tree that connects all Ethernet segments. Every other switch keeps forwarding on its single cheapest path towards the root and blocks the rest. A sample Ethernet topology and the resulting STP topology are shown in the following figure:

Figure 8: Blocked ports due to STP

The switch that acts as the root bridge is critical: traffic between hosts on different branches of the tree passes through it. The root bridge should therefore be the topmost device in the L2 hierarchy, not a switch at the edge. The root bridge is elected by processing BPDU messages: every switch initially claims to be the root, and the switch with the lowest bridge ID (a 2-byte priority, default 32768, followed by the switch's MAC address) wins. If priorities are left at the default, the election is decided by the lowest MAC address, which is often the oldest switch in the network, so the root should always be set explicitly. The IOS command to configure the switch as the root bridge is spanning-tree vlan <vlan-id> root primary, which lowers the bridge priority for that VLAN to 24576 (or to 4096 below the current root if that is already lower). spanning-tree vlan <vlan-id> root secondary sets 28672 on the intended backup root, and spanning-tree vlan <vlan-id> priority <value> sets the priority explicitly, in multiples of 4096.
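As an added example (not code from the book, and not Cisco's implementation), the following Python decodes an IEEE 802.1D Configuration BPDU from a constructed Ethernet frame and applies the election rule described above: the lowest bridge ID becomes root, and a received BPDU replaces a port's current view only if its (root ID, root path cost, sender bridge ID, port ID) vector is lower. The MAC addresses, VLAN number and frame contents are constructed for illustration; the priority values 32768 and 24576 are the IOS default and the value set by root primary, and in PVST+ the priority field carries the VLAN ID in its low 12 bits.

```python
"""Decode an 802.1D Configuration BPDU and apply the root-bridge election rule.

Constructed example for this chapter; not code from the book or from Cisco IOS.
"""
import struct
from dataclasses import dataclass

IEEE_STP_MAC = bytes.fromhex("0180c2000000")   # IEEE 802.1D BPDU destination MAC
LLC_STP = b"\x42\x42\x03"                       # DSAP=SSAP=0x42, UI control field
CONFIG_BPDU_FMT = "!HBBB8sI8sHHHHH"             # 35-byte Configuration BPDU body


@dataclass(frozen=True, order=True)
class BridgeId:
    """16-bit priority followed by 48-bit MAC; a lower value is a better bridge."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack("!H", raw[:2])[0], raw[2:8])

    def to_bytes(self) -> bytes:
        return struct.pack("!H", self.priority) + self.mac


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    flags: int = 0
    message_age: int = 0
    max_age: int = 20 * 256        # 802.1D timers are in units of 1/256 s
    hello_time: int = 2 * 256
    forward_delay: int = 15 * 256

    def priority_vector(self):
        """802.1D comparison order: root, cost to root, sending bridge, sending port."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

    def to_frame(self, src_mac: bytes) -> bytes:
        """Wrap the BPDU in an 802.3 frame with an LLC header (length, not EtherType)."""
        body = struct.pack(CONFIG_BPDU_FMT, 0, 0, 0, self.flags,
                           self.root_id.to_bytes(), self.root_path_cost,
                           self.bridge_id.to_bytes(), self.port_id,
                           self.message_age, self.max_age,
                           self.hello_time, self.forward_delay)
        length = len(LLC_STP) + len(body)
        return IEEE_STP_MAC + src_mac + struct.pack("!H", length) + LLC_STP + body


def parse_config_bpdu(frame: bytes) -> ConfigBpdu:
    """Validate destination, LLC header and BPDU type, then unpack the fields."""
    if frame[:6] != IEEE_STP_MAC:
        raise ValueError("not an IEEE STP BPDU destination")
    if frame[14:17] != LLC_STP:
        raise ValueError("not an LLC-encapsulated STP frame")
    body = frame[17:17 + struct.calcsize(CONFIG_BPDU_FMT)]
    (proto, version, bpdu_type, flags, root, cost, bridge, port,
     age, max_age, hello, fwd) = struct.unpack(CONFIG_BPDU_FMT, body)
    if proto != 0 or version != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D Configuration BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge),
                      port, flags, age, max_age, hello, fwd)


def is_superior(received: ConfigBpdu, current: ConfigBpdu) -> bool:
    """True if the received BPDU beats what this port currently believes."""
    return received.priority_vector() < current.priority_vector()


def elect_root(bridges):
    """The root bridge is simply the lowest bridge ID in the domain."""
    return min(bridges)


def pvst_bridge_priority(configured: int, vlan: int) -> int:
    """PVST+ priority field = 4-bit priority (multiple of 4096) + 12-bit VLAN ID."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return configured + vlan


def demo():
    """Constructed scenario: switches A and B in VLAN 1; B happens to have the lower MAC."""
    vlan = 1
    mac_a, mac_b = bytes.fromhex("001a2b3c4d02"), bytes.fromhex("001a2b3c4d01")
    a = BridgeId(pvst_bridge_priority(32768, vlan), mac_a)          # IOS default priority
    b = BridgeId(pvst_bridge_priority(32768, vlan), mac_b)
    before = elect_root([a, b])                                      # B wins on MAC alone
    a_primary = BridgeId(pvst_bridge_priority(24576, vlan), mac_a)  # after 'root primary' on A
    after = elect_root([a_primary, b])                               # A now wins
    # B still advertises itself as root on the A13<->B5 link; A's own view is better.
    own_view = ConfigBpdu(a_primary, 0, a_primary, 0x8009)
    rx = parse_config_bpdu(ConfigBpdu(b, 0, b, 0x8005).to_frame(mac_b))
    return before, after, is_superior(rx, own_view)


if __name__ == "__main__":
    print(demo())
```

The comparison in is_superior is the whole election: any BPDU that arrives with a lower bridge ID than the configured root, for instance one carrying priority 0, wins it. That is the root-bridge security concern deferred to Chapter 8.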

We will cover the security aspects of the root bridge in Chapter 8, Understanding and Configuring Network Security.