This article provides information and commands concerning the following topics:
Configuring optional spanning-tree features
BPDU Guard (2xxx/3xxx series)
Spanning Tree Protocol Definition
The spanning-tree standards bring to Layer 2 bridging environments the same protection against loops that routing protocols provide in Layer 3 forwarding environments. A single best path to the root bridge is found and maintained in the Layer 2 domain, and redundant paths are controlled by selectively blocking ports. The blocked ports begin forwarding when the primary path to the root bridge is no longer available.
There are several different spanning-tree modes and protocols:
Per VLAN Spanning Tree (PVST+): This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. The PVST+ runs on each VLAN on the device up to the maximum supported, ensuring that each has a loop-free path through the network. PVST+ provides Layer 2 load balancing for the VLAN on which it runs. You can create different logical topologies by using the VLANs on your network to ensure that all of your links are used but that no one link is oversubscribed. Each instance of PVST+ on a VLAN has a single root device. This root device propagates the spanning-tree information associated with that VLAN to all other devices in the network. Because each device has the same information about the network, this process ensures that the network topology is maintained.
Rapid PVST+: This spanning-tree mode is the same as PVST+ except that it uses a rapid convergence based on the IEEE 802.1w standard. Beginning from Cisco IOS Release 15.2(4)E, the STP default mode is Rapid PVST+. To provide rapid convergence, Rapid PVST+ immediately deletes dynamically learned MAC address entries on a per-port basis upon receiving a topology change. By contrast, PVST+ uses a short aging time for dynamically learned MAC address entries. Rapid PVST+ uses the same configuration as PVST+ and the device needs only minimal extra configuration. The benefit of Rapid PVST+ is that you can migrate a large PVST+ install base to Rapid PVST+ without having to learn the complexities of the Multiple Spanning Tree Protocol (MSTP) configuration and without having to reprovision your network. In Rapid PVST+ mode, each VLAN runs its own spanning-tree instance up to the maximum supported.
Multiple Spanning Tree Protocol (MSTP): This spanning-tree mode is based on the IEEE 802.1s standard. You can map multiple VLANs to the same spanning-tree instance, which reduces the number of spanning-tree instances required to support a large number of VLANs. MSTP runs on top of the Rapid Spanning Tree Protocol (RSTP) (based on IEEE 802.1w), which provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state. In a device stack, the cross-stack rapid transition (CSRT) feature performs the same function as RSTP. You cannot run MSTP without RSTP or CSRT.
Default spanning-tree implementation for Catalyst 2950, 2960, 3550, 3560, and 3750 switches is PVST+. This is a per-VLAN implementation of 802.1D. Beginning from Cisco IOS Release 15.2(4)E, the STP default mode is Rapid PVST+ on all switch platforms.
Enabling Spanning Tree Protocol
Switch(config)# spanning-tree vlan 5 | Enables STP on VLAN 5 |
Switch(config)# no spanning-tree vlan 5 | Disables STP on VLAN 5 |
Many access switches such as the Catalyst 2960, 3550, 3560, 3750, 9200, and 9300 support a maximum of 128 spanning trees using any combination of PVST+ or Rapid PVST+. The 2950 model supports only 64 instances. Any VLANs created beyond the 128-instance limit cannot have a spanning-tree instance running in them. If such a VLAN without spanning tree is transported across a trunk, a Layer 2 loop can form that nothing will break. It is recommended that you use MSTP if the number of VLANs in a common topology is high.
Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit. Disable spanning tree only if you are sure there are no loops in the network topology. When spanning tree is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance. Networks have been known to crash in seconds due to broadcast storms created by loops.
Changing the Spanning-Tree Mode
You can configure different types of spanning trees on a Cisco switch. The options vary according to the platform.
Switch(config)# spanning-tree mode pvst | Enables PVST+. This is the default setting |
Switch(config)# spanning-tree mode mst | Enters MST mode |
Switch(config)# spanning-tree mst configuration | Enters MST configuration submode. Use the command no spanning-tree mst configuration to clear the MST configuration |
Switch(config)# spanning-tree mode rapid-pvst | Enables Rapid PVST+ |
Switch# clear spanning-tree detected-protocols | If any port on the device is connected to a port on a legacy IEEE 802.1D device, this command restarts the protocol migration process on the entire device. This step is optional if the designated device detects that this device is running Rapid PVST+ |
BPDU Guard (3650/9xxx Series)
You can enable the BPDU Guard feature if your switch is running PVST+, Rapid PVST+, or MSTP.
The Bridge Protocol Data Unit (BPDU) Guard feature can be globally enabled on the switch or can be enabled per port.
When you enable BPDU Guard at the global level on PortFast-enabled ports, spanning tree shuts down ports that are in a PortFast-operational state if any BPDU is received on them. When you enable BPDU Guard at the interface level on any port without also enabling the PortFast feature, and the port receives a BPDU, it is put in the error-disabled state.
Switch(config)# spanning-tree portfast bpduguard default | Enables BPDU Guard globally. By default, BPDU Guard is disabled |
Switch(config)# interface gigabitethernet 1/0/2 | Enters into interface configuration mode |
Switch(config-if)# spanning-tree portfast edge | Enables the PortFast edge feature |
Switch(config-if)# end | Returns to privileged EXEC mode |
Configuring the Root Switch
Switch(config)# spanning-tree vlan 5 root {primary | secondary} | Modifies the switch priority from the default 32768 to a lower value so that the switch becomes the primary or secondary root switch for VLAN 5 (depending on which argument is chosen). With root primary, this switch sets its priority to 24576. If any other switch already has a priority below 24576, this switch sets its own priority to 4096 less than the lowest switch priority. If this would give the switch a priority of less than 1, the command fails |
Switch(config)# spanning-tree vlan 5 root primary | Configures the switch to become the root switch for VLAN 5. The maximum switch topology width (diameter) and the hello-time can be set within this command. The root switch should be a backbone or distribution switch |
Switch(config)# spanning-tree vlan 5 root primary diameter 7 | Configures the switch to be the root switch for VLAN 5 and sets the network diameter to 7. The diameter keyword defines the maximum number of switches between any two end stations; the range is from 2 to 7 switches. The hello-time keyword sets the hello-interval timer to any value between 1 and 10 seconds; the default is 2 seconds |
Configuring a Secondary Root Switch
Switch(config)# spanning-tree vlan 5 root secondary | Configures the switch to become the root switch for VLAN 5 should the primary root switch fail. This switch sets its priority to 28672. If the root switch fails and all other switches are set to the default priority of 32768, this switch becomes the new root switch |
Switch(config)# spanning-tree vlan 5 root secondary diameter 7 | Configures the switch to be the secondary root switch for VLAN 5 and sets the network diameter to 7 |
Configuring Port Priority
Switch(config)# interface gigabitethernet 0/1 | Moves to interface configuration mode |
Switch(config-if)# spanning-tree port-priority 64 | Configures the port priority for the interface that is an access port |
Switch(config-if)# spanning-tree vlan 5 port-priority 64 | Configures the VLAN port priority for an interface that is a trunk port. If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. Assign a higher priority (lower numeric value) to interfaces you want selected first and a lower priority (higher numeric value) to interfaces you want selected last. The value can be between 0 and 240 in increments of 16; the default port priority is 128 |
The port priority setting supersedes the physical port number in spanning tree calculations.
Configuring the Path Cost
Switch(config)# interface gigabitethernet 0/1 | Moves to interface configuration mode |
Switch(config-if)# spanning-tree cost 100000 | Configures the cost for the interface that is an access port. The range is 1 to 200000000; the default value is derived from the media speed of the interface |
Switch(config-if)# spanning-tree vlan 5 cost 1500000 | Configures the VLAN cost for an interface that is a trunk port. The VLAN number can be specified as a single VLAN ID, a range of VLANs separated by a hyphen, or a series of VLANs separated by commas; the range is 1 to 4094. For the cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface. If a loop occurs, STP uses the path cost when trying to determine which interface to place into the forwarding state. A higher path cost means a lower-speed link |
Configuring the Switch Priority of a VLAN
Switch(config)# spanning-tree vlan 5 priority 12288 | Configures the switch priority of VLAN 5 to 12288 |
With the priority keyword, the range is 0 to 61440 in increments of 4096. The default is 32768. The lower the priority, the more likely the switch will be chosen as the root switch. Only the following numbers can be used as priority values:
0 | 4096 | 8192 | 12288 |
16384 | 20480 | 24576 | 28672 |
32768 | 36864 | 40960 | 45056 |
49152 | 53248 | 57344 | 61440 |
Cisco recommends caution when using this command. Cisco further recommends that the spanning-tree vlan x root primary or the spanning-tree vlan x root secondary command be used instead to modify the switch priority.
Configuring STP Timers
Switch(config)# spanning-tree vlan 5 hello-time 4 | Changes the hello-delay timer to 4 seconds on VLAN 5 |
Switch(config)# spanning-tree vlan 5 forward-time 20 | Changes the forward-delay timer to 20 seconds on VLAN 5 |
Switch(config)# spanning-tree vlan 5 max-age 25 | Changes the maximum-aging timer to 25 seconds on VLAN 5 |
For the hello-time command, the range is 1 to 10 seconds. The default is 2 seconds.
For the forward-time command, the range is 4 to 30 seconds. The default is 15 seconds.
For the max-age command, the range is 6 to 40 seconds. The default is 20 seconds.
Configuring Optional Spanning-Tree Features
Although the following commands are not mandatory for STP to work, you might find these helpful to fine-tune your network.
PortFast
Switch(config)# interface fastethernet 0/10 | Moves to interface configuration mode |
Switch(config-if)# spanning-tree portfast | Enables PortFast on an access port |
Switch(config-if)# spanning-tree portfast trunk | Enables PortFast on a trunk port. Use the PortFast command only when connecting a single end station to an access or trunk port; using it on a port connected to a switch or hub might prevent spanning tree from detecting loops. If you enable the voice VLAN feature, PortFast is enabled automatically; if you later disable voice VLAN, PortFast remains enabled |
Switch(config)# spanning-tree portfast default | Globally enables PortFast on all switchports that are nontrunking. You can override the spanning-tree portfast default global configuration command with the spanning-tree portfast disable interface configuration command |
Switch# show spanning-tree interface fastethernet 0/10 portfast | Displays PortFast information for interface fastethernet 0/10 |
BPDU Guard (2xxx/Older 3xxx Series)
Switch(config)# spanning-tree portfast bpduguard default | Globally enables BPDU Guard on ports where portfast is enabled |
Switch(config)# interface range fastethernet 0/1 - 5 | Enters interface range configuration mode |
Switch(config-if-range)# spanning-tree portfast | Enables PortFast on all interfaces in the range. Best practice is to enable PortFast at the same time as BPDU Guard |
Switch(config-if-range)# spanning-tree bpduguard enable | Enables BPDU Guard on the interface. By default, BPDU Guard is disabled |
Switch(config-if)# spanning-tree bpduguard disable | Disables BPDU Guard on the interface |
Switch(config)# errdisable recovery cause bpduguard | Allows port to reenable itself if the cause of the error is BPDU Guard by setting a recovery timer |
Switch(config)# errdisable recovery interval 400 | Sets recovery timer to 400 seconds. The default is 300 seconds. The range is from 30 to 86,400 seconds |
Switch# show spanning-tree summary totals | Verifies whether BPDU Guard is enabled or disabled |
Switch# show errdisable recovery | Displays errdisable recovery timer information |
Enabling the Extended System ID
Switch(config)# spanning-tree extend system-id | Enables the extended system ID, also known as MAC address reduction. Catalyst switches running software earlier than Cisco IOS Release 12.1(8)EA1 do not support the extended system ID |
Switch# show spanning-tree summary | Verifies that the extended system ID is enabled |
Switch# show spanning-tree bridge | Displays the extended system ID as part of the bridge ID. The 12-bit extended system ID is the VLAN number for the instance of PVST+ and Rapid PVST+ (PVRST+) spanning tree; in MST, these 12 bits carry the instance number |
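To make the priority arithmetic behind root primary / root secondary and the extended-system-ID bridge ID concrete, here is an added Python model of the election (not code from the page or from Cisco IOS; hostnames and MAC addresses are constructed). It encodes the 64-bit bridge ID, runs the per-VLAN election, and reproduces the root placement of the PVST+ configuration example in this article.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768
VALID_PRIORITIES = range(0, 61441, 4096)      # 0, 4096, 8192, ..., 61440


@dataclass
class Switch:
    name: str
    mac: str                                   # base MAC; constructed sample values in demo()
    priority: dict = field(default_factory=dict)   # per-VLAN overrides of the 32768 default

    def prio(self, vlan: int) -> int:
        return self.priority.get(vlan, DEFAULT_PRIORITY)


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID with extended system ID: 4-bit priority | 12-bit VLAN | 48-bit MAC."""
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    return ((priority | vlan) << 48) | mac_int     # low 12 bits of priority are zero, so OR == add


def elect_root(switches: list, vlan: int) -> str:
    """Lowest bridge ID wins. With every switch at the default priority the lowest MAC decides,
    which is why an unplanned root (and BPDU Guard on edge ports) matters."""
    return min(switches, key=lambda s: bridge_id(s.prio(vlan), vlan, s.mac)).name


def root_primary(switches: list, name: str, vlan: int) -> int:
    """Priority macro behind 'spanning-tree vlan <n> root primary' (diameter/hello-time not modelled)."""
    others = [s.prio(vlan) for s in switches if s.name != name]
    lowest = min(others) if others else DEFAULT_PRIORITY
    new = 24576 if lowest >= 24576 else lowest - 4096   # undercut an existing lower priority by 4096
    if new < 1:                                         # the macro fails rather than go below 1
        raise RuntimeError(f"{name}: another bridge already uses priority {lowest} on VLAN {vlan}")
    next(s for s in switches if s.name == name).priority[vlan] = new
    return new


def root_secondary(switches: list, name: str, vlan: int) -> int:
    """'spanning-tree vlan <n> root secondary': fixed 28672, wins only once the primary root is gone."""
    next(s for s in switches if s.name == name).priority[vlan] = 28672
    return 28672


def demo() -> tuple:
    """Reproduce the PVST+ configuration example: Core roots VLAN 1, Distribution1 VLAN 10,
    Distribution2 VLAN 20, and Access2 is pinned to 61440 so it can never win."""
    fabric = [Switch("Core", "0000.0c11.1111"), Switch("Distribution1", "0000.0c22.2222"),
              Switch("Distribution2", "0000.0c33.3333"), Switch("Access1", "0000.0c00.0001"),
              Switch("Access2", "0000.0c00.0002")]          # constructed MACs
    before = {v: elect_root(fabric, v) for v in (1, 10, 20)}   # all defaults: Access1 (lowest MAC)
    root_primary(fabric, "Core", 1)
    root_primary(fabric, "Distribution1", 10)
    root_primary(fabric, "Distribution2", 20)
    for v in (1, 10, 20):
        fabric[4].priority[v] = 61440        # spanning-tree vlan 1,10,20 priority 61440 on Access2
    after = {v: elect_root(fabric, v) for v in (1, 10, 20)}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The "before" result shows the access switch with the lowest MAC winning every VLAN when no priority has been planned, which is the situation the root primary commands above are meant to prevent.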
Verifying STP
Switch# show spanning-tree | Displays STP information |
Switch# show spanning-tree active | Displays STP information on active interfaces only |
Switch# show spanning-tree bridge | Displays status and configuration of this bridge |
Switch# show spanning-tree detail | Displays a detailed summary of interface information |
Switch# show spanning-tree interface gigabitethernet 1/0/1 | Displays STP information for interface gigabitethernet 1/0/1 |
Switch# show spanning-tree summary | Displays a summary of port states |
Switch# show spanning-tree summary totals | Displays the total lines of the STP section |
Switch# show spanning-tree vlan 5 | Displays STP information for VLAN 5 |
Troubleshooting Spanning Tree Protocol
Switch# debug spanning-tree all | Displays all spanning-tree debugging events |
Switch# debug spanning-tree events | Displays spanning-tree debugging topology events |
Switch# debug spanning-tree backbonefast | Displays spanning-tree debugging BackboneFast events |
Switch# debug spanning-tree uplinkfast | Displays spanning-tree debugging UplinkFast events |
Switch# debug spanning-tree mstp all | Displays all MST debugging events |
Switch# debug spanning-tree switch state | Displays spanning-tree port state changes |
Switch# debug spanning-tree pvst+ | Displays PVST+ events |
Configuration Example: PVST+
Figure 11-1 shows the network topology for the configuration of PVST+ using commands covered in this post. Assume that other commands needed for connectivity have already been configured.
Core Switch (3650)
Switch> enable | Moves to privileged EXEC mode |
Switch# configure terminal | Moves to global configuration mode |
Switch(config)# hostname Core | Sets host name |
Core(config)# no ip domain-lookup | Turns off Domain Name System (DNS) queries so that spelling mistakes do not slow you down |
Core(config)# vtp mode server | Changes the switch to VTP server mode. This is the default mode |
Core(config)# vtp domain STPDEMO | Configures the VTP domain name to STPDEMO |
Core(config)# vlan 10 | Creates VLAN 10 and enters VLAN configuration mode |
Core(config-vlan)# name Accounting | Assigns a name to the VLAN |
Core(config-vlan)# exit | Returns to global configuration mode |
Core(config)# vlan 20 | Creates VLAN 20 and enters VLAN configuration mode |
Core(config-vlan)# name Marketing | Assigns a name to the VLAN |
Core(config-vlan)# exit | Returns to global configuration mode |
Core(config)# spanning-tree vlan 1 root primary | Configures the switch to become the root switch for VLAN 1 |
Core(config)# exit | Returns to privileged EXEC mode |
Core# copy running-config startup-config | Saves the configuration to NVRAM |
Distribution 1 Switch (3650)
Switch> enable | Moves to privileged EXEC mode |
Switch# configure terminal | Moves to global configuration mode |
Switch(config)# hostname Distribution1 | Sets host name |
Distribution1(config)# no ip domain-lookup | Turns off DNS queries so that spelling mistakes do not slow you down |
Distribution1(config)# vtp domain STPDEMO | Configures the VTP domain name to STPDEMO |
Distribution1(config)# vtp mode client | Changes the switch to VTP client mode |
Distribution1(config)# spanning-tree vlan 10 root primary | Configures the switch to become the root switch of VLAN 10 |
Distribution1(config)# exit | Returns to privileged EXEC mode |
Distribution1# copy running-config startup-config | Saves the configuration to NVRAM |
Distribution 2 Switch (3650)
Switch> enable | Moves to privileged EXEC mode |
Switch# configure terminal | Moves to global configuration mode |
Switch(config)# hostname Distribution2 | Sets the host name |
Distribution2(config)# no ip domain-lookup | Turns off DNS queries so that spelling mistakes do not slow you down |
Distribution2(config)# vtp domain STPDEMO | Configures the VTP domain name to STPDEMO |
Distribution2(config)# vtp mode client | Changes the switch to VTP client mode |
Distribution2(config)# spanning-tree vlan 20 root primary | Configures the switch to become the root switch of VLAN 20 |
Distribution2(config)# exit | Returns to privileged EXEC mode |
Distribution2# copy running-config startup-config | Saves the configuration to NVRAM |
Access 1 Switch (2960)
Switch> enable | Moves to privileged EXEC mode |
Switch# configure terminal | Moves to global configuration mode |
Switch(config)# hostname Access1 | Sets the host name |
Access1(config)# no ip domain-lookup | Turns off DNS queries so that spelling mistakes do not slow you down |
Access1(config)# vtp domain STPDEMO | Configures the VTP domain name to STPDEMO |
Access1(config)# vtp mode client | Changes the switch to VTP client mode |
Access1(config)# interface range fastethernet 0/6 - 12 | Moves to interface range configuration mode |
Access1(config-if-range)# switchport mode access | Places all interfaces in switchport access mode |
Access1(config-if-range)# spanning-tree portfast | Places all ports directly into forwarding mode |
Access1(config-if-range)# spanning-tree bpduguard enable | Enables BPDU Guard |
Access1(config-if-range)# exit | Moves back to global configuration mode |
Access1(config)# exit | Returns to privileged EXEC mode |
Access1# copy running-config startup-config | Saves the configuration to NVRAM |
Access 2 Switch (2960)
Switch> enable | Moves to privileged EXEC mode |
Switch# configure terminal | Moves to global configuration mode |
Switch(config)# hostname Access2 | Sets the host name |
Access2(config)# no ip domain-lookup | Turns off DNS queries so that spelling mistakes do not slow you down |
Access2(config)# vtp domain STPDEMO | Configures the VTP domain name to STPDEMO |
Access2(config)# vtp mode client | Changes the switch to VTP client mode |
Access2(config)# interface range fastethernet 0/6 - 12 | Moves to interface range configuration mode |
Access2(config-if-range)# switchport mode access | Places all interfaces in switchport access mode |
Access2(config-if-range)# spanning-tree portfast | Places all ports directly into forwarding mode |
Access2(config-if-range)# spanning-tree bpduguard enable | Enables BPDU Guard |
Access2(config-if-range)# exit | Moves back to global configuration mode |
Access2(config)# spanning-tree vlan 1,10,20 priority 61440 | Ensures this switch does not become the root switch for VLANs 1, 10, or 20 |
Access2(config)# exit | Returns to privileged EXEC mode |
Access2# copy running-config startup-config | Saves config to NVRAM |
Spanning-Tree Migration Example: PVST+ to Rapid-PVST+
The topology in Figure 11-1 is used for this migration example and adds to the configuration of the previous example.
Rapid-PVST+ uses the same BPDU format as 802.1D. This interoperability between the two spanning-tree protocols lets a large network be converted gradually, over a longer period, without disrupting services.
The Spanning Tree features UplinkFast and BackboneFast in 802.1D-based PVST+ are already incorporated in the 802.1w-based Rapid-PVST+ and are disabled when you enable Rapid-PVST+. The 802.1D-based features of PVST+ such as PortFast, BPDU Guard, BPDU filter, root guard, and loop guard are applicable in Rapid-PVST+ mode and need not be changed.
The 802.1D-based features of PVST+ are not part of the CCNA 200-301 exam topics; they are, however, part of the CCNP Implementing Cisco Enterprise Network Core Technologies (ENCOR 300-401) exam topics.
Access 1 Switch (2960)
Access1> enable | Moves to privileged EXEC mode |
Access1# configure terminal | Moves to global configuration mode |
Access1(config)# spanning-tree mode rapid-pvst | Enables 802.1w-based Rapid-PVST+ |
Access1(config)# no spanning-tree uplinkfast | Removes UplinkFast programming line |
Access1(config)# no spanning-tree backbonefast | Removes BackboneFast programming line |
Access 2 Switch (2960)
Access2> enable | Moves to privileged EXEC mode |
Access2# configure terminal | Moves to global configuration mode |
Access2(config)# spanning-tree mode rapid-pvst | Enables 802.1w-based Rapid-PVST+ |
Distribution 1 Switch (3650)
Distribution1> enable | Moves to privileged EXEC mode |
Distribution1# configure terminal | Moves to global configuration mode |
Distribution1(config)# spanning-tree mode rapid-pvst | Enables 802.1w-based Rapid-PVST+ |
Distribution 2 Switch (3650)
Distribution2> enable | Moves to privileged EXEC mode |
Distribution2# configure terminal | Moves to global configuration mode |
Distribution2(config)# spanning-tree mode rapid-pvst | Enables 802.1w-based Rapid-PVST+ |
Core Switch (3650)
Core> enable | Moves to privileged EXEC mode |
Core# configure terminal | Moves to global configuration mode |
Core(config)# spanning-tree mode rapid-pvst | Enables 802.1w-based Rapid-PVST+ |