Introduction
While I was working on my Masters degree, I wrote a paper called “The Death of Spanning Tree.” I went into great detail on Spanning Tree and its many different flavors and uses, then went on to explain that TRILL and FabricPath were going to kill it off. Well, that paper was written in 2012-2013ish and Spanning Tree was old then; almost 10 years later, it's very much alive. Maybe as a follow-on I will post that paper here, if I can find it. That was so long ago. It surprised me, last year, when I went on to a work site and the lead engineer was establishing a spanning tree network with the numerous switches running throughout the site. So I had to really rub quite a bit of rust off of the subject and go back to the drawing board.
Let me reiterate a bit on the previous statement about using STP on a job site. STP is enabled by default on all switches. Normally the styles of layer 2 networks I work with are a bunch of switches either daisy-chained together or one switch running in a star topology with multiple switches connected. Very rarely will I see a network where STP has to be managed over trunk ports.
I used a GNS3 lab to go through all of the configurations and attempt to commit them to memory (not as easy as it used to be). In doing so, I ran into problems with one or two commands actually crashing switches, especially when enabling bpdufilter on a network with 3 routers and 4 switches all interconnected.
I am also going to throw in a small paragraph on security concerns and possible solutions at the end of each section to hopefully drive a conversation with my small audience (to quote my daughter, “sadness”).
802.1D
This is your baseline spanning tree: the usual blocking, listening, learning, forwarding and disabled port states, with timers that take about 30 seconds (two 15-second forward delays, listening and then learning) to reach the forwarding state, or around 50 seconds when the 20-second max age timer has to expire first. Bridge Protocol Data Units (BPDUs) are sent out every 2 seconds. Yes, STP is a very chatty protocol. On my initial lab, made up of 4 switches all with multiple interconnects, STP was enabled by default on all the switches. When priorities are equal, which they are at the default of 32768, the switch with the lowest MAC address is elected as the root bridge.
For those of us who are used to a great deal of VLANs on a network, STP priorities on Cisco switches (PVST+) are set on a per-VLAN basis, with the VLAN number folded into the bridge ID as the extended system ID. So this can get crazy when attempting to pick which switch you want as the root bridge for a chatty protocol going across your network: depending on the flavor, that is roughly 45-47 bytes sent to a layer 2 multicast address (01:80:C2:00:00:00 for IEEE STP, 01:00:0C:CC:CC:CD for Cisco PVST+) every 2 seconds, per VLAN.
One thing I would like to mention is that STP port costs are also dictated by port speed. For 100 Mbit/s FastEthernet ports it's 19 and for the more typical 1 Gbit/s ports it's a cost of 4 (10 Mbit/s is 100 and 10 Gbit/s is 2 in the same short-cost table). A switch's root path cost is the sum of the port costs along its path to the root, and the lowest root path cost decides which port becomes the root port.
Commands to know:
global:
spanning-tree vlan <vlan-id> priority <value> <– value in multiples of 4096 (0 to 61440); the VLAN number is added to it as the extended system ID, so VLAN 10 at the default 32768 shows up as 32778
spanning-tree vlan <vlan-id> root primary diameter <n> <– n is the maximum number of switches between any two end stations (default 7); the command calculates the max age and forward delay timer values based on the size of the switched network
spanning-tree vlan <vlan-id> root primary <– sets this switch as the root for this VLAN (priority 24576, or 4096 below the current root's priority if that is already lower)
spanning-tree vlan <vlan-id> root secondary <– sets this switch as the secondary root for the VLAN (priority 28672)
Per Interface
spanning-tree vlan <vlan-id> port-priority <n> <– n in increments of 16 with a max of 240 on older switches; my network was in increments of 32 with a max of 224 (default 128; the lower port priority wins when root path costs and sender bridge IDs tie)
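To make the election and cost rules above concrete, here is an added example (not the post's GNS3 lab and not Cisco code) that elects the root for one VLAN and picks every switch's root port on a constructed four-switch topology. The bridge-ID comparison, the short path-cost table and the priorities the root primary/secondary macro configures follow Cisco IOS behaviour; the switch names, MAC addresses and links are assumptions, and interface names stand in for the 16-bit port ID that port-priority would otherwise change.

```python
"""Root-bridge election and root-port selection for one VLAN of 802.1D / PVST+.

Added example for this post; the topology is constructed and is not the
author's lab.  Run it to see who is root at the defaults and after
'spanning-tree vlan 10 root primary' on SW1."""

import heapq

# 802.1D-1998 short path cost by link speed in Mbit/s (19 for FastEthernet
# and 4 for GigabitEthernet as quoted in the post; 10 Mbit/s and 10 Gbit/s
# are the other two entries of the same table).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology: {name: (priority, base MAC)} and
# [(switch_a, port_a, switch_b, port_b, link speed in Mbit/s)].
SWITCHES = {
    "SW1": (32768, "0011.2233.4455"),
    "SW2": (32768, "0000.0c11.aaaa"),  # lowest MAC, so root at the defaults
    "SW3": (32768, "0050.5600.0001"),
    "SW4": (32768, "00aa.bbcc.ddee"),
}
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 1000),
    ("SW2", "Fa0/1", "SW3", "Fa0/2", 100),
    ("SW2", "Gi0/2", "SW4", "Gi0/1", 1000),
    ("SW3", "Fa0/3", "SW4", "Fa0/1", 100),
]


def bridge_id(priority, vlan, mac):
    """Comparable bridge ID as PVST+ builds it with the extended system ID:
    configured priority (a multiple of 4096) plus the VLAN number, then the
    base MAC as the tie-breaker.  Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, mac.lower())


def root_macro_priority(current_root_priority, role="primary"):
    """Priority that 'spanning-tree vlan N root primary|secondary' configures."""
    if role == "secondary":
        return 28672
    if current_root_priority > 24576:
        return 24576
    return current_root_priority - 4096


def elect(switches, links, vlan):
    """Return (root switch, {switch: (root path cost, root port)}).

    Candidate root ports are ranked the way 802.1D does it: lowest root path
    cost, then lowest upstream bridge ID, then lowest upstream port, then
    lowest local port.  Port names stand in for port IDs here."""
    ids = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(ids, key=ids.get)
    adj = {n: [] for n in switches}
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, pa, pb, PORT_COST[mbps]))
        adj[b].append((a, pb, pa, PORT_COST[mbps]))
    best = {}
    heap = [((0, ids[root], "", ""), root)]
    while heap:
        key, node = heapq.heappop(heap)
        if node in best:
            continue  # a better-ranked candidate already won this switch
        best[node] = key
        cost = key[0]
        for nbr, node_port, nbr_port, c in adj[node]:
            if nbr not in best:
                # The receiving switch adds the cost of the port it hears on.
                heapq.heappush(heap, ((cost + c, ids[node], node_port, nbr_port), nbr))
    return root, {n: (k[0], k[3] or None) for n, k in best.items()}


if __name__ == "__main__":
    root, ports = elect(SWITCHES, LINKS, 10)
    print("defaults: root is", root, ports)
    # 'spanning-tree vlan 10 root primary' on SW1 lowers its priority to 24576.
    tuned = dict(SWITCHES, SW1=(root_macro_priority(32768), SWITCHES["SW1"][1]))
    root, ports = elect(tuned, LINKS, 10)
    print("after root primary on SW1: root is", root, ports)
```

At the defaults SW2 wins only because its MAC is lowest, and SW3 reaches it over two gigabit hops (cost 8) rather than the direct FastEthernet link (cost 19), which is exactly the situation the priority commands exist to take control of.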
Security Concerns: The biggest concern is that anything that speaks STP, a rogue switch or a laptop running a tool that sends BPDUs, can be plugged into an unprotected port and hijack the entire STP domain. Announcing a bridge ID lower than the current root's (against the default priority of 32768 that only takes a lower MAC address, as an older switch often has, or any lower priority) makes the attacker's device the root bridge; the topology reconverges around it and it can sniff or tamper with the traffic that now crosses it. Fixes are to shut down all unused ports and assign them to a blackhole VLAN, hard-code the mode of every port (switchport mode access or trunk plus switchport nonegotiate), enable BPDU guard on access ports so a port that ever receives a BPDU is err-disabled, and put root guard on ports that should never lead toward a root. The DTP point is critical because Cisco switches ship with trunk negotiation on (dynamic desirable on older Catalysts, dynamic auto on newer ones), so a device that sends DTP can turn an access port into a trunk carrying every VLAN.
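The following is an added example, not the author's configuration: a small audit that reads a Cisco IOS running-config and flags the layer 2 weaknesses just described, run over a constructed weak fragment and its hardened counterpart. The blackhole VLAN number (999) and the exact policy encoded in the checks are assumptions.

```python
"""Audit a Cisco IOS running-config for the layer 2 hardening the post calls for.

Added example, not the author's own configuration.  Both config fragments are
constructed; 999 is an assumed blackhole VLAN.  Policy encoded here: a port is
either shut down and parked in the blackhole VLAN, or it has an explicit
switchport mode, 'switchport nonegotiate', and (for access ports) BPDU guard."""

import re

BLACKHOLE_VLAN = 999  # assumed parking VLAN for unused ports

# Constructed: what a switch looks like when only the obvious things were set.
WEAK_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to SW2
 switchport mode trunk
!
interface FastEthernet0/1
 description printer
 switchport access vlan 20
!
interface FastEthernet0/2
!
"""

# Constructed: the same three ports with the fixes applied.
HARDENED_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to SW2
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 description printer
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description unused
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or another section ends the interface block
    return interfaces


def audit_interface(lines):
    """Return the list of findings for one interface (empty means it passes)."""
    findings = []
    mode = access_vlan = None
    for line in lines:
        m = re.match(r"switchport mode (\S+)", line)
        if m:
            mode = None if m.group(1) == "dynamic" else m.group(1)
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            access_vlan = int(m.group(1))
    if "shutdown" in lines:
        if access_vlan != BLACKHOLE_VLAN:
            findings.append(f"shut down but not parked in blackhole VLAN {BLACKHOLE_VLAN}")
        return findings
    if not lines:
        return [f"unconfigured: factory DTP default and not shut down; shut it and park it in VLAN {BLACKHOLE_VLAN}"]
    if mode is None:
        findings.append("DTP negotiation left at default (no 'switchport mode access' or 'switchport mode trunk')")
    elif "switchport nonegotiate" not in lines:
        findings.append("DTP frames still sent (add 'switchport nonegotiate')")
    is_access = mode == "access" or (mode is None and access_vlan is not None)
    if is_access and "spanning-tree bpduguard enable" not in lines:
        findings.append("access port without 'spanning-tree bpduguard enable'; a rogue switch here can join the STP domain")
    return findings


def audit(config):
    """Return {interface: findings} for every interface that has findings."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

The weak fragment trips on all three ports: the trunk still negotiates, the printer port has no explicit mode and no BPDU guard, and the empty interface is the classic open door (DTP on, port up, nothing else). The hardened fragment produces no findings.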
RSTP