STP
1. Overview
To prevent loops from causing broadcast storms and making the MAC address table unstable,
the Spanning Tree Protocol (STP) runs on switches when redundant links are used on the network.
STP serves two purposes:
▪ It prevents problems caused by loops on a network.
▪ When redundant loops are planned on a network, STP deals with remediation of
network changes or failures.
The IEEE Standard 802.1 uses the term bridge to define the spanning tree operation. When a
bridge receives a frame, it reads the source and destination address fields. The bridge then enters
the frame’s source address in its forwarding database. In doing this the bridge associates the
frame’s source address with the network attached to the port on which the frame was received.
The bridge also reads the destination address and if it can find this address in its forwarding
database, it forwards the frame to the appropriate port. If the bridge does not recognize the
destination address, it forwards the frame out from all its ports except for the one on which the
frame was received, and then waits for a reply. This process is known as “flooding”. Similarly,
packets with broadcast or multicast destination MAC addresses will be flooded by a bridge.
A significant problem arises where bridges connect via multiple paths. A frame that arrives
with an unknown or broadcast/multicast destination address is flooded over all available paths.
The arrival of these frames at another network via different paths and bridges produces major
problems. The bridges find the same source MAC address arriving on multiple different ports,
making it impossible to maintain a reliable forwarding database. As a result, increasing numbers
of packets will be forwarded to multiple paths. This process is self-perpetuating and produces a
condition known as a packet storm, where the increase of circulating frames can eventually
overload the network.
2. 802.1D
Where a LAN’s topology results in more than one path existing between bridges, there is
always a risk of the packet storm scenario described above. However, multiple paths through the
extended LAN are often required in order to provide redundancy and backup in the event of a
bridge or link failure.
Therefore, network designers face a problem - multiple paths are desired for resiliency
purposes, but multiple paths can lead to broadcast storms. A solution to this problem is to eliminate
some physical paths from the active forwarding topology, so that the active forwarding topology
has only one path between any two locations. Then, if a link in the active forwarding topology
becomes unavailable, one or more of the previously eliminated paths can be brought into the active
forwarding topology, to restore full connectivity through the network. The loop-free active
forwarding topology is referred to as a Spanning Tree, as it is a tree topology that spans the whole
network.
The spanning tree is created through the exchange of Bridge Protocol Data Units (BPDUs)
between the bridges in the LAN.
The spanning tree algorithm operates by:
▪ Automatically computing a loop-free portion of the topology, called a spanning tree.
The topology is dynamically pruned to the spanning tree by declaring certain ports
on a switch to be redundant, and placing them into a ‘blocking’ state.
▪ Automatically recovering from a switch failure that would partition the extended LAN
by reconfiguring the spanning tree to use redundant paths, if available.
The logical tree computed by the spanning tree algorithm has the following properties:
▪ A single bridge is selected to become the spanning tree’s unique root bridge. This is
the device that advertises the lowest Bridge ID. Each bridge is uniquely identified by
its Bridge ID, which comprises the bridge’s root priority (a spanning tree parameter)
followed by its MAC address.
▪ Each bridge or LAN segment in the tree, except the root bridge, has a unique parent, known as the
designated bridge. The designated bridge connects a LAN segment to the next segment
on the path towards the root bridge.
▪ Each port connecting a bridge to a LAN segment has an associated cost, called the root
path cost. This is the sum of the costs for each link in the path between the particular
bridge port and the root bridge. The designated bridge for a LAN segment is the one
that advertises the lowest root path cost. If two bridges on the same LAN segment have
the same lowest root path cost, then the switch with the lowest bridge ID becomes the
designated bridge.
The spanning tree computation is a continuous, distributed process to establish and maintain a
spanning tree, as shown in the flow chart below. The basic algorithm is similar for all STP types.
The logical spanning tree, sometimes called the active topology, includes all root ports and all
designated ports. These ports are in the forwarding state. Ports removed from the logical spanning
tree are not in the forwarding state.
Each switch port can be in one of five spanning tree states, and one of two switch states. The
state of a switch port is taken into account by STP. The STP port states affect the behavior of ports
whose switch state is enabled.
We have covered the general STP terms up to this stage, but as seen in the flow diagram
shared above, STP has serious inherent shortcomings. For example, when the topology changes,
an interface that is currently in blocking mode may have to move to the forwarding state.
When this is the case, the blocking mode will last for 20
seconds before it moves to the listening state. This means that it takes 20 (blocking) + 15
(listening) + 15 (learning) = 50 seconds before the interface is in the forwarding state.
To address these and other situations, the additional features discussed in the following
sections were added to STP over time.
3. STP Toolkit
3.1. PortFast
It is a Cisco proprietary solution to deal with spanning-tree topology changes. Portfast does
two things for us:
▪ Interfaces with portfast enabled that come up will go to forwarding mode immediately,
the interface will skip the listening and learning state.
▪ A switch will never generate a topology change notification for an interface that has
portfast enabled.
It’s a good idea to enable portfast on access interfaces because these interfaces are likely to go
up and down all the time. Don’t enable portfast on an interface that connects to another hub or switch.
3.2. BPDU Guard/Protection
During the deployment of STP, in most cases, the ports that connect switches to
non-switching devices are configured as edge ports or PortFast ports. These ports do not participate in spanning tree
calculation and can transition from the Disable state to the Forwarding state immediately, as if the
spanning tree protocol were disabled on these ports. When user terminals frequently go online and
offline, configuring edge ports will prevent switches from recalculating the spanning tree topology,
improving network reliability.
BPDU protection prevents rogue switches from connecting to the network and causing
undesired Layer 2 topology changes and possible outages. If a BPDU is received on a protected
interface, the interface is disabled and transitions to the blocking state. This feature is therefore used on
edge ports to block incoming BPDUs.
3.3. BPDU Filter
The spanning-tree BPDU Filter works similarly to BPDU Guard in that it allows you to block
malicious BPDUs in a Cisco environment. The difference is that BPDU Guard will put the interface
on which it receives the BPDU into err-disable mode, while BPDU Filter just “filters” it.
BPDU Filter can be configured globally or on the interface level and there’s a difference:
▪ Global: Any interface with portfast enabled will not send or receive any BPDUs.
When a BPDU is received on a portfast-enabled interface, the interface loses its portfast
status, disables BPDU filtering and acts as a normal interface.
▪ Interface: It will ignore incoming BPDUs and it will not send any BPDUs. This is the
equivalent of disabling spanning-tree.
You have to be careful when you enable BPDU Filter on interfaces. You can use it on interfaces
in access mode that connect to computers but make sure you never configure it on interfaces
connected to other switches; if you do you might end up with a loop.
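The following Python model is an added example, not part of the original document. It plugs a BPDU-sending switch into a PortFast port under BPDU Guard, global BPDU Filter and interface-level BPDU Filter, following the behaviour described in sections 3.2 and 3.3; the class, the interface names and the outcome strings are hypothetical.

```python
from dataclasses import dataclass

GUARD = "bpdu-guard"
FILTER_GLOBAL = "bpdu-filter-global"
FILTER_INTERFACE = "bpdu-filter-interface"


@dataclass
class EdgePort:
    """PortFast access port with one BPDU protection mode (simplified model)."""
    name: str                      # constructed interface name
    protection: str
    portfast: bool = True
    filtering: bool = False
    state: str = "forwarding"      # PortFast ports start forwarding immediately
    bpdus_seen_by_stp: int = 0     # BPDUs that reached the spanning-tree process

    def __post_init__(self):
        self.filtering = self.protection in (FILTER_GLOBAL, FILTER_INTERFACE)

    def receive_bpdu(self):
        if self.state == "err-disabled":
            return                          # port is shut, nothing arrives any more
        if self.protection == GUARD:
            self.state = "err-disabled"     # guard: shut the port on the first BPDU
        elif self.protection == FILTER_INTERFACE:
            return                          # interface filter: drop silently, every time
        elif self.protection == FILTER_GLOBAL and self.filtering:
            # Global filter: the first BPDU removes PortFast and filtering, and
            # the port becomes an ordinary spanning-tree port.
            self.portfast = False
            self.filtering = False
            self.state = "stp-controlled"
            self.bpdus_seen_by_stp += 1
        else:
            self.bpdus_seen_by_stp += 1     # ordinary port: STP processes the BPDU


def attach_switch(port, bpdus=3):
    """Plug a BPDU-sending switch into the port and report where the port ends up."""
    for _ in range(bpdus):
        port.receive_bpdu()
    if port.state == "err-disabled":
        return "port shut down"
    if port.bpdus_seen_by_stp:
        return "spanning tree takes over"
    return "forwarding with spanning tree blind (loop possible)"


if __name__ == "__main__":
    for mode in (GUARD, FILTER_GLOBAL, FILTER_INTERFACE):
        print(f"{mode:22} -> {attach_switch(EdgePort('ge-0/0/1', mode))}")
```

Only the interface-level filter leaves the port forwarding without spanning tree ever seeing the neighbor, which is the loop condition the paragraph above warns about.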
3.4. Root Guard/Protection
It will make sure you don’t accept a certain switch as a root bridge. BPDUs are sent and
processed normally but if a switch suddenly sends a BPDU with a superior bridge ID you won’t
accept it as the root bridge. A root port elected through this process has the possibility of being
wrongly elected. Root guard/protection allows network administrators to manually enforce the root
bridge placement in the network. If a superior BPDU is received on a protected interface, the
interface is disabled and transitions to the blocking state. After the switch stops receiving
superior BPDUs on the interface with root guard/protection, the interface returns to a listening
state, followed by a learning state, and ultimately back to a forwarding state. The recovery process is
automatic.
When root guard/protection is enabled on an interface, it is enabled for all the STP instances
on that interface. The interface is blocked only for instances for which it receives superior BPDUs.
Otherwise, it participates in the spanning-tree topology.
3.5. Loop Guard/Protection
The exchange of BPDUs determines which interfaces block traffic (preventing loops) and
which interfaces become root ports and forward traffic. However, a blocking interface can
transition to the forwarding state in error if the interface stops receiving BPDUs from its designated
port on the segment.
When the link between BP2 and CP1 is congested, root port CP1 on DeviceC cannot receive
BPDUs from the upstream device within the timeout interval. After the timeout interval, the
alternate port CP2 becomes the root port and CP1 becomes the designated port. As a result, a loop
occurs.
When loop guard/protection is enabled, the spanning-tree topology detects root ports and
blocked ports and makes sure both keep receiving BPDUs. If a loop-guard/protection-enabled
interface stops receiving BPDUs from its designated port, it reacts as it would react to a problem
with the physical connection on this interface. It does not transition the interface to a forwarding
state, but instead transitions it to a loop-inconsistent state. The interface recovers and then it
transitions back to the spanning-tree blocking state as soon as it receives a BPDU.
Loop guard/protection is a spanning-tree optimization and its function is to stop root or
alternate ports transitioning into the designated/forwarding state.
3.6. UDLD
UDLD is a way to prevent your fiber cables from causing loops in the network. It is a layer 1/2 protocol
(unrelated to spanning-tree) that protects your upper layer protocols from causing loops in the
network. In case you are not familiar with fiber, you need to make sure you understand the
connection between Sw2 and Sw3 in the diagram on the right hand side. This is two physical
cables, one is to transmit data and the other is to receive data.
When the fiber to Sw2’s Rx port fails, and UDLD is in aggressive mode, the port is put into
the error-disabled state. UDLD works out that there is a unidirectional link failure as follows. Each switch
sends out periodic Ethernet multicast UDLD hellos destined to 0100.0ccc.cccd and lists its own
device ID, port ID, time-out value, and a bunch of other parameters.
When a switch receives this UDLD frame, it does two things:
▪ It stores and caches this information from the neighbor.
▪ It echoes the same device ID and Port ID it just received in the UDLD hello back towards
the originating switch.
When the originating switch sees the UDLD frame come in with its own device ID and
Port ID, it knows a UDLD neighbor exists out of the interface. These multicast hellos are used to
build and maintain the neighbor relationship, and are expected to be received before the time-out
interval expires in order to keep the neighbor alive from a UDLD perspective.
Note though, that UDLD is not a part of spanning-tree, nor does it play any part in a
spanning-tree topology. It is merely there as a helper for spanning-tree because spanning-tree is
unable to identify a fault at Layer 1 like this that would cause a loop in the network.
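The hello/echo exchange between Sw2 and Sw3 can be traced with the following Python simulation, which is an added example and not part of the original document. The port ID, the time-out of three hello intervals and the handling of non-aggressive mode (the neighbor is forgotten but the port stays up) are assumptions of the model.

```python
class UdldPort:
    """One end of a fiber pair running the hello/echo exchange described above."""

    def __init__(self, device_id, port_id, timeout=3, aggressive=True):
        self.me = (device_id, port_id)
        self.timeout = timeout        # hello intervals before the neighbor expires (constructed)
        self.aggressive = aggressive
        self.neighbor = None          # cached (device ID, port ID) of the far end
        self.bidirectional = False    # True while our own IDs come back echoed
        self.missed = 0
        self.state = "up"

    def hello(self):
        # Own device/port ID plus an echo of whatever neighbor is cached.
        return {"sender": self.me, "echo": self.neighbor}

    def receive(self, frame):
        self.neighbor = frame["sender"]
        self.missed = 0
        self.bidirectional = frame["echo"] == self.me

    def miss(self):
        """A hello interval passed without any frame arriving on Rx."""
        self.missed += 1
        if self.neighbor is not None and self.missed >= self.timeout:
            self.neighbor = None
            self.bidirectional = False
            if self.aggressive:
                self.state = "err-disabled"


def simulate(rounds, rx_fails_at, aggressive=True):
    """Run hello rounds; the fiber feeding Sw2's Rx port breaks at round rx_fails_at.

    Returns Sw2's view per round as (round, state, bidirectional).
    """
    sw2 = UdldPort("Sw2", "Gi0/1", aggressive=aggressive)   # port IDs are constructed
    sw3 = UdldPort("Sw3", "Gi0/1", aggressive=aggressive)
    log = []
    for rnd in range(1, rounds + 1):
        from_sw2, from_sw3 = sw2.hello(), sw3.hello()
        sw3.receive(from_sw2)            # Sw2 Tx -> Sw3 Rx fiber stays intact
        if rnd < rx_fails_at:
            sw2.receive(from_sw3)
        else:
            sw2.miss()                   # Sw3 Tx -> Sw2 Rx fiber is broken
        log.append((rnd, sw2.state, sw2.bidirectional))
        if sw2.state == "err-disabled":
            break
    return log


if __name__ == "__main__":
    for entry in simulate(rounds=10, rx_fails_at=4):
        print(entry)
```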
3.7. UplinkFast
In the event of failure of the primary uplink to the upstream switch, STP recalculates and
eventually unblocks the second uplink to the upstream switch, thereby restoring connectivity. With
the default STP parameters, the recovery takes up to 30 seconds, and with aggressive timer
tuning, this lapse of time can be reduced to 14 seconds. The UplinkFast feature is a Cisco
proprietary technique that reduces the recovery time further down to the order of one second.
The UplinkFast feature is based on the definition of an uplink group. On a given switch, the
uplink group consists of the root port and all the ports that provide an alternate connection to the
root bridge. If the root port fails, which means if the primary uplink fails, the port with the next lowest
cost from the uplink group is selected to immediately replace it.
UplinkFast only works when the switch has blocked ports. The feature is typically designed
for an access switch that has redundant blocked uplinks. When you enable UplinkFast, it is enabled
for the entire switch and cannot be enabled for individual VLANs. This example details the steps
for UplinkFast recovery:
1. The uplink group of A consists of P1 and its non-self-looped blocked port, P2.
2. When the link between D1 and A fails, A detects a link down on port P1. It knows
immediately that its unique path to the root bridge is lost, and other paths are through
the uplink group, for example, port P2, which is blocked.
3. A places port P2 in forwarding mode immediately, thus it violates the standard STP
procedures. There is no loop in the network, as the only path to the root bridge is
currently down. Therefore, recovery is almost immediate.
Once UplinkFast has achieved a fast-switchover between two uplinks, the MAC table in the
different switches of the network can be momentarily invalid and slow down the actual
convergence time. The backup link is brought up so quickly, however, that the CAM tables are no
longer accurate. If a client X behind the D2 switch sends a packet to a client Y
behind the A switch, it is forwarded to D1, where it is dropped.
Communication between X and Y is interrupted as long as the MAC table is incorrect. Even with
the topology change mechanism, it can take up to 15 seconds before the problem is solved.
In order to solve this problem, switch A begins to flood dummy packets with the different
MAC addresses that it has in its MAC table as a source. In this case, a packet with Y as a source
address is generated by A. Its destination is a Cisco proprietary multicast MAC address that ensures
that the packet is flooded on the whole network and updates the necessary CAM tables on the other
switches.
In the event of failure of the primary uplink, a replacement is immediately selected within the
uplink group. What happens when a new port comes up, and this port, in accordance with STP
rules, should rightfully become the new primary uplink (root port)?
An immediate switchover to port P1, which immediately blocks port P2 and puts port P1 in
forwarding mode, is not wanted, for these reasons:
▪ Stability: if the primary uplink is flapping, it is better to not introduce instability in the
network by re-enabling it immediately. You can afford to keep the existing uplink
temporarily.
▪ The only thing UplinkFast can do is to move port P1 into forwarding mode as soon as it
is up. The problem is that the remote port on D1 also goes up and obeys the usual
STP rules.
3.8. Backbone Fast
It is used to recover from an indirect link failure. This illustrates how STP behaves when it has
to recalculate after an indirect link failure, that is, when a bridge has to change the status of some
of its ports because of a failure on a link that is not directly attached to it.
1. If link L1 goes down, switch B immediately detects the failure and assumes it is the
root. It starts to send BPDUs to S and claims to be the new root.
2. When S receives this new BPDU from B, it realizes it is inferior to the one it had stored
for port P and ignores it.
3. After max_age timer expires (20 seconds by default), the BPDU stored on S for port
P ages out. The port goes immediately to listening and S starts to send its better BPDU
to B.
4. As soon as B receives the BPDU from S, it stops sending its BPDU.
5. Port P moves to the forwarding state through listening and learning states. This takes
twice the fw_delay value, an additional 30 seconds. Full connectivity is then restored.
It took the max_age value (20 seconds) plus twice the fw_delay value (2x15 seconds) to
recover from this indirect link failure. This is 50 seconds with the default parameters. The
backbone fast feature proposes to save max_age (20 seconds). In order to do this, the stored BPDU is aged
out immediately after the port receives inferior BPDUs.
STP invalidates information that becomes wrong because of an indirect link failure. In order
to do this, it passively waits for max_age. In order to get rid of this max_age delay, backbone fast
introduces two enhancements:
▪ The ability to detect an indirect link failure as soon as possible. This is achieved by
tracking the inferior BPDUs that a designated bridge sends when it experiences a
direct link failure.
▪ A mechanism that allows for an immediate check of whether the BPDU information
stored on a port is still valid. This is implemented with a new protocol data unit (PDU)
and the Root Link Query, referred to in this document as the RLQ PDU.
4. 802.1W
STP ensures a loop-free network but has a slow network topology convergence speed, leading
to service deterioration. If the network topology changes frequently, the connections on the STP-
enabled network are frequently torn down, causing frequent service interruption. Users can hardly
tolerate such a situation.
RSTP, as an enhancement of STP, converges a network topology at a faster speed. In both
RSTP and STP, all VLANs share one spanning tree. All VLAN packets cannot be load balanced,
and some VLAN packets cannot be forwarded along the spanning tree. RSTP is backward
compatible with STP and can be used together with STP on a network. Disadvantages of STP are
as follows:
▪ Port states or port roles are not subtly distinguished. Ports in the Listening, Learning,
and Blocking states do not forward user traffic and are not even slightly different to
users.
▪ The STP algorithm determines topology changes after the time set by the timer expires,
which slows down network convergence.
▪ The STP algorithm requires a stable network topology. After the root bridge sends
configuration BPDUs, other routers forward them until all bridges on the network
receive the configuration BPDUs. This also slows down topology convergence.
To make up for STP disadvantages, Rapid Spanning Tree Protocol (RSTP) deletes three port
states, introduces two port roles, and distinguishes port attributes based on port states and roles to
provide more accurate port description. This offers beginners easy access to protocols and speeds
up topology convergence.
The functions of the root port and designated port are the same as those defined in STP. The
alternate port and backup port are described as follows:
▪ From the perspective of configuration BPDU transmission:
❖ An alternate port is blocked after learning the configuration BPDUs sent by
other bridges.
❖ A backup port is blocked after learning the configuration BPDUs sent by itself.
▪ From the perspective of user traffic
❖ An alternate port backs up the root port and provides an alternate path from the
designated bridge to the root bridge.
❖ A backup port backs up the designated port and provides an alternate path from
the root bridge to the related network segment.
Port states are simplified from five types to three types. Based on whether a port forwards
user traffic and learns MAC addresses, the port is in one of the following states:
Configuration BPDUs in RSTP are differently defined. Port roles are described based on
the Flags field defined in STP. Compared with STP, RSTP slightly redefined the format of
configuration BPDUs.
Configuration BPDUs are processed in a different manner.
▪ Transmission of configuration BPDUs
❖ In STP, after the topology becomes stable, the root bridge sends configuration
BPDUs at an interval set by the Hello timer. A non-root bridge does not send
configuration BPDUs until it receives configuration BPDUs sent from the
upstream router. This renders the STP calculation complicated and time-
consuming.
❖ In RSTP, after the topology becomes stable, a non-root bridge sends
configuration BPDUs at Hello intervals, regardless of whether it has received
the configuration BPDUs sent from the root bridge. Such operations are
implemented on each router independently.
▪ BPDU timeout period
❖ In STP, a router has to wait a Max Age period before determining a negotiation
failure.
❖ In RSTP, if a port does not receive configuration BPDUs sent from the upstream
router for three consecutive Hello intervals, the negotiation between the local
router and its peer fails.
▪ Processing of inferior BPDUs
❖ When a port receives a BPDU from the upstream designated bridge, the port
compares the received BPDU with its own BPDU.
❖ If its own BPDU is superior to the received one, the port discards the received
BPDU and immediately responds to the upstream router with its own BPDU.
After receiving the BPDU, the upstream router updates its own BPDU based on
the corresponding fields in the received BPDU.
❖ In this manner, RSTP processes inferior BPDUs more rapidly, independent of
any timer that is used in STP.
▪ Rapid convergence
❖ A designated port on the network edge is called an edge port. An edge port
directly connects to a terminal and does not connect to any other routers. An
edge port does not receive configuration BPDUs, and therefore does not
participate in the RSTP calculation. It can directly change from the Disabled
state to the Forwarding state without any delay, just like an STP.
❖ If the root port fails, the most superior alternate port on the network becomes
the root port and enters the Forwarding state. This is because there must be a
path from the root bridge to a designated port on the network segment
connecting to the alternate port. When the port role changes, the network
topology will change accordingly.
❖ The port enters the Discarding state, and then the proposal/agreement
mechanism allows the port to immediately enter the Forwarding state. BPDU
exchange during the P/A negotiation:
As shown below, a new link is established between the root bridge Device A and Device
B. On Device B, p2 is an alternate port; p3 is a designated port in the Forwarding state; p4 is an
edge port. The P/A mechanism works in the following process:
1. p0 and p1 become designated ports and send BPDUs.
2. After receiving a BPDU with a higher priority, p1 realizes that it will become a
root port but not a designated port, and therefore it stops sending BPDUs.
3. p0 enters the Discarding state, and sends BPDUs with the Proposal field being 1.
4. After receiving a BPDU with the Proposal field being 1, Device B sets the sync
variable to 1 for all its ports.
5. As p2 has been blocked, its status keeps unchanged; p4 is an edge port, and
therefore it does not participate in calculation. Therefore, only the non-edge
designated port p3 needs to be blocked.
6. After p2, p3, and p4 enter the Discarding state, their synced variables are set to 1.
The synced variable of the root port p1 is then set to 1, and p1 sends a BPDU with
the Agreement field being 1 to Device A. Except for the Agreement field, which
is set to 1, and the Proposal field, which is set to 0, the BPDU is the same as the one that
was received.
7. After receiving this BPDU, Device A identifies it as a reply to the proposal that it
just sent, and therefore p0 immediately enters the Forwarding state.
This P/A negotiation process finishes, and Device B continues to perform the P/A negotiation
with its downstream router. Theoretically, STP can quickly select a designated port. To prevent
loops, STP has to wait for a period of time long enough to determine the status of all ports on the
network. All ports can enter the Forwarding state at least one forward delay later. RSTP is
developed to eliminate this bottleneck by blocking non-root ports to prevent loops. By using the
P/A mechanism, the upstream port can rapidly enter the Forwarding state.
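The proposal/agreement steps above can be followed in this Python model of Device A's p0 and Device B's ports p1 to p4. It is an added example, not part of the original document; the class names and the bridge ID are constructed, the edge port p4 is treated as synced without being blocked (as step 5 describes), and p1 moving to Forwarding once every other port is synced is standard RSTP behaviour that the steps do not spell out.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Bpdu:
    root_id: tuple            # (priority, MAC) of the advertised root
    root_path_cost: int
    sender_port: str
    proposal: bool = False
    agreement: bool = False


@dataclass
class Port:
    name: str
    role: str
    state: str
    edge: bool = False
    synced: bool = False


def handle_proposal(ports, root_port, bpdu):
    """Device B (steps 4-6): sync every port, then answer with an agreement."""
    if not bpdu.proposal:
        raise ValueError("not a proposal BPDU")
    blocked = []
    for port in ports.values():
        if port.name == root_port:
            continue
        if not port.edge and port.state != "discarding":
            port.state = "discarding"        # non-edge designated port must be blocked
            blocked.append(port.name)
        port.synced = True                   # edge or already-blocked ports need no change
    root = ports[root_port]
    root.synced = True
    root.state = "forwarding"                # safe: no other port can close a loop now
    # Same BPDU as received, except Proposal=0 and Agreement=1.
    return replace(bpdu, proposal=False, agreement=True), blocked


def handle_agreement(port, sent, reply):
    """Device A (step 7): accept only a reply that mirrors the proposal it sent."""
    if reply == replace(sent, proposal=False, agreement=True):
        port.state = "forwarding"
        return True
    return False


def negotiate():
    root_id = (4096, "02:00:00:00:00:0a")    # constructed bridge ID for Device A
    p0 = Port("p0", "designated", "discarding")
    device_b = {p.name: p for p in (
        Port("p1", "root", "discarding"),
        Port("p2", "alternate", "discarding"),
        Port("p3", "designated", "forwarding"),
        Port("p4", "designated", "forwarding", edge=True),
    )}
    proposal = Bpdu(root_id, 0, "p0", proposal=True)
    agreement, blocked = handle_proposal(device_b, "p1", proposal)
    accepted = handle_agreement(p0, proposal, agreement)
    return p0, device_b, blocked, agreement, accepted


if __name__ == "__main__":
    p0, device_b, blocked, agreement, accepted = negotiate()
    print("blocked on Device B:", blocked, "| p0:", p0.state, "| accepted:", accepted)
```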
RSTP provides backward compatibility with 802.1D bridges as follows:
▪ RSTP selectively sends 802.1D-configured BPDUs and Topology Change Notification
(TCN) BPDUs on a per-port basis.
▪ When a port initializes, the migration delay timer starts and RSTP BPDUs are
transmitted. While the migration delay timer is active, the bridge processes all BPDUs
received on that port.
▪ If the bridge receives an 802.1D BPDU after a port’s migration delay timer expires, the
bridge assumes it is connected to an 802.1D bridge and starts using only 802.1D
BPDUs.
▪ When RSTP uses 802.1D BPDUs on a port and receives an RSTP BPDU after the
migration delay expires, RSTP restarts the migration delay timer and begins using
RSTP BPDUs on that port.
##Example-1##
Considering the network topology below:
In this example, we will consider 2 scenarios:
1. The preferred path to the root bridge will be changed by manipulating the active path from
SW-4’s perspective.
2. The root guard feature will be demonstrated as an example of keeping our existing STP
topology stable.
## Configuration of SW-1 Switch ##
root@SW-1# run show configuration | display set | match rstp
set protocols rstp bridge-priority 8k
set protocols rstp interface xe-0/0/2 cost 100
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface all priority 16
## Configuration of SW-2 Switch ##
root@SW-2# run show configuration | display set | match rstp
set protocols rstp bridge-priority 16k
set protocols rstp interface xe-0/0/2 cost 100
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface xe-0/0/10 cost 10
set protocols rstp interface xe-0/0/10 mode point-to-point
set protocols rstp interface xe-0/0/10 no-root-port
set protocols rstp interface all priority 16
## Configuration of SW-3 Switch ##
root@SW-3# run show configuration | display set | match rstp
set protocols rstp bridge-priority 16k
set protocols rstp interface xe-0/0/2 cost 10
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface xe-0/0/11 cost 10
set protocols rstp interface xe-0/0/11 mode point-to-point
set protocols rstp interface xe-0/0/11 no-root-port
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface all priority 16
## Configuration of SW-4 Switch ##
root@SW-4# run show configuration | display set | match rstp
set protocols rstp bridge-priority 16k
set protocols rstp interface xe-0/0/2 cost 100
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface all priority 16
## Configuration of SW-5 Switch ##
root@SW-5# run show configuration | display set | match rstp
set protocols rstp bridge-priority 4k
set protocols rstp interface xe-0/0/10 cost 100
set protocols rstp interface xe-0/0/10 mode point-to-point
set protocols rstp interface xe-0/0/11 cost 10
set protocols rstp interface xe-0/0/11 mode point-to-point
set protocols rstp interface all priority 16
You can see that the root port for SW-4 was manipulated by changing the RPC value in
the following outputs:
The following outputs include screenshots of adding SW-5 to the existing topology and
changing the bridge-priority value to 4k after adding.
SW-5 is isolated from the current STP topology because the root guard feature is active in
the relevant interfaces of the upstream switches. As a result of this situation, SW-5 now sees itself
as a root bridge in a different STP topology.
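The outcome described above can be reproduced with the following Python sketch, which is an added example and not part of the original document. It parses the bridge-priority and no-root-port lines from the five configurations and runs a simplified root election with and without root guard; the cabling in LINKS and the MAC addresses are assumptions, since the topology figure is not reproduced, and port costs are ignored because they do not affect which bridge becomes root.

```python
import re

# bridge-priority and no-root-port lines copied from the switch configurations above.
CONFIG = {
    "SW-1": ["set protocols rstp bridge-priority 8k"],
    "SW-2": ["set protocols rstp bridge-priority 16k",
             "set protocols rstp interface xe-0/0/10 no-root-port"],
    "SW-3": ["set protocols rstp bridge-priority 16k",
             "set protocols rstp interface xe-0/0/11 no-root-port"],
    "SW-4": ["set protocols rstp bridge-priority 16k"],
    "SW-5": ["set protocols rstp bridge-priority 4k"],
}
# Assumed cabling and constructed MAC addresses.
LINKS = [
    (("SW-1", "ae0"), ("SW-2", "ae0")),
    (("SW-3", "ae0"), ("SW-4", "ae0")),
    (("SW-1", "xe-0/0/2"), ("SW-3", "xe-0/0/2")),
    (("SW-2", "xe-0/0/2"), ("SW-4", "xe-0/0/2")),
    (("SW-5", "xe-0/0/10"), ("SW-2", "xe-0/0/10")),
    (("SW-5", "xe-0/0/11"), ("SW-3", "xe-0/0/11")),
]
MAC = {f"SW-{n}": f"02:00:00:00:00:0{n}" for n in range(1, 6)}


def parse(config):
    """Return ({switch: priority}, {(switch, interface) with root guard})."""
    priority, guarded = {}, set()
    for switch, lines in config.items():
        for line in lines:
            m = re.fullmatch(r"set protocols rstp bridge-priority (\d+)k", line)
            if m:
                priority[switch] = int(m.group(1)) * 1024
            m = re.fullmatch(r"set protocols rstp interface (\S+) no-root-port", line)
            if m:
                guarded.add((switch, m.group(1)))
    return priority, guarded


def elect(config, links, root_guard=True):
    """Return ({switch: root it accepts}, {ports blocked by root guard})."""
    priority, guarded = parse(config)
    if not root_guard:
        guarded = set()
    bridge_id = {sw: (priority[sw], MAC[sw]) for sw in priority}
    name_of = {bid: sw for sw, bid in bridge_id.items()}
    best = dict(bridge_id)            # every bridge starts by claiming to be root
    blocked = set()
    changed = True
    while changed:                    # repeat until no bridge learns a better root
        changed = False
        for end_a, end_b in links:
            for (tx, _), (rx, rx_port) in ((end_a, end_b), (end_b, end_a)):
                if best[tx] >= best[rx]:
                    continue          # not a superior BPDU, receiver keeps its root
                if (rx, rx_port) in guarded:
                    blocked.add((rx, rx_port))   # root guard: reject and block the port
                else:
                    best[rx] = best[tx]
                    changed = True
    return {sw: name_of[bid] for sw, bid in best.items()}, blocked


if __name__ == "__main__":
    for guard in (True, False):
        roots, blocked = elect(CONFIG, LINKS, root_guard=guard)
        print(f"root guard={guard}: roots={roots} blocked={sorted(blocked)}")
```

With root guard, SW-1 to SW-4 keep SW-1 as root and SW-5 elects itself; without it, the 4k priority on SW-5 makes it the root for every switch.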
5. VSTP
It allows for spanning-tree to be calculated for each VLAN. It maintains a separate spanning-tree
instance for each VLAN allowing load balancing of Layer 2 traffic. It is a proprietary protocol that is
compatible with similar protocols from other vendors. When using VSTP, you can selectively
configure up to 253 VLANs which map to distinct spanning-tree topologies.
Also you can enable RSTP for all VLANs not participating in VSTP. VSTP and RSTP are the
only STP protocols that can be configured concurrently. So, for example, RSTP can be run in addition to
VSTP to account for any VLANs above and beyond 253.
Switches configured to run VSTP automatically assign each VLAN to one spanning tree
instance that runs RSTP. While this approach is useful to optimize network usage in small
networks with a limited number of VLANs, VSTP configuration in networks with several hundred
VLANs can overload switch CPUs, because every VLAN has a separate unique BPDU for itself.
VSTP has the following benefits:
▪ Connects devices that are not part of the network
▪ Compatible with Cisco PVST+
▪ VSTP and RSTP are the only spanning-tree protocols that can be configured
concurrently on a device
6. 802.1S
The IEEE version was adapted for use with multiple VLANs using 802.1Q frame tagging. A
shared spanning-tree, sometimes called Mono Spanning Tree (MST) by Cisco, or more often -
Common Spanning Tree (CST) was used to create a single loop-free topology. The drawback of
this approach is inability to perform VLAN traffic engineering across redundant links: if a link is
blocked, it is blocked for all VLANs. Another issue related to STP construction - more traffic is
forwarded over the links closer to the root bridge, which puts higher demand on the root bridge
resources - both in terms of CPU and links capacity utilization.
To overcome these limitations, a separate STP instance per VLAN was used, such as VSTP or
PVSTP. It allowed for using a different logical topology with every VLAN, enhancing basic Layer
2 traffic engineering. Every VLAN may use its own root bridge and forwarding topology allowing
for more fair resource utilization. This method has some limitations as it does not deal with the
actual network link capacities and utilization, but rather statistically multiplexes VLANs to
different topologies. However, this is the limitation inherent to any load-balancing method based
on STP. The main problem of this approach was that with the number of VLANs growing, it
becomes a waste of switch resources and management burden. This is because the number of
different logical topologies is usually much smaller than the number of active VLANs.
The core idea of MSTP is utilizing the fact that a redundant physical topology only has a small
amount of different spanning-trees (logical topologies). MST allows you to build multiple
spanning trees over trunks. You can group and associate VLANs to spanning tree instances. Each
instance can have a topology independent of other spanning tree instances. This architecture
provides multiple forwarding paths for data traffic and enables load balancing. Network fault
tolerance is improved because a failure in one instance (forwarding path) does not affect other
instances. The figure below shows a ring topology of three switches and three different spanning
trees that may result from different root bridge placements.
MSTP runs a number of VLAN-independent STP instances (representing logical topologies)
and then the administrator maps each VLAN to the most appropriate logical topology (STP instance).
The number of STP instances is kept to minimum (saving switch resources), but the network
capacity is utilized in more optimal fashion, by using all possible paths for VLAN traffic.
The switch logic for VLAN traffic forwarding has changed a little bit. In order for a frame to
be forwarded out of a port, two conditions must be met:
1. The VLAN must be active on this port (e.g. not filtered).
2. The STP instance the VLAN maps to must be in a non-discarding state for this port. This
is normally enforced automatically, as MAC addresses are not learned on discarding
ports. It is worth remembering that, because multiple logical topologies are active on a
port, the port could be blocking for one instance and forwarding for another.
The figure below demonstrates six VLANs using two MSTP instances, thus reducing the
number of STP trees that would be required with (P)VSTP from 6 to 2.
Follow these restrictions and guidelines to avoid configuration problems on MSTP:
▪ Do not disable spanning tree on any VLAN in any of the bridges, and do not connect
switches with access links, because access links may partition a VLAN.
▪ Ensure that all root bridges have lower (numerically higher) priority than the CST root
bridge.
▪ Ensure that trunks carry all of the VLANs mapped to an instance or do not carry any
VLANs at all for this instance.
▪ Complete any MST configuration that incorporates a large number of either existing or
new logical VLAN ports during a maintenance window because the complete MST
database gets reinitialized for any incremental change (such as adding new VLANs to
instances or moving VLANs across instances).
Every MSTP region runs a special instance of spanning tree known as the IST or Internal Spanning
Tree (=MSTI0). This instance mainly serves the purpose of disseminating STP topology
information for MSTIs. The IST has a root bridge, elected based on the lowest Bridge ID (Bridge
Priority + MAC address). The situation changes with multiple MSTP regions in the network. When
a switch detects BPDU messages sourced from another region, it marks the corresponding port as
an MSTP boundary port. A switch that has boundary ports is known as a boundary switch.
When multiple regions connect together, every region needs to construct its own IST and all
regions should build one common CIST spanning across the regions. In the figure below, notice
that MSTP uses protocol version 3 as opposed to RSTP's version 2.
The MSTP BPDU contains two important blocks of information. One, highlighted in red, is
related to CIST Root and CIST Regional Root election. The CIST Root is elected among all regions
and a CIST Regional Root is elected in every region. The green block outlines the information about
the CIST Regional Root (which becomes the IST Root in the presence of multiple regions). The CIST
Internal Root path cost is the intra-region cost to reach the CIST Regional Root.
It is important to keep in mind that IST Root = CIST Regional Root when multiple
regions interoperate. This transformation is explained further in the text. Now, to define the CIST
Root and CIST Regional Root roles:
▪ CIST Root is the bridge that has the lowest Bridge ID among ALL regions. This
could be a bridge inside a region or a boundary switch in a region.
▪ CIST Regional Root is a boundary switch elected for every region based on the
shortest external path cost to reach the CIST Root. Path cost is calculated based on
costs of the links connecting the regions, excluding the internal regional paths. CIST
Regional Root becomes the root of the IST for the given region as well.
The CIST Root bridge election process proceeds in the following steps:
1. When a switch boots up, it declares itself as CIST Root and CIST Regional Root and
announces this fact in outgoing BPDUs. The switch will adjust its decision upon
reception of better information and continue advertising the best known CIST Root
and CIST Regional Root on all internal ports. On the boundary ports, the switch
advertises only the CIST Root Bridge ID and CIST External Root Path Cost thus
hiding the details of the region’s internal topology.
2. CIST External Root Path Cost is the cost to reach the CIST Root across the links
connecting the boundary ports, i.e. the inter-region links. When a BPDU is received
on an internal port, this cost is not changed. When a BPDU is received on a boundary
port, this cost is adjusted based on the receiving boundary port cost. As a result, the
CIST External Root Path Cost is propagated unmodified inside any region.
3. Only a boundary switch can be elected as the CIST Regional Root, and this is the
switch with the lowest cost to reach the CIST Root. If a boundary switch hears a better
CIST External Root Path Cost on its internal link, it will relinquish its role of
CIST Regional Root and start announcing the new metric out of its boundary ports.
4. Every boundary switch needs to properly block its boundary ports. If the switch is a
CIST Regional Root, it elects one of the boundary ports as the “CIST Root port” and
blocks all other boundary ports. If a boundary switch is not the CIST Regional Root,
it will mark the boundary ports as CIST Designated or Alternate. The boundary port
on a non regional-root bridge becomes designated only if it has superior information
for the CIST Root:
▪ Better External Root Path Cost
▪ If the costs are equal, a better CIST Regional Root Bridge ID.
5. As a result of CIST construction, every region will have one switch with a single
port unblocked in the direction of the CIST Root. This switch is the CIST Regional
Root. All boundary switches will advertise the region’s CIST Regional Root Bridge
ID out of their non-blocking boundary ports. From the outside perspective, the whole
region will look like a single virtual bridge with the Bridge ID = CIST Regional
Root ID and a single root port elected on the CIST Regional Root switch.
6. The region that contains the CIST Root will have all boundary ports unblocked and
marked as CIST designated ports. Effectively the region would look like a virtual root
bridge with the Bridge ID equal to CIST Root and all ports being designated. Notice
that the region with CIST Root has CIST Regional Root equal to CIST Root as they
share the same lowest bridge priority value across all regions.
Have a look at the diagram below. It demonstrates the CIST topology calculated from the
physical topology we outlined above. First, SW1-1 is elected as the CIST Root as it has the lowest
Bridge ID among all bridges in all regions. This automatically makes region 1 a virtual bridge with
all boundary ports unblocked. Next, SW2-1 and SW3-1 are elected as the CIST Regional Roots in
their respective regions. Notice that SW3-1 and SW2-3 have equal External Costs to reach the
CIST Root but SW3-1 wins the CIST Regional Root role due to its lower priority. Keep in mind that
in a topology with multiple MSTP regions, every region that does not contain the CIST Root has
to change the IST Root election process and make the IST Root equal to the CIST Regional Root.
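The six election steps above can be traced on a small model. This added example (not from the original document) elects the CIST Root, each region's CIST Regional Root and the boundary port roles; the three-region topology, bridge names, priorities, MACs and link costs are constructed for illustration and are not the page's figure.

```python
import heapq

# Constructed sample topology (an assumption, not the page's figure).
# bridge -> (region, bridge priority, MAC); Bridge ID orders as (priority, MAC).
BRIDGES = {
    "SW1-1": ("R1", 4096, "00:00:00:00:01:01"),
    "SW1-2": ("R1", 32768, "00:00:00:00:01:02"),
    "SW2-1": ("R2", 32768, "00:00:00:00:02:01"),
    "SW2-2": ("R2", 32768, "00:00:00:00:02:02"),
    "SW3-1": ("R3", 8192, "00:00:00:00:03:01"),
    "SW3-2": ("R3", 32768, "00:00:00:00:03:02"),
}
# Inter-region links only: (bridge, bridge, boundary port cost).
# At most one link per bridge pair, so (local, remote) identifies a port.
BOUNDARY_LINKS = [
    ("SW1-1", "SW2-1", 100),
    ("SW1-2", "SW2-2", 200),
    ("SW1-2", "SW3-1", 100),
    ("SW1-2", "SW3-2", 100),
    ("SW2-2", "SW3-2", 100),
]


def bridge_id(name):
    _, priority, mac = BRIDGES[name]
    return (priority, mac)


def region_of(name):
    return BRIDGES[name][0]


def boundary_ports():
    """Yield every boundary port as (local bridge, remote bridge, port cost)."""
    for a, b, cost in BOUNDARY_LINKS:
        yield a, b, cost
        yield b, a, cost


def external_costs(root_region):
    """External root path cost per region (Dijkstra with regions as nodes).

    Internal links never appear: the cost crosses a region unchanged and only
    grows when a BPDU is received on a boundary port (step 2).
    """
    dist = {root_region: 0}
    heap = [(0, root_region)]
    while heap:
        d, region = heapq.heappop(heap)
        if d > dist[region]:
            continue
        for local, remote, cost in boundary_ports():
            # BPDU sent by `remote` (inside `region`), received on `local`.
            if region_of(remote) != region or region_of(local) == region:
                continue
            nxt = region_of(local)
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist


def elect_cist():
    """Return (CIST Root, {region: (Regional Root, external cost, root port)})."""
    cist_root = min(BRIDGES, key=bridge_id)
    root_region = region_of(cist_root)
    ext = external_costs(root_region)
    regions = {root_region: (cist_root, 0, None)}
    for region in sorted(set(ext) - {root_region}):
        # Each boundary switch offers: neighbour region's cost + own port cost.
        # Lowest cost wins, then lowest local Bridge ID (step 3).
        offers = [
            (ext[region_of(remote)] + cost, bridge_id(local),
             bridge_id(remote), local, remote)
            for local, remote, cost in boundary_ports()
            if region_of(local) == region and region_of(remote) != region
        ]
        cost, _, _, local, remote = min(offers)
        regions[region] = (local, cost, (local, remote))
    return cist_root, regions


def boundary_port_roles():
    """Role of every boundary port: Root, Designated or Alternate (step 4)."""
    _, regions = elect_cist()
    roles = {}
    for local, remote, _ in boundary_ports():
        mine, theirs = regions[region_of(local)], regions[region_of(remote)]
        if mine[2] == (local, remote):
            roles[(local, remote)] = "Root"
        # Designated only with superior information: better external cost,
        # then better CIST Regional Root Bridge ID.
        elif (mine[1], bridge_id(mine[0])) < (theirs[1], bridge_id(theirs[0])):
            roles[(local, remote)] = "Designated"
        else:
            roles[(local, remote)] = "Alternate"
    return roles


if __name__ == "__main__":
    root, regions = elect_cist()
    print("CIST Root:", root)
    for region, (rr, cost, port) in sorted(regions.items()):
        print(region, "regional root", rr, "external cost", cost, "root port", port)
    for port, role in sorted(boundary_port_roles().items()):
        print(port, role)
```

In the constructed topology SW3-1 and SW3-2 reach the CIST Root at the same external cost, so the Bridge ID decides, and every boundary port of the region holding the CIST Root comes out Designated, as step 6 describes.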
MSTIs are constructed independently in every region, but they have to be mapped to the CIST
at the boundary ports. This means VLAN traffic cannot be load-balanced on the boundary links by
mapping VLANs to different instances. All VLANs use the same non-blocking boundary ports,
which are either upstream or downstream with respect to the CIST Root. This statement is only
valid with respect to the CST paths connecting the regional virtual bridges. Inside any region,
VLANs follow the internal topology paths, based on the respective MSTI configurations.
The MSTIs have no idea of the CIST Root whatsoever; they only use internal paths and the internal
MSTI root to build the spanning trees. However, all MSTP instances see the root port (towards the
CIST Root) of the CIST Regional Bridge as a special Master Port connecting them to the CIST
Root bridge. This port serves the purpose of the “gateway” linking MSTIs to other regions. Recall
that switches do not send M-Records (MSTI information) out of boundary ports, only CIST
information. Thus, the CIST and MSTIs may converge independently and in parallel. The Master
Port will only begin forwarding when all respective MSTI ports are in sync and forwarding, to
avoid temporary bridging loops.
The concept of an MSTP region allows for bounding STP re-computations. Since MSTIs in every
region are independent, any change affecting an MSTI in one region will not affect MSTIs in other
regions. This is a direct result of the fact that M-Record information is not exchanged between the
regions. However, CIST recalculations affect every region and may converge slowly. This
is why it is a good idea not to map any VLAN to the CIST and to avoid connecting MSTP regions to
IEEE STP domains.
Topology changes in MSTP are treated the same way as in RSTP. That is, only non-edge links
going to the forwarding state will cause a topology change, and the switch detecting the change will
flood this information through the domain. However, a single physical link may be forwarding for
one MSTI and blocking for another. Thus, a single physical change may have a different effect on
the MSTIs and the CIST. Topology changes in MSTIs are bounded to a single region, while topology
changes to the CIST propagate through all regions. Every region treats a TC notification from
another region as “external” and applies it to CIST-associated ports only.
A topology change to the CST (the tree connecting the virtual bridges) will affect all MSTIs in all
regions and the CIST. This is because a new link becoming forwarding between the virtual
bridges may change all paths in the topology and thus require massive MAC address re-learning.
Thus, from the standpoint of topology change, something happening to the CST will have the most
massive flooding impact in the set of interconnected MSTP regions.
The above observations suggest a good design rule for MSTP networks: separate “meshy”
topologies into their own regions and interconnect regions using a “sparse” mesh, keeping in mind
the balance between redundancy and the effect of topology changes. This is an adaptation of a
well-known design principle: separate complexity from complexity to keep networks more stable and
isolate fault domains. In addition, exposing a lot of links to the CST will reduce your
load-balancing choices, as the CST supports only one STP instance. You want to avoid designs like
the one diagrammed below, which effectively disables load balancing on the mesh of links that
belong to the CST. The reason is that the full mesh of links now belongs to the CST, and it elects
only one unblocked path between the two regions.
Even though region partitioning offers better fault isolation, it still does not eliminate
well-known Ethernet issues such as unicast and broadcast flooding. Those may still occur and disrupt
network connectivity. For example, unicast flooding could be caused by unidirectional traffic and
broadcast flooding may be a result of transient bridging loops when a root bridge fails. Transient
bridging loops are a reality with RSTP/MSTP, especially in larger topologies, due to various
synchronization problems resulting in count-to-infinity behavior. This problem is especially
dangerous when a root bridge crashes and the remaining topology contains loops: old information
may circulate until it is aged out using hop counting (counting to infinity).
##Example-1##
Consider the single-region MSTP network topology below:
In this example, we will consider 2 scenarios:
1. Two different instances will be created
▪ MST 1 – 10, 20, 30
▪ MST 2 – 100, 200, 300
2. Path manipulation will be performed for each instance
## Configuration of SW-1 Switch ##
root@SW-1# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 16k
set protocols mstp interface xe-0/0/2 cost 1000
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 10
set protocols mstp msti 1 interface ae0 cost 10
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 10
set protocols mstp msti 2 interface ae0 cost 100
## Configuration of SW-2 Switch ##
root@SW-2# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 cost 200
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/10 cost 100
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 10
set protocols mstp msti 1 interface xe-0/0/10 cost 10
set protocols mstp msti 1 interface ae0 cost 10
set protocols mstp msti 2 bridge-priority 8k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 40
set protocols mstp msti 2 interface xe-0/0/10 cost 40
set protocols mstp msti 2 interface ae0 cost 10
## Configuration of SW-3 Switch ##
root@SW-3# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 cost 1000
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/11 cost 100
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 8k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 40
set protocols mstp msti 1 interface xe-0/0/11 cost 40
set protocols mstp msti 1 interface ae0 cost 10
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 40
set protocols mstp msti 2 interface xe-0/0/11 cost 40
set protocols mstp msti 2 interface ae0 cost
## Configuration of SW-4 Switch ##
root@SW-4# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 16k
set protocols mstp interface xe-0/0/2 cost 200
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 10
set protocols mstp msti 1 interface ae0 cost 100
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 10
set protocols mstp msti 2 interface ae0 cost 10
## Configuration of SW-5 Switch ##
root@SW-5# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 4k
set protocols mstp interface xe-0/0/10 cost 100
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface xe-0/0/11 cost 100
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/10 cost 10
set protocols mstp msti 1 interface xe-0/0/11 cost 20
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/10 cost 20
set protocols mstp msti 2 interface xe-0/0/11 cost 10
The output of the command below shows basic information about the MSTP configuration.
Within the same region, the values in the fields marked in red must be the same.
The configuration digest value refers to the VLAN-to-instance mapping value and must be the
same for all switches. Changing the revision or region name value does not affect the digest value.
It is also worth noting that VLANs that are not included in the current configuration can be added
to the MSTI as the MSTP operation is performed over the data plane.
Also, if we do not use these VLANs on the connections between the switches (referred to
as vlan members all), we only see MSTI 0 in the configuration; the rest is not visible because the
VLAN-to-instance mapping has not been created.
We can make the following inferences from the output below:
▪ For MSTI 1, we can verify that SW-1 is the Root Bridge from the data in the area marked
in blue. In addition, the value 4097 here consists of the Bridge ID (4096) + Instance ID
(MSTI 1) value.
❖ Because the Bridge ID value equals the MSTI Regional Root value
▪ For MSTI 2, we can verify that SW-3 is the Root Bridge from the data in the area marked
in brown.
❖ Because the Bridge ID value does not equal the MSTI Regional Root value
▪ You can also see the value of the CST calculated for all other VLANs used outside of
the configuration in the field marked in red.
❖ These VLANs are referred to in the above output as MSTI 0
❖ This is the IST Root Bridge, which is SW-5
You can easily verify that the root bridge for MSTI 1 is SW-1. Traffic for the other
VLANs, such as the members of MSTI 2, uses the xe-0/0/2 interface. All other traffic that
matches neither MSTI 1 nor MSTI 2 uses the ae0 interface, because path manipulation is
performed here by increasing the cost value on the xe-0/0/2 interface.
Inferences similar to the above also apply here.
##Example-2##
Consider the network topology above, now configured with multiple MSTP regions, as shown below:
## Configuration of SW-1 Switch ##
root@SW-1# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-2
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/2 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp msti 20 bridge-priority 8k
set protocols mstp msti 20 vlan 10
set protocols mstp msti 20 vlan 20
set protocols mstp msti 20 vlan 30
set protocols mstp msti 20 interface xe-0/0/2 cost 10
set protocols mstp msti 20 interface ae0 cost 10
set protocols mstp msti 21 bridge-priority 16k
set protocols mstp msti 21 vlan 100
set protocols mstp msti 21 vlan 200
set protocols mstp msti 21 vlan 300
set protocols mstp msti 21 interface xe-0/0/2 cost 10
set protocols mstp msti 21 interface ae0 cost 10
## Configuration of SW-2 Switch ##
root@SW-2# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 4k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 10 bridge-priority 16k
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 10 interface xe-0/0/2 cost 10
set protocols mstp msti 10 interface xe-0/0/10 cost 10
set protocols mstp msti 10 interface ae0 cost 10
set protocols mstp msti 11 bridge-priority 16k
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
set protocols mstp msti 11 interface xe-0/0/2 cost 10
set protocols mstp msti 11 interface xe-0/0/10 cost 10
set protocols mstp msti 11 interface ae0 cost 10
## Configuration of SW-3 Switch ##
root@SW-3# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 10 bridge-priority 16k
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 10 interface xe-0/0/2 cost 10
set protocols mstp msti 11 bridge-priority 8k
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
set protocols mstp msti 11 interface xe-0/0/2 cost 10
set protocols mstp msti 11 interface xe-0/0/11 cost 10
set protocols mstp msti 11 interface ae0 cost 10
## Configuration of SW-4 Switch ##
root@SW-4# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-2
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 20 bridge-priority 16k
set protocols mstp msti 20 vlan 10
set protocols mstp msti 20 vlan 20
set protocols mstp msti 20 vlan 30
set protocols mstp msti 20 interface xe-0/0/2 cost 10
set protocols mstp msti 20 interface ae0 cost 10
set protocols mstp msti 21 bridge-priority 8k
set protocols mstp msti 21 vlan 100
set protocols mstp msti 21 vlan 200
set protocols mstp msti 21 vlan 300
set protocols mstp msti 21 interface xe-0/0/2 cost 10
set protocols mstp msti 21 interface ae0 cost 10
## Configuration of SW-5 Switch ##
root@SW-5# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp msti 10 bridge-priority 4k
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 10 interface xe-0/0/10 cost 10
set protocols mstp msti 10 interface xe-0/0/11 cost 10
set protocols mstp msti 11 bridge-priority 16k
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
set protocols mstp msti 11 interface xe-0/0/10 cost 10
set protocols mstp msti 11 interface xe-0/0/11 cost 10
The output of the command below shows basic information about the MSTP configuration.
Note that since MSTP is used between different regions, the configuration digest has
different values on switches located in different regions.
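The digest comparison described for both examples can be reproduced offline. This added example (not code from the original document) parses the `set protocols mstp` lines of Example-2, computes the digest as IEEE 802.1Q defines it (HMAC-MD5 over the 4096-entry VLAN-to-MSTID table with the standard's fixed key), and groups switches by region name, revision and digest; a revision level of 0 is assumed where no `revision-level` statement is present.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Fixed signature key that IEEE 802.1Q specifies for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

NAME_RE = re.compile(r"set protocols mstp configuration-name (\S+)$")
REV_RE = re.compile(r"set protocols mstp revision-level (\d+)$")
VLAN_RE = re.compile(r"set protocols mstp msti (\d+) vlan (\d+)$")

# Abridged from the page's Example-2 listings: per-interface and per-MSTI
# priority lines are left out because they are not part of the region identity.
REGION_1_MSTIS = """\
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
"""
REGION_2_MSTIS = """\
set protocols mstp msti 20 vlan 10
set protocols mstp msti 20 vlan 20
set protocols mstp msti 20 vlan 30
set protocols mstp msti 21 vlan 100
set protocols mstp msti 21 vlan 200
set protocols mstp msti 21 vlan 300
"""
R1 = "set protocols mstp configuration-name REGION-1\n"
R2 = "set protocols mstp configuration-name REGION-2\n"
CONFIGS = {
    "SW-1": R2 + "set protocols mstp bridge-priority 8k\n" + REGION_2_MSTIS,
    "SW-2": R1 + "set protocols mstp bridge-priority 4k\n" + REGION_1_MSTIS,
    "SW-3": R1 + "set protocols mstp bridge-priority 8k\n" + REGION_1_MSTIS,
    "SW-4": R2 + "set protocols mstp bridge-priority 8k\n" + REGION_2_MSTIS,
    "SW-5": R1 + "set protocols mstp bridge-priority 8k\n" + REGION_1_MSTIS,
}


def parse_mst_config(text):
    """Return (region name, revision level, {vlan id: msti}) from set-style lines."""
    name, revision, vlan_to_msti = "", 0, {}  # revision 0 assumed when absent
    for line in text.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            name = m.group(1)
        elif m := REV_RE.match(line):
            revision = int(m.group(1))
        elif m := VLAN_RE.match(line):
            vlan_to_msti[int(m.group(2))] = int(m.group(1))
    return name, revision, vlan_to_msti


def mst_config_digest(vlan_to_msti):
    """HMAC-MD5 over 4096 two-octet MSTIDs indexed by VID (0 = CIST)."""
    table = bytearray(4096 * 2)  # elements 0 and 4095 always stay zero
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN id out of range: {vid}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def group_by_region(configs):
    """Group switches whose name, revision and digest all match (one region each)."""
    regions = defaultdict(list)
    for switch, text in sorted(configs.items()):
        name, revision, mapping = parse_mst_config(text)
        regions[(name, revision, mst_config_digest(mapping))].append(switch)
    return dict(regions)


if __name__ == "__main__":
    for (name, revision, digest), switches in group_by_region(CONFIGS).items():
        print(f"{name} rev {revision} digest 0x{digest}: {', '.join(switches)}")
```

A switch that ends up alone in its own group while sharing a region name with others has a drifted VLAN-to-instance mapping, which is the unintended-boundary condition the matching rule is meant to catch.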
Our topology here consists of two different regions as can be understood from the
configuration commands above. We can summarize these regions as follows:
▪ SW-1 – SW-4 --- REGION-2
▪ SW-2 – SW-3 – SW-5 --- REGION-1
We can summarize the actions to be done here as follows:
▪ REGION-1
❖ SW-5 is a root bridge for MSTI Instance 10
❖ SW-3 is a root bridge for MSTI Instance 11
❖ Verify the current interface status on SW-3
▪ REGION-2
❖ SW-1 is a root bridge for MSTI Instance 20
❖ SW-4 is a root bridge for MSTI Instance 21
❖ Verify the current interface status on SW-4
▪ CST
❖ SW-1 is CIST regional root for REGION-1
❖ SW-2 is CIST regional root for REGION-2
In addition, for the CST, the new roles received by the SW-1 interfaces may be displayed as
follows. In this case, traffic between the regions is transmitted between SW-2 and SW-1:

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

Spanning Tree Protocol

STP

1. Overview

To prevent loops from causing broadcast storms and making the MAC address table unstable, the Spanning Tree Protocol (STP) runs on switches when redundant links are used on the network. STP serves two purposes:
▪ It prevents problems caused by loops on a network.
▪ When redundant loops are planned on a network, STP deals with remediation of network changes or failures.

The IEEE Standard 802.1 uses the term bridge to define the spanning tree operation. When a bridge receives a frame, it reads the source and destination address fields. The bridge then enters the frame’s source address in its forwarding database. In doing this the bridge associates the frame’s source address with the network attached to the port on which the frame was received. The bridge also reads the destination address and if it can find this address in its forwarding database, it forwards the frame to the appropriate port. If the bridge does not recognize the destination address, it forwards the frame out from all its ports except for the one on which the frame was received, and then waits for a reply. This process is known as “flooding”. Similarly, packets with broadcast or multicast destination MAC addresses will be flooded by a bridge.

A significant problem arises where bridges connect via multiple paths. A frame that arrives with an unknown or broadcast/multicast destination address is flooded over all available paths. The arrival of these frames at another network via different paths and bridges produces major problems. The bridges find the same source MAC address arriving on multiple different ports, making it impossible to maintain a reliable forwarding database. As a result, increasing numbers of packets will be forwarded to multiple paths. This process is self-perpetuating and produces a condition known as a packet storm, where the increase of circulating frames can eventually overload the network.

2. 802.1D

Where a LAN’s topology results in more than one path existing between bridges, there is always a risk of the packet storm scenario described above. However, multiple paths through the extended LAN are often required in order to provide redundancy and backup in the event of a bridge or link failure. Therefore, network designers face a problem - multiple paths are desired for resiliency purposes, but multiple paths can lead to broadcast storms.

A solution to this problem is to eliminate some physical paths from the active forwarding topology, so that the active forwarding topology has only one path between any two locations. Then, if a link in the active forwarding topology becomes unavailable, one or more of the previously eliminated paths can be brought into the active forwarding topology, to restore full connectivity through the network. The loop-free active forwarding topology is referred to as a Spanning Tree, as it is a tree topology that spans the whole network.

The spanning tree is created through the exchange of Bridge Protocol Data Units (BPDUs) between the bridges in the LAN. The spanning tree algorithm operates by:
▪ Automatically computing a loop-free portion of the topology, called a spanning tree. The topology is dynamically pruned to the spanning tree by declaring certain ports on a switch to be redundant, and placing them into a ‘blocking’ state.
▪ Automatically recovering from a switch failure that would partition the extended LAN by reconfiguring the spanning tree to use redundant paths, if available.

The logical tree computed by the spanning tree algorithm has the following properties:
▪ A single bridge is selected to become the spanning tree’s unique root bridge. This is the device that advertises the lowest Bridge ID. Each bridge is uniquely identified by its Bridge ID, which comprises the bridge’s root priority (a spanning tree parameter) followed by its MAC address.
▪ Each bridge or LAN segment in the tree, except the root bridge, has a parent known as the designated bridge. The designated bridge connects a LAN segment to the next segment on the path towards the root bridge.
▪ Each port connecting a bridge to a LAN segment has an associated cost, called the root path cost. This is the sum of the costs for each link in the path between the particular bridge port and the root bridge. The designated bridge for a LAN segment is the one that advertises the lowest root path cost. If two bridges on the same LAN segment have the same lowest root path cost, then the switch with the lowest bridge ID becomes the designated bridge.

The spanning tree computation is a continuous, distributed process to establish and maintain a spanning tree, as shown in the flow chart below. The basic algorithm is similar for all STP types.

The logical spanning tree, sometimes called the active topology, includes all root ports and all designated ports. These ports are in the forwarding state. Ports removed from the logical spanning tree are not in the forwarding state. Each switch port can be in one of five spanning tree states, and one of two switch states. The state of a switch port is taken into account by STP. The STP port states affect the behavior of ports whose switch state is enabled.

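The election rules listed above (lowest bridge ID becomes the root, lowest root path cost and then lowest bridge ID decides the designated bridge) can be worked through in code. This is an added example, not part of the original slides: the switch names, MAC addresses and link costs are constructed, the link index stands in for the port ID as the last tie-breaker, and the topology is assumed to be connected.

```python
"""Added example: spanning tree roles for a constructed four-switch topology."""
import heapq


def bridge_id(priority, mac):
    """Bridge ID = priority followed by MAC address; the lower value wins."""
    return (priority, int(mac.replace(":", ""), 16))


# Constructed sample data (not from the slides): switch names, MACs, link costs.
BRIDGES = {
    "SW1": bridge_id(4096, "00:00:5e:00:53:01"),
    "SW2": bridge_id(8192, "00:00:5e:00:53:02"),
    "SW3": bridge_id(32768, "00:00:5e:00:53:03"),
    "SW4": bridge_id(32768, "00:00:5e:00:53:04"),
}
LINKS = [  # (bridge, bridge, link cost); the list index identifies the link
    ("SW1", "SW2", 4),
    ("SW1", "SW3", 19),
    ("SW2", "SW3", 19),
    ("SW2", "SW4", 19),
    ("SW3", "SW4", 19),
]


def compute_tree(bridges, links):
    """Return (root, root_path_cost, roles); roles maps (bridge, link index) to a role."""
    root = min(bridges, key=bridges.get)          # lowest bridge ID becomes the root

    # Ports of each bridge as (link index, neighbour, link cost).
    adj = {b: [] for b in bridges}
    for i, (u, v, cost) in enumerate(links):
        adj[u].append((i, v, cost))
        adj[v].append((i, u, cost))

    # Root path cost: sum of the link costs on the cheapest path to the root.
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        dist, b = heapq.heappop(heap)
        if dist > rpc.get(b, float("inf")):
            continue
        for _, nbr, cost in adj[b]:
            if dist + cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = dist + cost
                heapq.heappush(heap, (dist + cost, nbr))

    roles = {}
    for b in bridges:
        # Root port: cheapest path to the root; ties go to the neighbour with
        # the lowest bridge ID, then to the lowest link index.
        root_link = None
        if b != root:
            root_link = min(
                adj[b], key=lambda p: (rpc[p[1]] + p[2], bridges[p[1]], p[0])
            )[0]
        for i, nbr, _ in adj[b]:
            if i == root_link:
                roles[(b, i)] = "root"
            elif (rpc[b], bridges[b]) < (rpc[nbr], bridges[nbr]):
                # Designated bridge for the link: lowest root path cost,
                # then lowest bridge ID.
                roles[(b, i)] = "designated"
            else:
                roles[(b, i)] = "blocking"        # redundant port, pruned from the tree
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = compute_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, link), role in sorted(roles.items()):
        u, v, _ = LINKS[link]
        print(f"{bridge} port on link {u}-{v}: {role} (root path cost {rpc[bridge]})")
```

Root and designated ports are the ones in the forwarding state; with this sample, two ports end up blocking and the three remaining active links form a tree over the four switches.
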
We have covered the general STP terms up to this stage, but as the flow diagram above shows, STP has serious inherent shortcomings. For example, when the topology changes, an interface that is currently in blocking mode may have to move to the forwarding state. In that case, the interface stays in blocking mode for 20 seconds before it moves to the listening state. This means that it takes 20 (blocking) + 15 (listening) + 15 (learning) = 50 seconds before the interface is in the forwarding state. To deal with this and other situations, additional features were added to STP over time; they are discussed in the following sections.

3. STP Toolkit

3.1. PortFast

PortFast is a Cisco proprietary solution to deal with spanning-tree topology changes. PortFast does two things for us:
▪ Interfaces with PortFast enabled that come up go to forwarding mode immediately; the interface skips the listening and learning states.
▪ A switch will never generate a topology change notification for an interface that has PortFast enabled.

It’s a good idea to enable PortFast on access interfaces because these interfaces are likely to go up and down all the time. Don’t enable PortFast on an interface that connects to another hub or switch.

3.2. BPDU Guard/Protection

During the deployment of STP, in most cases, the ports that connect switches to non-switching devices are configured as edge ports (PortFast). These ports do not participate in spanning tree calculation and can transition from the Disabled state to the Forwarding state immediately, as if the spanning tree protocol were disabled on these ports. When user terminals frequently go online and offline, configuring edge ports will prevent switches from recalculating the spanning tree topology, improving network reliability.

BPDU protection prevents rogue switches from connecting to the network and causing undesired Layer 2 topology changes and possible outages. If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state. This feature is therefore used on edge ports to block incoming BPDUs.

3.3. BPDU Filter

The spanning-tree BPDU Filter works similarly to BPDU Guard, as it allows you to block malicious BPDUs in a Cisco environment. The difference is that BPDU Guard will put the interface that it receives the BPDU on in err-disable mode, while BPDU Filter just “filters” it. BPDU Filter can be configured globally or on the interface level and there’s a difference:
▪ Global: Any interface with PortFast enabled will not send or receive any BPDUs. When a BPDU is received on a PortFast-enabled interface, the interface loses its PortFast status, disables BPDU filtering and acts as a normal interface.
▪ Interface: It will ignore incoming BPDUs and it will not send any BPDUs. This is the equivalent of disabling spanning-tree.

You have to be careful when you enable BPDU Filter on interfaces. You can use it on interfaces in access mode that connect to computers, but make sure you never configure it on interfaces connected to other switches; if you do, you might end up with a loop.

3.4. Root Guard/Protection

Root guard makes sure you don’t accept a certain switch as a root bridge. BPDUs are sent and processed normally, but if a switch suddenly sends a BPDU with a superior bridge ID, you won’t accept it as the root bridge. A root port elected through this process has the possibility of being wrongly elected. Root guard/protection allows network administrators to manually enforce the root bridge placement in the network.

If a superior BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state. After the switch stops receiving superior BPDUs on the interface with root guard/protection, the interface returns to a listening state, followed by a learning state, and ultimately back to a forwarding state. The recovery process is automatic.

When root guard/protection is enabled on an interface, it is enabled for all the STP instances on that interface. The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology.

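How BPDU Guard and Root Guard, as described in sections 3.2 to 3.4, treat a received BPDU, shown as an added example that is not from the original slides or from any vendor's implementation. Port names, bridge IDs and the BPDU sequence are constructed, and the port state names follow the wording used above.

```python
"""Added example: how BPDU Guard and Root Guard react to received BPDUs."""
from dataclasses import dataclass, field


def bridge_id(priority, mac):
    """Bridge ID = priority followed by MAC address; the lower value is superior."""
    return (priority, int(mac.replace(":", ""), 16))


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False   # edge/PortFast port: no BPDU is expected here
    root_guard: bool = False   # the root bridge must never be reached through this port
    state: str = "forwarding"
    events: list = field(default_factory=list)


class Switch:
    def __init__(self, root_id, ports):
        self.root_id = root_id                      # root bridge currently accepted
        self.ports = {p.name: p for p in ports}

    def receive_bpdu(self, port_name, advertised_root):
        """Apply the guard configured on the port to one received BPDU."""
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return port.state                       # port is shut, nothing is processed
        if port.bpdu_guard:
            port.state = "err-disabled"
            port.events.append("BPDU on guarded edge port: err-disabled")
            return port.state
        if advertised_root < self.root_id:          # superior BPDU
            if port.root_guard:
                port.state = "blocking"
                port.events.append("superior BPDU rejected: blocking")
            else:
                self.root_id = advertised_root      # unprotected: root bridge moves
                port.events.append("superior BPDU accepted: root changed")
        return port.state

    def superior_bpdus_stopped(self, port_name):
        """Root Guard recovery is automatic: listening, learning, forwarding."""
        port = self.ports[port_name]
        path = []
        if port.root_guard and port.state == "blocking":
            for state in ("listening", "learning", "forwarding"):
                port.state = state
                path.append(state)
        return path


# Constructed sample data: bridge IDs used in the BPDU sequence below.
LEGIT_ROOT = bridge_id(4096, "00:00:5e:00:53:01")
ROGUE = bridge_id(0, "00:00:5e:00:53:99")           # advertises a superior bridge ID


def run_sample(protected=True):
    """Feed the same BPDU sequence to a switch with or without the guards."""
    sw = Switch(LEGIT_ROOT, [
        Port("access1", bpdu_guard=protected),
        Port("downlink1", root_guard=protected),
    ])
    sw.receive_bpdu("downlink1", LEGIT_ROOT)        # ordinary BPDU: processed normally
    after_normal = sw.ports["downlink1"].state
    sw.receive_bpdu("access1", ROGUE)               # BPDU arrives on an edge port
    sw.receive_bpdu("downlink1", ROGUE)             # superior BPDU on a downlink
    on_superior = sw.ports["downlink1"].state
    recovery = sw.superior_bpdus_stopped("downlink1")
    return {
        "root_unchanged": sw.root_id == LEGIT_ROOT,
        "access1": sw.ports["access1"].state,
        "downlink1_after_normal": after_normal,
        "downlink1_on_superior": on_superior,
        "downlink1_recovery": recovery,
    }


if __name__ == "__main__":
    print("guards enabled: ", run_sample(protected=True))
    print("guards disabled:", run_sample(protected=False))
```

With the guards enabled the accepted root bridge never changes; with them disabled the first superior BPDU moves the root, which is the undesired topology change the two features are meant to stop.
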
3.5. Loop Guard/Protection

The exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic. However, a blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment.

When the link between BP2 and CP1 is congested, root port CP1 on DeviceC cannot receive BPDUs from the upstream device within the timeout interval. After the timeout interval, the alternate port CP2 becomes the root port and CP1 becomes the designated port. As a result, a loop occurs.

When loop guard/protection is enabled, the spanning-tree topology detects root ports and blocked ports and makes sure both keep receiving BPDUs. If a loop-guard/protection-enabled interface stops receiving BPDUs from its designated port, it reacts as it would react to a problem with the physical connection on this interface. It does not transition the interface to a forwarding state, but instead transitions it to a loop-inconsistent state. The interface recovers and transitions back to the spanning-tree blocking state as soon as it receives a BPDU.

Loop guard/protection is a spanning-tree optimization and its function is to stop root or alternate ports from transitioning into the designated/forwarding state.

3.6. UDLD

UDLD is a way to protect your fiber cables from causing loops in the network. It is a layer 1/2 protocol (unrelated to spanning-tree) that protects your upper layer protocols from causing loops in the network.

In case you are not familiar with fiber, you need to make sure you understand the connection between Sw2 and Sw3 in the diagram on the right hand side. These are two physical cables: one transmits data and the other receives data.

When the fiber to Sw2’s Rx port fails, and UDLD is in aggressive mode, the port is put into the error-disabled state.

This is how UDLD works out that there is a unidirectional link failure. Each switch sends out periodic Ethernet multicast UDLD hellos destined to 0100.0ccc.cccd and lists its own device ID, port ID, time-out value, and a bunch of other parameters. When a switch receives this UDLD frame, it does two things:
▪ It stores and caches this information from the neighbor.
▪ It echoes the same device ID and port ID it just received in the UDLD hello back towards the originating switch.

When the originating switch sees the UDLD frame come in with its own device ID and port ID, it knows a UDLD neighbor exists out of the interface. These multicast hellos are used to build and maintain the neighbor relationship, and are expected to be received before the time-out interval expires in order to keep the neighbor alive from a UDLD perspective.

Note though, that UDLD is not a part of spanning-tree, nor does it play any part in a spanning-tree topology. It is merely there as a helper for spanning-tree because spanning-tree is unable to identify a fault at Layer 1 like this that would cause a loop in the network.

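The hello/echo exchange described above, as an added example that is not part of the original slides. It is a simplified model of aggressive mode only: the tick-based clock, the `TIMEOUT` value and the port ID `Gi0/1` are assumptions made for the illustration.

```python
"""Added example: simplified model of the UDLD hello/echo exchange."""

TIMEOUT = 3  # constructed value: ticks a cached neighbour stays valid without a new hello


class UdldPort:
    def __init__(self, device_id, port_id):
        self.me = (device_id, port_id)
        self.neighbors = {}          # (device ID, port ID) -> tick at which the entry expires
        self.bidirectional = False   # True once our own IDs came back in an echo
        self.state = "up"

    def build_hello(self):
        """A hello carries our own IDs plus an echo of every cached neighbour."""
        return {"sender": self.me, "echo": list(self.neighbors)}

    def receive(self, hello, now):
        self.neighbors[hello["sender"]] = now + TIMEOUT    # store and cache the neighbour
        if self.me in hello["echo"]:
            self.bidirectional = True                       # the neighbour hears us too

    def age(self, now):
        """Drop expired neighbours; react if a confirmed neighbour went silent."""
        for n in [n for n, expiry in self.neighbors.items() if expiry <= now]:
            del self.neighbors[n]
        if self.bidirectional and not self.neighbors:
            self.bidirectional = False
            self.state = "err-disabled"   # aggressive mode, the only mode modelled here


def simulate(ticks, rx_fail_at):
    """One hello per tick in each direction; the fiber to Sw2's Rx fails at rx_fail_at."""
    sw2 = UdldPort("Sw2", "Gi0/1")
    sw3 = UdldPort("Sw3", "Gi0/1")
    timeline = []
    for now in range(ticks):
        hello2 = sw2.build_hello() if sw2.state == "up" else None
        hello3 = sw3.build_hello() if sw3.state == "up" else None
        if hello2:
            sw3.receive(hello2, now)       # Sw2 Tx -> Sw3 Rx strand stays healthy
        if hello3 and now < rx_fail_at:
            sw2.receive(hello3, now)       # Sw3 Tx -> Sw2 Rx strand, until it fails
        sw2.age(now)
        sw3.age(now)
        timeline.append((now, sw2.state, sw2.bidirectional, sw3.state))
    return timeline


def first_tick(timeline, index, value):
    """First tick at which column `index` of the timeline equals `value`."""
    return next((row[0] for row in timeline if row[index] == value), None)


if __name__ == "__main__":
    for row in simulate(ticks=12, rx_fail_at=5):
        print("tick %2d  Sw2=%-12s bidirectional=%-5s Sw3=%s" % row)
```

In this model Sw2 confirms the neighbor on the second hello, and once its Rx strand fails the cached entry for Sw3 ages out one time-out after the last hello received, at which point the port is error-disabled.
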
3.7. UplinkFast

In the event of failure of the primary uplink to the upstream switch, STP recalculates and eventually unblocks the second uplink to the upstream switch, and so restores connectivity. With the default STP parameters, the recovery takes up to 30 seconds, and with aggressive timer tuning, this lapse of time can be reduced to 14 seconds. The UplinkFast feature is a Cisco proprietary technique that reduces the recovery time further down to the order of one second.

The UplinkFast feature is based on the definition of an uplink group. On a given switch, the uplink group consists of the root port and all the ports that provide an alternate connection to the root bridge. If the root port fails, which means the primary uplink fails, the port with the next lowest cost from the uplink group is selected to immediately replace it.

UplinkFast only works when the switch has blocked ports. The feature is typically designed for an access switch that has redundant blocked uplinks. When you enable UplinkFast, it is enabled for the entire switch and cannot be enabled for individual VLANs.

This example details the steps for UplinkFast recovery:
1. The uplink group of A consists of P1 and its non-self-looped blocked port, P2.
2. When the link between D1 and A fails, A detects a link down on port P1. It knows immediately that its unique path to the root bridge is lost, and other paths are through the uplink group, for example, port P2, which is blocked.
3. A places port P2 in forwarding mode immediately, thus it violates the standard STP procedures. There is no loop in the network, as the only path to the root bridge is currently down. Therefore, recovery is almost immediate.

Once UplinkFast has achieved a fast switchover between two uplinks, the MAC table in the different switches of the network can be momentarily invalid and slow down the actual convergence time. The backup link is brought up so quickly that the CAM tables are no longer accurate. If a client X behind switch D2 sends a packet to a client Y behind switch A, it is forwarded to D1, where it is dropped. Communication between X and Y is interrupted as long as the MAC table is incorrect. Even with the topology change mechanism, it can take up to 15 seconds before the problem is solved.

In order to solve this problem, switch A begins to flood dummy packets with the different MAC addresses that it has in its MAC table as a source. In this case, a packet with Y as a source address is generated by A. Its destination is a Cisco proprietary multicast MAC address that ensures that the packet is flooded on the whole network and updates the necessary CAM tables on the other switches.

In the event of failure of the primary uplink, a replacement is immediately selected within the uplink group. What happens when a new port comes up, and this port, in accordance with STP rules, should rightfully become the new primary uplink (root port)? An immediate switchover to port P1, which immediately blocks port P2 and puts port P1 in forwarding mode, is not wanted, for these reasons:
▪ Stability: if the primary uplink is flapping, it is better not to introduce instability in the network by re-enabling it immediately. You can afford to keep the existing uplink temporarily.
▪ The only thing UplinkFast can do is to move port P1 into forwarding mode as soon as it is up. The problem is that the remote port on D1 also goes up and obeys the usual STP rules.

3.8. Backbone Fast

Backbone Fast is used to recover from an indirect link failure. This illustrates how STP behaves when it has to recalculate after an indirect link failure, that is, when a bridge has to change the status of some of its ports because of a failure on a link that is not directly attached to it.
1. If link L1 goes down, switch B immediately detects the failure and assumes it is the root. It starts to send BPDUs to S and claims to be the new root.
2. When S receives this new BPDU from B, it realizes it is inferior to the one it had stored for port P and ignores it.
3. After the max_age timer expires (20 seconds by default), the BPDU stored on S for port P ages out. The port goes immediately to listening and S starts to send its better BPDU to B.
4. As soon as B receives the BPDU from S, it stops sending its BPDU.
5. Port P moves to the forwarding state through the listening and learning states. This takes twice the fw_delay value, an additional 30 seconds. Full connectivity is then restored.

It took the max_age value (20 seconds) plus twice the fw_delay value (2x15 seconds) to recover from this indirect link failure. This is 50 seconds with the default parameters. The backbone fast feature proposes to save max_age (20 seconds). In order to do this, it ages out the stored BPDU immediately after the port receives inferior BPDUs.

STP invalidates information that becomes wrong because of an indirect link failure. In order to do this, it passively waits for max_age. In order to get rid of this max_age delay, backbone fast introduces two enhancements:
▪ The ability to detect an indirect link failure as soon as possible. This is achieved by tracking the inferior BPDUs that a designated bridge sends when it experiences a direct link failure.
▪ A mechanism that allows for an immediate check of whether the BPDU information stored on a port is still valid. This is implemented with a new protocol data unit (PDU), the Root Link Query, referred to in this document as the RLQ PDU.

4. 802.1W

STP ensures a loop-free network but has a slow network topology convergence speed, leading to service deterioration. If the network topology changes frequently, the connections on the STP-enabled network are frequently torn down, causing frequent service interruption. Users can hardly tolerate such a situation.

RSTP, as an enhancement of STP, converges a network topology at a faster speed. In both RSTP and STP, all VLANs share one spanning tree. All VLAN packets cannot be load balanced, and some VLAN packets cannot be forwarded along the spanning tree. RSTP is backward compatible with STP and can be used together with STP on a network.

Disadvantages of STP are as follows:
▪ Port states or port roles are not subtly distinguished. Ports in the Listening, Learning, and Blocking states do not forward user traffic and are not even slightly different to users.
▪ The STP algorithm determines topology changes after the time set by the timer expires, which slows down network convergence.
▪ The STP algorithm requires a stable network topology. After the root bridge sends configuration BPDUs, other routers forward them until all bridges on the network receive the configuration BPDUs. This also slows down topology convergence.

To make up for STP disadvantages, Rapid Spanning Tree Protocol (RSTP) deletes three port states, introduces two port roles, and distinguishes port attributes based on port states and roles to provide more accurate port description. This offers beginners easy access to protocols and speeds up topology convergence.

The functions of the root port and designated port are the same as those defined in STP. The alternate port and backup port are described as follows:
▪ From the perspective of configuration BPDU transmission:
  ❖ An alternate port is blocked after learning the configuration BPDUs sent by other bridges.
  ❖ A backup port is blocked after learning the configuration BPDUs sent by itself.
▪ From the perspective of user traffic:
  ❖ An alternate port backs up the root port and provides an alternate path from the designated bridge to the root bridge.
  ❖ A backup port backs up the designated port and provides an alternate path from the root bridge to the related network segment.
Port states are simplified from five types to three types. Based on whether a port forwards user traffic and learns MAC addresses, the port is in one of the following states:
Configuration BPDUs in RSTP are differently defined. Port roles are described based on the Flags field defined in STP. Compared with STP, RSTP slightly redefined the format of configuration BPDUs.
Configuration BPDUs are processed in a different manner.
▪ Transmission of configuration BPDUs
  ❖ In STP, after the topology becomes stable, the root bridge sends configuration BPDUs at an interval set by the Hello timer. A non-root bridge does not send configuration BPDUs until it receives configuration BPDUs sent from the upstream router. This renders the STP calculation complicated and time-consuming.
  ❖ In RSTP, after the topology becomes stable, a non-root bridge sends configuration BPDUs at Hello intervals, regardless of whether it has received the configuration BPDUs sent from the root bridge. Such operations are implemented on each router independently.
▪ BPDU timeout period
  ❖ In STP, a router has to wait a Max Age period before determining a negotiation failure.
  ❖ In RSTP, if a port does not receive configuration BPDUs sent from the upstream router for three consecutive Hello intervals, the negotiation between the local router and its peer fails.
▪ Processing of inferior BPDUs
  ❖ When a port receives a BPDU from the upstream designated bridge, the port compares the received BPDU with its own BPDU.
  ❖ If its own BPDU is superior to the received one, the port discards the received BPDU and immediately responds to the upstream router with its own BPDU. After receiving the BPDU, the upstream router updates its own BPDU based on the corresponding fields in the received BPDU.
  ❖ In this manner, RSTP processes inferior BPDUs more rapidly, independent of any timer that is used in STP.
▪ Rapid convergence
  ❖ A designated port on the network edge is called an edge port. An edge port directly connects to a terminal and does not connect to any other routers. An edge port does not receive configuration BPDUs, and therefore does not participate in the RSTP calculation. It can directly change from the Disabled state to the Forwarding state without any delay, just like an STP.
  ❖ If the root port fails, the most superior alternate port on the network becomes the root port and enters the Forwarding state. This is because there must be a path from the root bridge to a designated port on the network segment connecting to the alternate port. When the port role changes, the network topology will change accordingly.
  ❖ The port enters the Discarding state, and then the proposal/agreement mechanism allows the port to immediately enter the Forwarding state.
BPDU exchange during the P/A negotiation:
As shown below, a new link is established between the root bridges Device A and Device B. On Device B, p2 is an alternate port; p3 is a designated port in the Forwarding state; p4 is an edge port. The P/A mechanism works in the following process:
1. p0 and p1 become designated ports and send BPDUs.
2. After receiving a BPDU with a higher priority, p1 realizes that it will become a root port but not a designated port, and therefore it stops sending BPDUs.
3. p0 enters the Discarding state, and sends BPDUs with the Proposal field being 1.
4. After receiving a BPDU with the Proposal field being 1, Device B sets the sync variable to 1 for all its ports.
5. As p2 has been blocked, its status remains unchanged; p4 is an edge port, and therefore it does not participate in calculation. Therefore, only the non-edge designated port p3 needs to be blocked.
6. After p2, p3, and p4 enter the Discarding state, their synced variables are set to 1. The synced variable of the root port p1 is then set to 1, and p1 sends a BPDU with the Agreement field being 1 to Device A. Except for the Agreement field, which is set to 1, and the Proposal field, which is set to 0, the BPDU is the same as the one that was received.
7. After receiving this BPDU, Device A identifies it as a reply to the proposal that it just sent, and therefore p0 immediately enters the Forwarding state.
This P/A negotiation process finishes, and Device B continues to perform the P/A negotiation with its downstream router.
Theoretically, STP can quickly select a designated port. To prevent loops, STP has to wait for a period of time long enough to determine the status of all ports on the network. All ports can enter the Forwarding state at least one forward delay later. RSTP is developed to eliminate this bottleneck by blocking non-root ports to prevent loops. By using the P/A mechanism, the upstream port can rapidly enter the Forwarding state.
RSTP provides backward compatibility with 802.1D bridges as follows:
▪ RSTP selectively sends 802.1D-configured BPDUs and Topology Change Notification (TCN) BPDUs on a per-port basis.
▪ When a port initializes, the migration delay timer starts and RSTP BPDUs are transmitted. While the migration delay timer is active, the bridge processes all BPDUs received on that port.
▪ If the bridge receives an 802.1D BPDU after a port’s migration delay timer expires, the bridge assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
▪ When RSTP uses 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
##Example-1##
Considering the network topology below:
In this example, we will consider 2 scenarios:
1. The preferred path to the root bridge will be changed by manipulating the active path from SW-4's perspective.
2. The root guard feature will be demonstrated as an example of keeping our existing STP topology stable.
## Configuration of SW-1 Switch ##
root@SW-1# run show configuration | display set | match rstp
set protocols rstp bridge-priority 8k
set protocols rstp interface xe-0/0/2 cost 100
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface all priority 16
## Configuration of SW-2 Switch ##
root@SW-2# run show configuration | display set | match rstp
set protocols rstp bridge-priority 16k
set protocols rstp interface xe-0/0/2 cost 100
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface xe-0/0/10 cost 10
set protocols rstp interface xe-0/0/10 mode point-to-point
set protocols rstp interface xe-0/0/10 no-root-port
set protocols rstp interface all priority 16
## Configuration of SW-3 Switch ##
root@SW-3# run show configuration | display set | match rstp
set protocols rstp bridge-priority 16k
set protocols rstp interface xe-0/0/2 cost 10
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface xe-0/0/11 cost 10
set protocols rstp interface xe-0/0/11 mode point-to-point
set protocols rstp interface xe-0/0/11 no-root-port
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface all priority 16
## Configuration of SW-4 Switch ##
root@SW-4# run show configuration | display set | match rstp
set protocols rstp bridge-priority 16k
set protocols rstp interface xe-0/0/2 cost 100
set protocols rstp interface xe-0/0/2 mode point-to-point
set protocols rstp interface ae0 cost 10
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface all priority 16
## Configuration of SW-5 Switch ##
root@SW-5# run show configuration | display set | match rstp
set protocols rstp bridge-priority 4k
set protocols rstp interface xe-0/0/10 cost 100
set protocols rstp interface xe-0/0/10 mode point-to-point
set protocols rstp interface xe-0/0/11 cost 10
set protocols rstp interface xe-0/0/11 mode point-to-point
set protocols rstp interface all priority 16
You can see that the root port for SW-4 was manipulated by changing the RPC value in the following outputs:
The following outputs include screenshots of adding SW-5 to the existing topology and changing its bridge-priority value to 4k after adding it. SW-5 is isolated from the current STP topology because the root guard feature is active on the relevant interfaces of the upstream switches. As a result of this situation, SW-5 now sees itself as a root bridge in a different STP topology.
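The root guard decision described above can be modelled in a few lines. The following is an added example, not part of the original document or of Junos: it compares BPDU priority vectors on SW-2 using the bridge priorities and port costs from the configuration above. The MAC addresses, the assumption that SW-1 is reached through ae0, and the `root-prevented` state label are assumptions made for the sketch.

```python
"""Root guard (Junos no-root-port) decision, modelled on SW-2 from Example-1."""
from dataclasses import dataclass
from typing import Dict, NamedTuple, Optional


class BridgeId(NamedTuple):
    priority: int  # bridge-priority: 4k = 4096, 8k = 8192, 16k = 16384
    mac: int       # constructed MAC addresses, used only as a tie-breaker


class PriorityVector(NamedTuple):
    """BPDU fields in comparison order; the numerically lower tuple is superior."""
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    sender_port: int


@dataclass
class Port:
    cost: int
    no_root_port: bool = False
    state: str = "forwarding"


class Bridge:
    def __init__(self, bridge_id: BridgeId, ports: Dict[str, Port]) -> None:
        self.ports = ports
        # Until it hears something better, a bridge believes it is the root.
        self.best = PriorityVector(bridge_id, 0, bridge_id, 0)
        self.root_port: Optional[str] = None

    def receive(self, port_name: str, bpdu: PriorityVector) -> str:
        port = self.ports[port_name]
        # Reaching the advertised root through this port adds the port's cost.
        candidate = bpdu._replace(root_path_cost=bpdu.root_path_cost + port.cost)
        if candidate >= self.best:
            return "not superior: ignored"
        if port.no_root_port:
            # Root guard: this port may never become the root port, so the
            # superior BPDU is not adopted and the port stops forwarding.
            port.state = "root-prevented"  # label chosen for this sketch
            return "superior on guarded port: blocked"
        self.best, self.root_port = candidate, port_name
        return "superior: new root port"


# Constructed bridge IDs: priorities from the page, MAC addresses invented.
SW1 = BridgeId(8192, 0x02_00_00_00_00_01)
SW2 = BridgeId(16384, 0x02_00_00_00_00_02)
SW5 = BridgeId(4096, 0x02_00_00_00_00_05)


def run_scenario(root_guard: bool) -> Bridge:
    """SW-2 first learns the root SW-1, then SW-5 appears on xe-0/0/10."""
    sw2 = Bridge(SW2, {
        "ae0": Port(cost=10),
        "xe-0/0/2": Port(cost=100),
        "xe-0/0/10": Port(cost=10, no_root_port=root_guard),
    })
    sw2.receive("ae0", PriorityVector(SW1, 0, SW1, 1))        # assumed: SW-1 is behind ae0
    sw2.receive("xe-0/0/10", PriorityVector(SW5, 0, SW5, 1))  # SW-5 joins with priority 4k
    return sw2


if __name__ == "__main__":
    for guard in (True, False):
        sw2 = run_scenario(guard)
        print(f"no-root-port={guard}: root priority {sw2.best.root.priority}, "
              f"root port {sw2.root_port}, xe-0/0/10 {sw2.ports['xe-0/0/10'].state}")
```

With the guard removed, the same BPDU from SW-5 moves the root of the whole topology to the newly attached switch, which is the outcome `no-root-port` on the SW-5-facing interfaces prevents.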
5. VSTP
It allows a spanning tree to be calculated for each VLAN. It maintains a separate spanning-tree instance for each VLAN, allowing load balancing of Layer 2 traffic. It is a proprietary protocol that is compatible with similar protocols from other vendors.
When using VSTP, you can selectively configure up to 253 VLANs which map to distinct spanning-tree topologies. You can also enable RSTP for all VLANs not participating in VSTP. VSTP and RSTP are the only STP protocols that can be configured concurrently. So for this example, RSTP is used in addition to VSTP to account for any VLANs above and beyond 253.
Switches configured to run VSTP automatically assign each VLAN to one spanning tree instance that runs RSTP. While this approach is useful to optimize network usage in small networks with a limited number of VLANs, VSTP configuration in networks with several hundred VLANs can overload switch CPUs, because every VLAN has its own separate BPDU.
VSTP has the following benefits:
▪ Connects devices that are not part of the network
▪ Compatible with Cisco PVST+
▪ VSTP and RSTP are the only spanning-tree protocols that can be configured concurrently on a device
6. 802.1S
The IEEE version was adapted for use with multiple VLANs using 802.1Q frame tagging. A shared spanning tree, sometimes called Mono Spanning Tree (MST) by Cisco, or more often Common Spanning Tree (CST), was used to create a single loop-free topology. The drawback of this approach is the inability to perform VLAN traffic engineering across redundant links: if a link is blocked, it is blocked for all VLANs. Another issue is related to STP construction: more traffic is forwarded over the links closer to the root bridge, which puts higher demand on the root bridge resources, both in terms of CPU and link capacity utilization. To overcome these limitations, a separate STP instance per VLAN was used, such as VSTP or PVSTP.
It allowed for using a different logical topology with every VLAN, enhancing basic Layer 2 traffic engineering. Every VLAN may use its own root bridge and forwarding topology, allowing for fairer resource utilization. This method has some limitations, as it does not deal with the actual network link capacities and utilization, but rather statistically multiplexes VLANs to different topologies. However, this is the limitation inherent to any load-balancing method based on STP. The main problem of this approach was that, as the number of VLANs grows, it becomes a waste of switch resources and a management burden. This is because the number of different logical topologies is usually much smaller than the number of active VLANs.
The core idea of MSTP is utilizing the fact that a redundant physical topology only has a small number of different spanning trees (logical topologies). MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances. Each instance can have a topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing. Network fault tolerance is improved because a failure in one instance (forwarding path) does not affect other instances. The figure below shows a ring topology of three switches and three different spanning trees that may result from different root bridge placements.
MSTP runs a number of VLAN-independent STP instances (representing logical topologies) and then the administrator maps each VLAN to the most appropriate logical topology (STP instance). The number of STP instances is kept to a minimum (saving switch resources), but the network capacity is utilized in a more optimal fashion, by using all possible paths for VLAN traffic.
The switch logic for VLAN traffic forwarding has changed a little bit. In order for a frame to be forwarded out of a port, two conditions must be met:
1. The VLAN must be active on this port (e.g. not filtered).
2. The STP instance the VLAN maps to must be in a non-discarding state for this port. It is normally enforced automatically, as MAC addresses are not learned on discarding ports.
It is worth remembering that, due to multiple logical topologies being active on a port, the port could be blocking for one instance and forwarding for another. The figure below demonstrates six VLANs using two MSTP instances, thus reducing the number of STP trees that would be required with (P)VSTP from 6 to 2.
Follow these restrictions and guidelines to avoid configuration problems on MSTP:
▪ Do not disable spanning tree on any VLAN in any of the bridges, and do not connect switches with access links, because access links may partition a VLAN.
▪ Ensure that all root bridges have lower (numerically higher) priority than the CST root bridge.
▪ Ensure that trunks carry all of the VLANs mapped to an instance or do not carry any VLANs at all for this instance.
▪ Complete any MST configuration that incorporates a large number of either existing or new logical VLAN ports during a maintenance window because the complete MST database gets reinitialized for any incremental change (such as adding new VLANs to instances or moving VLANs across instances).
Every MSTP region runs a special instance of spanning tree known as IST or Internal Spanning Tree (=MSTI0). This instance mainly serves the purpose of disseminating STP topology information for MSTIs. IST has a root bridge, elected based on the lowest Bridge ID (Bridge Priority + MAC address). The situation changes with multiple MSTP regions in the network. When a switch detects BPDU messages sourced from another region, it marks the corresponding port as an MSTP boundary. A switch that has boundary ports is known as a boundary switch. When multiple regions connect together, every region needs to construct its own IST and all regions should build one common CIST spanning across the regions.
On the figure below, notice MSTP uses protocol version 3 as opposed to RSTP's version 2.
The MSTP BPDU contains two important blocks of information. One, highlighted in red, is related to CIST Root and CIST Regional Root election. CIST Root is elected among all regions and CIST Regional Root is elected in every region. The green block outlines the information about the CIST Regional Root (which becomes the IST Root in the presence of multiple regions). The CIST Internal Root path cost is the intra-region cost to reach the CIST Regional Root. It is important to keep in mind that IST Root = CIST Regional Root in the case where multiple regions interoperate. This transformation is explained further in the text.
Now, to define the CIST Root and CIST Regional Root roles:
▪ CIST Root is the bridge that has the lowest Bridge ID among ALL regions. This could be a bridge inside a region or a boundary switch in a region.
▪ CIST Regional Root is a boundary switch elected for every region based on the shortest external path cost to reach the CIST Root. Path cost is calculated based on costs of the links connecting the regions, excluding the internal regional paths. CIST Regional Root becomes the root of the IST for the given region as well.
The CIST Root bridge election process follows the steps below:
1. When a switch boots up, it declares itself as CIST Root and CIST Regional Root and announces this fact in outgoing BPDUs. The switch will adjust its decision upon reception of better information and continue advertising the best known CIST Root and CIST Regional Root on all internal ports. On the boundary ports, the switch advertises only the CIST Root Bridge ID and CIST External Root Path Cost, thus hiding the details of the region’s internal topology.
2. CIST External Root Path Cost is the cost to reach the CIST Root across the links connecting the boundary ports – i.e. the inter-region links. When a BPDU is received on an internal port, this cost is not changed. When a BPDU is received on a boundary port, this cost is adjusted based on the receiving boundary port cost. As a result, the CIST External Root Path Cost is propagated unmodified inside any region.
3. Only a boundary switch could be elected as the CIST Regional Root, and this is the switch with the lowest cost to reach the CIST Root. If a boundary switch hears a better CIST External Root Path cost received on its internal link, it will relinquish its role of CIST Regional Root and start announcing the new metric out of its boundary ports.
4. Every boundary switch needs to properly block its boundary ports. If the switch is a CIST Regional Root, it elects one of the boundary ports as the “CIST Root port” and blocks all other boundary ports. If a boundary switch is not the CIST Regional Root, it will mark the boundary ports as CIST Designated or Alternate. The boundary port on a non regional-root bridge becomes designated only if it has superior information for the CIST Root:
  ▪ Better External Root Path cost
  ▪ If the costs are equal, better CIST Regional Root Bridge ID.
5. As a result of CIST construction, every region will have one switch having a single port unblocked in the direction of the CIST Root. This switch is the CIST Regional Root. All boundary switches will advertise the region’s CIST Regional Root Bridge ID out of their non-blocking boundary ports. From the outside perspective, the whole region will look like a single virtual bridge with the Bridge ID = CIST Regional Root ID and a single root port elected on the CIST Regional Root switch.
6. The region that contains the CIST Root will have all boundary ports unblocked and marked as CIST designated ports. Effectively the region would look like a virtual root bridge with the Bridge ID equal to CIST Root and all ports being designated. Notice that the region with CIST Root has CIST Regional Root equal to CIST Root as they share the same lowest bridge priority value across all regions.
Have a look at the diagram below.
It demonstrates the CIST topology calculated from the physical topology we outlined above. First, SW1-1 is elected as the CIST Root as it has the lowest Bridge ID among all bridges in all regions. This automatically makes region 1 a virtual bridge with all boundary ports unblocked. Next, SW2-1 and SW3-1 are elected as the CIST Regional Roots in their respective regions. Notice that SW3-1 and SW2-3 have equal External Costs to reach the CIST Root but SW3-1 wins the CIST Regional Root role due to lower priority. Keep in mind that in the topology with multiple MSTP regions, every region that does not contain the CIST Root has to change the IST Root election process and make IST Root equal to CIST Regional Root.
MSTIs are constructed independently in every region, but they have to be mapped to the CIST at the boundary ports. This means inability to load-balance VLAN traffic on the boundary links by mapping VLANs to different instances. All VLANs use the same non-blocking boundary ports, which are either upstream or downstream with respect to the CIST Root. This statement is only valid with respect to the CST paths connecting the regional virtual bridges. Inside any region VLANs follow the internal topology paths, based on the respective MSTI configurations.
The MSTIs have no idea of the CIST Root whatsoever; they only use internal paths and internal MSTI root to build the spanning trees. However, all MSTP instances see the root port (towards the CIST Root) of the CIST Regional Bridge as a special Master Port connecting them to the CIST Root bridge. This port serves the purpose of the “gateway” linking MSTI's to other regions. Recall that switches do not send M-Records (MSTI information) out of boundary ports, only CIST information. Thus, the CIST and MSTI's may converge independently and in parallel. The Master Port will only begin forwarding when all respective MSTI ports are in sync and forwarding to avoid temporary bridging loops.
The concept of MSTP region allows for bounding STP re-computations. Since MSTIs in every region are independent, any change affecting MSTI in one region will not affect MSTIs in other regions. This is a direct result of the fact that M-Record information is not exchanged between the regions. However, the CIST recalculations affect every region and might be slow converging. This is why it is a good idea not to map any VLAN to CIST and avoid connecting MSTP regions to IEEE STP domains.
Topology changes in MSTP are treated the same way as in RSTP. That is, only non-edge links going to the forwarding state will cause a topology change, and the switch detecting the change will flood this information through the domain. However, a single physical link may be forwarding for one MSTI and blocking for another. Thus, a single physical change may have a different effect on MSTIs and the CIST. Topology changes in MSTIs are bounded to a single region, while topology changes to the CIST propagate through all regions. Every region treats the TC notification from another region as “external” and applies them to CIST-associated ports only.
A topology change to CST (the tree connecting the virtual bridges) will affect all MSTIs in all regions and the CIST. This is due to the fact that a new link becoming forwarding between the virtual bridges may change all paths in the topology and thus require massive MAC address re-learning. Thus, from the standpoint of topology change, something happening to the CST will have the most massive flooding impact in the set of interconnected MSTP regions.
The above observations suggest a good design rule for MSTP networks – separate “meshy” topologies in their own regions and interconnect regions using a “sparse” mesh, keeping in mind the balance between redundancy and the effect of topology changes. This is an adaptation of a well-known design principle: separate complexity from complexity to keep networks more stable and isolate fault domains. In addition, exposing a lot of links to CST will reduce your load-balancing choices, as CST supports only one STP instance. You want to avoid designs like the one diagrammed below, which effectively disables load balancing on the mesh of links that belong to CST. The reason is that now the full mesh of links belongs to CST and it elects only one unblocked path between the two regions.
Even though region partitioning offers better fault isolation, it still does not eliminate well-known Ethernet issues such as unicast and broadcast flooding. Those may still occur and disrupt network connectivity. For example, unicast flooding could be caused by unidirectional traffic and broadcast flooding may be a result of transient bridging loops when a root bridge fails. Transient bridging loops are a reality with RSTP/MSTP, especially in larger topologies, due to various synchronization problems resulting in count-to-infinity behavior. This problem is especially dangerous when a root bridge crashes and the remaining topology contains loops – old information may circulate until it is aged out using hop counting (counting to infinity).
##Example-1##
Considering the network topology with a single region MSTP below:
In this example, we will consider 2 scenarios:
1. Two different instances will be created
  ▪ MST 1 – 10, 20, 30
  ▪ MST 2 – 100, 200, 300
2. Path manipulation will be performed for each instance
## Configuration of SW-1 Switch ##
root@SW-1# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 16k
set protocols mstp interface xe-0/0/2 cost 1000
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 10
set protocols mstp msti 1 interface ae0 cost 10
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 10
set protocols mstp msti 2 interface ae0 cost 100
## Configuration of SW-2 Switch ##
root@SW-2# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 cost 200
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/10 cost 100
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 4k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 10
set protocols mstp msti 1 interface xe-0/0/10 cost 10
set protocols mstp msti 1 interface ae0 cost 10
set protocols mstp msti 2 bridge-priority 8k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 40
set protocols mstp msti 2 interface xe-0/0/10 cost 40
set protocols mstp msti 2 interface ae0 cost 10
## Configuration of SW-3 Switch ##
root@SW-3# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 cost 1000
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/11 cost 100
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 8k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 40
set protocols mstp msti 1 interface xe-0/0/11 cost 40
set protocols mstp msti 1 interface ae0 cost 10
set protocols mstp msti 2 bridge-priority 4k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 40
set protocols mstp msti 2 interface xe-0/0/11 cost 40
set protocols mstp msti 2 interface ae0 cost
## Configuration of SW-4 Switch ##
root@SW-4# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 16k
set protocols mstp interface xe-0/0/2 cost 200
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/2 cost 10
set protocols mstp msti 1 interface ae0 cost 100
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/2 cost 10
set protocols mstp msti 2 interface ae0 cost 10
## Configuration of SW-5 Switch ##
root@SW-5# run show configuration | display set | match mstp
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 4k
set protocols mstp interface xe-0/0/10 cost 100
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface xe-0/0/11 cost 100
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 1 interface xe-0/0/10 cost 10
set protocols mstp msti 1 interface xe-0/0/11 cost 20
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
set protocols mstp msti 2 interface xe-0/0/10 cost 20
set protocols mstp msti 2 interface xe-0/0/11 cost 10
Basic information about the MSTP configuration can be obtained from the output of the command below. Within the same region, the values in the field marked in red must be the same. The configuration digest value is derived from the VLAN-to-instance mapping and must be the same for all switches. Changing the revision or region name value does not affect the digest value. It is also worth noting that VLANs that are not included in the current configuration can be added to the MSTI, as the MSTP operation is performed over the data plane. Also, if we do not use these VLANs on the connections between the switches (referred to as vlan members all), we only see MSTI 0 in the configuration; the rest is not visible because the VLAN-to-instance mapping is not created.
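The region check described above can be reproduced offline when auditing switch configurations. This is an added example, not part of the original document or of Junos: it parses the region-relevant `set protocols mstp` lines of SW-1 and SW-5 from this example, computes the configuration digest as IEEE 802.1Q defines it (HMAC-MD5 over the VLAN-to-instance table with a fixed, published key), and reports which identifier fields differ. Revision 0 is assumed because the page configures none, and the drifted and renamed variants are constructed.

```python
import hashlib
import hmac
import re
from typing import Dict, List, NamedTuple, Set

# Signature key fixed by IEEE 802.1Q for the MST Configuration Digest. It is
# public and identical on every bridge: the digest detects mismatched mappings,
# it does not authenticate the sender of a BPDU.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


class MstConfigId(NamedTuple):
    name: str
    revision: int
    digest: str


def config_digest(msti_vlans: Dict[int, Set[int]]) -> str:
    """HMAC-MD5 over the 4096-entry VID -> MSTID table, two bytes per entry."""
    table = [0] * 4096  # 0 = MSTI 0 (the IST); entries 0 and 4095 always stay 0
    for msti, vlans in msti_vlans.items():
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN id {vid}")
            if table[vid] not in (0, msti):
                raise ValueError(f"VLAN {vid} is mapped to two instances")
            table[vid] = msti
    blob = b"".join(mstid.to_bytes(2, "big") for mstid in table)
    return hmac.new(DIGEST_KEY, blob, hashlib.md5).hexdigest()


def parse_mstp(config: str) -> MstConfigId:
    """Build the region identifier from one switch's 'display set' output."""
    name, revision = "", 0  # assumption: revision 0, the page configures none
    msti_vlans: Dict[int, Set[int]] = {}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"set protocols mstp configuration-name (\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"set protocols mstp revision-level (\d+)", line):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"set protocols mstp msti (\d+) vlan (\d+)", line):
            msti_vlans.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return MstConfigId(name, revision, config_digest(msti_vlans))


def differing_fields(a: MstConfigId, b: MstConfigId) -> List[str]:
    """Empty list = same region; otherwise the fields that split the region."""
    return [f for f in MstConfigId._fields if getattr(a, f) != getattr(b, f)]


# Region-relevant lines copied from the SW-1 and SW-5 configurations above.
SW1_CONFIG = """
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 16k
set protocols mstp msti 1 bridge-priority 32k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 2 bridge-priority 32k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
"""
SW5_CONFIG = """
set protocols mstp configuration-name Region-1
set protocols mstp bridge-priority 4k
set protocols mstp msti 1 bridge-priority 16k
set protocols mstp msti 1 vlan 10
set protocols mstp msti 1 vlan 20
set protocols mstp msti 1 vlan 30
set protocols mstp msti 2 bridge-priority 16k
set protocols mstp msti 2 vlan 100
set protocols mstp msti 2 vlan 200
set protocols mstp msti 2 vlan 300
"""
# Constructed variants: VLAN 30 missing from MSTI 1, and a different region name.
DRIFTED_CONFIG = SW5_CONFIG.replace("set protocols mstp msti 1 vlan 30\n", "")
RENAMED_CONFIG = SW5_CONFIG.replace("Region-1", "Region-X")

if __name__ == "__main__":
    base = parse_mstp(SW1_CONFIG)
    for label, cfg in [("SW-5", SW5_CONFIG), ("drifted", DRIFTED_CONFIG),
                       ("renamed", RENAMED_CONFIG)]:
        print(label, differing_fields(base, parse_mstp(cfg)) or "same region")
```

A single missing `vlan` statement changes only the digest, yet that is enough for the neighbours to treat the port as a region boundary, so comparing all three fields across the fleet catches the drift before it changes the topology.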
We can make the following inferences from the output below:
▪ For MSTI 1, we can verify that SW-1 is the Root Bridge from the data in the area marked in blue. In addition, the value 4097 here consists of the Bridge ID (4096) + Instance ID (MSTI 1) value.
  ❖ Because the Bridge ID value equals the MSTI Regional Root value
▪ For MSTI 2, we can verify that SW-3 is the Root Bridge from the data in the area marked in brown.
  ❖ Because the Bridge ID value does not equal the MSTI Regional Root value
▪ You can also see the value of CST calculated for all other VLANs used outside of the configuration in the field marked in red.
  ❖ These VLANs are referred to in the above output as MSTI 0
  ❖ This is the IST Root Bridge, which refers to SW-5
You can easily verify that the root bridge for MSTI 1 is currently SW-1. Also, VLANs that are members of the MSTI 2 configuration use the xe-0/0/2 interface to send traffic. All other traffic that matches neither MSTI 1 nor MSTI 2 chooses the ae0 interface, because here path manipulation was done by increasing the cost value on the xe-0/0/2 interface.
Inferences similar to the above also apply here.
##Example-2##
Considering the network topology with a multiple-region MSTP below:
## Configuration of SW-1 Switch ##
root@SW-1# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-2
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/2 cost 100
set protocols mstp interface ae0 mode point-to-point
set protocols mstp interface ae0 cost 100
set protocols mstp msti 20 bridge-priority 8k
set protocols mstp msti 20 vlan 10
set protocols mstp msti 20 vlan 20
set protocols mstp msti 20 vlan 30
set protocols mstp msti 20 interface xe-0/0/2 cost 10
set protocols mstp msti 20 interface ae0 cost 10
set protocols mstp msti 21 bridge-priority 16k
set protocols mstp msti 21 vlan 100
set protocols mstp msti 21 vlan 200
set protocols mstp msti 21 vlan 300
set protocols mstp msti 21 interface xe-0/0/2 cost 10
set protocols mstp msti 21 interface ae0 cost 10
## Configuration of SW-2 Switch ##
root@SW-2# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 4k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/10 mode point-to-point
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 10 bridge-priority 16k
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 10 interface xe-0/0/2 cost 10
set protocols mstp msti 10 interface xe-0/0/10 cost 10
set protocols mstp msti 10 interface ae0 cost 10
set protocols mstp msti 11 bridge-priority 16k
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
set protocols mstp msti 11 interface xe-0/0/2 cost 10
set protocols mstp msti 11 interface xe-0/0/10 cost 10
set protocols mstp msti 11 interface ae0 cost 10
## Configuration of SW-3 Switch ##
root@SW-3# run show configuration | display set | match mstp
set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 8k
set protocols mstp interface xe-0/0/2 mode point-to-point
set protocols mstp interface xe-0/0/11 mode point-to-point
set protocols mstp interface ae0 mode point-to-point
set protocols mstp msti 10 bridge-priority 16k
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 10 interface xe-0/0/2 cost 10
set protocols mstp msti 11 bridge-priority 8k
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
set protocols mstp msti 11 interface xe-0/0/2 cost 10
  • 32. 32 set protocols mstp msti 11 interface xe-0/0/11 cost 10 set protocols mstp msti 11 interface ae0 cost 10 ## Configuration of SW-4 Switch ## root@SW-4# run show configuration | display set | match mstp set protocols mstp configuration-name REGION-2 set protocols mstp bridge-priority 8k set protocols mstp interface xe-0/0/2 mode point-to-point set protocols mstp interface ae0 mode point-to-point set protocols mstp msti 20 bridge-priority 16k set protocols mstp msti 20 vlan 10 set protocols mstp msti 20 vlan 20 set protocols mstp msti 20 vlan 30 set protocols mstp msti 20 interface xe-0/0/2 cost 10 set protocols mstp msti 20 interface ae0 cost 10 set protocols mstp msti 21 bridge-priority 8k set protocols mstp msti 21 vlan 100 set protocols mstp msti 21 vlan 200 set protocols mstp msti 21 vlan 300 set protocols mstp msti 21 interface xe-0/0/2 cost 10 set protocols mstp msti 21 interface ae0 cost 10 ## Configuration of SW-5 Switch ## root@SW-5# run show configuration | display set | match mstp set protocols mstp configuration-name REGION-1 set protocols mstp bridge-priority 8k set protocols mstp interface xe-0/0/10 mode point-to-point set protocols mstp interface xe-0/0/11 mode point-to-point set protocols mstp msti 10 bridge-priority 4k set protocols mstp msti 10 vlan 10 set protocols mstp msti 10 vlan 20 set protocols mstp msti 10 vlan 30 set protocols mstp msti 10 interface xe-0/0/10 cost 10 set protocols mstp msti 10 interface xe-0/0/11 cost 10 set protocols mstp msti 11 bridge-priority 16k set protocols mstp msti 11 vlan 100 set protocols mstp msti 11 vlan 200 set protocols mstp msti 11 vlan 300 set protocols mstp msti 11 interface xe-0/0/10 cost 10 set protocols mstp msti 11 interface xe-0/0/11 cost 10 As can be seen from the output of the command below, basically information about the MSTP configuration can be obtained. 
Note that because MSTP is used between different regions, the configuration digest value differs on switches located in different regions.
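Why the digest differs between the two regions here, as an added Python example that is not part of the original slides: it rebuilds the MST Configuration Digest (HMAC-MD5 over the 4096-entry VLAN-to-MSTI table, as IEEE 802.1Q defines it) from the `vlan` statements shown above. The revision level of 0 is an assumption, because the page's configs set no `revision-level`, and `region_id` is an illustrative name.

```python
import hashlib
import hmac
import re

# Fixed, public signature key that IEEE 802.1Q defines for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Region name and VLAN-to-MSTI statements copied from the page's configs
# (REGION_1 as on SW-2/SW-3/SW-5, REGION_2 as on SW-1/SW-4); other lines omitted.
REGION_1 = """\
set protocols mstp configuration-name REGION-1
set protocols mstp msti 10 vlan 10
set protocols mstp msti 10 vlan 20
set protocols mstp msti 10 vlan 30
set protocols mstp msti 11 vlan 100
set protocols mstp msti 11 vlan 200
set protocols mstp msti 11 vlan 300
"""
REGION_2 = """\
set protocols mstp configuration-name REGION-2
set protocols mstp msti 20 vlan 10
set protocols mstp msti 20 vlan 20
set protocols mstp msti 20 vlan 30
set protocols mstp msti 21 vlan 100
set protocols mstp msti 21 vlan 200
set protocols mstp msti 21 vlan 300
"""

def region_id(config, revision=0):
    """Return (name, revision, digest); bridges share a region only if all three match."""
    # revision=0 is an assumption: the page's configs do not set revision-level.
    name = re.search(r"^set protocols mstp configuration-name (\S+)$", config, re.M).group(1)
    table = bytearray(2 * 4096)  # one 2-byte MSTID per VID 0..4095; 0 means the CIST
    for msti, vlan in re.findall(r"^set protocols mstp msti (\d+) vlan (\d+)$", config, re.M):
        vid = int(vlan)
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID out of range: {vid}")
        table[2 * vid:2 * vid + 2] = int(msti).to_bytes(2, "big")
    digest = hmac.new(DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()
    return name, revision, digest

if __name__ == "__main__":
    for cfg in (REGION_1, REGION_2):
        print(region_id(cfg))
    # Constructed drift: one switch maps an extra VLAN, so its digest no longer matches
    # its neighbours and it falls out of REGION-1 although the name is unchanged.
    drifted = REGION_1 + "set protocols mstp msti 11 vlan 400\n"
    print("still REGION-1 member:", region_id(drifted) == region_id(REGION_1))
```

Both regions carry the same VLAN IDs, but they map them to different MSTI numbers (10/11 versus 20/21), so the digests differ as well as the names. Because the digest key is public, a matching digest shows only that two mapping tables agree; it does not authenticate the neighbouring switch.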
  • 33. Our topology here consists of two different regions, as can be understood from the configuration commands above. We can summarize these regions as follows:
    ▪ SW-1 – SW-4 --- REGION-2
    ▪ SW-2 – SW-3 – SW-5 --- REGION-1
    We can summarize the actions to be done here as follows:
    ▪ REGION-1
      ❖ SW-5 is the root bridge for MSTI Instance 10
      ❖ SW-3 is the root bridge for MSTI Instance 11
  • 34.
      ❖ Verify the current interface status on SW-3
    ▪ REGION-2
      ❖ SW-1 is the root bridge for MSTI Instance 20
      ❖ SW-4 is the root bridge for MSTI Instance 21
  • 35.
      ❖ Verify the current interface status on SW-4
    ▪ CST
      ❖ SW-1 is CIST regional root for REGION-1
  • 36.
      ❖ SW-2 is CIST regional root for REGION-2
    Other than that, for the CST, the new roles received by the interfaces on SW-1 may be displayed as follows. In this case, traffic between regions is transmitted between SW-2 and SW-1:
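The per-instance root placement listed in these slides can be cross-checked against the `bridge-priority` statements of the five configurations. The following Python is an added example, not part of the original slides; `CONFIGS`, `PRIO` and `elect_roots` are illustrative names, and it handles only the `Nk` priority form used on the page.

```python
import re
from collections import defaultdict

# Region name and bridge-priority statements copied from the page's five configs
# (all other statements omitted).
CONFIGS = {
    "SW-1": """set protocols mstp configuration-name REGION-2
set protocols mstp bridge-priority 8k
set protocols mstp msti 20 bridge-priority 8k
set protocols mstp msti 21 bridge-priority 16k""",
    "SW-2": """set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 4k
set protocols mstp msti 10 bridge-priority 16k
set protocols mstp msti 11 bridge-priority 16k""",
    "SW-3": """set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 8k
set protocols mstp msti 10 bridge-priority 16k
set protocols mstp msti 11 bridge-priority 8k""",
    "SW-4": """set protocols mstp configuration-name REGION-2
set protocols mstp bridge-priority 8k
set protocols mstp msti 20 bridge-priority 16k
set protocols mstp msti 21 bridge-priority 8k""",
    "SW-5": """set protocols mstp configuration-name REGION-1
set protocols mstp bridge-priority 8k
set protocols mstp msti 10 bridge-priority 4k
set protocols mstp msti 11 bridge-priority 16k""",
}
PRIO = re.compile(r"^set protocols mstp (?:msti (\d+) )?bridge-priority (\d+)k$", re.M)

def elect_roots(configs):
    """Map (scope, instance) to the switch(es) holding the lowest configured priority."""
    bids = defaultdict(list)
    for switch, text in configs.items():
        region = re.search(r"configuration-name (\S+)", text).group(1)
        for msti, prio in PRIO.findall(text):
            # An MSTI is elected inside one region; the CIST (instance 0) spans all bridges.
            scope = (region, int(msti)) if msti else ("CIST", 0)
            bids[scope].append((int(prio) * 1024, switch))
    roots = {}
    for scope, entries in bids.items():
        best = min(prio for prio, _ in entries)
        # Several names mean a tie that the bridge MAC address, not the config, will break.
        roots[scope] = sorted(sw for prio, sw in entries if prio == best)
    return roots

if __name__ == "__main__":
    for scope, winners in sorted(elect_roots(CONFIGS).items()):
        print(scope, winners)
```

A result with more than one switch for an instance means the configuration alone does not pin the root, so the bridge with the lowest MAC address would win the election.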