STP Port States
Forwarding
Can send and receive Data Frames
Can send and receive BPDUs
Blocking
Cannot send or receive Data Frames
Can send and receive BPDUs
Disabled
Does not take part in STP operation
Problems caused by Layer 2 loops when no STP is running:
Broadcast storms
Multiple frame transmission
MAC Database instability
---------------------------------------------------
Spanning-Tree
A loop-prevention protocol; the standard is 802.1D
---------------------------------------------------
Role selection
1. First elect the Root Bridge (the one with the lower Bridge ID); all others are Nonroot Bridges
* On a tie, compare the Base MAC, which can be looked up with the show version command
* Only the Root Bridge sends BPDUs
2. Every Nonroot Bridge must elect exactly one Root Port
The RP is the port on the best path toward the Root Bridge
RP state is Forwarding
Selection criteria:
* Total Path Cost (Path Cost: 10G=2, 1G=4, 100M=19, 10M=100)
* Port ID
3. Each Segment (the link between two switch ports) must elect one Designated Port
The DP sends BPDUs
DP state is Forwarding
Selection criteria:
* Sending Path Cost
* Bridge ID
* Port ID
4. The remaining ports are Nondesignated Ports
NDPs are the ports not assigned any other role
NDP state is Blocking
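The four election steps above, worked through in code. This is an added example written for this note, not code from the original post or from Cisco. The three-switch topology is constructed: the sw01 and sw02 MACs are the two that appear in the show spanning-tree output later in the post, while sw03's MAC and all port numbers are made up; the path costs are the values listed above.

```python
"""
Classic 802.1D role election: root bridge, one root port per non-root bridge,
one designated port per segment, everything else non-designated (blocking).
Added example written for this note; not code from the original post.
"""
import heapq
from dataclasses import dataclass

# Path costs exactly as listed in the post.
PATH_COST = {"10G": 2, "1G": 4, "100M": 19, "10M": 100}


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # multiple of 4096, 32768 by default (32769 = 32768 + VLAN 1)
    mac: str        # base MAC in IOS dotted form, e.g. "000a.8ac0.5280"

    @property
    def bridge_id(self):
        # Lower wins: priority first, then the base MAC compared numerically.
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Link:
    """One segment: port a_port on bridge a <-> port b_port on bridge b."""
    a: str
    a_port: int
    b: str
    b_port: int
    speed: str


def elect_roles(bridges, links):
    """Return (root_name, roles); roles[bridge][port] is 'RP', 'DP' or 'NDP'."""
    by_name = {b.name: b for b in bridges}

    # Step 1: the bridge with the lowest Bridge ID becomes the root.
    root = min(bridges, key=lambda b: b.bridge_id).name

    adj = {b.name: [] for b in bridges}   # bridge -> [(neighbor, cost, local_port, remote_port)]
    for l in links:
        c = PATH_COST[l.speed]
        adj[l.a].append((l.b, c, l.a_port, l.b_port))
        adj[l.b].append((l.a, c, l.b_port, l.a_port))

    # Root path cost of every bridge (Dijkstra from the root). A bridge advertises
    # this value as the "sending path cost" in the BPDUs it relays.
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c, _, _ in adj[u]:
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                heapq.heappush(heap, (d + c, v))

    roles = {b.name: {} for b in bridges}

    # Step 2: each non-root bridge picks exactly one root port. Tie-break order:
    # total path cost, sender Bridge ID, sender Port ID, own Port ID.
    for b in bridges:
        if b.name == root:
            continue
        if b.name not in cost:
            raise ValueError(f"{b.name} has no path to the root")
        _, local = min(
            ((cost[n] + c, by_name[n].bridge_id, remote, local), local)
            for n, c, local, remote in adj[b.name]
        )
        roles[b.name][local] = "RP"

    # Step 3: each segment gets one designated port: the end with the lowest
    # sending path cost, then the lowest Bridge ID, then the lowest Port ID.
    for l in links:
        ends = [(cost[l.a], by_name[l.a].bridge_id, l.a_port, l.a),
                (cost[l.b], by_name[l.b].bridge_id, l.b_port, l.b)]
        _, _, port, bridge = min(ends)
        assert roles[bridge].get(port) != "RP"   # a root port is never the designated end
        roles[bridge][port] = "DP"

    # Step 4: every remaining port is non-designated and stays Blocking.
    for l in links:
        roles[l.a].setdefault(l.a_port, "NDP")
        roles[l.b].setdefault(l.b_port, "NDP")
    return root, roles


# Constructed topology. sw01 and sw02 carry the two MACs shown in the post's
# "show spanning-tree" output; sw03's MAC is made up for this example.
BRIDGES = [
    Bridge("sw01", 32769, "000a.8ac0.5280"),
    Bridge("sw02", 32769, "000a.8ace.2d80"),
    Bridge("sw03", 32769, "000a.8ac1.0000"),
]
LINKS = [
    Link("sw01", 1, "sw02", 1, "100M"),
    Link("sw01", 2, "sw03", 1, "100M"),
    Link("sw02", 2, "sw03", 2, "100M"),   # the redundant link; one end must block
]

if __name__ == "__main__":
    root, roles = elect_roles(BRIDGES, LINKS)
    print("Root bridge:", root)
    for name, ports in roles.items():
        print(name, {f"Fa0/{p}": r for p, r in sorted(ports.items())})
```

With this topology sw01 wins the root election on its lower MAC, sw02 and sw03 each take port 1 as root port, and on the redundant sw02-sw03 segment the designated end is sw03 (lower Bridge ID), leaving sw02's port 2 as the blocking non-designated port, which is exactly the "Fa0/2 Altn BLK" row in the show spanning-tree output further down.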
---------------------------------------------------
BPDU(Bridge Protocol Data Unit)
Sent every 2 seconds by default
Bridge ID = Bridge Priority (default 32768) + MAC Address (Base MAC Address)
---------------------------------------------------
PVST+ Extended Bridge ID
Bridge Priority: 4 bits
Extended System ID: 12 bits
MAC Address: 48 bits
---------------------------------------------------
Port States (a port ends up either Forwarding or Blocking)

Link comes up (Down -> Up) ---> Blocking ---+
                                            |
Blocking (loss of BPDU detected,            |
          Max Age = 20 s) ------------------+
                                            v
                                        Listening
                                            |  (Forward Delay = 15 s)
                                            v
                                        Learning
                                            |  (Forward Delay = 15 s)
                                            v
                                        Forwarding
See this diagram:
https://d1hx5100zal7gj.cloudfront.net/images/stories/ccnp-tshoot/ch-4-1-switching/cisco-ccnp-tshoot-switching-6.jpg
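The state diagram above as a small clock-driven simulation, added here as an example (not code from the original post). A port ages the last BPDU it heard while Blocking and starts converging once Max Age expires, then spends one Forward Delay each in Listening and Learning; the portfast flag models the edge-port behaviour from the PortFast section further down, where the port goes straight to Forwarding on link-up. Port names and event times are constructed.

```python
"""
802.1D port state machine: Disabled -> Blocking -> Listening -> Learning -> Forwarding,
driven by a one-second clock. Added example written for this note; not code from the post.
"""
MAX_AGE = 20        # seconds without a BPDU before a Blocking port starts converging
FORWARD_DELAY = 15  # seconds spent in Listening, then again in Learning


class StpPort:
    def __init__(self, name, portfast=False):
        self.name = name
        self.portfast = portfast      # edge port: skips Listening/Learning on link-up
        self.state = "Disabled"       # not taking part in STP until the link comes up
        self.timer = None             # seconds left in Listening/Learning, None when idle
        self.since_last_bpdu = 0      # age of the last BPDU heard while Blocking
        self.history = []             # (time, state) for every transition

    def _enter(self, now, state, timer=None):
        self.state, self.timer = state, timer
        self.history.append((now, state))

    def link_up(self, now):
        # PortFast ports go straight to Forwarding; everything else starts Blocking.
        self.since_last_bpdu = 0
        self._enter(now, "Forwarding" if self.portfast else "Blocking")

    def link_down(self, now):
        self._enter(now, "Disabled")

    def selected(self, now):
        """Elected Root or Designated port: leave Blocking and start the forward delay."""
        if self.state == "Blocking":
            self._enter(now, "Listening", FORWARD_DELAY)

    def bpdu_received(self, now):
        self.since_last_bpdu = 0

    def tick(self, now, seconds=1):
        """Advance the clock; `now` is the time at the end of this step."""
        if self.state == "Blocking":
            self.since_last_bpdu += seconds
            if self.since_last_bpdu >= MAX_AGE:       # loss of BPDU detected
                self._enter(now, "Listening", FORWARD_DELAY)
        elif self.timer is not None:
            self.timer -= seconds
            if self.timer <= 0:
                if self.state == "Listening":
                    self._enter(now, "Learning", FORWARD_DELAY)
                elif self.state == "Learning":
                    self._enter(now, "Forwarding")

    def can_forward_data(self):
        return self.state == "Forwarding"


def run(port, events, until):
    """Apply (time, event_name) pairs at their second, ticking one second at a time."""
    pending = sorted(events)
    for t in range(until):
        while pending and pending[0][0] == t:
            _, ev = pending.pop(0)
            getattr(port, ev)(t)
        port.tick(t + 1)
    return port.history


def time_to_forwarding(history):
    """Second at which the port first reached Forwarding, or None."""
    return next((t for t, s in history if s == "Forwarding"), None)


if __name__ == "__main__":
    # Constructed scenarios: an elected port, a blocking port whose upstream goes quiet,
    # a PortFast edge port, and a blocking port that keeps hearing BPDUs every 2 s.
    scenarios = {
        "elected on link-up": (StpPort("Fa0/1"), [(0, "link_up"), (0, "selected")]),
        "blocking, BPDUs stop": (StpPort("Fa0/2"), [(0, "link_up")]),
        "PortFast edge port": (StpPort("Fa0/11", portfast=True), [(0, "link_up")]),
        "blocking, BPDUs keep coming": (
            StpPort("Fa0/2"), [(0, "link_up")] + [(t, "bpdu_received") for t in range(0, 60, 2)]),
    }
    for label, (port, events) in scenarios.items():
        hist = run(port, events, 60)
        print(f"{label}: forwarding after {time_to_forwarding(hist)} s; {hist}")
```

The numbers it produces are the ones that matter for convergence: an elected port needs 2 x 15 = 30 s, a blocking port that loses its upstream needs 20 + 15 + 15 = 50 s, an edge port with PortFast needs 0 s, and a blocking port that keeps receiving BPDUs never moves.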
---------------------------------------------------
sw02#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000a.8ac0.5280
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000a.8ace.2d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p
===============================================================
sw02(config)#spanning-tree vlan 1 priority 2
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440
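Added example (not code from the post) showing how the 2-byte priority field is built from the 4-bit Bridge Priority and the 12-bit Extended System ID described above, why the CLI only accepts multiples of 4096, and how to pull the Root ID and Bridge ID out of the show spanning-tree output shown earlier to decide whether the switch is the root. The embedded output is the sw02 capture from above; the function names are my own.

```python
"""
Extended Bridge ID arithmetic (4-bit priority + 12-bit system ID + 48-bit MAC) and a
parser for IOS "show spanning-tree" output. Added example; not code from the post.
"""
import re

PRIORITY_STEP = 4096                                        # 4 priority bits -> 16 values
ALLOWED_PRIORITIES = list(range(0, 65536, PRIORITY_STEP))   # 0, 4096, ..., 61440


def extended_priority(priority, vlan):
    """PVST+ priority field: configured priority (top 4 bits) | VLAN as sys-id-ext (low 12 bits)."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"Bridge Priority must be in increments of {PRIORITY_STEP}")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return priority | vlan


def split_priority(value):
    """Inverse of extended_priority: 32769 -> (32768, 1)."""
    return value & 0xF000, value & 0x0FFF


def bridge_id_bytes(priority, vlan, mac):
    """The 8-byte Bridge ID as carried in a BPDU: 2-byte priority field + 6-byte base MAC."""
    return extended_priority(priority, vlan).to_bytes(2, "big") + bytes.fromhex(mac.replace(".", ""))


# Output shown earlier in the post for sw02 (VLAN 1).
SHOW_SPANNING_TREE = """\
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000a.8ac0.5280
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000a.8ace.2d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p
"""

PORT_ROW = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+(\d+)\.(\d+)\s+(.*)$")


def parse_show_spanning_tree(text):
    """Return {vlan: {...}} with protocol, root/bridge IDs, root cost and port, and the port table."""
    vlans, cur, section = {}, None, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse IOS column padding
        if not line:
            continue
        if re.fullmatch(r"VLAN\d{4}", line):
            cur = vlans[line] = {"root": {}, "bridge": {}, "ports": []}
            continue
        if cur is None:
            continue
        if m := re.match(r"Spanning tree enabled protocol (\w+)", line):
            cur["protocol"] = m.group(1)
        elif m := re.match(r"Root ID Priority (\d+)", line):
            section = "root"
            cur["root"]["priority"] = int(m.group(1))
        elif m := re.match(r"Bridge ID Priority (\d+)", line):
            section = "bridge"
            cur["bridge"]["priority"] = int(m.group(1))
        elif section and (m := re.match(r"Address (\S+)", line)):
            cur[section]["address"] = m.group(1)
        elif m := re.match(r"Cost (\d+)", line):
            cur["root"]["cost"] = int(m.group(1))
        elif m := re.match(r"Port \d+ \((\S+)\)", line):
            cur["root"]["port"] = m.group(1)
        elif m := PORT_ROW.match(line):
            name, role, sts, cost, prio, nbr, ptype = m.groups()
            cur["ports"].append({"name": name, "role": role, "state": sts, "cost": int(cost),
                                 "priority": int(prio), "number": int(nbr), "type": ptype})
    for v in vlans.values():
        # The switch is the root when its own Bridge ID equals the Root ID it advertises.
        v["is_root"] = v["root"].get("address") == v["bridge"].get("address")
        v["bridge"]["base_priority"], v["bridge"]["sys_id_ext"] = split_priority(v["bridge"]["priority"])
    return vlans


if __name__ == "__main__":
    info = parse_show_spanning_tree(SHOW_SPANNING_TREE)["VLAN0001"]
    print("is root:", info["is_root"], "| root port:", info["root"].get("port"),
          "| cost to root:", info["root"].get("cost"))
    print("bridge priority", info["bridge"]["priority"], "=", split_priority(info["bridge"]["priority"]))
    print("BPDU bridge ID:", bridge_id_bytes(32768, 1, info["bridge"]["address"]).hex())
    try:
        extended_priority(2, 1)
    except ValueError as err:
        print("rejected:", err)
```

Because the VLAN number lives in the low 12 bits, a priority of 32768 for VLAN 1 shows up as 32769 and for VLAN 2 as 32770, and any configured value that is not a multiple of 4096 would overlap the system-ID bits, which is why the switch rejects "priority 2".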
===============================================================
sw02(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
sw02(config-if)#spanning-tree portfast   (for a port connected to a single end device, PortFast is recommended)
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast has been configured on FastEthernet0/1 but will only
have effect when the interface is in a non-trunking mode.
If the interface forms a trunk, PortFast has no effect
===============================================================
802.1D PVST (IEEE)
802.1W RSTP
===============================================================
Root and Secondary bridges (can be used to steer traffic flows)
sw01(config)#spanning-tree vlan 1 root primary
sw01(config)#spanning-tree vlan 2 root secondary
sw02(config)#spanning-tree vlan 2 root primary
sw02(config)#spanning-tree vlan 1 root secondary
sw02#show running-config | include spanning
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1 priority 28672
spanning-tree vlan 2 priority 24576
This can also be typed as:
sw02(config)#spanning-tree vlan 1 priority 4096
sw02(config)#spanning-tree vlan 2 priority 0
*Base Mac Address
Switch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
Image text-base: 0x80010000, data-base: 0x80562000
ROM: Bootstrap program is is C2950 boot loader
Switch uptime is 4 minutes, 49 seconds
System returned to ROM by power-on
Cisco WS-C2950-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
Processor board ID FHK0610Z0WC
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
63488K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 0060.70C3.0333
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC061004SZ
Power supply serial number: DAB0609127D
Model revision number: C0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FHK0610Z0WC
Configuration register is 0xF
Switch#show interfaces vlan 1
Vlan1 is up, line protocol is up
Hardware is CPU Interface, address is 0060.70c3.0333 (bia 0060.70c3.0333)
Internet address is 10.1.1.1/24
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 21:40:21, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1682 packets input, 530955 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
563859 packets output, 0 bytes, 0 underruns
0 output errors, 23 interface resets
0 output buffer failures, 0 output buffers swapped out
(On other versions or models, the VLAN 1 interface address is not necessarily the Base MAC Address)
Speeding up Spanning Tree convergence
1. PortFast (tuning for edge ports)
Interface mode
SW3750G(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
Global mode
SW3750G(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.
Check whether PortFast is enabled
SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 detail
Port 11 (GigabitEthernet1/0/11) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.11.
Designated root has priority 32769, address 000a.8ac0.5280
Designated bridge has priority 32769, address 0016.9d99.3e80
Designated port id is 128.11, designated path cost 19
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
BPDU: sent 110, received 0
SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 portfast
VLAN0001 enabled
SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 detail
Port 11 (GigabitEthernet1/0/11) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.11.
Designated root has priority 32769, address 000a.8ac0.5280
Designated bridge has priority 32769, address 0016.9d99.3e80
Designated port id is 128.11, designated path cost 19
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 129, received 0
SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 portfast
VLAN0001 disabled
2. Rapid Spanning Tree (802.1W), backward compatible with 802.1D (tuning for non-edge ports)
SW3750G(config)#spanning-tree mode rapid-pvst
SW3750G#show spann
*Mar 1 00:07:48.713: %SYS-5-CONFIG_I: Configured from console by console
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 000a.8ac0.xxxx
Cost 19
Port 1 (GigabitEthernet1/0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0016.9d99.xxxx
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Root FWD 19        128.1    P2p
Gi1/0/2             Altn BLK 19        128.2    P2p
Fa1/0/11            Desg FWD 19        128.13   Edge P2p   (this port has PortFast configured)
Gi1/0/12            Desg BLK 19        128.12   P2p
3. Root and Secondary bridges (steering traffic flows)
sw01(config)#spanning-tree vlan 1 root primary
sw01(config)#spanning-tree vlan 2 root secondary
sw02(config)#spanning-tree vlan 2 root primary
sw02(config)#spanning-tree vlan 1 root secondary
* When two switches are connected back to back, the Cisco 3750's default trunk mode is dynamic auto, so the port that ends up Blocking shows an amber LED; after it is manually changed to trunk, it turns green.
BPDU Guard
Prevents an unauthorized switch from being connected to the switch: when a port configured with BPDU Guard detects a BPDU packet, that port is shut down. Note that if the attached switch runs 802.1D and is not the Root Bridge, the port will not be shut down!
For example, if I plug my own switch into the company network, the port will not be shut down even though BPDU Guard is configured, because that switch does not send BPDUs, even if it is a Cisco 2950 series switch.
Configuration is as follows:
Switch#configure terminal
Switch(config)#interface fastEthernet 1/0/11
Switch(config-if)#spanning-tree bpduguard enable
When the attached device sends a BPDU, the port is shut down immediately
06:03:49: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/11 with BPDU Guard enabled. Disabling port.
06:03:49: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
06:03:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
06:03:51: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down
Switch#show interfaces fastEthernet 1/0/11
FastEthernet1/0/11 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet, address is 000d.282a.068d (bia 000d.282a.068d)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:55, output 00:00:55, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4471 packets input, 463723 bytes, 0 no buffer
Received 2373 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 2366 multicast, 0 pause input
0 input packets with dribble condition detected
15672 packets output, 1305013 bytes, 0 underruns
0 output errors, 0 collisions, 9 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Because the port is err-disabled, the errdisable recovery feature mentioned earlier can be used to bring it back automatically
Switch(config)#errdisable recovery cause bpduguar
Switch(config)#errdisable recovery interval 30   (recovery time in seconds)
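A defender-side check over the log lines above, added as an example (not code from the post): it pairs the BPDU Guard block message with the err-disable event for the same port and, given the configured errdisable recovery interval, works out when the port is expected to come back. The log sample is the four lines from the post plus one unrelated constructed line the parser must ignore; interface names are normalised because IOS writes FastEthernet1/0/11 in one message and Fa1/0/11 in the next.

```python
"""
Parse IOS syslog lines for BPDU Guard events, group them per port and compute the
errdisable recovery time. Added example written for this note; not code from the post.
"""
import re
from datetime import datetime, timedelta

# Four lines from the post plus one constructed, unrelated line (the last one).
SAMPLE_LOG = """\
06:03:49: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/11 with BPDU Guard enabled. Disabling port.
06:03:49: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
06:03:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
06:03:51: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down
06:04:02: %SYS-5-CONFIG_I: Configured from console by console
"""

# Accepts both "06:03:49: ..." and "*Mar 1 00:07:48.713: ..." style timestamps seen in the post.
TIMESTAMP = re.compile(r"^(?:\*?\w{3}\s+\d+\s+)?(\d{2}:\d{2}:\d{2})(?:\.\d+)?: (.*)$")
BLOCK = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\w+) error detected on (\S+), putting")
LINK_DOWN = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to down")

SHORT_NAMES = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}


def short_ifname(name):
    """Normalise long IOS interface names to the short form used in other messages."""
    for long, short in SHORT_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_log(text):
    """Return [(time, kind, port, detail)] for the BPDU Guard related lines only."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMP.match(line.strip())
        if not m:
            continue
        ts, msg = m.group(1), m.group(2)
        if b := BLOCK.search(msg):
            events.append((ts, "bpduguard_block", short_ifname(b.group(1)), None))
        elif e := ERR_DISABLE.search(msg):
            events.append((ts, "err_disable", short_ifname(e.group(2)), e.group(1)))
        elif d := LINK_DOWN.search(msg):
            events.append((ts, "link_down", short_ifname(d.group(1)), None))
    return events


def summarize(events, recovery_interval=None):
    """Per port: when BPDU Guard fired, whether err-disable followed, and the expected recovery time."""
    ports = {}
    for ts, kind, port, detail in events:
        p = ports.setdefault(port, {"bpdu_guard_at": None, "err_disabled": False,
                                    "cause": None, "recovery_at": None})
        if kind == "bpduguard_block":
            p["bpdu_guard_at"] = ts
        elif kind == "err_disable":
            p["err_disabled"], p["cause"] = True, detail
            if recovery_interval is not None:
                t = datetime.strptime(ts, "%H:%M:%S") + timedelta(seconds=recovery_interval)
                p["recovery_at"] = t.strftime("%H:%M:%S")
    return ports


if __name__ == "__main__":
    # 30 s matches the "errdisable recovery interval 30" line above.
    for port, info in summarize(parse_log(SAMPLE_LOG), recovery_interval=30).items():
        print(port, info)
```

A port that shows a bpduguard_block event without a matching err_disable entry is worth a second look: either the log is incomplete or the port is not in the expected err-disabled state, which is the condition the show interfaces output above confirms.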