
Spanning-tree

STP port states
Forwarding
Sends and receives data frames
Sends and receives BPDUs

Blocking
Does not forward data frames (and does not learn MAC addresses)
Receives BPDUs but does not send them

Disabled
Does not participate in STP (the port is administratively down)


Problems a Layer 2 loop causes (what STP exists to prevent):
Broadcast storms
Multiple frame transmission (the same frame delivered more than once)
MAC database instability (the same source MAC flapping between ports)
---------------------------------------------------

Spanning-Tree
Loop-prevention protocol; the standard is IEEE 802.1D
---------------------------------------------------

Role election
1. First elect the Root Bridge (the lowest Bridge ID wins); every other switch is a Nonroot Bridge
*Priority ties are broken by the lower Base MAC address, which you can look up with show version
*Only the Root Bridge originates BPDUs; nonroot bridges relay them out of their Designated Ports

2. Every Nonroot Bridge must elect exactly one Root Port
The RP is the port with the best path to the Root Bridge
The RP is in the Forwarding state
Selected by, in order:
 *Lowest total path cost to the root (Path Cost: 10G=2, 1G=4, 100M=19, 10M=100)
 *Lowest sender Bridge ID
 *Lowest sender Port ID (port priority.port number), then the receiver's own Port ID

3. Each Segment (a link between two switch ports) elects one Designated Port
The DP sends BPDUs onto the segment
The DP is in the Forwarding state
Selected by, in order:
 *Lowest root path cost advertised by the sending bridge
 *Lowest Bridge ID
 *Lowest Port ID

4. Everything left over is a Nondesignated Port
NDPs are the ports that received no other role
NDPs are in the Blocking state
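The election above, as an added example written for this page (not code from the original post or from Cisco): a Python model of 802.1D/PVST+ role election on a constructed three-switch topology. Switch names, MAC addresses and link speeds are made up; the model shows the extended Bridge ID comparison, the root-path-cost and Bridge ID tie-breakers, and what lowering SW1's priority to 24576 (what `spanning-tree vlan 1 root primary` normally sets) changes.

```python
"""802.1D / PVST+ role election on a constructed topology.

Added example, not code from the original page: bridge names, MAC addresses
and link speeds below are made up to exercise each tie-breaker."""
from collections import namedtuple

# 802.1D-1998 short path costs per link speed in Mbit/s (the table on the page)
PATH_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}
INF = float("inf")

Link = namedtuple("Link", "a pa b pb mbps")  # switch a port pa <-> switch b port pb


def bridge_id(priority, vlan, mac):
    """PVST+ extended Bridge ID as one comparable 64-bit integer:
    4-bit priority | 12-bit sys-id-ext (the VLAN) | 48-bit base MAC.
    Lower wins every election, which is why priority is compared first."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("Bridge Priority must be in increments of 4096")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def decode_bridge_id(bid):
    """Split a Bridge ID the way `show spanning-tree` prints it:
    (priority, sys-id-ext, 'xxxx.xxxx.xxxx')."""
    top = bid >> 48
    mac = "%012x" % (bid & ((1 << 48) - 1))
    return top & 0xF000, top & 0x0FFF, ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def port_id(number, priority=128):
    """16-bit Port ID: 8-bit port priority (default 128) . port number."""
    return (priority << 8) | number


def elect(bridges, links):
    """Return (root name, root path cost per bridge, {bridge: {port: role}}).

    Each non-root bridge keeps the best priority vector it has heard:
    (root path cost, sender Bridge ID, sender Port ID, receiving Port ID),
    compared lexicographically in the order 802.1D uses once the root is
    known. Offers are relayed until nothing changes, like BPDU propagation."""
    root = min(bridges, key=bridges.get)
    best = {n: (0, bridges[n], 0, 0) if n == root else (INF, 0, 0, 0) for n in bridges}
    changed = True
    while changed:
        changed = False
        for l in links:
            for snd, sp, rcv, rp in ((l.a, l.pa, l.b, l.pb), (l.b, l.pb, l.a, l.pa)):
                if rcv == root or best[snd][0] == INF:
                    continue
                offer = (best[snd][0] + PATH_COST[l.mbps], bridges[snd], port_id(sp), port_id(rp))
                if offer < best[rcv]:
                    best[rcv] = offer
                    changed = True

    roles = {n: {} for n in bridges}
    for n in bridges:
        if n != root:                      # receiving port of the best vector is the Root Port
            roles[n][best[n][3] & 0xFF] = "Root"
    for l in links:                        # one Designated Port per segment
        va = (best[l.a][0], bridges[l.a], port_id(l.pa))
        vb = (best[l.b][0], bridges[l.b], port_id(l.pb))
        if va < vb:
            d_sw, d_port, n_sw, n_port = l.a, l.pa, l.b, l.pb
        else:
            d_sw, d_port, n_sw, n_port = l.b, l.pb, l.a, l.pa
        roles[d_sw][d_port] = "Designated"
        roles[n_sw].setdefault(n_port, "Blocking")   # anything left over is Nondesignated
    return root, {n: best[n][0] for n in bridges}, roles


# Constructed sample: three switches at the default priority 32768 on VLAN 1.
SWITCHES = {
    "SW1": bridge_id(32768, 1, "0000.0000.000a"),
    "SW2": bridge_id(32768, 1, "0000.0000.0002"),
    "SW3": bridge_id(32768, 1, "0000.0000.0001"),   # lowest MAC -> root by default
}
LINKS = [
    Link("SW1", 1, "SW2", 1, 1_000),   # cost 4
    Link("SW1", 2, "SW3", 1, 100),     # cost 19
    Link("SW2", 2, "SW3", 2, 100),     # cost 19
]

if __name__ == "__main__":
    for name, bid in SWITCHES.items():
        print("%s: priority %d (priority %d sys-id-ext %d) address %s"
              % ((name, bid >> 48) + decode_bridge_id(bid)))
    root, cost, roles = elect(SWITCHES, LINKS)
    print("root:", root, "costs:", cost, "roles:", roles)
    # Lowering SW1's priority to 24576 makes it win regardless of MAC address
    forced = dict(SWITCHES, SW1=bridge_id(24576, 1, "0000.0000.000a"))
    print("root after SW1 priority 24576:", elect(forced, LINKS)[0])
```

With the default priorities SW3 wins on MAC alone; SW1 and SW2 both reach it at cost 19 directly, and the SW1-SW2 segment tie at cost 19 goes to SW2 because its Bridge ID is lower, which leaves SW1 port 1 Blocking. Changing only SW1's priority moves the root and the blocked port without touching any link.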
---------------------------------------------------

BPDU (Bridge Protocol Data Unit)
Sent every 2 seconds by default (the Hello Time)
Bridge ID = Bridge Priority (default 32768) + MAC Address (the Base MAC Address)
---------------------------------------------------
PVST+ Extended Bridge ID
Bridge Priority: 4 bits
Extended System ID: 12 bits (the VLAN number, which is why VLAN 1 shows priority 32769 = 32768 + 1)
MAC Address: 48 bits
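To make those fields concrete, an added example (not from the original page): a decoder for an IEEE 802.1D Configuration BPDU that splits each Bridge ID into priority, sys-id-ext and MAC. Both frames are constructed; the first reuses the root ID, cost and timers from the page's `show spanning-tree` output, the second is what a freshly connected switch at priority 0 would announce. PVST+ BPDUs carry the same fields inside a SNAP/Cisco-OUI encapsulation, which this example does not parse.

```python
"""Decode an IEEE 802.1D Configuration BPDU and split its Bridge IDs.

Added example, not from the original page. Both frames below are constructed;
timers are carried in units of 1/256 s, so 0x0200 is the 2 s Hello Time."""
import struct

# Config BPDU body after the 3-byte LLC header: proto, version, type, flags,
# root ID (priority field + MAC), root path cost, bridge ID, port ID, 4 timers
CONFIG_BPDU = struct.Struct(">HBBBH6sIH6sHHHHH")   # 35 bytes

# Constructed: what the page's sw02 (000a.8ace.2d80) would send on its
# designated port 128.1, cost 19 away from root 32769/000a.8ac0.5280
SAMPLE_BPDU = bytes.fromhex(
    "424203"                    # LLC: DSAP 0x42, SSAP 0x42, control 0x03 (UI)
    "0000" "00" "00" "00"       # protocol 0, version 0, type 0x00 Configuration, flags 0
    "8001" "000a8ac05280"       # root ID: priority 32768 + sys-id-ext 1, MAC
    "00000013"                  # root path cost 19
    "8001" "000a8ace2d80"       # sender bridge ID
    "8001"                      # port ID 128.1
    "0100" "1400" "0200" "0f00" # message age 1 s, max age 20 s, hello 2 s, fwd delay 15 s
)
# Constructed: a just-connected switch at priority 0 claiming to be root (cost 0)
ROGUE_BPDU = bytes.fromhex(
    "424203" "0000" "00" "00" "00"
    "0001" "000000000001" "00000000"
    "0001" "000000000001" "8001"
    "0000" "1400" "0200" "0f00"
)


def mac_str(raw):
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def split_bridge_id(prio_field, raw_mac):
    """PVST+ extended Bridge ID: top 4 bits priority (multiple of 4096),
    low 12 bits sys-id-ext (VLAN), then the 48-bit MAC."""
    return {"priority": prio_field & 0xF000, "sys_id_ext": prio_field & 0x0FFF, "mac": mac_str(raw_mac)}


def bridge_id_value(prio_field, raw_mac):
    """Comparable 64-bit Bridge ID; the lower value wins the root election."""
    return (prio_field << 48) | int.from_bytes(raw_mac, "big")


def decode_bpdu(frame):
    """Parse a BPDU in an LLC frame. Raises ValueError for anything else."""
    if frame[:3] != b"\x42\x42\x03":
        raise ValueError("not an STP LLC frame")
    body = frame[3:]
    if len(body) < 4:
        raise ValueError("truncated BPDU")
    proto, version, btype = struct.unpack(">HBB", body[:4])
    if proto != 0:
        raise ValueError("unknown protocol id %#x" % proto)
    if btype == 0x80:                       # Topology Change Notification: no further fields
        return {"type": "TCN", "version": version}
    if btype != 0x00 or len(body) < CONFIG_BPDU.size:   # 0x02 would be an RSTP BPDU
        raise ValueError("unsupported or truncated BPDU type %#x" % btype)
    f = CONFIG_BPDU.unpack(body[:CONFIG_BPDU.size])
    return {
        "type": "Configuration", "version": version,
        "topology_change": bool(f[3] & 0x01), "tc_ack": bool(f[3] & 0x80),
        "root": split_bridge_id(f[4], f[5]), "root_bid": bridge_id_value(f[4], f[5]),
        "root_path_cost": f[6],
        "bridge": split_bridge_id(f[7], f[8]), "bridge_bid": bridge_id_value(f[7], f[8]),
        "port_id": "%d.%d" % (f[9] >> 8, f[9] & 0xFF),
        "message_age": f[10] / 256, "max_age": f[11] / 256,
        "hello_time": f[12] / 256, "forward_delay": f[13] / 256,
        # a switch that just came up announces itself as root at cost 0
        "claims_root": f[4:6] == f[7:9] and f[6] == 0,
    }


def is_superior_root(bpdu, current_root_bid):
    """True if accepting this BPDU would move the root: the rogue frame above
    beats every default-priority bridge, which is why an access port that
    receives any BPDU at all is worth shutting down (BPDU Guard, below)."""
    return bpdu["type"] == "Configuration" and bpdu["root_bid"] < current_root_bid


if __name__ == "__main__":
    seen = decode_bpdu(SAMPLE_BPDU)
    print(seen["root"], seen["root_path_cost"], seen["port_id"], seen["hello_time"])
    rogue = decode_bpdu(ROGUE_BPDU)
    print("rogue claims root:", rogue["claims_root"],
          "superior:", is_superior_root(rogue, seen["root_bid"]))
```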

---------------------------------------------------
Port States (a port settles in either Forwarding or Blocking)

Link comes up (Down -> Up)
      |
      v
  Blocking ----(loss of BPDUs detected: Max Age = 20 s)----+
      |                                                    |
      v                                                    |
  Listening  (Forward Delay = 15 s) <----------------------+
      |
      v
  Learning   (Forward Delay = 15 s)
      |
      v
  Forwarding

A newly connected port goes Blocking -> Listening -> Learning -> Forwarding (30 s).
A port that was Blocking and has to take over after an indirect failure first waits
Max Age without hearing a BPDU, so 802.1D needs up to 20 + 15 + 15 = 50 s to bring it
to Forwarding.

See this diagram:
https://d1hx5100zal7gj.cloudfront.net/images/stories/ccnp-tshoot/ch-4-1-switching/cisco-ccnp-tshoot-switching-6.jpg
---------------------------------------------------

sw02#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000a.8ac0.5280
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000a.8ace.2d80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

===============================================================
sw02(config)#spanning-tree vlan 1 priority 2
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440
===============================================================
sw02(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.

sw02(config-if)#spanning-tree portfast   (recommended on a port that connects to a single end host)
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/1 but will only
 have effect when the interface is in a non-trunking mode.

If the interface forms a trunk, PortFast does not take effect (as the message says, it only applies in non-trunking mode)
===============================================================

802.1D  STP (IEEE); PVST/PVST+ is Cisco's per-VLAN implementation (spanning-tree mode pvst)
802.1w  RSTP (IEEE); Rapid PVST+ is Cisco's per-VLAN implementation (spanning-tree mode rapid-pvst)
===============================================================
Root and Secondary bridges (can be used to steer traffic: a different root per VLAN)


sw01(config)#spanning-tree vlan 1 root primary
sw01(config)#spanning-tree vlan 2 root secondary


sw02(config)#spanning-tree vlan 2 root primary
sw02(config)#spanning-tree vlan 1 root secondary


sw02#show running-config | include spanning
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1 priority 28672
spanning-tree vlan 2 priority 24576

Setting the priority explicitly works just as well (root primary and root secondary are macros that pick 24576 and 28672, or a lower value when that is not enough; any multiple of 4096 lower than every other bridge's does the job):
sw02(config)#spanning-tree vlan 1 priority 4096


sw02(config)#spanning-tree vlan 2 priority 0




*Base MAC Address (the MAC portion of the Bridge ID; read it from show version)

Switch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 18-May-05 22:31 by jharirba
Image text-base: 0x80010000, data-base: 0x80562000

ROM: Bootstrap program is is C2950 boot loader
Switch uptime is 4 minutes, 49 seconds
System returned to ROM by power-on

Cisco WS-C2950-24 (RC32300) processor (revision C0) with 21039K bytes of memory.
Processor board ID FHK0610Z0WC
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

63488K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 0060.70C3.0333
Motherboard assembly number: 73-5781-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC061004SZ
Power supply serial number: DAB0609127D
Model revision number: C0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FHK0610Z0WC
Configuration register is 0xF

Switch#show interfaces vlan 1
Vlan1 is up, line protocol is up
Hardware is CPU Interface, address is 0060.70c3.0333 (bia 0060.70c3.0333)
Internet address is 10.1.1.1/24
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 21:40:21, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1682 packets input, 530955 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
563859 packets output, 0 bytes, 0 underruns
0 output errors, 23 interface resets
0 output buffer failures, 0 output buffers swapped out
(Depending on IOS version or model, the VLAN 1 interface MAC is not necessarily the Base MAC Address)

Speeding up Spanning Tree convergence

1. PortFast (edge-port tuning)

Per interface:

SW3750G(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

Global mode

SW3750G(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.

Checking whether PortFast is enabled:


SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 detail
 Port 11 (GigabitEthernet1/0/11) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.11.
   Designated root has priority 32769, address 000a.8ac0.5280
   Designated bridge has priority 32769, address 0016.9d99.3e80
   Designated port id is 128.11, designated path cost 19
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 110, received 0

SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 portfast
VLAN0001            enabled


SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 detail
 Port 11 (GigabitEthernet1/0/11) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.11.
   Designated root has priority 32769, address 000a.8ac0.5280
   Designated bridge has priority 32769, address 0016.9d99.3e80
   Designated port id is 128.11, designated path cost 19
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 129, received 0

SW3750G#show spanning-tree interface gigabitEthernet 1/0/11 portfast
VLAN0001            disabled


2. Rapid Spanning Tree (802.1w), backward compatible with 802.1D (non-edge port tuning)

SW3750G(config)#spanning-tree mode rapid-pvst
SW3750G#show spann
*Mar  1 00:07:48.713: %SYS-5-CONFIG_I: Configured from console by console

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     000a.8ac0.xxxx
             Cost        19
             Port        1 (GigabitEthernet1/0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0016.9d99.xxxx
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1             Root FWD 19        128.1    P2p
Gi1/0/2             Altn BLK 19        128.2    P2p
Fa1/0/11         Desg FWD 19        128.13   Edge P2p   (this port has PortFast, so RSTP treats it as an Edge port)
Gi1/0/12            Desg BLK 19        128.12   P2p


3. Root and Secondary bridges (traffic steering, as shown above)

sw01(config)#spanning-tree vlan 1 root primary
sw01(config)#spanning-tree vlan 2 root secondary


sw02(config)#spanning-tree vlan 2 root primary
sw02(config)#spanning-tree vlan 1 root secondary


* When two switches are connected back to back, because the Cisco 3750 trunk default is dynamic auto, the port that ends up Blocking lights amber; after manually setting the port to trunk it turns green.




BPDU Guard

Prevents an unauthorized switch from being attached to a switch port: when a port with BPDU Guard enabled detects a BPDU, the port is shut down (placed in err-disable). Be aware that the guard only fires on a received BPDU. Under 802.1D a nonroot bridge sends BPDUs only from its Designated Ports, never from its Root Port, so once the attached switch has accepted your uplink as its root port it sends nothing toward you and the port stays up. BPDU Guard reliably catches a switch that announces itself as root or whose port toward you is designated, but it is not a guarantee that every attached switch is detected.

For example, when I plugged my own switch into the company network, even though BPDU Guard was configured, the port was not shut down because that switch was not sending BPDUs, even though it was a Cisco 2950-series switch.

Configuration:

Switch#configure terminal
Switch(config)#interface fastEthernet 1/0/11
Switch(config-if)#spanning-tree bpduguard enable

As soon as the attached device sends a BPDU, the port is shut down:
06:03:49: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/11 with BPDU Guard enabled. Disabling port.
06:03:49: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
06:03:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
06:03:51: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down
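The messages above are what a SOC would watch for. As an added example (not from the original page), a small parser that turns IOS syslog into per-port BPDU Guard events and flags ports that keep tripping. The first four sample lines are the page's own log; the recovery line and the repeat are constructed to show what a rogue switch that stays plugged in looks like once errdisable recovery is on, and the %PM-4-ERR_RECOVER text is assumed to follow the IOS format for that message.

```python
"""Detect BPDU Guard trips (rogue switch on an access port) from IOS syslog.

Added example, not from the original page. Sample lines: four from the page,
the rest constructed (the %PM-4-ERR_RECOVER text is an assumption)."""
import re
from collections import defaultdict

PATTERNS = {
    "bpdu_guard": re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard enabled"),
    "err_disable": re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"),
    "recover": re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) err-disable state on (?P<port>\S+)"),
}
TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)")   # uptime-style "06:03:49:" prefix as on the page
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "Ethernet": "Et"}

# Constructed sample: the page's lines, then a recovery 30 s later and the same
# port tripping again because the offending switch is still attached.
SAMPLE_LOG = """\
06:03:49: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/11 with BPDU Guard enabled. Disabling port.
06:03:49: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
06:03:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/11, changed state to down
06:03:51: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to down
06:04:21: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa1/0/11
06:04:23: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet1/0/11 with BPDU Guard enabled. Disabling port.
06:04:23: %PM-4-ERR_DISABLE: bpduguard error detected on Fa1/0/11, putting Fa1/0/11 in err-disable state
"""


def normalize_port(name):
    """IOS logs the same port as FastEthernet1/0/11 and Fa1/0/11; use the short form."""
    for long, short in SHORT.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_line(line):
    """Return {'ts', 'event', 'port', 'cause'} for a line we care about, else None."""
    for event, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            ts = TS_RE.match(line)
            secs = None
            if ts:
                h, mi, s = map(int, ts.groups())
                secs = h * 3600 + mi * 60 + s
            return {"ts": secs, "event": event,
                    "port": normalize_port(m["port"]),
                    "cause": m.groupdict().get("cause", "bpduguard")}
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def repeat_offenders(events, min_hits=2, window=600):
    """Ports err-disabled at least min_hits times within window seconds.
    With errdisable recovery on, a port that keeps re-tripping means the
    offending switch is still attached: recovery alone will not fix it."""
    hits = defaultdict(list)
    for e in events:
        if e["event"] == "err_disable" and e["ts"] is not None:
            hits[e["port"]].append(e["ts"])
    out = {}
    for port, times in hits.items():
        times.sort()
        for i, t in enumerate(times):
            n = sum(1 for u in times[i:] if u - t <= window)
            if n >= min_hits:
                out[port] = max(out.get(port, 0), n)
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(e)
    print("repeat offenders:", repeat_offenders(events))
```

The err-disable message carries the cause, so the same parser also sees other causes (the loopback case from the other post on this blog, for instance); only the BPDU Guard trip is matched by name here.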


Switch#show interfaces fastEthernet 1/0/11
FastEthernet1/0/11 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 000d.282a.068d (bia 000d.282a.068d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:55, output 00:00:55, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4471 packets input, 463723 bytes, 0 no buffer
     Received 2373 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2366 multicast, 0 pause input
     0 input packets with dribble condition detected
     15672 packets output, 1305013 bytes, 0 underruns
     0 output errors, 0 collisions, 9 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


Because the port is err-disabled, the errdisable recovery feature mentioned earlier can bring it back automatically:

Switch(config)#errdisable recovery cause bpduguard
Switch(config)#errdisable recovery interval 30   (recovery time in seconds; the default is 300 and 30 is the minimum)


