Common Cisco STP Configuration Commands & Examples
VTP Gotchas
Erasing a switch with the erase startup-config command will not erase the VTP config, which is stored in a separate file in flash. To completely erase the switch, including the VTP config, you also need to use the delete flash:vlan.dat command.
SW2#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Another gotcha with VTP is the way an unconfigured switch behaves when connected to an existing topology with VTP running. An unconfigured switch has a VTP domain name of null; when it is connected to a network where a VTP domain name has been set, it configures itself with that same domain name. If you then try to configure the new switch with that same domain name, you get the message shown below:
SW2(config)#vtp domain foopowered
Domain name already set to foopowered.
Influencing the STP Topology
Using BPDU Guard
BPDU guard stops an interface, or multiple interfaces, from accepting any BPDUs from other switches. Using BPDU guard you can prevent other switches from becoming the root bridge, and therefore influence the STP topology. When a BPDU is received on a switch interface configured with BPDU guard, the switch will disable the port and place it into an err-disabled state. When this happens the following will be written to the console:
00:10:49: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/9 with BPDU Guard enabled. Disabling port.
00:10:49: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/9, putting Fa0/9 in err-disable state
00:10:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/9, changed state to down
00:10:51: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to down
And using the show interface command will display the interface in an err-disabled state:
FastEthernet0/9 is down, line protocol is down (err-disabled)
Interfaces can be recovered manually or by setting an automatic recovery interval. To recover manually, first shut down the interface with shutdown, then run no shutdown to bring it back up. To set an automatic recovery interval use the following commands:
SW1(config)#errdisable recovery cause bpduguard
SW1(config)#errdisable recovery interval 180
Where 180 is the time interval in seconds. When the automatic recovery interval is configured and a port is brought back up, the following will be logged to the console:
00:23:20: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/9
00:23:24: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up
BPDU guard can be enabled globally by using the spanning-tree portfast bpduguard command from global configuration mode; this will enable BPDU guard on all PortFast interfaces. BPDU guard can also be enabled at a per-interface level using the interface config mode command spanning-tree bpduguard enable.
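One way to watch for the BPDU guard events described above, as an added example that is not part of the original page: the script correlates the BLOCK_BPDUGUARD and ERR_RECOVER messages per port and counts ports that trip again shortly after automatic recovery, which suggests the device sending BPDUs is still attached. The function name, the 60-second window and the extra log lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the page's BPDU guard messages, plus a second trip on
# Fa0/9 right after auto-recovery and a single trip on Fa0/3.
SAMPLE_LOG = """\
00:10:49: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/9 with BPDU Guard enabled. Disabling port.
00:10:49: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/9, putting Fa0/9 in err-disable state
00:23:20: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/9
00:23:24: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up
00:23:26: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/9 with BPDU Guard enabled. Disabling port.
00:23:26: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/9, putting Fa0/9 in err-disable state
00:31:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/3 with BPDU Guard enabled. Disabling port.
"""

# uptime timestamp, then %FACILITY-SEVERITY-MNEMONIC, then the message text
LINE = re.compile(r"^(\d+):(\d+):(\d+): %([A-Z_]+-\d-[A-Z_]+): (.*)$")
PORT = re.compile(r"\b(FastEthernet|GigabitEthernet|Fa|Gi)(\d+(?:/\d+)*)")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}


def bpduguard_report(log, retrip_window=60):
    """Return {port: {"trips": n, "retrips": n}}.

    A re-trip is a BPDU guard hit within retrip_window seconds of an
    ERR_RECOVER attempt on the same port (window size is an assumption).
    """
    stats = defaultdict(lambda: {"trips": 0, "retrips": 0})
    last_recover = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        now = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
        mnemonic, text = m.group(4), m.group(5)
        pm = PORT.search(text)
        if not pm:
            continue
        # The same port is logged as FastEthernet0/9 and Fa0/9; use the short form.
        port = SHORT.get(pm.group(1), pm.group(1)) + pm.group(2)
        if mnemonic == "SPANTREE-2-BLOCK_BPDUGUARD":
            stats[port]["trips"] += 1
            if port in last_recover and now - last_recover[port] <= retrip_window:
                stats[port]["retrips"] += 1
        elif mnemonic == "PM-4-ERR_RECOVER" and "bpduguard" in text:
            last_recover[port] = now
    return dict(stats)
```

A port with a non-zero retrips count is a candidate for manual investigation rather than further automatic recovery.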
Using Manually Configured Interface Cost
STP uses interface costs to evaluate the best path to the root bridge. The switch adds the cost value listed in a received Hello to the STP interface cost assigned to that same interface. By manually setting a lower interface cost than the interface type's default, you can force STP to use a specific interface as the root port. For example, in the lab we have 2 switches with 3 trunk interfaces, all of the same type; STP with default configuration will use the lowest numbered interface to reach the root bridge. By changing the interface cost on interface fastethernet 0/12 we force STP to use it as the root port:
SW1#configure terminal
SW1(config)#interface fastethernet 0/12
SW1(config-if)#spanning-tree cost 1
[truncated for brevity]
SW1(config)#show spanning-tree
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 100 128.4 Shr
Fa0/9 Altn BLK 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Root FWD 1 128.12 P2p
As you can see in the command output the root port is Fa0/12 with a cost of 1.
Using STP Priority Commands
You can force a particular switch to have a lower priority than other switches on a per-VLAN basis in one of two ways. The first method is to use the spanning-tree vlan x root primary global configuration command. This command changes the switch's base priority to:
- 24,576, if the current root has a base priority higher than 24,576.
- If the current root's base priority is 24,576 or lower then the switch will set its priority to 4096 lower than the root's priority.
Below is the output of show spanning-tree on a non-root switch when the other switch has been configured with the root primary command. As you can see, the Root ID Priority (the bridge priority + VLAN) has changed to 24,676:
VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 24676
Address 000a.8ab9.7e40
Cost 19
Port 9 (FastEthernet0/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000a.8ab9.7ac0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
The second method is to use the spanning-tree vlan x priority x command, where you specifically set the priority value using increments of 4096.
SW1(config)#spanning-tree vlan 1 priority 4096
SW1(config)#show spanning-tree
[truncated for brevity]
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 000a.8ab9.7e40
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 4097 (priority 4096 sys-id-ext 1)
Address 000a.8ab9.7e40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Here you can see the priority has updated to 4097. You may be asking why it is 4097 when we set it to 4096. The reason is that the Bridge Priority is combined with the VLAN value, in this case 1, to create the Bridge ID Priority.
There is a third command, spanning-tree vlan x root secondary, which will set the switch's base priority to 28,672 regardless of the current root's priority.
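The priority arithmetic above can be used to audit which bridge is root in each VLAN. The following is an added example, not part of the original page: it parses show spanning-tree output, splits each Root ID Priority into base priority and sys-id-ext, and compares the root address with the one you expect. The function names, the expected-root mapping and the error raised at the bottom of the priority range are assumptions.

```python
import re

# Constructed sample in the page's "show spanning-tree" layout (non-root switch).
SAMPLE = """\
VLAN0001
  Root ID    Priority    4097
             Address     000a.8ab9.7e40
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000a.8ab9.7ac0
VLAN0100
  Root ID    Priority    24676
             Address     000a.8ab9.7e40
  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     000a.8ab9.7ac0
"""

def split_priority(value):
    """Split a Bridge ID priority into (base priority, sys-id-ext)."""
    return value & 0xF000, value & 0x0FFF

def root_primary_priority(root_base):
    """Base priority the page's 'root primary' rule picks against root_base."""
    if root_base > 24576:
        return 24576
    lower = root_base - 4096
    if lower < 4096:  # assumption: no usable value left, treat as an error
        raise ValueError("current root priority is too low to undercut")
    return lower

def audit_roots(output, expected_root):
    """Return {vlan: finding}; 'expected' is False when the root MAC differs."""
    findings, vlan, section = {}, None, None
    for line in output.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"VLAN(\d{4})", line):
            vlan, section = int(m.group(1)), None
        elif m := re.match(r"Root ID\s+Priority\s+(\d+)", line):
            base, ext = split_priority(int(m.group(1)))
            findings[vlan] = {"base": base, "ext_ok": ext == vlan}
            section = "root"
        elif line.startswith("Bridge ID"):
            section = "bridge"  # the next Address line is the local bridge
        elif section == "root" and (m := re.match(r"Address\s+(\S+)", line)):
            mac = m.group(1).lower()
            ok = mac == expected_root.get(vlan, "").lower()
            findings[vlan].update(root_mac=mac, expected=ok)
    return findings
```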
Load Balancing with Per-VLAN Spanning Tree (PVST) and Rapid Per-VLAN Spanning Tree (RPVST)
To configure Per-VLAN Spanning Tree (PVST) use the global configuration command spanning-tree mode pvst. To configure Rapid Per-VLAN Spanning Tree (RPVST) use the global configuration command spanning-tree mode rapid-pvst.
When using either PVST or RPVST you can control what ports are in forwarding and blocking states on a per VLAN basis. This allows you to force specific VLAN traffic over one path/interface and another VLAN over another. This is done by using the interface configuration command spanning-tree vlan x cost x. In the example below we'll make VLAN 100 use interface Fa0/12 instead of Fa0/9, by setting the cost from 19 to 10, making interface Fa0/12 the better interface.
Before the change:
SW2#show spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 4097
Address 000a.8ab9.7e40
Cost 19
Port 9 (FastEthernet0/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000a.8ab9.7ac0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/9 Root FWD 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Altn BLK 19 128.12 P2p
VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 24676
Address 000a.8ab9.7e40
Cost 19
Port 9 (FastEthernet0/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000a.8ab9.7ac0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Root FWD 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Altn BLK 19 128.12 P2p
Now we change the interface cost:
SW2#configure terminal
SW2(config)#interface fastethernet 0/12
SW2(config-if)#spanning-tree vlan 100 cost 10
And now you can see the Root Port for VLAN0100 has changed to Fa0/12, while on VLAN0001 the Root Port remains Fa0/9:
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 4097
Address 000a.8ab9.7e40
Cost 19
Port 9 (FastEthernet0/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000a.8ab9.7ac0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/9 Root FWD 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Altn BLK 19 128.12 P2p
VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 24676
Address 000a.8ab9.7e40
Cost 10
Port 12 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000a.8ab9.7ac0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Altn BLK 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Root FWD 10 128.12 P2p
Show Commands
These are some of the show commands available for viewing STP configuration and troubleshooting.
Show spanning-tree root will show the Root ID for each VLAN, the root cost, STP Timers and the Root Port.
SW1#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- ------ ----- --- --- ----------------
VLAN0001 4097 000a.8ab9.7e40 0 2 20 15
VLAN0056 32824 000a.8ab9.7ac0 19 2 20 15 Fa0/9
VLAN0100 32868 000a.8ab9.7ac0 19 2 20 15 Fa0/9
Show spanning-tree bridge will show you the bridge ID for each VLAN, STP timers and the protocol.
SW1#show spanning-tree bridge
Hello Max Fwd
Vlan Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
VLAN0001 4097 ( 4096, 1) 000a.8ab9.7e40 2 20 15 rstp
VLAN0056 32824 (32768, 56) 000a.8ab9.7e40 2 20 15 rstp
VLAN0100 32868 (32768, 100) 000a.8ab9.7e40 2 20 15 rstp
Show spanning-tree summary will show you some additional information including the port states.
SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0001
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 0 0 0 6 6
VLAN0056 2 0 0 1 3
VLAN0100 2 0 0 1 3
---------------------- -------- --------- -------- ---------- ----------
3 vlans 4 0 0 8 12
A handy debug for use with STP is debug spanning-tree events. Also enabling the logging spanning-tree events at the interface level can be handy.
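The per-VLAN root ports from the load balancing section can be checked from saved show spanning-tree output. This is an added example, not part of the original page: it extracts the root port for each VLAN from the interface rows and reports uplinks that carry more than one VLAN, run here over the SW2 rows before and after the cost change. The function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed samples: interface rows from the page's SW2 output, before and
# after "spanning-tree vlan 100 cost 10" on Fa0/12.
VLAN1 = """\
VLAN0001
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/9 Root FWD 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Altn BLK 19 128.12 P2p
"""
BEFORE = VLAN1 + """\
VLAN0100
Fa0/9 Root FWD 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Altn BLK 19 128.12 P2p
"""
AFTER = VLAN1 + """\
VLAN0100
Fa0/9 Altn BLK 19 128.9 P2p
Fa0/10 Altn BLK 19 128.10 P2p
Fa0/12 Root FWD 10 128.12 P2p
"""

# Interface row: name, role, state, cost, prio.nbr, type
ROW = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(\w{3})\s+(\d+)\s+\d+\.\d+\s+\S")


def root_ports(output):
    """Return {vlan: (root_port, cost)} from 'show spanning-tree' interface rows."""
    result, vlan = {}, None
    for line in output.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"VLAN(\d{4})", line):
            vlan = int(m.group(1))
        elif (m := ROW.match(line)) and m.group(2) == "Root":
            result[vlan] = (m.group(1), int(m.group(4)))
    return result


def shared_uplinks(output):
    """Return {port: [vlans]} for ports that are root port for several VLANs."""
    by_port = defaultdict(list)
    for vlan, (port, _cost) in root_ports(output).items():
        by_port[port].append(vlan)
    return {port: vlans for port, vlans in by_port.items() if len(vlans) > 1}
```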
Example STP Operations
With rapid-pvst enabled on the switch, I shut down the other side of the EtherChannel, which was the current root port. RPVST detects the link going down, moves the EtherChannel from forwarding to disabled and moves the alternate port from blocking to forwarding in less than 1 second:
01:28:54: %SPANTREE-6-PORT_STATE: Port Po2 instance 1 moving from forwarding to disabled
01:28:54: %SPANTREE-6-PORT_STATE: Port Po1 instance 1 moving from blocking to forwarding
01:28:54: %SPANTREE-7-PORTDEL_SUCCESS: Port-channel2 deleted from Vlan 1
01:28:54: %SPANTREE-6-PORT_STATE: Port Po2 instance 3 moving from forwarding to disabled
01:28:54: %SPANTREE-6-PORT_STATE: Port Po1 instance 3 moving from blocking to forwarding
01:28:54: %SPANTREE-7-PORTDEL_SUCCESS: Port-channel2 deleted from Vlan 3
SW3#
01:28:54: %SPANTREE-6-PORT_STATE: Port Po2 instance 4 moving from forwarding to disabled
01:28:54: %SPANTREE-6-PORT_STATE: Port Po1 instance 4 moving from blocking to forwarding
01:28:54: %SPANTREE-7-PORTDEL_SUCCESS: Port-channel2 deleted from Vlan 4
01:28:54: %SPANTREE-6-PORT_STATE: Port Po2 instance 5 moving from forwarding to disabled
SW3#
01:28:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/45, changed state to down
01:28:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/46, changed state to down
01:28:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel2, changed state to down
SW3#
01:28:56: %LINK-3-UPDOWN: Interface FastEthernet0/45, changed state to down
01:28:56: %LINK-3-UPDOWN: Interface Port-channel2, changed state to down
01:28:56: %LINK-3-UPDOWN: Interface FastEthernet0/46, changed state to down
When running STP or PVST you need to note the following behaviour:
- If the RP interface goes down, STP will move the ALT/DP directly to the Listening state, bypassing the MAX AGE timer. It does this because there is no way it could receive a Hello BPDU over the interface. The time for convergence when this happens is 30 seconds.
- One way to view the MAX AGE timer at work is to use the spanning-tree bpdufilter enable command on the opposite end of the RP interface. This will stop the switch from receiving BPDUs from the Root Bridge while leaving the interface in an up/up state; therefore the MAX AGE timer will take effect and the entire convergence will take 50 seconds. Use the debug spanning-tree bpdu command to view the BPDUs being sent and received.




