Saturday, October 14, 2023

Be on Guard This Spooky Spanning Tree Season


It’s Halloween — a time for an excessive amount of candy, scary movies, kids in fun costumes, and plenty of tricks and treats. As I thought about what to write for my blog this month, I quickly landed on one of the scariest things for every network engineer: SPANNING TREE!!!! That’s right… can anything else bring the same level of dread and cold sweats as the potential for a bridging loop?!

Fear not. With some good practical design and configuration practices, spanning tree doesn’t have to be scary. However, even the best engineers (or reasonably decent ones like myself) can overlook a best practice or two. Let me set the spooky scene for you…

It was a dark and stormy night…

The following anecdote took place about three or four years ago when I was part of the DevNet Sandbox team. We had recently stood up a new data center for hosting labs, and I had returned home from California after spending a few weeks onsite, standing up the network and systems at the data center. I was feeling pretty good about how well things had gone, particularly the speed and efficiency with which we were able to bring things online, thanks to a heavy amount of automation and programmability. In hindsight, I should have known something was going to go wrong…

I think the first sign that there might be a problem in the network was when I noticed my remote connection into the new location started to get really laggy. I even got disconnected from some servers. It would clear up fairly quickly. But when the issues repeated several times, I started to wonder what the cause might be.

I checked other monitoring systems. Intermittent network issues had recently started showing up: slow response from systems, occasional disconnects that would clear up fairly quickly, that kind of thing. Nothing overly drastic, but they definitely were symptoms that indicated something might not be completely healthy in the network. I began to poke around a bit more. Eventually, I stumbled across a few things that pointed to a possible issue somewhere in the layer 2 parts of the network.

It was quite a while ago, so the details are a little fuzzy. I think I was on one of the top-of-rack Nexus 9000 switches in a hardware hosting rack when syslog messages hit the terminal about MAC flapping occurring. Now, MACs will move around a network occasionally. However, a flapping MAC address happens when a switch sees it changing back and forth between two ports. This isn’t normal. It often points to a network loop — something spanning tree is supposed to prevent from happening.

Here is an example syslog message related to MAC flapping:

*Apr 5 18:17:43.242 GMT: %SW_MATM-4-MACFLAP_NOTIF: Host d8e6.a5cd.3f41 in vlan 61 is flapping between port Ethernet1/23 and port Ethernet1/24

After a bit more troubleshooting, I also noticed that the network was reconverging spanning tree, changing the root bridge over and over. This was definitely a problem. Even “rapid” spanning tree convergence is noticeable to network users who find themselves waiting for a port to transition to forwarding after ports change state.
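As an added example that is not part of the original post, here is a small Python detector that runs over syslog lines in the MACFLAP_NOTIF format quoted above. It groups flap events by VLAN and port pair, treating the pair as order-independent, and flags a pair as a suspected bridging loop only when several distinct MACs flap between the same two ports repeatedly, which separates a loop from a single host that legitimately moved. The sample log lines after the first one, the thresholds, and the function names are my own constructions, not output from the author’s network.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog. The first line mirrors the format quoted in the post;
# the rest are made up to show repeated flaps across two MACs on one port pair
# (a loop signature), one benign single flap on another pair, and an unrelated message.
SAMPLE_SYSLOG = """\
*Apr 5 18:17:43.242 GMT: %SW_MATM-4-MACFLAP_NOTIF: Host d8e6.a5cd.3f41 in vlan 61 is flapping between port Ethernet1/23 and port Ethernet1/24
*Apr 5 18:17:44.101 GMT: %SW_MATM-4-MACFLAP_NOTIF: Host d8e6.a5cd.3f41 in vlan 61 is flapping between port Ethernet1/24 and port Ethernet1/23
*Apr 5 18:17:45.377 GMT: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.1b2c in vlan 61 is flapping between port Ethernet1/23 and port Ethernet1/24
*Apr 5 18:17:46.002 GMT: %SW_MATM-4-MACFLAP_NOTIF: Host d8e6.a5cd.3f41 in vlan 61 is flapping between port Ethernet1/23 and port Ethernet1/24
*Apr 5 18:18:02.910 GMT: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.9f9f in vlan 200 is flapping between port Ethernet1/5 and port Ethernet1/6
*Apr 5 18:18:03.000 GMT: %LINK-3-UPDOWN: Interface Ethernet1/30, changed state to up
"""

# Field layout of the MACFLAP_NOTIF message as shown in the post.
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_macflaps(text):
    """Yield (mac, vlan, frozenset{port_a, port_b}) for every MACFLAP_NOTIF line.
    The port pair is order-independent, so A<->B and B<->A land in the same bucket."""
    for line in text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:
            yield m["mac"], int(m["vlan"]), frozenset((m["p1"], m["p2"]))


def suspected_loops(text, min_macs=2, min_events=3):
    """Return port pairs that look like a bridging loop: at least `min_events`
    flap messages involving at least `min_macs` distinct MACs on the same
    (vlan, port pair). Thresholds are assumptions; tune them to your log volume."""
    events = Counter()
    macs = defaultdict(set)
    for mac, vlan, ports in parse_macflaps(text):
        key = (vlan, ports)
        events[key] += 1
        macs[key].add(mac)
    result = []
    for (vlan, ports), n in events.items():
        if n >= min_events and len(macs[(vlan, ports)]) >= min_macs:
            result.append({"vlan": vlan, "ports": sorted(ports),
                           "events": n, "macs": sorted(macs[(vlan, ports)])})
    return sorted(result, key=lambda r: (r["vlan"], r["ports"]))


if __name__ == "__main__":
    for hit in suspected_loops(SAMPLE_SYSLOG):
        print(f"VLAN {hit['vlan']}: {hit['events']} flaps of {len(hit['macs'])} MACs "
              f"between {hit['ports'][0]} and {hit['ports'][1]} -> check for a loop")
```

Run against the sample, only the VLAN 61 pair is reported; the single VLAN 200 message stays below both thresholds. In practice the text would be fed from a syslog collector rather than an inline string.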

Discover how Loop Detection Guard prevents network loops on Catalyst 9000 switches. Read “Preventing Network Loops! A Feature You Must Be Aware Of” now.

Enough of the trick already, Hank… where’s the treat?

Long story short, the root of the problem (pun TOTALLY intended) was a new physical switch that was being added to the network for one of the hardware labs we were setting up.

The new switch hadn’t been fully configured for its new role yet, and the upstream switches it was connected to already had their ports enabled in preparation for the new lab gear being added. The lab topology had several ports connected between this new switch and the data center fabric for different purposes and networks, but none of the final configuration had been applied yet. There were actually some remnants of old configuration on the switch, which resulted in the bridging loop and the MACFLAP log messages.

Additionally, this switch had previously served as the spanning tree root in another network and had a lower (i.e., better) priority than the actual spanning-tree root in our data center. Between connections being made/removed, ports getting errdisabled for various reasons, and other instabilities, the root was bouncing between this new switch and the main distribution switches in the data center every couple of minutes.

I was able to quickly stop the problems by shutting down the ports connected to this new switch until it was correctly configured and ready to be made an active part of the network. So, problem solved… kinda.

The bigger problem was that I had missed the critical spanning tree design and best practices in the configuration step of bringing the new data center network up and online. Had I remembered my fundamentals, this problem wouldn’t have happened: the network would have automatically blocked ports that were behaving in unexpected ways.

You’re NOT root: Preventing unexpected root bridges with root guard

Consider this very simple triangle of switches as a quick review of the importance of the root bridge in a spanning-tree network.

Switches connected together with layer 2 links use BPDUs (bridge protocol data units) to learn about each other and determine where the “root” of the spanning tree will be located. The switch that has the best (i.e., lowest) priority becomes root. With the root bridge identified, switches begin the process of breaking loops in the network by blocking ports that spanning tree identifies as having the worst priority on redundant links.

A full discussion of the spanning-tree process for building the tree is out of scope for this blog post. It’s a critical topic for network engineers to know, so I might return to spanning tree in future blog posts. If you’d like to dive deeper into the topic now, check out our CCNA and ENCOR courses.

The process of electing the root bridge and converging on a loop-free network can take tens of seconds to even a minute (or more) in large networks, depending on which version of spanning tree is used and how well the network is designed. During convergence, the network prevents bridging loops by defaulting to blocking traffic on ports. This can result in significant disruption to any users and applications that are actively using the network. Remember in my example above how my network access had gotten “laggy” and my connections had even been dropped? As long as the root bridge remains stable and does NOT change, adding a new switch to a network is a non-disruptive activity.

So, how does a network engineer prevent the root bridge from changing in the network? I’m glad you asked.

Identifying the root bridge for the network

The first step is to look at the network design and identify which switch makes the most logical sense to be the root, explicitly configuring it to have the best (i.e., lowest) priority. Here, I configure my root switch to run rapid per-VLAN spanning tree (rapid-pvst) and set the priority to 16384.

root#show run | sec spanning

spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 16384


root#show span

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
             Address     5254.000e.dde8
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16385  (priority 16384 sys-id-ext 1)
             Address     5254.000e.dde8
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Desg FWD 4         128.4    P2p

Note: With “per-VLAN spanning-tree,” every VLAN has its own spanning tree built. The priority of each bridge is the configured priority plus the VLAN number (the sys-id-ext shown above). So for VLAN 1, the priority is 16384+1, or 16385.

If we look at the spanning-tree state on one of the other switches in the network, we can confirm the root bridge and the creation of a loop-free network.

switch-1#show span

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
             Address     5254.000e.dde8
             Cost        4
             Port        2 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.0017.ae37
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Altn BLK 4         128.4    P2p

switch-1#show cdp neighbors gigabitEthernet 0/1

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
root             Gig 0/1           146             R S I            Gig 0/1

If you compare the address of the root bridge shown on switch-1 to the output above from root, you will see that the Address and Priority of the root bridge match. Also, notice that interface Gi0/1 has the role of “Root” — this is the interface on the switch that has the best path back to the root bridge. And as the CDP output shows, it’s actually directly connected to the root.

Preventing a new root on the block… err, network

Identifying an intended root bridge for your network is great, but it doesn’t prevent a newly added switch from causing trouble.

Think back to my anecdote, where a switch that had previously been configured as the root in another network was being added to our network. While it could be argued that it’s best practice and critical to clear old configuration from a switch before adding it to the network, the reality is… things like this happen. You need to engineer a network to handle events like this.

First, let’s see what happens to the spanning-tree network when bad-root is cabled into the network without any additional configuration protecting the spanning-tree network.

switch-1#show span

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     5254.001e.82a2
             Cost        4
             Port        1 (GigabitEthernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.0017.ae37
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    P2p
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Altn BLK 4         128.4    P2p

switch-1#show cdp neighbors gigabitEthernet 0/0

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
bad-root         Gig 0/0           154             R S I            Gig 0/1

Total cdp entries displayed : 1

Notice how the address and priority of the root bridge have changed, and that port Gi0/0 is now the “Root” port for switch-1. This is definitely not what we’d want to happen if a bad-root were connected to the network.

Bringing out the Guard… root guard, that is

We can leverage root guard to prevent this from happening. Root guard is one of the “optional spanning-tree features” that really shouldn’t be considered “optional” in most network designs.

As a network engineer, you should be able to look at your network and know which port “should be” the root port on each switch. Then consider the redundancy that you’ve built into the network and identify which port should become the root port if the primary port were to have problems. Every other port on each switch should never become the root port. Those are the ports that should be configured with root guard.

Note: The root bridge in a network has NO root ports, as it is the root of the tree. Therefore ALL PORTS of the root bridge should have root guard enabled.
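The rule in the two paragraphs above (guard every port that is neither the intended root port nor its designated backup, and every port on the root bridge itself) is easy to encode so that the port list is derived rather than picked by hand. The following Python is an added example, not the author’s tooling: the switch names and the switch-1 port roles follow the outputs on this page, while the switch-2 roles and the full port inventories are assumptions, and it deliberately guards more than the single port the post configures next because that is what the stated rule yields.

```python
# Intended root for this network and, for every other switch, the port that
# should be its root port plus the one allowed to take over if that link fails.
# Names follow the page's outputs (switch-1 Gi0/1 is its root port, Gi0/3 its
# alternate toward the root via switch-2); switch-2 roles and the full port
# inventories below are assumptions made for this example.
INTENDED_ROOT = "root"

ROOT_PATHS = {
    "switch-1": {"primary": "GigabitEthernet0/1", "backup": "GigabitEthernet0/3"},
    "switch-2": {"primary": "GigabitEthernet0/1", "backup": "GigabitEthernet0/3"},
}

SWITCH_PORTS = {
    "root":     ["GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"],
    "switch-1": ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"],
    "switch-2": ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"],
}


def root_guard_ports(switch, ports, root_paths=ROOT_PATHS, intended_root=INTENDED_ROOT):
    """Ports on `switch` that must never become the root port, i.e. the ones to
    protect with root guard. The root bridge has no root port, so all of its ports qualify."""
    if switch == intended_root:
        return list(ports)
    if switch not in root_paths:
        raise KeyError(f"no root path defined for {switch}; refusing to guess")
    allowed = {root_paths[switch]["primary"], root_paths[switch]["backup"]}
    missing = allowed - set(ports)
    if missing:
        # A typo here would silently leave the real root port unguarded or guard it by
        # mistake, so fail loudly instead of emitting config.
        raise ValueError(f"{switch}: root path port(s) {sorted(missing)} not in port list")
    return [p for p in ports if p not in allowed]


def render_root_guard_config(switch, ports, **kw):
    """IOS-style configuration snippet applying root guard to the selected ports."""
    lines = []
    for p in root_guard_ports(switch, ports, **kw):
        lines += [f"interface {p}", " spanning-tree guard root"]
    return "\n".join(lines)


if __name__ == "__main__":
    for sw, ports in SWITCH_PORTS.items():
        print(f"! {sw}")
        print(render_root_guard_config(sw, ports))
```

For switch-1 this yields Gi0/0 (the link to bad-root) and Gi0/2, and for root it yields every port, matching the note above. Applying the generated snippet is left to whatever configuration push mechanism you already use.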

Now we’ll go ahead and enable root guard on interface Gig0/0 on both switch-1 and switch-2.

switch-1(config)#interface gigabitEthernet 0/0
switch-1(config-if)#spanning-tree guard root 

*Oct 13 15:06:28.893: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/0.
*Oct 13 15:06:28.909: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0001. 

And look at that. As soon as it’s enabled, we see syslog messages indicating that root guard has begun blocking the port. If we check the status of spanning tree on switch-1, we can verify that the root of the spanning tree has returned to the correct root switch.

switch-1#show span

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    16385
             Address     5254.000e.dde8
             Cost        4
             Port        2 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.0017.ae37
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg BKN*4         128.1    P2p *ROOT_Inc
Gi0/1               Root FWD 4         128.2    P2p
Gi0/2               Desg LRN 4         128.3    P2p
Gi0/3               Altn BLK 4         128.4    P2p

There’s one other command that’s helpful to know when troubleshooting spanning-tree ports that aren’t behaving as expected:

switch-1#show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet0/0       Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

Take the scare out of spooky spanning tree with knowledge

Hopefully, this post helps to lower your heart rate a little the next time you think about making changes that might impact your spanning-tree network. But I also hope it shows you, as a network engineer, the importance of recalling the fundamental skills and knowledge you have learned as you move on to more specialized areas of networking. I was definitely kicking myself when I realized that I had completely missed ensuring that our spanning-tree network was well-designed and protected from unexpected or unintended changes.

While no one wants a network outage or even a minor disruption, they will happen. What’s important is that we learn from them, and become better network engineers for it.

Do you have a spooky network ghost story from your own work as a network engineer? Ever had a scary encounter with a network outage or problem that taught you a lesson you’ll never forget? Share them in the comments. Trick or treat!

Some helpful links for digging deeper into spanning tree:

If you’d like to dive deeper into this topic, I pulled a few links together for you.
