It’s Halloween — a time for an excessive amount of sweet, scary films, youngsters in enjoyable costumes, and many methods and treats. As I thought of what to jot down for my weblog this month, I rapidly went to one of many scariest issues for each community engineer: SPANNING TREE!!!! That’s proper… can something else deliver the identical degree of dread and chilly sweats because the potential for a bridging loop?!
Concern not. With a bit of excellent sensible design and configuration practices, spanning tree doesn’t must be scary. Nonetheless, even the most effective engineers (or reasonably first rate ones like myself) can neglect a finest observe or two. Let me set the spooky scene for you…
It was a darkish and stormy evening…
The next anecdote passed off about three or 4 years in the past after I was a part of the DevNet Sandbox crew. We had just lately stood up a brand new information heart for internet hosting labs, and I had returned residence from California after spending a number of weeks onsite, standing up the community and methods on the information heart. I used to be feeling fairly good about how nicely issues had gone. Significantly, the velocity and effectivity we had been capable of deliver issues on-line, due to a heavy quantity of automation and programmability. On reflection, I ought to have recognized one thing was going to go flawed…
I believe the primary signal there could be an issue within the community was after I observed my distant connection into the brand new location began to get actually laggy. I even bought disconnected from some servers. It will clear up pretty rapidly. However when the problems repeated a number of occasions, I began to marvel what could be the trigger.
I checked different monitoring methods. Intermittent community points had just lately began exhibiting up; gradual response from methods, occasional disconnects that will clear up pretty rapidly, that form of factor. Nothing overly drastic, however they definitely had been signs that indicated one thing won’t be completely wholesome within the community. I started to poke round a bit extra. Finally, I stumbled throughout a couple of issues that pointed to a attainable subject someplace within the layer 2 elements of the community.
It was fairly some time in the past, so the main points are a bit of fuzzy. I believe I used to be on one of many high of rack Nexus 9000 switches in a {hardware} internet hosting rack when syslog messages hit the terminal about MAC flapping occurring. Now, MACs will transfer round a community often. Nonetheless, a flapping MAC handle occurs when a swap sees it altering backwards and forwards between two ports. This isn’t regular. It usually factors to a community loop — one thing spanning tree is meant to forestall from occurring.
Right here is an instance syslog message associated to MAC Flapping:
After a bit extra troubleshooting, I additionally observed that the community was reconverging spanning tree, altering the foundation bridge time and again. This was undoubtedly an issue. Even “speedy” spanning tree convergence is noticeable to community customers who discover themselves ready for a port to transition to forwarding after ports change state.
Discover how Loop Detection Guard prevents community loops on Catalyst 9000 switches. Learn “Stopping Community Loops! A Characteristic You Have to be Conscious of” now.
Sufficient of the trick already, Hank… the place’s the deal with?
Lengthy story brief, the foundation of the issue (pun TOTALLY supposed) was a brand new bodily swap that was being added to the community for one of many {hardware} labs we had been establishing.
The brand new swap hadn’t been totally configured for its new function but, and the upstream switches it was linked to already had the ports enabled in preparation for the brand new lab gear being added. The lab topology had a number of ports linked between this new swap and the information heart material for various functions and networks, however not one of the ultimate configuration had been utilized but. There have been really some remnants of previous configuration utilized to the swap, which resulted within the bridging loop and MACFLAP log messages.
Moreover, this swap had beforehand served because the spanning tree root in a earlier community and had a decrease (i.e., higher) precedence than the precise spanning-tree root in our information heart. Between connections being made/eliminated, ports getting errdisabled for various causes, and different instabilities, the foundation was bouncing between this new swap and the primary distribution switches within the information heart each couple of minutes.
I used to be capable of rapidly cease the issues from occurring by shutting down the ports linked to this new swap till it was accurately configured and able to be made an lively a part of the community. So, drawback solved… kinda.
The larger drawback was that I had missed the vital spanning tree design and finest practices for the configuration step in bringing the brand new information heart community up and on-line. Had I remembered my fundamentals, this drawback wouldn’t have occurred: The community would have mechanically blocked ports that had been behaving in sudden methods.
You might be NOT root: Stopping sudden root bridges with root guard
Take into account this quite simple triangle of switches as a fast overview of the significance of the foundation bridge in a spanning-tree community.
Switches linked along with layer 2 hyperlinks use BPDUs (bridge protocol information models) to study one another and decide the place the “root” of the spanning tree will likely be positioned. The swap that has the most effective (i.e., lowest) precedence turns into root. With the foundation bridge recognized, switches start the method of breaking loops within the community by blocking ports that spanning tree identifies as having the worst precedence on redundant hyperlinks.
A full dialogue on the spanning-tree course of for constructing the tree is out of scope for this weblog submit. It’s a vital matter for community engineers to know, so I would return to spanning tree in future weblog posts. In case you’d wish to dive deeper into the subject now, take a look at our CCNA and ENCOR programs.
The method of electing the foundation bridge and converging on a loop-free community can take tens of seconds to even a minute (or extra) in massive networks, relying on which model of spanning tree is used and the way nicely the community is designed. Throughout the strategy of convergence, the community prevents bridging loops by defaulting to blocking site visitors on ports. This can lead to vital disruption to any customers and functions which might be actively utilizing the community. Bear in mind in my instance above, how my community entry had gotten “laggy” and my connections had even turn out to be disconnected? So long as the foundation bridge stays steady and does NOT change, including a brand new swap to a community is a non-disruptive exercise.
So, how does a community engineer stop the foundation bridge from altering within the community? I’m glad you requested.
Figuring out the foundation bridge for the community
Step one is to take a look at the community design and determine which swap makes probably the most logical sense to be the foundation, explicitly configuring it to have the most effective (i.e., lowest) precedence. Right here, I configure my root swap to run speedy per-vlan spanning tree (rapid-pvst) and set the precedence to 16384.
root#present run | sec spanning
spanning-tree mode rapid-pvst
spanning-tree prolong system-id
spanning-tree vlan 1-4094 precedence 16384
root#present span
VLAN0001
Spanning tree enabled protocol rstp
Root ID Precedence 16385
Handle 5254.000e.dde8
This bridge is the foundation
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Bridge ID Precedence 16385 (precedence 16384 sys-id-ext 1)
Handle 5254.000e.dde8
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Growing older Time 300 sec
Interface Function Sts Value Prio.Nbr Kind
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.2 P2p
Gi0/2 Desg FWD 4 128.3 P2p
Gi0/3 Desg FWD 4 128.4 P2p
Notice: With “per-vlan spanning-tree” each VLAN may have its personal spanning-tree constructed. The precedence of every bridge is the configured precedence plus the VLAN quantity. So for VLAN 1, the precedence is 16384+1 or 16385.
If we take a look at the spanning-tree state on one of many different switches within the community, we are able to verify the foundation bridge and the creation of a loop-free community.
switch-1#present span
VLAN0001
Spanning tree enabled protocol rstp
Root ID Precedence 16385
Handle 5254.000e.dde8
Value 4
Port 2 (GigabitEthernet0/1)
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Bridge ID Precedence 32769 (precedence 32768 sys-id-ext 1)
Handle 5254.0017.ae37
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Growing older Time 300 sec
Interface Function Sts Value Prio.Nbr Kind
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Root FWD 4 128.2 P2p
Gi0/2 Desg FWD 4 128.3 P2p
Gi0/3 Altn BLK 4 128.4 P2p
switch-1#present cdp neighbors gigabitEthernet 0/1
Machine ID Native Intrfce Holdtme Functionality Platform Port ID
root Gig 0/1 146 R S I Gig 0/1
In case you evaluate the handle of the foundation bridge proven on switch-1 to the output above from root, you will notice that the Handle and Precedence for the foundation bridge match. Additionally, discover that interface G0/1 has the function of “Root” — that is the interface on the swap that has the most effective path again to the foundation bridge. And because the output from CDP reveals, it’s really straight linked to the foundation.
Stopping a brand new root on the block… err, community
Figuring out an supposed root bridge to your community is nice, however it doesn’t stop a newly added swap from inflicting hassle.
Take into account again to my instance from my anecdote the place a brand new swap was being added to the community that had beforehand been configured as the foundation in one other community. Whereas it could possibly be argued that it’s best observe and essential to clear previous configuration from a swap earlier than including it to the community, the truth is… issues like this occur. It is very important engineer a community to deal with occasions like this.
First, let’s see what occurs to the spanning-tree community when bad-root is cabled into the community with none additional configuration defending the spanning-tree community.
switch-1#present span
VLAN0001
Spanning tree enabled protocol rstp
Root ID Precedence 4097
Handle 5254.001e.82a2
Value 4
Port 1 (GigabitEthernet0/0)
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Bridge ID Precedence 32769 (precedence 32768 sys-id-ext 1)
Handle 5254.0017.ae37
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Growing older Time 300 sec
Interface Function Sts Value Prio.Nbr Kind
------------------- ---- --- --------- -------- --------------------------------
Gi0/0 Root FWD 4 128.1 P2p
Gi0/1 Desg FWD 4 128.2 P2p
Gi0/2 Desg FWD 4 128.3 P2p
Gi0/3 Altn BLK 4 128.4 P2p
switch-1#present cdp neighbors gigabitEthernet 0/0
Machine ID Native Intrfce Holdtme Functionality Platform Port ID
bad-root Gig 0/0 154 R S I Gig 0/1
Whole cdp entries displayed : 1
Discover how the handle and precedence for the foundation bridge have modified, and that port Gi0/0 is now the “Root” port for switch-1. That is undoubtedly not what we’d need to occur if a bad-root had been linked to the community.
Bringing out the Guard… root guard, that’s
We will leverage root guard to forestall this from occurring. Root guard is likely one of the “elective spanning-tree options” that actually shouldn’t be thought-about “elective” in most community designs.
As a community engineer, it is best to be capable of take a look at your community and know which ports “needs to be” the foundation port on every swap. Then contemplate the redundancy that you simply’ve constructed into the community and determine which port ought to turn out to be the foundation port if the first port had been to have issues. Each different port on every swap ought to by no means turn out to be the foundation port. These are the ports that needs to be configured with root guard.
Notice: The basis bridge in a community has NO root ports as it’s the root of the tree. Subsequently ALL PORTS of the foundation bridge ought to have root guard enabled.
Now we’ll go forward and allow root guard on interface Gig0/0 on each switch-1 and switch-2.
switch-1(config)#interface gigabitEthernet 0/0 switch-1(config-if)#spanning-tree guard root *Oct 13 15:06:28.893: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/0. *Oct 13 15:06:28.909: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/0 on VLAN0001.
And take a look at that. As quickly as it’s enabled, we see syslog messages indicating that root guard has begun blocking the port. If we test the standing of spanning tree on switch-1 we are able to confirm that the foundation of the spanning tree has returned to the right root swap.
switch-1#present span
VLAN0001
Spanning tree enabled protocol rstp
Root ID Precedence 16385
Handle 5254.000e.dde8
Value 4
Port 2 (GigabitEthernet0/1)
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Bridge ID Precedence 32769 (precedence 32768 sys-id-ext 1)
Handle 5254.0017.ae37
Hiya Time 2 sec Max Age 20 sec Ahead Delay 15 sec
Growing older Time 300 sec
Interface Function Sts Value Prio.Nbr Kind
------------------- ---- --- --------- -------- --------------------------------
Gi0/0 Desg BKN*4 128.1 P2p *ROOT_Inc
Gi0/1 Root FWD 4 128.2 P2p
Gi0/2 Desg LRN 4 128.3 P2p
Gi0/3 Altn BLK 4 128.4 P2p
There’s one different command that’s helpful to know when troubleshooting spanning-tree ports that aren’t behaving as anticipated:
switch-1#present spanning-tree inconsistentports Identify Interface Inconsistency -------------------- ------------------------ ------------------ VLAN0001 GigabitEthernet0/0 Root Inconsistent Variety of inconsistent ports (segments) within the system : 1
Take the scare out of spooky spanning tree with data
Hopefully, this submit helps to decrease your coronary heart price a bit of the subsequent time you consider making adjustments to the community which may influence your spanning-tree community. However I additionally hope it reveals you, as a community engineer, the significance of recalling the basic expertise and data you’ve got discovered as you progress onward to extra specialised areas of networking. I used to be undoubtedly kicking myself after I realized that I had utterly missed guaranteeing that our spanning-tree community was well-designed and protected against sudden or unintended adjustments.
Whereas nobody desires to have a community outage or perhaps a minor disruption, they’ll occur. What’s essential, is that we study from them. And we turn out to be higher community engineers for them.
Do you’ve got a spooky community ghost story from your individual work as a community engineer? Ever had a scary encounter with a community outage or drawback that helped you study a lesson you’ll always remember? Share them within the feedback. Trick or deal with!
Some helpful hyperlinks for digging deeper into spanning tree:
In case you’d wish to dive deeper into this matter, I pulled a couple of hyperlinks collectively for you.
Be a part of the Cisco Studying Community right this moment without cost.
Comply with Cisco Studying & Certifications
Twitter | Fb | LinkedIn | Instagram
Use #CiscoCert to hitch the dialog.
Share:
