
Thursday, 27 May 2010

MST - Multiple Spanning Tree - Don't change the mappings!

MST allows you to create spanning-tree instances and map VLANs into them.

Combined with VTP version 3, the MST region configuration (name, revision and mappings) can be advertised automatically to every switch in the VTP domain.

MST has the concept of regions.

Whether a switch is a member of a particular region depends on three things:

  • The configured MST region name.

  • The configured MST revision number.

  • The VLAN to MSTI mappings.


The full VLAN-to-MSTI mapping table isn't carried in each BPDU; instead an MD5 digest of the table is. A switch compares the region name, revision and digest in a received BPDU with its own, and only if all three match does it treat the neighbour as being in the same region.

So why do I care?


Because if you change the mappings, you change the region: the digest changes, the switch no longer matches its neighbours, and every link to them becomes a region boundary.

If the switch you change is the root bridge (or you change the mapping network-wide) it's a topology change and you trigger a total STP re-convergence.

So if you're in a live network and you tweak the VLAN-to-MSTI mappings then you'll cause a complete outage. If it's running VTPv3 then the outage will be longer, as the change ripples through the network and switches "re-join" the region one at a time.

The solution


The solution in this case is fairly easy, set up all your mappings on day 1 and stick to them!

If you've two core switches then find a sensible way to split the VLANs between the instances, e.g.

MSTI 1 - VLANs 1 to 1999 - Root bridge SW1
MSTI 2 - VLANs 2000 to 4094 - Root bridge SW2

(VLAN IDs only go up to 4094, and any VLAN you don't map explicitly stays in instance 0, the IST.)

Then make sure you set up HSRP/VRRP so that the active gateway for each VLAN sits on the switch that is root for that VLAN's MSTI; otherwise traffic crosses the inter-switch link twice.
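The day-1 configuration described above, as an added example that is not from the original post. The region name CAMPUS, revision 1, the interface names and the HSRP addresses are assumed values; the VLAN split and root placement match the post. The same region block goes on every switch; only the priorities and HSRP settings differ between SW1 and SW2.

```cisco
! Identical on every switch in the region (assumed name/revision)
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 1-1999
 instance 2 vlan 2000-4094
 ! Nothing is applied until you leave the submode, so review the pending
 ! table first ("abort" throws it away). This is the point of no return
 ! on a live network: changing instance mappings later changes the region.
 show pending
 exit
!
! SW1 only: root for MSTI 1, backup root for MSTI 2
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
! SW2 only: the reverse
! spanning-tree mst 1 priority 8192
! spanning-tree mst 2 priority 4096
!
! SW1 only: VLAN 10 is in MSTI 1 (rooted here), so SW1 is the active gateway
! (addresses assumed); SW2 gets priority 90 for VLAN 10 and 110 for a VLAN in MSTI 2
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
!
! Before going live, confirm every switch reports the same name, revision
! and digest. A switch with a different digest is a different region.
show spanning-tree mst configuration
show spanning-tree mst configuration digest
```

The digest check is the one to script across the estate: two switches that differ only in one instance mapping look identical in `show spanning-tree mst configuration` at a glance but will show different digests and a boundary port between them.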


Friday, 5 February 2010

Cisco Gotchas - 1800 Virtual Ports

This is a (very late) addition to the article here.

Cisco 6500 doesn't directly limit the number of spanning-tree instances. It has limits on the number of virtual ports per line card.


A virtual port is one VLAN active on one port: every VLAN allowed on a trunk counts as one, and an access port counts as one. So if you have 10 VLANs and 5 active trunks with no pruning then you have 50 virtual ports.

A 6500 is limited to 1800 virtual ports per line-card (with caveats, see below!).

If you have a full 48-port linecard, every port is a trunk and you use PVST, then you can only create 37 VLANs before you hit the limit (48 x 37 = 1776; 48 x 38 = 1824). If you intend to go over this then either manually prune some VLANs from the trunks or upgrade the linecard.

Some of the SX IOS versions have removed the virtual port limit on the newer linecards (6500 and 6700 series), however the per-chassis limits still apply.

The per-chassis limits are shown here.

They are 10000 for RPVST+ and 13000 for PVST+, updated in IOS 12.2(33)SXI to be 12000/15000 respectively.


If you want to get extra lifetime out of older linecards then look into using MST, as it drastically reduces the virtual-port count: ports are counted once per MST instance rather than once per VLAN. Unless you have a need for a different STP topology for every VLAN then it's a great idea.
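Pruning a trunk and checking the resulting count, as an added example (not from the original post). The slot and port numbers and the VLAN list are assumed; `show vlan virtual-port` reports the per-slot total to compare against the 1800 figure, and `show spanning-tree summary totals` gives the chassis-wide instance and port counts for the per-chassis limits.

```cisco
! Before: trunk carries every VLAN in the database, so with 40 VLANs on a
! 48-port card that is 48 x 40 = 1920 virtual ports, over the 1800 limit.
! After: only the VLANs this downstream switch actually needs (assumed list),
! so the trunk contributes 8 virtual ports instead of 40.
interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30-35
!
! Per-slot virtual-port total for the card in slot 3
show vlan virtual-port slot 3
!
! Chassis-wide totals: number of STP instances and the port count per mode
show spanning-tree summary totals
!
! With MST the same trunk counts once per instance it carries, not per VLAN:
! two instances (plus the IST) on the same 8 VLANs is at most 3 virtual ports.
```

Pruning with `switchport trunk allowed vlan` also removes those VLANs from the STP instance on that trunk entirely, so do it per trunk based on what is actually behind the link rather than relying on VTP pruning, which prunes traffic but not the spanning-tree instance.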



Monday, 11 January 2010

Rapid Spanning Tree Notes

Just been reading a bit on RSTP; there are plenty of excellent detailed resources around. Here's my summary.




PDF version available here



Rapid Spanning Tree - 802.1w

Port Roles

Root - Path to root bridge
  The port that is closest to the root bridge in terms of path cost.

Designated - Forwarding to a segment
  The port that sends the best BPDU on the segment to which it is connected.

Alternate - Alternative path to root
  An alternative route to the root bridge. This port receives more useful BPDUs from another bridge. State discarding. Can be activated immediately if the root port fails (the RSTP equivalent of UplinkFast).

Backup - Redundant port
  This port receives more useful BPDUs from the local bridge (i.e. another port on the same switch is designated for this segment), so it is redundant. State discarding.

Disabled - Shutdown
  Administratively shut down.


Port States

Discarding
  Combines the 802.1D disabled, blocking and listening states. Drops frames and does not learn MAC addresses.

Learning
  Drops frames but learns MAC addresses.

Forwarding
  Sends and receives frames and learns MAC addresses.


Port Types

Edge
  Connects to an end host. Selected when portfast is enabled. Goes straight to forwarding and does not generate a TCN.

Root
  Path to the root bridge.

Point-to-point
  Designated port to exactly one other switch. Selected automatically when a non-edge port is in full-duplex mode; can use the RSTP proposal/agreement handshake to converge quickly.

Shared
  A non-edge port in half-duplex mode. Assumed to connect to a shared medium (hub) with possibly several peer switches; uses 802.1D-style timers.

  • It is assumed that a non-edge port in half-duplex mode may connect to a shared medium with multiple peer switches. These ports cannot use the proposal/agreement handshake and fall back to 802.1D-style timer-based convergence. The link type can be overridden with spanning-tree link-type point-to-point, but only do that when you know there is exactly one bridge on the far end.

  • A non-edge port transitioning to forwarding will generate a TCN (an edge port will not, which is why portfast matters on access ports).
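The three port types on one Catalyst, as an added example (not from the original post). Interface names and descriptions are assumed; the commands themselves are standard IOS.

```cisco
spanning-tree mode rapid-pvst
!
! Edge port: end host behind it, so no TCN on link up and straight to forwarding
interface FastEthernet0/1
 description End host - edge port
 switchport mode access
 spanning-tree portfast
!
! Full-duplex uplink: RSTP already treats this as point-to-point, so the
! explicit command is documentation; it is only needed to override a
! half-duplex port you know goes to a single bridge
interface GigabitEthernet0/1
 description Uplink to SW2 - point-to-point
 switchport mode trunk
 spanning-tree link-type point-to-point
!
! Half-duplex port to a hub: leave it as shared. Forcing point-to-point here
! would let the proposal/agreement handshake complete with one bridge while
! a second bridge on the hub is still forwarding, i.e. a loop.
interface GigabitEthernet0/2
 description Legacy hub - shared link type
 switchport mode trunk
 duplex half
!
! Verify role, state, link type and whether a legacy (802.1D) BPDU has been
! seen on the port, which drops it into compatibility mode
show spanning-tree interface GigabitEthernet0/1 detail
show spanning-tree interface GigabitEthernet0/2 detail
```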


BPDUs

  • Every switch originates its own BPDUs every hello time (2 seconds by default) on its designated ports, rather than relaying the root's BPDUs as in 802.1D.

  • Missing three consecutive hellos from a neighbour (3 x hello time, 6 seconds by default) is taken to mean the neighbour is down. All information learned on that port is aged out immediately, with no wait for max age.

  • If an 802.1D BPDU is received then that port falls back from RSTP to 802.1D mode for as long as the legacy neighbour is present.



Tuesday, 19 May 2009

BPDU Guard vs Filter

Spanning-tree BPDU Guard or BPDU Filter?

A question that has cropped up on more than one occasion is which of these options should be used? BPDU Guard or BPDU filter?

You may think it safest to use both, however that isn't the case.


BPDU Guard
The port is error-disabled (err-disabled) when a BPDU is received. The switch keeps sending its own BPDUs on the port.

BPDU Filter
Interface-level (spanning-tree bpdufilter enable): the port neither sends BPDUs nor acts on any it receives, i.e. STP is effectively switched off on that port.
Global default (spanning-tree portfast bpdufilter default): a portfast port sends a few BPDUs after link-up and then stops; if it receives a BPDU, portfast and the filter are dropped and it functions as a normal STP port. This is the behaviour most people have in mind when they say "filter", but it is not what the interface-level command does.


You may think that BPDU filter is the more useful setting as it always results in a functioning port, however consider two switches connected to each other by two parallel links (four ports in total), which forms a bridging loop.

With BPDU guard configured on all four ports, the BPDUs are detected and the ports are shut down.

With interface-level BPDU filter configured on all four ports, no BPDUs are transmitted or processed. The switches are not aware of each other and happily forward traffic down both links, creating a bridging loop.

With both options enabled on the interface the same thing happens: BPDU filter takes precedence, so BPDU guard never sees a BPDU to act on.

The important difference is that BPDU filter prevents transmission (and processing) of BPDUs, while BPDU guard keeps STP running and simply refuses a neighbour.

For a standard access port this is not desirable, so the configuration of choice is:

spanning-tree portfast
spanning-tree bpduguard enable
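The access-port configuration above, together with the recovery setting that makes BPDU guard liveable in practice, as an added example that is not from the original post. Interface names are assumed; the log message shown in the comment is the form IOS reports when BPDU guard fires.

```cisco
! Edge port: portfast plus BPDU guard. If a switch is plugged in here the
! port goes err-disabled and IOS logs something of the form:
!   %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU Guard enabled. Disabling port.
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Same thing for every portfast port in one place (interface-level
! "spanning-tree bpduguard disable" still overrides it per port)
spanning-tree portfast bpduguard default
!
! Let a guarded port recover on its own after five minutes instead of
! waiting for someone to shut/no shut it. The loop is still blocked each
! time it recurs; recovery only saves the truck roll for one-off events.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! What NOT to do on a port that might ever see another switch. The
! interface-level filter stops the port sending or acting on BPDUs, so two
! such ports back-to-back (the four-port scenario in the post) form a
! silent loop with nothing to stop it.
! interface FastEthernet0/2
!  spanning-tree bpdufilter enable
!
! Verify: portfast/bpduguard flags on the port, and who is err-disabled
show spanning-tree interface FastEthernet0/1 detail
show errdisable recovery
show interfaces status err-disabled
```

If you do need the "send a few BPDUs then stop" behaviour (for instance to stop edge BPDUs upsetting a customer's equipment), use the global `spanning-tree portfast bpdufilter default` form, which still drops back to normal STP when a BPDU arrives; keep the interface-level filter for ports where you have another mechanism guaranteeing there is no bridge behind them.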




Secure Switchport Template

There are several reasons why you might want to use a switch port template.
  • Make life easier for administrators.
  • Standardize configuration.
  • Allow people without specific Cisco knowledge to configure ports.
  • Increase security.

An example template in macro form:


macro name accessport
switchport mode access
switchport nonegotiate
switchport access vlan 99
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
storm-control multicast level 20.00
storm-control broadcast level 20.00
@


To apply this to a port run:

configure terminal
interface fa0/xx
macro apply accessport


It is probably advisable to reset the port configuration in advance in which case the commands become:

configure terminal
default interface fa0/xx
interface fa0/xx
macro apply accessport




So what do these commands do?

switchport mode access
Specify the port is an access port.
switchport nonegotiate
Disable Dynamic Trunking Protocol (DTP).
switchport access vlan 99
Set the port into a VLAN explicitly to avoid VLAN-hopping shenanigans. Replace VLAN 99 with the ID of a VLAN dedicated to unassigned ports on your network (not VLAN 1, which is the native VLAN on every trunk by default and the one double-tagging attacks rely on).
no cdp enable
Disable CDP on user-facing ports. It stops attackers flooding the CDP neighbour table with Yersinia or similar tools, and it stops the switch advertising its platform, IOS version and management address to whoever plugs in. Leave CDP on (or use LLDP-MED) on ports that serve Cisco IP phones, which need it for voice VLAN and power negotiation.
spanning-tree portfast
Turn on portfast for access ports, usually a good idea. If you use boot-from-LAN (PXE) then you'll need this, as the host will time out waiting 30 seconds for listening and learning!
Note that turning on portfast does NOT disable STP on that port; it just lets the port go directly to forwarding and suppresses the TCN. You could still create a temporary bridging loop by plugging a switch in, however, so also apply:
spanning-tree bpduguard enable


Turn on BPDU Guard to shut the port down if it gets connected to another switch, but allow this switch to keep sending BPDUs on that port.

You can turn this on globally with the command:
spanning-tree portfast bpduguard default




storm-control multicast level 20.00
storm-control broadcast level 20.00

Configure storm-control so that a single port cannot saturate the VLAN with broadcast or multicast (see the separate storm-control post below). 20% is a placeholder; measure what is normal on your network before picking a number.



Further reading:

The NSA guide to Cisco switch security.


Storm Control

Storm-control is a very useful command for all switch-ports which allows you to set limits for broadcast and multicast traffic. When those limits are exceeded, traffic of that type is blocked on the interface until the storm has passed.

The configuration for the storm-control level as a percentage of the link bandwidth is:
storm-control {broadcast|multicast|unicast} level {level} [level-low]

where level is the rising threshold (traffic above this is suppressed) and the optional level-low is the falling threshold (suppression stops once traffic drops below it). Newer IOS also accepts bps and pps forms in place of a percentage.


You can also set the action to take when the threshold is crossed: shut the port down (err-disable) or send an SNMP trap. The default action is just to filter the offending traffic, with no trap and the port left up.
storm-control action {shutdown|trap}


There are a couple of reasons why you may encounter large amounts of multicast or broadcast traffic on a LAN:
  1. There are lots of Multicast/Broadcast applications
  2. There is a bridging loop
  3. A device is malfunctioning and spamming the network


Some traffic monitoring is needed to check how much multicast/broadcast is normal on the network before configuring storm-control. You should also allow a reasonable amount of contingency so that ports don't start getting blocked if the CEO decides to multicast his video diary out to the company!

So why is it useful?

The major advantage to storm control is in the situation of a bridging loop. Typically it will be broadcast and multicast traffic that takes the network down as it gets perpetually forwarded.

With storm control the damage is limited, hopefully enough to allow LAN access to continue with reduced performance. It may not keep the users happy but it should allow you to remotely troubleshoot the network.

Without it you may be looking at a major outage lasting days while you walk around the site with a laptop trying to find the source of the failure.


Warning

Be careful setting the level-low (falling threshold) value. If this is set too low then you may find that storm-control blocks a port and never unblocks it. The following config looks innocent enough:
storm-control multicast level 20.00 0.00

It tells storm-control to block multicast on the port if multicast traffic exceeds 20% of the link bandwidth, which seems perfectly reasonable.

The second value tells storm-control to unblock the port only when multicast traffic falls below 0% of the link bandwidth. Depending on your network this may never happen, so the port stays blocked until someone runs shut/no shut on it. If you omit level-low altogether it defaults to the same value as the rising threshold, which is safe; if you set it, keep it a sensible distance below the rising threshold but well above the normal background level.
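A storm-control configuration with a sane falling threshold, the trap action, and err-disable recovery for the shutdown case, as an added example that is not from the original post. Interface names and the percentages are assumed; measure your own baseline before choosing levels.

```cisco
! Port 1: filter above 20%, resume once traffic falls below 10%. The default
! action (filter) keeps the port up; adding trap means you actually hear
! about it rather than discovering it during the next outage.
interface FastEthernet0/1
 storm-control broadcast level 20.00 10.00
 storm-control multicast level 20.00 10.00
 storm-control action trap
!
! Port 2: err-disable the port instead. Pair it with recovery, otherwise a
! one-off storm leaves the port down until someone does shut/no shut.
interface FastEthernet0/2
 storm-control broadcast level 20.00 10.00
 storm-control multicast level 20.00 10.00
 storm-control action shutdown
 storm-control action trap
!
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! The pitfall from the post, kept here as a comment so it is never pasted:
! storm-control multicast level 20.00 0.00
! A falling threshold of 0.00 is only crossed when there is no multicast at
! all, so the port can stay suppressed indefinitely. Leaving level-low off
! makes it equal to the rising level (20.00), which is safe.
!
! Verify thresholds, current traffic level and whether a port is suppressed
show storm-control
show storm-control FastEthernet0/1 broadcast
show interfaces status err-disabled
```

Note that `storm-control action shutdown` and `storm-control action trap` are independent and can both be set on the same port; with neither set you get silent filtering, which is exactly the case where a stale falling threshold goes unnoticed.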
