
01/12/2018

GC
Topic: Spanning Tree Protocol 2018-2019

What you will learn
• How Spanning Tree Protocol (STP) works
• A glance at Rapid Spanning Tree Protocol (RSTP)

Spanning Tree Protocol

Defined in the IEEE 802.1D standard

To prevent frames from looping in bridged (switched) LANs with redundant links, STP blocks some ports from forwarding and receiving (data) frames
Only one active path exists between any pair of LAN segments
Drawbacks:
• The network does not take advantage of some links
• Some traffic travels a longer path, because a shorter path is blocked


What STP does

STP places each bridge/switch port in either a forwarding state or a blocking state
Switches forward frames out of ports, and accept frames received on ports, that are in forwarding state
Switches neither forward frames out of ports, nor accept frames received on ports, that are in blocking state
A port can also be in disabled state (the port is not included in the active STP topology):
• operational state forced by the network manager
• the port has failed
• the port is connected to no device
[Figure: switches SW1, SW2 and SW3 connected in a triangle, with hosts H1, H2 and H3]

What STP does (cont.)

If the link between SW1 and SW3 fails, STP converges so that SW3 no longer blocks its 0/27 interface
[Figure: the same topology after the SW1-SW3 link failure, with hosts H1, H2 and H3]


How STP works

STP creates a spanning tree in three phases:

Election of the root bridge
• STP elects a single bridge, among all the bridges, to be the root of the spanning tree
• All ports of the root bridge are put in forwarding state
Selection of the root port
• Each non-root bridge selects the port (known as the root port) that gives the best path from itself to the root bridge
• The root port is put in forwarding state
Selection of the designated port
• For each LAN segment, from among the bridges attached to the segment, STP elects the one closest to the root bridge as the designated bridge
• The designated bridge's interface attached to that segment is called the designated port and is put in forwarding state
• All the ports of the root bridge are designated ports
All other ports are placed in blocking state

Bridge Protocol Data Units (BPDUs)

Bridges exchange protocol frames, called BPDUs
BPDUs are sent to the multicast address 01-80-C2-00-00-00

BPDU frame layout (an Ethernet frame carrying an LLC PDU):
  Dest. Addr.    01-80-C2-00-00-00 (multicast)
  Source Addr.   bridge address (unicast)
  Length         XY
  DSAP           0x42
  SSAP           0x42
  Control        0x03
  BPDU           Configuration BPDU or Topology Change Notification BPDU
  FCS

BPDU: Bridge Protocol Data Unit
DSAP: Destination Service Access Point
SSAP: Source Service Access Point


Types and format of BPDUs

(a) Configuration BPDU (also called hello message): used to define the loop-free topology
(b) Topology Change Notification (TCN) BPDU: used by a bridge to notify the root bridge about a detected topology change
[Figure: Configuration BPDU format; its timer fields are dictated by the root bridge]

Types of BPDUs (cont.)

Root Bridge ID: the identifier of the bridge assumed to be the root bridge
Root Path Cost: cost of the least-cost path to the root bridge from the bridge transmitting this configuration BPDU
Bridge ID: identifier of the bridge transmitting this configuration BPDU
Port ID: identifies the port from which the configuration BPDU is sent
Hello Time: the time that elapses between consecutive configuration BPDUs generated by the root (or by a bridge that assumes itself to be the root); the default value is 2 seconds
Max Age: how long a bridge should wait, after it stops hearing hellos, before trying to change the topology; the default value is 20 seconds
Forward Delay: used to defer the transition to the forwarding state of a port that was in blocking state; the default value is 15 seconds


Bridge identifier and port identifier

Bridge Identifier (or Root Bridge Identifier): Bridge Priority followed by Bridge MAC Address
• (Original) bridge priority: 16 bits
• Default: 32768
• Recommendation: modify it with increments or decrements in steps of 4096 units
Port Identifier: Port priority followed by Port number
• Port priority: 1 byte
• Default: 128
• Recommendation: modify it with increments or decrements in steps of 16 units
Normally, a Port ID is denoted in hexadecimal. For example, 0x8015 (in binary 1000000000010101) is equivalent to 128.21, where the first byte is the Port priority and the second byte is the Port number
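As an added example (not part of the original slides), the following Python encodes and decodes the frame and BPDU layout described on the preceding slides: the 01-80-C2-00-00-00 destination, the 0x42/0x42/0x03 LLC header, the Configuration and TCN BPDU bodies, and the priority+MAC bridge identifier and priority+number port identifier (including the 0x8015 = 128.21 port ID from above). The field order and the 1/256-second timer units follow IEEE 802.1D; the MAC address used in the sample frame is an assumed value.

```python
"""Added example: encode and decode IEEE 802.1D STP BPDU frames as laid out on the slides."""
import struct
from dataclasses import dataclass

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01-80-C2-00-00-00
LLC_STP = bytes([0x42, 0x42, 0x03])              # DSAP, SSAP, Control
BPDU_TYPE_CONFIG, BPDU_TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80                   # Topology Change / TC Acknowledgement
CONFIG_FMT = "!HBBB8sI8sHHHHH"                   # 35-byte Configuration BPDU body


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bridge_id(priority: int, mac: str) -> bytes:
    """Original 802.1D Bridge ID: 16-bit priority followed by the 48-bit MAC address."""
    return struct.pack("!H6s", priority, mac_bytes(mac))


def fmt_bridge_id(bid: bytes) -> str:
    prio, mac = struct.unpack("!H6s", bid)
    return f"{prio}.{'-'.join(f'{b:02X}' for b in mac)}"


def port_id(priority: int, number: int) -> int:
    """Port ID as on the slide: 8-bit port priority followed by 8-bit port number."""
    return (priority << 8) | number


def fmt_port_id(pid: int) -> str:
    return f"{pid >> 8}.{pid & 0xFF}"            # 0x8015 -> "128.21"


@dataclass
class ConfigBPDU:
    root_id: bytes
    root_path_cost: int
    sender_id: bytes          # Bridge ID of the transmitting bridge
    sender_port: int          # Port ID the BPDU is sent from
    message_age: float = 0.0  # timers are carried in units of 1/256 s
    max_age: float = 20.0
    hello_time: float = 2.0
    forward_delay: float = 15.0
    flags: int = 0

    def pack(self) -> bytes:
        return struct.pack(CONFIG_FMT, 0, 0, BPDU_TYPE_CONFIG, self.flags,
                           self.root_id, self.root_path_cost, self.sender_id, self.sender_port,
                           round(self.message_age * 256), round(self.max_age * 256),
                           round(self.hello_time * 256), round(self.forward_delay * 256))

    @classmethod
    def unpack(cls, body: bytes) -> "ConfigBPDU":
        fields = struct.unpack(CONFIG_FMT, body[:struct.calcsize(CONFIG_FMT)])
        proto, version, btype, flags, root, cost, sender, sport, age, max_age, hello, fwd = fields
        if proto != 0 or version != 0 or btype != BPDU_TYPE_CONFIG:
            raise ValueError("not a Configuration BPDU")
        return cls(root, cost, sender, sport, age / 256, max_age / 256, hello / 256, fwd / 256, flags)


def tcn_bpdu() -> bytes:
    """Topology Change Notification BPDU: protocol ID, version and type only."""
    return struct.pack("!HBB", 0, 0, BPDU_TYPE_TCN)


def build_frame(src_mac: str, bpdu: bytes) -> bytes:
    """802.3 frame: multicast destination, bridge address as source, length, LLC, BPDU (no FCS)."""
    payload = LLC_STP + bpdu
    return STP_MULTICAST + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def parse_frame(frame: bytes):
    """Return ("config", ConfigBPDU) or ("tcn", None); reject anything that is not an STP frame."""
    dst, src, length = struct.unpack("!6s6sH", frame[:14])
    if dst != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not an STP BPDU frame")
    body = frame[17:14 + length]
    if body[3] == BPDU_TYPE_TCN:
        return "tcn", None
    return "config", ConfigBPDU.unpack(body)


if __name__ == "__main__":
    # Constructed sample: a hello from a bridge with default priority claiming to be root (assumed MAC)
    me = bridge_id(32768, "00-11-22-33-44-55")
    hello = ConfigBPDU(root_id=me, root_path_cost=0, sender_id=me, sender_port=port_id(128, 21))
    kind, parsed = parse_frame(build_frame("00-11-22-33-44-55", hello.pack()))
    print(kind, fmt_bridge_id(parsed.root_id), fmt_port_id(parsed.sender_port), parsed.hello_time)
```

Feeding a captured frame to parse_frame gives the Root Bridge ID, Root Path Cost, Bridge ID and Port ID exactly as the election rules on the following slides consume them; a frame whose destination is not the STP multicast address or whose LLC header is not 0x42/0x42/0x03 is rejected before any field is read.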

Port cost

A cost is associated with each port of a bridge
Port costs can be configured
IEEE recommended the following values
[Table: the original STP cost/bandwidth table]


Port cost (cont.)

The revised 802.1D has increased the path cost to a 32-bit value, providing more granularity
[Table: the revised cost/bandwidth table]
The port cost is added to the root path cost in a hello message received on “this” port in order to determine the cost of the path to the root through “this” port

Election of the root bridge

At the beginning of the root-election process, each bridge assumes itself to be the root and so transmits hello messages on each of its ports with its own ID as root and as transmitting bridge, and zero as cost
A bridge compares the root ID field in the received configuration messages with its own bridge ID
A bridge with a lower numeric value for the bridge ID is a better candidate
If a tie occurs based on priority, the MAC address is compared
If a bridge hears of a better candidate, it stops advertising itself as root and starts forwarding the hellos sent by the better bridge


Election of the root bridge (cont.)

Eventually, the root bridge will be the bridge with the lowest numeric value for the bridge ID
Only the root bridge will be generating hello messages
Before forwarding a hello message, a bridge
• adds the cost of the port on which the hello was received to the root path cost (in the hello)
• puts its own bridge ID in the Bridge ID field
• puts the identifier of the port from which the hello will be forwarded in the Port ID field
The bridge priority allows the network manager to influence the choice of root bridge

Election of the root bridge (cont.)

The root election process in action:
SW1 and SW3 are advertising themselves as root
SW2 believes that SW1 is a better root candidate
SW1 will be the winner
• a tie occurs based on priority, but SW1's MAC address is lower than SW3's MAC address
[Figure: SW1, SW2 and SW3 exchanging hellos; each link has cost 100]


Selection of the root port

If there are alternative paths to the root, each non-root bridge receives hellos on more than one port
The bridge selects its root port based on the conditions below (in the order 1-2-3-4, moving to the next condition only if a tie occurs):
(1) The port is the one from which it has the minimal cost to the root bridge
(2) The BPDU received has the smallest (sender) bridge ID
(3) The BPDU received has the smallest (sender) port ID
(4) The port has the smallest (own) port ID
[Figure: SW1 root, each link with cost 100]
• SW2's best cost is seen in the hello entering its port 0/26
• SW3's best cost is seen in the hello entering its port 0/26

Selection of the root port (cont.)

A case of ties on conditions (1) and (2) at SW2
[Figure: SW1 (root bridge) connected to SW2 by two parallel links, each with cost 100; the tie is broken by condition (3), the sender's port ID]
A case of ties on conditions (1), (2) and (3) at SW2
[Figure: one port of SW1 (root bridge) reaches two ports of SW2 through a repeater, each path with cost 100; the tie is broken by condition (4), SW2's own port ID]


Selection of the designated port

For each LAN segment, the designated bridge (and, thus, the designated port) is the one advertising the lowest-cost hello onto the LAN segment
In case a tie occurs, the priority order above (see the conditions on the slide "Selection of the root port") is considered
When STP stabilizes, only the designated bridge advertises hellos on a LAN segment
[Figure legend: root bridge; root port; designated port; port in blocking state. Symbology defined in IEEE 802.1w (see the slide "Rapid Spanning Tree Protocol")]
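To make the three phases concrete, here is an added Python simulation (not code from the slides) of the election, root-port and designated-port rules on the three-switch topology used in the figures: every link costs 100, every switch uses the default priority 32768, and the MAC addresses are assumed so that SW1 < SW2 < SW3. It is a synchronous, round-based model without timers (no listening/learning states, no Max Age): each round, designated ports transmit their hello, every other port on the segment keeps the best hello heard, and each bridge re-applies conditions (1)-(4). That is enough to show that SW3 blocks 0/27 and, once the SW1-SW3 link is removed, re-converges through SW2 with root path cost 200; the same rules also reproduce the repeater tie-break case (condition (4)) from the previous slide.

```python
"""Added example: a round-based simulation of the three STP phases on the slides (not code from
the slides). MAC addresses and port numbers are assumed; every link costs 100 (10 Mb/s)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Vector:
    """Hello contents as a bridge compares them; tuple order = conditions (1), (2), (3). Lower wins."""
    root_id: tuple          # (bridge priority, MAC): priority first, MAC breaks the tie
    root_path_cost: int
    sender_id: tuple
    sender_port: int        # port ID = (port priority << 8) | port number


def pid(number, priority=128):
    return (priority << 8) | number


class Bridge:
    def __init__(self, name, priority, mac):
        self.name, self.bid = name, (priority, mac)
        self.ports = {}      # port number -> (segment name, port cost)
        self.heard = {}      # port number -> best Vector heard on that port in the current round
        self.state = {}      # port number -> "root" | "designated" | "blocking"
        self.root_port = None
        self.vector = Vector(self.bid, 0, self.bid, 0)   # at start, every bridge claims to be root

    def attach(self, number, segment, cost):
        self.ports[number] = (segment, cost)
        self.state[number] = "designated"

    def detach(self, number):                     # link failure: forget the port entirely
        for d in (self.ports, self.state, self.heard):
            d.pop(number, None)

    def advert(self, number):
        """The hello this bridge would send out of a port: root, own root path cost, own IDs."""
        return Vector(self.vector.root_id, self.vector.root_path_cost, self.bid, pid(number))

    def recompute(self):
        # Phases 1 and 2: best root, then the port giving the best path to it
        # (cost, sender bridge ID, sender port ID, own port ID: conditions 1-2-3-4)
        best = None
        for n, (_, cost) in self.ports.items():
            v = self.heard.get(n)
            if v is not None:
                cand = (v.root_id, v.root_path_cost + cost, v.sender_id, v.sender_port, pid(n))
                if best is None or cand < best:
                    best = cand
        if best is None or best[0] >= self.bid:   # nobody advertises a better root: I am root
            self.root_port, self.vector = None, Vector(self.bid, 0, self.bid, 0)
        else:
            self.root_port = best[4] & 0xFF
            self.vector = Vector(best[0], best[1], self.bid, 0)
        # Phase 3: designated on a port if my hello beats the best hello heard on it
        for n in self.ports:
            if n == self.root_port:
                self.state[n] = "root"
            elif self.heard.get(n) is None or self.advert(n) < self.heard[n]:
                self.state[n] = "designated"
            else:
                self.state[n] = "blocking"


def run_stp(bridges, max_rounds=100):
    """Exchange hellos until nothing changes; returns the number of rounds needed."""
    segments = {}
    for b in bridges:
        for n, (seg, _) in b.ports.items():
            segments.setdefault(seg, []).append((b, n))

    def snapshot():
        return [(b.root_port, b.vector, dict(b.state)) for b in bridges]

    for rnd in range(1, max_rounds + 1):
        before = snapshot()
        for b in bridges:
            b.heard = {}
        for members in segments.values():
            # only designated ports transmit; every other port on the segment hears them
            sent = [(b, n, b.advert(n)) for b, n in members if b.state[n] == "designated"]
            for b, n in members:
                others = [v for sb, sn, v in sent if (sb, sn) != (b, n)]
                if others:
                    b.heard[n] = min(others)
        for b in bridges:
            b.recompute()
        if snapshot() == before:
            return rnd
    raise RuntimeError("STP did not converge")


def summary(bridges):
    """name -> (is root, root port, root path cost, port states)"""
    return {b.name: (b.root_port is None, b.root_port, b.vector.root_path_cost, dict(b.state))
            for b in bridges}


def triangle():
    """Constructed topology from the figures: SW1, SW2, SW3 in a triangle, default priority 32768,
    assumed MACs such that SW1 < SW2 < SW3, ports 0/26 and 0/27 on each switch."""
    sw1, sw2, sw3 = (Bridge(n, 32768, m) for n, m in
                     (("SW1", "00-00-00-00-00-01"), ("SW2", "00-00-00-00-00-02"),
                      ("SW3", "00-00-00-00-00-03")))
    sw1.attach(26, "SW1-SW2", 100); sw2.attach(26, "SW1-SW2", 100)
    sw1.attach(27, "SW1-SW3", 100); sw3.attach(26, "SW1-SW3", 100)
    sw2.attach(27, "SW2-SW3", 100); sw3.attach(27, "SW2-SW3", 100)
    return [sw1, sw2, sw3]


if __name__ == "__main__":
    net = triangle()
    print("converged after", run_stp(net), "rounds:", summary(net))
    net[0].detach(27); net[2].detach(26)          # the SW1-SW3 link fails
    print("after link failure:", run_stp(net), "rounds:", summary(net)["SW3"])
```

Because a bridge's own hello is only filtered out per port, a bridge with two ports on the same segment (the repeater case) hears the root's hello on both, ties on conditions (1)-(3) and keeps the lower-numbered port as root port while blocking the other, which is exactly condition (4).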

Reacting to changes in the network

Each bridge uses the repetitive (every hello time) hearing of hellos from the root as a way to know that its path to the root is still working
The root bridge dictates the Hello time, the Max age, and the Forward delay
• All the bridges in the bridged LAN use the same values
If a bridge does not receive a hello for Max age seconds, something has failed or, in general, changed
• It injects TCNs into the network in order to start the process of changing the spanning tree
• It advertises itself as root again or believes the next best claim of who should be the root
In order to avoid loops, a port that has to move from blocking state to forwarding state enters the interim listening state first
• After the Forward Delay amount of time, the port state is changed to learning state
• After another Forward Delay amount of time, the interface is (finally!) placed in forwarding state


Spanning Tree Intermediate States

The listening state allows each device to wait to make sure that there are no new, better hellos with a new, better root
The learning state allows the bridge to learn the new location of MAC addresses without allowing forwarding and possibly causing loops
Using the default (i.e., recommended) timers, 50 seconds (20 + 15 + 15) are required before a port can switch from blocking state to forwarding state

Topology Change Notifications

1. When a bridge notices that the topology has changed, it must inform the root
2. The bridge periodically transmits a Topology Change Notification (TCN) BPDU on its root port
• It continues to do this until the parent bridge acknowledges by setting the TCA flag in its configuration BPDU
3. A bridge that receives a TCN on a designated port does two things
• It performs step 2 (that is, it informs its own parent)
• It sets the TCA flag in the next configuration message it transmits on the LAN from which the TCN was received
4. The root bridge, as soon as it receives a TCN message, sends configuration messages with the TC flag set
5. A bridge that is receiving configuration messages with the TC flag set uses the Forward Delay value carried in them as its ageing time, until it starts receiving configuration messages without the TC flag set
• Bridges are thus forced to quickly remove invalid entries from their filtering database


How to avoid STP convergence time

The best way to lower STP's default 50-second convergence time is to avoid convergence altogether
The IEEE 802.1AX standard allows several parallel Ethernet links to be bundled into a single logical link (more network bandwidth and more availability)
• Link Aggregation Control Protocol (LACP)
[Figure: two Ethernet stations joined by several parallel links bundled into one aggregate link]
STP treats the aggregate link as a single link
• If at least one of the links is UP, STP convergence does not have to occur
Only full-duplex point-to-point links, operating at the same data rate, can be bundled

Rapid Spanning Tree Protocol

RSTP (IEEE 802.1w) works just like STP in several ways:
• It elects the root switch using the same parameters and tiebreakers
• It elects the root port on non-root switches with the same rules
• It elects a designated switch on each LAN segment with the same rules
• It places each port in either forwarding or blocking state (RSTP calls the blocking state “discarding” instead of “blocking”)


Rapid Spanning Tree (cont.)

Discarding means that the port does not forward frames, process received frames, or learn MAC addresses, but it listens for BPDUs
• it acts just like the STP blocking state
RSTP uses an interim learning state, which works just like the STP learning state, but for only a short time
Some mechanisms aiming at reducing convergence time have been defined. For example,
• RSTP designates ports that receive suboptimal BPDUs as alternate ports
  If a non-root switch (e.g., SW3 in the figure) stops getting hellos from the root switch, RSTP on that switch chooses the best alternate port as the new root port
• RSTP immediately places the ports connected to edges in forwarding state when the links are active
[Figure: root switch, SW3 with an alternate port, and edge links]

Rapid Spanning Tree (cont.)

RSTP has been defined to reduce network convergence times (typically, less than 10 seconds; in some cases, as low as 1 to 2 seconds) in networks like that on the left side (case a) of the figure below, but not in networks like that on the right (case b)
[Figure: (a) and (b), two example topologies]


Some STP security considerations

STP has no provisions for authentication of the BPDUs
In order to change the spanning tree, an attacker could send out hello messages with a bridge priority of zero from his PC
[Figure: distribution-layer switches A (root) and B, access-layer switches C and D; a rogue switch (PC with bridging) attached to C sends a hello. Legend: root port; designated port; blocking port]

Some STP security considerations (cont.)

The new spanning tree
[Figure: the same network after the attack; the rogue switch (PC with bridging) is now the root. Legend: root port; designated port; blocking port]
The network manager could set the root bridge priority to zero in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of zero and a lower MAC address


Some STP security considerations (cont.)

In the figure below, the attacker has established two links to two different access switches
The attacker tries to change the spanning tree by sending out BPDUs with a bridge priority of zero from his PC
[Figure: distribution-layer switches A (root) and B, access-layer switches C and D; the rogue switch (PC with bridging) is connected to both C and D and sends a hello on each link. Legend: root port; designated port; blocking port]

Some STP security considerations (cont.)

Consider the new spanning tree in the figure: all traffic between the access switches C and D flows through the attacker's PC
[Figure: the same network with the rogue switch (PC with bridging) as root, between access switches C and D]
The attacker can sniff traffic, act as a man-in-the-middle, or create a DoS condition (making his links much slower than the other links)
Attack mitigation
• Disabling STP in all cases in which there are no loops
• (Better!) Filtering which ports are allowed to participate in the STP process. For example, on Cisco devices two principal options are available:
  BPDU Guard disables any port configured with the “PortFast” option that receives a BPDU
  The PortFast option causes a switch port (generally, a user port) to enter the Forwarding state immediately, bypassing the Listening and Learning states
  Root Guard disables a port that would become an STP root port
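The bridge-ID comparison behind this attack, and the two port filters above, as an added Python model (not vendor code and not from the slides): a bridge ID compares first by priority and then by MAC, so a rogue hello with priority 0 beats a default root, beats a priority-0 root whenever the attacker's MAC is lower, and loses only when it is higher. The port model treats BPDU Guard as err-disabling any PortFast port that receives a BPDU, and Root Guard as refusing a hello whose root ID is better than the current root (the simplest case in which the port would become a root port); both are simplifications of the slide's description, and the MAC addresses and interface names are assumed.

```python
"""Added example: rogue-root hellos against the bridge-ID comparison, and BPDU Guard / Root Guard
as port filters (simplified model written for these slides, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int     # compared first: lower wins; 0 is the best a manager, or an attacker, can set
    mac: int          # 48-bit MAC as an integer, compared only on a priority tie


def bid(priority: int, mac: str) -> BridgeID:
    return BridgeID(priority, int(mac.replace("-", "").replace(":", ""), 16))


@dataclass(frozen=True)
class Hello:
    """The Configuration BPDU fields that matter for the root election."""
    root_id: BridgeID
    root_path_cost: int
    sender_id: BridgeID


def beats_root(claimed: BridgeID, current: BridgeID) -> bool:
    """Would a hello claiming `claimed` as root displace `current`? Lower numeric ID wins."""
    return claimed < current


@dataclass
class AccessPort:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    status: str = "forwarding"


def receive_bpdu(port: AccessPort, hello: Hello, current_root: BridgeID) -> str:
    """Apply the filters described on the slide to a hello arriving on an access port and
    return the resulting port status."""
    if port.portfast and port.bpdu_guard:
        # BPDU Guard: a PortFast (user) port must never see a BPDU; shut it down on the first one
        port.status = "err-disabled"
    elif port.root_guard and beats_root(hello.root_id, current_root):
        # Root Guard (simplified): a hello that would make this port a root port is refused
        port.status = "root-inconsistent"
    elif beats_root(hello.root_id, current_root):
        # unfiltered port: the rogue hello wins the election and this port becomes the root port
        port.status = "root-port"
    return port.status


def demo() -> dict:
    """Constructed scenario matching the figures; all MAC addresses and port names are assumed."""
    default_root = bid(32768, "00-AA-BB-00-00-01")    # distribution switch A, default priority
    hardened_root = bid(0, "00-AA-BB-00-00-01")       # the same switch after the manager set priority 0
    rogue_low = bid(0, "00-00-00-00-00-01")           # attacker: priority 0 and a lower MAC
    rogue_high = bid(0, "00-FF-FF-00-00-01")          # attacker: priority 0 but a higher MAC
    rogue_hello = Hello(rogue_low, 0, rogue_low)
    legit_hello = Hello(hardened_root, 100, bid(32768, "00-AA-BB-00-00-0C"))  # relayed by switch C's parent

    results = {
        "rogue vs default root": beats_root(rogue_low, default_root),
        "rogue (lower MAC) vs priority-0 root": beats_root(rogue_low, hardened_root),
        "rogue (higher MAC) vs priority-0 root": beats_root(rogue_high, hardened_root),
    }
    ports = {
        "unfiltered port": AccessPort("C Fa0/1"),
        "portfast + bpdu guard": AccessPort("C Fa0/1", portfast=True, bpdu_guard=True),
        "root guard": AccessPort("C Fa0/1", root_guard=True),
    }
    for label, port in ports.items():
        results[label] = receive_bpdu(port, rogue_hello, hardened_root)
    # Root Guard must not interfere with hellos that do not claim a better root
    results["root guard, legitimate hello"] = receive_bpdu(
        AccessPort("C Gi0/1", root_guard=True), legit_hello, hardened_root)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The first three results are the point of the previous slide: priority 0 on the real root only narrows the race to the MAC address. The remaining results are the point of this one: the rogue hello changes nothing on a port that drops BPDUs (BPDU Guard) or refuses superior roots (Root Guard), while a legitimate hello relayed from the real root still passes the Root Guard port untouched.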
