L2VPN Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Releases

Information about Multiple Spanning Tree Protocol

Outlines fundamental MSTP information, including Spanning Tree Protocol overview, protocol operation, variants, MSTP region details and interaction, as well as MSTP Port Fast, Root Guard, and Topology Change Guard features.


To configure Ethernet services access lists, you must understand these concepts.


Spanning Tree Protocol loop prevention and redundancy

Ethernet is no longer just a link-layer technology used to interconnect network devices and hosts. Its low cost, broad bandwidth options, and simple plug-and-play provisioning have transformed Ethernet into a robust solution for building networks, especially in access and aggregation regions within service provider environments.

Because Ethernet frames have no Time To Live (TTL) field in the Layer 2 header and Ethernet networks promote multicast traffic, a looping frame is never aged out, so these networks can be vulnerable to broadcast storms if loops are present. However, network loops are often desirable because they provide redundant paths, enabling continued connectivity in the event of link failures.

Spanning Tree Protocol (STP) offers a loop-free topology within Ethernet networks while still supporting redundancy. Within networks that may contain loops, STP disables certain interfaces as needed to ensure there is a single path between any two devices. If a fault occurs on an active link, STP recalculates the spanning tree so all devices remain reachable. STP operates transparently to end stations, ensuring seamless network connectivity while preventing broadcast storms.

There are several variants of STP used in modern networks, each designed to address specific redundancy and loop prevention requirements.


STP protocol operation

All variants of STP operate in a similar fashion. STP frames, known as bridge protocol data units (BPDUs), are exchanged at regular intervals over Layer 2 LAN segments between network devices that participate in STP. These devices do not forward the frames, but use the information to construct a loop-free spanning tree.

The spanning tree is constructed by first selecting a device that becomes the root of the spanning tree, known as the root bridge, and then by determining a loop-free path from the root bridge to every other device in the network. Redundant paths are disabled by setting the appropriate ports into a blocked state, where STP frames can still be exchanged but data traffic is not forwarded. If a network segment fails and a redundant path exists, STP recalculates the spanning tree topology and activates the redundant path by unblocking the appropriate ports.

The root bridge is selected by the lowest Bridge ID, which is a combination of the configured bridge priority and the embedded MAC address of each device. The device with the lowest priority, or with equal lowest priority but the lowest MAC address, becomes the root bridge.

The root port is selected based on the lowest root path cost to the root bridge. If there is a tie in root path cost, the local switch selects the port that receives the BPDU with the lowest sender bridge ID as the root port.

The designated port is selected as the least-cost port on the local switch toward the root bridge. If there is a tie, the local switch selects the lowest-numbered port as the designated port.

The active path among redundant paths is determined primarily by the port path cost. The port path cost represents the cost of transiting between that port and the root bridge. If two paths from a LAN segment have the same cost, the selection is further determined by the lowest bridge ID of the attached devices and, when needed, by the configured port priority and port ID of the neighboring attached ports.

Once the active paths have been selected, any ports that do not form part of the active topology are moved to the blocking state.


STP variants

The supported variants of the Spanning Tree Protocol are:

  • Legacy STP (STP): The original STP protocol was defined in IEEE 802.1D-1998. It creates a single spanning tree that is used for all VLANs and most convergence is timer-based.

  • Multiple STP (MSTP): A further enhancement was defined in IEEE 802.1Q-2005. It allows multiple spanning tree instances to be created over the same physical topology. By assigning different VLANs to different spanning tree instances, data traffic can be load-balanced over different physical links. Multiple VLANs can be assigned to the same spanning tree instance, and the BPDUs that exchange MSTP information are always sent untagged because the VLAN and spanning tree instance data is encoded inside the BPDU.


Attributes of MSTP regions

MSTP introduces the concept of regions to support multiple spanning trees within a single network. An MSTP region is a group of devices under the same administrative control that share identical configurations.

The configuration attributes that define and identify an MSTP region are:

  • Region name: The unique identifier assigned to the MSTP region.

  • Revision number: The configuration version for the region.

  • VLAN-to-instance mapping: The assignment of VLANs to specific spanning tree instances, which must be the same on all devices within the region.

A digest (hash) of these configuration attributes is included in every MSTP BPDU (Bridge Protocol Data Unit) sent by devices. Other devices in the network use this digest to verify region membership—if the digest matches, devices recognize each other as belonging to the same MSTP region.
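
The region-membership check described above, as an added example (not Cisco code). It assumes the IEEE 802.1Q construction, in which the digest is an HMAC-MD5 over the VLAN-to-instance table with the standard's published key, and the region name and revision are compared alongside it; the switch names and mappings are constructed sample data.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Signature key published in IEEE 802.1Q for the MST configuration digest.
# It is a public constant: the digest reveals configuration mismatches,
# it does not authenticate the sender of a BPDU.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_digest(vlan_to_instance):
    """HMAC-MD5 over a 4096-entry table of 16-bit instance IDs indexed by VLAN."""
    table = [0] * 4096  # VLANs not listed stay in instance 0
    for vlan, instance in vlan_to_instance.items():
        if not 1 <= vlan <= 4094 or not 0 <= instance <= 4094:
            raise ValueError(f"bad mapping: VLAN {vlan} -> instance {instance}")
        table[vlan] = instance
    packed = struct.pack(">4096H", *table)
    return hmac.new(MST_DIGEST_KEY, packed, hashlib.md5).hexdigest().upper()


def group_by_region(devices):
    """devices: {name: (region_name, revision, vlan_map)} -> lists of members."""
    regions = defaultdict(list)
    for name, (region, revision, vlan_map) in devices.items():
        regions[(region, revision, mst_digest(vlan_map))].append(name)
    return sorted(sorted(members) for members in regions.values())


# Constructed sample: intended mapping is VLANs 10-19 -> 1, VLANs 20-30 -> 2.
BASE = {**{v: 1 for v in range(10, 20)}, **{v: 2 for v in range(20, 31)}}
DEVICES = {
    "SW1": ("REGION-A", 1, BASE),
    "SW2": ("REGION-A", 1, dict(BASE)),
    "SW3": ("REGION-A", 1, {**BASE, 30: 1}),  # VLAN 30 in the wrong instance
    "SW4": ("REGION-A", 2, BASE),             # same mapping, other revision
}

if __name__ == "__main__":
    for members in group_by_region(DEVICES):
        print(members)
```

A single mismatched VLAN or revision puts a switch in its own region, so running this over intended configurations before deployment shows where unplanned region boundaries would appear.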


How MSTP region communication works

For this example, switches SW1, SW2, SW3, and SW4 are MSTP-capable, while switches SW5 and SW6 are not. MSTP must present a unified logical topology at boundaries with non-MSTP devices and with other MSTP regions.

Summary

The key components involved in the process are:

  • Internal spanning tree: Always instance 0, represents the region externally.

  • MSTP region: Composed of MSTP-capable switches (e.g., SW1, SW2, SW3, SW4).

  • Non-MSTP-aware devices: Devices not supporting MSTP, such as SW5 and SW6.

MSTP uses the internal spanning tree to represent the region externally, ensuring consistent topology and communication when interacting across region boundaries.

Workflow

Figure 1. MST interaction with non-MST regions

These stages describe how MSTP handles region-boundary communication.

  1. When bridges running MSTP are connected to bridges running legacy STP or RSTP, the MSTP region must present a consistent topology to neighboring devices. MSTP uses the internal spanning tree (instance 0) for this purpose.
  2. When communicating with non-MSTP-aware devices, the entire MSTP region is represented externally as a single switch. The logical topology is therefore based on the internal spanning tree view of the region.
    Figure 2. Logical topology in MST region interacting with non-MST bridges
  3. The same mechanism applies when the neighboring devices belong to a different MSTP region. For example, SW5 represents MSTP devices located in a different region than SW1–SW4.

Result

At the region boundary, the MSTP region appears as a single logical switch, and communication between regions—whether to non-MSTP devices or other MSTP regions—relies on the internal spanning tree model, ensuring a stable and consistent topology.


MSTP port fast

MSTP port fast handles ports at the edge of a switched Ethernet network. The following reference information summarizes its behavior and configuration notes:

  • For devices with a single network link (typically host devices), MSTP does not need to run, as only one path exists and topology changes are unnecessary.

  • Port fast prevents unnecessary MSTP participation and topology changes, avoiding MAC flushes when a single link fails or is restored.

  • By default, MSTP monitors ports where no BPDUs are received; after a timeout, it places them into edge mode so they do not participate in MSTP.

  • Explicitly configuring edge ports as port fast speeds up the process and improves convergence.

  • Configuration changes require you to disable and then re-enable the port using the commands shutdown and no shutdown in interface configuration mode.

  • Port fast is a Cisco-proprietary extension for legacy STP, but in MSTP standards it is known as Edge Port.


MSTP Root Guard

MSTP Root Guard is a mechanism that allows administrators to enforce and secure the location of the root bridge in a spanning tree network. This feature is particularly useful in networks with shared administrative control, where it is essential to maintain an optimal network topology by positioning the root bridge at a specific location, often the center of the network.

Key aspects of MSTP Root Guard include:

  • Preventing designated interfaces from becoming root ports if superior BPDU information is received, instead placing those interfaces in a blocking state to avoid undesired topology changes.

  • Supporting administrator efforts to set the root bridge priority to the lowest possible value while providing additional protection when competing devices may also use this strategy.

  • Ensuring that a switch with Root Guard on all interfaces will become the root bridge for the spanning tree, as any conflicting information arriving on those ports causes them to be blocked.

Additional information

  • Root Guard originally appeared as a Cisco-proprietary extension in legacy STP implementations but is now standardized in MSTP as the "Restricted Role."

  • The root bridge itself has no root ports; Root Guard helps maintain this by ensuring a device cannot be displaced as root due to unexpected superior BPDUs.
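
A simplified model of root bridge election and of the Root Guard decision on a single port, as an added example (not Cisco code). It compares Bridge IDs only and ignores path cost; the bridge names, priorities and MAC addresses are constructed.

```python
def bridge_id(priority, mac):
    """Bridge ID as a sortable tuple: priority first, then MAC address."""
    return (priority, bytes.fromhex(mac.replace(":", "")))


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the lowest Bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def receive_bpdu(known_root, advertised_root, root_guard):
    """Return (port_result, root_after) for a BPDU received on one port.

    A BPDU is superior when it advertises a lower root Bridge ID than the
    one this switch currently accepts.
    """
    if advertised_root >= known_root:
        return "unchanged", known_root
    if root_guard:
        # Root Guard: the port is blocked instead of becoming a root port.
        return "blocking", known_root
    return "root-port", advertised_root


# Constructed sample topology.
BRIDGES = {
    "core-1": (4096, "00:1a:2b:00:00:10"),
    "core-2": (4096, "00:1a:2b:00:00:02"),
    "agg-1": (32768, "00:1a:2b:00:00:01"),
}


def demo():
    root_name = elect_root(BRIDGES)  # equal priority, so the lower MAC wins
    root = bridge_id(*BRIDGES[root_name])
    # A competing device outside the core advertises priority 0.
    competitor = bridge_id(0, "00:99:99:00:00:01")
    return {
        "root": root_name,
        "guarded": receive_bpdu(root, competitor, root_guard=True),
        "unguarded": receive_bpdu(root, competitor, root_guard=False),
    }


if __name__ == "__main__":
    print(demo())
```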


MSTP topology change guard

MSTP topology change guard prevents topology changes that originate at or are received on a specific port from being propagated through the rest of the network.

Key features and behaviors:

  • Helps prevent MAC address table flushing in the network core by blocking external or unauthorized topology changes.

  • Is useful when the network is not under single administrative control, to prevent devices outside the network core from affecting core stability.

  • Can be enabled by configuring topology change guard on individual ports.

  • Is referred to as "Restricted TCN" in the MSTP standard.