Chapter 33: Advanced STP and MST
Learning Objectives
By the end of this chapter, you will be able to:
- Configure Multiple Spanning Tree (MST) protocol
- Implement advanced STP optimization techniques
- Configure STP security features and protection mechanisms
- Troubleshoot complex spanning tree scenarios
- Design resilient Layer 2 topologies with optimal STP configuration
Multiple Spanning Tree (MST) Protocol
MST Fundamentals
Multiple Spanning Tree (MST) allows multiple VLANs to be mapped to a single spanning tree instance, reducing the number of spanning tree instances while providing load balancing across different VLANs.
MST Benefits
- Scalability: a handful of instances instead of one spanning tree per VLAN
- Load Balancing: each instance (and so each group of VLANs) can root on a different switch and take a different path
- Convergence: built on RSTP, so it converges far faster than legacy PVST+ (comparable to Rapid PVST+)
- Bandwidth Efficiency: one BPDU per port carries every instance instead of one BPDU per VLAN
- Interoperability: speaks RSTP at region boundaries; Cisco switches also interoperate with PVST+ and Rapid PVST+ neighbours through PVST simulation
MST Concepts
MST Regions
- MST Region: Group of switches with same MST configuration
- Region Name: Text string identifying the region
- Revision Number: Configuration version number
- VLAN-to-Instance Mapping: Which VLANs belong to which instance
MST Instances
- Instance 0 (IST): Internal Spanning Tree, always exists and carries every VLAN not mapped to another instance
- Instances 1 and up: user-defined; Cisco platforms support 16 instances (0-15) on most switches and up to 64 on newer IOS XE, not one per VLAN
- MSTI: Multiple Spanning Tree Instance
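The three region parameters above are compared on the wire: an MST BPDU carries the region name, the revision and a digest of the VLAN-to-instance table, and a neighbour whose values differ is treated as a different region, with all the path-selection surprises that brings. The following Python script is an added example, not part of the chapter or of any vendor tool. It parses the `spanning-tree mst configuration` block out of running-configs (the sample configs are constructed to mirror this chapter's lab, not captured from a device), computes the 802.1Q digest over the VLAN-to-instance table, and reports which switches would actually share a region and which field splits the others off.

```python
"""Check MST region consistency from switch running-configs.

Added example, not from the chapter or a vendor tool. Region name, revision and
the VLAN-to-instance digest must all match or the switches form separate regions.
The digest is computed as IEEE 802.1Q specifies: HMAC-MD5 over the 4096-entry
VLAN-to-MSTI table (two octets per VLAN ID) with the fixed key below.
"""
import hashlib
import hmac
import re

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # fixed by 802.1Q


def expand_vlan_list(spec):
    """'10,30,50,70' or '100-199' -> set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_mst_config(running_config):
    """Pull name, revision and instance mappings out of the
    'spanning-tree mst configuration' block of an IOS running-config."""
    cfg = {"name": "", "revision": 0, "instances": {}}
    in_block = False
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "spanning-tree mst configuration":
            in_block = True
            continue
        if not in_block:
            continue
        if line in ("!", "exit", ""):
            break                      # end of the sub-mode block
        if m := re.match(r"name\s+(.+)$", line):
            cfg["name"] = m.group(1).strip()
        elif m := re.match(r"revision\s+(\d+)$", line):
            cfg["revision"] = int(m.group(1))
        elif m := re.match(r"instance\s+(\d+)\s+vlan\s+(\S+)$", line):
            inst = int(m.group(1))
            cfg["instances"].setdefault(inst, set()).update(expand_vlan_list(m.group(2)))
    return cfg


def mst_digest(instances):
    """Digest of the VLAN-to-instance table; unmapped VLANs belong to the IST (0)."""
    table = [0] * 4096
    for inst, vlans in instances.items():
        for vlan in vlans:
            table[vlan] = inst
    data = b"".join(entry.to_bytes(2, "big") for entry in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def region_id(cfg):
    return (cfg["name"], cfg["revision"], mst_digest(cfg["instances"]))


def region_report(configs):
    """Compare every switch against the first one and name the field that differs."""
    parsed = {sw: parse_mst_config(text) for sw, text in configs.items()}
    reference = region_id(next(iter(parsed.values())))
    report = {}
    for sw, cfg in parsed.items():
        rid = region_id(cfg)
        mismatch = [field for field, a, b in zip(("name", "revision", "digest"), reference, rid) if a != b]
        report[sw] = {"region": rid, "matches_reference": not mismatch, "mismatch": mismatch}
    return report


def sample_config(hostname, revision, inst2="20,40,60,80"):
    """Constructed running-config fragment mirroring the lab; not captured from a device."""
    return (f"hostname {hostname}\n!\nspanning-tree mode mst\n!\n"
            "spanning-tree mst configuration\n name ENTERPRISE-REGION\n"
            f" revision {revision}\n instance 1 vlan 10,30,50,70\n"
            f" instance 2 vlan {inst2}\n instance 3 vlan 100-199\n!\n")


SAMPLE_CONFIGS = {
    "core-sw1": sample_config("Core-SW1", 1),
    "core-sw2": sample_config("Core-SW2", 1),
    "access-sw1": sample_config("Access-SW1", 2),          # revision typo
    "dist-sw2": sample_config("Dist-SW2", 1, "20,40,60"),  # VLAN 80 left in the IST
}

if __name__ == "__main__":
    for sw, entry in region_report(SAMPLE_CONFIGS).items():
        name, rev, digest = entry["region"]
        status = "OK" if entry["matches_reference"] else "MISMATCH " + ",".join(entry["mismatch"])
        print(f"{sw:12} {name} rev {rev} digest 0x{digest}  {status}")
```

Two of the four constructed switches fall out of the region for the two classic reasons: a revision that was bumped on one switch only, and one VLAN missing from an instance list (which changes the digest even though the name and revision look right). As a sanity check of the digest routine itself, an empty mapping (every VLAN in instance 0) should reproduce the digest a factory-default Cisco switch prints in `show spanning-tree mst configuration digest`, 0xAC36177F50283CD4B83821D8AB26DE62.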
MST Lab Environment
# MST demonstration lab (containerlab topology)
# The lab name "mst" gives the default container names used later in this chapter, clab-mst-<node>.
name: mst
topology:
  nodes:
    # Core switches with MST
    core-sw1:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.10
      startup-config: |
        hostname Core-SW1
        !
        ! Enable MST globally
        spanning-tree mode mst
        !
        ! MST region: name, revision and VLAN mapping must be identical on every switch
        spanning-tree mst configuration
         name ENTERPRISE-REGION
         revision 1
         instance 1 vlan 10,30,50,70
         instance 2 vlan 20,40,60,80
         instance 3 vlan 100-199
        !
        ! MST instance priorities: root for the IST, instance 1 and instance 3
        spanning-tree mst 0 priority 4096
        spanning-tree mst 1 priority 4096
        spanning-tree mst 2 priority 8192
        spanning-tree mst 3 priority 4096
        !
        ! VLANs
        vlan 10,20,30,40,50,60,70,80
        vlan 100-199
        !
        ! Trunk interfaces to Core-SW2 and the distribution layer
        ! (no PortFast on switch-to-switch links; it would skip the listening/learning
        ! states on a port where a loop is possible)
        interface range GigabitEthernet1/0/1-4
         switchport mode trunk
         switchport trunk allowed vlan 10,20,30,40,50,60,70,80,100-199
         no shutdown
        !
    core-sw2:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.11
      startup-config: |
        hostname Core-SW2
        !
        spanning-tree mode mst
        !
        spanning-tree mst configuration
         name ENTERPRISE-REGION
         revision 1
         instance 1 vlan 10,30,50,70
         instance 2 vlan 20,40,60,80
         instance 3 vlan 100-199
        !
        ! MST instance priorities (root for instance 2, backup root for the rest)
        spanning-tree mst 0 priority 8192
        spanning-tree mst 1 priority 8192
        spanning-tree mst 2 priority 4096
        spanning-tree mst 3 priority 8192
        !
        vlan 10,20,30,40,50,60,70,80
        vlan 100-199
        !
        interface range GigabitEthernet1/0/1-4
         switchport mode trunk
         switchport trunk allowed vlan 10,20,30,40,50,60,70,80,100-199
         no shutdown
        !
    # Distribution switches
    dist-sw1:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.12
      startup-config: |
        hostname Dist-SW1
        !
        spanning-tree mode mst
        !
        spanning-tree mst configuration
         name ENTERPRISE-REGION
         revision 1
         instance 1 vlan 10,30,50,70
         instance 2 vlan 20,40,60,80
         instance 3 vlan 100-199
        !
        ! MST priorities: below the default, above the core, so the core always wins
        spanning-tree mst 0 priority 16384
        spanning-tree mst 1 priority 12288
        spanning-tree mst 2 priority 16384
        spanning-tree mst 3 priority 12288
        !
        vlan 10,20,30,40,50,60,70,80
        vlan 100-199
        !
        ! Uplink trunks
        interface range GigabitEthernet1/0/1-2
         switchport mode trunk
         switchport trunk allowed vlan 10,20,30,40,50,60,70,80,100-199
         no shutdown
        !
        ! Access ports
        interface range GigabitEthernet1/0/3-10
         switchport mode access
         switchport access vlan 10
         spanning-tree portfast
         spanning-tree bpduguard enable
         no shutdown
        !
    dist-sw2:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.13
      startup-config: |
        hostname Dist-SW2
        !
        spanning-tree mode mst
        !
        spanning-tree mst configuration
         name ENTERPRISE-REGION
         revision 1
         instance 1 vlan 10,30,50,70
         instance 2 vlan 20,40,60,80
         instance 3 vlan 100-199
        !
        spanning-tree mst 0 priority 16384
        spanning-tree mst 1 priority 16384
        spanning-tree mst 2 priority 12288
        spanning-tree mst 3 priority 16384
        !
        vlan 10,20,30,40,50,60,70,80
        vlan 100-199
        !
        interface range GigabitEthernet1/0/1-2
         switchport mode trunk
         switchport trunk allowed vlan 10,20,30,40,50,60,70,80,100-199
         no shutdown
        !
        interface range GigabitEthernet1/0/3-10
         switchport mode access
         switchport access vlan 20
         spanning-tree portfast
         spanning-tree bpduguard enable
         no shutdown
        !
    # Access switches
    access-sw1:
      kind: cisco_iosxe
      image: cisco/catalyst:latest
      mgmt-ipv4: 172.20.20.14
      startup-config: |
        hostname Access-SW1
        !
        spanning-tree mode mst
        !
        spanning-tree mst configuration
         name ENTERPRISE-REGION
         revision 1
         instance 1 vlan 10,30,50,70
         instance 2 vlan 20,40,60,80
         instance 3 vlan 100-199
        !
        ! Default bridge priority (32768): the access layer must never become root
        vlan 10,20,30,40
        !
        ! Uplink to distribution
        interface GigabitEthernet1/0/1
         switchport mode trunk
         switchport trunk allowed vlan 10,20,30,40
         no shutdown
        !
        ! Access ports with different VLANs
        interface range GigabitEthernet1/0/2-5
         switchport mode access
         switchport access vlan 10
         spanning-tree portfast
         spanning-tree bpduguard enable
         no shutdown
        !
        interface range GigabitEthernet1/0/6-9
         switchport mode access
         switchport access vlan 20
         spanning-tree portfast
         spanning-tree bpduguard enable
         no shutdown
        !
    # Test devices
    pc1:
      kind: linux
      image: alpine:latest
      exec:
        - ip addr add 192.168.10.10/24 dev eth1
    pc2:
      kind: linux
      image: alpine:latest
      exec:
        - ip addr add 192.168.20.10/24 dev eth1
  links:
    # Core interconnection
    - endpoints: ["core-sw1:eth1", "core-sw2:eth1"]
    - endpoints: ["core-sw1:eth2", "core-sw2:eth2"]
    # Core to distribution
    - endpoints: ["core-sw1:eth3", "dist-sw1:eth1"]
    - endpoints: ["core-sw1:eth4", "dist-sw2:eth1"]
    - endpoints: ["core-sw2:eth3", "dist-sw1:eth2"]
    - endpoints: ["core-sw2:eth4", "dist-sw2:eth2"]
    # Distribution to access
    - endpoints: ["dist-sw1:eth3", "access-sw1:eth1"]
    # End devices
    - endpoints: ["access-sw1:eth2", "pc1:eth1"]
    - endpoints: ["access-sw1:eth6", "pc2:eth1"]
MST Configuration
Basic MST Setup
# Deploy MST lab
containerlab deploy -t mst-advanced.yml
# Configure MST on Core-SW1
docker exec -it clab-mst-core-sw1 cli
configure terminal
! Enable MST mode
spanning-tree mode mst
! Configure MST region
spanning-tree mst configuration
name ENTERPRISE-REGION
revision 1
instance 1 vlan 10,30,50,70
instance 2 vlan 20,40,60,80
instance 3 vlan 100-199
exit
! Set MST priorities
spanning-tree mst 0 priority 4096
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
MST Verification
# Verify MST configuration
show spanning-tree mst configuration
show spanning-tree mst
show spanning-tree mst 1
show spanning-tree mst interface GigabitEthernet1/0/1
# Check MST region consistency
# Name, revision and digest must be identical on every switch that is meant to share the region
show spanning-tree mst configuration digest
Advanced STP Features
Rapid Spanning Tree Protocol (RSTP) Enhancements
Port Roles and States
# RSTP port roles
# Root Port: Best path to root bridge
# Designated Port: Forwarding port on segment
# Alternate Port: Backup path to root
# Backup Port: Backup designated port
# RSTP port states
# Discarding: Not forwarding, learning, or relaying
# Learning: Not forwarding but learning MAC addresses
# Forwarding: Fully operational
# Configure RSTP
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 4096
Edge Ports and Link Types
# Configure edge ports (PortFast equivalent)
interface range GigabitEthernet1/0/1-24
spanning-tree portfast
spanning-tree bpduguard enable
# Configure link types
# point-to-point (default on full-duplex ports): the RSTP proposal/agreement handshake
# runs and the port transitions rapidly
# shared (default on half-duplex ports): no handshake, the port falls back to
# timer-based transitions; only correct for hubs or other multi-access segments
interface GigabitEthernet1/0/1
spanning-tree link-type point-to-point
interface GigabitEthernet1/0/2
spanning-tree link-type shared
STP Optimization Features
Root Guard
Prevents a device behind the configured port from becoming the root bridge. If a superior BPDU arrives on the port, the port is moved to the root-inconsistent (blocking) state and returns to forwarding on its own once the superior BPDUs stop. Configure it only on designated ports that face away from the root (every port on the root bridge, downstream ports elsewhere); on a port that is or should become a root port it would block the legitimate path.
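To see exactly what root guard reacts to, it helps to look at the BPDU itself. The Python below is an added example, not code from the chapter or from Cisco: it encodes and decodes an 802.1D configuration BPDU, applies the standard superiority comparison, and models a designated port's decision with and without root guard. The MAC addresses and port numbers are made up for the lab. It shows why `priority 0` on the real root is not protection on its own: a rogue announcing priority 0 with a numerically lower MAC still has the better bridge ID and wins the election unless the port it arrives on has root guard.

```python
"""Configuration BPDU encode/decode and the 802.1D superiority comparison.

Added example, not from the chapter or any vendor code. Shows why a low root
priority alone does not protect the root bridge and what a root-guarded port
reacts to. MAC addresses and port numbers are constructed for the lab.
"""
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU: protocol id, version, type, flags, root id,
# root path cost, bridge id, port id, message age, max age, hello, forward delay
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")  # 35 bytes


def bridge_id(priority, mac, sys_id_ext=0):
    """802.1D-2004 bridge ID: 4-bit priority (multiples of 4096) | 12-bit system-ID
    extension (the VLAN in PVST+, the instance in MST), then the bridge MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= sys_id_ext <= 4095:
        raise ValueError("system-ID extension must fit in 12 bits")
    return struct.pack("!H", priority | sys_id_ext) + bytes.fromhex(mac.replace(":", "").replace(".", ""))


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    message_age: int = 0     # seconds here; on the wire every timer is in 1/256 s units
    max_age: int = 20
    hello_time: int = 2
    forward_delay: int = 15
    flags: int = 0

    def encode(self):
        return CONFIG_BPDU.pack(0x0000, 0, 0x00, self.flags, self.root_id,
                                self.root_path_cost, self.bridge_id, self.port_id,
                                self.message_age * 256, self.max_age * 256,
                                self.hello_time * 256, self.forward_delay * 256)

    @classmethod
    def decode(cls, data):
        (proto, _version, bpdu_type, flags, root, cost, bridge, port,
         age, max_age, hello, fwd) = CONFIG_BPDU.unpack(data[:CONFIG_BPDU.size])
        if proto != 0 or bpdu_type != 0:
            raise ValueError("not an STP configuration BPDU")
        return cls(root, cost, bridge, port, age // 256, max_age // 256,
                   hello // 256, fwd // 256, flags)

    def priority_vector(self):
        """Lower wins, compared field by field from the left (802.1D 17.6)."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)


def is_superior(candidate, current):
    return candidate.priority_vector() < current.priority_vector()


def root_guard_decision(received, port_bpdu, port_has_root_guard):
    """What a designated port does with a received BPDU, given the BPDU the port
    itself sends. A superior BPDU on a root-guarded port moves the port to
    root-inconsistent (blocking); on a plain port the sender simply becomes root."""
    if not is_superior(received, port_bpdu):
        return "ignore"                        # inferior BPDU, port stays designated
    return "root-inconsistent" if port_has_root_guard else "accept-new-root"


def fmt_bridge_id(bid):
    prio = int.from_bytes(bid[:2], "big")
    return f"{prio & 0xF000}.{prio & 0x0FFF}.{bid[2:].hex(':')}"


# Constructed scenario: Core-SW1 is root for VLAN 10 with priority 0.
CORE_SW1 = bridge_id(0, "00:1a:2b:00:00:01", sys_id_ext=10)
LEGIT_ROOT = ConfigBpdu(root_id=CORE_SW1, root_path_cost=0, bridge_id=CORE_SW1, port_id=0x8001)

# A rogue with the same priority but a lower MAC announces itself as root.
ROGUE = bridge_id(0, "00:00:00:00:00:01", sys_id_ext=10)
ROGUE_BPDU = ConfigBpdu(root_id=ROGUE, root_path_cost=0, bridge_id=ROGUE, port_id=0x8001)

if __name__ == "__main__":
    seen = ConfigBpdu.decode(ROGUE_BPDU.encode())   # round-trip through the wire format
    print("rogue root id:", fmt_bridge_id(seen.root_id), "superior:", is_superior(seen, LEGIT_ROOT))
    print("plain designated port:", root_guard_decision(seen, LEGIT_ROOT, False))
    print("root-guarded port:", root_guard_decision(seen, LEGIT_ROOT, True))
```

The same comparison explains the other half of the guidance: a rogue at priority 4096 is ignored by a priority-0 root whatever its MAC, so lowering the real root's priority narrows the attack to exact-priority ties, and root guard closes those.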
# Configure Root Guard
interface GigabitEthernet1/0/1
spanning-tree guard root
# Verify Root Guard
show spanning-tree interface GigabitEthernet1/0/1 detail
Loop Guard
Keeps a root or alternate port from becoming designated when BPDUs stop arriving. Without it, STP ages out the stored information and moves the port to forwarding, which creates a loop if the cause was a unidirectional link rather than a real topology change. With loop guard the port goes to the loop-inconsistent (blocking) state instead and recovers automatically when BPDUs resume.
# Configure Loop Guard globally
spanning-tree loopguard default
# Configure Loop Guard per interface
interface GigabitEthernet1/0/1
spanning-tree guard loop
# Verify Loop Guard
show spanning-tree interface GigabitEthernet1/0/1 detail
BPDU Guard
Err-disables a PortFast (edge) port the moment any BPDU arrives on it: a switch, a bridging host or a BPDU-injecting tool has been connected to a port that should only ever see end stations.
# Configure BPDU Guard globally
spanning-tree portfast bpduguard default
# Configure BPDU Guard per interface
interface GigabitEthernet1/0/1
spanning-tree portfast
spanning-tree bpduguard enable
# Automatic recovery from BPDU Guard err-disable (default is manual shut/no shut)
errdisable recovery cause bpduguard
errdisable recovery interval 300
# A port that keeps falling back into err-disable after each recovery is a signal to
# investigate what is plugged in, not a reason to shorten the interval
BPDU Filter
Stops a port from sending BPDUs and from acting on received ones. Treat the per-interface form as disabling spanning tree on that port: if a switch is ever connected there, nothing prevents a loop.
# Per-interface BPDU Filter: unconditional; only for a port that can never reach a switch
interface GigabitEthernet1/0/1
spanning-tree bpdufilter enable
# Global form, much safer: applies only to PortFast ports, still sends a few BPDUs at
# link-up, and if a BPDU is ever received the port drops PortFast and filtering and
# runs normal STP
spanning-tree portfast bpdufilter default
Unidirectional Link Detection (UDLD)
UDLD detects and disables unidirectional links that can cause spanning tree loops.
# Enable UDLD globally (the global commands apply to fiber-optic ports only; pick one mode)
udld enable
# or, to err-disable the port when the neighbor stops answering:
udld aggressive
# Copper ports must be enabled per interface
interface GigabitEthernet1/0/1
udld port aggressive
# Verify UDLD
show udld
show udld interface GigabitEthernet1/0/1
STP Security Features
STP Attack Mitigation
BPDU Attack Protection
# Protect against BPDU attacks (a host injecting BPDUs on an access port)
spanning-tree portfast bpduguard default
spanning-tree loopguard default
# Storm control limits data-plane broadcast and multicast floods; it does not rate-limit
# BPDUs, which are punted to the CPU. BPDU Guard is the BPDU defense; storm control only
# bounds the damage if a loop does form. 50% is generous; size the level to the port's
# normal traffic.
interface GigabitEthernet1/0/1
storm-control broadcast level 50.00
storm-control multicast level 50.00
storm-control action shutdown
Root Bridge Protection
# Pin the root bridge role on the intended primary root (use one form or the other:
# "root primary" picks a priority below the current root, 24576 or lower; priority 0
# is the lowest value possible)
spanning-tree vlan 1-4094 root primary
spanning-tree vlan 1-4094 priority 0
# Monitor root bridge changes
spanning-tree logging
# On the designated backup root (a different switch, not the primary)
spanning-tree vlan 1-4094 root secondary
# Priority alone is not protection: a rogue with the same priority and a lower MAC
# still wins. Pair it with root guard on every designated port facing a non-root switch.
STP Hardening Configuration
# Comprehensive STP security configuration (template for the intended root bridge)
! Global settings
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
! Do not add "spanning-tree portfast bpdufilter default" alongside BPDU Guard: a BPDU
! received on a filtered PortFast port makes the port drop PortFast and run normal STP
! instead of being err-disabled, so the guard never fires
spanning-tree loopguard default
! Global UDLD covers fiber ports only; copper ports get it per interface below
udld aggressive
! Root bridge security
spanning-tree vlan 1-4094 priority 0
spanning-tree logging
! Interface security template (edge ports)
interface range GigabitEthernet1/0/1-24
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
udld port aggressive
storm-control broadcast level 50.00
storm-control action shutdown
! Trunk interface security: root guard belongs on designated ports facing downstream
! switches (all ports on the root bridge); on a non-root switch never put it on the
! uplink that is, or should become, the root port, or that uplink will be blocked
interface range GigabitEthernet1/0/25-28
switchport mode trunk
spanning-tree guard root
udld port aggressive
Advanced STP Troubleshooting
Common STP Issues
Topology Changes
# Monitor topology changes (the counters only appear in the detail output)
show spanning-tree vlan 1 detail | include changes|occurred|from
show spanning-tree detail | include executing|occurred|from
show spanning-tree summary totals
# Debug topology changes (use carefully: on a busy switch these can flood the console)
debug spanning-tree events
debug spanning-tree root
debug spanning-tree topology
Convergence Issues
# Analyze convergence problems
show spanning-tree interface GigabitEthernet1/0/1 detail
show spanning-tree vlan 1 detail
show spanning-tree blockedports
# Check for inconsistent port states
show spanning-tree inconsistentports
show spanning-tree interface GigabitEthernet1/0/1 portfast
MST Troubleshooting
# MST-specific troubleshooting
show spanning-tree mst configuration
show spanning-tree mst configuration digest
show spanning-tree mst 1 detail
# Check MST region consistency
show spanning-tree mst interface GigabitEthernet1/0/1 detail
show spanning-tree mst 1 interface GigabitEthernet1/0/1
STP Diagnostic Commands
# Essential STP show commands
show spanning-tree
show spanning-tree summary
show spanning-tree vlan 1
show spanning-tree interface GigabitEthernet1/0/1
show spanning-tree root
show spanning-tree bridge
# Advanced diagnostics
show spanning-tree pathcost method
# UplinkFast and BackboneFast are legacy PVST+ features; in rapid-pvst or mst mode
# these report the feature as inactive
show spanning-tree uplinkfast
show spanning-tree backbonefast
show errdisable recovery
show udld
STP Performance Optimization
Convergence Optimization
Timer Tuning
# Optimize STP timers (use carefully). Timers are distributed from the root bridge, so
# set them there. Keep the 802.1D relationships: max-age >= 2 x (hello + 1) and
# forward-delay >= max-age/2 + 1; hello 1, forward 4 and max-age 6 are the minimum
# values IOS accepts. In Rapid PVST+ and MST the proposal/agreement handshake, not these
# timers, drives convergence on point-to-point links; aggressive timers mainly matter on
# shared links and towards legacy STP neighbours, and raise the chance of false topology
# changes when a switch is under load.
spanning-tree vlan 1-4094 hello-time 1
spanning-tree vlan 1-4094 forward-time 4
spanning-tree vlan 1-4094 max-age 6
# MST timer optimization (inside a region MST also bounds BPDU propagation with max-hops, default 20)
spanning-tree mst hello-time 1
spanning-tree mst forward-time 4
spanning-tree mst max-age 6
UplinkFast and BackboneFast
# UplinkFast and BackboneFast are legacy PVST+ optimizations. RSTP (rapid-pvst and mst
# modes) builds their behaviour in, and the commands have no effect in those modes.
# Configure UplinkFast (access layer, PVST+ mode only)
spanning-tree uplinkfast
# Configure BackboneFast (all switches, PVST+ mode only)
spanning-tree backbonefast
# Verify optimization features
show spanning-tree uplinkfast
show spanning-tree backbonefast
Load Balancing with MST
# Optimize MST load balancing: in mst mode priorities are set per instance, and each
# instance should root on a different switch
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
# The Rapid PVST+ equivalent is per VLAN (ignored while the switch runs mst mode)
spanning-tree vlan 10,30,50 priority 4096
spanning-tree vlan 20,40,60 priority 8192
# Verify load balancing: the two instances should report different roots
show spanning-tree mst 1 | include Root
show spanning-tree mst 2 | include Root
STP Design Best Practices
Hierarchical STP Design
# Core layer configuration
spanning-tree mode mst
spanning-tree mst 0 priority 0
spanning-tree mst 1 priority 0
spanning-tree mst 2 priority 4096
# Distribution layer configuration
spanning-tree mode mst
spanning-tree mst 0 priority 4096
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0
# Access layer configuration (leave the bridge priority at the default so it can never win)
spanning-tree mode mst
spanning-tree portfast default
spanning-tree portfast bpduguard default
# Newer IOS XE names these "spanning-tree portfast edge default" and
# "spanning-tree portfast edge bpduguard default"
STP Scalability Guidelines
- Use MST: Reduce spanning tree instances
- Proper Root Placement: Place root bridges in core
- Load Balancing: Distribute traffic across links
- Security Features: Enable protection mechanisms
- Monitoring: Implement comprehensive monitoring
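Monitoring is only worth the name if the log lines are turned into decisions. The script below is an added example, not from the chapter: it scans IOS syslog for the messages produced by the protection features configured in this chapter and turns them into findings a SOC could act on, including the one that matters most, a root change to a bridge that was never part of the design. The log lines are constructed; the wording follows the IOS mnemonics (SPANTREE-2-BLOCK_BPDUGUARD, SPANTREE-2-ROOTGUARD_BLOCK, SPANTREE-2-LOOPGUARD_BLOCK, SPANTREE-5-ROOTCHANGE, UDLD-4-UDLD_PORT_DISABLED) but should be checked against the exact text your platform prints, and the list of expected root MACs is an assumption that would come from the network design.

```python
"""Flag STP security events in IOS syslog. Added example, not from the chapter.

The message formats follow the IOS mnemonics; the sample lines are constructed,
so check the exact wording against your platform before relying on the regexes.
"""
import re
from collections import Counter

IF_ABBREV = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}

PATTERNS = [
    ("bpduguard", re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+)")),
    ("rootguard", re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (?P<port>\S+) on (?P<instance>[^.\s]+)")),
    ("loopguard", re.compile(r"%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port (?P<port>\S+) on (?P<instance>[^.\s]+)")),
    ("rootchange", re.compile(r"%SPANTREE-5-ROOTCHANGE: Root Changed for (?P<instance>[^:]+): "
                              r"New Root Port is (?P<port>\S+?)\. New Root Mac Address is (?P<mac>\S+)")),
    ("udld", re.compile(r"%UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface (?P<port>\S+)")),
]


def norm_if(name):
    """'GigabitEthernet1/0/7' and 'Gi1/0/7,' both become 'Gi1/0/7'."""
    name = name.rstrip(".,:")
    for long, short in IF_ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_events(lines):
    events = []
    for line in lines:
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def analyze(log_text, expected_root_macs, flap_threshold=3):
    """Return findings. expected_root_macs: MACs of the switches designed to be root
    (for any instance or VLAN); a root change to any other MAC is treated as a takeover."""
    expected = {m.lower() for m in expected_root_macs}
    guard_trips = Counter()
    findings = []
    for kind, f in parse_events(log_text.splitlines()):
        port = norm_if(f["port"])
        if kind == "bpduguard":
            guard_trips[port] += 1          # summarised below, one trip is routine
        elif kind == "rootguard":
            findings.append({"severity": "high", "port": port,
                             "reason": f"superior BPDU received on root-guarded port ({f['instance']})"})
        elif kind == "loopguard":
            findings.append({"severity": "medium", "port": port,
                             "reason": f"BPDUs stopped on {f['instance']}, possible unidirectional link"})
        elif kind == "rootchange" and f["mac"].lower() not in expected:
            findings.append({"severity": "critical", "port": port,
                             "reason": f"{f['instance']} root moved to unplanned bridge {f['mac']}"})
        elif kind == "udld":
            findings.append({"severity": "medium", "port": port,
                             "reason": "UDLD err-disabled the port, unidirectional link"})
    for port, n in guard_trips.items():
        if n >= flap_threshold:
            findings.append({"severity": "high", "port": port,
                             "reason": f"BPDU Guard tripped {n} times; a BPDU source keeps returning after errdisable recovery"})
    return findings


# Constructed syslog excerpt (not captured from a device); Gi1/0/7 is an access port
# with errdisable recovery enabled, Gi1/0/3 a root-guarded downstream trunk.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:00:01.125: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 10:05:02.001: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7
Mar  1 10:05:03.301: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:10:04.510: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:12:00.000: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/3 on MST0.
Mar  1 10:20:00.000: %SPANTREE-5-ROOTCHANGE: Root Changed for MST1: New Root Port is GigabitEthernet1/0/2. New Root Mac Address is 0000.0000.0001
Mar  1 10:30:00.000: %UDLD-4-UDLD_PORT_DISABLED: UDLD disabled interface Gi1/0/1, unidirectional link detected
"""

# Assumed design: only the two core switches may ever be root (constructed MACs).
EXPECTED_ROOT_MACS = {"001a.2b00.0001", "001a.2b00.0002"}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, EXPECTED_ROOT_MACS):
        print(f"[{finding['severity']:8}] {finding['port']:10} {finding['reason']}")
```

The root-change check is the one most worth keeping: BPDU Guard and root guard only report on ports where they were configured, whereas a root change logged on a core switch tells you the election was lost somewhere you did not protect.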
STP Monitoring and Maintenance
# STP monitoring script. IOS show commands cannot run inside bash, so each one is sent
# to the switch over SSH from the lab host. The container name and the login user are
# assumptions for this lab; adjust them to your environment.
#!/bin/bash
set -u
SWITCH="${1:-clab-mst-core-sw1}"
SWUSER="${SWUSER:-admin}"

run() {
    ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new "$SWUSER@$SWITCH" "$1"
}

echo "=== STP Status Report for $SWITCH ==="
echo "Root Bridge Status:"
run "show spanning-tree root"
echo "Topology Changes:"
run "show spanning-tree detail | include executing|occurred|from"
echo "Blocked Ports:"
run "show spanning-tree blockedports"
echo "Inconsistent Ports (root guard / loop guard):"
run "show spanning-tree inconsistentports"
echo "Error Disabled Ports:"
run "show interfaces status | include err-disabled"
echo "UDLD Status:"
run "show udld | include Port"
Testing STP Scenarios
Failure Simulation
# Simulate link failure
interface GigabitEthernet1/0/1
shutdown
# Monitor convergence
show spanning-tree vlan 1 | include Root
show spanning-tree interface GigabitEthernet1/0/2 detail
# Restore link
interface GigabitEthernet1/0/1
no shutdown
Load Testing
# Generate traffic for the load-balancing test
# Caveat: as deployed, pc1 (VLAN 10) and pc2 (VLAN 20) hang off the same access switch
# with no router between them, so a cross-VLAN ping fails, and even an intra-VLAN ping
# between them would be switched locally without touching the core links. To exercise
# the core, attach a second host in VLAN 10 on another switch (for example a Dist-SW2
# access port changed to "switchport access vlan 10") at 192.168.10.20/24; VLAN 10
# follows instance 1 and roots on Core-SW1. Repeat in VLAN 20 to watch instance 2 take
# the Core-SW2 side.
docker exec -it clab-mst-pc1 sh
ping 192.168.10.20 &
# Monitor traffic distribution on the core uplinks
docker exec -it clab-mst-core-sw1 cli
show interfaces GigabitEthernet1/0/1 | include rate
show interfaces GigabitEthernet1/0/2 | include rate
Summary
Advanced STP features and MST provide the foundation for resilient and efficient Layer 2 networks. Understanding MST configuration, STP security features, and optimization techniques is essential for designing scalable enterprise networks with proper loop prevention and load balancing.
Key concepts covered:
- Multiple Spanning Tree (MST) protocol configuration
- Advanced STP features (Root Guard, Loop Guard, BPDU Guard)
- STP security and attack mitigation
- Performance optimization and convergence tuning
- Troubleshooting complex spanning tree scenarios
In the next chapter, we’ll explore advanced VLAN features including Private VLANs and VTP configuration.
Review Questions
- What are the benefits of MST over PVST+?
- How do Root Guard and Loop Guard protect STP topology?
- What is the purpose of BPDU Guard and BPDU Filter?
- How do you optimize STP convergence time?
- What are best practices for STP security hardening?
Hands-on Exercises
Exercise 1: MST Configuration
- Deploy the MST lab topology
- Configure MST regions and instances
- Implement load balancing across instances
- Verify MST operation and convergence
Exercise 2: STP Security Implementation
- Configure Root Guard and Loop Guard
- Implement BPDU Guard on access ports
- Enable UDLD for unidirectional link detection
- Test security features with attack simulations
Exercise 3: STP Optimization
- Tune STP timers for faster convergence
- Configure UplinkFast and BackboneFast
- Implement proper root bridge placement
- Monitor and verify optimization results
Exercise 4: Advanced STP Troubleshooting
- Create complex STP problems and failures
- Practice diagnostic commands and procedures
- Analyze topology changes and convergence
- Develop systematic troubleshooting approaches