Networking 101: Understanding Spanning Tree - Page 2
The spanning tree protocol ensures that sensible redundancy in your network doesn't turn into loops run amok. Here's how it works.
Hopefully the picture is clear enough at this point. We understand that enabling spanning tree will allow us to connect two bridges together via multiple links without creating a loop. If a bridge in between dies, we can just fail over and use the other link. This works because although the active switch has been blocking its alternative link, it has been listening silently to BPDU updates and still knows which links lead to the root. That is, if you've configured it properly. Remember VLAN trunks? What would happen if one of the physical links happened to be a VLAN trunk? If we only had one spanning tree instance running, it would probably find that one of the VLANs on the trunk shouldn't use this link. Its only option is to block the entire link, for every VLAN it carries.
Enter per-VLAN spanning trees (PVST). When enabled, a bridge runs one spanning tree instance per VLAN. If a trunk link carries VLANs 1, 2, and 3, the bridge can decide that VLANs 1 and 2 should not take that path, but still allow VLAN 3 to use it. In complex networks there are many situations where VLAN 3 has only one way out, probably because the admin wanted to limit where VLAN 3 reached. If we weren't using PVST and the trunk port was blocked by spanning tree, VLAN 3 on this bridge would have no connectivity with the rest of its LAN. Everyone should use PVST.
Finally, don't forget that any port that sends a BPDU can cause a network outage. This includes a computer running ettercap or other nefarious applications. Be sure to enable something akin to Cisco's BPDU Guard on all host ports: rather than merely filtering BPDUs, it shuts the port down (errdisable) the moment one arrives, which is exactly what you want on a port that should never face another bridge. Not only can stray BPDUs cause spanning tree recalculations, but a computer can also stuff the ballot and win an election. You really don't want to discover that your spanning tree root is JoeBob's computer. It's really easy to pull off man-in-the-middle attacks when all traffic is flowing through you already!
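To make the two decisions above concrete (how a per-VLAN instance can block a trunk for VLANs 1 and 2 while VLAN 3 keeps using it, and what BPDU Guard does with a BPDU that shows up on a host port), here is an added Python model. It is not code from the article or from any vendor; the bridge IDs, MAC addresses, port costs and the small three-bridge topology are constructed sample values, and the guard behaviour imitates Cisco's errdisable action. The election and port-role rules follow 802.1D ordering: lowest root ID, then lowest root path cost, then lowest sender ID.

```python
"""Toy per-VLAN spanning tree model: root election, port roles and BPDU Guard.

Added example, not the article's own code. All IDs, costs and MACs are
constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # lower wins; 32768 is the usual default
    mac: str        # tie-breaker (constructed values, compared as strings)


@dataclass(frozen=True)
class Bpdu:
    vlan: int            # PVST: one instance per VLAN; 0 = the single shared instance
    root_id: BridgeId
    root_path_cost: int  # sender's own cost to the root
    sender_id: BridgeId


@dataclass
class Port:
    name: str
    vlans: frozenset          # VLANs carried (one entry for an access port)
    path_cost: int = 4
    bpdu_guard: bool = False  # host port: any BPDU disables the port
    errdisabled: bool = False
    received: dict = field(default_factory=dict)  # instance -> best Bpdu heard


class Bridge:
    def __init__(self, bridge_id, ports, pvst=True):
        self.id = bridge_id
        self.ports = {p.name: p for p in ports}
        self.pvst = pvst   # False: one instance decides every VLAN on a link

    def _instance(self, vlan):
        return vlan if self.pvst else 0

    def receive(self, port_name, bpdu):
        """Process a BPDU arriving on a port; return what happened to it."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "dropped"
        if port.bpdu_guard:
            port.errdisabled = True   # mimic errdisable: the port goes down
            return "errdisabled"
        if self.pvst and bpdu.vlan not in port.vlans:
            return "ignored"
        inst = self._instance(bpdu.vlan)
        key = (bpdu.root_id, bpdu.root_path_cost, bpdu.sender_id)
        cur = port.received.get(inst)
        if cur is None or key < (cur.root_id, cur.root_path_cost, cur.sender_id):
            port.received[inst] = bpdu
        return "accepted"

    def _best(self, inst):
        """Best (root, cost-through-port, sender, port) heard for an instance."""
        cands = [(b.root_id, b.root_path_cost + p.path_cost, b.sender_id, p.name)
                 for p in self.ports.values() if not p.errdisabled
                 for i, b in p.received.items() if i == inst]
        return min(cands) if cands else None

    def root(self, vlan):
        best = self._best(self._instance(vlan))
        return self.id if best is None or self.id < best[0] else best[0]

    def port_state(self, port_name, vlan):
        """'forwarding' (root or designated port) or 'blocking' (alternate)."""
        port = self.ports[port_name]
        if port.errdisabled:
            return "errdisabled"
        if vlan not in port.vlans:
            return "not carried"
        inst = self._instance(vlan)
        best = self._best(inst)
        if best is None or self.id < best[0]:
            return "forwarding"          # we are the root: every port is designated
        root_id, my_cost, _, root_port = best
        if port_name == root_port:
            return "forwarding"
        heard = port.received.get(inst)
        if heard is None:
            return "forwarding"          # nothing heard here: we are designated
        mine = (root_id, my_cost, self.id)
        theirs = (heard.root_id, heard.root_path_cost, heard.sender_id)
        return "forwarding" if mine < theirs else "blocking"


def scenario(pvst):
    """Constructed topology: root R one hop away on port A; neighbour N across trunk T."""
    R = BridgeId(4096, "00:00:00:00:00:0a")   # legitimate root of VLANs 1 and 2
    N = BridgeId(32768, "00:00:00:00:00:0b")  # neighbour across the trunk, root of VLAN 3
    me = BridgeId(32768, "00:00:00:00:00:0c")
    br = Bridge(me, [Port("A", frozenset({1, 2})),
                     Port("T", frozenset({1, 2, 3})),
                     Port("H", frozenset({1}), bpdu_guard=True)], pvst=pvst)
    if pvst:
        for v in (1, 2):
            br.receive("A", Bpdu(v, R, 0, R))   # the root itself, cost 0
            br.receive("T", Bpdu(v, R, 4, N))   # N also reaches R, at cost 4
        br.receive("T", Bpdu(3, N, 0, N))       # VLAN 3 exists only beyond T
    else:                                       # one untagged instance for everything
        br.receive("A", Bpdu(0, R, 0, R))
        br.receive("T", Bpdu(0, R, 4, N))
    return br


def host_port_demo(guard):
    """A host on access port H sends a BPDU claiming priority 0 (constructed)."""
    br = scenario(pvst=True)
    br.ports["H"].bpdu_guard = guard
    rogue = BridgeId(0, "de:ad:be:ef:00:01")
    result = br.receive("H", Bpdu(1, rogue, 0, rogue))
    return result, br.root(1)
```

With `scenario(True)`, port T is blocking for VLAN 1 (N's BPDU beats ours on the sender-ID tie-break) yet forwarding for VLAN 3, where T is the root port; with `scenario(False)` the single instance blocks T outright, and `port_state("T", 3)` reports VLAN 3 cut off on its only link. `host_port_demo(True)` returns `("errdisabled", R)`: the port is shut and the root is unchanged, whereas `host_port_demo(False)` returns `"accepted"` and a root with priority 0, which is the JoeBob outcome the article warns about.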
There are a few unmentioned types of BPDU messages and other details about the spanning tree protocol to learn. The details get a little bit complex, but they should be easy to understand now that you know the big picture. If you want a redundant, yet loop-free layer 2, time spent learning these details will pay off in the long run.
In a Nutshell
- Spanning Tree provides a means to control loops in such a way that you can have an Ethernet network that will "fail over" in the case of failed links.
- The root bridge in a spanning tree is the logical center, and sees all traffic on a network; set its priority explicitly rather than relying on the default election to choose which bridge becomes the root.
- Spanning tree recalculations are a pain: configure host-connected ports properly (so they can't cause a recalculation), and use RSTP.