All of us have worked with, or at least heard about, STP (Spanning Tree Protocol). The reason I call this recipe Analyzing Spanning Tree Protocols is because there are three major versions of it as follows:
There are also some proprietary versions from Cisco and other vendors. In this recipe we will focus on the standard versions, and learn how to troubleshoot problems that might occur during STP/RSTP/MST operations.
The best way to find out STP problems is to log in to the LAN switches and use the vendor's commands (for example, Cisco IOS or Juniper JUNOS CLI) to find and fix the problem. If you have properly configured SNMP on your network device, you will get all the messages on the management console.
The purpose of this recipe is to see how to use Wireshark for this purpose, even though we still recommend to use it as a second line tool for this purpose.
So just open your laptop, start Wireshark, and start capturing data on the LAN.
There are several things to notice in a network regarding STP:
Wireshark will provide you with the version of the STP type (STP, RSTP, or MST) running on the network by looking at the Bridge Protocol Data Units (BPDUs). BPDUs are the update frames that are multicast between switches.
The protocol versions are:
When you monitor STP operations, you may be concerned when you see many topology changes. Topology changes are normal in STP, but too many of them can have an impact on network performances.
A topology change happens when a new device is connected to the network. You can see a topology change in the following screenshot:
When you see too many topology changes, configure the LAN switch ports that are connected to hosts, which do not support STP, (typically, end stations that users frequently power on and off) with the portfast feature (applied for Cisco switches; for other vendors, check the vendor's manual).
In the old STP (IEEE 802.1d), after connecting a device to a switch port, it takes the switch around a minute to start and forward packets. This can be a problem when a client tries to log in to the network servers during this period of time. The portfast feature forces the port to start forwarding within a few seconds (usually 8 to 10), in order to prevent these kinds of problems.
If topology changes continue, check what can be the problem and who is causing it.
Spanning Tree Protocol prevents a loop in the local area networks. A loop can happen if you connect two or more switches with multiple connections as shown in the following figure:
Let's see how a loop is created:
The Spanning Tree Protocol prevents this from happening by simply building a tree topology, that is, by defining a loop-free topology. Links are disconnected and brought back to service in the case of a failure.
In the following figure, we see how we initially connect all switches with multiple connections between them, and how STP creates the tree:
BPDUs are update frames that are sent by multicast between the LAN switches.
First, on the Ethernet level as we see in the following screenshot, the packet will be multicast from the source MAC of the switch sending the update:
The BPDU is carried by Ethernet 802.3 frame has the format as shown in the next diagram:
In the following table, you can see the fields in the STP frame:
Note that in the case of MST, an additional header will be added for the MST parameters.
In STP, the port states are as follows:
The moment you connect a device to the LAN switch, the port goes through these stages and the time it takes is as follows:
In RSTP and MST, the port states are as follows:
The entire port state transition from Discarding to Forwarding should take a few seconds, depending on the network topology and complexity.
For Spanning Tree debugging, the best thing is to get the data from a direct connection to the LAN switches. A well-configured SNMP trap to a management system can also assist in this task.
Some examples of STP packets are as follows:
3.15.177.135