Optional Spanning Tree Features

PortFast:

Enabled only on edge ports and once it is enabled and if the port receives an electric signal immediately transitions to Forwarding state.

BPDUGuard:

If enabled along with Portfast and if the port receives BPDU port will be moved to err-disabled state.

Uplink Fast:

In this section, refer to the previous diagram, which uses a minimal backbone. The behavior of the STP is inspected in the event of uplink failure. Each step is followed with a diagram.

D1 and D2 are core switches. D1 is configured as the root bridge of the network. A is an access switch with one of its uplinks in blocking mode

1. Assume that the primary uplink from A to D1 fails.
   
2. Port P1 goes down immediately and switch A declares its uplink to D1 as down.
   Switch A considers its link to D2, which still receives BPDUs from the root, as an alternate root port. Bridge A can start to transition port P2 from the blocking state to the forwarding state. In order to achieve this, it has to go through the listening and learning stages. Each of these stages last forward_delay (15 seconds by default), and holds port P2 blocking for 30 seconds.
3. Once port P2 reaches the forwarding state, the network connectivity is re-established for hosts attached to switch A.
   The network outage lasted 30 seconds.
   
   The minimum value allowed for the forward_delay timer is seven seconds. Tuning the STP parameters can lead to a recovery time of 14 seconds. This is still a noticeable delay for a user, and this kind of tuning should be done with caution. This section of this document shows how UplinkFast dramatically reduces the downtime.

Backbone Fast:

This scenario is based on the first example, but, this time with backbone fast enabled on the three switches.

1. If link L1 goes down, switch B immediately detects the failure and assumes it is the root. It starts to send BPDUs to S and claims to be the new root.
2. As soon as S receives the inferior BPDU from B, it starts to reconfirm its non-designated ports instead of waiting max_age. It sends a RLQ query on its root port for root bridge R.
3. Root bridge R receives the query and immediately answers with a RLQ response that specifies there is still a root R in that direction.
4. S has now checked all its non-designated ports, and it still has connectivity to the root. It can then age out immediately the information stored on port P. P transitions to listening and starts to send BPDUs. At that stage, you have already saved max_age seconds, and the standard Spanning-Tree Algorithm (STA) applies then.
5. B receives the better BPDU from S (R better root than B) and considers now the ports that lead to L3 as its root port.

Root Guard:

The Root Guard feature can be enabled on all switch ports in the network off of which the root bridge should not appear (that is, every port that is not a root port , the port on each switch that is considered to be closest to the root

bridge). If a port configured for Root Guard receives a superior BPDU, instead of believing the BPDU, the port goes into a root-inconsistent state. While a port is in the root-inconsistent state, no user data is sent across it. However, after the superior BPDUs stop, the port returns to the forwarding state.

LACP

http://www.9tut.com/etherchannel-tutorial#more-2039

Dynamic Trunking Protocol

Dynamic Trunk Protocol (DTP) to dynamically learn whether the

device on the other end of the cable wants to perform trunking and, if so, which trunking

protocol to use.

1. dynamic auto: The port will negotiate the mode automatically; however, it prefers to be an access port.
2. dynamic desirable: The port will negotiate the mode automatically; however, it prefers to be a trunk port.

Dynamic Auto	Creates the trunk based on the DTP request from the neighboring switch.
Dynamic Desirable	Communicates to the neighboring switch via DTP that the interface would like to become a trunk if the neighboring switch interface is able to become a trunk.
Trunk	Automatically enables trunking regardless of the state of the neighboring switch and regardless of any DTP requests sent from the neighboring switch.
Access	Trunking is not allowed on this port regardless of the state of the neighboring switch interface and regardless of any DTP requests sent from the neighboring switch.
Nonegotiate	Prevents the interface from generating DTP frames. This command can be used only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Trunk + Trunk = Trunk

Trunk + Des = Trunk

Trunk + Auto = Trunk

Des + Des = Trunk

Des + Auto = Trunk

Auto + Auto = No Trunk

Any + Access = No Trunk

Default on swtich ports is Auto.

Preferred dynamic desirable and if both ports are dynamic but one is configured as auto and the other as desirable, the resulting operating mode will be trunk.

DTP also negotiates the type of encapsulation on the trunk should either of the two devices support both ISL and 802.1Q.If both devices support both trunk types, they will choose ISL. Should the DTP negotiation fail, any port in dynamic mode, either desirable or auto, will be operating as an access port

Catalyst 2950 and 3550 models default to dynamic desirable mode

Catalyst 2960, 3560 or 3750, default to dynamic auto mode.

While DTP and VTP are independent protocols, DTP carries the VTP domain name in its messages

Example:

! The administrative mode of dynamic desirable (trunking) and negotiate (trunking

! encapsulation) means that Switch1 attempted to negotiate to trunk, but the

! operational mode of static access means that trunking negotiation failed.

! The reference to "operational trunking encapsulation" of native means that

! no tagging occurs.

Switch1# show int fa 0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative Mode: dynamic desirable

Operational Mode: static access

Administrative Trunking Encapsulation: negotiate

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

++++++++++++++++++++++++++++++++++++++++++++++++++++++

! Next, the show int gig 0/1 trunk command shows the configured mode

! (desirable), and the current status (n-isl), meaning negotiated ISL. Note

! that the trunk supports the extended VLAN range as well.

Switch1# show int gig 0/1 trunk

Port      Mode    Encapsulation    Status         Native vlan

Gi0/1 desirable      n-isl              trunking            1

++++++++++++++++++++++++++++++++++++++++++++++++++++++

! The TOS/TAS/TNS stand for Trunk Operating/Administrative/Negotiation Status

! The TOT/TAT/TNT stand for Trunk Operating/Administrative/Negotiation Type

! In the following output, Fa0/12 is configured as dynamic desirable

SW1# show dtp interface fa0/12

DTP information for FastEthernet0/12:

TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK

TOT/TAT/TNT: ISL/NEGOTIATE/ISL

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Without any configuration, the default port settings on recent Catalyst switch

series such as 2960, 3560, 3750, 3650, and 3850 are as follows: mode set to dynamic auto,

native VLAN set to 1, access VLAN set to 1, trunk encapsulation set to auto (if both ISL

and dot1q supported) or dot1q, all VLANs allowed, and VLANs 2–1001 eligible for pruning.

On older 2950 and 3550 models, the default mode was dynamic desirable.

Private VLAN

http://blog.ine.com/tag/promiscuous/

1. Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
2. Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
3. Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

Example

! If not running VTPv3, a switch must be put into VTP Transparent mode before

! configuring Private VLANs

AccessSw(config)# vtp mode transparent

Setting device to VTP Transparent mode for VLANS.

! One isolated secondary VLAN and three community secondary VLANs will now be

! created. Afterwards, they will be associated with the primary VLAN 100.

AccessSw(config)# vlan 199

AccessSw(config-vlan)# name Isolated

AccessSw(config-vlan)# private-vlan isolated

AccessSw(config-vlan)# vlan 101

AccessSw(config-vlan)# name Community1

AccessSw(config-vlan)# private-vlan community

AccessSw(config-vlan)# vlan 102

AccessSw(config-vlan)# name Community2

AccessSw(config-vlan)# private-vlan community

AccessSw(config-vlan)# vlan 103

AccessSw(config-vlan)# name Community3

AccessSw(config-vlan)# private-vlan community

AccessSw(config-vlan)# vlan 100

AccessSw(config-vlan)# name Primary1

AccessSw(config-vlan)# private-vlan primary

AccessSw(config-vlan)# private-vlan association 101-103,199

AccessSw(config-vlan)# exit

AccessSw(config)# do show vlan private-vlan

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

100 101 community

100 102 community

100 103 community

100 199 isolated

! Now, ports will be assigned to these VLANs:

! Fa0/1 - 3: Secondary community VLAN 101

! Fa0/4 - 5: Secondary community VLAN 102

! Fa0/6 - 8: Secondary community VLAN 103

! Fa0/9 - 12: Secondary isolated VLAN 199

! Fa0/13: Promiscuous port in primary VLAN 100

! For brevity purposes, only the configuration of Fa0/1 - 3 will be shown, as all

! other ports in secondary VLANs, isolated or community, are configured similarly

! Afterwards, show vlan private-vlan is issued to verify the port assignment.

! As Fa0/13 is a promiscuous port, it will be shown in all associated secondary

! VLANs

AccessSw(config)# interface range fa0/1 - 3

AccessSw(config-if-range)# switchport mode private-vlan host

AccessSw(config-if-range)# switchport private-vlan host-association 100 101

AccessSw(config-if-range)# interface fa0/13

AccessSw(config-if)# switchport mode private-vlan promiscuous

AccessSw(config-if)# switchport private-vlan mapping 100 101-103,199

AccessSw(config-if)# do show vlan private-vlan

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

100 101 community Fa0/1, Fa0/2, Fa0/3, Fa0/13

100 102 community Fa0/4, Fa0/5, Fa0/13

100 103 community Fa0/6, Fa0/7, Fa0/8, Fa0/13

100 199 isolated Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13

! If a SVI is used as a gateway for devices associated with the primary VLAN 100

! If a SVI is used as a gateway for devices associated with the primary VLAN 100,

! it must also be configured as promiscuous

AccessSw(config-if)# interface Vlan100

AccessSw(config-if)# private-vlan mapping 101-103,199

AccessSw(config-if)# ip address 192.168.100.254 255.255.255.0