13

I have been learning about spanning tree protocol (STP/RSTP/MSTP) and was wondering, once I turn it on and it's protecting against for example network loops, how do I know there is a network loop?

I suppose in most cases it would be obvious, because the room the loop is in would be down, but what if there is no complaint?

It seems like I would still want a way to know that there is a network issue such as this. Maybe the device sending some kind of alert, or maybe someone has to check a log or something else occasionally?

Scott Szretter
  • 1,860
  • 11
  • 42
  • 66

5 Answers

22

You watch your switch logs for spanning tree events, or configure your switches to send SNMP traps when STP shuts down a port.

EEAA
  • 108,414
  • 18
  • 172
  • 242
11

Testing. If you want to know that something is working, you test it.

Once you've enabled STP, schedule network maintenance and plug a cable in a loop. If the network is still working then the loop was detected by STP. If your network goes down then STP isn't working.

Chris S
  • 77,337
  • 11
  • 120
  • 212
  • 3
    +1 because almost half the answers on this site could be changed to your first sentence. – gparent Jan 18 '13 at 20:05
  • 4
    The only problem is, that's not the answer to the question I asked. In my case, the network is WORKING. If spanning tree was OFF, and I had a network loop, it would stop working. With spanning tree ON, it theoretically would keep the network working, so how would I know that there is a problem loop for example, since the equipment would mask the issue? (the answer above about snmp/logs so far makes sense) – Scott Szretter Jan 18 '13 at 20:25
  • 2
    If you had tested your setup you would know if the management interface indicated the network loop. Since you don't know, you must not have tested your setup. It's common from the setups I've seen for STP status of a port to be indicated with the port's "error" or "exception" status reports. – Chris S Jan 19 '13 at 01:12
5

Spanning tree does not think a loop is an "error". They are part of the protocol and it will find the ports that cause loops, and then disable forwarding on them. I think you're trying to use a protocol to find out if a certain condition exists, but that's not really its primary purpose. A "well-designed" network may very well have loops normally (for redundancy). In addition to turning on logging event spanning-tree status (or the equivalent on your platform), think outside the box. A loop in your network (if not disabled by spanning tree) will cause large traffic levels in a broadcast storm. So graph those levels and in your monitoring platform if you see a sharp rise in traffic you've probably got a loop.

Aaron
  • 2,968
  • 1
  • 22
  • 36
  • This is important to understand. A lot of people erroneously blame spanning tree for loops, but you enable spanning tree *so that you can add loops* to your network for redundancy. – Paul Gear Jan 22 '13 at 22:19
2

Here are some extra things to consider in your STP/RSTP/MSTP implementation along with your testing:

  1. Set your switch priorities to ensure that a predetermined switch is elected as the root and a secondary is designated to take over as root if the primary fails. This is the most common mistake I see in spanning tree implementations.
  2. Any port where you have a permanently-connected device (e.g. a server, printer, NAS) should be put in port fast mode (Cisco terminology; in HP ProCurve it's called edge port) to ensure they don't have a long wait time for STP convergence when they boot up.
  3. Any port where you connect to an edge device (including PCs, printers, servers, etc.) should have root guard enabled. This prevents people from connecting a misconfigured or unauthorised switch and causing reconvergence unexpectedly.
  4. Any port which is not a switch-to-switch link in your control (including PCs, printers, service provider routers) should have BPDU guard enabled, preferably set to disable the port when an STP BPDU is received. This way you find out immediately when people start doing the wrong things on your edge ports.
Paul Gear
  • 3,938
  • 15
  • 36
  • This is a very useful answer, thank you. By chance you wouldn't know the HP ProCurve equivalent commands for the points you mentioned? This HP link is lacking your best practice recommendations http://h20565.www2.hp.com/hpsc/doc/public/display?sp4ts.oid=241810&docId=emr_na-c02687453 – morleyc Jul 03 '15 at 12:12
  • I had a go at answering this question myself, feel free to comment :) http://serverfault.com/questions/703386/hp-procurve-preventing-loops-and-users-plugging-in-unauthorized-switches-access – morleyc Jul 03 '15 at 21:13
2

In addition to the earlier diagnostic suggestions, you should also learn to interpret the output from your switch's "show spanning-tree" command (or equivalent). It will show you the root port, designated ports, and a number of other important diagnostics.

Here's an example network I just set up with 2 x Cisco 2950 and 1 x HP 3400cl. The connections in the network are as follows:

  • hp3400cl [24] -> c2950 [g0/2] (1000 Mbps)
  • c2950 [f0/23] -> c2950b [f0/47] (100 Mbps)
  • c2950b [f0/45] -> hp3400cl [23] (100 Mbps)

The switches are all in MSTP mode, with only the common spanning tree instance set up. hp3400cl has priority 0, c2950 is the next highest priority at 8192, and c2950b is last with priority 12288. So hp3400cl should be the root. Here's how the "show spanning-tree" output looks:

hp3400cl# show spanning-tree 

 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : MSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : 001871-8bd020
  Switch Priority    : 0    
  Max Age  : 6 
  Max Hops : 20
  Forward Delay : 4 

  Topology Change Count  : 4           
  Time Since Last Change : 4 mins      

  CST Root MAC Address : 001871-8bd020
  CST Root Priority    : 0           
  CST Root Path Cost   : 0           
  CST Root Port        : This switch is root

  IST Regional Root MAC Address : 001871-8bd020
  IST Regional Root Priority    : 0           
  IST Regional Root Path Cost   : 0           
  IST Remaining Hops            : 20          

  Root Guard Ports : 
  TCN Guard Ports  : 
  BPDU Protected Ports :                                         
  BPDU Filtered Ports  :                                         

                  |           Prio             | Designated    Hello         
  Port  Type      | Cost      rity  State      | Bridge        Time  PtP Edge
  ----- --------- + --------- ----- ---------- + ------------- ----- --- ----
  1     100/1000T | Auto      128   Disabled   |
...
  22    100/1000T | Auto      128   Disabled   |
  23    100/1000T | 200000    128   Forwarding | 001871-8bd020 1     Yes No  
  24    100/1000T | 20000     128   Forwarding | 001871-8bd020 1     Yes No  

c2950#show spanning-tree 

MST00
  Spanning tree enabled protocol mstp
  Root ID    Priority    0
             Address     0018.718b.d020
             Cost        20000
             Port        26 (GigabitEthernet0/2)
             Hello Time   1 sec  Max Age  6 sec  Forward Delay  4 sec

  Bridge ID  Priority    8192   (priority 8192 sys-id-ext 0)
             Address     000c.308f.7f80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
...
Fa0/24           Desg FWD 200000    128.24   P2p 
Gi0/2            Root FWD 20000     128.26   P2p Bound(RSTP) 

c2950b#show spanning-tree 

MST00
  Spanning tree enabled protocol mstp
  Root ID    Priority    0
             Address     0018.718b.d020
             Cost        20000
             Port        47 (FastEthernet0/47)
             Hello Time   1 sec  Max Age  6 sec  Forward Delay  4 sec

  Bridge ID  Priority    12288  (priority 12288 sys-id-ext 0)
             Address     000a.b7e3.30c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/45           Altn BLK 200000    128.45   P2p Bound(RSTP) 
Fa0/47           Root FWD 200000    128.47   P2p 

The important things to note about port states in the above listing are:

  • The root switch's links to other switches are forwarding
  • The non-root switches' links to the root are "Root FWD" in both cases
  • The non-root switches' link to each other is "Altn BLK" on one end and "Desg FWD" on the other; this means that c2950b knows that f0/45 is an alternate route to the root and has blocked it to prevent the loop. If the root port (f0/47) fails, c2950b will set f0/45 as the root port without reconverging.
Paul Gear
  • 3,938
  • 15
  • 36
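
A polling check built on the Cisco-format "show spanning-tree" listings in the answer above, as an added example that is not part of any answer on this page: it parses the output (the c2950b listing is embedded as sample input), confirms the root bridge is the one you designated, and reports every port that is not forwarding. The function names and the comparison against an expected root address are assumptions of this example.

```python
import re

# Sample input: the c2950b listing from the answer above (trailing spaces trimmed).
SAMPLE = """\
MST00
  Spanning tree enabled protocol mstp
  Root ID    Priority    0
             Address     0018.718b.d020
             Cost        20000
             Port        47 (FastEthernet0/47)
             Hello Time   1 sec  Max Age  6 sec  Forward Delay  4 sec

  Bridge ID  Priority    12288  (priority 12288 sys-id-ext 0)
             Address     000a.b7e3.30c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/45           Altn BLK 200000    128.45   P2p Bound(RSTP)
Fa0/47           Root FWD 200000    128.47   P2p
"""

# One interface row: name, role, three-letter state, cost, then Prio.Nbr.
PORT_ROW = re.compile(
    r"^(\S+)\s+(Root|Desg|Altn|Back)\s+([A-Z]{3})\*?\s+(\d+)\s+\d+\.\d+\s", re.M)
MAC = re.compile(r"Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

def parse(text):
    """Return (root_mac, bridge_mac, [(port, role, state, cost), ...])."""
    macs = MAC.findall(text)  # first Address is the Root ID, second the Bridge ID
    if len(macs) < 2:
        raise ValueError("Root ID / Bridge ID addresses not found")
    ports = [(p, r, s, int(c)) for p, r, s, c in PORT_ROW.findall(text)]
    return macs[0], macs[1], ports

def findings(text, expected_root):
    """List what an operator should look at: wrong root, non-forwarding ports."""
    root, _bridge, ports = parse(text)
    out = []
    if root != expected_root:
        out.append(f"root bridge is {root}, expected {expected_root}")
    for port, role, state, _cost in ports:
        if state != "FWD":
            out.append(f"{port}: role {role}, state {state} (not forwarding)")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE, expected_root="0018.718b.d020"):
        print(line)
```

Run on a schedule against each switch and compared with the previous run, a new non-forwarding port or a changed root address is the signal that a loop or an unexpected bridge has appeared.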