Shulou (Shulou.com) report, 06/01; updated 2025-03-26. From: SLTechnology News&Howtos > Network Security
Blog outline:
1. What is MSTP?
2. What is the basic principle of MSTP?
   1. The network hierarchy of MSTP.
   2. MST domain.
   3. MSTI.
   4. Port role.
   5. Port status of MSTP.
3. The protection function of MSTP.
   1. BPDU protection.
   2. Root protection.
   3. Loop protection.
   4. TC protection.
4. The configuration process of MSTP.
1. What is MSTP?
MSTP is a common spanning tree protocol, which is widely used in the actual production environment.
MSTP (Multiple Spanning Tree Protocol) is a multi-spanning-tree technology that allows several spanning trees to run in one switched environment. Each spanning tree is called an instance, and the instances are independent of each other: a port that is blocked in one instance may be a forwarding port in another. Unlike Cisco's proprietary PVST, MSTP allows multiple vlan to share one spanning tree instance. This is an advantage over PVST, because on a Cisco switch running PVST every vlan is its own spanning tree instance; the more instances there are, the more spanning trees the switch has to maintain, at a cost in hardware resources and network overhead. In most cases the benefit of running multiple spanning tree instances is link load sharing: even when there is only one redundant link, running two spanning tree instances achieves load balancing while keeping system overhead low, as shown in the following figure:
The network in the figure above runs two spanning tree instances. Placing the root bridges of the two instances on different physical switches shares the load between them without tying up system resources on a large number of instances.
MSTP prunes a looped network into a loop-free tree to avoid broadcast storms, and at the same time provides multiple redundant paths for data forwarding, so that vlan traffic is load-balanced across links. MSTP is also compatible with STP and RSTP.
MSTP divides a switching network into multiple domains; inside each domain several spanning trees are formed, independent of one another. Each spanning tree is called a multiple spanning tree instance (MSTI), and each domain is called an MST domain.
MSTP associates vlan with MSTI through the vlan mapping table (the table of correspondences between vlan and MSTI). Each vlan can correspond to only one MSTI, that is, traffic of one vlan is carried in only one MSTI, while one MSTI can correspond to multiple vlan.
2. What is the basic principle of MSTP?
In MSTP, the whole interconnected layer 2 network is divided into several domains. Within a domain, the vlan are divided into several groups, each group sharing one topology; several MSTI are then defined and these spanning tree instances are mapped to the different vlan groups.
An instance is a collection of multiple vlan. Mapping multiple vlan to a single instance saves communication overhead and resources. The topology of each MSTP instance is calculated independently, so load balancing can be achieved across instances. Multiple vlan with the same topology can be mapped to the same instance, and the forwarding status of those vlan on an interface is determined by the state of that interface in the corresponding MSTP instance.
If the goal is only to prevent loop problems such as broadcast storms, running CST is sufficient (CST is also a spanning tree protocol; it is not described here). The main purpose of running multiple instances is to share the load across redundant links. The number of spanning tree instances therefore generally depends on the number of redundant links: with one redundant link it is best to run two instances, with two redundant links three instances is the best choice, and the traffic carried in each instance should be kept as small as possible.
1. The network hierarchy of MSTP.
A layer 2 switching network can be divided into multiple MST domains (multiple spanning tree domains), each MST domain can contain multiple MSTI, and each MSTI can have multiple vlan mapped to it.
The MSTP network in the following figure contains three MST domains, A, B and C. Each MST domain contains one or more MSTI; MST domain B contains two, instance 1 and instance 2. Instance 1 is mapped to vlan 1-5 and instance 2 to vlan 6-10.
2. MST domain.
The MST domain is a multi-spanning tree domain, which is composed of multiple switches in the local area network and the network segments between them. Multiple MST domains can exist in a local area network. The MST domains are physically directly or indirectly connected. Users can divide multiple switches into the same MST domain through the MSTP configuration command. The switches in the MST domain all have MSTP enabled and are configured with the same domain name and vlan mapping table (vlan mapping table is an attribute of the MST domain, which describes the mapping relationship between vlan and MSTI).
3. MSTI.
Multiple MSTI can run in one MST domain, independently of each other. An MSTI can correspond to one or more vlan, but each vlan can correspond to only one MSTI. Does it feel a bit like a father-son relationship? Haha, a son can only have one real father, but a father can have many sons.
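The two rules in this section and in the vlan mapping table description (each vlan in exactly one MSTI, an MSTI carrying any number of vlan, and all switches of one MST domain sharing the same domain name, revision level and mapping table) can be checked programmatically. The following Python model is an added example and is not code from the original post or from Huawei; the region name "lv", revision level 1 and the instance/vlan mappings are taken from the configuration section later in the post, switch S4 is constructed, and the sorted tuple used as the region identity stands in for the mapping-table digest that real MSTP compares.

```python
# Added example, not code from the original post: a small model of the MST region
# attributes that must agree for switches to be in one MST domain, and of the VLAN
# mapping table (each VLAN in exactly one MSTI, an MSTI holding any number of VLANs).
# Region name "lv", revision level 1 and the instance/VLAN mappings follow the
# post's configuration section; switch S4 is constructed for the example.


class MstRegion:
    """Region name, revision level and VLAN mapping table of one switch."""

    def __init__(self, region_name, revision_level, instance_vlans):
        # instance_vlans mirrors "instance N vlan ..." lines: {instance_id: [vlan, ...]}
        self.region_name = region_name
        self.revision_level = revision_level
        self.vlan_to_instance = {}
        for instance_id, vlans in instance_vlans.items():
            for vlan in vlans:
                if vlan in self.vlan_to_instance:
                    # the mapping table is a function VLAN -> MSTI, so a second
                    # mapping for the same VLAN is a configuration error
                    raise ValueError(
                        f"vlan {vlan} is already mapped to instance "
                        f"{self.vlan_to_instance[vlan]}"
                    )
                self.vlan_to_instance[vlan] = instance_id

    def instance_of(self, vlan):
        """Instance carrying this VLAN; unmapped VLANs stay in instance 0 (the CIST)."""
        return self.vlan_to_instance.get(vlan, 0)

    def vlans_of(self, instance_id):
        """All VLANs carried by one instance (the many-to-one direction)."""
        return sorted(v for v, i in self.vlan_to_instance.items() if i == instance_id)

    def identity(self):
        # Real MSTP compares a digest of the mapping table; the sorted tuple is a
        # stand-in for that digest (an assumption made for this example).
        return (
            self.region_name,
            self.revision_level,
            tuple(sorted(self.vlan_to_instance.items())),
        )


def group_into_domains(switches):
    """Group switch names whose region identity matches into MST domains."""
    domains = {}
    for name, region in switches.items():
        domains.setdefault(region.identity(), []).append(name)
    return sorted(sorted(names) for names in domains.values())


def vlan_mapping_is_valid(instance_vlans):
    """True when no VLAN appears in more than one instance."""
    try:
        MstRegion("check", 0, instance_vlans)
    except ValueError:
        return False
    return True


# S1, S2 and S3 share name "lv", revision 1 and the same mapping table (from the post)
SWITCHES = {
    "S1": MstRegion("lv", 1, {1: [10], 2: [20]}),
    "S2": MstRegion("lv", 1, {1: [10], 2: [20]}),
    "S3": MstRegion("lv", 1, {1: [10], 2: [20]}),
    # constructed: same name and mappings but a different revision level
    "S4": MstRegion("lv", 2, {1: [10], 2: [20]}),
}


if __name__ == "__main__":
    print(group_into_domains(SWITCHES))                # [['S1', 'S2', 'S3'], ['S4']]
    print(SWITCHES["S1"].instance_of(10), SWITCHES["S1"].instance_of(30))  # 1 0
    print(vlan_mapping_is_valid({1: [10, 20], 2: [20]}))  # False
```

S4 differs only in its revision level, which is enough to put it in a domain of its own; this is the failure mode the post's summary warns about, where a switch with a mismatched name, revision or mapping silently ends up outside the intended domain.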
4. Port role.
The main port roles in MSTP are root port, designated port, alternate (standby) port, backup port and edge port. Except for the edge port, all of these roles take part in the MSTP calculation, and the same port can play different roles in different MSTI. (The port roles are explained below; they are negotiated automatically by the spanning tree protocol and do not need to be assigned manually.)
Root port: on a non-root switch, the port with the lowest path cost to the root switch is the root port; it forwards data traffic toward the root switch. P3, P4 and P8 in the figure above are root ports.
Designated port: the port through which the switch sends BPDU (bridge protocol data units, which carry the bridge ID, root path cost and similar information used to elect port roles) or data traffic to the downstream switch. In the figure above, P1, P2 and P6 are designated ports (when the priority of S3 is higher than that of S2).
Edge port: located at the very edge of the network, does not take part in the spanning tree calculation, and usually connects non-switch devices such as terminals, servers, PCs and routers.
Alternate (standby) port: from the point of view of forwarding data traffic, the alternate port provides a backup link to the root switch. Its state is blocked and it does not forward data traffic; when the root port is blocked, the alternate port becomes the new root port. In the figure above, P5 is the alternate port.
Backup port: when two ports of the same switch are connected to each other there is a loop (an aggregated link excepted); in this case the switch blocks one of the two ports, and the blocked one is the backup port. From the point of view of sending BPDU, a backup port is a port blocked because it learned BPDU sent by another port on the same device. From the point of view of forwarding data traffic, the backup port backs up the designated port and provides a backup link from the root switch to the non-root switch. In the figure above, P7 is the backup port.
5. The port status of MSTP.
MSTP has only three port states (knowing the port states lets you troubleshoot spanning tree quickly):
Forwarding: in this state the port forwards user traffic and receives / sends BPDU messages.
Learning: a transitional state. The switch learns the MAC address table from the user traffic it receives but does not forward user traffic, hence the name learning state. A port in the learning state receives / sends BPDU messages and does not forward user traffic.
Discarding: in this state the port only receives BPDU messages.
3. The protection function of MSTP.
For layer 2 spanning trees, the following four techniques increase the security of the spanning tree.
1. BPDU protection.
On a switch, ports that connect directly to non-switch devices such as user terminals (PCs) or servers are usually configured as edge ports so that they converge quickly. Normally these ports never receive BPDU. If someone forges BPDU to attack the switch, then when these ports receive a BPDU the switch automatically turns them into non-edge ports and recalculates the spanning tree, causing the network to flap.
With BPDU protection enabled, an edge interface that receives a BPDU message is shut down automatically, which stops further attacks of this kind and the network flapping they would cause.
The configuration commands are as follows:
[Huawei] stp bpdu-protection # enables BPDU protection
2. Root protection.
Because of network management errors or malicious attacks, a legitimate switch port in the network may receive a higher priority BPDU. The current root then loses its root status, the spanning tree is recalculated, the network flaps, and traffic may be diverted from high-speed links onto low-speed links, causing congestion. To prevent this, the switch provides root protection. Root protection preserves the status of the root switch by keeping the role of the designated port: a port configured with root protection keeps the designated port role in all instances. When such a port receives a higher priority BPDU, its role does not change to non-designated; instead it enters the listening state and stops forwarding messages. After a long enough time without receiving a higher priority BPDU, the port returns to its normal state.
Configuration commands:
[Huawei] in g0/0/1 # enter the designated port
[Huawei-GigabitEthernet0/0/1] stp root-protection # turn on root protection
3. Loop protection.
The root port and other blocked ports periodically receive BPDU from the upstream switch (in the third configuration figure of this post, R1 is the upstream switch of R2 and R3, and R4 is the downstream switch of R2 and R3). When a link is congested or a unidirectional link fails, these ports no longer receive BPDU from the upstream switch, so the switch re-elects the root port: the original root port becomes a designated port and the previously blocked port moves to the forwarding state, creating a loop in the switched network. Loop protection suppresses this loop. With loop protection enabled, if the root port stops receiving BPDU from upstream it is placed in the blocking state, and the blocked port stays blocked and does not forward messages, so no loop forms in the network.
Configuration commands:
[Huawei] in g0/0/1 # enter the root port
[Huawei-GigabitEthernet0/0/1] stp loop-protection # enable loop protection
4. TC protection.
When a switch receives a TC-BPDU message it deletes its MAC address table entries and ARP table entries. If someone forges TC-BPDU messages to attack the switch, the switch receives a large number of TC-BPDU messages in a short time, and the frequent deletions place a heavy burden on the switch and threaten the stability of the network. With TC protection enabled, the number of TC-type BPDU messages that the MSTP process handles within a fixed period is configurable. If the MSTP process receives more TC-type BPDU messages than the configured threshold within that period, it processes only the number allowed by the threshold; the TC-type BPDU messages above the threshold are processed once, together, after the timer expires. This avoids frequent deletion of MAC address table and ARP table entries and so protects the switch.
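The three protections that counter forged BPDUs in this section (BPDU protection on edge ports, root protection on designated ports, and the TC protection threshold) behave as small state machines, and the following Python simulation is an added example of them. It is not code from the original post or from Huawei: port names, event times and the length of the fixed period are constructed, the threshold of 3 matches the command below, and the rules follow the post's description rather than the switch's real implementation.

```python
# Added example, not code from the original post: a simulation of the three
# protections that guard against forged BPDUs as the post describes them. Port
# names, event times and the period length are constructed; the behaviour follows
# the post's description, not the switch's actual implementation.


class GuardedPort:
    """A switch port with optional BPDU protection or root protection."""

    def __init__(self, name, role, edge=False,
                 bpdu_protection=False, root_protection=False):
        self.name = name
        self.role = role              # "root", "designated" or "alternate"
        self.edge = edge
        self.bpdu_protection = bpdu_protection
        self.root_protection = root_protection
        self.state = "forwarding"
        self.events = []

    def receive_bpdu(self, superior=False):
        """Apply the post's rules to a BPDU arriving on this port; returns the new state."""
        if self.edge:
            if self.bpdu_protection:
                # BPDU protection: the edge port is shut down instead of rejoining
                # the spanning tree calculation
                self.state = "shutdown"
                self.events.append("bpdu on edge port: port shut down")
            else:
                # an unprotected edge port becomes non-edge and the tree is recalculated
                self.edge = False
                self.events.append("bpdu on edge port: now non-edge, tree recalculated")
        elif superior and self.role == "designated":
            if self.root_protection:
                # root protection: keep the designated role, stop forwarding
                # (the post calls this the listening state)
                self.state = "listening"
                self.events.append("superior bpdu: root protection, listening")
            else:
                # without protection the switch accepts the new root
                self.role = "root"
                self.events.append("superior bpdu accepted: root bridge changed")
        return self.state

    def superior_bpdu_timeout(self):
        """No superior BPDU for long enough: a root-protected port recovers."""
        if self.root_protection and self.state == "listening":
            self.state = "forwarding"
        return self.state


def simulate_tc_protection(arrivals, threshold, period):
    """TC protection threshold over a fixed period.

    arrivals: sorted times (seconds) at which TC-BPDU messages arrive.
    Returns (immediate, deferred): times of MAC/ARP flushes done at once, and
    times of the single deferred flush that handles the excess after the timer expires.
    """
    immediate, deferred = [], []
    window_start, handled, pending = None, 0, False
    for t in arrivals:
        if window_start is None or t - window_start >= period:
            if pending:                      # timer expired with excess pending
                deferred.append(window_start + period)
                pending = False
            window_start, handled = t, 0     # start a new fixed period
        if handled < threshold:
            handled += 1
            immediate.append(t)              # processed right away
        else:
            pending = True                   # above threshold: handled once later
    if pending:
        deferred.append(window_start + period)
    return immediate, deferred


if __name__ == "__main__":
    edge = GuardedPort("g0/0/3", "designated", edge=True, bpdu_protection=True)
    print(edge.receive_bpdu())                         # shutdown
    desi = GuardedPort("g0/0/1", "designated", root_protection=True)
    print(desi.receive_bpdu(superior=True), desi.role)  # listening designated
    # ten forged TC-BPDUs, one per second, threshold 3, constructed period of 10 s
    print(simulate_tc_protection(list(range(10)), 3, 10))  # ([0, 1, 2], [10])
```

Without TC protection the ten constructed messages would cause ten MAC/ARP flushes; with threshold 3 only three are performed in the period and the remaining seven are collapsed into one deferred flush when the timer expires, which is the whole point of the threshold.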
Configuration commands:
[Huawei] stp tc-protection threshold 3 # specifies a threshold of 3
4. The configuration process of MSTP.
The network environment is as follows:
The requirements are as follows: VLAN10 and VLAN20 can reach each other; VLAN10 traffic takes the path S3 -> S1 -> R1 and VLAN20 traffic takes S3 -> S2 -> R1. Implementation ideas:
1. Configure PC and the IP address of the router.
2. Configure the vlan and trunk of the switch.
3. The switch enables the MSTP protocol and configures the same area name.
4. The switch establishes two instances, adds vlan 10 and vlan 20 to different instances, and specifies different root bridges for the two instances. The root bridge of instance 1 is on S1, and the root bridge of instance 2 is on S2.
Start the configuration:
1. Configure the router IP address (the IP address of the PC is self-configured):
[R1] in g0/0/0
[R1-GigabitEthernet0/0/0] ip add 10.1.10.254 24
[R1-GigabitEthernet0/0/0] in g0/0/1
[R1-GigabitEthernet0/0/1] ip add 10.1.20.254 24
[R1-GigabitEthernet0/0/1] un shut
2. Configure the VLAN and Trunk of each switch:
Here I configure all interfaces connected to clients as Access interfaces, the switch-to-switch interfaces as trunk interfaces, and the interfaces between the switches and the router as Hybrid interfaces.
S1 is configured as follows:
[S1] vlan ba 10 20
[S1] in g0/0/2
[S1-GigabitEthernet0/0/2] port link-type trunk
[S1-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/2] in g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/1] in g0/0/3
[S1-GigabitEthernet0/0/3] port link-type hybrid
[S1-GigabitEthernet0/0/3] port hybrid untagged vlan 10
[S1-GigabitEthernet0/0/3] port hybrid pvid vlan 10
S2 is configured as follows:
[S2] vlan ba 10 20
[S2] in g0/0/2
[S2-GigabitEthernet0/0/2] port link-type trunk
[S2-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/2] in g0/0/1
[S2-GigabitEthernet0/0/1] port link-type trunk
[S2-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/1] in g0/0/3
[S2-GigabitEthernet0/0/3] port link-type hybrid
[S2-GigabitEthernet0/0/3] port hybrid untagged vlan 20
[S2-GigabitEthernet0/0/3] port hybrid pvid vlan 20
The configuration of S3 is as follows:
[S3] vlan ba 10 20
[S3] in g0/0/3
[S3-GigabitEthernet0/0/3] port link-type access
[S3-GigabitEthernet0/0/3] port default vlan 10
[S3-GigabitEthernet0/0/3] in g0/0/4
[S3-GigabitEthernet0/0/4] port link-type access
[S3-GigabitEthernet0/0/4] port default vlan 20
[S3-GigabitEthernet0/0/4] in g0/0/2
[S3-GigabitEthernet0/0/2] port link-type trunk
[S3-GigabitEthernet0/0/2] port trunk allow-pass vlan all
3. Configure MSTP
The requirement above is that clients in vlan 10 reach the gateway through S3 and S1, and clients in vlan 20 reach the gateway through S3 and S2, so that the two links share the load. In the configuration below, S1 is made the root of instance 1, and instance 1 is associated with vlan 10; vlan 10 traffic therefore reaches the gateway on the left, because in instance 1 the link between S2 and S3 is blocked. Likewise, S2 is made the root of instance 2, so vlan 20 traffic reaches the gateway on the right.
S1 is configured as follows:
[S1] stp mo mstp
[S1] stp region-configuration
[S1-mst-region] region-name lv
[S1-mst-region] revision-level 1
[S1-mst-region] instance 1 vlan 10
[S1-mst-region] instance 2 vlan 20
[S1-mst-region] active region-configuration
[S1-mst-region] quit
[S1] stp instance 1 root primary
[S1] stp instance 2 root secondary
S2 is configured as follows:
[S2] stp mode mstp
[S2] stp region-configuration
[S2-mst-region] region-name lv
[S2-mst-region] revision-level 1
[S2-mst-region] instance 1 vlan 10
[S2-mst-region] instance 2 vlan 20
[S2-mst-region] active region-configuration
[S2-mst-region] quit
[S2] stp instance 1 root secondary
[S2] stp instance 2 root primary
The configuration of S3 is as follows:
[S3] stp mode mstp
[S3] stp region-configuration
[S3-mst-region] region-name lv
[S3-mst-region] revision-level 1
[S3-mst-region] instance 1 vlan 10
[S3-mst-region] instance 2 vlan 20
[S3-mst-region] active region-configuration
4. Verify:
View the role and status information of the STP interface on S3. The results are as follows (where the MSTID column represents the instance):
[S3] dis stp brief # View STP interface role and status information
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/2        ROOT  FORWARDING    NONE
   0    GigabitEthernet0/0/3        DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/4        DESI  FORWARDING    NONE
   1    GigabitEthernet0/0/1        ROOT  FORWARDING    NONE
   1    GigabitEthernet0/0/2        ALTE  DISCARDING    NONE
   1    GigabitEthernet0/0/3        DESI  FORWARDING    NONE
   2    GigabitEthernet0/0/1        ALTE  DISCARDING    NONE
   2    GigabitEthernet0/0/2        ROOT  FORWARDING    NONE
   2    GigabitEthernet0/0/4        DESI  FORWARDING    NONE
You can see that GigabitEthernet0/0/2 in instance 1 and GigabitEthernet0/0/1 in instance 2 are in a blocking state. At the same time, the two instances are independent of each other and not affected by each other. And now clients in vlan 10 can communicate with clients in vlan 20.
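Reading the role and state columns by eye works for three switches; for a larger deployment the same check is worth scripting. The Python below is an added example, not code from the original post or from Huawei: it parses the dis stp brief output shown above (copied from the post), confirms that each vlan's instance has exactly one root port on S3 and that it is the planned uplink (vlan 10 via GigabitEthernet0/0/1 toward S1, vlan 20 via GigabitEthernet0/0/2 toward S2), lists the blocked ports per instance, and reports ports whose Protection column is NONE. The function names are my own.

```python
# Added example, not code from the original post: a parser for the "display stp brief"
# output shown in the post, plus the checks an operator would run to confirm the
# design. The output text is copied from the post; the VLAN-to-instance mapping and
# the expected uplinks come from the post's requirements. Function names are assumptions.

DIS_STP_BRIEF_S3 = """\
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/2        ROOT  FORWARDING    NONE
   0    GigabitEthernet0/0/3        DESI  FORWARDING    NONE
   0    GigabitEthernet0/0/4        DESI  FORWARDING    NONE
   1    GigabitEthernet0/0/1        ROOT  FORWARDING    NONE
   1    GigabitEthernet0/0/2        ALTE  DISCARDING    NONE
   1    GigabitEthernet0/0/3        DESI  FORWARDING    NONE
   2    GigabitEthernet0/0/1        ALTE  DISCARDING    NONE
   2    GigabitEthernet0/0/2        ROOT  FORWARDING    NONE
   2    GigabitEthernet0/0/4        DESI  FORWARDING    NONE
"""

VLAN_TO_INSTANCE = {10: 1, 20: 2}                  # "instance 1 vlan 10", "instance 2 vlan 20"
EXPECTED_UPLINK = {10: "GigabitEthernet0/0/1",      # vlan 10: S3 -> S1 -> R1
                   20: "GigabitEthernet0/0/2"}      # vlan 20: S3 -> S2 -> R1


def parse_stp_brief(text):
    """One dict per data row; the header line (six tokens) and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        mstid, port, role, state, protection = parts
        rows.append({"mstid": int(mstid), "port": port, "role": role,
                     "state": state, "protection": protection})
    return rows


def root_port(rows, mstid):
    """A non-root switch must have exactly one root port per instance."""
    roots = [r["port"] for r in rows if r["mstid"] == mstid and r["role"] == "ROOT"]
    if len(roots) != 1:
        raise ValueError(f"instance {mstid}: expected one root port, found {roots}")
    return roots[0]


def blocked_ports(rows, mstid):
    """Ports in the DISCARDING state for one instance."""
    return sorted(r["port"] for r in rows
                  if r["mstid"] == mstid and r["state"] == "DISCARDING")


def check_load_sharing(rows, vlan_to_instance, expected_uplink):
    """Return a list of problems; empty means every VLAN uses the planned uplink."""
    problems = []
    for vlan, port in expected_uplink.items():
        instance = vlan_to_instance[vlan]
        actual = root_port(rows, instance)
        if actual != port:
            problems.append(f"vlan {vlan} (instance {instance}) uses {actual}, expected {port}")
    return problems


def unprotected_ports(rows):
    """Ports whose Protection column is NONE in the CIST (instance 0)."""
    return sorted(r["port"] for r in rows
                  if r["mstid"] == 0 and r["protection"] == "NONE")


if __name__ == "__main__":
    rows = parse_stp_brief(DIS_STP_BRIEF_S3)
    print(check_load_sharing(rows, VLAN_TO_INSTANCE, EXPECTED_UPLINK))  # []
    print(blocked_ports(rows, 1), blocked_ports(rows, 2))
    print(unprotected_ports(rows))
```

On the post's output every port reports Protection NONE; GigabitEthernet0/0/3 and GigabitEthernet0/0/4 are the access ports facing the PCs, which are exactly the edge ports that section 3 recommends guarding with stp bpdu-protection, so the last check is a cheap way to spot switches where that step was skipped.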
5. Summary:
From the configuration above it can be seen that, to place all switches in the same domain, they must be configured with the same domain name, the same revision level, and the same vlan-to-instance mapping in the domain. A spanning tree instance can have only one primary root and one secondary root. Note that the spanning tree protocol does not provide mutual backup between devices (that is, the standby device immediately taking over when the master device goes down); it only achieves load balancing. If mutual backup is required, VRRP must also be used, which will be covered in a later blog post.
This is the end of this article. Thank you for reading.