The Packet Wizard : Spanning Tree Explained

Spanning Tree Protocol also known as STP

There are many different types of STP but here are a couple of the main ones

STP/802.1D – Original STP
PVST+ – Cisco Improved STP adding per VLAN feature
RSTP/802.1w – Improved STP with a much faster convergence time (Rapid Spanning Tree)
Rapid PVST+ – Cisco improved RSTP adding per VLAN feature

Why Per VLAN STP?
If you have a large network with lots of switches and VLAN’s you can use Per VLAN STP to plan for a more efficient network

Even although there are many versions of STP they all use a very similar set of rules.

What is STP?

STP is a feature used to prevent loops when you are using redundant switches and without STP a loop could form and cause a number of problems on the network.

During a unicast broadcast message (which happen all the time) the switch will forward the frame out of every port except the one it came in on. Therefore if SW1 sends a frame out and SW2 and SW3 receive it then SW2 and SW3 will forward out all ports except the one it came in on.  SW2 sends to SW3 and SW1. SW3 send to SW2 and SW1 and you can see how the loop is now beginning to form. This is known as a broadcast storm, this can kill a switches CPU and Memory usage very quickly.

The second problem is the MAC address being changed all the time as it receives frames. For example SW1 sends a broadcast message, SW2 and SW3 receive it, then forward it out all other ports like in the scenario above. However each switch learns the MAC address of the next switch and assigns that in the MAC address table, but if you consider SW1 sending to SW2 and SW3 and then SW2 and SW3 forwarding those frames and they eventually get back to SW1 but on different ports, then the MAC Address table will change constantly from I know about SW2 on this port,  I now know about SW2 via SW3 on this port, and that can cause unstable MAC address tables.

Another issues is explained below

HOST1  sends data to HOST2, however since SW2 doesn’t know how to get to SW2 it sends frames out all ports, thus sending to SW1 and SW3 so HOST2 receives frames from HOST1 via SW3 and then again via SW1>SW3. This is known as Duplicate Frames.

So how do we fix the issues mentioned above? Thats right Spanning Tree Protocol by blocking one of the redundant paths.

The question now becomes how do the switches decide on that Port to block? STP follow’s strict rules, when deciding what ports to block. 

1) Elect a Root Bridge (ROOT)
2) Place root interfaces into forwarding (FWD)
3) Select Root Port on non-Root Bridge Switches (RP) – this is the best root to the Root Bridge.
4) Non Root Switches decide on a Designated Port (DP)
5) All other ports put into Blocking State (BLK)

On per VLAN STP You could have this on VLAN 10

and this on VLAN 20

I will now cover the port roles and the port states so you know what each is:

ROLES
Root Ports : The best port to get to the Root Bridge

Designated Ports : The Lowest cost alternate best root to the Root Bridge.
Non Designated Ports : All other ports that are in blocking mode.

STATES
Disabled : A Port is shutdown
Blocking : A Port that is blocking traffic
Listening : A Port that is not forwarding and not learning MAC addresses
Learning: A Port that is learning MAC addresses but is not forwarding traffic
Forwarding : A Port that is sending and receiving traffic as normal

When ports change from one Role to another it will go through the Port States. Note also that the Listening and Learning states are transitional and it wont stay on either.

Root Bridge Election

Each switch has and sends messages to each other called Bridge Protocol Data Units (BPDU’s) These BPDU’s contain specific information pertaining to each switch, such as Root Cost, Bridge ID (BID) for Itself and for the Root.  A BID is made up of STP Priority and MAC address, the default value of The BID on SW1 would be 327691111:1111:1111 since 32769 is the default STP priority and the MAC address. The switch with the lowest BID will become the Root Bridge. This is what is looks like before the Root Bridge Election and the exchange of the BPDU’s

This is what it looks like after, when the lowest BID wins.

The ports on each switch now transition into their respective states following the STP Rules as mentioned above.

The ports can change based on the Cost of each link. The port costs are listed below, however in this example we will just be using Gig Ports, but for clarity a FastEthernet Port will be slower than a GigEthernetPort, the faster the port the lower the cost. The Root Port (RP) is the lowest port cost.

Data rate STP cost RSTP cost
(Link Bandwidth) (802.1D-1998) (802.1W-2004, default value)
4 Mbit/s 250 5,000,000
10 Mbit/s 100 2,000,000
16 Mbit/s 62 1,250,000
100 Mbit/s 19 200,000
1 Gbit/s 4 20,000
2 Gbit/s 3 10,000
10 Gbit/s 2 2,000
100 Gbit/s N/A 200
1 Tbit/s N/A 20

This is a quick diagram of how the port costs are worked out to get back to the Root Bridge. SW2 to get to SW1 is 0+4=4 and SW2 via SW3 to SW1 is 4+4=8

Of course there can be ties between multiple connections and STP can be tuned.

Designated Ports are selected by Root Cost the by Lowest BID and then by lowest numbered Interface. Therefor in the diagram above the Designated port would be GigEth1 on SW3 since it is a lower numbered interface than SW2 GigEth2.

All ports that are not Root Ports or Designated Ports are Blocking Ports.

STP Convergence Times

STP:
BPDU/Hello time = 2 secs – Hello messages to each switch to see its still there
Max Age = 20 secs – How long a switch will wait for a response to the Hello message
Listening = 15 secs
Learning = 15 secs

= 52 secs to convergence

From the time a link goes down to convergence it takes a total of 52 Seconds. When STP was designed that was fine but now, this is much too slow which is where Rapid Spanning Tree Comes in.

RSTP:
3 missed BDPU/Hello at 2 sec each = 6 secs
Learning (no listening) = 15 secs

= 21 secs to convergence.

I hope this have given you a good explanation of STP. 

 

Test Connectivity with Telnet

Telnet is a Network protocol that allows users to connect to and administer a devices Command Line Interface (CLI). However all of the information exchanged on a Telnet session is unencrypted, this means is someone is sniffing the traffic from your host to the device it can be read clearly. So now all know telnet is a super un-secure way to access the CLI of a device, and you should always use SSH where you can, but Telnet can be used in another way. Telnet can only be used to verify network connectivity to remote devices that are TCP based, because TCP is a connection-oriented protocol.

I get requests all the time to open up specific ports on the firewall. You can find a list of the well know port numbers here.

Before I start poking holes in the firewall or other device I check to see if it is already open.

Telnet will by default only check and listen on TCP port 23

If a user asks me is https (port 443) is open to and on a specific server you can easily test with Telnet.

You simply add the port number at the end of the telnet command:

 

As you can see 443 is open. To exit from the Telnet session: 


 

This telnet test to port 23 is not open as it does not say Connected to…


If a remote host does not respond to telnet it can mean a number of things.

  1. The Firewall or Firewalls or other networking devices on the path to the remote host is Denying or Dropping the packets. You will be able to confirm that in the logs on the firewall.
  2. The server or remote host on the other side is not up and active
  3. There is no connectivity to the remote host for some other reason

Further troubleshooting is required if you encounter issues.

Common Port Numbers

Common TCP/IP Protocols and Ports

Protocol TCP/UDP Port Number
File Transfer Protocol (FTP)

(RFC 959)

TCP 20/21
Secure Shell (SSH)

(RFC 4250-4256)

TCP 22
Telnet

(RFC 854)

TCP 23
Simple Mail Transfer Protocol (SMTP)

(RFC 5321)

TCP 25
Domain Name System (DNS)

(RFC 1034-1035)

TCP/UDP 53
Dynamic Host Configuration Protocol (DHCP)

(RFC 2131)

UDP 67/68
Trivial File Transfer Protocol (TFTP)

(RFC 1350)

UDP 69
Hypertext Transfer Protocol (HTTP)

(RFC 2616)

TCP 80
Post Office Protocol (POP) version 3

(RFC 1939)

TCP 110
Network Time Protocol (NTP)

(RFC 5905)

UDP 123
NetBIOS

(RFC 1001-1002)

TCP/UDP 137/138/139
Internet Message Access Protocol (IMAP)

(RFC 3501)

TCP 143
Simple Network Management Protocol (SNMP)

(RFC 1901-1908, 3411-3418)

TCP/UDP 161/162
Border Gateway Protocol (BGP)

(RFC 4271)

TCP 179
Lightweight Directory Access Protocol (LDAP)

(RFC 4510)

TCP/UDP 389
Hypertext Transfer Protocol over SSL/TLS (HTTPS)

(RFC 2818)

TCP 443
Lightweight Directory Access Protocol over TLS/SSL (LDAPS)

(RFC 4513)

TCP/UDP 636
FTP over TLS/SSL

(RFC 4217)

TCP 989/990
The complete list of assigned ports and their assigned services can be seen at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml.

The Packet Wizard : DHCP Troubleshooting

In todays scenario, I am going to walk through some changes I made and troubleshooting steps for when I recently added a moved a old SSID/Subnet off an old legacy wireless network onto a new network same IP space and SSID that requires RADIUS authentication.

These steps can be applied to many different scenarios for troubleshooting DHCP, I just made these ones specific since it was something I recently had to troubleshoot.

Here is a basic diagram of the setup, showing all the moving parts would be overkill for the diagram. The steps on what to do and troubleshooting are below the diagram.

What you will need:

Authentication Server IP

Authentication Secret Key

DHCP Server IP

Subnet and Mask that is being moved

SSID/Subnet being moved

Work and or Troubleshooting that needs to be done:

  1. Add the VLAN to the switches required
  2. Add the virtual interface on the firewall (gateway)
  3. Trunk the new vlan to the switch and configure the ports
  4. Setup DHCP helper to point to the DHCP server
  5. Allow DHCP traffic from the new subnet to the DHCP server
  6. Configure Radius on new Network
  7. Configure new SSID and network settings on Wireless LAN Controller

The Packet Wizard : VPN Split-Tunneling

Split-tunneling is a networking approach that lets a remote user using Remote Access Virtual Private Network (RAVPN) to have specific traffic sent to the internet instead of being sent over the encrypted VPN tunnel.

E.g. – A remote user is using a home network, hotel network or coffee shop to Remote Access VPN  (RAVPN) to connect to their works corporate network . The user or VPN subnet with split tunneling enabled can allow the user to send specific traffic such as; access to company file stores, company database servers, company mail servers and other servers on the corporate resources through the RAVPN connection. When the user connects to Internet resources such as Web sites, Personal Webmail, Voice or Video calls, etc.), the connection request can be sent directly out the local gateway provided by the home network, hotel network or coffee shop, thus preventing the traffic from being sent to the corporate network to be redirected to the internet, instead just going directly to the internet.

There are some Advantages of Split-Tunneling can be preventing bottlenecks especially if the user uses Voice/Video calls, where the calls can be severely depredated due to having to pass through the VPN tunnel first.

There are also some disadvantages of Split-Tunneling in that the user now by-passes Corporate security controls  that may be in place by the Security team for access to specific sites etc.

The Packet Wizard : Link Aggregation Group

The image above shows a link aggregation group between two switches. The reason we use Link Aggregation Groups (LAGs) are they allow you to combine multiple network physical connections to make a single higher load sharing bandwidth path thus increase the throughput beyond what a single connection could support, and also to provide redundancy incase one of the links should fail.

You can read on how to configure LAG’s on Ruckus Switches here:
Ruckus : Configure Link Aggregation Groups

Ruckus : Configure Link Aggregation Group

This is how to build a Link Aggregation Group on the Ruckus 7150. It is slightly different on the 7250’s.

 

 

Configure the Link Aggregation Group. There are multiple LAG types and they must match on both sides of the lag, other vendors may use different names for the same thing here are the common ones:

Ruckus LAG Types Other Vendor Types
Static On
Dyanmic Active

Configure a static LAG.

 


Configure a dynamic LAG.

 

 

The LAG ID can be automatically generated and assigned to a LAG using the auto option.

 

The Link Aggregation Group IDs are unique for each LAG on the switch. The LAG ID can’t be assigned to more than one LAG. If a LAG ID is already used, the CLI will reject the new LAG configuration and display an error message that suggests the next available LAG ID that can be used.

Once the LAG is built you have to add ports to the LAG.

 

The Packet Wizard : Work Travel

I am home! I have been travelling for work for the best part of the past 5 weeks. I was in Boston doing a network refresh the week before Easter, which included replacing all the network cables, installing new Palo Alto Firewalls and removing Cisco ASA’s. I also removed all Cisco Switches and installed a new stack of Ruckus 7250, replace the core switches with 2 new Arista’s. I then came home for 2 days and I left again for Singapore for 3 weeks. I was in Singapore integrating a new company we bought into our network, this was a team effort as we had other sites to bring online within 48 hours. Copenhagen and a small site in Kaohsiung, Taiwan. I have learned a lot over the past 2 month. I have some articles to write on what I have learned but for now, I just wanted to give a quick update. Here is some cable porn from the Boston Network Refresh.

Before:

After: