eNSP - Spanning-tree (Root Bridge, Root Port, Designated Port)

In short, spanning-tree is a protocol that lets us run a loop-free network: it calculates a unique path between any two nodes on the network and disables the redundant links.

The calculation of a unique path between nodes on the network starts by electing a Root Bridge, which is the logical centre of the network. The bridge with the lowest Bridge ID (priority first, then MAC address) is elected the Root. Once the network converges, the Root Bridge generates and sends configuration BPDUs at specific intervals. The other devices process and forward these configuration BPDUs to communicate topology changes, ensuring a stable network topology.

Spanning-tree is calculated based on two metrics, IDs and path cost:

IDs are classified into Bridge ID (BID) and Port ID (PID):
  • BID - According to IEEE 802.1D, a BID is composed of a bridge priority (leftmost 16 bits) and a bridge MAC address (rightmost 48 bits). On an STP network, the device with the smallest BID is elected as the root bridge.
  • PID - A PID is composed of a port priority (leftmost 4 bits) and a port number (rightmost 12 bits). The PID is used to select the designated port.

Path Cost
  • The path cost is a port variable used for link selection. STP calculates path costs to select robust links and blocks redundant links, and finally trims the network into a loop-free tree topology. On an STP network, a port's path cost to the root bridge is the sum of the path costs of all ports between the port and the root bridge. This path cost is the root path cost.

Spanning-tree uses three elements to prune a ring network into a tree network: Root Bridge, Root Port and Designated Port.

Let's have a look at the following topology to understand better how spanning-tree works. In order to follow this lab you must configure legacy spanning-tree on all switches by issuing the command "stp mode stp".



The command "display stp" displays the global spanning-tree information and also per-port information. The following output is a sample of "display stp" showing the global spanning-tree information on LSW1.
[LSW1] display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.4c1f-cc17-62ac
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :32768.4c1f-cc12-4c05 / 40000
CIST RegRoot/IRPC   :32768.4c1f-cc17-62ac / 0
CIST RootPortId     :128.2
BPDU-Protection     :Disabled
TC or TCN received  :139
TC count per hello  :0
STP Converge Mode   :Normal 
Time since last TC  :0 days 0h:0m:35s
Number of TC        :6
Last TC occurred    :GigabitEthernet0/0/2

The Root Bridge:


From the "display stp" command output on LSW1 we can see the Root Bridge priority (32768), the Root Bridge MAC address (4c1f-cc12-4c05), which corresponds to switch LSW3, and the accumulative path cost of 40000 from LSW1's perspective:
CIST Root/ERPC      :32768.4c1f-cc12-4c05 / 40000
When spanning-tree starts the Root Bridge election it first compares the bridge priority value; if the bridge priority is the same on all switches, spanning-tree uses the lowest MAC address as the tie-breaker. Therefore on our topology, since all switches have the same bridge priority (32768), spanning-tree elects the switch with the lowest MAC address, which is LSW3.

The Root Bridge election can be influenced by configuring a bridge priority on the switch we want as the Root Bridge. Let's configure LSW1 to be the Root Bridge by setting a bridge priority lower than the default value (32768).
[LSW1] stp priority 4096
On LSW3 run the command "display stp" to confirm that LSW1 is now the Root Bridge.
[LSW3]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.4c1f-cc12-4c05
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :4096 .4c1f-cc17-62ac / 40000
CIST RegRoot/IRPC   :32768.4c1f-cc12-4c05 / 0
CIST RootPortId     :128.2
BPDU-Protection     :Disabled
TC or TCN received  :90
TC count per hello  :0
STP Converge Mode   :Normal 
Time since last TC  :0 days 0h:1m:52s
Number of TC        :9
Last TC occurred    :GigabitEthernet0/0/2

The Root Port:

From the following output, on LSW3, we can see that the accumulative path cost is 40000 and the Root Port is GigabitEthernet0/0/2, with a port path cost of 20000.
[LSW3]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.4c1f-cc12-4c05
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :4096 .4c1f-cc17-62ac / 40000
CIST RegRoot/IRPC   :32768.4c1f-cc12-4c05 / 0
CIST RootPortId     :128.2
BPDU-Protection     :Disabled
TC or TCN received  :90
TC count per hello  :0
STP Converge Mode   :Normal 
Time since last TC  :0 days 0h:1m:52s
Number of TC        :9
Last TC occurred    :GigabitEthernet0/0/2
----[Port2(GigabitEthernet0/0/2)][FORWARDING]----
 Port Protocol       :Enabled
 Port Role           :Root Port
 Port Priority       :128
 Port Cost(Dot1T )   :Config=auto / Active=20000
 Designated Bridge/Port   :32768.4c1f-cc24-6747 / 128.1
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Transit Limit       :147 packets/hello-time
 Protection Type     :None
 Port STP Mode       :STP 
 Port Protocol Type  :Config=auto / Active=dot1s
 BPDU Encapsulation  :Config=stp / Active=stp
 PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 0
 TC or TCN send      :37
 TC or TCN received  :3
 BPDU Sent           :61             
          TCN: 0, Config: 61, RST: 0, MST: 0
 BPDU Received       :18             
          TCN: 3, Config: 15, RST: 0, MST: 0

The Root Port is the port with the lowest accumulative path cost to the Root Bridge. In spanning-tree every port has a path cost value; the accumulative path cost is the sum of all port path costs along the path to the Root Bridge.
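Reading that output programmatically, as an added example that is not part of the original post: the script below parses the LSW3 "display stp" output shown above (embedded as SAMPLE_OUTPUT, trimmed to the fields it needs), extracts the Root Bridge, root path cost, Root Port and per-port roles, and compares the reported root with the switch the operator expects. Because the lowest Bridge ID always wins, any device on the network that sends BPDUs with a lower BID becomes the root and redraws the forwarding topology, so checking the reported root against a known-good value is a cheap detection. The expected root MAC handed to check_root is the example's own assumption.

```python
"""Added example (not from the original post): parse Huawei 'display stp' output
and check the reported root bridge against the one the operator expects."""

import re

# LSW3 output from the lab after LSW1 was given priority 4096, trimmed to the
# lines the parser reads.
SAMPLE_OUTPUT = """\
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.4c1f-cc12-4c05
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :4096 .4c1f-cc17-62ac / 40000
CIST RegRoot/IRPC   :32768.4c1f-cc12-4c05 / 0
CIST RootPortId     :128.2
BPDU-Protection     :Disabled
----[Port2(GigabitEthernet0/0/2)][FORWARDING]----
 Port Protocol       :Enabled
 Port Role           :Root Port
 Port Priority       :128
 Port Cost(Dot1T )   :Config=auto / Active=20000
 Designated Bridge/Port   :32768.4c1f-cc24-6747 / 128.1
 Port Edged          :Config=default / Active=disabled
"""

# A Bridge ID prints as "priority.mac"; the device pads the priority field, so
# allow whitespace around the dot ("4096 .4c1f-..." above).
BID = r"(\d+)\s*\.\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
PORT_SECTION = re.compile(
    r"----\[Port\d+\(([^)]+)\)\]\[(\w+)\]----\n(.*?)(?=\n----\[Port|\Z)", re.S)


def _bid(m, i=1):
    """Turn regex groups i (priority) and i+1 (MAC) into a comparable tuple."""
    return (int(m.group(i)), m.group(i + 1))


def parse_display_stp(text):
    """Extract the global root information and one entry per port section."""
    info = {}
    info["bridge"] = _bid(re.search(r"CIST Bridge\s*:\s*" + BID, text))
    root = re.search(r"CIST Root/ERPC\s*:\s*" + BID + r"\s*/\s*(\d+)", text)
    info["root"] = _bid(root)
    info["root_path_cost"] = int(root.group(3))
    rp = re.search(r"CIST RootPortId\s*:\s*(\d+)\.(\d+)", text)
    info["root_port_id"] = (int(rp.group(1)), int(rp.group(2)))
    info["bpdu_protection"] = re.search(r"BPDU-Protection\s*:\s*(\w+)", text).group(1)
    info["ports"] = {}
    for name, state, body in PORT_SECTION.findall(text):
        role = re.search(r"Port Role\s*:\s*(.+)", body).group(1).strip()
        cost = int(re.search(r"Port Cost\([^)]*\)\s*:.*?Active=(\d+)", body).group(1))
        d = re.search(r"Designated Bridge/Port\s*:\s*" + BID + r"\s*/\s*(\d+)\.(\d+)", body)
        info["ports"][name] = {
            "state": state,
            "role": role,
            "cost": cost,
            "designated_bridge": _bid(d),
            "designated_port_id": (int(d.group(3)), int(d.group(4))),
        }
    return info


def check_root(info, expected_root_mac):
    """Return a list of findings; an empty list means the expected switch is root."""
    findings = []
    prio, mac = info["root"]
    if mac != expected_root_mac:
        findings.append(f"root bridge is {prio}.{mac}, expected MAC {expected_root_mac}")
    if info["bpdu_protection"].lower() != "enabled":
        # Without BPDU protection an edge port that receives a BPDU stays up
        # and simply rejoins the STP calculation instead of being shut down.
        findings.append("BPDU protection is disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_display_stp(SAMPLE_OUTPUT)
    print("root:", parsed["root"], "via port", parsed["root_port_id"], "cost", parsed["root_path_cost"])
    # Baseline assumption: LSW3 (4c1f-cc12-4c05) was the root before the change.
    for finding in check_root(parsed, "4c1f-cc12-4c05"):
        print("FINDING:", finding)
```

Run against the output captured before and after a change window, the root finding is the one to alert on; the BPDU-protection line is a hardening reminder for the host-facing edge ports.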

Why did spanning-tree elect GigabitEthernet0/0/2 as the Root Port?

The first step spanning-tree takes to elect a Root Port is to compare the accumulative path cost of the ports that lead to the Root Bridge. On our topology, on LSW3, the accumulative path cost of GigabitEthernet0/0/2 and GigabitEthernet0/0/1 is the same. When the accumulative path costs are equal, spanning-tree carries on to step two, where it compares the MAC addresses of the neighbouring switches. Since those MAC addresses are different, spanning-tree chooses the port that connects to the neighbouring switch with the lowest MAC address as the Root Port and the election stops. (Remember that spanning-tree always chooses the lowest value.)

Let's influence the Root Port election on LSW3 by configuring the path cost of port GigabitEthernet0/0/1 to be lower than 20000.
[LSW3]interface g0/0/1
[LSW3-GigabitEthernet0/0/1]stp cost 10000
We can confirm on LSW3 that the accumulative path cost is now 30000 and the Root Port is GigabitEthernet0/0/1, with a port path cost of 10000.
[LSW3]display stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge         :32768.4c1f-cc12-4c05
Config Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC      :4096 .4c1f-cc17-62ac / 30000
CIST RegRoot/IRPC   :32768.4c1f-cc12-4c05 / 0
CIST RootPortId     :128.1
BPDU-Protection     :Disabled
TC or TCN received  :47
TC count per hello  :0
STP Converge Mode   :Normal 
Time since last TC  :0 days 0h:3m:32s
Number of TC        :9
Last TC occurred    :GigabitEthernet0/0/1
----[Port1(GigabitEthernet0/0/1)][FORWARDING]----
 Port Protocol       :Enabled
 Port Role           :Root Port
 Port Priority       :128
 Port Cost(Dot1T )   :Config=10000 / Active=10000
 Designated Bridge/Port   :32768.4c1f-cc94-1c38 / 128.2
 Port Edged          :Config=default / Active=disabled
 Point-to-point      :Config=auto / Active=true
 Transit Limit       :147 packets/hello-time
 Protection Type     :None
 Port STP Mode       :STP 
 Port Protocol Type  :Config=auto / Active=dot1s
 BPDU Encapsulation  :Config=stp / Active=stp
 PortTimes           :Hello 2s MaxAge 20s FwDly 15s RemHop 0
 TC or TCN send      :52
 TC or TCN received  :19
 BPDU Sent           :137             
          TCN: 0, Config: 137, RST: 0, MST: 0
 BPDU Received       :115             
          TCN: 2, Config: 113, RST: 0, MST: 0

So far we have seen how spanning-tree elects a Root Port when the uplinks go through different upstream switches; let's now look at how it elects a Root Port when the uplinks go through the same switch.

The Root Port elected by spanning-tree on switch LSW6 is GigabitEthernet0/0/2; let's confirm it with the command "display stp" or "display stp brief".
[LSW6]display stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/3        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/4        ALTE  DISCARDING      NONE

Why did Spanning-tree elect GigabitEthernet 0/0/2 on LSW6 as the Root Port? Let's once again go through the steps that Spanning-tree takes to elect a Root Port.

1 - Spanning-tree compares the accumulative path cost of each uplink port and elects the port with the lowest accumulative path cost as the Root Port.

 Confirm the accumulative path cost value with the command "display stp".
[LSW6]display stp | in CIST Root/ERPC
CIST Root/ERPC      :4096 .4c1f-cc17-62ac / 40000

LSW6 has four uplinks, of which GigabitEthernet0/0/2 and 0/0/1 have the same accumulative path cost. Since these two ports are equal, spanning-tree needs a tie-breaker.

2 - Spanning-tree compares the MAC addresses of the neighbouring switches connected through the uplinks; the lowest MAC address wins the election and breaks the tie.

Since uplinks GigabitEthernet0/0/2 and 0/0/1 have the lowest accumulative path cost, we only need to confirm the MAC address of the neighbouring switch connected to these uplinks, by issuing the command "display lldp neighbor interface GigabitEthernet [slot number]". (Note that the LLDP protocol is out of the scope of this tutorial; if you want to learn more about it go here.)
[LSW6]display lldp neighbor interface GigabitEthernet 0/0/2 | in Chassis ID
GigabitEthernet0/0/2 has 1 neighbors:

Neighbor index : 1
Chassis ID     :4c1f-cc24-6747


[LSW6]display lldp neighbor interface GigabitEthernet 0/0/1 | in Chassis ID
GigabitEthernet0/0/1 has 1 neighbors:

Neighbor index : 1
Chassis ID     :4c1f-cc24-6747

Spanning-tree has found that the MAC address of the neighbouring switch is the same on GigabitEthernet0/0/2 and 0/0/1 and needs another tie-breaker.

3 - Spanning-tree compares the port priority values received from the neighbouring switch; the port that receives the lowest port priority value wins the election and becomes the Root Port.

Let's look at the port priority values received on GigabitEthernet0/0/2 and 0/0/1 on LSW6 with "display stp interface [port]".
[LSW6]display stp interface GigabitEthernet 0/0/1 | in Designated
 Designated Bridge/Port   :38768.4c1f-cc24-6747 / 128.5
[LSW6]display stp interface GigabitEthernet 0/0/2 | in Designated
 Designated Bridge/Port   :38768.4c1f-cc24-6747 / 128.4
Spanning-tree has found that the priority values received on both GigabitEthernet0/0/2 and 0/0/1 are the same and goes through a final step to find a tie-breaker.

4 - Spanning-tree compares the port ID values received from the neighbouring switch and finally elects a Root Port, since no two port IDs on the neighbouring switch are identical. We can confirm this with the command used in step 3.
[LSW6]display stp interface GigabitEthernet 0/0/1 | in Designated
 Designated Bridge/Port   :38768.4c1f-cc24-6747 / 128.5
[LSW6]display stp interface GigabitEthernet 0/0/2 | in Designated
 Designated Bridge/Port   :38768.4c1f-cc24-6747 / 128.4
Spanning-tree elects port GigabitEthernet0/0/2 as the Root Port since it receives the lowest port ID from the neighbouring switch.

To influence the election of the Root Port on LSW6, let's configure the port priority of GigabitEthernet0/0/5 on switch LSW4 to be lower than 128.
[LSW4]interface GigabitEthernet 0/0/5
[LSW4-GigabitEthernet0/0/5]stp port priority 64
Now confirm that port GigabitEthernet0/0/1 is the Root Port on LSW6 with the command "display stp interface GigabitEthernet 0/0/1".
[LSW6]display stp interface GigabitEthernet 0/0/1
----[Port1(GigabitEthernet0/0/1)][FORWARDING]----
 Port Protocol       :Enabled
 Port Role           :Root Port
 Port Priority       :128
 Port Cost(Dot1T )   :Config=auto / Active=20000
 Designated Bridge/Port   :32768.4c1f-cc24-6747 / 64.5

We can also confirm that the priority value received on port GigabitEthernet0/0/1 on LSW6 (64.5) is the priority value configured previously on port GigabitEthernet0/0/5 on LSW4.
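The four election steps above, together with the Root Bridge election and the LSW3 Root Port change earlier in the post, as a small model in Python. This is an added example, not the post's own code: Bridge IDs, MAC addresses, costs and port numbers are the ones visible in the lab output; the switch behind LSW3's GigabitEthernet0/0/1 is not named in the post, so only its MAC (4c1f-cc94-1c38) is used, and LSW6's two other uplinks, whose costs the post does not show, are left out. Since the lowest Bridge ID wins unconditionally, the model also shows why pinning the root with "stp priority" matters: without it the choice falls to whichever switch happens to have the lowest MAC.

```python
"""Added example (not from the original post): a model of the STP election rules
walked through in the lab, fed with the values visible in the 'display stp' output."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str              # Huawei "xxxx-xxxx-xxxx" form: fixed-width lowercase hex, so string order is numeric order
    priority: int = 32768

    @property
    def bid(self):
        # 802.1D Bridge ID: 16-bit priority followed by the 48-bit MAC, so a
        # tuple compares exactly the way the switches compare BIDs.
        return (self.priority, self.mac)


def elect_root(bridges):
    """Root Bridge = lowest Bridge ID (priority first, MAC as the tie-breaker)."""
    return min(bridges, key=lambda b: b.bid)


@dataclass(frozen=True)
class Uplink:
    """One candidate Root Port of the local switch, as seen in the BPDU it receives."""
    local_port: str
    local_port_id: tuple   # (port priority, port number) of the local port
    root_path_cost: int    # neighbour's cost to the root + this port's own cost
    sender_bid: tuple      # Designated Bridge ID carried in the received BPDU
    sender_port_id: tuple  # Designated Port ID carried in the received BPDU


def elect_root_port(uplinks):
    """Step 1: lowest accumulative path cost. Step 2: lowest neighbour Bridge ID.
    Steps 3 and 4: lowest received Port ID (priority, then number). The local
    Port ID is the last resort (two links into the same port of the same neighbour)."""
    return min(uplinks, key=lambda u: (u.root_path_cost, u.sender_bid, u.sender_port_id, u.local_port_id))


LSW1 = Bridge("LSW1", "4c1f-cc17-62ac")
LSW3 = Bridge("LSW3", "4c1f-cc12-4c05")
LSW4 = Bridge("LSW4", "4c1f-cc24-6747")


def root_bridge_demo():
    """Default priorities: LSW3 has the lowest MAC. 'stp priority 4096' on LSW1 overrides that."""
    before = elect_root([LSW1, LSW3, LSW4]).name
    after = elect_root([Bridge("LSW1", LSW1.mac, priority=4096), LSW3, LSW4]).name
    return before, after


def lsw3_root_port_demo(g1_cost=20000):
    """LSW3 with LSW1 as root: both neighbours are 20000 from the root, so the
    accumulative cost is 40000 on both uplinks until 'stp cost 10000' is set on g0/0/1.
    The neighbour on g0/0/1 is known only by its MAC (assumption: default priority)."""
    uplinks = [
        Uplink("GigabitEthernet0/0/1", (128, 1), 20000 + g1_cost, (32768, "4c1f-cc94-1c38"), (128, 2)),
        Uplink("GigabitEthernet0/0/2", (128, 2), 20000 + 20000, LSW4.bid, (128, 1)),
    ]
    return elect_root_port(uplinks).local_port


def lsw6_root_port_demo(lsw4_g5_priority=128):
    """LSW6: both uplinks go to LSW4 at cost 40000, so the received Port IDs decide
    (128.4 on g0/0/2 beats 128.5 on g0/0/1) until LSW4 sets 'stp port priority 64' on g0/0/5."""
    uplinks = [
        Uplink("GigabitEthernet0/0/1", (128, 1), 40000, LSW4.bid, (lsw4_g5_priority, 5)),
        Uplink("GigabitEthernet0/0/2", (128, 2), 40000, LSW4.bid, (128, 4)),
    ]
    return elect_root_port(uplinks).local_port


if __name__ == "__main__":
    print(root_bridge_demo())                                                   # ('LSW3', 'LSW1')
    print(lsw3_root_port_demo(), lsw3_root_port_demo(g1_cost=10000))            # g0/0/2 then g0/0/1
    print(lsw6_root_port_demo(), lsw6_root_port_demo(lsw4_g5_priority=64))      # g0/0/2 then g0/0/1
```

The whole comparison is one tuple ordering, which is the point: every knob the lab turns (bridge priority, port cost, port priority) just edits one element of that tuple.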


Designated ports:


Designated Ports are the opposite of Root Ports: they are downstream ports that face away from the Root Bridge. For every network segment attached to a switch, apart from the one holding the Root Port, spanning-tree elects either a Designated Port or a Non-Designated (alternate) port. The algorithm used to elect Designated Ports is the same as the one used in the Root Port election.

When electing a Designated Port, spanning-tree takes into consideration the bridge MAC address and, as you know, with spanning-tree the lowest value always wins. On the network segment between LSW3 and LSW6 the Designated Port elected by spanning-tree is GigabitEthernet0/0/3 on switch LSW3, since this switch has the lowest MAC address.

We can confirm the port roles and states on LSW3 with the command "display stp brief".
[LSW3]display stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/3        DESI  FORWARDING      NONE

ASA SSL clientless VPN

SSL clientless VPNs give remote users access to corporate resources from anywhere on the Internet. Remote access is provided through an SSL-enabled VPN gateway, which allows a remote user to establish a secure Virtual Private Network tunnel using only a web browser. This feature provides a comprehensive solution that gives easy access to a broad range of web resources and web-enabled applications using the browser's native HTTP over SSL (HTTPS) support.

SSL clientless VPN configuration can be done through the CLI or ASDM. This tutorial shows how to configure an SSL clientless VPN through the CLI.

The following topology represents a remote user establishing a secure connection to the corporate network.




The configuration of an SSL clientless VPN tunnel can be done in the following steps:

- Configure an Access-list (WEB ACL).

- Configure a Group-policy.

- Configure a Connection profile (Tunnel-group).

- Create a user.

We start by configuring an access-list that controls which internal resources the remote user can reach. In this scenario we want to allow only HTTP traffic to the internal server, which we can do with a webtype ACL.
ASA2(config)# access-list WebACL webtype permit url http://192.168.10.100 log default
To configure a group-policy we first define where it is stored: internal means locally on the ASA, external means on a RADIUS or LDAP server.
ASA2(config)# group-policy Remote_Access internal
After creating a group policy, we can configure its attributes.
ASA2(config)# group-policy Remote_Access attributes
ASA2(config-group-policy)# vpn-tunnel-protocol ssl-clientless 
ASA2(config-group-policy)# banner none
ASA2(config-group-policy)# banner value Welcome Remote Access user
ASA2(config-group-policy)# webvpn
ASA2(config-group-webvpn)# filter value WebACL
ASA2(config-group-webvpn)# url-entry enable
Enable WebVPN on the outside interface.
ASA2(config)# webvpn
ASA2(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA2(config-webvpn)# tunnel-group-list enable
Finally configure the tunnel-group (connection profile).
ASA2(config)# tunnel-group Remote_Access type remote-access
ASA2(config)# tunnel-group Remote_Access general-attributes
ASA2(config-tunnel-general)# default-group-policy Remote_Access
ASA2(config-tunnel-general)# exit
ASA2(config)# tunnel-group Remote_Access webvpn-attributes
ASA2(config-tunnel-webvpn)# group-alias RAusers enable
ASA2(config-tunnel-webvpn)#   group-url https://10.0.0.254/Raccess enable
ASA2(config-tunnel-webvpn)#   without-csd
To access the internal resources a username and password must be specified. For this tutorial we create the user in the local database.
ASA2(config)# username RemoteUser password Letmein privilege 1
ASA2(config)# username RemoteUser attributes
ASA2(config-username)# vpn-group-policy Remote_Access
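A consistency check over the configuration built above, as an added example that is not part of the tutorial: it parses the commands as they would appear in the running configuration (prompts stripped, nesting shown by indentation) and reports references that do not resolve, so a typo in an ACL or group-policy name is caught before it reaches the device, along with any clientless group-policy that has no webtype ACL filter and any webtype ACL entry that permits "any". SAMPLE_CONFIG is constructed from the tutorial's commands; the parser only understands the handful of commands used here.

```python
"""Added example (not from the tutorial): a small consistency check for the
clientless SSL VPN configuration above. It understands only the commands the
tutorial uses; anything else is ignored."""

# Constructed from the tutorial's commands, written the way 'show running-config'
# presents them (no prompts, one space of indentation per nesting level).
SAMPLE_CONFIG = """\
access-list WebACL webtype permit url http://192.168.10.100 log default
group-policy Remote_Access internal
group-policy Remote_Access attributes
 vpn-tunnel-protocol ssl-clientless
 banner value Welcome Remote Access user
 webvpn
  filter value WebACL
  url-entry enable
webvpn
 enable outside
 tunnel-group-list enable
tunnel-group Remote_Access type remote-access
tunnel-group Remote_Access general-attributes
 default-group-policy Remote_Access
tunnel-group Remote_Access webvpn-attributes
 group-alias RAusers enable
 group-url https://10.0.0.254/Raccess enable
 without-csd
username RemoteUser password Letmein privilege 1
username RemoteUser attributes
 vpn-group-policy Remote_Access
"""

KIND_LABEL = {"acl": "webtype ACL", "gp": "group-policy"}


def parse_asa(text):
    """Return (webtype ACLs, group-policies, references) found in the text."""
    acls = {}    # name -> list of (line_no, entry tokens after 'webtype')
    gps = {}     # name -> {"protocols": [...], "filter": ACL name or None}
    refs = []    # (kind, referenced name, line_no, where it was referenced)
    ctx = None   # (kind, name) of the block that indented lines belong to
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        t = line.split()
        if not raw.startswith(" "):                     # top-level command
            ctx = None
            if t[0] == "access-list" and len(t) > 2 and t[2] == "webtype":
                acls.setdefault(t[1], []).append((n, t[3:]))
            elif t[0] == "group-policy":
                gps.setdefault(t[1], {"protocols": [], "filter": None})
                if t[2] == "attributes":
                    ctx = ("gp", t[1])
            elif t[0] == "tunnel-group" and t[2] == "general-attributes":
                ctx = ("tg", t[1])
            elif t[0] == "username" and t[2] == "attributes":
                ctx = ("user", t[1])
        elif ctx is not None:                           # indented: belongs to ctx
            kind, name = ctx
            if kind == "gp" and t[0] == "vpn-tunnel-protocol":
                gps[name]["protocols"] = t[1:]
            elif kind == "gp" and t[:2] == ["filter", "value"]:
                gps[name]["filter"] = t[2]
                refs.append(("acl", t[2], n, f"group-policy {name}"))
            elif kind == "tg" and t[0] == "default-group-policy":
                refs.append(("gp", t[1], n, f"tunnel-group {name}"))
            elif kind == "user" and t[0] == "vpn-group-policy":
                refs.append(("gp", t[1], n, f"username {name}"))
    return acls, gps, refs


def check_config(text):
    """Return a list of findings; an empty list means the references and filters line up."""
    acls, gps, refs = parse_asa(text)
    findings = []
    for kind, name, n, where in refs:
        defined = acls if kind == "acl" else gps
        if name not in defined:
            findings.append(f"line {n}: {where} references undefined {KIND_LABEL[kind]} '{name}'")
    for name, gp in gps.items():
        if "ssl-clientless" in gp["protocols"] and gp["filter"] is None:
            findings.append(f"group-policy {name}: ssl-clientless allowed without a webtype ACL filter")
    for name, entries in acls.items():
        for n, entry in entries:
            if entry[0] == "permit" and "any" in entry:
                findings.append(f"line {n}: webtype ACL {name} permits 'any'")
    return findings


if __name__ == "__main__":
    print("as written:", check_config(SAMPLE_CONFIG) or "no findings")
    typo = SAMPLE_CONFIG.replace("vpn-group-policy Remote_Access", "vpn-group-policy Remote-Access")
    print("with a misspelled group-policy name:", check_config(typo))
```

The check is deliberately narrow: it flags the three mistakes that would most likely widen access in this particular setup (a dangling name, a missing filter, an over-broad ACL entry) rather than trying to model the whole ASA grammar.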