Spanning Tree Protocol (STP) Load Balancing and Port Manipulation
Overview
This lab demonstrates fundamental and advanced Spanning Tree Protocol (STP) operations using Cisco Packet Tracer. The configuration covers how STP determines root bridges, elects root ports and designated ports, and dynamically changes port roles when costs or priorities are altered. Load balancing was achieved by manually setting different root bridges for separate VLANs. The lab also included security enhancements using PortFast and BPDU Guard.
Skills Demonstrated |
---|
Identifying root bridges and STP port roles |
Configuring root and secondary root bridges for VLAN load balancing |
Modifying STP port costs and port priorities |
Testing root port recalculations due to cost and priority changes |
Enabling and verifying PortFast and BPDU Guard |
Observing STP listening, learning, and forwarding states |
Tools Used |
---|
Cisco Packet Tracer |
Switch Configuration CLI |
STP Show Commands |
Link Light Indicators |
Crossover and Straight-Through Cables |
1. Network Topology
First, I set up a network topology of 4 switches interconnected with straight-through cables and two PCs, with one in each VLAN.
Because the switches are all interconnected, this topology is a good way to test and configure STP load balancing.

2. Checking Current STP Topology
Once the network topology is set up, I now want to check the current STP topology — identifying the root bridge and STP role and state of each port on each switch.
First checking SW1, I run the following commands to see the current STP settings:
SW1> enable
SW1# show spanning-tree
I receive the following output:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.4301.4B81
Cost 19
Port 3(FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0060.2F90.D14A
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Root FWD 19 128.3 P2p
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0001.4301.4B81
Cost 19
Port 3(FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0060.2F90.D14A
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Altn BLK 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Root FWD 19 128.3 P2p
Looking at the output, both VLAN1 and VLAN2 are the same since nothing has been configured yet, and we can see that SW1 is not the root bridge because the Root ID MAC address and the Bridge ID MAC address are different.
Focusing on VLAN1, we can see that interface F0/3 is the Root port so we can guess that SW2 is the root bridge.
With that being said, running the same show STP command on SW2 we get the following output:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.4301.4B81
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0001.4301.4B81
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0001.4301.4B81
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0001.4301.4B81
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
By looking at the output, in the Root ID section, it states that "This bridge is the root."
We can also see that each interface has the Designated port role, letting us know SW2 is the root bridge.
Next, let's look at the STP settings for SW3:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.4301.4B81
Cost 19
Port 2(FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0040.0B50.AA56
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/3 Desg FWD 19 128.3 P2p
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Root FWD 19 128.2 P2p
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0001.4301.4B81
Cost 19
Port 2(FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0040.0B50.AA56
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Root FWD 19 128.2 P2p
We know that it can't be the root bridge, but we can see that F0/2 is the Root port and F0/1 is Designated.
Lastly, looking at SW4, we get the following output:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.4301.4B81
Cost 19
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0090.0C03.2D70
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Altn BLK 19 128.2 P2p
Fa0/1 Root FWD 19 128.1 P2p
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 32770
Address 0001.4301.4B81
Cost 19
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0090.0C03.2D70
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Altn BLK 19 128.2 P2p
Fa0/1 Root FWD 19 128.1 P2p
Fa0/3 Desg FWD 19 128.3 P2p
We also know this can't be the root bridge, but we can see that F0/1 is the Root port since it's connected to SW2, the root bridge.
So we've identified SW2 as the root bridge and also have an idea of the designated, root, and alternate ports on each switch.
Now let's configure load balancing across the switches for each VLAN.
3. STP Load Balancing
SW2 is currently the root bridge for both VLAN1 and VLAN2, which I do not want for load balancing purposes.
Having a different root bridge for VLAN1 and for VLAN2 can ensure network traffic is more evenly distributed and there are no bottlenecks.
For this lab, I want to make SW1 the primary root for VLAN1 and the secondary root for VLAN2. For SW2, I want to make it the primary root for VLAN2 and the secondary root for VLAN1.
To make SW1 the primary root for VLAN1 and secondary root for VLAN2 I run the following commands:
SW1> enable
SW1# conf t
SW1(config)# spanning-tree vlan 1 root primary
SW1(config)# spanning-tree vlan 2 root secondary
To make SW2 the primary root for VLAN2 and secondary root for VLAN1 I run the following commands:
SW2> enable
SW2# conf t
SW2(config)# spanning-tree vlan 1 root secondary
SW2(config)# spanning-tree vlan 2 root primary
Now when running the command "show spanning-tree" on SW1 we get the following output. We can see that it successfully became the root bridge for VLAN1:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0060.2F90.D14A
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0060.2F90.D14A
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 24578
Address 0001.4301.4B81
Cost 19
Port 3(FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 28674 (priority 28672 sys-id-ext 2)
Address 0060.2F90.D14A
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Root FWD 19 128.3 P2p
When we run the "show spanning-tree" command on SW2 we get the following output. We can see that it successfully became the root bridge for VLAN2:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0060.2F90.D14A
Cost 19
Port 3(FastEthernet0/3)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 28673 (priority 28672 sys-id-ext 1)
Address 0001.4301.4B81
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Root FWD 19 128.3 P2p
VLAN0002
Spanning tree enabled protocol ieee
Root ID Priority 24578
Address 0001.4301.4B81
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24578 (priority 24576 sys-id-ext 2)
Address 0001.4301.4B81
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p
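The election behind these outputs can be reproduced with a small model, shown here as an added example that is not part of the original lab. The MAC addresses and priorities are taken from the outputs above; the function and variable names are illustrative.

```python
# Added example: model of STP root bridge election with this lab's values.
# A bridge ID compares as (priority + VLAN ID, MAC); the lowest value wins.

MACS = {  # MAC addresses from the lab's show spanning-tree output
    "SW1": "0060.2F90.D14A",
    "SW2": "0001.4301.4B81",
    "SW3": "0040.0B50.AA56",
    "SW4": "0090.0C03.2D70",
}
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576    # priority shown after "root primary" in this lab
ROOT_SECONDARY = 28672  # priority shown after "root secondary" in this lab


def bridge_id(switch, vlan, priorities):
    """Return (priority + sys-id-ext, MAC as int) for one switch in one VLAN."""
    base = priorities.get((switch, vlan), DEFAULT_PRIORITY)
    mac = int(MACS[switch].replace(".", ""), 16)
    return (base + vlan, mac)


def elect_root(vlan, priorities, switches=MACS):
    """Lowest bridge ID wins; equal priorities fall through to the MAC."""
    return min(switches, key=lambda sw: bridge_id(sw, vlan, priorities))


# Priorities configured in section 3, keyed by (switch, VLAN).
configured = {
    ("SW1", 1): ROOT_PRIMARY, ("SW1", 2): ROOT_SECONDARY,
    ("SW2", 1): ROOT_SECONDARY, ("SW2", 2): ROOT_PRIMARY,
}

if __name__ == "__main__":
    for vlan in (1, 2):
        print(f"VLAN{vlan} default root:   ", elect_root(vlan, {}))
        print(f"VLAN{vlan} configured root:", elect_root(vlan, configured))
    # Failover: with SW1 removed, the secondary root takes over VLAN 1.
    remaining = [sw for sw in MACS if sw != "SW1"]
    print("VLAN1 root without SW1:", elect_root(1, configured, remaining))
```

With no priorities configured, SW2 wins both VLANs only because it has the lowest MAC address, which is why the default root is effectively arbitrary.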
4. Manipulating STP Port Roles
To test how manipulating the cost affects STP port roles, I will be changing the cost of SW4's F0/2 interface for VLAN1.
Since it is connected to the root bridge on VLAN1 (SW1), it is a designated port:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0060.2F90.D14A
Cost 19
Port 2(FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0090.0C03.2D70
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Root FWD 19 128.2 P2p
Fa0/1 Altn BLK 19 128.1 P2p
If I increase the cost from 19 to 100, it will no longer be a root port because cost is the first criterion in selecting the root port.
I run the following commands to increase the cost:
SW4> enable
SW4# conf t
SW4(config)# int f0/2
SW4(config-if)# spanning-tree vlan 1 cost 100
Now that the cost has changed, when running "show spanning-tree" for VLAN1, we can see that the F0/2 interface has changed from Root to Alternate since the cost increased:
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0060.2F90.D14A
Cost 38
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0090.0C03.2D70
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Altn BLK 100 128.2 P2p
Fa0/1 Root LSN 19 128.1 P2p
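The root port decision on SW4 can be worked through in code, as an added example that is not part of the original lab. Costs and bridge IDs come from the outputs above; the sender port IDs are assumed values (they only matter if cost and sender bridge ID both tie), and the class and function names are illustrative.

```python
# Added example: how SW4 picks its VLAN 1 root port before and after the
# cost change. Sender port IDs are assumed; they are not shown on the page.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    port: str                # local interface on SW4
    port_cost: int           # local STP cost of that interface
    advertised_cost: int     # root path cost in the neighbour's BPDU
    sender_bridge_id: tuple  # (priority, MAC) of the neighbour
    sender_port_id: tuple    # (priority, number) of the neighbour's port

    @property
    def root_path_cost(self):
        return self.advertised_cost + self.port_cost

    def rank(self):
        """Tie-break order: path cost, sender bridge ID, sender port ID."""
        return (self.root_path_cost, self.sender_bridge_id, self.sender_port_id)


def select_root_port(candidates):
    """Return (root port, alternates); the lowest rank() wins."""
    ordered = sorted(candidates, key=Candidate.rank)
    return ordered[0], ordered[1:]


SW1_BID = (24577, 0x00602F90D14A)  # VLAN 1 root, advertises cost 0
SW2_BID = (28673, 0x000143014B81)  # reaches the root at cost 19


def sw4_candidates(fa0_2_cost):
    """SW4's two uplinks in VLAN 1, with a configurable cost on Fa0/2."""
    return [
        Candidate("Fa0/2", fa0_2_cost, 0, SW1_BID, (128, 1)),
        Candidate("Fa0/1", 19, 19, SW2_BID, (128, 1)),
    ]


if __name__ == "__main__":
    for cost in (19, 100):
        root, alternates = select_root_port(sw4_candidates(cost))
        print(f"Fa0/2 cost {cost}: root port {root.port}, "
              f"root path cost {root.root_path_cost}")
```

At cost 100 the path through SW2 wins with 19 + 19 = 38, which matches the "Cost 38" line in the output above.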
5. Enabling PortFast and BPDU Guard
Now I will enable PortFast and BPDU Guard on SW3's F0/3 interface and SW4's F0/3 interface since they are connected to clients.
I run the following commands first on SW3:
SW3> enable
SW3# conf t
SW3(config)# int f0/3
SW3(config-if)# spanning-tree portfast
SW3(config-if)# spanning-tree bpduguard enable
Then I run the same commands on SW4:
SW4> enable
SW4# conf t
SW4(config)# int f0/3
SW4(config-if)# spanning-tree portfast
SW4(config-if)# spanning-tree bpduguard enable
Now the access ports connected to clients will move immediately to the forwarding state. And with BPDU Guard enabled, if one of these interfaces were somehow connected to another switch, it would receive a BPDU and be shut down to avoid a loop.