Improvements in RSTP
In 2001, IEEE 802.1w was published to introduce the Rapid Spanning Tree Protocol (RSTP), an extension of the Spanning Tree Protocol (STP). RSTP was developed based on STP and makes additions and modifications to STP.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading to service quality deterioration. If the network topology changes frequently, the STP network will frequently lose connection and suffer service interruptions, significantly impacting user experience.
STP has the following disadvantages:
STP does not distinguish port states and port roles clearly.
Ports in Listening, Learning, and Blocking states are the same to users because they are all prevented from forwarding service traffic.
From the perspective of port use and configuration, the essential differences between ports lie in the port roles rather than port states.
Both root and designated ports can be in Listening or Forwarding state, so the ports cannot be distinguished solely by their states.
STP determines topology changes after the timer expires, which slows down network convergence.
STP requires that the root bridge send configuration BPDUs after the network topology becomes stable and other devices process and spread the configuration BPDUs to the entire network. This also slows down topology convergence.
Improvements Made in RSTP
RSTP removes three port states, defines two new port roles, and distinguishes port attributes based on port states and roles. In addition, RSTP provides enhanced features and protection measures to ensure network stability and fast convergence.
RSTP defines additional port roles to simplify the learning and deployment of the protocol.
Figure 14-11 shows the four port roles defined in RSTP: root port, designated port, alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP. The alternate port and backup port are defined as follows:
- From the perspective of configuration BPDU transmission:
  - An alternate port is blocked after learning a configuration BPDU sent from another bridge.
  - A backup port is blocked after learning a configuration BPDU sent from itself.
- From the perspective of user traffic:
  - An alternate port acts as a backup of the root port and provides an alternate path from the designated bridge to the root bridge.
  - A backup port acts as a backup of the designated port and provides a backup path from the root bridge to the related network segment.
After roles of all RSTP ports are determined, the topology convergence is completed.
RSTP redefines port states.
RSTP reduces the number of port states to 3. Depending on whether a port can forward user traffic and learn MAC addresses, the port will be in one of the following states:
- If the port does not forward user traffic or learn MAC addresses, it is in the Discarding state.
- If the port does not forward user traffic but learns MAC addresses, it is in the Learning state.
- If the port forwards user traffic and learns MAC addresses, it is in the Forwarding state.
Table 14-11 compares the port states defined in STP and RSTP. Port states are not necessarily related to port roles. Table 14-11 lists possible states for different port roles.
Table 14-11 Comparison between port states defined in STP and RSTP

| STP Port State | RSTP Port State | Port Role |
|---|---|---|
| Forwarding | Forwarding | Root port or designated port |
| Learning | Learning | Root port or designated port |
| Listening | Discarding | Root port or designated port |
| Blocking | Discarding | Alternate port or backup port |
| Disabled | Discarding | - |
RSTP changes the configuration BPDU format and uses the Flags field to describe port roles.
RSTP retains the basic configuration BPDU format defined in STP with minor changes:
- The value of the Type field is changed from 0 to 2. Devices running STP will discard configuration BPDUs sent from devices running RSTP.
- The Flags field uses the six bits reserved in STP. This configuration BPDU is called an RST BPDU. Figure 14-12 shows the Flags field in an RST BPDU.
RSTP processes configuration BPDUs differently from STP.
Configuration BPDU transmission
In STP, the root bridge sends configuration BPDUs at Hello timer intervals after the topology becomes stable. Non-root bridges send configuration BPDUs only after they receive configuration BPDUs from upstream devices. This complicates the STP calculation and slows down network convergence.
RSTP allows non-root bridges to send configuration BPDUs at Hello timer intervals after the topology becomes stable, regardless of whether they have received configuration BPDUs from the root bridge.
BPDU timeout period
In STP, a device has to wait for a Max Age period before determining a negotiation failure.
In RSTP, a device determines that the negotiation between its port and the upstream device has failed if the port does not receive any configuration BPDUs sent from the upstream device within the timeout interval (Hello Time x 3 x Timer Factor).
Processing of inferior BPDUs
When an RSTP port receives an RST BPDU from the upstream designated bridge, the port compares the received RST BPDU with its own RST BPDU.
If its RST BPDU is superior to the received one, the port discards the received RST BPDU and immediately responds to the upstream device with its own RST BPDU. After receiving this RST BPDU, the upstream device replaces its own RST BPDU with it. In this manner, RSTP processes inferior BPDUs rapidly, independent of any timer.
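The two mechanisms above, the changed BPDU format (Type field 2, Flags bits that carry the port role and state) and the superior/inferior comparison used to react to a BPDU from the upstream bridge, can be exercised with a small parser. The following is an added example, not code from the original document or from any vendor implementation; the field layout follows IEEE 802.1D/802.1w as known to the editor, the bridge IDs and MAC addresses are constructed, and the single-flush reply strings are names chosen for this example.

```python
# Added example (not part of the original document): parse STP/RST BPDUs and
# apply the RSTP "superior BPDU" comparison. Field layout follows IEEE
# 802.1D/802.1w; the sample BPDUs below are constructed by hand.
import struct
from dataclasses import dataclass

BPDU_TYPE_CONFIG = 0x00  # STP configuration BPDU (Type field = 0)
BPDU_TYPE_RST = 0x02     # RST BPDU (Type field = 2)

# Flags field bits in an RST BPDU; STP uses only TC and TCA, the other six are reserved
FLAG_TC, FLAG_PROPOSAL, FLAG_ROLE_MASK = 0x01, 0x02, 0x0C
FLAG_LEARNING, FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TCA = 0x10, 0x20, 0x40, 0x80
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}

# Protocol ID, version, type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay (35 bytes)
_HDR = struct.Struct("!HBBBQIQHHHHH")


@dataclass(frozen=True)
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: int          # 8-byte bridge ID of the claimed root
    root_path_cost: int
    bridge_id: int        # 8-byte bridge ID of the sender
    port_id: int
    message_age: float    # timers in seconds (wire format uses 1/256 s units)
    max_age: float
    hello_time: float
    forward_delay: float

    def priority_vector(self):
        # Spanning-tree comparison order; a numerically lower vector is superior
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

    def is_superior_to(self, other: "Bpdu") -> bool:
        return self.priority_vector() < other.priority_vector()

    def decoded_flags(self) -> dict:
        return {
            "tc": bool(self.flags & FLAG_TC),
            "proposal": bool(self.flags & FLAG_PROPOSAL),
            "port_role": PORT_ROLES[(self.flags & FLAG_ROLE_MASK) >> 2],
            "learning": bool(self.flags & FLAG_LEARNING),
            "forwarding": bool(self.flags & FLAG_FORWARDING),
            "agreement": bool(self.flags & FLAG_AGREEMENT),
            "tca": bool(self.flags & FLAG_TCA),
        }


def make_bridge_id(priority: int, mac: str) -> int:
    """Bridge ID = 16-bit priority followed by the 48-bit bridge MAC address."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_bpdu(bpdu_type, flags, root_id, cost, sender_id, port_id,
               msg_age=0.0, max_age=20.0, hello=2.0, fwd_delay=15.0) -> bytes:
    version = 2 if bpdu_type == BPDU_TYPE_RST else 0
    data = _HDR.pack(0, version, bpdu_type, flags, root_id, cost, sender_id,
                     port_id, int(msg_age * 256), int(max_age * 256),
                     int(hello * 256), int(fwd_delay * 256))
    if bpdu_type == BPDU_TYPE_RST:
        data += b"\x00"  # Version 1 Length field, present only in RST BPDUs
    return data


def parse_bpdu(data: bytes) -> Bpdu:
    if len(data) < _HDR.size:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root, cost, sender, port,
     msg_age, max_age, hello, fwd_delay) = _HDR.unpack_from(data)
    if proto != 0:
        raise ValueError("not a spanning tree BPDU")
    if btype not in (BPDU_TYPE_CONFIG, BPDU_TYPE_RST):
        raise ValueError(f"unsupported BPDU type {btype:#04x}")
    return Bpdu(version, btype, flags, root, cost, sender, port,
                msg_age / 256, max_age / 256, hello / 256, fwd_delay / 256)


def stp_bridge_accepts(data: bytes) -> bool:
    """An STP-only bridge handles Type 0 configuration BPDUs and drops RST BPDUs."""
    return len(data) >= 4 and data[3] == BPDU_TYPE_CONFIG


def process_upstream_bpdu(own: Bpdu, received: Bpdu) -> str:
    """RSTP reaction to a BPDU from the upstream designated bridge (no timer involved)."""
    if own.is_superior_to(received):
        return "discard-and-reply-with-own"   # inferior BPDU: answer immediately
    return "accept-and-replace-own"


if __name__ == "__main__":
    root = make_bridge_id(4096, "00:11:22:33:44:55")        # constructed
    me = make_bridge_id(32768, "00:aa:bb:cc:dd:ee")         # constructed
    own = parse_bpdu(build_bpdu(BPDU_TYPE_RST, 0x3C, root, 20000, me, 0x8001))
    # Upstream bridge that lost its path to the root now claims itself as root
    lost = make_bridge_id(32768, "00:ff:00:ff:00:ff")
    stale = parse_bpdu(build_bpdu(BPDU_TYPE_RST, 0x3C, lost, 0, lost, 0x8002))
    print(own.decoded_flags()["port_role"], process_upstream_bpdu(own, stale))
```

The comparison is a plain tuple ordering on (root ID, root path cost, sender bridge ID, sender port ID), which is why an upstream bridge that starts advertising itself as root with a higher bridge ID is classed as inferior and answered at once rather than after a timer.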
Rapid convergence
Proposal/Agreement mechanism
In STP, a port that is selected as a designated port needs to wait at least one Forward Delay interval in the Learning state before it enters the Forwarding state.
In RSTP, a port that is selected as a designated port enters the Discarding state, and then the proposal/agreement mechanism allows the port to immediately enter the Forwarding state. The proposal/agreement mechanism must be applied on P2P links in full-duplex mode.
For details, see RSTP Technology Details.
Fast switchover of the root port
If a root port fails, the best alternate port becomes the root port and enters the Forwarding state. This is because the network segment connected to this alternate port has a designated port connected to the root bridge.
When the port role changes, the network topology changes accordingly. For details, see RSTP Technology Details.
Edge ports
In RSTP, a designated port on the network edge is called an edge port. An edge port directly connects to a terminal and does not connect to any other switching devices.
An edge port does not participate in RSTP calculation and can transition from the Disabled state to the Forwarding state immediately. An edge port becomes a common STP port once it is connected to a switching device and receives a configuration BPDU; the spanning tree then needs to be recalculated, which leads to network flapping.
Protection functions
RSTP provides the following functions:
- BPDU protection
On a switching device, ports directly connected to a user terminal such as a PC or file server are edge ports. Usually, no RST BPDUs are sent to edge ports. If a switching device receives malicious RST BPDUs on an edge port, the switching device automatically sets the edge port to a non-edge port and performs STP calculation. This causes network flapping.
BPDU protection enables a switching device to set the state of an edge port to error-down if the edge port receives an RST BPDU. In this case, the port remains the edge port, and the switching device sends a notification to the NMS.
- Root protection
The root bridge on a network may receive superior RST BPDUs due to incorrect configurations or malicious attacks. When this occurs, the root bridge can no longer serve as the root bridge and the network topology will incorrectly change. As a result, traffic may be switched from high-speed links to low-speed links, leading to network congestion.
If root protection is enabled on a designated port, the port role cannot be changed. When the designated port receives a superior RST BPDU, the port enters the Discarding state and does not forward packets. If the port does not receive any superior RST BPDUs within a specified period (two Forward Delay periods by default), the port automatically enters the Forwarding state.
Root protection takes effect only on designated ports.
- Loop protection
On an RSTP network, a switching device maintains the states of the root port and blocked ports based on RST BPDUs received from the upstream switching device. If the ports cannot receive RST BPDUs from the upstream switching device because of link congestion or unidirectional link failures, the switching device re-selects a root port. Then, the previous root port becomes a designated port and the blocked ports change to the Forwarding state, which can lead to loops on the network.
In Figure 14-13, when the link between BP2 and CP1 is congested, the root port CP1 on DeviceC cannot receive BPDUs from the upstream device. After a specified period, the alternate port CP2 becomes the root port and CP1 becomes the designated port. As a result, a loop occurs.
If the root port or alternate port does not receive BPDUs from the upstream device for a specified period, a switch enabled with loop protection sends a notification to the NMS. The root port enters the Discarding state and becomes the designated port, whereas the alternate port remains blocked and becomes the designated port. In this case, loops will not occur. After the link is no longer congested or unidirectional link failures are rectified, the port receives BPDUs for negotiation and restores its original role and status.
Loop protection takes effect only on the root port and alternate ports.
- TC BPDU attack defense
A switching device deletes its MAC address entries and ARP entries after receiving TC BPDUs. If an attacker sends a large number of malicious TC BPDUs to the switching device within a short period, the device will constantly delete MAC address entries and ARP entries. This increases the load on the switching device and threatens network stability.
After enabling TC BPDU attack defense on a switching device, you can set the number of TC BPDUs that the device can process within a specified period. If the number of TC BPDUs that the switching device receives within a given time period exceeds the specified threshold, the switching device processes only the specified number of TC BPDUs. After the time period expires, the switching device processes all the excess TC BPDUs together. This function prevents the switching device from frequently deleting MAC entries and ARP entries.
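The behaviour of three of the protection functions described above (BPDU protection on edge ports, root protection on designated ports, and TC BPDU attack defense) can be modelled as small state machines to see how each limits the impact of an unexpected BPDU. This is an added example, not vendor code or configuration: the port names, threshold and period values, and event strings are constructed, and treating the excess TC BPDUs that are "processed together" as a single table flush is an assumption made for the model.

```python
# Added example (not vendor code): models of three RSTP protection functions.
# Port names, thresholds, timings and event strings are constructed for the demo.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EdgePort:
    """Edge port: directly connected to a host, goes straight to Forwarding."""
    name: str
    bpdu_protection: bool = True
    edge: bool = True
    state: str = "forwarding"
    events: List[str] = field(default_factory=list)

    def receive_rst_bpdu(self) -> str:
        if self.edge and self.bpdu_protection:
            # Port is shut down, keeps its edge role, and the NMS is notified
            self.state = "error-down"
            self.events.append(f"{self.name}: RST BPDU on edge port -> error-down")
        elif self.edge:
            # Unprotected: the port becomes a normal port and the tree is recalculated
            self.edge = False
            self.state = "discarding"
            self.events.append(f"{self.name}: lost edge status, STP recalculation")
        return self.state


@dataclass
class RootProtectedPort:
    """Designated port with root protection: a superior BPDU cannot change its role."""
    name: str
    forward_delay: float = 15.0
    state: str = "forwarding"
    last_superior_at: Optional[float] = None

    def receive_bpdu(self, now: float, superior: bool) -> str:
        if superior:
            self.state = "discarding"   # block instead of accepting a new root
            self.last_superior_at = now
        return self.state

    def tick(self, now: float) -> str:
        # Recover after two Forward Delay periods without a superior BPDU
        if (self.state == "discarding"
                and now - self.last_superior_at >= 2 * self.forward_delay):
            self.state = "forwarding"
        return self.state


class TcBpduThrottle:
    """Process at most `threshold` TC BPDUs per `period` seconds; excess ones are
    held and handled together when the period expires (modelled here as one
    flush for all of them, an assumption of this example)."""

    def __init__(self, threshold: int, period: float):
        self.threshold, self.period = threshold, period
        self.window_start: Optional[float] = None
        self.in_window = 0
        self.deferred = 0
        self.flushes = 0   # MAC/ARP table flushes actually performed

    def _roll_window(self, now: float) -> None:
        if self.window_start is None or now - self.window_start >= self.period:
            if self.deferred:
                self.flushes += 1      # deferred TC BPDUs processed together
                self.deferred = 0
            self.in_window = 0
            self.window_start = now

    def on_tc_bpdu(self, now: float) -> str:
        self._roll_window(now)
        if self.in_window < self.threshold:
            self.in_window += 1
            self.flushes += 1
            return "processed"
        self.deferred += 1
        return "deferred"

    def tick(self, now: float) -> int:
        """Advance time without a new TC BPDU; returns flushes done so far."""
        self._roll_window(now)
        return self.flushes


def simulate_tc_flood(count: int, spacing: float, threshold: int, period: float) -> tuple:
    """Burst of `count` TC BPDUs `spacing` seconds apart; returns (flushes, deferred)."""
    t = TcBpduThrottle(threshold, period)
    results = [t.on_tc_bpdu(i * spacing) for i in range(count)]
    deferred = results.count("deferred")
    t.tick(count * spacing + period)   # let the period expire
    return t.flushes, deferred


if __name__ == "__main__":
    print(EdgePort("GE0/0/1").receive_rst_bpdu())        # error-down
    print(simulate_tc_flood(50, 0.01, 1, 2.0))           # (2, 49): 2 flushes, not 50
```

Without the throttle, a burst of 50 TC BPDUs would trigger 50 MAC/ARP flushes; with a threshold of one per period the model performs one flush immediately and one more for the deferred burst when the period expires, which is the load reduction the text describes.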