"The spanning tree protocol is one of the most elegant and over-engineered solutions in all of networking. It solves a real problem -- loops in a switched network -- with a distributed algorithm that most network engineers spend years learning to not fear." -- Russ White & Ethan Banks, Computer Networking Problems and Solutions (Pearson, 2018)
Lecture (100 min, two 50-min blocks)
5.1 Review: How Switches Learn
NET-101 introduced Ethernet switching at first-encounter depth. Before going deeper: a Layer-2 switch maintains a MAC address table (CAM table) mapping MAC addresses to ports. When a frame arrives:
- Learn: add (source_MAC, ingress_port) to CAM table
- Forward: if destination MAC is in the CAM table, forward to the mapped port; otherwise, flood to all ports except ingress (unknown unicast flooding)
- Filter: discard frames whose destination MAC maps to the same port they arrived on
This works correctly in a linear or tree topology. The problem arises when loops exist.
5.2 Why Loops Kill Switched Networks
Unlike routers, switches do not decrement a TTL field. An Ethernet frame circling in a loop circulates indefinitely. Two failure modes:
- Broadcast storm: an ARP request (broadcast) is flooded on all ports. If a loop exists, the frame returns to the origin switch, which floods it again. Each copy spawns more copies. Within seconds, all link bandwidth is consumed. Switches become unable to process legitimate traffic.
- MAC table instability: a device's MAC address appears first on one port (via a direct path), then on another (via the looped copy), then back to the original. The CAM table continuously flips entries. Traffic is misdelivered.
Ethernet loops are the network equivalent of a hardware short circuit. They happen frequently in real networks, typically when a cable is patched to the wrong port or a link-aggregation configuration is wrong.
5.3 Spanning Tree Protocol (STP, IEEE 802.1D)
STP's solution: elect a logical tree rooted at one switch (the Root Bridge), and block ports that would create loops. The spanning tree is a subset of the physical topology that is loop-free. Blocked ports remain in standby; if an active path fails, a blocked port transitions to forwarding.
STP election process:
- Root Bridge election: every switch starts by claiming to be Root. They exchange Bridge Protocol Data Units (BPDUs). A BPDU contains the sender's Bridge ID (8 bytes: 2-byte priority + 6-byte MAC address). The switch with the lowest Bridge ID wins. Default priority is 32768.
- Root port selection: every non-root switch selects the port with the lowest-cost path to the Root Bridge as its Root Port. Cost is inversely proportional to bandwidth (1 Gbps = cost 4; 100 Mbps = cost 19; 10 Mbps = cost 100).
- Designated port selection: on each network segment, the switch providing the lowest-cost path to Root is the Designated Switch; its port on that segment is the Designated Port. All other ports on that segment are blocked.
STP port states:
- Blocking: receives BPDUs; does not forward data frames
- Listening: can send/receive BPDUs; no data forwarding; 15 seconds by default
- Learning: builds MAC table; no data forwarding; 15 seconds by default
- Forwarding: passes data normally
- Disabled: administratively shut down
Total convergence after a topology change: Listening (15s) + Learning (15s) = 30 seconds minimum before traffic flows through a previously-blocked path. This 30-second outage was the primary complaint that drove RSTP development.
Controlling STP topology (critical for operators):
! Set lower priority to make this switch the Root Bridge
spanning-tree vlan 1 priority 4096
! Verify Root Bridge election result
show spanning-tree
! PortFast: skip Listening/Learning on access ports (end-host ports)
! Only safe on ports connected to end-hosts (not other switches)
interface GigabitEthernet0/1
spanning-tree portfast
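The election rules of this section worked through as an added Python example (mine, not part of the lecture notes): it computes the Root Bridge, Root Ports, Designated Ports and blocked ports for a constructed three-switch triangle, and lowering one switch's priority to 4096 as the command above does moves the Root. Switch names, MAC addresses, port names and the function names are my own assumptions.

```python
import heapq

# Constructed triangle topology (not the lecture's), i.e. a physical loop.
# Bridge ID = (priority, MAC); all three keep the default priority 32768.
SWITCHES = {
    "A": (32768, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
}
LINKS = [  # (switch, port, switch, port, cost); costs from the lecture's table
    ("A", "Gi0/1", "B", "Gi0/1", 4),   # 1 Gbps
    ("A", "Gi0/2", "C", "Gi0/1", 4),   # 1 Gbps
    ("B", "Gi0/2", "C", "Gi0/2", 19),  # 100 Mbps
]

def bridge_id(sw, switches):
    """Comparable Bridge ID: priority first, then MAC as an integer (lower wins)."""
    prio, mac = switches[sw]
    return (prio, int(mac.replace(":", ""), 16))

def root_path_cost(root, links):
    """Dijkstra over link costs: least-cost path from every switch to the Root."""
    adj = {}
    for s1, _, s2, _, cost in links:
        adj.setdefault(s1, []).append((s2, cost))
        adj.setdefault(s2, []).append((s1, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        for nxt, cost in adj[sw]:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def spanning_tree(switches, links):
    """Return (root, {(switch, port): 'root' | 'designated' | 'blocked'})."""
    root = min(switches, key=lambda s: bridge_id(s, switches))  # lowest Bridge ID wins
    dist = root_path_cost(root, links)
    roles, ports = {}, {}
    for s1, p1, s2, p2, cost in links:
        ports.setdefault(s1, []).append((s2, p1, p2, cost))
        ports.setdefault(s2, []).append((s1, p2, p1, cost))
        # Designated Port: the side with the lower cost to Root; tie -> lower Bridge ID
        k1, k2 = (dist[s1], bridge_id(s1, switches)), (dist[s2], bridge_id(s2, switches))
        des, dp, oth, op = (s1, p1, s2, p2) if k1 < k2 else (s2, p2, s1, p1)
        roles[(des, dp)] = "designated"
        roles[(oth, op)] = "blocked"  # provisional: becomes the Root Port if on the best path
    for sw, plist in ports.items():  # every port on the Root Bridge stays designated
        if sw != root:  # Root Port: least cost via neighbour; ties by its Bridge ID, then port
            best = min(plist, key=lambda t: (dist[t[0]] + t[3], bridge_id(t[0], switches), t[2]))
            roles[(sw, best[1])] = "root"
    return root, roles
```

With default priorities, switch A (lowest MAC) becomes Root and C's Gi0/2 is blocked; giving C priority 4096 makes C the Root and blocks B's Gi0/2 instead.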
5.4 Rapid Spanning Tree (RSTP, IEEE 802.1w)
RSTP (802.1w, integrated into 802.1D-2004) replaces STP's timer-driven convergence with a negotiation-based approach that achieves convergence in under 1 second in most topologies.
Key RSTP improvements:
- Port roles: Root (same as STP), Designated (same), Alternate (replaces Blocking Root Port), Backup (replaces Blocking Designated Port)
- Proposal/Agreement handshake: when a link comes up, the two switches negotiate using BPDU exchanges. Once agreed, the port transitions to Forwarding immediately -- no 15+15 second wait
- Rapid transition to Forwarding: only possible for edge ports (connected to end devices) and point-to-point links (full-duplex, which is nearly universal today)
- Topology Change Notification: localized; only the switch detecting the failure flushes its MAC table for that VLAN; flooding is contained
Modern networks almost universally use RSTP. STP (802.1D) is considered legacy.
5.5 VLANs and Trunking
A VLAN (Virtual LAN) partitions a physical switch into multiple logical broadcast domains. Traffic in VLAN 10 cannot reach traffic in VLAN 20 at Layer 2; they require a Layer-3 router (or inter-VLAN routing on a Layer-3 switch) to communicate.
IEEE 802.1Q trunk: when a link connects two switches (or a switch and a router), it must carry traffic for multiple VLANs simultaneously. 802.1Q trunking inserts a 4-byte tag into the Ethernet frame header:
[Destination MAC 6B] [Source MAC 6B] [802.1Q Tag 4B] [EtherType 2B] [Payload] [FCS 4B]
802.1Q Tag:
TPID: 0x8100 (2 bytes)
PCP: Priority Code Point (3 bits, 802.1p QoS)
DEI: Drop Eligible Indicator (1 bit)
VID: VLAN ID (12 bits, 0-4095; 0=untagged, 4095=reserved)
The native VLAN is an exception: frames on the native VLAN traverse a trunk port without a tag. Misconfigured native VLANs are a classic VLAN hopping attack vector (see Week 10 NSM coverage).
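The tag layout above, parsed as an added Python example (mine, not from the lecture): it decodes TPID, PCP, DEI and VID, treats untagged and VID-0 frames as native-VLAN frames when received on a trunk, and builds its own constructed sample frames. The names parse_frame, trunk_vlan and build_frame are my own.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame and decode its 802.1Q tag if one is present.

    Untagged frames come back with vid=None; on a trunk those are native-VLAN frames.
    Any trailing FCS (usually absent in captures) is left in the payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "pcp": None, "dei": None, "vid": None}
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but the tag is truncated")
        tci = struct.unpack("!H", frame[14:16])[0]  # 16-bit Tag Control Information
        info["pcp"] = tci >> 13           # 3-bit Priority Code Point (802.1p)
        info["dei"] = (tci >> 12) & 0x1   # 1-bit Drop Eligible Indicator
        info["vid"] = tci & 0x0FFF        # 12-bit VLAN ID
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18  # real EtherType after the tag
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info

def trunk_vlan(info: dict, native_vid: int) -> int:
    """VLAN a frame belongs to when received on a trunk whose native VLAN is native_vid.

    Untagged frames and VID 0 (priority-tagged) both land in the native VLAN, which is
    why a native-VLAN mismatch between the two ends of a trunk silently moves frames
    from one VLAN into another.
    """
    return native_vid if info["vid"] in (None, 0) else info["vid"]

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid=None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a sample frame (constructed parser input); tagged only when vid is given."""
    tag = b"" if vid is None else struct.pack(
        "!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload
```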
! Configure trunk port (IOS syntax)
interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30
! non-default native VLAN; must match on both ends of the trunk
switchport trunk native vlan 999
! Configure access port
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 10
5.6 Per-VLAN Spanning Tree (PVST+) and MST
Standard 802.1D/RSTP runs one STP instance for the entire switched network. This wastes half the uplinks (blocked by STP) regardless of VLAN.
PVST+ (Cisco proprietary): runs a separate STP instance per VLAN. Different VLANs can have different Root Bridges, distributing traffic across both uplinks. VLAN 10 uses Switch A as Root; VLAN 20 uses Switch B as Root. Both uplinks carry traffic; load-balancing achieved.
MST (Multiple Spanning Tree, IEEE 802.1s): groups VLANs into MST instances and runs one spanning-tree instance per group of VLANs rather than one per VLAN; more scalable than PVST+ in large networks.
5.7 Link Aggregation (LACP, IEEE 802.3ad)
Link aggregation combines multiple physical links into one logical interface (a LAG or bond) for increased bandwidth and redundancy. LACP (Link Aggregation Control Protocol) is the IEEE-standard negotiation protocol.
A 2-port 1 Gbps LAG provides up to 2 Gbps aggregate bandwidth and survives one link failure without traffic interruption (the remaining link carries all traffic; no STP reconvergence needed).
LACP negotiation: ports exchange LACPDU frames advertising their System ID and Port ID. Both ends must agree on the LAG configuration.
# Configure LACP bond (Linux); member links must be down before they are enslaved
ip link add bond0 type bond mode 802.3ad
ip link set eth0 down
ip link set eth1 down
ip link set eth0 master bond0
ip link set eth1 master bond0
ip link set bond0 up
# Verify bond mode and per-slave link state
cat /proc/net/bonding/bond0
Spanning tree treats a LAG as a single logical port. STP and LACP are complementary, not competing.
Lab Preview
Lab 3 builds a switched topology (4 switches, 3 VLANs) using Containerlab or GNS3:
- Configure 802.1Q trunks between all switches
- Observe STP Root Bridge election (capture BPDUs in Wireshark)
- Deliberately force a topology change by disabling the Root Bridge's uplink; measure STP reconvergence time
- Enable RSTP; repeat the topology change; compare reconvergence time
- Configure a 2-port LACP bond between two switches; verify both links active; fail one link
Homework
Reading (45 min): Kurose-Ross 9e Ch 6.3 (Link-Layer Addressing and ARP) and Ch 6.4 (Ethernet). Focus on the MAC learning process, broadcast domain concepts, and the VLAN motivation. For STP depth: skim IEEE 802.1D-2004 Section 17 (the abstract is free on IEEE Xplore; the full text is available through the library).
Hands-on (60 min): Using Containerlab with FRR and Linux bridge containers, build a 2-switch topology with a trunk link between them:
# topo-vlan.clab.yml
name: vlan
topology:
  nodes:
    sw1:
      kind: linux
      image: alpine:latest
    sw2:
      kind: linux
      image: alpine:latest
    h1:
      kind: linux
      image: alpine:latest
    h2:
      kind: linux
      image: alpine:latest
  links:
    - endpoints: ["sw1:eth1", "sw2:eth1"]  # trunk
    - endpoints: ["sw1:eth2", "h1:eth1"]   # access VLAN 10
    - endpoints: ["sw2:eth2", "h2:eth1"]   # access VLAN 10
Configure VLAN interfaces and bridges; ping h1 to h2; capture the 802.1Q-tagged frames on the trunk with tcpdump -i eth1 -n vlan. Identify the VID field in the tag.
Toolchain Diary Entry
First introduced this week: Containerlab for switching labs; Linux bridge tools
containerlab deploy -t topo-vlan.clab.yml: deploy the topology defined in the YAML file; containerlab destroy -t topo-vlan.clab.yml tears it down.
containerlab inspect -t topo-vlan.clab.yml: show running containers and management IP addresses.
ip link add br0 type bridge: create a Linux software bridge.
ip link set eth1 master br0: add interface eth1 to bridge br0.
bridge vlan add vid 10 dev eth1: add VLAN 10 to bridge port eth1 (requires kernel VLAN filtering).
bridge vlan show: show VLAN filter table on all bridge ports.
tcpdump -i eth1 -n -e vlan: capture frames on eth1, showing Ethernet headers and 802.1Q VLAN tags (-e for link-layer headers; vlan filter shows only tagged frames).
wireshark BPDU display filter: stp -- isolates Spanning Tree BPDU frames. Filter stp.bridge.hw_addr to see Bridge IDs.
Key Terms
- VLAN: Virtual LAN; logical partition of a switched network into separate Layer-2 broadcast domains; defined by 12-bit VID in 802.1Q header
- 802.1Q trunk: a switch link that carries tagged frames for multiple VLANs; 4-byte tag inserted between source MAC and EtherType
- STP (IEEE 802.1D): Spanning Tree Protocol; prevents Layer-2 loops by electing a Root Bridge and blocking redundant ports; 30-second convergence on topology change
- Root Bridge: the switch elected as the logical root of the spanning tree; lowest Bridge ID wins; all other switches compute least-cost paths toward Root
- RSTP (IEEE 802.1w): Rapid Spanning Tree Protocol; replaces STP timer convergence with proposal/agreement negotiation; sub-second convergence on point-to-point links
- PVST+: Per-VLAN Spanning Tree Plus (Cisco); separate spanning tree instance per VLAN; allows load balancing across redundant uplinks
- LACP (IEEE 802.3ad): Link Aggregation Control Protocol; negotiates bundling of multiple physical links into one logical link for bandwidth and redundancy
- Native VLAN: frames on this VLAN traverse trunk ports untagged; must match on both ends; mismatch is a classic misconfiguration and VLAN hopping attack vector
- PortFast: STP optimization on access ports; skips Listening and Learning states; reduces host connectivity delay from 30s to near-zero; must never be configured on switch-to-switch links