Spanning Tree Protocol and Loop Protection – CompTIA Security+ SY0-401: 1.2

Spanning Tree Protocol (STP) is an important standard that provides a mechanism for switched networks to avoid outages due to network loops. In this video, you’ll learn how loops can cause network issues and I’ll demonstrate what happens when Spanning Tree constantly adjusts to avoid network loops.


A very common way to create problems on a network is to build a loop: connect two switches to each other, then connect them to each other a second time, and watch the frames start circling between them as fast as they can go. Ethernet frames carry no time-to-live, so a broadcast that enters the loop is never discarded; each switch just keeps flooding it out of every other port. As more traffic arrives, more of it starts looping, and eventually you completely overwhelm your infrastructure devices just because of all the frames circling back and forth. That is a broadcast storm, and the only way to resolve it is to break the loop, wherever it happens to be.

Hopefully that's not something that happens normally. You have to be very careful when you start plugging devices into your switches to make sure that a loop is not going to occur, because if one does, you have big problems. And you're going to know very, very quickly that a loop has occurred, because your entire network is going to come to a screeching halt.

Fortunately, we built mechanisms and protocols into our switches and bridges to prevent this from happening. The MAC layer itself has no way to know that a frame is in the middle of a loop, so the intelligence is put on the switch or on the bridge. The standard for that is IEEE 802.1D, the Spanning Tree Protocol, which prevents loops by keeping redundant paths blocked until they are needed.

And one of the nice parts about spanning tree is that it is very much a standard that everyone uses. Maybe it's not called spanning tree; maybe a manufacturer has taken spanning tree and done a little bit extra to make it faster or to change the way it operates (Cisco's per-VLAN variants, for example), and the IEEE itself followed up with Rapid Spanning Tree in 802.1w and Multiple Spanning Tree in 802.1s. But it is all based on the spanning tree algorithm created by Radia Perlman, and it is used everywhere. Every switch and every bridge you run into has some method of preventing loops, and it is built on the fundamentals of IEEE 802.1D.

One key aspect of the Spanning Tree Protocol is that all of the bridges, or switches, on your network talk to each other. They do that by exchanging Bridge Protocol Data Units (BPDUs): small frames sent to a reserved multicast address every hello interval, two seconds by default, that carry which bridge the sender believes is the root and how far away it is. Most of the time that's exactly the way your network is set up: at Layer 2, every device can see every other device.

There are three types of ports in spanning tree. There is a root port, which is the port that leads back toward the root bridge. One bridge on the network is the root bridge, and it is the one with the lowest bridge ID, which is a priority value (32768 by default) followed by the bridge's MAC address. If every bridge is left at the default priority, the lowest MAC address wins; if you want a particular bridge to be the root, you give it a lower priority. Here's Bridge 1 at the top of my list, and it is the root bridge. It does not have a root port, because it is the root and doesn't need a link to the root. What it does have are designated ports, which are ports that forward traffic out onto the network. On every other link there is one designated port, on the end of the link that is closest to the root, and any port that is neither a root port nor a designated port is blocked.

And as you can see, this network is very much interconnected. It would be very, very easy for a loop to appear if spanning tree wasn't in place. But every bridge hears from its neighbors about the root. Once it knows where the root bridge is, it opens the port with the cheapest path to the root as its root port, it forwards to the rest of the network out of its designated ports, and where it recognizes that a link would create a loop, it puts its port on that link into the blocking state so that traffic does not go out of that connection. So if you are in this scenario and you need to get, for instance, from Bridge 21 on Network C over to Network B, you're going to have to go all the way back up toward the root and back down again, because these particular ports on Bridge 21 and Bridge 11 are blocked.

Well, this is great. Everybody knows about each other, they keep track of each other, and messages are sent between these bridges every couple of seconds. But what if something happens? What if there's a problem? For instance, you have a break right here in the network. If you wanted to get to Network Y from Network C, normally you would go all the way around, and that connection would take you all the way through the network. But if you can't get to Bridge 6, now you have no way to get down to Network Y.

Now since all these bridges are talking to each other, they notice that the BPDUs from that direction have stopped, and they go into a mode where they decide: wait a second, I can no longer communicate down to Bridge 5, I need to find some way through Bridge 6 to get in that direction. And so the tree reconfigures itself and changes. The root port on Bridge 5 swaps over so that it now passes through Network Y, Bridge 11 recognizes that and takes its blocked port out of blocking, and now Network C and Network Y are directly connected to each other, and we still maintain communication from Network A back up to the root or anywhere else on the network. One caveat: with classic 802.1D this is not instant. The old root information has to age out (max age, 20 seconds by default), and a port coming out of blocking passes through listening and learning (15 seconds each) before it forwards, so recovery takes on the order of 30 to 50 seconds. Rapid Spanning Tree (802.1w) brings that down to a few seconds.
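The root election, root port and designated port selection, blocking, and the recovery after a link break can all be worked through on a small topology. The following is an added example, not code from the video: the bridge names, priorities, MAC addresses, port names and link costs are constructed for illustration, and the rules it applies are the ones described above (lowest bridge ID wins the root, each bridge keeps the cheapest path to the root, one designated port per link, everything else blocked). It then breaks one link and recomputes, which is the reconvergence just described.

```python
"""Compute spanning tree port roles for a small switched network (added example)."""
import heapq

# Bridge ID as 802.1D compares it: (priority, MAC). Lower wins. MACs are kept as
# lowercase zero-padded strings so plain string comparison orders them correctly.
# All values below are constructed for illustration.
BRIDGES = {
    "B1":  (4096,  "00:1b:54:00:00:ff"),   # lowered priority: root despite its high MAC
    "B5":  (32768, "00:00:00:00:00:05"),
    "B6":  (32768, "00:00:00:00:00:06"),
    "B11": (32768, "00:00:00:00:00:11"),
    "B21": (32768, "00:00:00:00:00:21"),
}

# One LAN segment per link: (bridge, port, bridge, port, path cost).
# 802.1D-1998 default costs: 4 for 1 Gb/s, 19 for 100 Mb/s.
LINKS = [
    ("B1",  "p1", "B5",  "p1", 4),
    ("B1",  "p2", "B6",  "p1", 4),
    ("B5",  "p2", "B11", "p1", 19),
    ("B6",  "p2", "B21", "p1", 19),
    ("B11", "p2", "B21", "p2", 19),   # redundant path: would loop without STP
    ("B5",  "p3", "B6",  "p3", 4),    # second redundant path
]


def elect_root(bridges):
    """Root election: the bridge with the lowest (priority, MAC) bridge ID."""
    return min(bridges, key=bridges.get)


def root_path_costs(root, links):
    """Dijkstra from the root: each bridge's cheapest total cost back to the root."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > best[u]:
            continue
        for v, w in adj.get(u, []):
            if c + w < best.get(v, float("inf")):
                best[v] = c + w
                heapq.heappush(heap, (c + w, v))
    return best


def compute_stp(bridges, links):
    """Return (root bridge, {(bridge, port): 'root' | 'designated' | 'blocked'})."""
    root = elect_root(bridges)
    rpc = root_path_costs(root, links)
    roles = {}

    # Root port: on every non-root bridge, the port whose link offers the lowest
    # cost to the root; ties go to the lower neighbour bridge ID, then its port.
    for b in bridges:
        if b == root or b not in rpc:      # the root has none; an isolated bridge has none
            continue
        candidates = []
        for a, pa, c, pc, cost in links:
            if a == b and c in rpc:
                candidates.append(((rpc[c] + cost, bridges[c], pc), pa))
            elif c == b and a in rpc:
                candidates.append(((rpc[a] + cost, bridges[a], pa), pc))
        roles[(b, min(candidates)[1])] = "root"

    # Designated port: on every link, the end whose bridge is closer to the root
    # (lower bridge ID breaks ties). The other end, unless it is that bridge's
    # root port, has no job on this link and is blocked.
    for a, pa, b, pb, _ in links:
        if a not in rpc or b not in rpc:
            continue
        ends = sorted(((a, pa), (b, pb)), key=lambda e: (rpc[e[0]], bridges[e[0]]))
        roles.setdefault(ends[0], "designated")
        roles.setdefault(ends[1], "blocked")
    return root, roles


def forwarding_links(bridges, links):
    """Links with no blocked end: the loop-free tree that actually carries traffic."""
    _, roles = compute_stp(bridges, links)
    return [l for l in links
            if roles.get((l[0], l[1])) != "blocked" and roles.get((l[2], l[3])) != "blocked"]


def fail_link(links, x, y):
    """Simulate a cable break between bridges x and y."""
    return [l for l in links if {l[0], l[2]} != {x, y}]


if __name__ == "__main__":
    root, roles = compute_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for (b, p), role in sorted(roles.items()):
        print(f"  {b}:{p} {role}")
    print("forwarding links:", len(forwarding_links(BRIDGES, LINKS)), "of", len(LINKS))
    # Break B6-B21 and watch the blocked port on B21 become its new root port.
    _, roles_after = compute_stp(BRIDGES, fail_link(LINKS, "B6", "B21"))
    print("B21:p2 after the break:", roles_after[("B21", "p2")])
```

With five bridges the active tree always has exactly four forwarding links, before and after the break; what changes is which redundant link gets pressed into service. Note that this computes the steady state only; the real protocol reaches it by exchanging BPDUs and waiting out the timers described above.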

This is a critical piece of how spanning tree works. There are a lot of details underneath the surface, and this is a very high-level view, but you can see that it is a great way to prevent loops. It is also a great way to build redundancy into your network so that, if you do have an outage, you still maintain availability. From a security perspective, that uptime is the point: spanning tree keeps a loop from bringing down your network and creating a denial of service. The caveat is that spanning tree has no authentication. Any device that sends BPDUs takes part in the election, so a machine on an access port that advertises a lower bridge ID can make itself the root, which changes which links forward and can pull traffic through it, or it can simply keep announcing topology changes and force the network to reconverge over and over. That is why switches offer loop-protection features alongside spanning tree: BPDU guard, which shuts down an access port the moment a BPDU arrives on it; root guard, which refuses superior root claims on ports that should never face the root; and loop guard, which keeps a blocked port blocked if the BPDUs it expects stop arriving.
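To make concrete what those bridges are sending each other, and why a practitioner guards access ports against it, here is an added example that is not part of the video: it encodes and parses an IEEE 802.1D configuration BPDU (the 35-byte body that follows the LLC header in the frame) and runs the checks that BPDU guard and root guard are built around. The frame bytes, bridge IDs, the "edge port" flag and the finding names are constructed for illustration; they are not anything a real switch emits.

```python
"""Parse an 802.1D configuration BPDU and audit it (added example)."""
import struct

# 802.1D configuration BPDU body: protocol ID, version, type, flags, root ID,
# root path cost, bridge ID, port ID, then four timers in 1/256-second units.
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)   # 35
CONFIG_BPDU = 0x00
FLAG_TOPOLOGY_CHANGE = 0x01
FLAG_TC_ACK = 0x80


def _id_to_bytes(bridge_id):
    priority, mac = bridge_id
    return priority.to_bytes(2, "big") + bytes(int(x, 16) for x in mac.split(":"))


def _id_from_bytes(raw):
    # 802.1D-1998 layout: 16-bit priority field, then the 6-byte MAC. (802.1t
    # later reuses the low 12 bits of that field as a system ID extension.)
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:8])


def build_config_bpdu(root_id, root_path_cost, bridge_id, port_id=0x8001,
                      flags=0, message_age=0, max_age=20, hello_time=2,
                      forward_delay=15):
    """Encode a configuration BPDU; timer arguments are in seconds."""
    return struct.pack(BPDU_FMT, 0x0000, 0, CONFIG_BPDU, flags,
                       _id_to_bytes(root_id), root_path_cost, _id_to_bytes(bridge_id),
                       port_id, message_age * 256, max_age * 256,
                       hello_time * 256, forward_delay * 256)


def parse_config_bpdu(body):
    """Decode a configuration BPDU body into a dict; rejects anything else."""
    if len(body) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root_raw, cost, bridge_raw, port_id,
     msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, body[:BPDU_LEN])
    if proto != 0 or btype != CONFIG_BPDU:
        raise ValueError(f"not a configuration BPDU (proto={proto}, type={btype:#x})")
    return {
        "version": version,
        "topology_change": bool(flags & FLAG_TOPOLOGY_CHANGE),
        "topology_change_ack": bool(flags & FLAG_TC_ACK),
        "root_id": _id_from_bytes(root_raw),
        "root_path_cost": cost,
        "bridge_id": _id_from_bytes(bridge_raw),
        "port_id": port_id,
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd / 256,
    }


def audit_bpdu(body, current_root_id, port_is_edge):
    """Return (decoded BPDU, findings) for a BPDU received on a port.

    'bpdu-on-edge-port': nothing on an access/edge port should ever speak STP;
        this is the condition BPDU guard acts on.
    'superior-root-claim': the advertised root ID beats our current root, so the
        sender would win the election; root guard blocks this on ports that
        must never face the root.
    'topology-change-set': the TC flag makes every bridge age out its MAC table
        early; repeated TCs from one port are a classic flooding trick.
    """
    bpdu = parse_config_bpdu(body)
    findings = []
    if port_is_edge:
        findings.append("bpdu-on-edge-port")
    if bpdu["root_id"] < current_root_id:      # tuple compare: priority, then MAC
        findings.append("superior-root-claim")
    if bpdu["topology_change"]:
        findings.append("topology-change-set")
    return bpdu, findings


# Constructed sample traffic (not captured from a real network).
CURRENT_ROOT = (32768, "00:00:00:00:00:01")
LEGIT_BPDU = build_config_bpdu(CURRENT_ROOT, 4, (32768, "00:00:00:00:00:05"))
ROGUE_BPDU = build_config_bpdu((0, "00:11:22:33:44:55"), 0, (0, "00:11:22:33:44:55"),
                               flags=FLAG_TOPOLOGY_CHANGE)

if __name__ == "__main__":
    for name, body, edge in (("uplink", LEGIT_BPDU, False), ("access", ROGUE_BPDU, True)):
        bpdu, findings = audit_bpdu(body, CURRENT_ROOT, edge)
        print(name, bpdu["root_id"], bpdu["root_path_cost"], findings or "ok")
```

The rogue frame needs nothing more than priority 0 and a root path cost of 0 to outrank every bridge left at the default 32768, which is exactly why a port that connects to end hosts should never be allowed to accept a BPDU at all.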