
Spanning Tree: Friend or Foe?

August 18, 2016

To some degree or another, some of us have run into Spanning Tree issues over the years: full-on Spanning Tree re-convergence timeouts, loops in the network, or even a Spanning Tree “Root Bridge” that is pointing at a device living on the edge of the network. I’ve personally diagnosed three or four fully disabled networks over the years. Think about that -- an entire network completely disabled because someone plugged in a simple device to make their life easier, such as a small five-port switch to add a few ports for a computer and a printer.

There’s no doubt that in a proper environment, Spanning Tree needs care and feeding. By that I mean proper configuration: at a bare minimum, explicitly setting the Spanning Tree “root bridge” on the core device(s) of your network. Also consider enabling BPDU guard on access interfaces to block other switches from participating in your Spanning Tree without your consent. There is a myriad of other options you can set at the interface level to help prevent Spanning Tree loops and protect your environment. I’d certainly suggest spending time reading a few online documents describing what’s best for your given switch manufacturer.

Spanning Tree is a very old Layer 2 protocol (802.1D-1990) and its election process is archaic, relying on “Spanning Tree Priority” first. Keep in mind that every switch delivered today has a default priority of 32768. Since every switch has the same priority (unless configured otherwise), the next tie-breaker for deciding the “Spanning Tree Root Bridge” is the switch’s hardware-encoded MAC address: the device with the lowest MAC address wins Root Bridge. Thinking about that, which devices have the lowest MAC addresses? The oldest devices on your network. This is typically a 10-15 year old switch that sits on the edge of your network, serving a handful of clients and on its way out the door once it fails.
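The election above is simple enough to simulate. The following Python is an added example (not code from the original post or from any switch vendor) that builds the 802.1D bridge ID from priority and MAC, elects the root exactly the way the text describes, and then applies the fix from the previous paragraph: lowering the priority on the intended core switches. The switch names and MAC addresses are constructed for illustration; the `audit_root` check is a hypothetical helper you might run against an inventory export to catch a root that has drifted to an edge device.

```python
"""Root-bridge election per IEEE 802.1D: lowest bridge ID wins, where the
bridge ID is the 16-bit priority followed by the 48-bit MAC address.
Added example; switch names and MACs are constructed, not from any real network.
"""
from dataclasses import dataclass, replace

DEFAULT_PRIORITY = 32768  # factory default on essentially every switch


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                           # "aa:bb:cc:dd:ee:ff"
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> int:
        """64-bit value STP compares: priority in the high 16 bits, MAC in
        the low 48. Comparing this single integer reproduces the two-stage
        rule in the text: priority first, MAC as the tie-breaker."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError(f"{self.name}: priority {self.priority} out of range")
        mac_int = int(self.mac.replace(":", "").replace("-", ""), 16)
        if mac_int > 0xFFFFFFFFFFFF:
            raise ValueError(f"{self.name}: bad MAC {self.mac}")
        return (self.priority << 48) | mac_int


def elect_root(bridges):
    """Return the Bridge every other bridge will accept as root."""
    return min(bridges, key=Bridge.bridge_id)


def set_priority(bridges, names, priority):
    """Return a copy of the topology with `priority` applied to `names`
    (the equivalent of configuring a lower spanning-tree priority on the cores)."""
    return [replace(b, priority=priority) if b.name in names else b for b in bridges]


def audit_root(bridges, intended_roots):
    """Hypothetical audit helper: check that the elected root is one of the
    switches you meant to be root. Returns (root_name, ok); False is the
    edge-switch-as-root condition described in the post."""
    root = elect_root(bridges)
    return root.name, root.name in intended_roots


# Constructed topology: two newer core switches and one old closet switch
# whose MAC happens to sort lowest.
TOPOLOGY = [
    Bridge("core-1", "00:1c:73:aa:bb:01"),
    Bridge("core-2", "00:1c:73:aa:bb:02"),
    Bridge("edge-closet-7", "00:05:5d:12:34:56"),
]
CORES = {"core-1", "core-2"}

if __name__ == "__main__":
    # All defaults: the old edge switch wins on MAC alone.
    print(audit_root(TOPOLOGY, CORES))            # ('edge-closet-7', False)
    # After lowering the core priority, MAC only breaks the tie between cores.
    hardened = set_priority(TOPOLOGY, CORES, 4096)
    print(audit_root(hardened, CORES))            # ('core-1', True)
```

Note that lowering the priority on both cores still leaves the MAC tie-breaker to pick between them, so give your preferred core a strictly lower priority than its partner if you want a deterministic root rather than whichever core happened to get the lower MAC from the factory.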

I’ve recently been introduced to ELRP, or Extreme Loop Recovery Protocol, a technology from Extreme Networks that protects your network from loops without the need to configure Spanning Tree. I have to say, it’s certainly nice not having to configure Spanning Tree and simply turning on ELRP on all client ports. ELRP works great and is extremely fast at identifying and disabling looped ports without any complexity. I think it is high time Spanning Tree was weeded out of networks in favor of another L2 protocol that can safely and easily protect our investments, time and money without excessive configuration. Of course, ELRP is manufacturer-specific.

TRILL, or Transparent Interconnection of Lots of Links, is another option, a technology proposed to replace Spanning Tree that is currently in the process of obtaining an IETF standard. Certainly worth a look, but for now, unless you want to switch to a manufacturer-specific technology, consider evaluating your Spanning Tree configurations.
