Spanning Tree
What It Is
Spanning Tree prevents Layer 2 loops by building a loop-free forwarding tree across Ethernet switches. It elects a root bridge, chooses best paths toward that root, and blocks redundant paths until they are needed. Modern networks should still understand STP, even when designs use routed access, EVPN, or controller-based fabrics, because a bad Layer 2 loop can still take down a site fast.
Protocol Variants
| Variant | Scope | Convergence | Where You See It |
|---|---|---|---|
| STP | One tree | Slow | Legacy only |
| PVST+ | One tree per VLAN | Slow | Older Cisco campus networks |
| RSTP | One tree | Faster | Standards-based switching |
| Rapid PVST+ | One tree per VLAN | Faster | Common Cisco campus mode |
| MSTP | Multiple VLANs mapped to instances | Faster | Large L2 domains needing fewer instances |
Modern note: Most Cisco campus switches still run Rapid PVST+ or MST. Newer designs often reduce the STP problem by routing closer to access or using fabrics, but access switches still need sane STP guardrails.
Root Election
| Item | Meaning | Lower Wins |
|---|---|---|
| Bridge priority | Configured priority, normally in steps of 4096 | Yes |
| System ID extension | Usually the VLAN or MST instance ID | Yes |
| MAC address | Bridge MAC used as tie breaker | Yes |
Root bridge selection:
- Lowest bridge ID becomes root.
- Non-root switches choose one root port toward the root.
- Each segment chooses one designated port.
- Other redundant ports become alternate or blocking.
Design note: Pick the root intentionally. Distribution, core, or paired aggregation switches should usually be root and secondary root for the VLANs they serve.
Port Roles And States
| Role | Meaning | Normal State |
|---|---|---|
| Root port | Best path from this switch to the root | Forwarding |
| Designated port | Best port on a segment toward the root | Forwarding |
| Alternate port | Backup path to root | Discarding |
| Backup port | Backup on the same shared segment | Discarding |
| Disabled | Administratively or operationally down | Disabled |
RSTP states:
| State | Forwards Traffic | Learns MACs | Notes |
|---|---|---|---|
| Discarding | No | No | Replaces legacy blocking, listening, disabled behavior |
| Learning | No | Yes | Builds MAC table before forwarding |
| Forwarding | Yes | Yes | Active data path |
Watch out: A blocked STP port is often healthy. It may be preventing a loop. Do not force it forwarding unless you understand the topology.
Path Selection
STP chooses the best path using these tie breakers:
| Order | Decision |
|---|---|
| 1 | Lowest root bridge ID |
| 2 | Lowest root path cost |
| 3 | Lowest sender bridge ID |
| 4 | Lowest sender port ID |
| 5 | Lowest local port ID |
Long path cost by link speed:
| Speed | Typical Long Path Cost |
|---|---|
| 10 Mbps | 2,000,000 |
| 100 Mbps | 200,000 |
| 1 Gbps | 20,000 |
| 10 Gbps | 2,000 |
| 100 Gbps | 200 |
Modern note: The old short path cost method made high-speed links collapse into tiny values that barely differ from each other. Use the platform default unless you have a reason to standardize the path cost method across old and new switches.
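The election and tie-breaker order above, carried through in code as an added example that is not from the original page: it elects the root from bridge IDs, then runs the root path cost comparison with the sender bridge ID and port ID tie breakers over a constructed four-switch topology using the long path costs from the table. Switch names, priorities, MACs, link speeds and port numbering are assumptions made for illustration.

```python
import heapq

# Long path costs from the table above, keyed by link speed in Mbps.
LONG_PATH_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000, 100_000: 200}
VLAN = 20  # Rapid PVST+ uses the VLAN number as the system ID extension

# Constructed topology (names, priorities, MACs and speeds are made up for illustration).
SWITCHES = {"dist1": (4096, "0000.0000.0a01"), "dist2": (8192, "0000.0000.0a02"),
            "acc1": (32768, "0000.0000.0b01"), "acc2": (32768, "0000.0000.0b02")}
LINKS = [("dist1", "dist2", 10_000), ("dist1", "acc1", 1_000), ("dist2", "acc1", 1_000),
         ("dist2", "acc2", 1_000), ("acc1", "acc2", 100)]  # (end a, end b, Mbps)

def bridge_id(priority, vlan, mac):
    """Sortable bridge ID: (priority, system ID extension, MAC). Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority, vlan, mac.lower())

def converge(switches=SWITCHES, links=LINKS, vlan=VLAN):
    """Elect the root, then choose root ports and per-link roles. Returns
    (root, {switch: root path cost}, {switch: {neighbor: role}})."""
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(bid, key=bid.get)                        # step 1: lowest bridge ID
    ports = {n: {} for n in switches}                   # switch -> neighbor -> (port ID, cost)
    for a, b, mbps in links:
        ports[a][b] = (len(ports[a]) + 1, LONG_PATH_COST[mbps])
        ports[b][a] = (len(ports[b]) + 1, LONG_PATH_COST[mbps])
    # Best BPDU per switch, compared in tie-breaker order (steps 2..5):
    # (root path cost, sender bridge ID, sender port ID, local port ID).
    best, via = {root: (0, bid[root], 0, 0)}, {root: None}
    heap = [(best[root], root)]
    while heap:
        key, u = heapq.heappop(heap)
        if key != best[u]:
            continue                                    # superseded by a better BPDU
        for v, (uport, cost) in ports[u].items():
            cand = (key[0] + cost, bid[u], uport, ports[v][u][0])
            if v not in best or cand < best[v]:
                best[v], via[v] = cand, u
                heapq.heappush(heap, (cand, v))
    roles = {n: {} for n in switches}
    for a, b, _ in links:
        # The end advertising the better (cost, bridge ID, port ID) is designated;
        # the other end is the root port if it points at the root, else alternate.
        designated = min((a, b), key=lambda s: (best[s][0], bid[s], ports[s][b if s == a else a][0]))
        other = b if designated == a else a
        roles[designated][other] = "designated"
        roles[other][designated] = "root" if via[other] == designated else "alternate"
    return root, {n: best[n][0] for n in switches}, roles
```

Adding a switch with priority 0 behind acc2 makes it the root for the whole VLAN, which is exactly the case Root Guard on downstream-facing ports exists to block.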
Guard Features
| Feature | Use It On | What It Prevents |
|---|---|---|
| PortFast / edge | Endpoint-facing ports | Waiting for STP convergence on hosts |
| BPDU Guard | PortFast / edge ports | Accidental switch connection on endpoint ports |
| Root Guard | Downstream ports that must not become root paths | Rogue or misplaced root bridge |
| Loop Guard | Redundant switch links | Unidirectional failures causing blocked ports to forward |
| BPDU Filter | Rare cases only | Hiding BPDUs, often dangerous |
| UDLD | Fiber and some copper uplinks | One-way links |
Watch out: BPDU Filter can create outages when used casually. If you are trying to protect edge ports, BPDU Guard is usually the safer default.
Design Notes
- Keep Layer 2 domains smaller than your failure tolerance.
- Make root and secondary root explicit per VLAN or MST instance.
- Use PortFast and BPDU Guard on normal access ports.
- Use Root Guard on ports where downstream switches should never win root.
- Use Loop Guard or equivalent protection on redundant inter-switch links.
- Prefer routed links when a link does not need Layer 2 adjacency.
- Document any VLANs intentionally stretched between closets, buildings, sites, or data centers.
- Test failover paths. A blocked link that never gets tested is not a reliable backup.
Cisco IOS/IOS-XE Examples
Rapid PVST+ with root placement:
```
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 root primary
spanning-tree vlan 40,50,60 root secondary
```
Access port with edge protection:
```
interface GigabitEthernet1/0/10
 description Workstation
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
```
Uplink with root guard:
```
interface GigabitEthernet1/0/48
 description Downstream access switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 spanning-tree guard root
```
Global defaults often used in campus access:
```
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
```
Notes:
- Use PortFast only on ports connected to endpoints or carefully understood edge trunks.
- Do not enable root guard and loop guard on the same interface.
- Global defaults are powerful. Confirm uplinks and special ports before enabling them.
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| VLAN down across a trunk | show interfaces trunk, show spanning-tree vlan X | VLAN missing or STP blocking |
| Root bridge is unexpected | show spanning-tree root | Wrong priority or rogue switch |
| Access port err-disabled | show errdisable recovery, logs | BPDU Guard, link flap, security feature |
| One uplink never forwards | Port role and path cost | Normal alternate path or wrong cost |
| Loop symptoms, high CPU, broadcast storm | MAC flaps, STP topology changes, interface counters | L2 loop or unmanaged switch |
| Intermittent outage after link failure | Loop Guard, UDLD, STP topology | One-way link or blocked path not recovering |
Commands
```
show spanning-tree summary
show spanning-tree root
show spanning-tree vlan 20
show spanning-tree blockedports
show spanning-tree inconsistentports
show interfaces trunk
show logging | include SPANTREE|STP|BPDU|ERR
```
Expected clues:
- The intended switch is root for the VLANs it should own.
- Access ports are edge or PortFast where appropriate.
- Endpoint ports do not receive BPDUs.
- Trunks carry only required VLANs.
- Blocked ports match the expected redundant topology.
- Topology change counters are not constantly increasing.
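As an added example that is not part of the original page, a short triage script that groups the syslog clues the command list above filters for (BPDU Guard trips, Root Guard blocks, topology change traps, MAC flaps) by port and VLAN and turns them into the first things to check. The sample lines are constructed in the style of IOS syslog and the message mnemonics are assumed from that style, so match them against your platform's own output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of IOS syslog; not captured from a real device.
SAMPLE_LOG = """\
Mar 12 10:01:03.117: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/10 with BPDU Guard enabled. Disabling port.
Mar 12 10:06:07.233: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/10 with BPDU Guard enabled. Disabling port.
Mar 12 10:11:09.440: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/48 on VLAN0010.
Mar 12 10:11:09.441: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
Mar 12 10:11:10.002: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
Mar 12 10:11:11.310: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
Mar 12 10:12:01.555: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/12 and port Gi1/0/13
"""

MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)")
PORT_RE = re.compile(r"\b(?:TenGigabitEthernet|GigabitEthernet|Te|Gi)\d+(?:/\d+)+")
VLAN_RE = re.compile(r"vlan\s*0*(\d+)", re.IGNORECASE)
HOST_RE = re.compile(r"Host ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

def triage(log_text):
    """Group STP guard events, topology changes and MAC flaps by port and VLAN."""
    out = {"bpduguard": Counter(), "rootguard": defaultdict(set), "tcn": Counter(), "macflap": []}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        text, mnem = m["text"], m["mnem"]
        # Long and short interface names refer to the same port; merge them under the short form.
        ports = [p.replace("TenGigabitEthernet", "Te").replace("GigabitEthernet", "Gi") for p in PORT_RE.findall(text)]
        vlan = VLAN_RE.search(text)
        vlan = int(vlan.group(1)) if vlan else None
        if mnem == "BLOCK_BPDUGUARD" and ports:
            out["bpduguard"][ports[0]] += 1           # an edge port received a BPDU
        elif mnem == "ROOTGUARD_BLOCK" and ports:
            out["rootguard"][ports[0]].add(vlan)      # superior BPDU arrived on a guarded port
        elif mnem == "TOPOTRAP" and vlan is not None:
            out["tcn"][vlan] += 1                     # topology changes should settle, not repeat
        elif mnem == "MACFLAP_NOTIF":
            host = HOST_RE.search(text)
            out["macflap"].append((host.group(1) if host else "?", vlan, ports))
    return out

def findings(summary, tcn_threshold=3):
    """Turn grouped counts into the symptoms from the troubleshooting table to check first."""
    notes = [f"{p}: BPDU Guard tripped {n}x; find what keeps sending BPDUs on an edge port" for p, n in summary["bpduguard"].items() if n >= 2]
    notes += [f"{p}: Root Guard blocked on VLAN(s) {sorted(v)}; a downstream device offered a better root" for p, v in summary["rootguard"].items()]
    notes += [f"VLAN {v}: {n} topology changes; look for flapping links or ports missing PortFast" for v, n in summary["tcn"].items() if n >= tcn_threshold]
    notes += [f"{h} in VLAN {v} flapping between {' and '.join(ps)}; possible loop or unmanaged switch" for h, v, ps in summary["macflap"]]
    return notes
```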
Watch Out
- Do not let VLAN 1 defaults decide your production topology.
- Do not stretch VLANs casually between buildings or sites.
- Do not disable STP to "fix" a blocked port.
- Do not assume a port channel protects you from every L2 loop.
- Do not connect unmanaged switches to access ports without BPDU Guard or loop protection.
- Do not mix MST regions casually. Region name, revision, and VLAN mappings must match.