Spanning Tree Protocol (STP)

The Problem: Broadcast Storms

Switches forward broadcast frames (ARP requests, DHCP discovers, etc.) to all ports except the one they arrived on. In a loop, broadcasts circulate forever:

Switch A ─────── Switch B
    │                 │
    └──────────────────
         (redundant link)

ARP broadcast enters Switch A:
→ Switch A sends it to Switch B via both links
→ Switch B receives 2 copies, sends each to Switch A via both links
→ Switch A receives 4 copies...
→ Broadcast storm! Network saturates in milliseconds.

This crash happens in seconds and is invisible until the network dies. STP prevents it by blocking redundant links while keeping them available as failover.

Caution

A broadcast storm can saturate a 10 Gbps switch to 100% CPU utilization within 2-3 seconds. If you ever see all switch ports flashing simultaneously at full speed and the network is completely unresponsive - suspect a loop. Disconnect suspect cables immediately.

---

How STP Works (IEEE 802.1D)

STP builds a loop-free logical topology by electing a root bridge and blocking the least-preferred ports on redundant paths.

Step 1: Elect a Root Bridge

All switches exchange BPDU (Bridge Protocol Data Units) messages. The switch with the lowest Bridge ID wins and becomes the Root Bridge.

Bridge ID = Priority (2 bytes) + MAC Address (6 bytes)

Default priority = 32768
Lower priority = preferred
If same priority, lower MAC address breaks the tie

# Check STP root and port roles (Cisco IOS)
show spanning-tree

# On Linux with brctl (software bridge)
brctl showstp br0

Step 2: Designate Root Ports

On every non-root switch, STP selects the Root Port - the port with the lowest-cost path to the Root Bridge.

Path cost by link speed:

Speed	STP Cost (802.1D)
10 Mbps	100
100 Mbps	19
1 Gbps	4
10 Gbps	2

Step 3: Block Designated Ports on Redundant Links

After all root ports are elected, any remaining active links would create loops. STP blocks the inferior port on each such segment:

Root Bridge (Switch A)
        │ (Root port on Switch B)
   Switch B ─── Switch C (Root port on Switch C)
        │               │
        └───────────────┘
            (one of these ports becomes BLOCKING)

STP Port States

State	Duration	What happens
Blocking	20s (MaxAge)	Receives BPDUs but doesn’t forward frames
Listening	15s (Forward Delay)	Processes BPDUs, doesn’t forward frames
Learning	15s (Forward Delay)	Processes BPDUs, learns MAC addresses, doesn’t forward
Forwarding	Until topology change	Fully operational
Disabled	N/A	Port is admin down

Note

Standard STP convergence takes 30-50 seconds after a topology change (ports must move through Listening and Learning states). This is way too long for modern networks. RSTP (below) fixes this.

---

RSTP - Rapid Spanning Tree (802.1w)

RSTP converges in 1-2 seconds instead of 30-50. Key improvements:

Aspect	STP (802.1D)	RSTP (802.1w)
Convergence time	30-50 seconds	1-2 seconds
Port states	5 (blocking/listening/learning/forwarding/disabled)	3 (discarding/learning/forwarding)
Port roles	Root / Designated / Blocking	Root / Designated / Alternate / Backup
BPDU origin	Only Root Bridge generates BPDUs	Each switch generates its own
Negotiation	Timer-based	Proposal/Agreement handshake
Backward compatible	N/A	Yes - degrades to STP if legacy switch detected

RSTP pre-designates Alternate Ports (backup root port paths) that can immediately transition to Forwarding if the current root port fails - no waiting for timers.

---

Per-VLAN Spanning Tree (PVST+)

Cisco’s PVST+ runs a separate STP instance per VLAN. This allows different VLANs to have different root bridges and different blocked ports - enabling load balancing across redundant links:

VLAN 10: Root is Switch A, link A→C is blocked
VLAN 20: Root is Switch B, link B→C is blocked

Traffic flows:
  VLAN 10: A → B (direct)
  VLAN 20: B → A (direct)
Both links are in use!

IEEE standard equivalent: MSTP (802.1s) - Multiple Spanning Tree, maps VLANs to instances.

---

PortFast and BPDU Guard

For ports connected to end devices (not other switches), waiting through STP states wastes 30 seconds on every reboot.

# Cisco: Enable PortFast on an access port
interface GigabitEthernet0/1
 spanning-tree portfast          # skip Listening and Learning - go straight to Forwarding

# BPDU Guard: if a BPDU is received on a PortFast port, shut it down
# (protects against someone plugging a switch into an access port)
 spanning-tree bpduguard enable

Tip

Always enable PortFast + BPDU Guard on switch ports connected to end hosts. Without PortFast, DHCP clients time out before the port comes up. BPDU Guard protects against rogue switches creating loops.

---

STP Troubleshooting

# Cisco - see current STP topology
show spanning-tree vlan 10

# See which ports are blocking
show spanning-tree blockedports

# Check if root bridge is the expected one
show spanning-tree | include Root

# See STP events (topology changes cause MAC table flushes → traffic floods)
show spanning-tree detail | include changes

# Linux software bridge
bridge link show
brctl showstp br0

Common STP problems:

Symptom	Likely Cause
Network freezes for 30s when a device connects	STP reconvergence; enable PortFast on access ports
Intermittent MAC flapping in switch logs	Topology change happening repeatedly - investigate rogue switch or link flap
Unexpected root bridge	Someone accidentally set a lower priority on a server’s bridged interface
Broadcast storm	Loop exists - STP not running on a switch in the path, or STP disabled