
Spanning Tree (STP) — preventing the loop apocalypse


A Layer-2 loop is catastrophic. A single broadcast frame in a looped topology gets re-broadcast forever, multiplied by every loop path, and the whole network melts within seconds. Spanning Tree Protocol (IEEE 802.1D) prevents this by automatically detecting loops and putting redundant links into a blocking state until they're actually needed.

Why loops happen

You want redundancy: two cables between Switch A and Switch B so a single cable cut doesn't isolate a building. The same logic plays out at every level: between distribution and access, between two cores, in a ring topology. Anywhere two paths exist between two switches, you have a potential loop. STP is the protocol that makes redundancy safe.

What STP does, in plain words

  1. Switches discover each other by exchanging BPDUs (Bridge Protocol Data Units, multicast to 01:80:C2:00:00:00).
  2. They elect one switch as the Root Bridge (lowest Bridge ID wins).
  3. Every other switch identifies its single best path back to the Root.
  4. Ports on each switch are then assigned roles:
    • Root port (RP) — the one port leading to the Root via the best path.
    • Designated port (DP) — the port elected for each L2 segment as the one that forwards traffic.
    • Non-Designated (Blocking) port — any other redundant port. Receives BPDUs but does NOT forward data.
  5. The result is a single loop-free tree rooted at the Root Bridge.

When a link fails, blocked ports re-evaluate; one transitions through Listening → Learning → Forwarding to take over. Classic STP convergence is ~30–50 seconds. (RSTP — next lesson — fixes that.)

Bridge ID anatomy

+--------------------+----------------+----------------+
| Bridge Priority    | (Sys ID Ext)   | Base MAC       |
| 4 bits (×4096)     | 12 bits (VLAN) | 48 bits        |
+--------------------+----------------+----------------+

The Bridge Priority defaults to 32768 on all Cisco switches. The lowest priority wins, and the lowest MAC breaks a priority tie. The "Sys ID Ext" embeds the VLAN ID so a per-VLAN root election (PVST) is possible: the VLAN ID is added to the priority (1 per VLAN number), so one configured priority value still produces a different Bridge ID in each VLAN.

To force a specific switch to be the root, set its priority lower:

Cisco IOS: Make SW1 the root for VLAN 10

root primary examines the current root's priority and sets the local one 4096 lower. root secondary sets it to 28672 (one priority increment better than the default) so the switch becomes the backup root if the primary fails.

Path cost

Once the root is elected, the path cost to the root determines RP/DP selection. Cost is summed along the path; lower wins. Standard costs (IEEE 802.1D-2004 short cost):

| Link speed | Cost |
|---|---|
| 10 Mbps | 100 |
| 100 Mbps | 19 |
| 1 Gbps | 4 |
| 10 Gbps | 2 |
| ≥40 Gbps | 1 (but "long" cost recommended for modern speeds) |

Tie-breakers on equal cost: lowest sender Bridge ID, then lowest sender Port ID.
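
The election and role rules above (lowest Bridge ID, summed path cost, then the sender Bridge ID and Port ID tie-breakers), worked through in Python as an added example that is not part of the original lesson. The switch names, MACs, port numbers and topology are constructed, and Port ID is simplified to the port number.

```python
# Added example, not code from the lesson. Switch names, MACs, port numbers
# and the topology are constructed. Port ID is simplified to the port number.
COST = {10: 100, 100: 19, 1000: 4, 10000: 2}  # Mbps -> short path cost

def bridge_id(priority, vlan, mac):
    """(priority + VLAN ID carried in the Sys ID Ext, base MAC); lowest wins."""
    return (priority + vlan, mac)

def compute_roles(bridges, links):
    """bridges: name -> bridge_id(); links: (sw_a, port_a, sw_b, port_b, mbps).
    Returns (root, {(switch, port): "RP" | "DP" | "BLK"})."""
    root = min(bridges, key=bridges.get)
    rpc = dict.fromkeys(bridges, float("inf"))  # root path cost per switch
    rpc[root] = 0
    for _ in bridges:  # relax every link until the costs settle
        for a, _pa, b, _pb, mbps in links:
            rpc[a] = min(rpc[a], rpc[b] + COST[mbps])
            rpc[b] = min(rpc[b], rpc[a] + COST[mbps])
    roles = {}
    for sw in bridges:  # root port: best (cost, sender Bridge ID, sender Port ID)
        if sw == root:
            continue
        offers = []
        for a, pa, b, pb, mbps in links:
            for me, my_port, nbr, nbr_port in ((a, pa, b, pb), (b, pb, a, pa)):
                if me == sw:
                    offers.append((rpc[nbr] + COST[mbps], bridges[nbr], nbr_port, my_port))
        roles[(sw, min(offers)[3])] = "RP"
    for a, pa, b, pb, _mbps in links:  # one designated port per segment
        win, lose = sorted([(rpc[a], bridges[a], pa, a), (rpc[b], bridges[b], pb, b)])
        roles[(win[3], win[2])] = "DP"
        roles.setdefault((lose[3], lose[2]), "BLK")  # keeps "RP" if already set
    return root, roles

BRIDGES = {
    "SW1": bridge_id(24576, 10, 0x0000000000A1),  # priority lowered: intended root
    "SW2": bridge_id(32768, 10, 0x0000000000B2),
    "SW3": bridge_id(32768, 10, 0x0000000000C3),
}
LINKS = [  # triangle with one slow uplink
    ("SW1", 1, "SW2", 1, 1000),
    ("SW1", 2, "SW3", 1, 100),
    ("SW2", 2, "SW3", 2, 1000),
]

if __name__ == "__main__":
    root, roles = compute_roles(BRIDGES, LINKS)
    print("root:", root, sorted(roles.items()))
```

In this topology SW3 reaches the root through SW2 (cost 4 + 4 = 8) rather than over its direct 100 Mbps link (cost 19), so the direct link's SW3 port is the one that blocks.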

Port states (classic 802.1D)

| State | Forwards data? | Learns MACs? | Listens to BPDUs? |
|---|---|---|---|
| Disabled | no | no | no |
| Blocking | no | no | yes |
| Listening (15s) | no | no | yes |
| Learning (15s) | no | yes | yes |
| Forwarding | yes | yes | yes |

That 15+15=30 second delay between activating a port and forwarding is why classic STP is slow. RSTP transitions faster by talking to its neighbor about whether to forward.

PortFast (for the love of users' patience)

Access ports connected to hosts shouldn't wait 30 seconds when a laptop plugs in. PortFast skips Listening + Learning and goes straight to Forwarding. Combined with BPDU Guard (shuts the port if a BPDU is received — because a host should never send BPDUs), this is the safe edge-port configuration:

Cisco IOS: Edge port — PortFast + BPDU Guard

What to remember

  • L2 loops are catastrophic; STP prevents them.
  • Lowest Bridge ID = Root. Force it by lowering priority on your intended core switch.
  • Port roles: RP (to root), DP (forwards on a segment), Blocking (redundant, doesn't forward).
  • Classic STP converges in ~30–50 s; RSTP much faster.
  • Use PortFast + BPDU Guard on every access port.