Table of Contents Link to heading

• Spanning Tree Versions
• Spanning Tree Protocol (STP)
• Spanning-Tree Algorithm (STA)
  • 1. Root Switch and Spanning Tree Algorithm (STA)
  • 2. Bridge Protocol Data Units (BPDUs)
  • 3. Root Election Process
  • 4. Root Port Selection and Path Cost
  • 5. Port Roles Beyond the Root Port
• How Each Port is Elected
  • Step 1 - Electing Root Switch
  • Step 2 - Electing Root Ports
  • Step 3 - Electing Designated Ports
  • Step 4 - Electing Non-Designated Ports
• Port Cost
• STP Port States
• STP Port Types
• STP Convergence
• STP Timers
• STP Topology Changes
• Per-VLAN Spanning Tree Plus (PVST+)
• Rapid Spanning Tree Protocol (RSTP)
  • RSTP Port States
  • RSTP Port Roles
  • STP versus RSTP
    • Similarities
    • Differences
      • Comparing Port States
• Multiple Spanning Tree (MST)
• Configuring and Verifying BID
• Cisco STP Toolkit
  • EtherChannel
  • PortFast
  • BPDU Guard
  • Configuration
• Troubleshooting STP

Spanning Tree Versions Link to heading

• 802.1D – original specification
  • Good for learning, a single spanning tree is used.
  • Often called Common Spanning Tree (CST) and STP.
• Per-VLAN Spanning Tree (PVST)
  • Uses the Cisco proprietary ISL trunking protocol.
    • Inter-Switch Link (ISL) – a way of tagging like 802.1Q.
  • Each VLAN has an instance of spanning tree.
  • Ability to load balance traffic at L2.
  • Includes extensions BackboneFast, UplinkFast, and PortFast.
• Per-VLAN Spanning Tree Plus (PVST+)
  • Supports ISL and IEEE 802.1Q trunking.
  • Supports Cisco proprietary STP extensions.
  • Adds BPDU guard and root guard enhancements.
  • Root switch selection is done for each VLAN.
  • Generally unusable in mixed vendor environments.
• 802.1W Rapid Per-VLAN Spanning Tree Plus (RPVST+)
  • Has faster convergence than 802.1D.
  • Root switch selection is done for each VLAN.
  • Use RPVST+ if STP is required since it provides for faster convergence than traditional 802.1D default timers.
• 802.1W Rapid Spanning Tree Protocol (RSTP)
  • Introduced in 1982 and provides faster convergence than 802.1D.
  • The replacement for CST/STP (IEEE 802.1D), which also provides backwards compatibility.
  • Implements generic versions of the Cisco-proprietary STP extensions.
  • IEEE has incorporated RSTP into 802.1D, identifying the specification as IEEE 802.1D-2004.
• 802.1S Multiple Spanning Tree (MST)
  • Inspired by the Cisco’s Multiple Instances Spanning Tree Protocol (MISTP).
  • IEEE 802.1Q (2003) now includes MST.
  • Multiple VLANs can be mapped to the same spanning-tree instance.
  • Root switch selection is based on instances.
  • Generally unusable in mixed vendor environments.

Spanning Tree Protocol (STP) Link to heading

Without STP, redundancy in the switched network, albeit useful for network reliability, would introduce the following LAN issues:

Since L2 does not have a “Time To Live” field like L3, the frame will never be discarded if there is a physical or logical loop in a network.

Spanning-Tree Algorithm (STA) Link to heading

1. Root Switch and Spanning Tree Algorithm (STA) Link to heading

• Root Switch/Bridge: One switch is chosen as the root, serving as the reference point for all STP calculations. The root is often called the root bridge because all its active interfaces operate in the forwarding state (known as Designated Ports). Although STP was developed when LAN bridges were prevalent, modern switches perform the same role, making “bridge” and “switch” interchangeable in this context.

• Spanning Tree Algorithm (STA): This is the process STP uses to determine which interfaces will remain in the forwarding state.

2. Bridge Protocol Data Units (BPDUs) Link to heading

• BPDUs Overview: BPDUs are frames exchanged between switches that contain STP information.

• Hello BPDUs: These are the most common type and include:

  • Root BID: The Bridge ID of the sender that is currently considered the root.
  • Sender’s BID: The Bridge ID of the switch sending the BPDU.
  • Sender’s Root Cost: The cumulative cost from the sender to the root switch.
  • Timer Values: These include the Hello timer, MaxAge timer, and the forward delay timer.

• Transmission: The root switch sends Hello BPDUs periodically (by default, every 2 seconds).

• Bridge ID (BID):

  • An 8-byte identifier consisting of:
    • Priority (2 bytes): Configurable in increments of 4096 (default is 32768, valid range 0–61440).
    • System ID (6 bytes): A burned-in MAC address that uniquely identifies each switch.
  • Extended System ID: A 12-bit field taken from the priority value to indicate the VLAN ID within the BPDU.

• Root Election Basis: The switch with the lowest BID becomes the root.

3. Root Election Process Link to heading

• Initial Claims: Every switch initially claims to be the root by sending Hello BPDUs with its own Bridge ID as the root BID.

• Determining the Root: When a switch receives a Hello BPDU with a lower (better) BID, it stops claiming root status and begins forwarding the superior BPDU.

• Manual Adjustment: Administrators can manually lower a switch’s priority to influence root election, ensuring the desired switch becomes the root.

4. Root Port Selection and Path Cost Link to heading

• Root Port (RP): Each non-root switch selects one port—the root port—through which the shortest (least cost) path to the root switch is reached. There is only one root port per VLAN on a switch.

• Calculating Root Cost: A switch calculates its root cost by summing the STP cost of each port along the path to the root. When a BPDU is received, the cost associated with the ingress port is added to the sender’s reported cost.

• Tiebreakers for Equal-Cost Paths: If multiple paths have the same cost, the switch uses the following criteria (in order) to choose:

  1. Lowest Bridge ID (BID)
  2. Lowest interface STP priority (default is 128)
  3. Lowest numerical interface number (for example, F0/1 before F0/2)

  (Note: The last two criteria are rarely applied in modern networks.)

5. Port Roles Beyond the Root Port Link to heading

• Designated Port (DP): An active port in the forwarding state that sends and receives BPDU frames. Each network segment (between switches) should have only one DP to connect downstream devices and switches.

• Non-Designated Port: These ports are blocked from forwarding traffic. They do not serve as either root ports or designated ports and are kept inactive for STP purposes.

How Each Port is Elected Link to heading

Step 1 - Electing Root Switch Link to heading

The first step with STP is to identify the root switch. As a switch initialises, it assumes that it is the root switch and uses the local bridge identifier as the root switch identifier.

It then listens to its neighbour’s configuration BPDU and does the following:

• If the neighbour’s configuration BPDU is inferior to its own BPDU, the switch ignores that BPDU.
• If the neighbour’s configuration BPDU is preferred to its own BPDU, the switch updates its BPDUs to include the new root switch identifier along with a new root path cost that correlates to the total path cost to reach the new root bridge.
• This process continues until all switches in a topology have identified the root switch.
• STP prefers lower priority number then goes to lower MAC address.

Step 2 - Electing Root Ports Link to heading

Once the Root Switch is found, the switch must determine its Root Port. The RP is selected using the following logic:

1. The interface associated to lowest path cost is more preferred.
2. The interface associated to the lowest system priority of the advertising switch is preferred next.
3. The interface associated to the lowest system MAC address of the advertising switch is preferred next.
4. When multiple links are associated to the same switch, the lowest port priority from the advertising switch is preferred.
5. When multiple links are associated to the same switch, the lower port number from the advertising switch is preferred.

Step 3 - Electing Designated Ports Link to heading

Step 4 - Electing Non-Designated Ports Link to heading

The RPs have been identified and all other ports are considered designated ports. If two non-root switches are connected to each other on their designated ports, one port must be set to a blocking state to prevent a forwarding loop.

Calculate which ports should be blocked between two non-root switches:

1. The interface is a designated port and must not be considered an RP.
2. The switch with the lower path cost to the root switch forwards, and the one with the higher path cost blocks. If they tie, they move on to the next step.
3. The system priority of the local switch is compared to the system priority of the remote switch. The local port is moved to a blocking state if the remote system priority is lower than that of the local switch. If they tie, they move on to the next step.
4. The system MAC address of the local switch is compared to the system priority of the remote switch. The local designated port is moved to a blocking state if the remote system MAC address is lower than that of the local switch. If the links are connected to the same switch, they move on to the next step.

Port Cost Link to heading

• The interface STP cost was originally stored as a 16-bit value, called short mode, with a reference value of 20 Gbps.
  • This is the default mode.
• Another method, called long mode, uses a 32-bit value and uses a reference speed of 20 Tbps.

STP Port States Link to heading

Every port on a switch using STP exist in one of the following five states:

STP Port Types Link to heading

STP Convergence Link to heading

1. All root and designated ports are in a forwarding state and all other active ports are in a blocking state.
2. The switches collectively realise that something has changed in the LAN topology and dynamically determine whether they need to change which ports block and which ports forward.

STP Timers Link to heading

STP Topology Changes Link to heading

BPDUs always flow from the root switch towards the edge switches, unless there are changes in the topology.

• The switch that detects a link status change sends a Topology Change Notification (TCN) BPDU out of its RP to the root switch.
• If an upstream switch receives the TCN, it sends out an acknowledgement and forwards the TCN out its RP to the root switch.
• Upon receipt of the TCN, the root switch creates a new configuration BPDU with the Topology Change flag set, and it is then flooded to all the switches.
• When switches receive this, they set their MAC address timer to a default 15 seconds. Then the device flushes its MAC table if has not heard from a device in that last 15 seconds.
• TCNs are generated on a VLAN basis, so the impact of TCNs directly correlates to the number of hosts in a VLAN.

Per-VLAN Spanning Tree Plus (PVST+) Link to heading

• A drawback to PVST+ is that there is solely one instance of PVST+ running for each VLAN in the network, regardless of whether there are different spanning-tree topologies required. This presents the potential for overwhelming the switch CPU and memory.
• Additionally, Cisco switches support a finite number of PVST instances. If more VLANs are created than there are PVST+ instances supported on a particular switch, some of the VLANs will not have any STP running, and therefore not having any switching loop protection.
• Rapid Per VLAN Spanning Tree (PVST+) is the Cisco implementation of RSTP on a per-VLAN basis.
  • Each VLAN runs an independent spanning tree instance of RSTP.
  • The number of VLANs = the number of root switches existing in the topology
• To identify which VLAN is described by a BPDU:
  1. List the VLAN ID in the System ID Extension field of the BPDU
  2. Add the VLAN ID in an extra TLV field in the BPDU
  3. Add a VLAN tag when forwarding a BPDU over VLAN trunks
• The receiving switch can check all three locations that list the VLAN ID to ensure that they all agree about what VLAN the BPDU is describing.

Rapid Spanning Tree Protocol (RSTP) Link to heading

• Most parameters have been left unchanged, meaning anyone who has configured STP before can easily configure RSTP.
• RSTP increases recalculation speed and also reaches convergence faster.
• If a port is configured to be an alternate port, it can immediately change to a forwarding state without waiting for the network to converge.

RSTP Port States Link to heading

1. Discarding
2. Learning
3. Forwarding

RSTP Port Roles Link to heading

• Alternate and Backup ports are additional types of non-forwarding (blocked) port states defined in RSTP.
• Backup ports apply only to designs that use hubs, so they are unlikely to be useful today.

STP versus RSTP Link to heading

Similarities Link to heading

• RSTP and STP elect the root switch using the same rules and tiebreakers.
• RSTP and STP switches select their root ports with the same rules.
• RSTP and STP elect designated ports on each LAN segment with the same rules and tiebreakers.
• RSTP and STP place each port in either forwarding or blocking state, although RSTP calls the blocking state the discarding state.

Differences Link to heading

• RSTP adds a mechanism by which a switch can replace its RP, without any waiting to reach a forwarding state (in some conditions).
• RSTP adds a new mechanism to replace a DP, without any waiting to reach a forwarding state (in some conditions).
• RSTP lowers waiting times for cases in which RSTP must wait for a timer.

Comparing Port States Link to heading

Multiple Spanning Tree (MST) Link to heading

Configuring and Verifying BID Link to heading

Regardless of the which per-VLAN Spanning Tree is used, two main configuration options can be used to achieve load-balancing:

1. Bridge ID - The bridge ID influences the choice of root switch and can be configured per VLAN.
2. Port cost - Each interface’s (per-VLAN) STP cost to reach the root influences the choice of designated port on each LAN segment.

Because PVST requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information. This is accomplished by reusing a portion of the Priority field as the extended system ID to carry a VID.

STP defaults and configurations options:

• The primary keyword sets the priority to 24576 or to the next 4096 increment value below the lowest bridge priority detected on the network.
• The secondary keyword sets the priority to 28672, assuming the rest of the network is set to the default priority of 32768.
• Alternatively, a specific priority value can be directly configured; however, priority value must be in increments of 4096 between 0 and 65536.

Cisco STP Toolkit Link to heading

Cisco recommends that you design for the use of the Cisco STP Toolkit to enhance the performance of IEEE 802.1D STP on your network.

EtherChannel Link to heading

One of the best ways to lower STP’s convergence time is to avoid convergence altogether. EtherChannel provides a way to prevent STP convergence from being needed when only a single port or cable failure occurs.

PortFast Link to heading

Ports connected to non-switch, non-bridge, or non-hub devices should be configured with PortFast, such as PCs, servers, and routers. However, make sure that you PortFast is not enabled on a port connected to another L2 switch, since this might inadvertently be creating a L2 loop, which will create broadcast storms and the mislearning of MAC addressing information.

BPDU Guard Link to heading

• Security exposures may include:
  • An attacker could connect a switch to one of these ports, one with a low STP/RSTP priority value, and become the root switch. The new STP/RSTP topology could have worse performance than the desired topology.
  • The attacker could plug into multiple ports, into multiple switches, become root, and actually forward much of the traffic in the LAN. Without the networking staff realising it, the attacker could use a LAN analyser to copy large numbers of data frames sent through the LAN.
  • Users could innocently harm the LAN when they buy and connect an inexpensive consumer LAN switch (one that does not use STP/RSTP). Such a switch, without any STP/RSTP function, would not choose to block any ports and could cause a loop.
• In addition, the BPDU Guard feature helps prevent problems with PortFast. PortFast should be enabled only on access ports that connect to user devices, not to other LAN switches. Using BPDU Guard on these same ports makes sense because if another switch connects to such a port, the local switch can disable the port before a loop is created.

Configuration Link to heading

Configure a specific access port (per interface):

Configure all access ports (globally):

Troubleshooting STP Link to heading

STP runs by default on switches and rarely causes problems in small- to medium-sized networks. However, if encountering STP problems, use the following steps to analyse:

1. Determine the root switch.
2. For each non-root switch, determine its one root port (RP) and cost to reach the root switch through that RP.
3. For each segment, determine the designated port (DP) and the cost advertised by the DP onto that segment.

Troubleshooting commands: