This chapter covers Spanning Tree Protocol (STP) troubleshooting, focusing on how loops form, how STP prevents them, and what happens during convergence events. For the N10-009 exam, STP troubleshooting appears in roughly 5-8% of questions, primarily in the Network Troubleshooting domain (Objective 5.2). Mastering STP states, timers, and common failure modes is essential for identifying the root cause of broadcast storms and connectivity outages in switched networks.
Imagine a large office building with multiple corridors that form loops. The fire marshal requires that all interior doors remain open for easy evacuation, but if two doors at opposite ends of a corridor are both open, a gust of wind can slam them repeatedly, a dangerous flapping loop. To prevent this, the building installs a smart latch system: one designated door (the root) stays open, and every other door calculates the shortest path to it. If any door detects a potential loop (e.g., a door receives its own latch signal), it immediately locks itself (blocking the port) and sends an alert. The system uses timers: every 2 seconds, doors send 'I am here' messages; if a door hears nothing for 20 seconds (ten missed messages, the Max Age), it assumes the path is broken and recalculates. In a properly designed building, the root door is chosen by the smallest serial number on its latch. If the root door fails, the door with the next smallest serial number takes over after about 50 seconds: 20 seconds to notice the silence, then two 15-second waiting periods before it fully opens. The smart latch system prevents the wind loop while ensuring there's always a clear evacuation path. If someone manually forces a door open that should be locked, the entire system may flap until the misconfiguration is fixed.
What is STP and Why Does It Exist?
Spanning Tree Protocol (STP), standardized as IEEE 802.1D, is a Layer 2 protocol that prevents loops in Ethernet networks with redundant links. Without STP, broadcast frames would circulate indefinitely, causing a broadcast storm that consumes bandwidth and CPU, ultimately bringing the network down. STP creates a loop-free logical topology by placing redundant ports in a blocking state.
How STP Works Internally
STP uses the Bridge Protocol Data Unit (BPDU) to exchange information between switches. IEEE BPDUs are sent to the multicast address 01:80:C2:00:00:00 (Cisco PVST+ uses 01:00:0C:CC:CC:CD) and are consumed, not flooded, by every switch running STP. There are two types of BPDUs:
- Configuration BPDUs: Originated by the root bridge every Hello interval (2 seconds) and relayed by every other switch out of its designated ports. They carry the root bridge ID, the sender's root path cost, the sender's bridge ID and port ID, and the timers (Message Age, Max Age, Hello Time, Forward Delay).
- Topology Change Notification (TCN) BPDUs: Sent by a non-root switch toward the root over its root port when it detects a topology change (e.g., a link goes down or a non-edge port moves to forwarding). The root answers by setting the Topology Change flag in its Configuration BPDUs.
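Added example (Python), not code from the original page: a decoder for IEEE 802.1D BPDU frames that extracts the fields listed above (root and sender bridge IDs, root path cost, port ID, flags and the four timers) and classifies whether a received BPDU advertises a better root than the one you expect, which is the condition root guard reacts to. The frames are constructed inline with the small builder at the bottom; the legitimate sample reuses the page's root bridge (0011.2233.4455, VLAN 1, default priority), while the priority-0 bridge, its MAC address and the `compare_root` helper are assumptions made for the demonstration.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D BPDU multicast destination
LLC_STP = bytes.fromhex("424203")         # DSAP 0x42, SSAP 0x42, UI control field
BPDU_TYPES = {0x00: "Configuration", 0x02: "RST", 0x80: "TCN"}


def parse_bridge_id(b: bytes) -> dict:
    """8-byte Bridge ID = 2-byte priority field + 6-byte MAC. With the extended
    system ID the top 4 bits are the configured priority and the low 12 bits the
    VLAN, so VLAN 1 with priority 32768 is carried on the wire as 32769."""
    pri = int.from_bytes(b[:2], "big")
    return {"priority": pri, "base_priority": pri & 0xF000, "sys_id_ext": pri & 0x0FFF,
            "mac": ":".join(f"{x:02x}" for x in b[2:8]),
            "value": int.from_bytes(b, "big")}   # the election compares this; lowest wins


def decode_bpdu_frame(frame: bytes) -> dict:
    """Decode an 802.3/LLC-encapsulated (IEEE, untagged) BPDU frame. Cisco PVST+
    BPDUs use 01:00:0c:cc:cc:cd with a SNAP header and are not handled here."""
    if len(frame) < 21 or frame[:6] != STP_DST or frame[14:17] != LLC_STP:
        raise ValueError("not an IEEE 802.1D BPDU frame")
    length = int.from_bytes(frame[12:14], "big")      # 802.3 length field: LLC + BPDU
    body = frame[17:14 + length]
    if len(body) < 4:
        raise ValueError("truncated BPDU")
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0 or btype not in BPDU_TYPES:
        raise ValueError("unknown BPDU protocol id or type")
    bpdu = {"src_mac": ":".join(f"{x:02x}" for x in frame[6:12]),
            "version": version, "type": BPDU_TYPES[btype]}
    if btype == 0x80:                                  # a TCN carries no further fields
        return bpdu
    if len(body) < 35:
        raise ValueError("truncated configuration BPDU")
    flags = body[4]
    root_path_cost, = struct.unpack("!I", body[13:17])
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", body[25:35])
    bpdu.update({
        "tc": bool(flags & 0x01),          # Topology Change flag (root sets it for Max Age + Forward Delay)
        "tca": bool(flags & 0x80),         # Topology Change Acknowledgement
        "root_id": parse_bridge_id(body[5:13]),
        "root_path_cost": root_path_cost,
        "bridge_id": parse_bridge_id(body[17:25]),
        "port_priority": port_id >> 8, "port_number": port_id & 0xFF,
        # timers are encoded in units of 1/256 second
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    })
    return bpdu


def compare_root(bpdu: dict, expected_root_value: int) -> str:
    """'superior' = the BPDU advertises a root with a lower bridge ID than the one
    we expect: a newly attached switch with a lower MAC, or a crafted frame.
    A root-guarded port receiving such a BPDU goes root-inconsistent."""
    v = bpdu["root_id"]["value"]
    return "superior" if v < expected_root_value else "same" if v == expected_root_value else "inferior"


# ---- constructed samples (the builders exist only to fabricate test frames) ----
def bridge_id_bytes(priority: int, vlan: int, mac: str) -> bytes:
    return struct.pack("!H", priority | vlan) + bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_config_bpdu(src_mac: str, root_id: bytes, cost: int, bridge_id: bytes,
                      port_id: int, tc: bool = False) -> bytes:
    body = (struct.pack("!HBBB", 0, 0, 0x00, 0x01 if tc else 0) + root_id + struct.pack("!I", cost)
            + bridge_id + struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256))
    src = bytes.fromhex(src_mac.replace(":", "").replace(".", ""))
    return STP_DST + src + struct.pack("!H", 3 + len(body)) + LLC_STP + body


ROOT_ID = bridge_id_bytes(32768, 1, "0011.2233.4455")          # the page's root bridge, VLAN 1
ROGUE_ID = bridge_id_bytes(0, 1, "00:de:ad:be:ef:01")          # hypothetical priority-0 bridge
LEGIT_FRAME = build_config_bpdu("0011.2233.4455", ROOT_ID, 0, ROOT_ID, 0x8001)
ROGUE_FRAME = build_config_bpdu("00:de:ad:be:ef:01", ROGUE_ID, 0, ROGUE_ID, 0x8001, tc=True)
TCN_FRAME = (STP_DST + bytes.fromhex("001122334455") + struct.pack("!H", 7)
             + LLC_STP + struct.pack("!HBB", 0, 0, 0x80))

if __name__ == "__main__":
    expected = decode_bpdu_frame(LEGIT_FRAME)["root_id"]["value"]
    for frame in (LEGIT_FRAME, ROGUE_FRAME, TCN_FRAME):
        d = decode_bpdu_frame(frame)
        verdict = compare_root(d, expected) if "root_id" in d else "-"
        print(d["type"], d["src_mac"], d.get("root_id", {}).get("priority"), verdict)
```

Feeding the decoder a capture from a SPAN port is the quickest way to confirm which bridge ID a segment is actually hearing as root and whether the TC flag is being set continuously, the two facts the troubleshooting steps below ask you to establish.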
Bridge ID: An 8-byte value consisting of a 2-byte priority (default 32768) and a 6-byte MAC address. The switch with the lowest bridge ID becomes the root bridge.
Path Cost: Derived from link speed. The classic IEEE 802.1D-1998 'short' costs, which remain the default on Cisco PVST+ and Rapid PVST+, are:
- 10 Mbps: cost 100
- 100 Mbps: cost 19
- 1 Gbps: cost 4
- 10 Gbps: cost 2
(802.1D-2004, which absorbed 802.1t, and MSTP use a 'long' scale in which 1 Gbps costs 20,000 and 10 Gbps 2,000.) A switch's root path cost is the sum of the link costs along its path to the root; each switch adds the cost of the port on which it receives the root's BPDU.
Port Roles:
- Root Port (RP): The port on a non-root switch with the lowest path cost to the root bridge. Ties are broken by the sender's bridge ID, then the sender's port ID, then the receiving port ID. One per non-root switch.
- Designated Port (DP): The port on a segment that has the lowest path cost to the root bridge (ties broken by bridge ID, then port ID). One per segment; every port on the root bridge is designated.
- Alternate Port (AP): A port that provides an alternate path to the root but is placed in blocking state.
- Backup Port (BP): A port that receives BPDUs sent by another port of the same switch, i.e. two ports on one shared segment (a hub); blocked. Rare in modern point-to-point networks.
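Added example (Python, not from the page): a small election and port-role calculator that applies the rules just listed, lowest bridge ID for the root, lowest (root path cost, sender bridge ID, sender port ID, own port ID) for the root port, and lowest (root path cost, bridge ID, port ID) for the designated end of each segment, using the short path costs above. The topology is constructed: two distribution switches with priorities 4096 and 8192, two dual-homed access switches, and a priority-0 switch plugged into an access port, run first without and then with root guard on that port. Root guard is modelled as 'a guarded port is never allowed to become a root port', which is the page's definition; all MAC addresses and port numbers are made up.

```python
from dataclasses import dataclass
from heapq import heappush, heappop

# 802.1D-1998 "short" path costs, still the Cisco PVST+/Rapid PVST+ default
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Switch:
    name: str
    priority: int        # 0-61440 in steps of 4096
    mac: str

    @property
    def bridge_id(self) -> int:
        """2-byte priority followed by the 6-byte MAC; the lowest integer wins."""
        return (self.priority << 48) | int(self.mac.replace(":", "").replace(".", ""), 16)


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int


def port_id(port: int) -> int:
    return (128 << 8) | port     # default port priority 128 assumed


def _elect(sw: dict, links: list) -> dict:
    """One election round: root, root path costs and port roles per connected component."""
    adj = {n: [] for n in sw}                      # name -> [(neighbour, own port, neighbour port, cost)]
    for l in links:
        adj[l.a].append((l.b, l.a_port, l.b_port, PATH_COST[l.speed_mbps]))
        adj[l.b].append((l.a, l.b_port, l.a_port, PATH_COST[l.speed_mbps]))
    roots, ports, seen = set(), {}, set()
    for start in sw:
        if start in seen:
            continue
        comp, stack = set(), [start]               # switches reachable from 'start'
        while stack:
            x = stack.pop()
            if x not in comp:
                comp.add(x)
                stack.extend(nb for nb, *_ in adj[x])
        seen |= comp
        root = min(comp, key=lambda n: sw[n].bridge_id)
        roots.add(root)
        rpc, heap = {root: 0}, [(0, root)]         # Dijkstra: root path cost = link costs summed from the root
        while heap:
            d, x = heappop(heap)
            if d > rpc[x]:
                continue
            for nb, _, _, c in adj[x]:
                if d + c < rpc.get(nb, float("inf")):
                    rpc[nb] = d + c
                    heappush(heap, (d + c, nb))
        root_port = {}                             # non-root switches: best upstream neighbour
        for n in comp - {root}:
            best = min(adj[n], key=lambda e: (rpc[e[0]] + e[3], sw[e[0]].bridge_id,
                                               port_id(e[2]), port_id(e[1])))
            root_port[n] = best[1]
        for l in links:                            # designated end of each segment
            if l.a not in comp:
                continue
            a_key = (rpc[l.a], sw[l.a].bridge_id, port_id(l.a_port))
            b_key = (rpc[l.b], sw[l.b].bridge_id, port_id(l.b_port))
            desg, other = (((l.a, l.a_port), (l.b, l.b_port)) if a_key < b_key
                           else ((l.b, l.b_port), (l.a, l.a_port)))
            ports[desg] = ("designated", "FWD")
            ports[other] = (("root", "FWD") if root_port.get(other[0]) == other[1]
                            else ("alternate", "BLK"))
    return {"roots": roots, "ports": ports}


def run_stp(switches, links, root_guard=frozenset()) -> dict:
    """Election with root guard: a guarded port that would become a root port (it heard
    a superior BPDU) is put root-inconsistent, its link is ignored and the election is
    rerun, which is what Cisco root guard does until the superior BPDUs stop."""
    sw, active, tripped = {s.name: s for s in switches}, list(links), set()
    while True:
        result = _elect(sw, active)
        new = {p for p, (role, _) in result["ports"].items() if role == "root" and p in root_guard}
        if not new:
            break
        tripped |= new
        active = [l for l in active if (l.a, l.a_port) not in new and (l.b, l.b_port) not in new]
    for p in tripped:
        result["ports"][p] = ("root-inconsistent", "BLK")
    result["blocked"] = sorted(p for p, (_, st) in result["ports"].items() if st == "BLK")
    return result


# Constructed topology: collapsed core, deterministic root, dual-homed access switches.
SWITCHES = [Switch("DIST1", 4096, "00:00:00:00:00:01"), Switch("DIST2", 8192, "00:00:00:00:00:02"),
            Switch("ACC1", 32768, "00:00:00:00:00:11"), Switch("ACC2", 32768, "00:00:00:00:00:12")]
LINKS = [Link("DIST1", 1, "DIST2", 1, 10000),
         Link("ACC1", 1, "DIST1", 2, 1000), Link("ACC1", 2, "DIST2", 2, 1000),
         Link("ACC2", 1, "DIST1", 3, 1000), Link("ACC2", 2, "DIST2", 3, 1000)]
ROGUE = Switch("ROGUE", 0, "00:de:ad:be:ef:01")      # priority 0 plugged into ACC1 port 10
ROGUE_LINK = Link("ROGUE", 1, "ACC1", 10, 1000)

if __name__ == "__main__":
    for label, sws, lks, guard in (
            ("baseline", SWITCHES, LINKS, frozenset()),
            ("rogue, no root guard", SWITCHES + [ROGUE], LINKS + [ROGUE_LINK], frozenset()),
            ("rogue, root guard on ACC1 port 10", SWITCHES + [ROGUE], LINKS + [ROGUE_LINK],
             frozenset({("ACC1", 10)}))):
        r = run_stp(sws, lks, guard)
        print(f"{label}: roots={sorted(r['roots'])} blocked={r['blocked']}")
```

Without root guard the priority-0 switch wins the election and the 10 Gbps link between the two distribution switches ends up blocked, so distribution traffic is hairpinned through an access switch; with root guard on the access port the rogue is isolated in root-inconsistent state and the original tree is unchanged.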
Port States:
- Blocking: No data forwarding, no MAC learning, receives BPDUs. A blocking port leaves this state either when the switch sees its own root port go down (direct failure) or when the BPDU information stored on the port ages out after Max Age (20 seconds) because BPDUs stopped arriving.
- Listening: No data forwarding, no MAC learning, sends/receives BPDUs, transitions to learning after Forward Delay (default 15 seconds).
- Learning: No data forwarding, learns MAC addresses, sends/receives BPDUs, transitions to forwarding after Forward Delay.
- Forwarding: Data forwarding and MAC learning enabled.
- Disabled: Administratively down.
Convergence: After a direct link failure (the switch sees its root port go down), the replacement port passes through listening and learning, so it takes 2 * Forward Delay = 30 seconds by default to reach forwarding. After an indirect failure (BPDUs simply stop arriving, e.g. the root bridge dies or a link fails two switches away), the switch must first wait Max Age (20 seconds) for its stored BPDU to expire, for a total of 50 seconds. When a switch detects a change it sends a TCN BPDU to the root bridge, which sets the Topology Change flag in its Configuration BPDUs for Max Age + Forward Delay seconds (default 20 + 15 = 35 seconds); every switch that sees the flag shortens its MAC address aging time from 300 seconds to Forward Delay (15 seconds) so that entries learned over the old path are flushed.
Key Timers and Defaults
Hello Time: 2 seconds (configurable 1-10 seconds)
Forward Delay: 15 seconds (configurable 4-30 seconds)
Max Age: 20 seconds (configurable 6-40 seconds)
Hold Time: 1 second (minimum interval between BPDUs)
STP Variants
Rapid Spanning Tree Protocol (RSTP), IEEE 802.1w: Converges in well under a second on point-to-point links by replacing timer-driven transitions with an explicit proposal/agreement handshake between neighbours, collapsing the states to discarding/learning/forwarding, and defining edge ports that go straight to forwarding.
Multiple Spanning Tree Protocol (MSTP), IEEE 802.1s: Allows multiple VLANs to map to different spanning tree instances, reducing CPU load.
Per-VLAN Spanning Tree (PVST/PVST+): Cisco proprietary, runs a separate STP instance per VLAN.
Rapid PVST+: Cisco's implementation of RSTP per VLAN.
Common STP Troubleshooting Issues
1. Unidirectional Links: If a link passes traffic in only one direction (e.g., one fibre strand broken or a TX/RX mismatch), one side stops receiving BPDUs while the other end keeps sending and forwarding. A port that was blocking because it heard superior BPDUs will, once Max Age expires, move through listening and learning to forwarding, and a loop forms.
2. BPDU Guard: A security feature that disables a port if it receives a BPDU. Commonly used on access ports. If a switch is connected to a port configured with BPDU Guard, the port goes into errdisable state.
3. Root Guard: Prevents a port from becoming a root port, i.e. keeps the root bridge on the expected side of that port. If a superior BPDU is received on a root-guarded port, the port goes into root-inconsistent state (blocked) and recovers automatically once the superior BPDUs stop.
4. Loop Guard: Prevents a root or alternate port from becoming designated (and forwarding) if BPDUs stop being received on it, e.g. due to a unidirectional link. The port is placed in loop-inconsistent state (blocked) until BPDUs resume.
5. UDLD (Unidirectional Link Detection): A Cisco-proprietary protocol that exchanges Layer 2 hello messages listing the neighbour ports each side hears, so each side can confirm the link is bidirectional. In normal mode the port is errdisabled only when a unidirectional condition is positively detected (the neighbour's echo does not list this port) and is otherwise marked undetermined; in aggressive mode the port is also errdisabled when hellos from a known neighbour stop and eight attempts to re-establish the relationship fail. Unlike loop guard, UDLD checks the physical link itself and therefore also protects designated ports.
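An added Python model (not from the page) of an alternate port's state machine and timers under the two failure types discussed above, using the page's defaults (Hello 2 s, Max Age 20 s, Forward Delay 15 s). A direct failure of the switch's root port promotes the alternate port at once, so it forwards 30 s later. When BPDUs simply stop arriving (the unidirectional-link case) the stored root information must first age out, so the port forwards 50 s after the last BPDU; if the neighbour is still forwarding, that is the loop. With loop guard the same port goes loop-inconsistent instead and returns to blocking when BPDUs resume. The event times are constructed; the second-by-second loop is a simplification of the real per-port timers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Timers:
    hello: int = 2            # seconds between BPDUs from the designated bridge
    max_age: int = 20         # stored BPDU information expires this long after the last BPDU
    forward_delay: int = 15   # time spent in each of listening and learning


def simulate_alternate_port(bpdu_seconds, duration, loop_guard=False,
                            root_port_down_at=None, t=Timers()):
    """Second-by-second timeline of an alternate (blocking) port on a non-root switch.

    bpdu_seconds:       seconds at which a BPDU from the designated neighbour arrives.
    root_port_down_at:  second at which this switch's own root port goes down (direct
                        failure); this promotes the port without waiting for Max Age.
    loop_guard:         if True, BPDU loss moves the port to loop-inconsistent instead
                        of letting it transition to forwarding.
    Returns the list of (second, new_state) transitions.
    """
    received, transitions = set(bpdu_seconds), []
    state, since, last_bpdu, promoted = "BLK", 0, None, False

    def move(now, new):
        nonlocal state, since
        state, since = new, now
        transitions.append((now, new))

    for now in range(duration + 1):
        if now == root_port_down_at and state == "BLK":
            promoted = True                # this port is now the switch's root port
            move(now, "LIS")
        if now in received:
            last_bpdu = now
            if not promoted and state != "BLK":
                move(now, "BLK")           # superior BPDU heard again: back to alternate
        if state == "BLK" and last_bpdu is not None and now - last_bpdu >= t.max_age:
            # Max Age expired without a BPDU: classic STP assumes the upstream path is gone
            move(now, "loop-inconsistent" if loop_guard else "LIS")
        elif state == "LIS" and now - since >= t.forward_delay:
            move(now, "LRN")
        elif state == "LRN" and now - since >= t.forward_delay:
            move(now, "FWD")
    return transitions


def forwarding_at(transitions):
    """First second the port forwards, or None if it never did."""
    return next((sec for sec, st in transitions if st == "FWD"), None)


# Constructed timelines: BPDUs every Hello interval until second 10, then silence.
HELLOS_THEN_SILENCE = list(range(0, 11, 2))

if __name__ == "__main__":
    cases = {
        "direct root-port failure at t=11":
            simulate_alternate_port(list(range(0, 61, 2)), 60, root_port_down_at=11),
        "BPDU loss at t=10, no loop guard":
            simulate_alternate_port(HELLOS_THEN_SILENCE, 70),
        "BPDU loss at t=10, loop guard, BPDUs resume at t=66":
            simulate_alternate_port(HELLOS_THEN_SILENCE + [66, 68], 70, loop_guard=True),
    }
    for label, tl in cases.items():
        print(f"{label}: {tl}  forwarding from: {forwarding_at(tl)}")
```

The two timelines are the source of the 30-second and 50-second figures the exam asks about: the only difference is whether the switch has to wait for Max Age before it starts the Forward Delay transitions.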
Verification Commands
show spanning-tree
show spanning-tree vlan 10
show spanning-tree interface gigabitethernet0/1 detail
show spanning-tree root
show spanning-tree blockedports
show spanning-tree summary
Example output:
```text
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0011.2233.4455
             This bridge is the root
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0011.2233.4455
             Aging Time  300
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
```
Note the priority field: with the extended system ID the VLAN number is added to the configured priority, so a VLAN 1 bridge left at the default shows 32769. Both ports are designated and forwarding because this switch is the root; cost 4 is the short path cost of a 1 Gbps link.
Troubleshooting Steps
Identify the root bridge: Use show spanning-tree root. If the root bridge is not the expected switch, check bridge priorities.
Check for blocked ports: Use show spanning-tree blockedports. If no ports are blocked, there may be no redundancy or a loop exists.
Verify port roles and states: Look for ports in unexpected blocking or forwarding states.
Check for TCNs: Use `show spanning-tree detail | include topology|from` to see how many topology changes each VLAN has recorded, when the last one occurred and which port reported it. A counter that keeps climbing points at a flapping link or a host-facing port that lacks PortFast.
Examine logs: Look for messages about BPDU guard, root guard, or loop guard violations.
Use debug commands: debug spanning-tree events (caution: high CPU on production).
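The steps above are normally done by eye; here they are as an added Python script (not from the page) that parses `show spanning-tree` output and applies the checks: is the root the switch you expect, is the root's priority still the default (so the election was decided by MAC address alone), does a non-root bridge have exactly one root port, are any ports stuck in listening or learning, has root guard or loop guard blocked anything, and does a non-root switch with several non-edge uplinks have nothing blocked. Both outputs are constructed in the Cisco IOS format: the first reuses the root bridge from the example output above, the second is an access switch whose VLAN 10 is healthy and whose VLAN 20 shows the problems the checks look for. The same script covers the root-bridge, blocked-port, port-role and configuration checks described again later on this page.

```python
import re

ROW = re.compile(r"^(?P<intf>\S+)\s+(?P<role>Root|Desg|Altn|Back)\s+(?P<sts>FWD|BLK|LIS|LRN|DIS|BKN\*)"
                 r"\s*(?P<cost>\d+)\s+(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>.*?)\s*$")
FIELDS = {"priority": r"Priority\s+(\d+)", "address": r"Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
          "cost": r"^Cost\s+(\d+)", "port": r"^Port\s+\d+\s+\((\S+)\)", "sys_id_ext": r"sys-id-ext\s+(\d+)"}


def parse_show_spanning_tree(text: str) -> dict:
    """{vlan_id: {root, bridge, is_root, ports}} from IOS 'show spanning-tree' output."""
    vlans, cur, section = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"^VLAN(\d{4})$", s)
        if m:
            cur = vlans[int(m.group(1))] = {"root": {}, "bridge": {}, "is_root": False, "ports": []}
            section = None
            continue
        if cur is None:
            continue
        if s.startswith("Root ID"):
            section = "root"
        elif s.startswith("Bridge ID"):
            section = "bridge"
        if s == "This bridge is the root":
            cur["is_root"] = True
        elif ROW.match(s):
            p = ROW.match(s).groupdict()
            p["cost"], p["nbr"] = int(p["cost"]), int(p["nbr"])
            cur["ports"].append(p)
        elif section:                      # Root ID / Bridge ID blocks
            for key, pattern in FIELDS.items():
                m = re.search(pattern, s)
                if m:
                    cur[section][key] = m.group(1) if key in ("address", "port") else int(m.group(1))
    return vlans


def audit(vlans: dict, expected_root_mac: str) -> list:
    """Checks in the order a troubleshooter applies them; returns readable findings."""
    out = []
    for vid, v in sorted(vlans.items()):
        tag, root, ports = f"VLAN{vid}", v["root"], v["ports"]
        if root.get("address") != expected_root_mac:
            out.append(f"{tag}: root is {root.get('address')} (priority {root.get('priority')}), "
                       f"expected {expected_root_mac}")
        if root.get("priority", 0) - vid == 32768:      # wire priority = configured priority + VLAN id
            out.append(f"{tag}: root priority is the default 32768; election decided by lowest MAC")
        root_ports = [p["intf"] for p in ports if p["role"] == "Root"]
        if not v["is_root"] and len(root_ports) != 1:
            out.append(f"{tag}: non-root bridge has {len(root_ports)} root ports, expected 1")
        for p in ports:
            if p["sts"] in ("LIS", "LRN"):
                out.append(f"{tag}: {p['intf']} still in {p['sts']} (convergence in progress)")
            if p["sts"] == "BKN*" or "_Inc" in p["type"]:
                out.append(f"{tag}: {p['intf']} blocked by a guard feature ({p['type']})")
        fwd = [p["intf"] for p in ports if p["sts"] == "FWD" and "Edge" not in p["type"]]
        if not v["is_root"] and not any(p["sts"] == "BLK" for p in ports) and len(fwd) >= 2:
            out.append(f"{tag}: no blocked ports but non-edge ports {', '.join(fwd)} all forwarding: "
                       "either there is no redundant path or STP is not blocking a loop")
    return out


# Constructed outputs in IOS format (abbreviated): the page's root bridge, then an access switch.
SAMPLE_ROOT = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0011.2233.4455
             This bridge is the root
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0011.2233.4455
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
"""
SAMPLE_ACCESS = """\
VLAN0010
  Root ID    Priority    4106
             Address     0011.2233.4455
             Cost        4
             Port        1 (GigabitEthernet0/1)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0000.0000.0011
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p
Gi0/10              Desg FWD 4         128.10   P2p Edge
VLAN0020
  Root ID    Priority    32788
             Address     000c.2900.0001
             Cost        8
             Port        2 (GigabitEthernet0/2)
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     0000.0000.0011
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg LIS 4         128.1    P2p
Gi0/2               Root FWD 4         128.2    P2p
Gi0/10              Desg BKN*4         128.10   P2p *ROOT_Inc
"""

if __name__ == "__main__":
    for name, text in (("root", SAMPLE_ROOT), ("access", SAMPLE_ACCESS)):
        for line in audit(parse_show_spanning_tree(text), "0011.2233.4455") or [f"{name}: no findings"]:
            print(line)
```

Run against real output (paste it into `text`), the one finding that fires on the page's own root sample is worth taking seriously: a root whose priority is still 32768 was elected by MAC address alone, which is exactly the edge case discussed later where a newly attached switch with a lower MAC silently takes over.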
How STP Interacts with Related Technologies
VLANs: PVST+ runs a separate STP instance per VLAN, allowing load balancing. However, it increases CPU usage. MSTP reduces instances by grouping VLANs.
EtherChannel: STP treats an EtherChannel as a single logical link. All ports in the channel must have the same configuration.
StackWise/Virtual Switching System (VSS): Stacked switches appear as one logical switch with one STP instance.
PortFast: Bypasses listening/learning states on access ports (connected to end devices). Should never be used on trunk ports.
BPDU Filter: Disables BPDU transmission and reception on a port; dangerous if used incorrectly.
Default Values Summary
| Parameter | Default | Range |
|-----------|---------|-------|
| Bridge Priority | 32768 | 0-61440 in increments of 4096 |
| Hello Time | 2 sec | 1-10 sec |
| Forward Delay | 15 sec | 4-30 sec |
| Max Age | 20 sec | 6-40 sec |
| Path Cost (1 Gbps) | 4 | 1-200000000 |
| Path Cost (10 Gbps) | 2 | 1-200000000 |
Exam Tip
The N10-009 exam expects you to know the default timers, the four port states (blocking, listening, learning, forwarding), and the difference between classic STP and RSTP. Be prepared to interpret show spanning-tree output and identify the root bridge, root port, and designated port. Also know the purpose of BPDU guard, root guard, and loop guard.
Identify the Root Bridge
Use `show spanning-tree root` to determine which switch is the root bridge for each VLAN; the output lists the root's priority and MAC address, this switch's cost to reach it and the root port. The root bridge is the switch with the lowest bridge ID (priority + MAC). If no root is elected, check if BPDUs are being exchanged. A common issue is a switch with a lower bridge ID than expected becoming root, typically a switch left at the default priority whose MAC address happens to be the lowest. If the root is not the intended core switch, adjust the priority using `spanning-tree vlan <vlan> priority <0-61440>` (the value must be a multiple of 4096).
Check for Blocked Ports
Run `show spanning-tree blockedports` to confirm that STP has placed some ports in blocking state. If no ports are blocked, the network may have no redundancy (all links active) or there may be a loop because STP is not functioning. Also check for ports in 'listening' or 'learning' state longer than expected, which indicates convergence issues.
Verify Port Roles and States
Examine each switch's port roles using `show spanning-tree interface <int> detail`. A non-root switch should have exactly one root port per VLAN; its remaining ports are either designated (facing downstream switches or end hosts) or alternate/backup (blocked). Look for a second uplink toward the root that is designated and forwarding instead of alternate and blocking: if a port that should be blocking is in forwarding, a loop may exist. Check for 'root-inconsistent' or 'loop-inconsistent' states (shown as BKN* with *ROOT_Inc or *LOOP_Inc in the Type column) that indicate guard features are triggered.
Examine BPDU Exchange
Use `debug spanning-tree events` (with caution) to see BPDU reception and transmission. If a switch stops receiving BPDUs on a root or alternate port, the stored BPDU expires after Max Age (20 sec) and the port starts moving through listening and learning toward forwarding, reaching it 30 seconds later. This can happen due to unidirectional links, faulty cables, or a neighbour whose CPU is too busy to send BPDUs on time. Also check for TCNs that indicate frequent topology changes.
Check for Configuration Errors
Incorrect configuration of PortFast, BPDU guard, or root guard can cause connectivity loss. For example, enabling PortFast on a trunk to another switch lets the port forward immediately and can cause a temporary loop until STP converges. Verify that PortFast is only on ports facing end devices. Also check for inconsistent allowed-VLAN lists across the two ends of a trunk: STP runs per VLAN, so if a VLAN is allowed on one end only, that VLAN's BPDUs are dropped on the link, the STP topology in that VLAN no longer matches the physical topology, and a redundant path can be left unblocked in that VLAN.
In a large enterprise campus network with hundreds of switches, STP is critical for redundancy while preventing loops. A common deployment scenario is a collapsed core with two distribution switches and multiple access switches. Each access switch connects to both distribution switches via two uplinks. STP blocks one uplink per VLAN to prevent loops. The root bridge is set to one of the distribution switches (priority 4096) to ensure deterministic behavior. The other distribution switch has a higher priority (8192) to act as backup.
In production, performance considerations include CPU load from multiple STP instances (one per VLAN) and convergence time during link failures. To mitigate, many organizations use Rapid PVST+ or MSTP. MSTP is preferred when there are many VLANs (e.g., 100+), as it maps them to a few instances, reducing CPU usage. A common mistake is forgetting to configure the same MST region name, revision number and VLAN-to-instance mapping on all switches; switches whose region configuration differs treat each other as separate regions, which breaks the intended load balancing.
Another scenario is a data center with top-of-rack switches connecting to end-of-row aggregation switches. Here server-facing ports are configured with PortFast and BPDU guard: STP still runs on them, but the port skips listening and learning so the server has immediate connectivity. If a server is replaced with a switch, BPDU guard errdisables the port as soon as a BPDU arrives, preventing a loop. Misconfiguration occurs when an administrator enables BPDU filter instead of BPDU guard on a port that reaches another switch, suppressing BPDUs and potentially causing a loop. A real-world example: a network engineer applied BPDU filter to all ports, so they stopped sending and processing BPDUs; a loop formed and the resulting broadcast storm took down the entire network for 10 minutes until the configuration was reversed.
Scale considerations: In a network with over 1000 VLANs, running PVST+ can overwhelm the switch CPU. MSTP with 10-20 instances is recommended. Also, using EtherChannel between switches reduces the number of STP ports and simplifies troubleshooting.
The N10-009 exam (Objective 5.2) tests your ability to troubleshoot STP loops and convergence issues. Specifically, you must:
Identify the root cause of a broadcast storm (e.g., unidirectional link, BPDU filter misconfiguration).
Interpret show spanning-tree output to determine root bridge, port roles, and states.
Know default timers: Hello (2 sec), Forward Delay (15 sec), Max Age (20 sec).
Understand the difference between STP and RSTP (RSTP converges faster via edge ports and proposal/agreement).
Recognize the function of BPDU guard, root guard, and loop guard.
Common wrong answers and traps:
1. 'The root bridge is the switch with the highest bridge priority.' Wrong: it is the lowest. Candidates confuse priority with IP routing metrics.
2. 'PortFast should be enabled on trunk ports to speed convergence.' Wrong: PortFast is for ports facing end devices. Enabling it on a link to another switch can cause loops.
3. 'BPDU guard prevents loops by filtering BPDUs.' Wrong: BPDU guard errdisables the port upon receiving a BPDU. BPDU filter suppresses BPDUs, which can cause loops.
4. 'STP convergence takes 50 seconds' versus 'STP convergence takes 30 seconds.' Both figures are right for different failures: after a direct link failure the switch skips Max Age and needs 2 * Forward Delay = 30 seconds; after an indirect failure (the root bridge fails or BPDUs stop arriving from upstream) it first waits Max Age (20 sec), for 50 seconds in total. Read the scenario to decide which applies.
Edge cases:
- If a switch receives a BPDU with a lower bridge ID than its current root, it will accept that switch as the new root. This can happen if a new switch with default priority (32768) but a lower MAC address is plugged in: it becomes root, potentially causing suboptimal paths.
- In a network with multiple VLANs, a loop may exist in only one VLAN if STP is not running in that VLAN (e.g., due to misconfiguration).
How to eliminate wrong answers: Always trace the BPDU path. If a question describes a broadcast storm, look for a reason BPDUs are not being received—unidirectional link, BPDU filter, or disabled STP. If a port is in forwarding but should be blocking, suspect Max Age expiry due to BPDU loss.
STP prevents loops by placing redundant ports in blocking state; default timers: Hello 2s, Forward Delay 15s, Max Age 20s.
Root bridge is elected by lowest bridge ID (priority + MAC); default priority is 32768.
Port states in classic STP: Blocking, Listening, Learning, Forwarding (plus Disabled for an administratively down port).
RSTP (802.1w) converges faster with only Discarding, Learning, Forwarding states.
BPDU guard errdisables a port on BPDU reception; BPDU filter suppresses BPDUs and can cause loops.
Unidirectional links cause STP to fail to detect loops; use UDLD or loop guard to mitigate.
PVST+ runs separate STP per VLAN; MSTP groups VLANs to reduce instances.
Common exam numbers: Max Age 20s, Forward Delay 15s, Hello 2s, default priority 32768.
These come up on the exam all the time. Here's how to tell them apart.
Classic STP (802.1D)
Convergence time: 30-50 seconds
Port states: Blocking, Listening, Learning, Forwarding
Uses timer-based convergence
No edge port concept
Slower to recover from link failures
Rapid STP (802.1w)
Convergence time: <1 second typically
Port states: Discarding, Learning, Forwarding (only 3)
Uses proposal/agreement handshake
Edge ports (PortFast equivalent) go straight to forwarding without a handshake
Backward compatible with 802.1D
Mistake
STP blocks all redundant links permanently.
Correct
STP blocks redundant links only until the active path fails. It then unblocks a previously blocked port to restore connectivity, typically within 30-50 seconds (classic STP) or sub-second (RSTP).
Mistake
The root bridge is always a core switch with high priority.
Correct
The root bridge is the switch with the lowest bridge ID (priority + MAC). By default, all switches have priority 32768, so the one with the lowest MAC becomes root. Network engineers must manually set a lower priority on the desired root switch.
Mistake
BPDU guard and BPDU filter are interchangeable.
Correct
BPDU guard errdisables a port when a BPDU is received, preventing loops. BPDU filter suppresses BPDU transmission and reception, which can cause loops if a switch is connected. They serve opposite purposes.
Mistake
STP only matters in large networks.
Correct
STP is essential in any network with redundant links, even a small office with two switches connected by two cables. Without STP, a loop would cause a broadcast storm immediately.
Mistake
RSTP eliminates all STP convergence delays.
Correct
RSTP reduces convergence to <1 second in most cases, but it falls back to timer-based convergence on shared (non point-to-point) segments and on links to neighbours that run classic 802.1D. It also requires edge ports to be configured explicitly for host-facing ports to achieve fast convergence there.
BPDU guard errdisables a port if a BPDU is received, protecting against accidental switch connections on access ports. BPDU filter suppresses BPDU transmission and reception on a port; it can cause loops if a switch is connected because the port will not learn about superior BPDUs. On the exam, remember: guard = protect, filter = ignore.
In classic STP, if the root bridge fails, convergence takes Max Age (20s) + 2 * Forward Delay (30s) = 50 seconds. If a directly connected link fails, the switch detects it immediately and transitions through listening/learning (30s). RSTP converges in <1 second using proposal/agreement.
A broadcast storm occurs when a loop allows broadcast frames to circulate indefinitely, consuming bandwidth and CPU. STP prevents this by blocking redundant ports so that only one active path exists between any two switches. If STP fails (e.g., due to unidirectional link), a storm can occur.
Use `show spanning-tree vlan <vlan-id> root`. The output shows the root bridge's priority, MAC address, and cost to root. If the root is not the expected switch, adjust priorities using `spanning-tree vlan <vlan-id> root primary` (sets priority to 24576, or to 4096 below the current root's priority if that is already lower) or set a value manually with `spanning-tree vlan <vlan-id> priority <value>`.
PortFast immediately transitions a port from blocking to forwarding, bypassing listening/learning. It is intended for access ports connected to end devices. Never use it on trunk ports because it can cause temporary loops if a switch is connected.
RSTP (802.1w) is an evolution of STP (802.1D) that provides faster convergence. RSTP uses only three port states (discarding, learning, forwarding) and a proposal/agreement handshake instead of timers. It also introduces edge ports and alternate/backup roles. RSTP is backward compatible with STP.
PVST+ runs a separate STP instance per VLAN, which can consume significant CPU on switches with many VLANs. MSTP (802.1s) allows mapping multiple VLANs to a single spanning tree instance, reducing overhead. MSTP also supports load balancing across instances.