Spanning Tree (CCNA 200-301)

STP Port Stuck in Blocking State — Users Can't Reach Server

Presenting Symptom

Users in VLAN 10 report they cannot reach the server at 192.168.10.100, and the switch port connected to the server shows a blocking state.

Network Context

A small branch office network with three Cisco Catalyst 2960 switches (SW1, SW2, SW3) running IOS 15.0. SW1 is the root bridge for VLAN 10. The server is connected to SW2's GigabitEthernet0/1 port. STP is Rapid PVST+ with default priorities. The network has redundant links between switches, and the server port is an access port in VLAN 10.

Diagnostic Steps

Step 1: Check the STP state of the server port on SW2

```
show spanning-tree vlan 10 interface gigabitethernet0/1
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    32778
             Address     0001.1111.1111
             Cost        4
             Port        2 (GigabitEthernet0/2)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0002.2222.2222
  Interface  Role Sts Cost      Prio.Nbr Type
  Gi0/1      Altn BLK 4         128.1    P2p
```

The port role is 'Altn' (alternate) and state is 'BLK' (blocking). This indicates STP has placed the port in a blocking state to prevent loops. The server cannot communicate because the port is not forwarding traffic.

Step 2: Identify the root bridge for VLAN 10

```
show spanning-tree vlan 10 root
VLAN0010
  Root ID    Priority    32778
             Address     0001.1111.1111
             Cost        4
             Port        2 (GigabitEthernet0/2)
  Root Bridge hello time 2, max age 20, forward delay 15
```

Confirm which switch is the root bridge. If the root bridge is not the expected switch (for example, a low-end access switch has won the election), path selection may be suboptimal. In this case, SW1 (bridge address 0001.1111.1111) is the root, as expected.

Step 3: Check the STP topology and port roles on SW2

```
show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    32778
             Address     0001.1111.1111
             Cost        4
             Port        2 (GigabitEthernet0/2)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0002.2222.2222
  Interface  Role Sts Cost      Prio.Nbr Type
  Gi0/1      Altn BLK 4         128.1    P2p
  Gi0/2      Root FWD 4         128.2    P2p
  Gi0/3      Desg FWD 4         128.3    P2p
```

The server port (Gi0/1) is an alternate port in the blocking state. The root port is Gi0/2, and Gi0/3 is a designated forwarding port. STP has therefore treated the server port as a redundant path toward the root and blocked it to prevent a loop. An end host should never end up in the alternate role, because a port only becomes alternate when it receives BPDUs from another bridge. Something on that port is sending BPDUs: either the server itself or a switch inadvertently connected behind it.

Step 4: Verify the server port configuration and connected device

```
show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none

Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

Appliance trust: none
```

The port is configured as an access port in VLAN 10, which is correct for a server, and the switchport output shows no STP-related misconfiguration. The port itself is not the problem. The most likely cause is that the attached device is sending BPDUs, either because the server runs a spanning tree implementation (e.g., a Linux bridge) or because another switch is inadvertently connected to the port. Check the connected device.

Step 5: Check the CDP/LLDP neighbors on the server port

```
show cdp neighbors gigabitethernet0/1 detail
Device ID: Server
Entry address(es):
  IP address: 192.168.10.100
Platform: Linux,  Capabilities: Host
Interface: GigabitEthernet0/1, Port ID (outgoing port): eth0
Holdtime : 150 sec

Version :
Linux 4.15.0-20-generic

advertisement version: 2
Duplex: full
Management address(es):
  IP address: 192.168.10.100
```

The neighbor is a Linux server, not a switch. However, the server might be running a bridge or STP software. If the server sends BPDUs, the switch will treat it as a bridge and may block the port. This is a common issue when a server runs software that enables STP (e.g., Linux bridge with spanning tree enabled).
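Correlating the outputs of steps 3 and 5 can be scripted so that the check scales past one port. The following Python is an added example, not part of the original scenario: it parses the 'show spanning-tree' interface table and 'show cdp neighbors detail', and flags any port that is blocking while its CDP neighbor advertises only the Host capability. The sample outputs embedded in it are constructed to mirror this scenario.

```python
# Constructed 'show spanning-tree vlan 10' interface table, as seen on SW2.
STP_OUTPUT = """\
  Interface  Role Sts Cost      Prio.Nbr Type
  Gi0/1      Altn BLK 4         128.1    P2p
  Gi0/2      Root FWD 4         128.2    P2p
  Gi0/3      Desg FWD 4         128.3    P2p
"""
# Constructed 'show cdp neighbors detail' entries (only the lines parsed below).
CDP_OUTPUT = """\
Device ID: Server
Platform: Linux,  Capabilities: Host
Interface: GigabitEthernet0/1, Port ID (outgoing port): eth0
Device ID: SW1
Platform: cisco WS-C2960,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/2, Port ID (outgoing port): GigabitEthernet0/1
"""

def short_name(ifname):
    """GigabitEthernet0/1 -> Gi0/1, the abbreviated form the STP table uses."""
    for long, short in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")):
        ifname = ifname.replace(long, short)
    return ifname

def parse_stp(text):
    """Return {port: (role, state)} from the STP interface table."""
    ports = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 6 and fields[0][:2] in ("Gi", "Fa", "Te"):
            ports[fields[0]] = (fields[1], fields[2])
    return ports

def parse_cdp(text):
    """Return {port: set(capabilities)}; IOS prints Capabilities before Interface."""
    neighbors, caps = {}, set()
    for line in text.splitlines():
        if "Capabilities:" in line:
            caps = set(line.split("Capabilities:")[1].split())
        elif line.startswith("Interface:"):
            local = line.split(",")[0].split(":", 1)[1].strip()
            neighbors[short_name(local)] = caps
    return neighbors

def suspect_ports(stp_text, cdp_text):
    """Blocking ports whose neighbor claims to be a Host: the end device is sourcing BPDUs."""
    stp, cdp = parse_stp(stp_text), parse_cdp(cdp_text)
    return sorted(p for p, (_, state) in stp.items()
                  if state == "BLK" and "Host" in cdp.get(p, set()))

if __name__ == "__main__":
    for port in suspect_ports(STP_OUTPUT, CDP_OUTPUT):
        print(f"{port}: blocking, but its CDP neighbor is a Host; check it for BPDUs")
```

A port that is blocking with a Switch-capable neighbor is normal redundancy; only the Host-neighbor case points at an end device that should not be participating in STP.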

Root Cause

The server is running a Linux bridge with spanning tree protocol enabled (e.g., via bridge-stp or systemd-networkd). The server sends BPDUs, causing the switch to consider it as a potential bridge. STP then places the switch port in an alternate blocking state to prevent a loop, even though the server is an end host. This prevents the server from receiving traffic.

Resolution

Stop the server from sending BPDUs by disabling spanning tree on its bridge interface, and protect the switch port with PortFast and BPDUguard. The recommended switch-side fix is to enable PortFast and BPDUguard on the access port. Commands on SW2:

```
interface gigabitethernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Explanation:

- `spanning-tree portfast`: Immediately transitions the port to the forwarding state, bypassing the STP listening/learning states. Use only on access ports connected to end devices.
- `spanning-tree bpduguard enable`: Puts the port into err-disable if a BPDU is received, preventing accidental loops from misconfigured devices. This also disables the port if the server sends BPDUs, which alerts the administrator but does not by itself restore connectivity; the server-side change below is still required.

On the Linux server, disable STP on the bridge:

```
brctl stp <bridge-name> off
```

Verification

After applying the fix, verify the port state and connectivity:

```
show spanning-tree vlan 10 interface gigabitethernet0/1
```

Expected output:

```
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    32778
             Address     0001.1111.1111
             Cost        4
             Port        2 (GigabitEthernet0/2)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0002.2222.2222
  Interface  Role Sts Cost      Prio.Nbr Type
  Gi0/1      Desg FWD 4         128.1    P2p Edge
```

The port role should be 'Desg' (designated) and the state 'FWD' (forwarding). The 'Edge' flag indicates PortFast is enabled. Also verify the port is not err-disabled:

```
show interfaces gigabitethernet0/1 status
```

Expected status: 'connected'. A status of 'err-disabled' means BPDUguard has shut the port because the server is still sending BPDUs. Finally, test connectivity from a client to the server (e.g., ping 192.168.10.100).

Prevention

- Always enable PortFast and BPDUguard on all access ports connected to end devices (servers, PCs, printers). This prevents STP delays and protects against accidental BPDU reception.
- Use the 'spanning-tree portfast default' global command to automatically enable PortFast on all access ports, then explicitly disable it on trunk ports.
- Educate server administrators to disable spanning tree protocols on server network interfaces unless they are intentionally acting as bridges.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of STP port states, PortFast, and BPDUguard. Expect a troubleshooting question where you must identify why an access port is blocking. The exam may present a topology and ask which command resolves the issue. Key fact: PortFast transitions an access port directly to forwarding, and BPDUguard disables the port upon BPDU reception.

Exam Tips

1. Memorize that PortFast is only for access ports; never enable it on trunk ports.
2. Remember that BPDUguard puts the port in errdisable state when a BPDU is received; use 'show interfaces status err-disabled' to check.
3. Know that the 'spanning-tree portfast default' global command enables PortFast on all access ports, but you still need to enable BPDUguard per interface or globally with 'spanning-tree portfast bpduguard default'.
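The global defaults in the Prevention list and in tip 3 interact per port: 'spanning-tree portfast default' covers every access port unless the interface carries 'spanning-tree portfast disable', and 'spanning-tree portfast bpduguard default' covers only ports on which PortFast is active. The following Python is an added example, not from the original page, that audits a constructed running-config excerpt with exactly those rules and lists the access ports still missing either feature.

```python
# Constructed running-config excerpt for SW2 (illustrative, not captured).
RUNNING_CONFIG = """\
spanning-tree portfast default
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode trunk
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree portfast disable
interface GigabitEthernet0/5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
"""

def parse_config(text):
    """Return (set of global spanning-tree lines, {interface: [its config lines]})."""
    globals_, ifaces, current = set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif not line.startswith(" "):       # any other top-level line ends the block
            current = None
            if line.startswith("spanning-tree "):
                globals_.add(line)
        elif current:
            ifaces[current].append(line.strip())
    return globals_, ifaces

def audit(text):
    """{interface: [missing features]} for access ports, after applying global defaults."""
    globals_, ifaces = parse_config(text)
    report = {}
    for name, lines in ifaces.items():
        if "switchport mode access" not in lines:
            continue                         # trunks must never get PortFast
        portfast = "spanning-tree portfast" in lines or (
            "spanning-tree portfast default" in globals_
            and "spanning-tree portfast disable" not in lines)
        # The global bpduguard default covers only ports on which PortFast is active.
        bpduguard = "spanning-tree bpduguard enable" in lines or (
            portfast and "spanning-tree portfast bpduguard default" in globals_
            and "spanning-tree bpduguard disable" not in lines)
        missing = [f for f, ok in (("portfast", portfast), ("bpduguard", bpduguard)) if not ok]
        if missing:
            report[name] = missing
    return report
```

audit(RUNNING_CONFIG) reports Gi0/1 as missing only BPDU guard (its PortFast comes from the global default) and Gi0/4 as missing both, because the interface-level 'disable' overrides the global and a port without PortFast is not covered by the global bpduguard default either.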
