Layer 2 loop prevention. The reason your redundant uplinks don't destroy the network.
You add a second uplink to your core switch for redundancy. Suddenly the entire network grinds to a halt.
The switches are forwarding the same broadcast frames in circles, filling every buffer, consuming all
bandwidth. This is a broadcast storm — and STP exists to prevent exactly this.
10 Slides | N10-009 Obj 1.2 | Layer 2 — Data Link | 802.1D + 802.1w
Slide 2 of 10
The Loop Problem
Ethernet has no TTL. A frame caught in a loop runs forever — until the network collapses.
Broadcast Storm
Switch A receives a broadcast and forwards it out all ports. Switch B forwards it back to Switch A.
Switch A forwards it again. The frames multiply exponentially. Bandwidth saturates in seconds.
CPUs peg at 100%. The network is unusable.
MAC Table Instability
The same MAC address arrives on multiple ports as looped frames come in from different directions.
Switches keep rewriting their MAC tables trying to track the source. Known as MAC flapping —
no stable path can be learned.
Duplicate Frame Delivery
Upper-layer protocols receive multiple copies of the same frame. TCP resets connections.
Applications crash. Even after the loop is broken physically, recovery takes time because
buffers are still full of queued duplicates.
Why Redundancy Without STP Is Dangerous
You added the second uplink for redundancy — a good idea in principle. But without STP,
two paths between switches means a loop exists. The moment a broadcast hits that loop,
the storm begins. STP's job is to allow the redundant link to exist while logically
blocking one path to eliminate the loop.
Your second uplink created a physical loop between Switch A and Switch B. STP detects it,
blocks one port on one switch, and the storm stops. If the active link fails, STP
automatically unblocks the standby — redundancy without the storm.
Slide 3 of 10
How STP Works — Root Bridge Election
STP builds a loop-free tree by electing one root and calculating shortest paths back to it.
Step 1 — Elect a Root Bridge
Every switch broadcasts Bridge Protocol Data Units (BPDUs) advertising its Bridge ID.
Bridge ID = Priority (2 bytes) + MAC address (6 bytes).
The switch with the lowest Bridge ID wins and becomes the Root Bridge.
Default priority is 32768 (+ VLAN ID in PVST+).
If all switches have the same priority, the lowest MAC wins.
Step 2 — Select Root Ports
Every non-root switch selects the port with the lowest path cost to the Root Bridge
as its Root Port. This is the one port that points "toward" the root.
Each non-root switch has exactly one Root Port.
Step 3 — Select Designated Ports
On each network segment, one port is elected Designated Port — the one closest to
the root on that segment. All ports on the Root Bridge are Designated Ports.
The Designated Port forwards traffic toward the rest of the network.
Step 4 — Block Everything Else
Any port that is neither a Root Port nor a Designated Port is placed in Blocking state.
This is how the loop is broken. The port still receives BPDUs (to detect topology changes)
but does not forward data frames. Your second uplink is now safely blocked.
STP path cost is based on link speed: 10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2.
Lower cost is preferred. Tiebreaker: lowest Bridge ID, then lowest port ID.
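Steps 1 to 4 above, carried out in Python on a constructed three-switch topology (added example, not code from the slide deck): the bridge names, MACs, port numbers and link speeds are assumptions, and seg2 plays the role of the redundant second uplink between Switch A and Switch B.

```python
# Added example, not from the slide deck: 802.1D election on a constructed three-switch topology.
COST = {10: 100, 100: 19, 1000: 4, 10000: 2}    # link speed (Mbps) -> 802.1D path cost (slide 3)
# Constructed bridges: name -> Bridge ID as (priority, MAC); all default priority, so lowest MAC wins.
BRIDGES = {"A": (32768, "00:00:00:00:00:0a"),
           "B": (32768, "00:00:00:00:00:0b"),
           "C": (32768, "00:00:00:00:00:0c")}
# Constructed point-to-point segments: (name, speed_mbps, (switch, port), (switch, port)).
# seg2 is the redundant second A-B uplink from the slides' scenario.
LINKS = [("seg1", 1000, ("A", 1), ("B", 1)), ("seg2", 1000, ("A", 2), ("B", 2)),
         ("seg3", 100, ("B", 3), ("C", 1)), ("seg4", 1000, ("A", 3), ("C", 2))]

def bridge_id(name):
    return BRIDGES[name]                 # tuple compares priority first, then MAC

def elect_root():
    return min(BRIDGES, key=bridge_id)   # Step 1: lowest Bridge ID is the Root Bridge

def root_path_costs(root):
    """Lowest cumulative path cost from each switch to the root (repeated relaxation)."""
    cost = {name: float("inf") for name in BRIDGES}
    cost[root] = 0
    changed = True
    while changed:
        changed = False
        for _, speed, (x, _), (y, _) in LINKS:
            for a, b in ((x, y), (y, x)):
                if cost[a] + COST[speed] < cost[b]:
                    cost[b], changed = cost[a] + COST[speed], True
    return cost

def port_roles():
    """Return (root, {(switch, port): 'root' | 'designated' | 'blocked'})."""
    root, roles, best = elect_root(), {}, {}
    cost = root_path_costs(root)
    for _, speed, e1, e2 in LINKS:
        # Step 3: the end advertising the lowest (root path cost, Bridge ID, port ID) is Designated
        dp = min((e1, e2), key=lambda e: (cost[e[0]], bridge_id(e[0]), e[1]))
        roles[dp] = "designated"
        for (s, p), (n, np_) in ((e1, e2), (e2, e1)):
            # Step 2: BPDU heard on (s, p) from neighbour n; the best one selects the Root Port
            key = (cost[n] + COST[speed], bridge_id(n), np_)
            if s != root and (s not in best or key < best[s][0]):
                best[s] = (key, (s, p))
    for _, port in best.values():
        roles[port] = "root"             # exactly one Root Port per non-root switch
    for _, _, e1, e2 in LINKS:           # Step 4: everything else is blocked
        roles.setdefault(e1, "blocked")
        roles.setdefault(e2, "blocked")
    return root, roles
```

With these inputs A wins the election on its MAC, B keeps port 1 as its Root Port (equal cost to port 2, lower sender port ID breaks the tie) and the second uplink's port 2 on B is the one that ends up blocked.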
Slide 4 of 10
STP Port Roles
Every STP port has a role. Know what each one does and how it is selected.
Root Port
One per non-root switch. The port with the best (lowest cost) path back to the Root Bridge.
Always in Forwarding state. If the Root Port fails, STP recalculates.
The Root Bridge itself has no Root Port — it IS the root.
Designated Port
One per network segment. Forwards traffic on that segment toward the rest of the tree.
All ports on the Root Bridge are Designated. On non-root switches,
the Designated Port is the one closest to the root on that link.
Always in Forwarding state.
Non-Designated (Blocked) Port
Any port that is not a Root Port or Designated Port. Placed in Blocking state.
Does not forward data frames. Still receives BPDUs to monitor topology.
This is the port that prevents the loop — your second uplink ends up here.
Role Selection Tiebreakers (in order)
1. Lowest Root Path Cost
2. Lowest Sender Bridge ID
3. Lowest Sender Port ID (port priority + port number)
These tiebreakers are applied in sequence whenever two ports compete for the same role.
Switch A connects to Switch B via two physical links. STP elects one as the Designated Path —
both switches forward on it. The other link's port on one switch becomes the blocked port.
No loop. Full redundancy waiting in reserve.
Slide 5 of 10
STP Port States
Ports don't jump straight to forwarding — they step through states to avoid micro-loops during convergence.
Disabled → Blocking → Listening → Learning → Forwarding
Disabled
Admin shut or not connected. No BPDU activity.
Blocking
Receives BPDUs. Does not forward data or learn MACs. Up to 20s (Max Age) before moving on.
Listening
Sends and receives BPDUs. Elects root / roles. No data, no MAC learning. 15s (Forward Delay).
Learning
Builds MAC table from frames. Still no data forwarding. 15s (Forward Delay).
Forwarding
Forwards data frames. MAC table active. Normal operation.
Why the Delays?
The Listening and Learning phases exist to prevent temporary loops during topology changes.
If a port jumped straight to Forwarding, it might forward frames on a path that another switch
hasn't blocked yet, creating a brief loop. The 30-second delay (15+15) is the price of safety.
STP Convergence Time (802.1D)
A blocked port activating after a failure takes:
Max Age (20s) to detect the Root Bridge is gone + Listening (15s) + Learning (15s) =
approximately 50 seconds before traffic flows on the backup link.
This is why RSTP was created.
Slide 6 of 10
STP Timers
Three timers control how fast 802.1D STP reacts. They are set on the Root Bridge and propagated via BPDUs.
Hello Timer
Default: 2 seconds
How often the Root Bridge sends BPDU "heartbeats."
Non-root switches forward these BPDUs downstream.
If a switch stops receiving BPDUs within Max Age, it assumes the Root Bridge (or the path to it) has failed.
Forward Delay
Default: 15 seconds
Time spent in each of Listening and Learning states.
Applied twice during the transition from Blocking to Forwarding (15s + 15s = 30 seconds total transition).
Prevents forwarding before the topology is fully stable.
Max Age
Default: 20 seconds
How long a switch stores a BPDU before discarding it.
If no BPDU arrives within Max Age, the switch assumes a topology failure and begins transitioning
its blocked ports toward Forwarding. This starts the 30-second transition timer.
Total 802.1D Recovery Time
Worst-case path: Max Age (20s) + Listening (15s) + Learning (15s) = 50 seconds
from failure detection to data forwarding on the backup link.
In a modern data center, 50 seconds of downtime is unacceptable — which is why RSTP replaced it.
Timers are configured only on the Root Bridge and propagated through BPDUs.
Do not configure STP timers on non-root switches — changes are ignored and create inconsistency.
The formula Max Age ≥ 2 × (Hello + 1) must hold to avoid topology instability.
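The timers of slides 5 and 6 as a small Python state walk (added example, not from the deck): a blocked backup port hears root BPDUs at constructed times, loses them, and steps through Listening and Learning on the default timers; the second timer rule in check_timers is the companion 802.1D relationship, not something the slide states.

```python
# Added example, not from the slide deck: one 802.1D port walked through its states on the
# deck's default timers. Times are seconds; the port starts in Blocking on a redundant link.

def check_timers(hello=2, forward_delay=15, max_age=20):
    """Return the timer-relationship violations for a Root Bridge's timer set ([] = consistent)."""
    problems = []
    if max_age < 2 * (hello + 1):                   # relationship quoted on slide 6
        problems.append("Max Age must be >= 2 x (Hello + 1)")
    if 2 * (forward_delay - 1) < max_age:           # companion 802.1D rule (not on the slide)
        problems.append("2 x (Forward Delay - 1) must be >= Max Age")
    return problems

def port_timeline(bpdu_times, forward_delay=15, max_age=20):
    """Transitions [(t, state)] for a Blocking port that hears root BPDUs at the given times.

    Each BPDU refreshes the age of the stored BPDU; when none arrives for Max Age the port
    assumes the root (or the path to it) is gone and steps Listening -> Learning -> Forwarding,
    spending Forward Delay in each of the two intermediate states.
    """
    timeline = [(0, "Blocking")]
    last_seen = max(bpdu_times) if bpdu_times else 0   # age timer restarts at every BPDU
    t = last_seen + max_age                             # Max Age expiry: failure assumed
    for state in ("Listening", "Learning", "Forwarding"):
        timeline.append((t, state))
        t += forward_delay
    return timeline

def recovery_time(bpdu_times, forward_delay=15, max_age=20):
    """Seconds from the last BPDU heard to data forwarding on the backup link."""
    timeline = port_timeline(bpdu_times, forward_delay, max_age)
    return timeline[-1][0] - max(bpdu_times)

if __name__ == "__main__":
    # Constructed scenario: root hellos every 2 s, the last one at t=10, then the root link dies.
    heartbeats = list(range(0, 11, 2))
    print(port_timeline(heartbeats))     # Blocking@0, Listening@30, Learning@45, Forwarding@60
    print(recovery_time(heartbeats))     # 50: the slide's Max Age + 2 x Forward Delay
    print(check_timers(hello=10))        # Max Age 20 < 2 x (10 + 1) = 22 -> violation
```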
Slide 7 of 10
RSTP — Rapid Spanning Tree (802.1w)
RSTP replaced 802.1D in IEEE 802.1D-2004. Convergence under 6 seconds vs. 30-50 seconds.
How RSTP Achieves Speed
Proposal / Agreement
RSTP uses a handshake mechanism. When a link comes up, the switch proposes to be Designated.
The neighbor agrees (or disagrees) immediately — no waiting for timers.
Ports can move to Forwarding within milliseconds on a point-to-point link.
Reduced Port States
802.1D had 5 states. RSTP has 3: Discarding (merges Disabled + Blocking + Listening),
Learning, and Forwarding.
Simpler state machine = faster transitions.
New Port Roles in RSTP
Alternate Port
RSTP version of the blocked port. It is a pre-calculated backup to the Root Port.
If the Root Port fails, the Alternate Port transitions to Forwarding immediately —
no proposal/agreement needed. This is sub-second recovery.
Backup Port
A redundant port on the same segment as the Designated Port on the same switch.
Less common in practice. Transitions quickly if the Designated Port fails.
802.1D vs RSTP convergence: 802.1D = up to 50 seconds. RSTP = typically under 6 seconds,
sub-second on point-to-point links with an Alternate Port available.
RSTP is backward compatible — an RSTP switch connected to an 802.1D switch falls back to 802.1D behavior.
Slide 8 of 10
PortFast and BPDU Guard
End-device ports do not need STP convergence. PortFast skips it — BPDU Guard enforces the rule.
PortFast
Immediately transitions a port to Forwarding — skipping Listening and Learning states entirely.
Eliminates the 30-second delay for devices that connect and expect instant network access (PCs,
printers, servers, IP phones). Only configure on ports connected to end devices, never on
ports connected to other switches.
Command: spanning-tree portfast
BPDU Guard
Shuts down a PortFast-enabled port the moment it receives a BPDU. Since BPDUs come from
switches — not end devices — receiving one on a PortFast port means someone connected
a switch where only an end device should be. The port goes err-disabled immediately,
preventing any loop from forming.
Command: spanning-tree bpduguard enable
Why Use Both Together
PortFast alone is a loop risk if someone plugs a switch into that port.
BPDU Guard catches that mistake and disables the port before a loop forms.
Always deploy BPDU Guard on every PortFast port. They are designed to work as a pair.
Err-Disabled Recovery
When BPDU Guard triggers, the port enters err-disabled state. To recover:
remove the offending switch, then run shutdown followed by no shutdown on the interface.
Or configure automatic recovery: errdisable recovery cause bpduguard.
Slide 9 of 10
Common Issues & Troubleshooting
STP problems cause complete outages, slow networks, or silent traffic drops. Know the symptoms.
Unintended Root Bridge
A new switch with a lower default priority or lower MAC becomes the Root Bridge, forcing all traffic through a suboptimal path. Fix: manually set priority on the intended root to 4096 (or use spanning-tree vlan 1 root primary).
STP Not Running
If STP is disabled (common on some managed switches or after misconfiguration) and a physical loop exists, a broadcast storm follows immediately. Symptom: all ports saturated, switch CPU maxed, users report total outage.
Topology Change Flapping
A flapping link generates continuous Topology Change Notifications, forcing MAC table flushes across the domain. Every flush causes flooding until MACs are re-learned. Symptom: intermittent slowness, high broadcast rate.
Key Verification Commands
! Full STP status for VLAN 1
show spanning-tree vlan 1
! Which switch is the root, all VLANs
show spanning-tree summary
! Port roles and states on this switch
show spanning-tree detail
! Check for err-disabled ports
show interfaces status err-disabled
! Verify PortFast / BPDU Guard on port
show spanning-tree interface Gi0/1 detail
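Detection logic for the BPDU Guard trips of slide 8 and the slide 9 symptoms, run over constructed syslog lines (added example, not part of the deck): the hostnames, ports, MACs and the sample messages are assumptions modelled on Cisco IOS SPANTREE message wording, and EXPECTED_ROOT_MAC stands in for whichever switch you intend to be root.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on Cisco IOS SPANTREE message wording; not a real capture.
LOG = """\
Mar  1 10:00:01 sw-access-1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Mar  1 10:00:01 sw-access-1 %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 10:02:10 sw-core-1 %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 10: New Root Port is GigabitEthernet1/0/1. New Root Mac Address is 0011.2233.4455
Mar  1 10:02:25 sw-core-1 %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 10: New Root Port is GigabitEthernet1/0/2. New Root Mac Address is 0011.2233.4455
Mar  1 10:02:41 sw-core-1 %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 10: New Root Port is GigabitEthernet1/0/1. New Root Mac Address is 0011.2233.4455
Mar  1 10:03:00 sw-core-1 %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 20: New Root Port is GigabitEthernet1/0/1. New Root Mac Address is 0011.2233.4455
Mar  1 10:05:12 sw-core-1 %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 30: New Root Port is GigabitEthernet1/0/7. New Root Mac Address is 0000.0c99.0001
"""
EXPECTED_ROOT_MAC = "0011.2233.4455"   # assumption: MAC of the switch you intend to be root
LINE = re.compile(r"^\w+\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+(\S+)\s+%([^:\s]+):\s+(.*)$")
BPDUGUARD = re.compile(r"Received BPDU on port (\S+) with BPDU Guard enabled")
ROOTCHANGE = re.compile(r"vlan (\d+):.*New Root Mac Address is ([0-9a-f.]+)")

def parse(log):
    """(seconds-of-day, host, message id, text) for every line that matches the syslog shape."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            h, mi, s, host, msgid, text = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), host, msgid, text))
    return events

def find_stp_alerts(log, flap_window=60, flap_threshold=3):
    """Flag BPDU Guard trips, an unexpected Root Bridge, and root-change flapping per VLAN."""
    alerts, changes = [], defaultdict(list)          # changes: (host, vlan) -> root-change times
    for t, host, msgid, text in parse(log):
        if msgid == "SPANTREE-2-BLOCK_BPDUGUARD":
            # A BPDU on a PortFast port means a switch was plugged in where only an end device belongs
            alerts.append(("bpduguard", host, BPDUGUARD.search(text).group(1)))
        elif msgid == "SPANTREE-5-ROOTCHANGE":
            vlan, mac = ROOTCHANGE.search(text).groups()
            changes[(host, vlan)].append(t)
            if mac != EXPECTED_ROOT_MAC:             # unintended Root Bridge took over this VLAN
                alerts.append(("unexpected-root", host, f"vlan {vlan} root {mac}"))
    for (host, vlan), times in changes.items():
        # Sliding window: flap_threshold root changes within flap_window seconds = flapping topology
        for i in range(len(times) - flap_threshold + 1):
            if times[i + flap_threshold - 1] - times[i] <= flap_window:
                alerts.append(("root-flapping", host, f"vlan {vlan}"))
                break
    return alerts
```

On the sample above the BPDU Guard trip on Gi0/5, three root changes for VLAN 10 inside 31 seconds, and the foreign root MAC on VLAN 30 each raise one alert, while the single change on VLAN 20 is left alone.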
Slide 10 of 10
The Network That Didn't Storm
You added a second uplink and the broadcast storm started. STP was doing its job on the original link —
but the new link created a loop that STP hadn't processed yet. Once STP converged, it elected the
Root Bridge, assigned Root Ports and Designated Ports,
and placed one port in Blocking state. The storm stopped. The backup path is there
if the primary fails — STP will unblock it. You kept your redundancy and your network.
7 Facts to Carry Out of This Presentation
1. STP (802.1D) prevents Layer 2 loops by blocking redundant paths. RSTP (802.1w) is the faster modern standard.