Spanning Tree Protocol Basics:
In a Layer 2 environment with no routing, active redundant paths are neither allowed nor desirable, because they can cause loops: a switch only segments collision domains, it does not segment broadcast domains. STP finds the redundant links and places one of them in a blocking state.
STP Definitions:
- Root bridge — Center of the spanning tree.
- Nonroot bridge — Every switch not elected the root.
- Root port — Every nonroot bridge has a single root port, decided based on root path cost.
- Designated port — Each segment has a single designated port. All ports on a root bridge are designated.
- Nondesignated port — Every switch port that is neither a root port nor designated port starts blocking.
Basic Spanning Tree Operation:
- Elect root bridge — Lowest bridge ID wins. The bridge ID consists of a 2-byte priority (0-65,535, default 32,768 + VLAN number) followed by the 6-byte MAC address, for example 32769 000a.b7d1.9580 for VLAN 1.
- Select root port — One per switch, points toward the root bridge.
- Select designated port — One per segment: the port with the lowest root path cost.
- Block ports — Block non-root and non-designated ports.
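The four steps above carried out in code, as an added example that is not part of the original notes: a small Python model that elects the root by lowest bridge ID, derives each switch's root port from root path cost, picks the designated port on every segment, and marks what is left Altn (blocked). The three-switch topology, its link costs and the Dijkstra tie-break on upstream bridge ID are assumptions for illustration; parallel links between the same two switches are not modelled.

```python
import heapq

def bridge_id(priority, mac, vlan):
    """Bridge ID as the notes describe it: 2-byte priority (default 32768) plus
    the VLAN number as extended system ID, then the 6-byte MAC as tie-breaker."""
    return (priority + vlan, mac.lower())

def run_stp(switches, links, vlan=1):
    """switches: {name: (priority, mac)}; links: [(a, b, cost)], one per segment
    (assumes one link per switch pair and positive costs). Returns (root, roles)
    with roles[(switch, neighbor)] being 'Root', 'Desg' or 'Altn'."""
    bids = {s: bridge_id(p, m, vlan) for s, (p, m) in switches.items()}
    root = min(bids, key=bids.get)                      # step 1: lowest bridge ID
    adj = {s: [] for s in switches}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    # Root path cost by Dijkstra from the root; equal-cost candidates are ordered
    # by the upstream bridge ID, which is STP's next root-port tie-breaker.
    best, via, heap = {root: (0, bids[root])}, {}, [(0, bids[root], root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue                                    # stale heap entry
        for v, link_cost in adj[u]:
            cand = (cost + link_cost, bids[u])
            if v not in best or cand < best[v]:
                best[v], via[v] = cand, u
                heapq.heappush(heap, (cand[0], bids[u], v))
    roles = {}
    for a, b, _ in links:
        # step 3: the end with the lower (root path cost, bridge ID) is designated
        desg = min((a, b), key=lambda s: (best[s][0], bids[s]))
        for me, peer in ((a, b), (b, a)):
            if me != root and via[me] == peer:
                roles[(me, peer)] = "Root"              # step 2: points at the root
            elif me == desg:
                roles[(me, peer)] = "Desg"
            else:
                roles[(me, peer)] = "Altn"              # step 4: blocked
    return root, roles

# Constructed triangle: MACs are the ones in the page's outputs, costs are chosen so
# that ASW1's link to DSW2 ends up blocked, like Po23 in the 'sh spanning-tree' output.
SWITCHES = {"DSW1": (32768, "000a.b7d1.9580"), "DSW2": (32768, "0018.1825.2500"),
            "ASW1": (32768, "0013.c36a.4880")}
LINKS = [("DSW1", "DSW2", 4), ("DSW1", "ASW1", 19), ("DSW2", "ASW1", 19)]

if __name__ == "__main__":
    print(run_stp(SWITCHES, LINKS))
```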
Spanning Tree Port States:
STP State  | The port can...                                            | The port cannot...                      | Duration
Disabled   | Nothing                                                    | Send/receive data                       |
Blocking   | Receive BPDUs                                              | Send/receive data, learn MAC addresses  | Indefinite if a loop is detected
Listening  | Send/receive BPDUs                                         | Send/receive data                       | Forward Delay timer (15 seconds)
Learning   | Send/receive BPDUs                                         | Send/receive data                       | Forward Delay timer (15 seconds)
Forwarding | Send/receive data, send/receive BPDUs, learn MAC addresses |                                         |
Securing STP
Root Guard — Enabled on a per-port basis. When the port receives a superior BPDU (one with a lower bridge ID), the local switch does not allow the new switch to become the root. Instead the port is moved to the root-inconsistent state, in which no data can be sent or received until the superior BPDUs stop.
BPDU Guard — PortFast moves an end-user port straight to the forwarding state without going through all of the STP checks, which can induce loops in the network. If any BPDU is received on a port where BPDU Guard is enabled, that port is put into the errdisable state. It can then be recovered manually or through the errdisable timeout function.
Strategy for troubleshooting STP:
Find the root bridge, then work out the designated ports on each subsequent switch. Cisco switches run PVST by default, so you will have to work through each VLAN.
Commands for STP Troubleshooting:
sh spanning-tree — View all STP parameters for all VLANs.
sh spanning-tree [int fa0/1] detail — View all STP details.
sh spanning-tree [vlan 2] summary — View ports in each of the STP states.
sh spanning-tree [vlan 2] root — Find root bridge ID, root port and root path cost.
sh spanning-tree [vlan 2] bridge — Show local switch bridge ID and STP timers.
sh spanning-tree uplinkfast — Show uplinkfast status.
sh spanning-tree backbonefast — Show the backbonefast status.
sh spanning-tree
ASW1#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000a.b7d1.9580
             Cost        24
             Port        65 (Port-channel13)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0013.c36a.4880
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po13             Root FWD 12        128.65   P2p
Po23             Altn BLK 19        128.66   P2p

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
... output omitted for brevity ...
sh spanning-tree int po23 det
ASW1#sh spanning-tree int po23 det
 Port 66 (Port-channel23) of VLAN0001 is blocking
   Port path cost 19, Port priority 128, Port Identifier 128.66.
   Designated root has priority 32769, address 000a.b7d1.9580
   Designated bridge has priority 32769, address 0018.1825.2500
   Designated port id is 128.232, designated path cost 12
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   BPDU: sent 2, received 215029
sh spanning-tree vlan 10 summary
ASW1#sh spanning-tree vlan 10 summary
Switch is in pvst mode
Root bridge for VLAN0010 is 32778.000a.b7d1.9580.
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010                     1         0        0          3          4
show spanning-tree root
ASW1#sh spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 000a.b7d1.9580        24    2   20  15  Po13
VLAN0010         32778 000a.b7d1.9580        24    2   20  15  Po13
VLAN0020         32788 000a.b7d1.9580        24    2   20  15  Po13
VLAN0021         32789 000a.b7d1.9580        24    2   20  15  Po13
VLAN0200         32968 000a.b7d1.9580        24    2   20  15  Po13
show spanning-tree bridge
ASW1#sh spanning-tree bridge
                                                   Hello  Max  Fwd
Vlan                         Bridge ID              Time  Age  Dly  Protocol
---------------- --------------------------------- ----- ---- ---- --------
VLAN0001         32769 (32768,   1) 0013.c36a.4880    2    20   15  ieee
VLAN0010         32778 (32768,  10) 0013.c36a.4880    2    20   15  ieee
VLAN0020         32788 (32768,  20) 0013.c36a.4880    2    20   15  ieee
VLAN0021         32789 (32768,  21) 0013.c36a.4880    2    20   15  ieee
VLAN0200         32968 (32768, 200) 0013.c36a.4880    2    20   15  ieee
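An added example, not part of the original notes: a Python audit that parses the 'show spanning-tree root' and 'show spanning-tree bridge' tables above and reports, per VLAN, whether this switch is the root, whether the root priority is the 32768 + VLAN default, and whether the root is the bridge you expect. The sample text is constructed in the page's output layout; the VLAN0020 root line (priority 4116, MAC 0000.0c12.3456) and the VLAN0021 line are invented to show what an unplanned root looks like in these tables.

```python
import re
# Constructed sample in the layout of the page's 'sh spanning-tree root' and
# 'sh spanning-tree bridge' tables. VLAN0020's root line is invented to show a
# low-priority bridge that has taken over as root; VLAN0021 shows ASW1 itself as root.
ROOT_OUT = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 000a.b7d1.9580        24    2   20  15  Po13
VLAN0020          4116 0000.0c12.3456        19    2   20  15  Fa0/7
VLAN0021         32789 0013.c36a.4880         0    2   20  15
"""
BRIDGE_OUT = """\
                                                   Hello  Max  Fwd
Vlan                         Bridge ID              Time  Age  Dly  Protocol
---------------- --------------------------------- ----- ---- ---- --------
VLAN0001         32769 (32768,   1) 0013.c36a.4880    2    20   15  ieee
VLAN0020         32788 (32768,  20) 0013.c36a.4880    2    20   15  ieee
VLAN0021         32789 (32768,  21) 0013.c36a.4880    2    20   15  ieee
"""
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ROOT_RE = re.compile(r"^VLAN(\d+)[ \t]+(\d+)[ \t]+" + MAC +
                     r"[ \t]+(\d+)(?:[ \t]+\d+){3}[ \t]*(\S*)", re.M)
BRIDGE_RE = re.compile(r"^VLAN(\d+)[ \t]+(\d+)[ \t]+\(\d+,[ \t]*\d+\)[ \t]+" + MAC, re.M)

def parse_root(text):
    """VLAN -> root priority, MAC, root path cost and root port ('' on the root itself)."""
    return {int(v): dict(priority=int(p), mac=m, cost=int(c), root_port=port)
            for v, p, m, c, port in ROOT_RE.findall(text)}

def parse_bridge(text):
    """VLAN -> this switch's own bridge priority and MAC."""
    return {int(v): dict(priority=int(p), mac=m) for v, p, m in BRIDGE_RE.findall(text)}

def audit(root_text, bridge_text, expected_root_mac):
    """Per-VLAN findings: a root priority that is not the 32768 + VLAN default,
    a root that is not the switch you expect, and VLANs where this switch is root."""
    findings, local = [], parse_bridge(bridge_text)
    for vlan, r in sorted(parse_root(root_text).items()):
        if r["priority"] != 32768 + vlan:
            findings.append((vlan, f"root priority {r['priority']} is not 32768+{vlan}"))
        if r["mac"] != expected_root_mac:
            findings.append((vlan, f"root is {r['mac']}, expected {expected_root_mac}"))
        me = local.get(vlan)
        if me and (me["priority"], me["mac"]) == (r["priority"], r["mac"]):
            findings.append((vlan, f"this switch is root (cost {r['cost']})"))
    return findings

if __name__ == "__main__":
    for vlan, msg in audit(ROOT_OUT, BRIDGE_OUT, "000a.b7d1.9580"):
        print(f"VLAN{vlan:04d}: {msg}")
```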