2.5 Spanning Tree Protocol (STP) and RSTP
Key Takeaways
- STP prevents Layer 2 loops by blocking redundant paths while keeping one path active.
- The root bridge is the switch with the lowest Bridge ID (priority + MAC address).
- RSTP (802.1w) converges in seconds compared to STP's 30-50 seconds.
- Port roles in RSTP: root port, designated port, alternate port, backup port.
- Rapid PVST+ runs a separate RSTP instance per VLAN, allowing per-VLAN root bridge placement.
Spanning Tree Protocol (STP) and RSTP
Spanning Tree Protocol (STP) prevents Layer 2 loops in switched networks with redundant links. Without STP, broadcast storms, MAC address table instability, and duplicate frame delivery would cripple the network.
Why STP Is Necessary
Redundant links between switches are essential for high availability. But at Layer 2, redundant links create loops:
- Broadcast storms: Broadcasts circle endlessly between switches, consuming all bandwidth
- MAC table instability: The switch learns the same MAC address on multiple ports, causing constant updates
- Duplicate frames: End hosts receive multiple copies of the same frame
STP solves these problems by logically blocking redundant links, creating a loop-free tree topology while maintaining backup paths.
Root Bridge Election
The root bridge is the central point of the spanning tree. All traffic flows through or toward the root bridge.
Bridge ID (BID)
The Bridge ID determines root bridge election:
| Component | Size | Description |
|---|---|---|
| Bridge Priority | 4 bits | Default 32768, configurable in increments of 4096 |
| Extended System ID | 12 bits | VLAN number (for PVST+) |
| MAC Address | 48 bits | Switch's base MAC address |
Root bridge election rules:
- The switch with the lowest Bridge Priority becomes root
- If priorities are equal, the switch with the lowest MAC address wins
Configuring Root Bridge
Switch(config)# spanning-tree vlan 10 root primary ! Sets priority to 24576
Switch(config)# spanning-tree vlan 10 root secondary ! Sets priority to 28672
Switch(config)# spanning-tree vlan 10 priority 4096 ! Manual priority setting
On the Exam: Remember that priority must be set in multiples of 4096 (0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, ...). The default priority is 32768.
STP Port Roles
| Role | Description |
|---|---|
| Root port | Port with the best path to the root bridge (one per non-root switch) |
| Designated port | Port that forwards traffic on a segment (one per segment) |
| Non-designated/Blocked port | Port that is blocked to prevent loops |
How Ports Are Selected
Root port selection (per non-root switch):
- Lowest root path cost (sum of all link costs to the root)
- Lowest sender Bridge ID
- Lowest sender port priority
- Lowest sender port number
STP Path Costs:
| Link Speed | STP Cost | RSTP Cost |
|---|---|---|
| 10 Mbps | 100 | 2,000,000 |
| 100 Mbps | 19 | 200,000 |
| 1 Gbps | 4 | 20,000 |
| 10 Gbps | 2 | 2,000 |
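The election and root port rules above can be run end to end. The following Python example is added here and is not part of the study guide or of any Cisco tooling; the topology, MAC addresses and port numbers are constructed, the per-VLAN priorities mimic Rapid PVST+ root placement, and the costs are the classic 802.1D values from the table. It builds the 64-bit Bridge ID (4-bit priority + 12-bit VLAN, then MAC), elects the root per VLAN, computes root path costs, and applies the four tie-breakers in order:

```python
"""Added example (not from the study guide): root bridge election and root port
selection rules, run over a small constructed topology."""
from dataclasses import dataclass, field
from heapq import heappop, heappush

# Classic 802.1D path costs per link speed in Mbps, from the table above.
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit Bridge ID: 4-bit priority + 12-bit extended system ID (VLAN), then 48-bit MAC.
    Only the top 4 bits hold the priority, which is why it must be a multiple of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority + vlan) << 48) | mac_int   # e.g. 32768 + 10 = 32778 for VLAN 10


@dataclass
class Switch:
    name: str
    mac: str
    vlan_priority: dict = field(default_factory=dict)  # per-VLAN priority (Rapid PVST+)

    def bid(self, vlan: int) -> int:
        return bridge_id(self.vlan_priority.get(vlan, DEFAULT_PRIORITY), vlan, self.mac)


@dataclass
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed: int  # Mbps


def elect_root(switches, vlan):
    """Lowest Bridge ID wins: lowest priority first, then lowest MAC."""
    return min(switches, key=lambda s: s.bid(vlan))


def root_path_costs(root, links):
    """Dijkstra from the root; each hop adds the receiving port's cost."""
    adj = {}
    for l in links:
        adj.setdefault(l.a, []).append((l.b, STP_COST[l.speed]))
        adj.setdefault(l.b, []).append((l.a, STP_COST[l.speed]))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heappush(heap, (d + c, v))
    return dist


def select_root_port(name, switches, vlan, links, port_priority=128):
    """Apply the tie-breakers in order: root path cost, sender BID, sender port
    priority, sender port number. Returns (neighbor, local port) or None for the root."""
    root = elect_root(switches, vlan).name
    if name == root:
        return None  # the root bridge has no root port
    bid = {s.name: s.bid(vlan) for s in switches}
    cost = root_path_costs(root, links)
    candidates = []
    for l in links:
        if l.a == name:
            nbr, nbr_port, local = l.b, l.b_port, l.a_port
        elif l.b == name:
            nbr, nbr_port, local = l.a, l.a_port, l.b_port
        else:
            continue
        # Tuple order is the tie-break order, so min() picks the winner.
        candidates.append((cost[nbr] + STP_COST[l.speed], bid[nbr],
                           port_priority, nbr_port, local, nbr))
    best = min(candidates)
    return best[5], best[4]


# Constructed topology: SW1 is root for VLAN 10, SW2 for VLAN 20 (load balancing);
# SW3 has two parallel 1 Gbps uplinks to SW1 so the port-number tie-break is exercised.
SWITCHES = [
    Switch("SW1", "0000.0c00.0001", {10: 24576}),
    Switch("SW2", "0000.0c00.0002", {20: 24576}),
    Switch("SW3", "0000.0c00.0003"),
]
LINKS = [
    Link("SW1", 1, "SW2", 1, 1000),
    Link("SW1", 2, "SW3", 1, 1000),
    Link("SW1", 3, "SW3", 2, 1000),
    Link("SW2", 2, "SW3", 3, 100),
]

if __name__ == "__main__":
    for vlan in (10, 20):
        print(f"VLAN {vlan}: root = {elect_root(SWITCHES, vlan).name}")
        for sw in SWITCHES:
            print(f"  {sw.name} root port -> {select_root_port(sw.name, SWITCHES, vlan, LINKS)}")
```

For VLAN 10 SW3 has two equal-cost uplinks to the same sender, so the choice falls through to the lowest sender port number (SW1 port 2) and SW3's local port 1 becomes the root port; for VLAN 20 the root moves to SW2 and SW1's own root port becomes port 1.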
STP Port States (Classic STP — 802.1D)
| State | Duration | Forwards Data? | Learns MACs? | Sends/Receives BPDUs? |
|---|---|---|---|---|
| Blocking | 20 seconds (max age) | No | No | Receives only |
| Listening | 15 seconds | No | No | Yes |
| Learning | 15 seconds | No | Yes | Yes |
| Forwarding | Stable state | Yes | Yes | Yes |
| Disabled | N/A | No | No | No |
Total convergence time for classic STP: 30-50 seconds (max age + listening + learning)
RSTP (Rapid Spanning Tree Protocol — 802.1w)
RSTP converges in seconds, compared with the 30-50 seconds classic STP needs.
RSTP Port States
| RSTP State | Forwards? | Learns? | Equivalent STP State |
|---|---|---|---|
| Discarding | No | No | Blocking + Listening + Disabled |
| Learning | No | Yes | Learning |
| Forwarding | Yes | Yes | Forwarding |
RSTP Port Roles
| Role | Description |
|---|---|
| Root port | Best path to root bridge (same as STP) |
| Designated port | Forwards traffic on the segment (same as STP) |
| Alternate port | Backup path to the root bridge (replaces STP blocking port) — provides rapid failover for root port failure |
| Backup port | Backup to a designated port on the same switch (rare) |
How RSTP Achieves Faster Convergence
- Proposal/Agreement mechanism: Switches negotiate port roles directly instead of waiting for timers
- Alternate port: Pre-determined backup root port that activates immediately
- Edge ports: Ports connected to end devices transition immediately to forwarding
- No listening state: The listening state is eliminated (combined into discarding)
Rapid PVST+ (Per-VLAN Rapid Spanning Tree)
Rapid PVST+ runs a separate RSTP instance for each VLAN. This allows:
- Different root bridges for different VLANs (load balancing)
- Per-VLAN topology optimization
- VLAN-specific tuning
Switch(config)# spanning-tree mode rapid-pvst ! Enable Rapid PVST+
Example: Load balancing across two switches
! On Switch A — root for VLANs 10-20
Switch-A(config)# spanning-tree vlan 10-20 root primary
! On Switch B — root for VLANs 21-30
Switch-B(config)# spanning-tree vlan 21-30 root primary
STP Protection Mechanisms (v1.1 additions)
PortFast
Allows access ports to skip listening and learning, transitioning directly to forwarding.
Switch(config-if)# spanning-tree portfast ! Per-interface
Switch(config)# spanning-tree portfast default ! All access ports globally
Warning: Only enable PortFast on ports connected to end devices, never on switch-to-switch links.
BPDU Guard
Shuts down a port if it receives a BPDU. Used with PortFast to prevent accidental loops.
Switch(config-if)# spanning-tree bpduguard enable ! Per-interface
Switch(config)# spanning-tree portfast bpduguard default ! Globally on PortFast ports
BPDU Filter
Suppresses BPDU sending and receiving on a port. Effectively disables STP on the port.
Switch(config-if)# spanning-tree bpdufilter enable
Caution: BPDU Filter is dangerous—it removes STP protection. Use with extreme care and only in specific scenarios (e.g., service provider connections).
Root Guard
Prevents a port from becoming a root port. If a superior BPDU is received, the port is placed in root-inconsistent (blocking) state.
Switch(config-if)# spanning-tree guard root
Use case: Apply on distribution switch ports facing access switches to prevent an access switch from ever becoming root.
Loop Guard
Prevents a port from transitioning to forwarding if BPDUs stop being received (which could indicate a unidirectional link failure).
Switch(config-if)# spanning-tree guard loop
| Protection | Purpose | Trigger |
|---|---|---|
| PortFast | Skip STP states on access ports | Manual config |
| BPDU Guard | Shut down port if BPDU received | BPDU received on PortFast port |
| BPDU Filter | Suppress BPDUs on a port | Manual config |
| Root Guard | Prevent port from becoming root port | Superior BPDU received |
| Loop Guard | Prevent forwarding if BPDUs stop | BPDUs stop arriving on non-designated port |
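The protection table above hinges on one comparison, whether a received BPDU is "superior" to the one the port itself sends (lower root BID, then lower root path cost, then lower sender BID, then lower port ID). The following Python example is added here and is not part of the study guide or of Cisco's implementation; it models that comparison and the reactions of BPDU Filter, BPDU Guard, Root Guard and Loop Guard, using constructed BPDUs with small integer Bridge IDs. It simplifies in two places, both marked in comments: BPDU Filter is checked before BPDU Guard, and classic recovery after max age is collapsed into a single step.

```python
"""Added example (not from the study guide): the BPDU comparison behind "superior",
and how BPDU Filter, BPDU Guard, Root Guard and Loop Guard react. Constructed events."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BPDU:
    root_bid: int          # Bridge ID of the root the sender believes in
    root_path_cost: int    # sender's cost to that root
    sender_bid: int        # sender's own Bridge ID
    sender_port_id: int    # (port priority << 8) | port number

    def key(self):
        """Lower wins at each step, in this order."""
        return (self.root_bid, self.root_path_cost, self.sender_bid, self.sender_port_id)


def is_superior(candidate: BPDU, current: BPDU) -> bool:
    """A BPDU with a lower key would change this port's role if accepted."""
    return candidate.key() < current.key()


@dataclass
class Port:
    name: str
    role: str      # "root", "designated" or "alternate"
    state: str     # "forwarding", "discarding", "err-disabled", "root-inconsistent", ...
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    root_guard: bool = False
    loop_guard: bool = False


def normal_state(port: Port) -> str:
    """State a healthy port of this role sits in."""
    return "forwarding" if port.role in ("root", "designated") else "discarding"


def receive_bpdu(port: Port, bpdu: BPDU, my_bpdu: BPDU) -> str:
    """Process one received BPDU. `my_bpdu` is what this switch transmits on the port."""
    if port.bpdu_filter:
        return port.state                 # dropped silently: STP is blind on this port
    if port.bpdu_guard:                   # simplification: filter wins if both are set
        port.state = "err-disabled"       # any BPDU on a guarded edge port shuts it down
        return port.state
    if port.root_guard and port.role == "designated" and is_superior(bpdu, my_bpdu):
        port.state = "root-inconsistent"  # refuse to let this port become a root port
        return port.state
    if port.state == "loop-inconsistent":
        port.state = normal_state(port)   # BPDUs resumed: Loop Guard releases the port
    return port.state


def max_age_expired(port: Port) -> str:
    """Called when no BPDU has arrived on the port for max age (20 s)."""
    if port.state == "root-inconsistent":
        port.state = normal_state(port)   # superior BPDUs stopped: Root Guard releases
    elif port.role in ("root", "alternate") and port.loop_guard:
        port.state = "loop-inconsistent"  # never forward on a link that went silent
    elif port.role in ("root", "alternate"):
        # Classic behaviour without Loop Guard, collapsed into one step: the port assumes
        # the designated role and moves to forwarding. On a unidirectional link this is
        # exactly how a loop forms.
        port.role, port.state = "designated", "forwarding"
    return port.state


# Constructed BPDUs with small integer Bridge IDs (lower is better).
UPSTREAM = BPDU(root_bid=100, root_path_cost=0, sender_bid=100, sender_port_id=0x8001)
MY_BPDU = BPDU(root_bid=100, root_path_cost=4, sender_bid=200, sender_port_id=0x8001)
DOWNSTREAM = BPDU(root_bid=100, root_path_cost=23, sender_bid=300, sender_port_id=0x8002)
BETTER_ROOT = BPDU(root_bid=50, root_path_cost=0, sender_bid=50, sender_port_id=0x8001)

if __name__ == "__main__":
    edge = Port("Gi0/5", "designated", "forwarding", bpdu_guard=True)
    print("BPDU Guard:", receive_bpdu(edge, DOWNSTREAM, MY_BPDU))
    dist = Port("Gi0/1", "designated", "forwarding", root_guard=True)
    print("Root Guard:", receive_bpdu(dist, BETTER_ROOT, MY_BPDU), "->", max_age_expired(dist))
    alt = Port("Gi0/2", "alternate", "discarding", loop_guard=True)
    print("Loop Guard:", max_age_expired(alt), "->", receive_bpdu(alt, UPSTREAM, MY_BPDU))
```

The same scenario without Loop Guard shows the failure mode Loop Guard exists for: a silent alternate port promotes itself to designated and starts forwarding, which on a unidirectional link closes the loop.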
STP Verification Commands
Switch# show spanning-tree ! All VLANs
Switch# show spanning-tree vlan 10 ! Specific VLAN
Switch# show spanning-tree interface Gi0/1 ! Specific port
Switch# show spanning-tree summary ! Summary with root status
Switch# show spanning-tree root ! Root bridge info for all VLANs
On the Exam: STP is heavily tested. Know root bridge election (lowest priority + MAC wins), port roles (root, designated, alternate), RSTP convergence (proposal/agreement), and the protection mechanisms (PortFast, BPDU Guard, Root Guard, Loop Guard) added in v1.1.
- What is the default STP bridge priority on a Cisco switch?
- Which STP protection mechanism should be enabled on access ports to prevent accidental loops from unauthorized switches?
- How quickly does RSTP (Rapid Spanning Tree Protocol) typically converge compared to classic STP?