
STP - Street-Level Ops

Real-world STP diagnosis and management workflows for network operations.

Remember: STP port states mnemonic: D-L-L-F-B — Disabled, Listening, Learning, Forwarding, Blocking. In RSTP (Rapid STP), this simplifies to three states: Discarding, Learning, Forwarding. Convergence drops from 30-50 seconds (classic STP) to under 6 seconds (RSTP). If your switches support it, always use RSTP (spanning-tree mode rapid-pvst).

Task: Identify the Root Bridge

# On Cisco switches
Switch# show spanning-tree
VLAN0001
  Root ID    Priority    4097
             Address     0011.2233.4455
             This bridge is the root

  Bridge ID  Priority    4097 (priority 4096 sys-id-ext 1)
             Address     0011.2233.4455

# If "This bridge is the root" does NOT appear:
Switch# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001          4097 0011.2233.4455         4    2   20  15  Gi0/1

# Root is reached via Gi0/1 with cost 4 (1G link)

Task: Check STP Port States

# See which ports are forwarding, blocking, or learning
Switch# show spanning-tree vlan 1

Interface    Role Sts    Cost      Prio.Nbr Type
------------ ---- ---    --------- -------- ----
Gi0/1        Root FWD    4         128.1    P2p
Gi0/2        Desg FWD    4         128.2    P2p
Gi0/3        Altn BLK    4         128.3    P2p

# Gi0/3 is blocked — this is the redundant path preventing a loop

Task: Diagnose a Broadcast Storm

# Symptoms: all hosts on VLAN unreachable, switch CPU 100%
# Check interface counters for massive broadcast traffic
Switch# show interfaces counters | include Broadcast
Gi0/1    Broadcast:  4847291    (per second!)

# Check STP status — a loop means STP is not working
Switch# show spanning-tree
# If output shows inconsistent states or no root bridge,
# STP may be broken

# Check for topology changes (TC) — frequent TCs cause MAC table flushes
Switch# show spanning-tree detail | include change
Number of topology changes 847 last change occurred 00:00:02 ago

# 847 topology changes — something is flapping
# Find the port causing topology changes
Switch# show spanning-tree detail | include from
  from GigabitEthernet0/5

# Investigate Gi0/5 — likely a flapping link or rogue device

Under the hood: Every STP topology change (TC) makes every switch in the VLAN discard its learned MAC-to-port mappings (RSTP flushes them outright; classic STP shortens MAC aging to the forward-delay time, with the same practical effect), so frames are flooded until the table is re-learned. A single flapping port can cause hundreds of TCs per minute, turning your switched network into a hub-like flood domain. This is why isolating the TC source port is the highest priority during a broadcast storm.

Task: Set a Deterministic Root Bridge

# Never let STP randomly elect a root — set it explicitly
# Primary root (lowest priority)
Switch-Core1(config)# spanning-tree vlan 1-100 priority 4096

# Backup root
Switch-Core2(config)# spanning-tree vlan 1-100 priority 8192

# Verify
Switch-Core1# show spanning-tree root
# Priority should show 4097 for VLAN 1 (4096 + sys-id-ext, which is the VLAN number; VLAN 100 shows 4196)
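Added example, not from this page's author: the root-bridge and port-state checks from the tasks above and the deterministic-root verification done programmatically, as a small Python parser over a constructed show spanning-tree vlan 1 capture from a non-root switch (the sample text and MAC addresses are made up).

```python
import re

# Constructed "show spanning-tree vlan 1" output from a non-root switch (not a real capture)
SAMPLE = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     0011.2233.4455
             Cost        4
             Port        1 (GigabitEthernet0/1)

  Bridge ID  Priority    32769 (priority 32768 sys-id-ext 1)
             Address     aabb.ccdd.eeff

Interface    Role Sts    Cost      Prio.Nbr Type
------------ ---- ---    --------- -------- ----
Gi0/1        Root FWD    4         128.1    P2p
Gi0/2        Desg FWD    4         128.2    P2p
Gi0/3        Altn BLK    4         128.3    P2p
"""

def parse_stp(text):
    """Pull VLAN, root/bridge IDs and per-port role/state out of show spanning-tree output."""
    vlan = int(re.search(r"^VLAN0*(\d+)", text, re.M).group(1))
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", text).groups()
    bridge = re.search(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]+)", text, re.S).groups()
    ports = {}
    for m in re.finditer(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|DIS)\s", text, re.M):
        ports[m.group(1)] = (m.group(2), m.group(3))
    return {"vlan": vlan, "root": (int(root[0]), root[1]),
            "bridge": (int(bridge[0]), bridge[1]), "ports": ports}

def is_root(info):
    # The switch is root when its own bridge ID equals the root ID it advertises
    return info["root"] == info["bridge"]

def root_port(info):
    return next((p for p, (role, _) in info["ports"].items() if role == "Root"), None)

def blocked_ports(info):
    return [p for p, (_, sts) in info["ports"].items() if sts == "BLK"]

def root_is_intended(info, base_priority, core_mac):
    """True when the elected root matches the configured core: base + sys-id-ext (the VLAN number)."""
    return info["root"] == (base_priority + info["vlan"], core_mac)
```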

Task: Enable PortFast and BPDU Guard on Access Ports

# Access port connected to a server — skip STP convergence
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable

# Enable globally for all access ports (safer approach)
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree portfast bpduguard default

# If a rogue switch is plugged in, the port shuts down:
# %SPANTREE-2-BLOCK_BPDUGUARD: BPDU Guard disabling port Gi0/10
Switch# show interfaces Gi0/10 status
Gi0/10  disabled  err-disabled

# Recover the port after removing the rogue device
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Gotcha: PortFast should only be enabled on access ports connected to end hosts (servers, workstations). Enabling PortFast on a port connected to another switch bypasses STP convergence and can create a loop instantly. BPDU Guard is the safety net — it shuts down the port if it receives a BPDU, which only switches send. Always pair PortFast with BPDU Guard.

Task: Check STP on a Linux Bridge

# Linux bridges have STP built in
$ cat /sys/class/net/br0/bridge/stp_state
0   # 0 = disabled, 1 = enabled

# Enable STP on the bridge
$ ip link set br0 type bridge stp_state 1

# Check port states
$ brctl showstp br0
br0
 bridge id          8000.aabbccddeeff
 designated root    8000.001122334455
 root port             1
 root path cost        4

eth0 (1)
 port id            8001  state           forwarding
eth1 (2)
 port id            8002  state           blocking

# Verify with bridge command
$ bridge -d link show
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 state forwarding
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 state blocking

Task: Investigate an err-disabled Port

# Port went err-disabled due to BPDU guard
Switch# show interfaces status err-disabled
Port    Name     Status       Reason
Gi0/10  Server5  err-disabled bpdu-guard

# Check what caused it
Switch# show spanning-tree interface Gi0/10 detail
# Port received BPDU from an unexpected source

# Recover: remove the rogue device, then bounce the port
Switch(config)# interface Gi0/10
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

# Enable automatic recovery (optional)
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
# Port auto-recovers after 300 seconds

Task: Monitor Topology Changes

# Frequent topology changes cause MAC table flushes and brief outages
Switch# show spanning-tree detail | include topology
Number of topology changes 3 last change occurred 04:12:33 ago
# 3 changes in 4 hours — normal

# Problematic output:
# Number of topology changes 428 last change occurred 00:00:15 ago
# Hundreds of changes in seconds — active flapping

# Find the source port
Switch# show spanning-tree detail | include from
  from GigabitEthernet0/5

# Debug (temporarily):
Switch# debug spanning-tree events
# Watch for TCN (Topology Change Notification) messages
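Added example (not part of the original page) covering the topology-change checks in Diagnose a Broadcast Storm and Monitor Topology Changes: parse two show spanning-tree detail samples taken a known interval apart and flag VLANs whose TC rate points at a flapping port. The sample excerpts are constructed; the 60-second interval and the 10 TC/min threshold are assumptions.

```python
import re

# Constructed "show spanning-tree detail" excerpts (not real captures), taken 60 s apart
SAMPLE_T0 = """\
 VLAN0001 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address aabb.ccdd.eeff
  Number of topology changes 847 last change occurred 00:00:02 ago
          from GigabitEthernet0/5
 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Number of topology changes 3 last change occurred 04:12:33 ago
          from GigabitEthernet0/1
"""
# Second sample: VLAN0001 kept changing, VLAN0010 stayed quiet
SAMPLE_T1 = SAMPLE_T0.replace("847", "1203").replace("00:00:02", "00:00:01")

TC_RE = re.compile(
    r"^\s*(VLAN\d+) is executing.*?"
    r"Number of topology changes (\d+) last change occurred (\S+) ago"
    r"(?:\s+from (\S+))?", re.S | re.M)

def age_seconds(hms):
    """Convert the hh:mm:ss age IOS prints to seconds; other forms (e.g. 1d02h, never) return None."""
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", hms)
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s

def parse_tc(text):
    """Return {vlan: {"changes": n, "last_ago_s": seconds, "from": port}} per VLAN block."""
    return {v: {"changes": int(n), "last_ago_s": age_seconds(ago), "from": port}
            for v, n, ago, port in TC_RE.findall(text)}

def tc_rate_per_min(before, after, interval_s):
    """Topology changes per minute between two samples taken interval_s apart."""
    return {v: (after[v]["changes"] - before[v]["changes"]) * 60.0 / interval_s
            for v in after if v in before}

def flapping_ports(before, after, interval_s, threshold_per_min=10):
    """VLANs whose TC rate exceeds the threshold, with the port the last TC came from."""
    rates = tc_rate_per_min(before, after, interval_s)
    return [(v, after[v]["from"], rates[v]) for v in rates if rates[v] > threshold_per_min]
```

A single sample with a high counter only says the switch has been flapping at some point since it booted; the rate between two samples is what separates an old incident from an active one.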

Task: Verify Root Guard Is Working

# Root guard prevents unauthorized switches from becoming root
Switch(config-if)# spanning-tree guard root

# If a higher-priority BPDU arrives:
# %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/3
Switch# show spanning-tree inconsistentports
Name         Interface     Inconsistency
VLAN0001     Gi0/3         Root Inconsistent

# Port is blocked — root placement is protected
# When the rogue BPDU source is removed, port auto-recovers
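Added example (not from the page) for the BPDU Guard and Root Guard events shown above: detection logic over constructed syslog lines that reports ports left err-disabled by BPDU Guard and root-guard ports still blocked. The timestamp layout and the ROOTGUARD_UNBLOCK message wording are assumptions.

```python
import re

# Constructed syslog lines (not a real capture) in the shape of the messages shown above;
# the ROOTGUARD_UNBLOCK message is assumed to use the same "port <name>" wording.
LOG = """\
Mar  1 10:22:04.123: %SPANTREE-2-BLOCK_BPDUGUARD: BPDU Guard disabling port Gi0/10
Mar  1 10:22:04.125: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/10, putting Gi0/10 in err-disable state
Mar  1 10:23:11.001: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/3 on VLAN0001.
Mar  1 10:25:40.400: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/7 on VLAN0001.
Mar  1 10:30:00.000: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Gi0/3 on VLAN0001.
"""

# Only SPANTREE messages are of interest; the port name follows the word "port"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:.]+): %SPANTREE-\d-(?P<mnemonic>\w+): .*?port (?P<port>\S+)", re.M)

def parse_guard_events(log):
    """One dict per SPANTREE guard message: timestamp, mnemonic, port."""
    return [m.groupdict() for m in EVENT_RE.finditer(log)]

def bpduguard_errdisabled(events):
    """Ports shut by BPDU Guard; they stay err-disabled until bounced or errdisable recovery fires."""
    return sorted({e["port"] for e in events if e["mnemonic"] == "BLOCK_BPDUGUARD"})

def rootguard_still_blocked(events):
    """Root-guard ports whose latest event is a block, i.e. a superior BPDU is still arriving."""
    state = {}
    for e in events:  # log order is time order, so the last event per port wins
        if e["mnemonic"] == "ROOTGUARD_BLOCK":
            state[e["port"]] = True
        elif e["mnemonic"] == "ROOTGUARD_UNBLOCK":
            state[e["port"]] = False
    return sorted(p for p, blocked in state.items() if blocked)
```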

Emergency: Loop Detected — Immediate Response

# Network is down. Broadcast storm confirmed.
# Step 1: Identify and disable the looping port
Switch# show interfaces counters | include Broadcast
# Find the port with millions of broadcasts

# Step 2: Shut it down immediately
Switch(config-if)# shutdown

# Step 3: Verify network recovers
Switch# show processes cpu | include five
# CPU should drop from 100% back to normal within seconds

# Step 4: Investigate before re-enabling
# Was STP disabled on this port? Was a rogue device connected?
Switch# show spanning-tree interface Gi0/5 detail

Debug clue: During a broadcast storm, switch CPU hits 100% and management access (SSH/Telnet) becomes unresponsive. If you cannot reach the switch remotely, use the console cable. This is why every production network switch should have an out-of-band console server — it is your last resort when the network is a storm.