2.1.f Implement and troubleshoot spanning-tree

2.1.f Implement and troubleshoot spanning-tree
2.1.f (i) PVST+/RPVST+/MST
2.1.f (ii) Switch priority, port priority, path cost, STP timers
2.1.f (iii) port fast, BPDUguard, BPDUfilter
2.1.f (iv) loopguard, rootguard


802.1D Spanning-tree is the premier loop prevention mechanism at L2. It is an IEEE standard protocol. Because frames have no ttl field, unlike packets, L2 is susceptible to broadcast storms, MAC table corruption, and multiple frame copies.


In order to facilitate a loop free topology a root switch is elected as a reference point for the entire tree. This is accomplished by establishing a BID (bridge id) for every switch in the diameter. A bridge ID is an 8 byte construct composed of 2 bytes of priority, and 6 bytes MAC address. Further, the priority is segmented into 4 bits priority and 12 bits extended system id, where the extended system id is the VLAN ID. This enables each VLAN to have a unique bridge ID. see below.


Spanning tree enabled protocol rstp

Root ID Priority 32778

Address 0009.b73f.ce80

Cost 12

Port 64 (Port-channel2)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)

Switch Priority Value

Extended System ID (Set Equal to the VLAN ID)

Bit 16 Bit 15 Bit 14 Bit 13 Bit 12 Bit 11 Bit 10 Bit 9 Bit 8 Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1

32768 16384 8192 4096 2048 1024 512 256 128 64 32 16 8 4 2 1

here is the binary math with the example vlan 101000 0000 0000 1010

32768 + 8 + 2

Path cost is the measure of distance between switches. Links are assigned this cost by STP, which is based upon bandwidth. Higher bandwidth equals lower cost; STP prefers lower cost paths.

For STP to operate properly, a root switch is elected for the tree. A root switch is easily identified as the only switch in the tree with all ports designated forwarding. There is one root switch elected in the tree. During the election, BPDU’s are sent between switches for each port to compare BID’s.

The lowest priority wins the election; in case of a tie the lower MAC is then the decider.

The election and resultant STP topology occurs in three stages:

1. Elect root. The lowest BID is elected root

2. Elect root ports. Every non-root switch selects a root port (lowest path cost to the root switch)

3. Elect designated ports. Each segment has one designated port. The switch with this designated port becomes the designated switch for that segment.

Remember; the root switch’s ports are all designated forwarding; no root port on the root switch.

After this convergence has been achieved, BPDU’s will then be disseminated out of the root switch over loop free paths.

Ports transition through states one to the other in specific order and for lengths of time, as needed in the topology.

1. Disabled: adminstratively down

2. Blocking: BPDU reception only (20 sec)

3. Listening: BPDU’s sent and received (15 sec)

4. Learning: BPDU’s sent/received and added to table (15 sec)

5. Forwarding: Sends and receives data

STP timers

Hello: 2 sec between BPDU dissemination from the root switch

Forward delay: 15 sec each Listening and Learning (forward delay 30 sec)

Max age: 20 sec (blocking state duration; BPDU aging time)

Convergence time is between 30 and 50 seconds. Timers may be modified at the root switch but it is not recommended.

Topology Changes

A TCN (Topology Change Notification) BPDU is used to alert the root switch to a topology change in the tree. The BPDU type field signifies it is a TCN: 0x80. TCN BPDU’s improve convergence time for network failures because they cause speedier updates to the MAC tables.

802.1d TCN process:

TCN’s are sent out root ports of non-root devices to the root switch each hello interval until an acknowledgement.

1. A switch sends a TCN when:

a) it has at least one DP and moves a port to forwarding

b) a port goes from fowarding/learning to blocking

2. Upstream switches process TCN’s on DP’s

3. The upstream switch sets the Topology Change Acknowledgement field of the next BPDU received and sends it downstream, causing the downstream switch to cease sending TCN BPDU’s

4. The upstream switch sends the TCN further upstream;

5. Until the root switch receives the TCN

6. The root switch sets the TCA and Topology Change flags in the next configuration BPDU it sends downstream

7. The root switch then sets the TC flag in all BPDU’s it sends for Forward Delay + Max Age which instructs all switches to age Mac table entries faster

Root Bridge Placement

Manually place the root switch at or close to the logical center of the tree using IOS commands. Set the priority directly or select a root primary, and root secondary in case of primary failure.

A priority value can be set on a VLAN in global configuration mode to directly impact root election.

dsw1(config)#spanning-tree vlan 10 priority 4096

dsw1#sh spanning-tree vlan 10


Spanning tree enabled protocol ieee

Root ID Priority 4106

Address 0016.479e.4500

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4106 (priority 4096 sys-id-ext 10)

Address 0016.479e.4500

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Use increments of 4096 when setting the priority thus, ie, manually setting the secondary root.

dsw2(config)#spanning-tree vlan 10 priority 8192

dsw2(config)#do sh spann vlan 10


Spanning tree enabled protocol ieee

Root ID Priority 4106

Address 0016.479e.4500

Cost 24

Port 56 (Port-channel1)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8202 (priority 8192 sys-id-ext 10)

Address a8b1.d4d3.a900

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

There is also a macro command that can accomplish this. This macro is designed to examine the priority of the existing root, and set the new root accordingly.

dsw2#sh spann vlan 20


Spanning tree enabled protocol ieee

Root ID Priority 32788

Address 0009.b73f.ce80

Cost 12

Port 56 (Port-channel1)

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)

Address a8b1.d4d3.a900

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Notice the tie breaker lower MAC above when priority is equal, or default 32768 in this case.

dsw2(config)#spanning-tree vlan 20 root primary

dsw2(config)#do sh spann vlan 20


Spanning tree enabled protocol ieee

Root ID Priority 24596

Address a8b1.d4d3.a900

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24596 (priority 24576 sys-id-ext 20)

Address a8b1.d4d3.a900

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

PVST+ is per vlan, the Cisco implementation of 802.1D.

Cisco enhancements to 802.1d to improve convergence.

Port Fast

Port Fast should be configured on host ports only to speed convergence. Enabling Port Fast does not preclude the port from participating in STP, it simply improves convergence on the port because:

Ports are put directly into forwading mode upon coming up

A TCN is not generated in the event the port goes down/up or up/down

Hosts are often reliant on services for proper behavior on the network, ie, DHCP. Port Fast insures speedy acquisition of addressing parameters.

Uplink Fast

Uplink Fast will detect a directly connected failure and enable a new root port almost immediately. Uplink Fast is most effective on wiring closet switches.


Similar to uplink fast however it works when indirect failures are detected in the topology. Backbone fast is configured on all switches in the topology.

802.1W Rapid Spanning Tree

A feature rich improvement over 802.1D (incorporating Cisco enhancements discussed above) that speeds convergence greatly. It is fully functional with 802.1D and is configured almost identically. Naturally to benefit from RSTP a topology should have all switches in the diameter using it.

Full duplex, point-to-point adjacencies between switches are required.

RSTP identifies edge ports (hosts) as those not needing to participate in Spanning Tree, either manually configured, or recognized with Port Fast configuration.

RSTP Port States/Roles

Below, note distinct differencesfrom 802.1D:

RSTP States




RSTP Roles

Root Port: same as 802.1D, exists on all non-root switches, least cost path to the root

Designated Port: same as 802.1D, all segments must have a DP, the root switch only has DP’s

Alternate Port: introduced in 802.1W, fast converging backup to root port

Backup Port: introduced in 802.1W, fast converging backup to current DP on a segment


All switches now send BPDU’s every time period (2 sec default). BPDU’s are aged out if not received for 3 time periods and act as keepalive’s.

Proposal and Agreement


Convergence occurs on a link-by-link basis in 802.1w. No longer does a reliance on timers for convergence exist as in 802.1D. A proposal and agreement process replaces the timer methodology of STP and flows downstream from the root device.

In RSTP, only nonedge ports moving to the Forwarding state cause a topology change (TC). The originator of a TC is now responsible for flooding it through the network.

Implementing RSTP

On most Cisco switches, configuring 802.1s (Multiple Spanning Tree, MST) automatically enables RSTP. Cisco did invent a mode of operation, PVST+ mode, that enables you to use RSTP without the implementation of MST. You can enable PVST+ mode on a switch with the following command:

spanning-tree mode rapid-pvst

see also:



IEEE Standard developed to allow for multiple vlan’s to be grouped to one, or more instances, versus a tree for every vlan. With fewer trees, resources are conserved. Other advantages are load sharing and path optimization. The primary disadvantage is involved configuration.

MST is backwardly compatible due to it’s implementation of a common tree.


Globally enable

spanning-tree mode mst

Enter MST configuration mode

spanning-tree mst configuration

Create the region name

name name

Create a revision number

revision number

Map vlans to instances

instance x vlan range


show spanning-tree mst configurations

show spanning-tree mst vlan_id

see also:


Loop Guard

Loop guard is, naturally, a loop prevention mechanism. It’s role is to detect the lack of BPDU reception on a Loop Guard enabled port. BPDU’s may suddenly go missing on a port that has been rendered unidirectional or that is experiencing congestion, for instance.

Loop Guard is functionally equivalent to UDLD with the primary difference being Loop Guard is per vlan whereas UDLD is per port. Loop Guard must be configured on a p2p port that is currently bidirectional.

Loop Guard, if enabled, will place an alternate or backup port into loop-inconsistent state upon the loss of BPDU’s instead of the port progressing to the other STP states (Listening/Learning/Forwarding)

Loop Guard is enabled globally with:

spanning-tree loopguard default

see also:



Unidirectional Link Detection. As its name states UDLD identifies ports that have become unidirectional. In plain language, when traffic sent by a local device is received, but not returned, the port is shut down if in aggressive mode, and considered undetermined if in normal mode. By default on fiber interfaces, UDLD is enabled and for UDLD to be effective both sides of the link have to be supported. UDLD can be enabled globally or on a port basis.

see also: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_55_se/configuration/guide/swudld.html


The primary purpose of Root Guard is to protect the placement of the root switch in a topology. If a switch receives superior bpdu’s on a root guard enabled port that port is placed into root-inconsistent state, equal to the listening state. Root guard is typically placed on Service Provider switches to avoid a customer’s switch becoming the root switch in its topology.

dsw1(config-if)#spanning-tree guard root

see also:



Bpdu guard typically works in conjunction with port fast to prevent bpdu’s from being received on a port fast enabled port. The reception of bpdu’s ona a port fast port indicates misconfiguration or security problems. As it is a guard, not a filter, it will errdisable port fast ports upon receipt of bdu’s. It may be configured globally for port fast enabled ports, or at the interface with or without port fast.

dsw1(config)#spanning-tree portfast bpduguard

dsw1(config-if)#spanning-tree bpduguard enable

see also:



Storm control is a prevention mechanism in the event of unicast, multicast and/or broadcast storms.