Introduction
Spanning Tree Protocol (STP) is the foundational Layer 2 loop-prevention mechanism in every Cisco switched network. A single misconfiguration can cause broadcast storms that take down an entire campus in seconds. This run book covers every STP variant you will encounter on Cisco Catalyst switches — Classic STP (IEEE 802.1D), Rapid STP (IEEE 802.1w / Rapid PVST+), and Multiple Spanning Tree (IEEE 802.1s / MST) — with real commands, production configs, hardening best practices, and troubleshooting procedures for IOS 15.x and IOS-XE 16.x/17.x.
1 — STP Fundamentals Refresher
1.1 Why STP Exists
Redundant Layer 2 links create switching loops. Without STP, a single broadcast frame is replicated endlessly, saturating bandwidth and crashing MAC address tables. STP builds a loop-free logical topology by electing a Root Bridge, calculating shortest paths, and placing redundant ports into a Blocking state.
1.2 Key Terminology
- Bridge ID (BID) — 2-byte priority + 48-bit MAC address. Lowest BID wins the Root Bridge election.
- Root Port (RP) — The port on every non-root switch with the lowest cost path to the Root Bridge.
- Designated Port (DP) — The port on each segment that forwards traffic toward the Root Bridge.
- Alternate Port / Backup Port — Redundant ports placed in Blocking (STP) or Discarding (RSTP) state.
- BPDU (Bridge Protocol Data Unit) — Frames exchanged between switches to build and maintain the tree.
- Path Cost — Cumulative cost of links to reach the Root Bridge (lower is better).
1.3 IEEE STP Path Cost Defaults (Short and Long Mode)
| Link Speed | Short Cost | Long Cost |
|---|---|---|
| 10 Mbps | 100 | 2,000,000 |
| 100 Mbps | 19 | 200,000 |
| 1 Gbps | 4 | 20,000 |
| 10 Gbps | 2 | 2,000 |
| 25 Gbps | — | 800 |
| 40 Gbps | — | 500 |
| 100 Gbps | — | 200 |
IOS uses short mode by default. IOS-XE 16.x+ and NX-OS use long mode. You can change this with spanning-tree pathcost method long.
2 — STP Variants on Cisco Platforms
| Variant | Standard | Cisco Name | Per-VLAN? | Convergence |
|---|---|---|---|---|
| Classic STP | 802.1D-1998 | PVST+ | Yes | 30-50 sec |
| Rapid STP | 802.1w | Rapid PVST+ | Yes | 1-2 sec |
| Multiple STP | 802.1s | MST | Instances (groups of VLANs) | 1-2 sec |
Recommendation: Use Rapid PVST+ for campus access/distribution layers. Use MST when you have hundreds of VLANs and need to reduce STP instance overhead.
3 — Setting the STP Mode
3.1 Rapid PVST+ (Recommended Default)
Switch(config)# spanning-tree mode rapid-pvst
This is a global command that affects all VLANs. All ports begin using 802.1w BPDUs immediately. Rapid PVST+ is backward-compatible with legacy 802.1D switches on a per-port basis — if a port receives legacy BPDUs it falls back to classic STP on that port.
3.2 MST
Switch(config)# spanning-tree mode mst
3.3 Classic PVST+ (Legacy)
Switch(config)# spanning-tree mode pvst
Avoid classic PVST+ in new deployments. The 30-50 second convergence is unacceptable for modern networks.
4 — Root Bridge Election and Tuning
4.1 Designing Root Placement
The Root Bridge should always be your distribution or core switch — never an access switch. Configure a primary root on one distribution switch and a secondary root on the other.
4.2 Using the Macro Command
! Distribution Switch 1 — Primary Root
DS1(config)# spanning-tree vlan 1,10,20,30 root primary
! Distribution Switch 2 — Secondary Root
DS2(config)# spanning-tree vlan 1,10,20,30 root secondary
The root primary macro sets the priority to 24576 (or 4096 less than the current root if it is already below 24576). The root secondary macro sets the priority to 28672.
4.3 Manual Priority Assignment
For deterministic control, set the priority manually. Priority must be a multiple of 4096 (0, 4096, 8192, … 61440).
! Make this switch the root for VLAN 10
DS1(config)# spanning-tree vlan 10 priority 4096
! Make this switch the backup root for VLAN 10
DS2(config)# spanning-tree vlan 10 priority 8192
4.4 Load Balancing Across Distribution Pair
Split VLANs across two root bridges to distribute traffic across uplinks:
! DS1 is root for odd VLANs
DS1(config)# spanning-tree vlan 1,11,13,15,17,19 priority 4096
DS1(config)# spanning-tree vlan 10,12,14,16,18,20 priority 8192
! DS2 is root for even VLANs
DS2(config)# spanning-tree vlan 10,12,14,16,18,20 priority 4096
DS2(config)# spanning-tree vlan 1,11,13,15,17,19 priority 8192
4.5 Tuning Port Cost and Port Priority
! Override port cost on a specific interface
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# spanning-tree vlan 10 cost 2
! Override port priority (lower = preferred)
Switch(config-if)# spanning-tree vlan 10 port-priority 64
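As an added illustration of the election rules in sections 4.2 to 4.5 (example code, not part of the run book), the following Python models the Bridge ID comparison with the extended system ID and the root path cost calculation using the section 1.3 cost tables; the switch names, MAC addresses and link speeds are constructed.

```python
# Added example (not from the run book): model the Bridge ID comparison behind
# the Root Bridge election, including the extended system ID, and compute each
# switch's root path cost with the section 1.3 short/long cost tables.
from dataclasses import dataclass

# Section 1.3 defaults (link speed in Mbps -> cost). Short mode has no value
# above 10 Gbps, which is why the page recommends long mode for 10G+ links.
SHORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}
LONG_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000,
             25000: 800, 40000: 500, 100000: 200}

def link_cost(speed_mbps: int, method: str = "long") -> int:
    table = LONG_COST if method == "long" else SHORT_COST
    if speed_mbps not in table:
        raise ValueError(f"no {method}-mode cost defined for {speed_mbps} Mbps")
    return table[speed_mbps]

def bridge_id(priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID as compared on the wire: the 16-bit priority field holds the
    configured priority (upper 4 bits, hence multiples of 4096) plus the VLAN
    number (lower 12 bits), followed by the 48-bit MAC as the tie-breaker."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return (priority + vlan, int(mac.replace(".", ""), 16))

def split_priority_field(field: int) -> tuple:
    """Undo the extended system ID: 4106 in 'show spanning-tree root' output
    is priority 4096 on VLAN 10."""
    return (field & 0xF000, field & 0x0FFF)

@dataclass
class Switch:
    name: str
    priority: int
    mac: str
    links: dict  # neighbour name -> link speed in Mbps (symmetric)

def elect_root(switches: list, vlan: int) -> str:
    """Lowest Bridge ID wins the election for this VLAN."""
    return min(switches, key=lambda s: bridge_id(s.priority, vlan, s.mac)).name

def root_path_costs(switches: list, vlan: int, method: str = "long") -> dict:
    """Shortest-path (Dijkstra) cost from every switch to the elected root;
    the root itself reports cost 0, as in the section 11.2 output."""
    root = elect_root(switches, vlan)
    graph = {s.name: s.links for s in switches}
    cost, frontier = {root: 0}, [root]
    while frontier:
        cur = min(frontier, key=cost.get)
        frontier.remove(cur)
        for nbr, speed in graph[cur].items():
            c = cost[cur] + link_cost(speed, method)
            if c < cost.get(nbr, float("inf")):
                cost[nbr] = c
                frontier.append(nbr)
    return cost

# Constructed topology following section 4: DS1 primary root (4096), DS2
# secondary (8192), one access switch at the default 32768. MACs are made up.
TOPOLOGY = [
    Switch("DS1", 4096, "aabb.cc00.0100", {"DS2": 10000, "ACC1": 1000}),
    Switch("DS2", 8192, "aabb.cc00.0200", {"DS1": 10000, "ACC1": 1000}),
    Switch("ACC1", 32768, "aabb.cc00.0300", {"DS1": 1000, "DS2": 1000}),
]
```

Swapping the priorities of DS1 and DS2 for the even VLANs reproduces the section 4.4 split, and switching method to "short" shows why a 10G uplink and a 1G downlink become nearly indistinguishable in short mode.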
5 — STP Timers
Default timers (set on the Root Bridge and propagated via BPDUs):
Hello Time: 2 seconds
Forward Delay: 15 seconds
Max Age: 20 seconds
To modify (only on the Root Bridge):
DS1(config)# spanning-tree vlan 10 hello-time 1
DS1(config)# spanning-tree vlan 10 forward-time 10
DS1(config)# spanning-tree vlan 10 max-age 14
Warning: Reducing timers increases CPU/BPDU overhead. Only tune timers if you understand the diameter formula: Max Age >= 2 × (Hello Time + 1) and Forward Delay >= (Max Age / 2) + 1. In most cases, leave timers at defaults and use Rapid PVST+ for fast convergence instead.
6 — PortFast and Edge Ports
6.1 PortFast on Access Ports
PortFast skips the Listening and Learning states, bringing the port to Forwarding immediately. Use it only on ports connected to end hosts — never on switch-to-switch links.
! Per-interface
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# spanning-tree portfast
! Global default for all access ports
Switch(config)# spanning-tree portfast default
With spanning-tree portfast default, every access port automatically gets PortFast. Trunk ports are excluded.
6.2 PortFast on Trunk Ports (Use with Caution)
Switch(config)# interface GigabitEthernet1/0/48
Switch(config-if)# switchport mode trunk
Switch(config-if)# spanning-tree portfast trunk
This is sometimes needed for servers with 802.1Q trunks (e.g., VMware ESXi hosts), but always pair it with BPDU Guard.
7 — STP Protection Mechanisms
7.1 BPDU Guard
If a PortFast-enabled port receives a BPDU, BPDU Guard immediately puts it into err-disabled state — preventing rogue switches from disrupting the topology.
! Global (recommended)
Switch(config)# spanning-tree portfast bpduguard default
! Per-interface
Switch(config-if)# spanning-tree bpduguard enable
To auto-recover err-disabled ports:
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
7.2 BPDU Filter
BPDU Filter suppresses BPDU transmission and reception on a port. Use with extreme caution — it effectively disables STP on that port.
! Per-interface only (global + portfast default has different behavior)
Switch(config-if)# spanning-tree bpdufilter enable
Best Practice: Prefer BPDU Guard over BPDU Filter. BPDU Filter can create undetected loops.
7.3 Root Guard
Root Guard prevents a port from becoming a Root Port. If superior BPDUs are received, the port enters root-inconsistent (blocking) state. Deploy on distribution switch downlinks toward access switches.
Switch(config)# interface range GigabitEthernet1/0/1 - 24
Switch(config-if-range)# spanning-tree guard root
7.4 Loop Guard
Loop Guard detects unidirectional link failures. If BPDUs stop arriving on a non-designated port, Loop Guard places the port into loop-inconsistent state instead of transitioning to Forwarding.
! Global (recommended)
Switch(config)# spanning-tree loopguard default
! Per-interface
Switch(config-if)# spanning-tree guard loop
Note: Root Guard and Loop Guard are mutually exclusive on the same port. Use Root Guard on downlinks (distribution → access) and Loop Guard on interswitch links (redundant uplinks).
7.5 UDLD (Unidirectional Link Detection)
UDLD works alongside Loop Guard to detect unidirectional fiber failures:
! Enable aggressive UDLD globally on fiber ports
Switch(config)# udld aggressive
! Per-interface
Switch(config)# interface TenGigabitEthernet1/1/1
Switch(config-if)# udld port aggressive
8 — Rapid PVST+ Deep Dive
8.1 Port Roles in RSTP
- Root Port — Best path to Root Bridge (same as classic STP).
- Designated Port — Forwards traffic on a segment (same as classic STP).
- Alternate Port — Backup path to the Root Bridge (replaces Blocking port). Provides fast failover for Root Port loss.
- Backup Port — Redundant path on the same switch to the same segment (rare).
8.2 Port States in RSTP
| Classic STP | RSTP |
|---|---|
| Disabled | Discarding |
| Blocking | Discarding |
| Listening | Discarding |
| Learning | Learning |
| Forwarding | Forwarding |
8.3 RSTP Convergence Mechanism
RSTP achieves sub-second convergence through the proposal/agreement mechanism on point-to-point links. When a switch detects a link coming up, it sends a proposal BPDU. The downstream switch blocks all other ports and responds with an agreement, allowing the proposing port to move immediately to Forwarding — no timer waits.
8.4 Link Type Configuration
! Force point-to-point (full-duplex links — usually auto-detected)
Switch(config-if)# spanning-tree link-type point-to-point
! Force shared (half-duplex hub segments)
Switch(config-if)# spanning-tree link-type shared
The proposal/agreement mechanism only works on point-to-point links. Shared links fall back to classic timer-based convergence.
9 — MST (Multiple Spanning Tree) Configuration
9.1 When to Use MST
With hundreds of VLANs, Rapid PVST+ runs a separate STP instance per VLAN, consuming significant CPU and memory. MST maps multiple VLANs to a smaller number of instances, reducing overhead.
9.2 MST Region Configuration
All switches in the same MST region must have identical region name, revision number, and VLAN-to-instance mapping.
Switch(config)# spanning-tree mode mst
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name CAMPUS-MST
Switch(config-mst)# revision 1
Switch(config-mst)# instance 1 vlan 1-100
Switch(config-mst)# instance 2 vlan 101-200
Switch(config-mst)# instance 3 vlan 201-500
Switch(config-mst)# exit
VLANs not explicitly mapped go to Instance 0 (IST — Internal Spanning Tree).
9.3 MST Root Bridge Election
! DS1 is root for Instance 1, backup for Instance 2
DS1(config)# spanning-tree mst 1 priority 4096
DS1(config)# spanning-tree mst 2 priority 8192
! DS2 is root for Instance 2, backup for Instance 1
DS2(config)# spanning-tree mst 2 priority 4096
DS2(config)# spanning-tree mst 1 priority 8192
! IST root (Instance 0)
DS1(config)# spanning-tree mst 0 priority 4096
9.4 Verifying MST Configuration
Switch# show spanning-tree mst configuration
Switch# show spanning-tree mst 1
Switch# show spanning-tree mst 0 detail
10 — Complete Production Configuration Example
10.1 Distribution Switch 1 (DS1) — Rapid PVST+
! === Global STP Settings ===
spanning-tree mode rapid-pvst
spanning-tree pathcost method long
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
spanning-tree vlan 1,10,20 priority 4096
spanning-tree vlan 30,40,50 priority 8192
! === Uplinks to Core (Loop Guard via global default) ===
interface range TenGigabitEthernet1/1/1 - 2
description UPLINK-TO-CORE
switchport mode trunk
switchport trunk allowed vlan 1,10,20,30,40,50
spanning-tree link-type point-to-point
! === Downlinks to Access Switches (Root Guard) ===
interface range GigabitEthernet1/0/1 - 24
description DOWNLINK-TO-ACCESS
switchport mode trunk
switchport trunk allowed vlan 1,10,20,30,40,50
spanning-tree guard root
! === UDLD on Fiber Uplinks ===
udld aggressive
! === Err-disable Recovery ===
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery interval 300
10.2 Access Switch Configuration
! === Global STP Settings ===
spanning-tree mode rapid-pvst
spanning-tree pathcost method long
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
! Leave priority at default (32768) — never root
! === Uplinks to Distribution ===
interface range GigabitEthernet1/0/49 - 50
description UPLINK-TO-DISTRIBUTION
switchport mode trunk
switchport trunk allowed vlan 1,10,20,30,40,50
spanning-tree link-type point-to-point
! === Access Ports (PortFast + BPDU Guard via global) ===
interface range GigabitEthernet1/0/1 - 48
description USER-ACCESS
switchport mode access
switchport access vlan 10
! === Err-disable Recovery ===
errdisable recovery cause bpduguard
errdisable recovery interval 300
11 — Verification and Show Commands
11.1 STP Status Overview
Switch# show spanning-tree
Switch# show spanning-tree summary
Switch# show spanning-tree vlan 10
Switch# show spanning-tree vlan 10 detail
11.2 Root Bridge Information
Switch# show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
------------------- -------------------- ------- ----- --- --- --------
VLAN0001 4097 aabb.cc00.0100 0 2 20 15
VLAN0010 4106 aabb.cc00.0100 0 2 20 15
VLAN0020 4116 aabb.cc00.0100 0 2 20 15
11.3 Port Role and State
Switch# show spanning-tree interface GigabitEthernet1/0/1 detail
Port 1 (GigabitEthernet1/0/1) of VLAN0010 is designated forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.1.
Designated root has priority 4106, address aabb.cc00.0100
Designated bridge has priority 32778, address aabb.cc00.0200
Number of transitions to forwarding state: 3
Link type is point-to-point by default
BPDU: sent 14523, received 0
11.4 PortFast and Guard Status
Switch# show spanning-tree summary totals
Switch is in rapid-pvst mode
Root bridge for: none
Portfast Default is enabled
Portfast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
6 vlans 2 0 0 50 52
11.5 Inconsistent Ports
Switch# show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0010 GigabitEthernet1/0/5 Root Inconsistent
Number of inconsistent ports (segments) in the system : 1
11.6 BPDU Counters
Switch# show spanning-tree interface GigabitEthernet1/0/1 portfast
Switch# show spanning-tree detail | include BPDU
Switch# show spanning-tree vlan 10 bridge
12 — Troubleshooting STP Issues
12.1 Broadcast Storm / MAC Flapping
- Identify the symptom: show interfaces counters errors, show mac address-table count — MAC table full.
- Check for loops: show spanning-tree blockedports — if empty, STP may have converged incorrectly.
- Check for err-disabled ports: show interfaces status err-disabled.
- Inspect BPDUs: show spanning-tree detail | include BPDU|from.
- Verify root bridge: show spanning-tree root — is an access switch the root?
12.2 Root Bridge on Wrong Switch
! Identify current root
Switch# show spanning-tree vlan 10 | include Root
! Fix: Lower priority on the correct switch
DS1(config)# spanning-tree vlan 10 priority 0
12.3 Port Stuck in Blocking
! Check port role and reason
Switch# show spanning-tree interface Gi1/0/1 detail
! If loop-inconsistent, check for unidirectional link
Switch# show udld interface Gi1/0/1
! Clear loop guard inconsistency (after fixing the link)
Switch(config)# interface Gi1/0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
12.4 Err-Disabled Recovery
! Check err-disabled status
Switch# show errdisable recovery
! Manually recover a port
Switch(config)# interface GigabitEthernet1/0/5
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
12.5 Debug Commands (Use Sparingly)
Switch# debug spanning-tree events
Switch# debug spanning-tree bpdu receive
Switch# debug spanning-tree bpdu transmit
! Always disable when done
Switch# undebug all
13 — STP Hardening Checklist
- ☐ Set STP mode to Rapid PVST+ or MST on all switches.
- ☐ Manually assign Root Bridge priority on distribution/core switches.
- ☐ Enable PortFast on all access ports (spanning-tree portfast default).
- ☐ Enable BPDU Guard globally (spanning-tree portfast bpduguard default).
- ☐ Enable Root Guard on all distribution downlinks toward access switches.
- ☐ Enable Loop Guard globally (spanning-tree loopguard default).
- ☐ Enable UDLD aggressive on all fiber uplinks.
- ☐ Configure errdisable recovery for bpduguard and udld with a 300-second interval.
- ☐ Use long pathcost method for 10G+ links.
- ☐ Document the Root Bridge for every VLAN in your network diagram.
- ☐ Never leave STP priority at default on distribution/core switches.
- ☐ Monitor STP topology changes via SNMP traps or syslog.
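Most of this checklist, and the timer relations in section 5, can be verified mechanically against a saved running-config. The Python audit below is an added example (not part of the run book); its regexes match the exact command syntax the run book uses, and the two sample configs are constructed.

```python
# Added example (not from the run book): audit a saved IOS running-config
# against the section 13 hardening checklist and the section 5 timer rules.
import re

# Global lines the checklist expects on every switch.
REQUIRED_GLOBALS = [
    ("STP mode rapid-pvst or mst", re.compile(r"^spanning-tree mode (rapid-pvst|mst)$")),
    ("PortFast default", re.compile(r"^spanning-tree portfast default$")),
    ("BPDU Guard default", re.compile(r"^spanning-tree portfast bpduguard default$")),
    ("Loop Guard default", re.compile(r"^spanning-tree loopguard default$")),
    ("long pathcost method", re.compile(r"^spanning-tree pathcost method long$")),
    ("errdisable recovery for bpduguard",
     re.compile(r"^errdisable recovery cause bpduguard$")),
]
PRIORITY_RE = re.compile(r"^spanning-tree vlan \S+ (priority \d+|root (primary|secondary))$")
TIMER_RE = re.compile(r"^spanning-tree vlan (\S+) (hello-time|forward-time|max-age) (\d+)$")
DEFAULT_TIMERS = {"hello-time": 2, "forward-time": 15, "max-age": 20}

def timers_valid(hello: int, fwd: int, max_age: int) -> bool:
    """Section 5 diameter relations; the 2/15/20 defaults satisfy both."""
    return max_age >= 2 * (hello + 1) and fwd >= (max_age / 2) + 1

def audit(config: str, role: str = "access") -> list:
    """Return a list of findings; an empty list means the config meets the
    checklist. role="distribution" also requires a manually set priority."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    for label, rx in REQUIRED_GLOBALS:
        if not any(rx.match(l) for l in lines):
            findings.append(f"missing: {label}")
    if "spanning-tree mode pvst" in lines:
        findings.append("classic PVST+ in use (section 3.3 says avoid)")
    if role == "distribution" and not any(PRIORITY_RE.match(l) for l in lines):
        findings.append("distribution switch left at default priority")
    if "spanning-tree bpdufilter enable" in lines:
        findings.append("BPDU Filter on an interface (prefer BPDU Guard, section 7.2)")
    # Per-VLAN timers: start from the defaults, overlay configured values, validate.
    timers = {}
    for l in lines:
        m = TIMER_RE.match(l)
        if m:
            vlan, name, value = m.groups()
            timers.setdefault(vlan, dict(DEFAULT_TIMERS))[name] = int(value)
    for vlan, t in timers.items():
        if not timers_valid(t["hello-time"], t["forward-time"], t["max-age"]):
            findings.append(f"VLAN {vlan}: timers {t} violate the diameter formula")
    return findings

# Constructed configs: one matching section 10.2, one with several defects.
GOOD_ACCESS = """
spanning-tree mode rapid-pvst
spanning-tree pathcost method long
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
"""
BAD_DIST = """
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree vlan 10 hello-time 1
spanning-tree vlan 10 max-age 3
interface GigabitEthernet1/0/24
 spanning-tree bpdufilter enable
"""
```

Run it over the output of show running-config from each switch; an access switch should audit clean with role="access", while a distribution switch must also carry a priority or root primary/secondary line.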
14 — STP and EtherChannel Interaction
When using EtherChannel (Port-Channel), STP treats the entire bundle as a single logical port. This is critical for proper load balancing and loop prevention.
! STP cost is based on the aggregate bandwidth
Switch# show spanning-tree interface Port-channel1 detail
Port 65 (Port-channel1) of VLAN0010 is designated forwarding
Port path cost 3, Port priority 128, Port Identifier 128.65.
Link type is point-to-point
Important: If an EtherChannel misconfiguration causes individual links to come up without bundling, STP may see multiple individual links and block some — or worse, create a loop. Always verify channel status: show etherchannel summary.
15 — Monitoring STP with SNMP and Syslog
15.1 Syslog Messages to Watch
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi1/0/5 on VLAN0010.
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Gi1/0/49 on VLAN0010.
%PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/24, putting Gi1/0/24 in err-disable state
%SPANTREE-2-BLOCK_PVID_LOCAL: Blocking port Gi1/0/1 on VLAN0001. Inconsistent local vlan.
%STP-6-TOPOLOGY_CHANGE: Topology change detected on port Gi1/0/1 VLAN 10
15.2 SNMP Traps
Switch(config)# snmp-server enable traps bridge newroot topologychange
Switch(config)# snmp-server host 10.0.0.50 version 2c COMMUNITY bridge
Monitor topologychange traps — frequent TCN events indicate unstable ports (flapping links, rogue devices).
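To turn the section 15.1 messages into something a SOC can act on, here is an added Python example (not from the run book) that parses syslog lines carrying those exact message bodies, raises an alert for each guard event, and counts TCNs per port to surface the flapping described in Q9; the timestamp prefix, hostnames and sample lines are constructed.

```python
# Added example (not from the run book): parse the STP syslog messages listed
# in section 15.1 and flag guard events plus ports with frequent TCNs.
import re
from collections import Counter

# "<ISO timestamp> <hostname> %FACILITY-SEV-MNEMONIC: message" (prefix constructed)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?P<code>[A-Z]+-\d-[A-Z_]+): (?P<msg>.*)$")
PORT_RE = re.compile(r"\b(?:Gi|Te|Po)\d[\d/]*")  # first interface named in msg

# Mnemonics from section 15.1 and what each means to a defender.
ALERT_TEXT = {
    "SPANTREE-2-ROOTGUARD_BLOCK":
        "Root Guard blocked a superior BPDU: a device below this port tried to become root",
    "SPANTREE-2-LOOPGUARD_BLOCK":
        "Loop Guard blocked a port that stopped receiving BPDUs: check UDLD and the link",
    "SPANTREE-2-BLOCK_PVID_LOCAL": "native VLAN mismatch on a trunk",
    "PM-4-ERR_DISABLE": "BPDU Guard err-disabled a PortFast port: BPDUs arrived on an access port",
}
TCN_CODE = "STP-6-TOPOLOGY_CHANGE"

def parse(line: str):
    """Return the parsed fields (plus the interface) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PORT_RE.search(rec["msg"])
    rec["port"] = p.group(0) if p else None
    return rec

def analyze(lines, tcn_threshold: int = 3):
    """Return (alerts, tcn_counts). Alerts are (host, port, text) tuples; a port
    with more than tcn_threshold topology changes in the window is flagged."""
    alerts, tcns = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        code = rec["code"]
        if code == TCN_CODE:
            tcns[(rec["host"], rec["port"])] += 1
        elif code == "PM-4-ERR_DISABLE" and "bpduguard" not in rec["msg"]:
            continue  # err-disable for another cause; not an STP event
        elif code in ALERT_TEXT:
            alerts.append((rec["host"], rec["port"], ALERT_TEXT[code]))
    for (host, port), n in tcns.items():
        if n > tcn_threshold:
            alerts.append((host, port,
                           f"{n} topology changes: flapping link or host port without PortFast"))
    return alerts, tcns

# Constructed sample log: message bodies follow section 15.1 verbatim.
SAMPLE_SYSLOG = [
    "2024-01-10T10:00:01Z DS1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi1/0/5 on VLAN0010.",
    "2024-01-10T10:00:02Z ACC1 %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/24, putting Gi1/0/24 in err-disable state",
    "2024-01-10T10:00:03Z ACC1 %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
] + [
    f"2024-01-10T10:00:0{n}Z ACC1 %STP-6-TOPOLOGY_CHANGE: Topology change detected on port Gi1/0/12 VLAN 10"
    for n in range(4, 8)
] + [
    "2024-01-10T10:00:08Z DS1 %STP-6-TOPOLOGY_CHANGE: Topology change detected on port Gi1/0/1 VLAN 10",
    "2024-01-10T10:00:09Z DS2 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Gi1/0/49 on VLAN0010.",
    "not a syslog line",
]
```

Feed it a rolling window of lines from the syslog collector; the threshold is per window, so tune it to the window length you use.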
16 — Platform-Specific Notes
16.1 Catalyst 9000 (IOS-XE 17.x)
- Default STP mode is Rapid PVST+.
- Supports long pathcost method by default.
- Enhanced show spanning-tree with priority in decimal + VLAN system ID extension.
- Use spanning-tree extend system-id (enabled by default, cannot be disabled).
16.2 Catalyst 3850/3650 (IOS-XE 16.x)
- Same Rapid PVST+ behavior as Cat 9000.
- Check hardware STP table: show platform software fed active fwd-asic resource stp.
16.3 Catalyst 2960-X/XR (IOS 15.2)
- Default mode is PVST+ (classic). Always change to rapid-pvst.
- Short pathcost method by default.
- Extended system ID is always enabled.
17 — Quick Reference: Essential Commands
! View STP status
show spanning-tree
show spanning-tree summary
show spanning-tree vlan 10
show spanning-tree root
show spanning-tree blockedports
show spanning-tree inconsistentports
show spanning-tree interface Gi1/0/1 detail
show spanning-tree mst configuration
show spanning-tree mst 1
! Configuration
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
spanning-tree vlan 10 priority 4096
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
spanning-tree pathcost method long
spanning-tree guard root
spanning-tree bpduguard enable
udld aggressive
! Err-disable
show interfaces status err-disabled
errdisable recovery cause bpduguard
errdisable recovery interval 300
Frequently Asked Questions
Q1: What is the difference between PVST+, Rapid PVST+, and MST?
PVST+ is Cisco's per-VLAN implementation of classic 802.1D with 30-50 second convergence. Rapid PVST+ is the per-VLAN implementation of 802.1w with sub-second convergence using proposal/agreement. MST (802.1s) maps multiple VLANs to fewer instances, reducing resource usage while maintaining rapid convergence.
Q2: How do I determine which switch is the current Root Bridge?
Run show spanning-tree root on any switch in the VLAN. The output shows the Root ID (priority + MAC) and the root cost. If the root cost is 0, that switch is the Root Bridge.
Q3: What STP priority value should I use for the Root Bridge?
Use 4096 for the primary root and 8192 for the secondary root. The default priority is 32768. Priority values must be multiples of 4096 due to the extended system-id adding the VLAN number to the priority field.
Q4: Should I enable PortFast on trunk ports connected to servers?
Yes, for servers running 802.1Q trunks (e.g., VMware ESXi with multiple VLANs), use spanning-tree portfast trunk. Always pair this with BPDU Guard to prevent loops if someone connects a switch to that port.
Q5: What happens when BPDU Guard triggers on a port?
The port is immediately placed into err-disabled state and stops forwarding traffic. To recover, either manually shut/no shut the interface, or configure errdisable recovery cause bpduguard with a recovery interval for automatic recovery.
Q6: Can I use Root Guard and Loop Guard on the same port?
No, they are mutually exclusive on a per-port basis. Use Root Guard on distribution downlinks to access switches (to prevent access switches from becoming root). Use Loop Guard on interswitch uplinks where unidirectional link failure could cause a loop.
Q7: How does Rapid PVST+ achieve faster convergence than classic STP?
RSTP uses the proposal/agreement mechanism on point-to-point full-duplex links. When a new link comes up, the upstream switch proposes the port as designated. The downstream switch syncs (blocks all non-edge ports), then sends an agreement back. The port transitions to Forwarding immediately — no 30-second timer wait.
Q8: What is the maximum number of STP instances on a Cisco Catalyst switch?
With Rapid PVST+, each VLAN has its own instance. Most Catalyst platforms support up to 128 STP instances. If you have more than 128 VLANs, excess VLANs share instances or you should migrate to MST. MST supports up to 16 instances (0-15) on most Cisco platforms.
Q9: How do I troubleshoot frequent Topology Change Notifications (TCNs)?
Run show spanning-tree detail | include topology|from to identify which port is generating TCNs. Common causes include: flapping links, devices being powered on/off, and ports without PortFast connected to end hosts. Enable PortFast on access ports to suppress TCNs from host ports. Monitor syslog for %STP-6-TOPOLOGY_CHANGE messages.
Q10: Do all switches in an MST deployment need the same region configuration?
Yes, for switches to be in the same MST region, they must have identical region name, revision number, and VLAN-to-instance mapping. Switches with different configurations form separate regions and communicate via the IST (Instance 0) boundary, which treats the other region as a single virtual bridge.
