Spanning Tree Protocol (STP) is the protocol that keeps Layer 2 networks loop-free. It is also the protocol that takes networks down when it goes wrong. Every Cisco campus switch you touch runs some variant of it (PVST+, Rapid PVST+, MST), and a 30-second STP convergence at 11 AM on a workday will end your week. If you understand STP cold, you become the engineer the rest of the team calls when the network has flatlined.
This is the cluster overview for the full PingLabz Spanning Tree series: 25 articles covering fundamentals, the variants, configuration, hardening features, troubleshooting, and enterprise design, all built on Cisco Catalyst switches. We will work through what STP solves, how the algorithm picks a root and elects ports, the variants you need to know in 2026, and the hardening features (PortFast, BPDU Guard, Root Guard, Loop Guard) that turn STP from a footgun into a stable foundation.
What STP Solves
Ethernet has no TTL. A frame placed onto a Layer 2 loop circulates forever, multiplying every time it hits a flooding decision. Within seconds a single loop saturates every link in the broadcast domain, MAC address tables thrash, CPUs pin, and the network is unusable. This is the broadcast storm.
The bridge loop problem is unavoidable in any redundant Layer 2 design: if you have two paths between two switches for redundancy, you have a loop. STP's job is to detect those loops and put exactly one port per loop into a Blocking state, while keeping the other links available for instant failover if the active path dies.
The trade-off STP makes: classic 802.1D takes 30-50 seconds to converge after a topology change. That was acceptable in 1998. It is not acceptable today, which is why every modern network runs Rapid PVST+ or MST. Detail in What Is Spanning Tree Protocol (STP)? The Bridge Loop Problem Explained.
How STP Works (the 10,000-Foot View)
STP runs through three phases that repeat whenever the topology changes:
- Elect a Root Bridge. Every switch starts believing it is the root and sends BPDUs (Bridge Protocol Data Units) advertising its bridge ID. The switch with the lowest bridge ID wins. Bridge ID = priority (16-bit, default 32768) + system ID extension (the VLAN number) + base MAC address. Lower priority wins; if priorities tie (default everywhere), the switch with the lowest MAC wins, which is rarely what you want.
- Elect a Root Port on every non-root switch. The Root Port is the one with the lowest cost path to the Root Bridge. Cost is bandwidth-derived (4 for 1 Gbps, 2 for 10 Gbps, etc., on the new long-cost scale).
- Elect a Designated Port on every segment. The Designated Port forwards on a given segment; the others on that segment are blocked. Tiebreakers walk a list: lowest sender root path cost, then lowest sender bridge ID, then lowest sender port priority, then lowest sender port ID.
Once the dust settles you have exactly one path from every switch to the root, with one Designated Port per segment, and any other ports either Root, Alternate, or Blocking. How STP Works: Root Bridge Election, BPDUs, and the Spanning Tree Algorithm walks through it with diagrams.
STP Port Roles
| Role | What it does | Forwards data? |
|---|---|---|
| Root Port (RP) | Best path to the Root Bridge from a non-root switch | Yes |
| Designated Port (DP) | Best path onto a segment; one per segment | Yes |
| Alternate Port | Backup path to the Root Bridge (RSTP only) | No, but ready to take over |
| Backup Port | Backup Designated Port on the same segment (RSTP only, rare) | No |
| Disabled | Manually shut down or otherwise inactive | No |
The PingLabz STP Reference Lab makes the roles visible on a real switch. SW3 is a leaf in an L2 triangle (SW1 + SW2 + SW3); SW1 was set as the explicit Root Bridge for VLAN 10 with spanning-tree vlan 10 priority 4096. From SW3's perspective the three port roles appear at once - the lab is small enough that the algorithm output is unambiguous:
SW3#show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 4106
Address 5254.008b.e4d6
Cost 4
Port 1 (GigabitEthernet0/0)
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 5254.008c.a6e0
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0 Root FWD 4 128.1 P2p
Gi0/1 Altn BLK 4 128.2 P2p
Gi0/2 Desg FWD 4 128.3 P2p Edge
Gi0/0 is the Root Port toward SW1 in Forwarding state with cost 4 (the IEEE 802.1D default for a Gigabit link). Gi0/1 is the Alternate Port toward SW2, blocked because the direct path to SW1 wins. Gi0/2 is a Designated edge port - the host-facing access port that has PortFast enabled, marked Type "P2p Edge". The Bridge ID Priority 32778 = 32768 default + sys-id-ext 10 (the VLAN ID) - the PVST+ encoding that keeps each VLAN's bridge ID unique even when the configured priority is identical.
Full reference in STP Port Roles Explained.
STP Port States
A port walks through several states before it forwards data, and these are where the famous 30-second convergence comes from. Classic 802.1D port states:
| State | Time | Forwards data? | Learns MACs? | Sends BPDUs? |
|---|---|---|---|---|
| Disabled | n/a | No | No | No |
| Blocking | 20s (Max Age) | No | No | Listens only |
| Listening | 15s (Forward Delay) | No | No | Yes |
| Learning | 15s (Forward Delay) | No | Yes | Yes |
| Forwarding | indefinite | Yes | Yes | Yes |
Add it up: 20 + 15 + 15 = 50 seconds for a Blocking port to start forwarding. That is the 802.1D convergence time. RSTP collapses it to 1-3 typical states (Discarding, Learning, Forwarding) and uses proposal/agreement handshakes to skip the timers entirely on point-to-point links, achieving sub-second failover.
The lab shows per-port state in show spanning-tree interface ... detail - and on a trunked link, the same physical port has independent state per VLAN. On SW3's Gi0/0 we see VLAN 10 in root forwarding and VLAN 99 in alternate blocking on the same wire:
SW3#show spanning-tree interface Gi0/0 detail
Port 1 (GigabitEthernet0/0) of VLAN0010 is root forwarding
Port path cost 4, Port priority 128, Port Identifier 128.1.
Designated root has priority 4106, address 5254.008b.e4d6
Designated bridge has priority 4106, address 5254.008b.e4d6
Designated port id is 128.2, designated path cost 0
Timers: message age 15, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 2, received 94
Port 1 (GigabitEthernet0/0) of VLAN0099 is alternate blocking
Port path cost 4, Port priority 128, Port Identifier 128.1.
Designated root has priority 32867, address 5254.0019.72a1
Designated bridge has priority 32867, address 5254.008b.e4d6
Designated port id is 128.2, designated path cost 4
Timers: message age 16, forward delay 0, hold 0
Number of transitions to forwarding state: 0
Link type is point-to-point by default
BPDU: sent 4, received 88
Two things to read in that output. Number of transitions to forwarding state tells you how many topology events the port has been through; a stable port has 1 (initial) or 0 (never transitioned). BPDU: sent N, received M shows BPDU exchange asymmetry - the upstream root is sending most of the BPDUs. This is the canonical capture for diagnosing one-way BPDU flow (a common cause of Loop Guard fires). Detail in STP Port States: Blocking, Listening, Learning, Forwarding, and Disabled.
STP Variants: Which One Are You Running?
| Variant | Standard | Per-VLAN? | Convergence | Status in 2026 |
|---|---|---|---|---|
| 802.1D STP | IEEE 1990 | No (CST) | 30-50s | Legacy; do not deploy |
| PVST+ | Cisco | Yes | 30-50s | Legacy; do not deploy |
| Rapid PVST+ | Cisco (based on 802.1w) | Yes | Sub-second | Default Cisco choice for typical campus |
| MST (802.1s) | IEEE | Multiple instances, mapped to VLANs | Sub-second | Best for large campus / many VLANs |
The decision is usually between Rapid PVST+ and MST. Rapid PVST+ runs an STP instance per VLAN (so 100 VLANs = 100 STP instances and 100 sets of BPDUs every 2 seconds). MST runs a small number of instances (1-16) and maps multiple VLANs to each, scaling much better. If your network has more than ~50 VLANs, MST is worth the configuration effort. The dedicated comparisons are in RSTP: What Changed from 802.1D STP and STP vs RSTP: Convergence, Port Roles, and When to Switch. 802.1D vs PVST+ vs Rapid PVST+ vs MST goes deeper. Configuration walkthroughs in Configuring Rapid PVST+ on Cisco Catalyst Switches and Configuring Multiple Spanning Tree (MST) on Cisco Switches.
BPDUs and Path Cost
STP communicates via BPDUs sent every 2 seconds (Hello timer) by all switches. Two main types: Configuration BPDU (carries root, cost, sender bridge ID) and TCN BPDU (Topology Change Notification). The arrival of a TCN tells every switch in the network "something changed, age out old MAC entries faster than usual."
Path cost on Cisco's modern long-cost scale:
| Link speed | Cost (long) | Cost (short, legacy) |
|---|---|---|
| 10 Mbps | 2,000,000 | 100 |
| 100 Mbps | 200,000 | 19 |
| 1 Gbps | 20,000 | 4 |
| 10 Gbps | 2,000 | 2 |
| 100 Gbps | 200 | 1 |
| 1 Tbps | 20 | 1 (clamps) |
Modern Catalysts default to long-cost in software 16+. The short scale clamps at 10 Gbps, which means 10 Gbps and 100 Gbps look identical to STP, which can cause unexpected blocking. Always use long-cost. STP Path Cost and How Cisco Switches Calculate the Best Path explains.
Configuring the Root Bridge: Don't Let the Default Win
If you do not set bridge priorities explicitly, the switch with the oldest MAC address becomes the root. That is almost certainly the wrong switch (it is probably an access switch in a closet). Always pick the root deliberately.
The correct pattern: pick your two strongest distribution switches. Make one of them the primary root and the other the secondary root, both for every VLAN you care about:
DistA(config)# spanning-tree vlan 1-4094 root primary
DistB(config)# spanning-tree vlan 1-4094 root secondary
Cisco's root primary macro sets the bridge priority to 24576 (or 4096 less than the current root if there is already a primary). root secondary sets it to 28672. Both are well below the default 32768, so they win the election and the rest of the network does not have to care. How to Configure the STP Root Bridge on Cisco Switches has the full walkthrough.
Verification:
SW3#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0010 4106 5254.008b.e4d6 4 2 20 15 Gi0/0
VLAN0020 4116 5254.008b.e4d6 4 2 20 15 Gi0/0
VLAN0099 32867 5254.0019.72a1 4 2 20 15 Gi0/1
One line per VLAN. SW1 (5254.008b.e4d6) is root for VLAN 10 (priority 4106) and VLAN 20 (4116) because of the explicit configuration. For VLAN 99 no priority was configured, so the election fell to the lowest MAC (SW2). This per-VLAN priority is the PVST+ feature that classic 802.1D did not have - you can engineer root placement separately per VLAN so the same physical trunk can be Forwarding for half your VLANs and Blocking for the other half, distributing load over the redundant links.
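The election rules from "How STP Works" applied to this lab, as an added example that is not part of the original article: it rebuilds each bridge ID from priority + VLAN + MAC, elects the root per VLAN, and derives SW3's Root and Alternate ports, including the case where SW3's Gi0/0 is shut down. MACs, displayed priorities and SW3's port names come from the captures; default priority on SW2 and SW3, SW1's 4096 for VLAN 20 (inferred from the displayed 4116) and a cost-4 SW1-SW2 link are assumptions.

```python
# Added example (not from the article): STP election on the lab triangle.
DEFAULT_PRIORITY = 32768
LINK_COST = 4  # every link in the captures shows cost 4

# Base MACs as shown in the lab captures
MACS = {"SW1": "5254.008b.e4d6", "SW2": "5254.0019.72a1", "SW3": "5254.008c.a6e0"}
# Configured priorities; VLAN 20's 4096 is inferred from the displayed 4116
CONFIGURED = {("SW1", 10): 4096, ("SW1", 20): 4096}
SW3_PORTS = {"Gi0/0": "SW1", "Gi0/1": "SW2"}  # from the captures
OTHER_LINKS = [("SW1", "SW2")]                # assumed third side of the triangle


def bridge_id(switch, vlan):
    """(priority + sys-id-ext, MAC) tuple; tuples compare like the real bridge ID."""
    prio = CONFIGURED.get((switch, vlan), DEFAULT_PRIORITY)
    if prio % 4096 or not 1 <= vlan <= 4094:
        raise ValueError("priority must be a multiple of 4096, VLAN 1-4094")
    return (prio + vlan, int(MACS[switch].replace(".", ""), 16))


def elect_root(vlan):
    """Lowest bridge ID wins; with equal priorities this falls to the lowest MAC."""
    return min(MACS, key=lambda sw: bridge_id(sw, vlan))


def root_path_costs(root, links):
    """Cheapest cost from every switch to the root (Bellman-Ford relaxation)."""
    cost = {sw: 0 if sw == root else float("inf") for sw in MACS}
    for _ in MACS:
        for a, b in links:
            cost[a] = min(cost[a], cost[b] + LINK_COST)
            cost[b] = min(cost[b], cost[a] + LINK_COST)
    return cost


def sw3_roles(vlan, shut=()):
    """Return (root, SW3 root path cost, roles of SW3's switch-facing ports)."""
    up = {p: n for p, n in SW3_PORTS.items() if p not in shut}
    root = elect_root(vlan)
    if root == "SW3" or not up:  # SW3 is root, or isolated and so believes it is
        return "SW3", 0, {p: "Desg" for p in up}
    cost = root_path_costs(root, OTHER_LINKS + [("SW3", n) for n in up.values()])
    # Root Port: lowest path cost via that port, then lowest sender bridge ID.
    # Port priority/ID tiebreakers are omitted: the triangle has no parallel links.
    rp = min(up, key=lambda p: (cost[up[p]] + LINK_COST, bridge_id(up[p], vlan)))
    me = (cost["SW3"], bridge_id("SW3", vlan))
    roles = {}
    for port, nbr in up.items():
        if port == rp:
            roles[port] = "Root"
        else:  # the side with the better (cost, bridge ID) pair is Designated
            roles[port] = "Altn" if (cost[nbr], bridge_id(nbr, vlan)) < me else "Desg"
    return root, cost["SW3"], roles


if __name__ == "__main__":
    for vlan in (10, 20, 99):
        print(vlan, bridge_id(elect_root(vlan), vlan)[0], sw3_roles(vlan))
    print("Gi0/0 shut:", sw3_roles(10, shut=("Gi0/0",)))
```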
STP Hardening Features
STP without hardening is dangerous in a way most engineers underestimate. Five features take it from a default that anyone can disrupt to a controlled, predictable protocol:
| Feature | Goes on | What it does | What it prevents |
|---|---|---|---|
| PortFast | Host ports (access) | Skips listening/learning, port forwards immediately | 30-second DHCP delays for end hosts |
| BPDU Guard | Host ports (with PortFast) | Errdisables port if any BPDU is received | Rogue switches plugged into user ports |
| BPDU Filter | Host ports (sometimes) | Suppresses BPDU sending and receiving | Use sparingly; can mask loops if misconfigured |
| Root Guard | Designated ports facing access switches | Errdisables port if a superior BPDU is received | An access switch becoming the root |
| Loop Guard | Root and Alternate ports on point-to-point links | Blocks port if BPDUs stop arriving | Unidirectional link failures that would silently transition Blocking to Forwarding |
The PingLabz default: every host port gets PortFast + BPDU Guard. Every distribution-to-access link gets Root Guard on the distribution side. Every point-to-point trunk gets Loop Guard. Verify the hardening posture and STP mode on any switch with show spanning-tree summary:
SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010, VLAN0020
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is disabled
Loopguard Default is disabled
PVST Simulation Default is enabled but inactive in rapid-pvst mode
Bridge Assurance is enabled
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is disabled
BackboneFast is disabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010 0 0 0 4 4
VLAN0020 0 0 0 4 4
VLAN0099 1 0 0 2 3
3 vlans 1 0 0 10 11
Three things this output tells you in five seconds. The mode is rapid-pvst (good). This switch is the Root bridge for VLAN 10 and VLAN 20, which matches the design - that's the diagnostic line a troubleshooting flow asks first. The Blocking column shows VLAN 99 has one blocked port and VLAN 10 / 20 have zero, which proves the loop is being broken correctly. The hardening defaults at the top are all disabled here because the lab is minimal - in production you would expect to see Portfast Edge BPDU Guard Default is enabled after running spanning-tree portfast bpduguard default globally. Detail in PortFast Configuration, BPDU Guard Configuration, Root Guard and Loop Guard, and the careful-use article Configuring BPDU Filter on Cisco Switches.
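The posture check described above as a script, added here as an example and not taken from the article or from Cisco tooling: it reads the header of show spanning-tree summary and reports the settings the article says to change, plus any mismatch between the VLANs the switch is root for and the design. The finding names and the expected_root_vlans argument are hypothetical; the sample text is the header of SW1's capture from the page.

```python
import re

# Header lines of SW1's capture from the page; the per-VLAN table is not needed here
LAB_SUMMARY = """\
Switch is in rapid-pvst mode
Root bridge for: VLAN0010, VLAN0020
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is disabled
Loopguard Default is disabled
Configured Pathcost method used is short
"""

# (hypothetical finding id, pattern, value that triggers the finding)
CHECKS = [
    ("bpduguard-default-off", r"Portfast (?:Edge )?BPDU Guard Default is\s+(\w+)", "disabled"),
    ("bpdufilter-default-on", r"Portfast (?:Edge )?BPDU Filter Default is\s+(\w+)", "enabled"),
    # Loop Guard can also be set per interface, so this one is a prompt to
    # check the trunk interfaces rather than proof that it is missing.
    ("loopguard-default-off", r"Loopguard Default is\s+(\w+)", "disabled"),
    ("pathcost-short", r"Configured Pathcost method used is\s+(\w+)", "short"),
]


def audit_summary(text, expected_root_vlans):
    """Return finding ids for one switch's 'show spanning-tree summary' text."""
    findings = []
    mode = re.search(r"Switch is in (\S+) mode", text)
    if mode is None or mode.group(1) not in ("rapid-pvst", "mst"):
        findings.append("legacy-or-unknown-mode")
    for name, pattern, bad in CHECKS:
        m = re.search(pattern, text, re.I)
        if m is None:
            findings.append(name + ":line-missing")  # absent is not the same as healthy
        elif m.group(1).lower() == bad:
            findings.append(name)
    # Compare the VLANs this switch is root for against the design
    line = re.search(r"^Root bridge for:(.*)$", text, re.M)
    actual = {int(v) for v in re.findall(r"VLAN0*(\d+)", line.group(1))} if line else set()
    expected = set(expected_root_vlans)
    findings += [f"unexpected-root:vlan{v}" for v in sorted(actual - expected)]
    findings += [f"not-root:vlan{v}" for v in sorted(expected - actual)]
    return findings


if __name__ == "__main__":
    # SW1 is meant to be root for VLAN 10 and 20 in the lab design
    for finding in audit_summary(LAB_SUMMARY, {10, 20}):
        print(finding)
```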
STP and Other Layer 2 Protocols
STP does not exist in isolation. Three interactions trip people up:
- STP and EtherChannel. STP sees a port-channel as a single logical link. If you bundle two physical links, STP treats them as one and does not block either. STP and EtherChannel: Spanning Tree Behavior with Port Channels.
- STP and Trunking. Each VLAN has its own STP instance under PVST+ / Rapid PVST+, so the same physical trunk can be Forwarding for VLAN 10 and Blocking for VLAN 20 (load distribution by manipulating per-VLAN priority). STP and VLAN Trunking.
- STP and HSRP/VRRP. The active first-hop redundancy gateway should be aligned with the primary root. Otherwise traffic from access switches climbs to the secondary root and crosses the inter-distribution trunk to reach the active HSRP. Spanning Tree and First-Hop Redundancy.
Troubleshooting: When STP Goes Wrong
STP failure modes split into three buckets:
- Troubleshooting STP Loops and Broadcast Storms - the catastrophic mode. CPU pinned, every interface light flickering, links saturated. Apply Storm Control as a defense-in-depth and find the root cause.
- Troubleshooting STP Root Bridge Issues - the wrong switch is root, or the topology has unexpectedly converged in a way you did not design. Almost always a missed Root Guard.
- Troubleshooting Errdisable and STP Guard Features - a port has been shut down by BPDU Guard or Root Guard. The symptom looks like a dead host; the cause is correct protection working as designed.
- Troubleshooting STP Convergence Problems and Slow Failover - failover is taking too long. Almost always means classic STP / PVST+ instead of Rapid PVST+, or a misconfigured port type (link-type point-to-point not set on a P2P link).
Universal first commands when STP looks wrong:
Switch# show spanning-tree vlan 10
Switch# show spanning-tree summary
Switch# show spanning-tree inconsistentports
Switch# show interfaces status err-disabled
The lab reproduces a controlled topology change so you can watch RSTP fail over before-and-after. Starting from the steady state (SW3 uses Gi0/0 as the Root Port toward SW1 with cost 4, Gi0/1 sits as the Alternate Port), shutting down SW3's Gi0/0 forces RSTP to promote the Alternate to Root - and because RSTP keeps the alternate already in a ready-to-forward state, the switch never goes through Listening or Learning:
SW3(config)#interface GigabitEthernet0/0
SW3(config-if)#shutdown ! kill the current Root Port
SW3#show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 4106
Address 5254.008b.e4d6
Cost 8 <-- was 4, now 8 (2-hop path)
Port 2 (GigabitEthernet0/1) <-- was Gi0/0, now Gi0/1
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1 Root FWD 4 128.2 P2p <-- was Altn BLK
Gi0/2 Desg FWD 4 128.3 P2p Edge
Gi0/1 went from Alternate Blocking to Root Forwarding without passing through Listening or Learning - the RSTP shortcut on point-to-point links. The total path cost to root rose from 4 to 8 because the new path is SW3 -> SW2 -> SW1 (two hops) instead of SW3 -> SW1 directly. The Root Bridge identity is unchanged (still SW1, MAC 5254.008b.e4d6); only the path changed. no shutdown on Gi0/0 reverses the failover within seconds because the direct path has cost 4 and wins the next election. Reference of every show/debug you need is in STP Toolkit Reference.
Design and the Hardening Checklist
- STP Design Best Practices for Enterprise Campus Networks
- STP in Multi-Layer Campus Designs
- STP Configuration Checklist: Hardening Spanning Tree Before Go-Live
The Full STP Cluster, in Reading Order
Fundamentals
1. What Is Spanning Tree Protocol (STP)?
2. How STP Works: Root Bridge Election, BPDUs, and the Spanning Tree Algorithm
3. STP Port Roles Explained
4. STP Port States
5. Understanding STP Timers
6. STP Path Cost
STP Variants
7. 802.1D vs PVST+ vs Rapid PVST+ vs MST
Configuration
8. How to Configure the STP Root Bridge on Cisco Switches
9. Configuring Rapid PVST+ on Cisco Catalyst Switches
10. PortFast Configuration on Cisco Switches
11. BPDU Guard Configuration
12. Root Guard and Loop Guard
13. Configuring BPDU Filter on Cisco Switches
14. Configuring Multiple Spanning Tree (MST)
STP with Other Technologies
15. STP and EtherChannel
16. STP and VLAN Trunking
17. Spanning Tree and First-Hop Redundancy
Troubleshooting
18. Troubleshooting STP Loops and Broadcast Storms
19. Troubleshooting STP Root Bridge Issues
20. Troubleshooting Errdisable and STP Guard Features
21. Troubleshooting STP Convergence Problems and Slow Failover
Design and Best Practices
22. STP Design Best Practices for Enterprise Campus Networks
23. STP in Multi-Layer Campus Designs
Reference and Checklists
24. STP Toolkit Reference
25. STP Configuration Checklist
Frequently Asked Questions
What does STP stand for?
STP stands for Spanning Tree Protocol, originally defined in IEEE 802.1D (1990). It is named after the graph-theory concept of a spanning tree: a subset of edges that connects every vertex without forming a cycle. STP runs that algorithm at switch level to keep Layer 2 networks loop-free.
How many STP port states are there?
Five in classic 802.1D: Disabled, Blocking, Listening, Learning, Forwarding. RSTP collapses to three: Discarding, Learning, Forwarding. The Disabled state is administrative only.
What is RSTP and why does it matter?
RSTP (Rapid Spanning Tree Protocol, 802.1w) is the 2001 update to STP that achieves sub-second convergence by replacing the classic timer-based state machine with proposal/agreement handshakes on point-to-point links. Cisco's Rapid PVST+ is RSTP run per-VLAN. Every modern campus should run Rapid PVST+ or MST, not classic 802.1D / PVST+.
When should I use MST instead of Rapid PVST+?
When you have more than about 50 VLANs and want to reduce control-plane overhead and switch CPU. MST runs a small number of STP instances (typically 1-16) and maps groups of VLANs to each, instead of running one instance per VLAN. The trade-off is configuration complexity (every switch in an MST region must have identical region config) and load-balancing granularity.
What is the default Cisco bridge priority?
32768. Plus the system ID extension (the VLAN number for PVST+/Rapid PVST+, the instance number for MST). You should never leave it at default on a switch you want to be root or want to keep from being root; set it explicitly with spanning-tree vlan X root primary or spanning-tree vlan X priority N.
Should I enable PortFast on every port?
On host (access) ports, yes. PortFast lets the port skip listening/learning so DHCP works in seconds rather than half a minute. On trunk ports, no. PortFast on a trunk that connects to another switch can cause loops during convergence. Always pair PortFast with BPDU Guard so the port is protected if someone connects a switch to it.
Key Takeaways
If you take one thing away from this guide, make it this: STP is one of the few protocols where defaults will hurt you. Pick your roots deliberately, run Rapid PVST+ or MST (not classic STP), and apply the hardening features uniformly. PortFast plus BPDU Guard on host ports. Root Guard at distribution-facing-access. Loop Guard on point-to-point trunks. Bookmark this page, work through the cluster articles in order, and lab every change. Spanning Tree is unforgiving, but it is also predictable once you understand it.