The Problem: Misaligned STP and HSRP
In a redundant campus design, two distribution switches (SW2 and SW3) each connect to access clusters. Clients in the access layer use an HSRP virtual IP to reach destinations beyond the campus. The design should be:
- STP root bridge on SW2 → Determines blocked/active ports
- HSRP active on SW2 → Clients use SW2's gateway IP
When the two are aligned, all traffic flows through one switch (SW2), and return traffic comes back via the same path. The network is efficient.
But if misconfigured:
- STP root on SW2, HSRP active on SW3 → A loop where:
  - Client packets reach SW3 (HSRP active)
  - Return traffic traverses the STP tree back through SW2 (root)
  - Bandwidth is wasted; latency increases
  - Asymmetric paths cause packet reordering and TCP issues
Visual Example: Misalignment
                 Access Layer
              Client (10.1.1.100)
               Packet to 8.8.8.8
                       |
         ______________|______________
        |                             |
    SW2 (Root)                SW3 (HSRP Active)
    STP: Active               HSRP: 10.1.1.1 (Virtual IP)
        |                             |
         \___________________________/
                      \/
                     Core
Client sends to 10.1.1.1 → hits SW3 (HSRP active).
Return traffic from Core → flows to SW2 (STP root) → then to SW3.
Inefficient and slow.
Why Alignment Matters
When STP root and HSRP active are on the same switch:
- Symmetric traffic paths: Outbound and return traffic use the same path
- Maximum throughput: No unnecessary link traversal
- Predictable latency: Clients always take the same path to their gateway
- Efficient convergence: When the active switch fails, STP and HSRP fail together, ensuring synchronized recovery
When misaligned:
- Asymmetric paths: Outbound and return paths differ, causing:
- TCP retransmit issues (packets arriving out of order)
- Load balancing confusion (traffic distribution appears uneven)
- Increased latency (extra hop for return traffic)
- Wasted bandwidth: Links are oversubscribed in one direction
- Difficult troubleshooting: Packet traces show traffic going different directions
Strategy: Place Root and HSRP Active on the Same Switch
The solution is deliberate configuration of both STP and HSRP to ensure they converge on the same switch.
Scenario: Two-Distribution Design with VLAN 10 (Users)
Topology:
        SW2                  SW3
    (Preferred)            (Backup)
   Root: VLAN 10        Root: VLAN 10
   HSRP: Active         HSRP: Standby
      /    \               /    \
    SW1    SW4           SW5    SW6
               (Access)
Step 1: Configure HSRP on Both Distribution Switches
On SW2 (HSRP Active):
SW2# configure terminal
SW2(config)# interface Vlan 10
SW2(config-if)# ip address 10.1.1.2 255.255.255.0
SW2(config-if)# standby 10 ip 10.1.1.1
SW2(config-if)# standby 10 priority 150
SW2(config-if)# standby 10 preempt
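SW2(config-if)# standby 10 track Gi1/0/25 decrement 60
SW2(config-if)# exit
The priority 150 on SW2 ensures it becomes HSRP active. The preempt command means that if SW2 returns after a failure, it immediately reclaims the active role. The track command monitors the uplink to the core; if it fails, SW2 decrements its priority from 150 to 90, which is below SW3's 100, allowing SW3 to take over. The decrement must be larger than the 50-point gap between the two priorities; a smaller value would leave SW2 active with a failed uplink.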
On SW3 (HSRP Standby):
SW3# configure terminal
SW3(config)# interface Vlan 10
SW3(config-if)# ip address 10.1.1.3 255.255.255.0
SW3(config-if)# standby 10 ip 10.1.1.1
SW3(config-if)# standby 10 priority 100
SW3(config-if)# standby 10 preempt
SW3(config-if)# exit
SW3 has a lower priority (100) and will assume the active role only if SW2 fails or its priority is decremented.
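How priority, preempt and the tracked decrement from Step 1 interact when SW2's uplink fails, as an added example that is not part of the original article. It is a simplified model (no IP-address tie-break), and the decrement values it compares are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    priority: int           # "standby <group> priority <n>"
    preempt: bool           # True when "standby <group> preempt" is configured
    decrement: int = 0      # priority lost while the tracked uplink is down
    uplink_up: bool = True

    def effective(self) -> int:
        return self.priority if self.uplink_up else self.priority - self.decrement

def elect(routers, current=None):
    """Name of the HSRP active router once the group settles.

    Simplified model: equal priorities are not tie-broken by IP address.
    """
    holder = next((r for r in routers if r.name == current), None)
    if holder is None:
        # Nobody is active yet: the highest effective priority wins.
        return max(routers, key=Router.effective).name
    # A sitting active router is displaced only by a router that has
    # preempt configured AND a strictly higher effective priority.
    rivals = [r for r in routers if r.preempt and r.effective() > holder.effective()]
    return max(rivals, key=Router.effective).name if rivals else holder.name

def after_uplink_failure(decrement, sw3_preempt):
    """Active router for the article's group 10 after SW2 loses its tracked uplink."""
    sw2 = Router("SW2", priority=150, preempt=True, decrement=decrement)
    sw3 = Router("SW3", priority=100, preempt=sw3_preempt)
    active = elect([sw2, sw3])          # steady state: SW2 (150 > 100)
    sw2.uplink_up = False               # core uplink goes down
    return elect([sw2, sw3], current=active)

if __name__ == "__main__":
    for dec, pre in [(20, True), (60, True), (60, False)]:
        print(f"decrement={dec:>2} SW3 preempt={pre!s:<5} -> active: "
              f"{after_uplink_failure(dec, pre)}")
```

SW3 takes over only when the decrement pushes SW2 below 100 and SW3 itself has preempt configured; in the other two cases SW2 keeps the gateway role behind a dead uplink.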
Step 2: Configure STP Root on the Same Switch (SW2)
SW2# configure terminal
SW2(config)# spanning-tree vlan 10 root primary
SW2(config)# spanning-tree vlan 10 priority 24576
SW2(config)# end
On SW3:
SW3# configure terminal
SW3(config)# spanning-tree vlan 10 root secondary
SW3(config)# spanning-tree vlan 10 priority 28672
SW3(config)# end
SW2 is both HSRP active and STP root. SW3 is both HSRP standby and STP secondary root.
Verification of Alignment
Check HSRP status:
SW2# show standby brief
Interface   Grp  Pri P State    Active     Standby    Virtual IP
Vlan10      10   150 P Active   local      10.1.1.3   10.1.1.1
SW3# show standby brief
Interface   Grp  Pri P State    Active     Standby    Virtual IP
Vlan10      10   100 P Standby  10.1.1.2   local      10.1.1.1
SW2 is Active, SW3 is Standby. Both see the virtual IP as 10.1.1.1.
Check STP root:
SW2# show spanning-tree vlan 10 root
                                Root  Hello Max Fwd
VLAN      Root ID               Cost  Time  Age Dly  Protocol
VLAN0010  24576 aabb.cc00.1111     0     2   20  15  rstp
SW3# show spanning-tree vlan 10 root
                                          Root  Hello Max Fwd
VLAN      Root ID               Root      Cost  Time  Age Dly  Protocol
VLAN0010  24576 aabb.cc00.1111  Gi1/0/1   4000     2   20  15  rstp
SW2 is root (cost 0). SW3 knows SW2 is root via port Gi1/0/1 with non-zero cost. Both STP and HSRP converge on SW2.
Traffic Flow Verification
From an access device, verify traffic follows the same path in both directions:
Client (SW1)# traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
1 10.1.1.1 (SW2 HSRP) 0 msec 1 msec 1 msec
2 192.168.100.2 (Core L3) 2 msec 2 msec 2 msec
3 8.8.8.8 (ISP) 10 msec 11 msec 10 msec
Client (SW1)# traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
1 10.1.1.1 (SW2 HSRP, active) 0 msec 0 msec 0 msec
All traffic goes to SW2's HSRP virtual IP. No asymmetry.
Failover Behavior: STP and HSRP Failing Together
When SW2 fails (e.g., power loss), both STP and HSRP fail over to SW3 simultaneously:
HSRP failover:
SW3# show standby brief
Interface   Grp  Pri P State    Active     Standby    Virtual IP
Vlan10      10   100 P Active   local      (empty)    10.1.1.1
SW3 becomes active within 3 seconds (HSRP dead timer).
STP failover:
SW3# show spanning-tree vlan 10 root
                                Root  Hello Max Fwd
VLAN      Root ID               Cost  Time  Age Dly  Protocol
VLAN0010  28672 aabb.cc00.3333     0     2   20  15  rstp
SW3 becomes root within 2 seconds (STP is already listening for absence of root BPDU, and Rapid PVST+ reconverges fast).
Both systems converge to SW3 in roughly the same timeframe, maintaining alignment.
Multi-VLAN Alignment
In a campus with multiple VLANs, each VLAN can have a different active gateway and different STP root. This is legitimate if intentional, but typically not recommended:
Scenario: VLAN 10 (Users) Active on SW2, VLAN 20 (Servers) Active on SW3
VLAN 10 (Users):
STP Root: SW2
HSRP Active: SW2
Gateway: 10.1.1.1
VLAN 20 (Servers):
STP Root: SW3
HSRP Active: SW3
Gateway: 10.2.1.1
This design load-balances traffic: user VLAN goes through SW2, server VLAN through SW3. It's intentional and correct IF:
- You have enough bandwidth on both distribution switches
- Traffic flows are balanced (roughly equal load on each VLAN)
- Failover is understood: If SW2 fails, both VLAN 10 users and their traffic to servers (VLAN 20) must reroute via SW3
Configuration for Load-Balanced Alignment:
On SW2 (VLAN 10 active, VLAN 20 standby):
SW2# configure terminal
SW2(config)# interface Vlan 10
SW2(config-if)# standby 10 priority 150
SW2(config-if)# exit
SW2(config)# interface Vlan 20
SW2(config-if)# standby 20 priority 100
SW2(config-if)# exit
SW2(config)# spanning-tree vlan 10 priority 24576
SW2(config)# spanning-tree vlan 20 priority 28672
SW2(config)# end
On SW3 (VLAN 10 standby, VLAN 20 active):
SW3# configure terminal
SW3(config)# interface Vlan 10
SW3(config-if)# standby 10 priority 100
SW3(config-if)# exit
SW3(config)# interface Vlan 20
SW3(config-if)# standby 20 priority 150
SW3(config-if)# exit
SW3(config)# spanning-tree vlan 10 priority 28672
SW3(config)# spanning-tree vlan 20 priority 24576
SW3(config)# end
VLAN 10 traffic goes via SW2 (root + HSRP active). VLAN 20 traffic goes via SW3 (root + HSRP active). Each distribution switch is utilized symmetrically.
Detecting Misalignment
If STP root and HSRP active are not on the same switch, look for these symptoms:
- Asymmetric traceroutes: Outbound path differs from return path
- Elevated latency: Extra hops in return traffic
- Uneven link utilization: One inter-distribution link heavily used, the other light
- TCP retransmits: Packet loss or reordering in traffic captures
Debugging Script: Check Alignment
Run on each distribution switch:
show standby brief | include Active
show spanning-tree summary | include Root bridge
If both show the same switch as active/root, alignment is correct. If different, misalignment exists.
Example of misalignment:
SW2# show standby brief
Interface   Grp  Pri P State    Active     Standby    Virtual IP
Vlan10      10   150 P Standby  10.1.1.3   local      10.1.1.1
                                ↑ SW3 is HSRP active
SW2# show spanning-tree vlan 10
VLAN0010
  Root ID    Priority    24576
             Address     aabb.cc00.2222
             This bridge is the root
             ↑ SW2 is STP root
Conclusion: STP root on SW2, HSRP active on SW3. Misaligned.
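The same comparison automated over saved command output, as an added example that is not part of the original article. It assumes each switch's `show standby brief` and `show spanning-tree vlan <id>` text has been collected into the `CAPTURES` dictionary (a hypothetical structure); SW3's sample output is constructed.

```python
import re

# Constructed captures. SW2's text follows the misaligned example in the article;
# SW3's text is an assumed counterpart that the article does not show.
CAPTURES = {
    "SW2": {
        "standby": "Interface Grp Pri P State   Active   Standby  Virtual IP\n"
                   "Vlan10    10  150 P Standby 10.1.1.3 local    10.1.1.1\n",
        "stp": "VLAN0010\n  Root ID    Priority    24576\n"
               "             Address     aabb.cc00.2222\n"
               "             This bridge is the root\n",
    },
    "SW3": {
        "standby": "Interface Grp Pri P State   Active   Standby  Virtual IP\n"
                   "Vlan10    10  100 P Active  local    10.1.1.2 10.1.1.1\n",
        "stp": "VLAN0010\n  Root ID    Priority    24576\n"
               "             Address     aabb.cc00.2222\n"
               "             Cost        4000\n",
    },
}

def hsrp_active_vlans(output):
    """VLANs whose SVI row in 'show standby brief' is in state Active."""
    rows = re.findall(r"^Vl(?:an)?(\d+)\s+\d+\s+\d+\s+(?:P\s+)?(\w+)", output, re.M)
    return {int(vlan) for vlan, state in rows if state == "Active"}

def stp_root_vlans(output):
    """VLANs for which 'show spanning-tree vlan <id>' says this bridge is root."""
    vlans, current = set(), None
    for line in output.splitlines():
        if m := re.match(r"VLAN(\d+)", line):
            current = int(m[1])
        elif current is not None and "This bridge is the root" in line:
            vlans.add(current)
    return vlans

def check_alignment(captures):
    """Per VLAN: (switches claiming STP root, switches HSRP Active, aligned?)."""
    roots, actives = {}, {}
    for switch, out in captures.items():
        for vlan in stp_root_vlans(out["stp"]):
            roots.setdefault(vlan, []).append(switch)
        for vlan in hsrp_active_vlans(out["standby"]):
            actives.setdefault(vlan, []).append(switch)
    report = {}
    for vlan in sorted(set(roots) | set(actives)):
        r, a = roots.get(vlan, []), actives.get(vlan, [])
        # Aligned only when exactly one switch holds both roles; two Active
        # routers (split HSRP group) or no root seen both count as failures.
        report[vlan] = (r, a, len(r) == 1 and r == a)
    return report
```

For the sample captures, `check_alignment(CAPTURES)` reports VLAN 10 with root on SW2 and HSRP active on SW3, which is the misalignment shown above.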
Migration: Fixing Misalignment
If your network is currently misaligned, fix it during a maintenance window:
Step 1: Verify current state
SW2# show standby brief
SW2# show spanning-tree summary
SW3# show standby brief
SW3# show spanning-tree summary
Step 2: Plan which switch should be primary
Typically, pick the switch with better uplink capacity or more access connectivity. Let's say SW2.
Step 3: Adjust HSRP priority on SW2
SW2# configure terminal
SW2(config)# interface Vlan 10
SW2(config-if)# standby 10 priority 150
SW2(config-if)# standby 10 preempt
SW2(config-if)# exit
Step 4: Adjust HSRP priority on SW3
SW3# configure terminal
SW3(config)# interface Vlan 10
SW3(config-if)# standby 10 priority 100
SW3(config-if)# exit
Step 5: Verify HSRP converged to SW2
SW2# show standby brief
↑ Should show "Active local"
SW3# show standby brief
↑ Should show "Standby"
Step 6: Adjust STP root to match
If STP root is not on SW2, change it:
SW2# configure terminal
SW2(config)# spanning-tree vlan 10 priority 24576
SW2(config)# exit
SW3# configure terminal
SW3(config)# spanning-tree vlan 10 priority 28672
SW3(config)# exit
Step 7: Monitor convergence (2–3 seconds)
show spanning-tree summary
show standby brief
Both should show SW2 as root/active within seconds.
What's Next
Now that you understand how to design STP topologies and align them with redundancy protocols, the next tool you need is a comprehensive reference guide. In Article 24: STP Toolkit Reference: Every show and debug Command You Need, we'll walk through every relevant verification command, from show spanning-tree variations to debug spanning-tree events, with annotated output for each.