Pre-Deployment STP Hardening Checklist
This checklist guides you through configuring and verifying a production-grade STP topology. Follow it section by section during a maintenance window, testing at each step.
1. Planning Phase
Before any configuration, plan the topology carefully. Document:
- Physical network topology (access, distribution, core layers)
- Root bridge placement (primary and secondary)
- Port priorities (primary uplinks vs backups)
- Guard configuration (BPDU Guard on access, Root Guard on distribution downlinks, Loop Guard on inter-switch trunks)
2. Core Switch Configuration
2.1 Set STP Mode
spanning-tree mode rapid-pvst
2.2 Configure Root Bridge
spanning-tree vlan 1-4094 root primary
spanning-tree vlan 1-4094 priority 4096
2.3 Enable PortFast
spanning-tree portfast default
2.4 Enable BPDU Guard
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 30
2.5 Enable Root Guard on Downlinks
interface range Gi1/0/3-24
spanning-tree guard root
exit
2.6 Enable Loop Guard on Trunks
interface range Gi1/0/1-2
spanning-tree guard loop
exit
3. Distribution/Access Switch Configuration
Repeat steps 2.1 and 2.3 through 2.6 on all distribution and access switches (step 2.2 applies only to the primary root bridge in the core).
3.1 Secondary Root (if applicable)
spanning-tree vlan 1-4094 root secondary
spanning-tree vlan 1-4094 priority 8192
3.2 Configure Uplink Port Priorities
interface Gi1/0/1
spanning-tree port-priority 0
exit
interface Gi1/0/2
spanning-tree port-priority 32
exit
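A quick way to confirm that sections 2 and 3 actually landed on each switch (and to repeat the check during the annual audit in section 7) is to run the saved running-config through a small audit script. The following is an added example, not part of the original checklist or any vendor tool: the audit() function, the role-to-guard mapping it applies and the sample running-config are constructed for illustration, and its hostnames and interface names are made up.

```python
"""Audit a Cisco IOS running-config against sections 2 and 3 of the checklist.

Added example, not part of the original checklist. The global lines, the
priorities per role and the guard-per-port-role mapping are taken from the
checklist; the audit() function and the sample config are constructed.
"""
import re

# Global lines every switch must carry (sections 2.1, 2.3, 2.4).
REQUIRED_GLOBAL = [
    "spanning-tree mode rapid-pvst",
    "spanning-tree portfast default",
    "spanning-tree portfast bpduguard default",
    "errdisable recovery cause bpduguard",
]

# Bridge priority that must persist in the config for VLANs 1-4094
# (section 2.2 for the core, section 3.1 for the secondary root).
ROLE_PRIORITY = {"core": 4096, "distribution": 8192}

# Guard expected on each planned port role (section 1 and sections 2.5, 2.6).
ROLE_GUARD = {"trunk": "loop", "downlink": "root"}


def parse_interfaces(config):
    """Return {interface name: [indented lines]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or another global line ends the stanza
    return stanzas


def audit(config, switch_role, port_roles):
    """Return findings (strings); an empty list means the config passes.

    switch_role: 'core', 'distribution' or 'access'.
    port_roles:  {interface name: 'trunk' | 'downlink'} from the section 1 plan.
    """
    findings = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for required in REQUIRED_GLOBAL:
        if required not in global_lines:
            findings.append(f"missing global: {required}")

    want = ROLE_PRIORITY.get(switch_role)
    if want is not None:
        m = re.search(r"^spanning-tree vlan 1-4094 priority (\d+)$", config, re.M)
        if m is None or int(m.group(1)) != want:
            findings.append(f"{switch_role} must set 'spanning-tree vlan 1-4094 priority {want}'")

    stanzas = parse_interfaces(config)
    for iface, role in port_roles.items():
        guard = f"spanning-tree guard {ROLE_GUARD[role]}"
        if guard not in stanzas.get(iface, []):
            findings.append(f"{iface}: {role} port lacks '{guard}'")
    return findings


# Constructed sample: a core switch whose second downlink never got Root Guard.
SAMPLE_CORE = """\
hostname core-1
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree vlan 1-4094 priority 4096
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
interface GigabitEthernet1/0/1
 description trunk to core-2
 switchport mode trunk
 spanning-tree guard loop
!
interface GigabitEthernet1/0/3
 description downlink to dist-1
 switchport mode trunk
 spanning-tree guard root
!
interface GigabitEthernet1/0/4
 description downlink to dist-2
 switchport mode trunk
!
"""

CORE_PORT_ROLES = {
    "GigabitEthernet1/0/1": "trunk",
    "GigabitEthernet1/0/3": "downlink",
    "GigabitEthernet1/0/4": "downlink",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CORE, "core", CORE_PORT_ROLES) or ["pass"]:
        print(finding)
```

The script checks the saved configuration, not the live STP state; `interface range` commands are expanded to individual interface stanzas in a running-config, which is why the port-role map uses full interface names. Verification of the live topology is a separate step (section 4).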
4. Verification Commands
Check Root Election
show spanning-tree root
All switches should report the same root bridge.
Check Port Roles
show spanning-tree
Expected:
- One root port per switch (to root bridge)
- Alternate ports (blocked backups)
- Designated ports (to downstream switches)
Check for Inconsistent Ports
show spanning-tree inconsistentports
Should be empty (no Root Guard or Loop Guard blocks in steady state).
Check MAC Stability
show mac address-table dynamic
MAC addresses should be stable (not flapping between ports).
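When the verification outputs above are collected from every switch, the comparisons (same root everywhere, exactly one switch with root cost 0 per VLAN, zero inconsistent ports, no MAC moving between ports across two snapshots) can be automated. The following is an added example, not part of the original checklist: the parsers follow the column layout of the three IOS show commands in this section, and the sample outputs, switch names and MAC addresses are constructed.

```python
"""Evaluate the section 4 verification outputs gathered from several switches.

Added example, not part of the original checklist. The parsers follow the
column layout of Cisco IOS 'show spanning-tree root',
'show spanning-tree inconsistentports' and 'show mac address-table dynamic';
the sample outputs, switch names and MAC addresses are constructed.
"""
import re
from collections import defaultdict

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# One VLAN row of 'show spanning-tree root': name, root priority, root MAC,
# root path cost, hello/max-age/fwd-delay, then the root port (blank on the root).
ROOT_ROW = re.compile(
    r"^(VLAN\d+)[ \t]+(\d+)[ \t]+(" + MAC + r")[ \t]+(\d+)"
    r"[ \t]+\d+[ \t]+\d+[ \t]+\d+[ \t]*(\S*)[ \t]*$", re.M)
INCONSISTENT_TOTAL = re.compile(
    r"Number of inconsistent ports \(segments\) in the system[ \t]*:[ \t]*(\d+)")
MAC_ROW = re.compile(r"^[ \t]*(\d+)[ \t]+(" + MAC + r")[ \t]+DYNAMIC[ \t]+(\S+)", re.M)


def parse_root(output):
    """Map VLAN -> (root MAC, root path cost, root port or '') for one switch."""
    return {vlan: (mac, int(cost), port)
            for vlan, _prio, mac, cost, port in ROOT_ROW.findall(output)}


def check_root_agreement(outputs):
    """outputs: {switch name: 'show spanning-tree root' text}. Every switch must
    name the same root MAC per VLAN, and exactly one switch per VLAN may report
    root path cost 0 (i.e. be the root). Returns a list of findings."""
    per_vlan = defaultdict(dict)
    for switch, text in outputs.items():
        for vlan, info in parse_root(text).items():
            per_vlan[vlan][switch] = info
    findings = []
    for vlan, by_switch in sorted(per_vlan.items()):
        macs = sorted({info[0] for info in by_switch.values()})
        if len(macs) != 1:
            findings.append(f"{vlan}: switches disagree on root {macs}")
        roots = sorted(sw for sw, info in by_switch.items() if info[1] == 0)
        if len(roots) != 1:
            findings.append(f"{vlan}: {len(roots)} switches report root cost 0: {roots}")
    return findings


def inconsistent_port_count(output):
    """Total from 'show spanning-tree inconsistentports'; must be 0 in steady state."""
    m = INCONSISTENT_TOTAL.search(output)
    if m is None:
        raise ValueError("unrecognised inconsistentports output")
    return int(m.group(1))


def mac_moves(before, after):
    """Entries that changed port between two 'show mac address-table dynamic'
    snapshots, as (vlan, mac, old port, new port); a moving MAC hints at a loop."""
    old = {(v, m): p for v, m, p in MAC_ROW.findall(before)}
    new = {(v, m): p for v, m, p in MAC_ROW.findall(after)}
    return sorted((v, m, old[(v, m)], new[(v, m)])
                  for v, m in old.keys() & new.keys() if old[(v, m)] != new[(v, m)])


# Constructed outputs. access-1 has elected itself root of VLAN0010 (it sees no
# root BPDUs for that VLAN), so the root election check must flag it.
ROOT_OUTPUTS = {
    "core-1": """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001          4097 0011.2233.4455         0    2   20  15
VLAN0010          4106 0011.2233.4455         0    2   20  15
""",
    "dist-1": """\
VLAN0001          4097 0011.2233.4455         4    2   20  15  Gi1/0/1
VLAN0010          4106 0011.2233.4455         4    2   20  15  Gi1/0/1
""",
    "access-1": """\
VLAN0001          4097 0011.2233.4455         8    2   20  15  Gi1/0/1
VLAN0010         32778 00aa.bbcc.dd01         0    2   20  15
""",
}
INCONSISTENT_OK = "Number of inconsistent ports (segments) in the system : 0\n"
MAC_BEFORE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.aa01    DYNAMIC     Gi1/0/5
  10    0011.2233.aa02    DYNAMIC     Gi1/0/6
"""
MAC_AFTER = MAC_BEFORE.replace("aa02    DYNAMIC     Gi1/0/6", "aa02    DYNAMIC     Gi1/0/1")

if __name__ == "__main__":
    print(check_root_agreement(ROOT_OUTPUTS))
    print(inconsistent_port_count(INCONSISTENT_OK), mac_moves(MAC_BEFORE, MAC_AFTER))
```

The root check is per VLAN on purpose: with Rapid PVST+ a VLAN that was added without an explicit priority (section 7) or that is missing from a trunk can have a different root from the rest of the network while `show spanning-tree root` on the core still looks healthy.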
5. Failover Testing
Test Root Failover
Shut down the primary root's uplink. Verify:
- Secondary root assumes root role within 2-3 seconds
- All switches converge to new root within 5 seconds
- No topology oscillations
Test Access Port Failover
Shut down an access switch's primary uplink. Verify:
- Alternate port becomes root port within 1-2 seconds (Rapid PVST+)
- User devices reconnect automatically
- No loops form
Test BPDU Guard
Connect a switch to an access port. Verify:
- Port goes errdisable within 1-2 seconds
show interfaces status err-disabled
Port should show "err-disabled bpduguard".
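The same errdisable and guard events that this test produces are what the monitoring in sections 6 and 7 should alert on. With automatic recovery enabled (section 2.4) a port whose BPDU source is still attached will cycle disable/recover/disable every recovery interval, which is an alert condition rather than something to wait out. The following is an added example, not part of the original checklist: it parses syslog lines in the shape of the IOS %SPANTREE and %PM messages (with `service timestamps log datetime msec`), and the sample lines, ports and times are constructed.

```python
"""Triage STP guard events from Cisco syslog lines.

Added example for the 'Test BPDU Guard' step and the 'alert on errdisable
events' items in sections 6 and 7; not part of the original checklist. The
sample lines are constructed in the shape of IOS %SPANTREE and %PM messages
with 'service timestamps log datetime msec'; ports and times are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG = re.compile(
    r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: (%[A-Z_]+-\d-[A-Z_]+): (.*)$")
IFACE = re.compile(
    r"\b((?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Te|Gi|Fa)\d+(?:/\d+)+)\b")

# Mnemonics the three guards and errdisable recovery log; anything else is ignored.
EVENT_KIND = {
    "%SPANTREE-2-BLOCK_BPDUGUARD": "bpduguard",
    "%SPANTREE-2-ROOTGUARD_BLOCK": "rootguard",
    "%SPANTREE-2-LOOPGUARD_BLOCK": "loopguard",
    "%PM-4-ERR_DISABLE": "errdisable",
    "%PM-4-ERR_RECOVER": "recover",
}


def short_name(port):
    """Collapse long interface names so %SPANTREE and %PM lines match up."""
    return (port.replace("TenGigabitEthernet", "Te")
                .replace("GigabitEthernet", "Gi")
                .replace("FastEthernet", "Fa"))


def parse_events(lines):
    """Yield (timestamp, kind, port) for recognised guard/errdisable messages."""
    for line in lines:
        m = SYSLOG.match(line)
        if m is None or m.group(2) not in EVENT_KIND:
            continue
        port = IFACE.search(m.group(3))
        if port is None:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        yield ts, EVENT_KIND[m.group(2)], short_name(port.group(1))


def repeat_offenders(lines, threshold=3, window_seconds=300):
    """Ports that went err-disabled `threshold` times within `window_seconds`.

    With 'errdisable recovery interval 30' a port whose BPDU source is still
    attached cycles disable/recover/disable every half minute.
    Returns {port: total errdisable count}.
    """
    stamps = defaultdict(list)
    for ts, kind, port in parse_events(lines):
        if kind == "errdisable":
            stamps[port].append(ts)
    flagged = {}
    for port, times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[port] = len(times)
                break
    return flagged


def guard_blocks(lines):
    """Root Guard / Loop Guard blocks; section 4 expects none in steady state."""
    return [(kind, port) for _ts, kind, port in parse_events(lines)
            if kind in ("rootguard", "loopguard")]


# Constructed sample log: Gi1/0/7 keeps re-triggering BPDU Guard after each
# recovery, Gi1/0/12 tripped once, and a downlink hit Root Guard on VLAN0010.
SAMPLE_LOG = [
    "Mar 12 10:00:01.101: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.",
    "Mar 12 10:00:01.105: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Mar 12 10:00:31.200: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7",
    "Mar 12 10:00:32.010: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.",
    "Mar 12 10:00:32.014: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Mar 12 10:01:02.300: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/7",
    "Mar 12 10:01:03.001: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.",
    "Mar 12 10:01:03.004: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state",
    "Mar 12 10:05:00.000: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state",
    "Mar 12 10:07:15.500: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/3 on VLAN0010.",
    "Mar 12 10:08:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
    print("guard blocks:", guard_blocks(SAMPLE_LOG))
```

A single BPDU Guard trip during this test is the expected result; the thresholds here are tuned for steady-state operations, where a port that trips three times in five minutes or any Root Guard or Loop Guard block should page someone and be cross-checked against `show spanning-tree inconsistentports`.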
6. Production Sign-Off
- [ ] Document final STP topology
- [ ] Verify convergence tests pass
- [ ] Set up monitoring and alerts for STP events
- [ ] Create rollback plan
- [ ] Schedule maintenance window
- [ ] Deploy and monitor for 30 minutes post-deployment
7. Long-Term Operations
- Monthly: Review STP logs for anomalies
- Quarterly: Simulate failover scenarios
- Annually: Audit STP configuration against this checklist
- When adding switches: Repeat full checklist
- When adding VLANs: Explicitly configure their root priority
Summary: STP Best Practices
- Explicit configuration: Don't rely on defaults.
- Rapid PVST+ only: Never use legacy 802.1D or PVST+.
- Root bridge in core: Primary at core, secondary at distribution.
- Deterministic topology: Use port priorities for predictability.
- Guards on every port: BPDU Guard (access), Root Guard (distribution downlinks), Loop Guard (trunks).
- Monitor relentlessly: Keep logs, alert on errdisable events.
- Document everything: Topology documentation is critical.
- Test failover: Verify convergence before production deployment.