Three-Layer Campus Architecture
A typical enterprise campus uses a three-layer model:
- Access Layer: Connects end devices (users, servers, printers). Typically 24-48 port switches per stack.
- Distribution Layer: Aggregates access layer switches and connects to core. Typically 48-port or line-card chassis.
- Core Layer: Provides high-speed backbone connectivity between buildings or data centers. Typically large chassis with 10+ Gbps ports.
Topology Example
Core Layer (STP Root)
├─ Dist1 (Root Secondary)
│  ├─ Acc1
│  ├─ Acc2
│  └─ Acc3
└─ Dist2 (Root Tertiary)
   ├─ Acc4
   ├─ Acc5
   └─ Acc6
In this topology, STP must elect a root bridge from the core layer and ensure all traffic flows efficiently toward it.
Root Bridge Placement in Multi-Layer Designs
Primary Root in Core Layer
The primary root bridge should reside in the core layer because:
- Centralized reference point: All access and distribution layer switches calculate cost relative to the core.
- Highest redundancy: Core switches typically have dual power, redundant supervisors, and diverse uplinks.
- Least likely to fail: Core infrastructure is engineered for five 9s (99.999%) availability.
- Optimal traffic flow: Traffic naturally funnels through the core, which is dimensioned for it.
Core1# configure terminal
Core1(config)# spanning-tree vlan 10,20,30,99 root primary
Core1(config)# spanning-tree vlan 10,20,30,99 priority 4096
Core1(config)# end
Core1 is now the root for all VLANs. Its priority is 4096, the lowest globally.
Secondary Root at Distribution Layer
The secondary root bridge should be on a distribution layer switch, ideally in a different geographic location if the campus spans multiple buildings.
Dist1# configure terminal
Dist1(config)# spanning-tree vlan 10,20,30,99 root secondary
Dist1(config)# spanning-tree vlan 10,20,30,99 priority 8192
Dist1(config)# end
Dist1 is now the secondary root. If Core1 fails, Dist1 automatically becomes root with priority 8192.
Tertiary Root (Optional) at Another Distribution Switch
For even more resilience, designate a third backup root on another distribution switch in a different location:
Dist2# configure terminal
Dist2(config)# spanning-tree vlan 10,20,30,99 priority 16384
Dist2(config)# end
Dist2 is configured with priority 16384. If both Core1 and Dist1 fail, Dist2 becomes the root.
Verification: Show Root Election
Core1# show spanning-tree root
Root Hello Max Fwd
VLAN Root ID Cost Time Age Dly Protocol
VLAN0010 4096 aabb.cc00.5555 0 2 20 15 rstp
VLAN0020 4096 aabb.cc00.5555 0 2 20 15 rstp
VLAN0030 4096 aabb.cc00.5555 0 2 20 15 rstp
VLAN0099 4096 aabb.cc00.5555 0 2 20 15 rstp
Dist1# show spanning-tree root
Root Hello Max Fwd
VLAN Root ID Cost Time Age Dly Protocol
VLAN0010 4096 aabb.cc00.5555 20000 2 20 15 rstp
VLAN0020 4096 aabb.cc00.5555 20000 2 20 15 rstp
VLAN0030 4096 aabb.cc00.5555 20000 2 20 15 rstp
VLAN0099 4096 aabb.cc00.5555 20000 2 20 15 rstp
Acc1# show spanning-tree root
Root Hello Max Fwd
VLAN Root ID Cost Time Age Dly Protocol
VLAN0010 4096 aabb.cc00.5555 40000 2 20 15 rstp
VLAN0020 4096 aabb.cc00.5555 40000 2 20 15 rstp
VLAN0030 4096 aabb.cc00.5555 40000 2 20 15 rstp
VLAN0099 4096 aabb.cc00.5555 40000 2 20 15 rstp
All switches report Core1 (aabb.cc00.5555) as root. The cost increases as you move away from the root, which is correct.
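The manual comparison above can be scripted. This added example (not part of the original article) parses `show spanning-tree root` output in the column layout shown here, then flags any VLAN whose root is not the expected MAC or whose root path cost fails to rise at each hop away from the root. The function names and the failing sample are assumptions constructed for illustration.

```python
import re

# One data row: VLAN name, root priority, root MAC, root path cost.
ROW = re.compile(
    r"^\s*(VLAN\d{4})\s+(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\d+)\b", re.M)

def parse_root_table(text):
    """Map VLAN name -> (root priority, root MAC, root path cost)."""
    return {m[1]: (int(m[2]), m[3], int(m[4])) for m in ROW.finditer(text)}

def audit_roots(outputs, expected_mac, path):
    """outputs: {switch: CLI text}; path: switches ordered from the root outward."""
    tables = {sw: parse_root_table(txt) for sw, txt in outputs.items()}
    findings = []
    for sw, rows in tables.items():
        for vlan, (prio, mac, _cost) in sorted(rows.items()):
            if mac != expected_mac:
                findings.append(f"{sw} {vlan}: root {mac} priority {prio}")
    # Root path cost must grow at every hop away from the root.
    for near, far in zip(path, path[1:]):
        for vlan in sorted(tables[near].keys() & tables[far].keys()):
            if tables[far][vlan][2] <= tables[near][vlan][2]:
                findings.append(f"{far} {vlan}: cost not above {near}")
    return findings

def sample_rows(cost, vlans=(10, 20, 30, 99), prio=4096, mac="aabb.cc00.5555"):
    """Build sample rows in the column layout shown in the article."""
    return "\n".join(f"VLAN{v:04d} {prio} {mac} {cost} 2 20 15 rstp" for v in vlans)

PATH = ["Core1", "Dist1", "Acc1"]
# Values taken from the article's healthy output.
HEALTHY = {"Core1": sample_rows(0), "Dist1": sample_rows(20000),
           "Acc1": sample_rows(40000)}
# Constructed failure: Acc1 reports itself as root for VLAN 10.
BROKEN = dict(HEALTHY, Acc1="\n".join([
    sample_rows(0, vlans=(10,), prio=32768, mac="aabb.cc00.1111"),
    sample_rows(40000, vlans=(20, 30, 99))]))

if __name__ == "__main__":
    print(audit_roots(HEALTHY, "aabb.cc00.5555", PATH))
    for finding in audit_roots(BROKEN, "aabb.cc00.5555", PATH):
        print(finding)
```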
Inter-Layer Redundancy and Link Aggregation
Between layers, use Port Channels (EtherChannel) to aggregate multiple links and provide redundancy without creating loops.
Access to Distribution Redundancy
Connect each access switch to at least two distribution switches via EtherChannels:
Acc1# configure terminal
Acc1(config)# interface range GigabitEthernet 1/0/1-2
Acc1(config-if-range)# channel-group 1 mode active
Acc1(config-if-range)# exit
Acc1(config)# interface Port-channel 1
Acc1(config-if)# switchport mode trunk
Acc1(config-if)# switchport trunk allowed vlan 10,20,30,99
Acc1(config-if)# description PO1 to Dist1
Acc1(config-if)# exit
Acc1(config)# interface range GigabitEthernet 1/0/3-4
Acc1(config-if-range)# channel-group 2 mode active
Acc1(config-if-range)# exit
Acc1(config)# interface Port-channel 2
Acc1(config-if)# switchport mode trunk
Acc1(config-if)# switchport trunk allowed vlan 10,20,30,99
Acc1(config-if)# description PO2 to Dist2
Acc1(config-if)# exit
Acc1 now has two Port Channels: Po1 (Gi1/0/1-2) and Po2 (Gi1/0/3-4). Both are trunks.
On Dist1:
Dist1# configure terminal
Dist1(config)# interface range GigabitEthernet 1/0/1-2
Dist1(config-if-range)# channel-group 101 mode active
Dist1(config-if-range)# exit
Dist1(config)# interface Port-channel 101
Dist1(config-if)# switchport mode trunk
Dist1(config-if)# switchport trunk allowed vlan 10,20,30,99
Dist1(config-if)# description PO101 to Acc1
Dist1(config-if)# exit
Dist1's Po101 is the receiving end of Acc1's Po1. They form a single logical link.
Verification: Show EtherChannel Status
Acc1# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
m - not in use, port not aggregated
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Gi1/0/1(P) Gi1/0/2(P)
2 Po2(SU) LACP Gi1/0/3(P) Gi1/0/4(P)
Both port-channels are active (SU = switched, up). All member ports are bundled (P).
Topology Calculation Across Three Layers
How STP Calculates the Root Path
When Acc1 boots:
- Receives BPDUs from Dist1 and Dist2
  - Dist1's BPDU: Root = Core1, Cost = 20000 (10000 per Gigabit link)
  - Dist2's BPDU: Root = Core1, Cost = 20000
- Calculates local root port
  - Both Po1 (to Dist1) and Po2 (to Dist2) offer equal cost (20000 + 4 = 20004)
  - Port priority is a tiebreaker. Acc1 uses port priority settings to choose Po1 as root port:
Acc1(config)# interface Port-channel 1
Acc1(config-if)# spanning-tree port-priority 0
Acc1(config-if)# exit
Acc1(config)# interface Port-channel 2
Acc1(config-if)# spanning-tree port-priority 32
- Po1 becomes root port, Po2 becomes blocked
- All downstream interfaces (connections to end devices) are designated
Acc1# show spanning-tree
VLAN0010
Root ID Priority 4096
Address aabb.cc00.5555
Bridge ID Priority 32768
Address aabb.cc00.1111
Interface Role PortPri.Nbr Status Cost PortCost Vlans
-------------- ---- ----------- ------ ----------- -------- ------
Po1 Root P2Se.0 FWD 20000 20000 10,20,30,99
Po2 Altn P2Se.32 BLK 20000 20000 10,20,30,99
Gi1/0/5 Desg P2Se.128 FWD 4 4 10,20,30,99
Gi1/0/6 Desg P2Se.129 FWD 4 4 10,20,30,99
Po1 is the root port (FWD). Po2 is blocked (BLK). Downstream interfaces are designated (Desg).
Anomalous Topologies: When Design Goes Wrong
Symptom: Access-layer switch claims to be root for some VLANs.
Acc1# show spanning-tree root
VLAN0010 32768 aabb.cc00.1111 (Acc1 is root!)
VLAN0020 4096 aabb.cc00.5555 (Core1 is root)
Acc1 is the root for VLAN 10, but Core1 is root for VLAN 20. This is an anomaly.
Root cause: Core1's priority of 4096 was not applied to VLAN 10. With the intended configuration, Core1 wins on priority before MAC addresses are ever compared, because Acc1 is left at the default of 32768:
Core1: Priority 4096, MAC aabb.cc00.5555 → Bridge ID 1000.aabb.cc00.5555
Acc1: Priority 32768, MAC aabb.cc00.1111 → Bridge ID 8000.aabb.cc00.1111
For VLAN 10, if Core1 didn't explicitly set priority, it defaults to 32768:
Core1: Priority 32768, MAC aabb.cc00.5555 → Bridge ID 8000.aabb.cc00.5555
Acc1: Priority 32768, MAC aabb.cc00.1111 → Bridge ID 8000.aabb.cc00.1111
Both have priority 32768. The tiebreaker is MAC address. Acc1 (aabb.cc00.1111 < aabb.cc00.5555) wins. Acc1 becomes root.
Fix: Explicitly set Core1's priority for ALL VLANs:
Core1(config)# spanning-tree vlan 1-4094 root primary
Core1(config)# spanning-tree vlan 1-4094 priority 4096
Core1(config)# end
Core1# copy running-config startup-config
Now Core1 is explicitly root for all VLANs. Verify:
Acc1# show spanning-tree vlan 10 | include Root
Root ID Priority 4096
Address aabb.cc00.5555
Core1 is now the root for VLAN 10 as well.
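The election that produces this anomaly can be modelled directly. This added example (not from the original article) compares bridge IDs per VLAN as priority first and MAC second, using the article's MAC addresses, and reports which VLANs end up with a root other than Core1 before and after the fix. The inventory structure and function names are assumptions made for illustration.

```python
DEFAULT_PRIORITY = 32768  # used for any VLAN with no explicit priority

def bridge_id(priority, mac):
    """Comparable bridge ID: priority first, MAC address as the tiebreaker."""
    return (priority, int(mac.replace(".", ""), 16))

def format_bridge_id(priority, mac):
    """Render as in the article, e.g. 1000.aabb.cc00.5555 for priority 4096."""
    return f"{priority:04x}.{mac}"

def elect_roots(switches, vlans):
    """Return {vlan: name of the switch with the lowest bridge ID}."""
    def bid(name, vlan):
        sw = switches[name]
        return bridge_id(sw["priority"].get(vlan, DEFAULT_PRIORITY), sw["mac"])
    return {vlan: min(switches, key=lambda n: bid(n, vlan)) for vlan in vlans}

def misplaced_roots(switches, vlans, intended):
    """VLANs whose elected root is not the intended switch."""
    return {v: r for v, r in elect_roots(switches, vlans).items() if r != intended}

def with_priority(switches, name, vlans, priority):
    """Copy of the inventory with `priority` set on `name` for every VLAN given."""
    fixed = {n: {"mac": s["mac"], "priority": dict(s["priority"])}
             for n, s in switches.items()}
    fixed[name]["priority"].update({v: priority for v in vlans})
    return fixed

# Constructed inventory: MACs from the article; Core1 has no explicit
# priority for VLAN 10, which is the misconfiguration described above.
# The per-VLAN system ID extension is omitted: it adds the same offset to
# every switch in a VLAN, so it cannot change the winner.
VLANS = [10, 20, 30, 99]
BEFORE = {
    "Core1": {"mac": "aabb.cc00.5555", "priority": {20: 4096, 30: 4096, 99: 4096}},
    "Acc1": {"mac": "aabb.cc00.1111", "priority": {}},
}
AFTER = with_priority(BEFORE, "Core1", VLANS, 4096)  # the fix: cover every VLAN

if __name__ == "__main__":
    print(misplaced_roots(BEFORE, VLANS, "Core1"))
    print(misplaced_roots(AFTER, VLANS, "Core1"))
```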
Designing Blocked Ports for Resilience
In a multi-layer design, some inter-switch links must be blocked to prevent loops. Use STP design to ensure the right links are blocked.
Distribution-to-Distribution Links
If Dist1 and Dist2 are connected directly (for redundancy at the distribution layer):
Dist1 ←→ Dist2 (Trunk)
One of these links must be blocked. Which one? Set port priorities to control it:
Dist1(config)# interface GigabitEthernet 1/0/47
Dist1(config-if)# spanning-tree port-priority 0
Dist1(config-if)# description Link to Dist2 (Preferred)
Dist1(config-if)# exit
Dist2(config)# interface GigabitEthernet 1/0/47
Dist2(config-if)# spanning-tree port-priority 32
Dist2(config-if)# description Link to Dist1 (Backup)
Dist2(config-if)# exit
Dist1's port has priority 0 (preferred). Dist2's port has priority 32. When STP calculates the topology, Dist1's port becomes the designated port (forwarding), and Dist2's port becomes blocked.
Multi-VLAN Load Balancing
To optimize traffic distribution across redundant links, use different root bridges for different VLAN groups:
VLAN Group 1: Root at Dist1
VLANs 10-19, 100-109, 200-209, 300-309
VLAN Group 2: Root at Dist2
VLANs 20-29, 110-119, 210-219, 310-319
Configuration:
Dist1(config)# spanning-tree vlan 10-19,100-109,200-209,300-309 root primary
Dist1(config)# spanning-tree vlan 10-19,100-109,200-209,300-309 priority 4096
Dist1(config)# end
Dist2(config)# spanning-tree vlan 20-29,110-119,210-219,310-319 root primary
Dist2(config)# spanning-tree vlan 20-29,110-119,210-219,310-319 priority 4096
Dist2(config)# end
Now, VLANs in group 1 prefer paths through Dist1, while group 2 VLANs prefer Dist2. Traffic is balanced across the distribution layer.
Verification Across Three Layers
Use show spanning-tree on each layer to confirm convergence:
Core:
Core1# show spanning-tree brief
VLAN0010
Root ID Priority 4096
Address aabb.cc00.5555
This bridge is the root
Bridge ID Priority 4096
Address aabb.cc00.5555
Aging Time 300 sec
Distribution:
Dist1# show spanning-tree brief
VLAN0010
Root ID Priority 4096
Address aabb.cc00.5555
Bridge ID Priority 8192
Address aabb.cc00.2222
...
Interface Role PortPri Type Cost Status
Po1 Root -- P2p 10000 FWD
Po2 Altn -- P2p 10000 BLK
Dist1 sees Core1 as root and has Po1 as root port, Po2 as blocked.
Access:
Acc1# show spanning-tree brief
VLAN0010
Root ID Priority 4096
Address aabb.cc00.5555
Bridge ID Priority 32768
Address aabb.cc00.1111
...
Interface Role PortPri Type Cost Status
Po1 Root -- P2p 20000 FWD
Po2 Altn -- P2p 20000 BLK
Acc1 sees Core1 as root and has Po1 as root port, Po2 as blocked.
What's Next
With STP topology spanning three layers, the next challenge is ensuring that STP's root bridge aligns with your HSRP/VRRP active gateway. In Article 23 (STP and FHRP Alignment), we'll show how to synchronize STP and First-Hop Redundancy Protocol so traffic flows optimally through both layers.