The Five Port States
In IEEE 802.1D (original STP), every port progresses through five possible states:
- Disabled: Port is administratively shut down or has no link
- Blocking: Port is enabled but doesn't forward user traffic (only processes BPDUs)
- Listening: Port is preparing to forward; listens for BPDUs to ensure no loops exist
- Learning: Port learns MAC addresses but doesn't forward frames yet
- Forwarding: Port forwards all traffic and learns MAC addresses
Rapid STP (802.1w) reduces this to three states (Discarding, Learning, Forwarding) by eliminating the separate Listening state, but the underlying timers and logic remain the same.
Port State Definitions and Behaviors
Disabled State
A port enters the disabled state when:
- The port is administratively shut down (
shutdowncommand) - The physical link is down (no carrier signal)
- STP is disabled globally on the switch
In disabled state:
BPDU Processing: No
MAC Address Learning: No
Frame Forwarding: No
User Traffic: Blocked
A disabled port plays no role in the spanning tree. It's not counted in the root port selection, not designated, not blocked—it's simply offline.
Blocking State
Blocking is the default state for ports that:
- Are part of the spanning tree but are not root ports or designated ports
- Are waiting to transition toward the forwarding state
- Have just been enabled and haven't yet stabilized
In blocking state:
BPDU Processing: Yes (receives and processes)
MAC Address Learning: No
Frame Forwarding: No
User Traffic: Blocked
Timers: Max Age (20 seconds by default)
A blocked port listens for BPDUs from upstream switches to ensure the spanning tree is stable. If the port receives a BPDU indicating it should become a root port or designated port, it transitions to listening.
Why Not Forward Immediately?
If a blocked port were to immediately transition to forwarding, it might create a loop during convergence. The blocking state gives the network time to propagate BPDU changes and ensures all switches agree on the topology before traffic flows.
Listening State
A port transitions from blocking to listening when it's identified as either a root port or designated port. In listening state:
BPDU Processing: Yes (sends and receives)
MAC Address Learning: No
Frame Forwarding: No
User Traffic: Blocked
Timers: Forward Delay (15 seconds by default)
The port sends and receives BPDUs for one forward delay period (default 15 seconds). This is the critical window where all switches in the network exchange topology information and confirm there are no loops.
BPDU Exchange During Listening
During listening state, the port:
- Receives BPDUs from upstream switches confirming the root election
- Sends BPDUs to downstream switches advertising its role
- Verifies no contradictory information about root bridge or costs arrives
- Ensures all switches agree on port roles before forwarding starts
If a BPDU indicates this port should return to blocking (for example, another switch advertises a lower cost to the root), the port reverses to blocking immediately.
Learning State
After listening for one forward delay period, the port transitions to learning:
BPDU Processing: Yes
MAC Address Learning: Yes
Frame Forwarding: No
User Traffic: Blocked
Timers: Forward Delay (15 seconds by default)
In learning state, the port:
- Continues to monitor BPDUs (still verifying topology)
- Learns MAC addresses from frames arriving on the port
- Populates the MAC address table
- Waits one more forward delay period before forwarding
Why Not Forward During Learning?
The port waits to forward because frame propagation delay could cause duplicate frames. Consider this scenario:
[PC1] sends frame to [PC2]
Frame travels: PC1 → SW1 Eth0/0 (just transitioned to learning)
If Eth0/0 forwards immediately:
Frame hits SW2 Eth0/0 (designated)
SW2 floods frame out Eth0/1
But if there's a still-converging path, the frame could loop back
Multiple copies of the same frame arrive at PC2
MAC table shows PC1 on multiple ports
By waiting two forward delay periods (30 seconds total for two transitions), the network ensures:
- All topology information has propagated
- Multiple copies of the same frame don't loop
- MAC tables are stable
Forwarding State
After learning for one forward delay period, the port transitions to forwarding:
BPDU Processing: Yes
MAC Address Learning: Yes
Frame Forwarding: Yes
User Traffic: Allowed
In forwarding state:
- All user traffic passes through the port
- MAC addresses are learned from arriving frames
- BPDUs continue to be processed (to detect topology changes)
- Port stays in forwarding as long as BPDUs arrive from upstream
If BPDUs stop arriving (link failure), the port transitions back through listening and learning, eventually blocking or becoming root port.
Port State Transition Timers
Two timers control STP state transitions in 802.1D:
Forward Delay Timer (default: 15 seconds)
The forward delay determines how long a port spends in listening state and how long it spends in learning state.
Blocking → Listening (waits for forward delay)
Listening → Learning (waits for forward delay)
Learning → Forwarding (waits for forward delay)
Wait—that's three state transitions, each taking 15 seconds? Actually, no:
Blocking → Listening: Wait 15 seconds
Listening → Learning: Transition immediately (after 15 seconds)
Learning → Forwarding: Wait 15 seconds more
Total time from blocking to forwarding = 30 seconds (two forward delay periods)
The specification says:
- When entering listening state, wait one forward delay before entering learning
- When entering learning state, wait one forward delay before entering forwarding
Max Age Timer (default: 20 seconds)
The max age timer controls how long a blocked port waits for BPDUs before assuming the topology has changed.
Blocking port doesn't receive BPDU for 20 seconds
→ Max age expires
→ Port transitions to listening
→ Waiting for either:
a) New BPDU from new root path
b) Promotion to root port
This timer ensures that if the root bridge or a link fails, blocked ports eventually transition and re-converge.
The 30-50 Second Convergence Problem
Total convergence time in 802.1D when a link fails:
Link failure detected
→ Switch detects BPDU timeout (up to 20 seconds)
→ Port transitions: Blocking → Listening (up to 15 seconds)
→ Port transitions: Listening → Learning (up to 15 seconds)
→ Port transitions: Learning → Forwarding (up to 5 seconds for last port)
Total: 20 + 15 + 15 = 50 seconds (worst case)
Why this matters:
- VoIP calls drop: Signaling fails after 3-5 seconds of silence
- Database replication fails: Transactions timeout
- DHCP discovery stalls: DHCP servers timeout after 10 seconds
- Routing protocols converge faster: OSPF reconverges in 10 seconds, but STP is still waiting
This is why Rapid STP (RSTP) was invented. It reduces convergence to 2-6 seconds by:
- Eliminating the separate listening state
- Using "proposal and agreement" mechanism instead of waiting timers
- Allowing transition to forwarding within 1 second on some ports
Verifying Port States in IOS XE
Show Spanning-Tree Interface Status
SW2# show spanning-tree vlan 1
Interface Role Sts Cost Prio.Nbr Type
─────────────────────────────────────────────────────
Eth0/0 Root FWD 4 128.1 P2p
Eth0/1 Desg FWD 4 128.2 P2p
Eth0/2 Altn BLK 4 128.3 P2p
Eth0/3 Desg FWD 19 128.4 P2p
Eth1/0 Desg LRN 19 128.5 P2p
Eth1/1 Desg LIS 19 128.6 P2p
Eth1/2 Desg BLK 19 128.7 P2p
Columns:
- Role: Root, Desg (Designated), Altn (Alternate/Blocked), Backup
- Sts: FWD (Forwarding), BLK (Blocked), LIS (Listening), LRN (Learning)
- Cost: Link cost to root
- Prio.Nbr: Port priority and number
Reading this output:
- Eth0/0: Root port, forwarding (stable)
- Eth0/1, Eth0/3: Designated ports, forwarding (stable)
- Eth0/2: Alternate port, blocked (backup for root port)
- Eth1/0: Designated port, learning (transitioning from listening)
- Eth1/1: Designated port, listening (just became designated)
- Eth1/2: Designated port, blocked (not needed in tree)
Show Spanning-Tree Detailed Output
SW2# show spanning-tree vlan 1 detail
VLAN0001 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1, address aabb.cc00.2200
Configured hello time 2, forward delay 15, max age 20
Current root has priority 4096, address aabb.cc00.1100
Port 1 (Ethernet0/0)
Port path cost 4
Port priority 128
Port Identifier 128.1
Designated root has priority 4096, address aabb.cc00.1100
Designated bridge has priority 32768, address aabb.cc00.1100
Designated port id is 128.1
Timers: message age 2, forward delay 0
Number of transitions to forwarding state: 1
BPDU: sent 5062, received 8234
Port 2 (Ethernet0/1)
Port path cost 4
Port priority 128
Port Identifier 128.2
Designated root has priority 4096, address aabb.cc00.1100
Designated bridge has priority 32768, address aabb.cc00.2200
Designated port id is 128.2
Timers: message age 0, forward delay 0
Number of transitions to forwarding state: 1
BPDU: sent 1234, received 0
Key fields:
- Message age: How old the last BPDU is (in seconds). Should be close to 0; if it's increasing toward max age (20), the link is about to timeout
- Forward delay: Remaining time in listening or learning state (0 = none, port is stable)
- Number of transitions to forwarding state: Count of how many times this port has entered forwarding (useful for detecting instability)
- BPDU sent/received: Traffic statistics
State Transitions During Link Failure
Lab example: SW3 loses connection to root (SW1) via SW2.
Before failure:
SW3 Eth0/0: Root FWD (cost 4, upstream SW2)
BPDU timeout on Eth0/0:
→ Max age starts counting (up to 20 seconds)
→ After 20 seconds, max age expires
→ Port transitions: FWD → BLK
Next blocking period:
→ Port is now blocked, waits for BPDU from root
→ No BPDU arrives on Eth0/0
→ Port transitions: BLK → LIS (due to max age expiry promoting alternate port)
Actually, if SW3 has an alternate port to root (say Eth0/1):
→ Eth0/1 was blocked (alternate)
→ When Eth0/0 fails, Eth0/1 becomes new root port
→ Eth0/1 transitions: BLK → LIS → LRN → FWD
Timeline:
t=0: Eth0/0 loses BPDU
t=20s: Max age expires, Eth0/1 becomes root port (LIS state)
t=35s: Eth0/1 transitions to LRN state
t=50s: Eth0/1 transitions to FWD state (traffic reroutes)
This is why 802.1D is too slow for modern networks. Rapid STP improves this significantly.
Tuning Timers (Caution Required)
Changing Forward Delay
SW1(config)# spanning-tree vlan 1 forward-time 10
Reduces forwence but increases risk of temporary loops if topology has multiple hops. Cisco recommends against changing this unless absolutely necessary.
Changing Max Age
SW1(config)# spanning-tree vlan 1 max-age 10
This detects failures faster but may cause unnecessary transitions if BPDUs are delayed. Keep it 2-3x the hello timer.
Recommended Approach
Use Rapid STP (RSTP) or Rapid PVST+ instead of modifying 802.1D timers. Convergence is much faster and more reliable.
What's Next
Read Article 5: Understanding STP Timers—Hello, Forward Delay, and Max Age to master the complete timer system, including the diameter formula and how to interpret detailed show output.