STP Across VLAN Trunks: Per-Instance Operation
VLAN trunks add complexity to STP because spanning tree does not run once for the switch; it runs once per VLAN. Each VLAN has its own root bridge, root ports, designated ports and blocked ports, and therefore its own topology. On Cisco switches this is PVST+ (Per-VLAN Spanning Tree Plus), or Rapid PVST+ when each instance runs RSTP (802.1w), which is what this lab uses.
Understanding this architecture is essential because misconfiguration on a single VLAN can cascade across your entire trunk topology, causing loops or unexpected blocking. A trunk carries multiple spanning tree instances simultaneously, each unaware of the others.
Lab Topology: Multi-VLAN Trunk Setup
SW1 (Root for VLANs 10, 20, 30)
│
│ Po1 (Trunk: VLANs 10, 20, 30, 99)
│ Carries one PVST+ BPDU stream per VLAN (VLAN 99's travels untagged)
│
SW2 (Backup)
│
│ Gi0/2 (Trunk: VLANs 10, 20, 30, 99)
│
SW3
VLAN 99 is the native VLAN (untagged on 802.1Q trunks).
Per-VLAN STP Instance Configuration
Initial Configuration on SW1
SW1(config)# spanning-tree mode rapid-pvst
SW1(config)# spanning-tree vlan 10,20,30 priority 4096
SW1(config)# spanning-tree vlan 99 priority 8192
Trunk Configuration
SW1(config)# interface Po1
SW1(config-if)# description Trunk to SW2
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20,30,99
SW1(config-if)# switchport trunk native vlan 99
SW1(config-if)# spanning-tree vlan 10,20,30 cost 19000
SW1(config-if)# exit
Configuration on SW2 and SW3
SW2(config)# spanning-tree mode rapid-pvst
SW2(config)# spanning-tree vlan 10,20,30 priority 8192
SW2(config)# spanning-tree vlan 99 priority 16384
SW2(config)# interface Po1
SW2(config-if)# description Trunk to SW1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 10,20,30,99
SW2(config-if)# switchport trunk native vlan 99
SW2(config-if)# exit
SW2(config)# interface Gi0/2
SW2(config-if)# description Trunk to SW3
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 10,20,30,99
SW2(config-if)# switchport trunk native vlan 99
SW2(config-if)# exit
SW3(config)# spanning-tree mode rapid-pvst
SW3(config)# interface Gi0/0
SW3(config-if)# switchport mode trunk
SW3(config-if)# switchport trunk allowed vlan 10,20,30,99
SW3(config-if)# switchport trunk native vlan 99
SW3(config-if)# exit
Verification: Per-VLAN Root Bridge Identification
After configuration, verify each VLAN's root independently:
SW1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

SW1# show spanning-tree vlan 20

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    4116
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

SW1# show spanning-tree vlan 99

VLAN0099
  Spanning tree enabled protocol rstp
  Root ID    Priority    8291
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Key observations: the priority the switch displays is the configured value plus the VLAN ID (the extended system ID, shown as sys-id-ext), so VLAN 10 reports 4106, VLAN 20 reports 4116 and VLAN 99 reports 8291. SW1 is the root for all four VLANs: 4096 beats SW2's 8192 on VLANs 10, 20 and 30, and 8192 beats SW2's 16384 on VLAN 99. SW3 was left at the default 32768 and can never win while the other two are configured. The view from SW2 confirms this:
SW2# show spanning-tree vlan 99

VLAN0099
  Spanning tree enabled protocol rstp
  Root ID    Priority    8291
             Address     0023.47a1.ef80
             Cost        3
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16483  (priority 16384 sys-id-ext 99)
             Address     aabb.cc00.2099
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root FWD 3         128.65   P2p
Gi0/2               Desg FWD 4         128.3    P2p
SW2 sees SW1 as root for VLAN 99; its Po1 (toward SW1) is the root port and Gi0/2 (toward SW3) is designated. The root path cost is SW2's own port cost on Po1 (3 is the default short-method cost for a two-member Gigabit port-channel, which is what this lab assumes). The cost of 19000 configured on SW1's Po1 only affects the path cost SW1 would compute from BPDUs it receives there, so it changes nothing while SW1 is the root.
Show All Spanning Trees Simultaneously
Two commands give the whole picture. show spanning-tree summary lists the VLANs this switch is root for and the port-state counts per VLAN:
SW1# show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010, VLAN0020, VLAN0030, VLAN0099
Extended system ID           is enabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010                     0         0        0          1          1
VLAN0020                     0         0        0          1          1
VLAN0030                     0         0        0          1          1
VLAN0099                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
4 vlans                      0         0        0          4          4
show spanning-tree with no VLAN argument prints every instance in full, which is where the per-VLAN differences are visible at a glance:
SW1# show spanning-tree

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
             Address     0023.47a1.ef80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    4116
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4116   (priority 4096 sys-id-ext 20)
             Address     0023.47a1.ef80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    4126
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4126   (priority 4096 sys-id-ext 30)
             Address     0023.47a1.ef80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

VLAN0099
  Spanning tree enabled protocol rstp
  Root ID    Priority    8291
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8291   (priority 8192 sys-id-ext 99)
             Address     0023.47a1.ef80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
Each VLAN runs independently, with its own priority field and therefore its own election. This is the essence of PVST+.
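The election above can be reproduced in a few lines. The following is an added example, not code from the original article or from Cisco; it uses SW1's priorities and MAC address and SW2's MAC from the outputs above, while the MAC address of SW3 is an assumption. It computes the extended-system-ID priority field (the number show spanning-tree prints), elects the root per VLAN with the MAC address as tie-breaker, and reproduces the arithmetic behind spanning-tree vlan N root primary.

```python
"""Per-VLAN root election under PVST+/Rapid PVST+ with the extended system ID.
Added example, not from the article. SW3's MAC address is an assumption."""
from dataclasses import dataclass, field

MAX_PRIORITY = 61440  # 15 * 4096: the low 12 bits of the field hold the VLAN ID


@dataclass
class Switch:
    name: str
    mac: str                                  # dotted hex exactly as IOS prints it
    vlan_priority: dict = field(default_factory=dict)
    default_priority: int = 32768             # IOS default for VLANs with no explicit priority

    def configured_priority(self, vlan: int) -> int:
        return self.vlan_priority.get(vlan, self.default_priority)

    def bridge_priority(self, vlan: int) -> int:
        """16-bit priority field = configured priority + VLAN ID (sys-id-ext).
        This is the value 'show spanning-tree' prints after 'Priority'."""
        prio = self.configured_priority(vlan)
        if prio % 4096 or not 0 <= prio <= MAX_PRIORITY:
            raise ValueError(f"{self.name}: {prio} is not a multiple of 4096 in 0..{MAX_PRIORITY}")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        return prio + vlan

    def bridge_id(self, vlan: int) -> int:
        """64-bit bridge ID as compared in the election: priority field then MAC."""
        return (self.bridge_priority(vlan) << 48) | int(self.mac.replace(".", ""), 16)


def elect_root(switches, vlan: int) -> Switch:
    """Lowest bridge ID wins: lower priority field first, lower MAC breaks ties."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def root_table(switches, vlans) -> dict:
    """{vlan: name of the root} for every VLAN, one election per VLAN."""
    return {v: elect_root(switches, v).name for v in vlans}


def root_primary_priority(current_root_configured: int) -> int:
    """What 'spanning-tree vlan N root primary' programs: 24576, or, when the
    current root is already at 24576 or below, 4096 less than the current
    root's configured priority. It cannot go below 0."""
    if current_root_configured > 24576:
        return 24576
    new = current_root_configured - 4096
    if new < 0:
        raise ValueError("current root is already at the lowest possible priority")
    return new


# Priorities from the lab configuration; SW2's MAC from its show output.
SW1 = Switch("SW1", "0023.47a1.ef80", {10: 4096, 20: 4096, 30: 4096, 99: 8192})
SW2 = Switch("SW2", "aabb.cc00.2099", {10: 8192, 20: 8192, 30: 8192, 99: 16384})
SW3 = Switch("SW3", "aabb.cc00.3000")       # assumed MAC; defaults everywhere, as in the lab

if __name__ == "__main__":
    for vlan in (10, 20, 30, 99):
        root = elect_root([SW1, SW2, SW3], vlan)
        print(f"VLAN{vlan:04d}: root {root.name} priority {root.bridge_priority(vlan)} "
              f"(priority {root.configured_priority(vlan)} sys-id-ext {vlan})")
    # A VLAN nobody configured: SW2 and SW3 both sit at 32768, so the MAC decides.
    print("VLAN0040 between SW2 and SW3 only:", elect_root([SW2, SW3], 40).name)
    print("root primary from a 32768 root:", root_primary_priority(32768))
    print("root primary from an 8192 root:", root_primary_priority(8192))
```

The tie-break by MAC is why an unconfigured VLAN ends up rooted on whichever switch happens to have the lowest address, often the oldest box in the closet; it is also why root primary alone is not a durable guarantee, since it stores a plain priority computed once.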
Native VLAN and BPDU Behavior on 802.1Q Trunks
The native VLAN is special on 802.1Q trunks: its frames cross the link untagged, while every other VLAN's frames carry an 802.1Q tag. A receiving switch assigns every untagged frame to whatever it has configured as its own native VLAN, so both ends must agree on the value.
How BPDUs Travel on the Native VLAN
BPDUs follow the same rule as data frames:
- Tagged VLANs: the PVST+ BPDU for that VLAN is sent as an 802.1Q-tagged frame, and the tag tells the receiver which instance it belongs to.
- Native VLAN: the PVST+ BPDU is sent untagged, and Rapid PVST+ additionally sends a standard IEEE BPDU untagged for the same instance so that non-Cisco switches can take part in it. The receiver classifies both by its own native VLAN setting. Because that classification can be wrong, the PVST+ BPDU also carries the originating VLAN ID inside the BPDU, which is what lets a Cisco switch detect a mismatch.
Practical Impact: Native VLAN Mismatch
If SW1 and SW2 declare different native VLANs, SW1's untagged traffic (VLAN 99) is classified as VLAN 100 by SW2, and SW2's untagged traffic (VLAN 100) is classified as VLAN 99 by SW1. That applies to user frames as much as to BPDUs, so the two VLANs are effectively bridged together across the trunk.
Example misconfiguration:
SW1(config)# interface Po1
SW1(config-if)# switchport trunk native vlan 99
SW2(config)# interface Po1
SW2(config-if)# switchport trunk native vlan 100
Result: SW2 receives an untagged PVST+ BPDU whose originating-VLAN field says 99 on a port whose native VLAN is 100. It logs %SPANTREE-2-RECV_PVID_ERR and puts Po1 into a PVID-inconsistent blocking state for both VLAN 99 and VLAN 100 (%SPANTREE-2-BLOCK_PVID_PEER and %SPANTREE-2-BLOCK_PVID_LOCAL); SW1 does the same from its side. The consequences are:
- VLANs 99 and 100 stop forwarding across the trunk while the other VLANs keep working, which presents as a partial outage rather than an obvious trunk failure
- Untagged frames that cross the link before the inconsistency is detected, or on equipment that does not perform this check, leak from one VLAN into the other
- If CDP is enabled, %CDP-4-NATIVE_VLAN_MISMATCH is logged as well
Because the native VLAN is where untagged frames land, it is also the VLAN an attacker targets with 802.1Q double tagging. Keep it free of access ports, or, on platforms that support it, configure vlan dot1q tag native globally so that native-VLAN frames are tagged on trunks too.
Verification: Check Native VLAN Configuration
SW1# show interfaces Po1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      99

Port        Vlans allowed on trunk
Po1         10,20,30,99

Port        Vlans allowed and active in management domain
Po1         10,20,30,99

Port        Vlans in spanning tree forwarding state and not pruned
Po1         10,20,30,99
Ensure both ends of the trunk report the same native VLAN. If they differ, fix immediately:
SW2(config)# interface Po1
SW2(config-if)# switchport trunk native vlan 99
PVST+ BPDU Behavior on 802.1Q Trunks
How PVST+ Encodes VLAN Information
PVST+ (Per-VLAN Spanning Tree Plus) is Cisco-proprietary. It sends one BPDU per VLAN per hello interval, but it does not use a different multicast address per VLAN:
- Standard 802.1D/802.1w BPDUs are addressed to 01:80:C2:00:00:00 and carry no VLAN information at all.
- PVST+ BPDUs (also called SSTP BPDUs) are addressed to the Cisco multicast 01:00:0C:CC:CC:CD with LLC/SNAP encapsulation (OUI 00:00:0C, protocol ID 0x010B). The VLAN is identified by the 802.1Q tag on the frame and, again, by a TLV at the end of the BPDU that carries the originating VLAN ID.
On the native VLAN both kinds are sent untagged: an IEEE BPDU for the benefit of non-Cisco switches and a PVST+ BPDU for Cisco neighbours. Every other VLAN's PVST+ BPDU is tagged, which is how one trunk carries all the per-VLAN instances at once.
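To make the encoding concrete, here is an added example (not code from the article or from Cisco) that builds PVST+ BPDU frames in the format described above and parses them the way a receiving trunk port would. The frames are constructed in the script, not captured from the lab; the RST BPDU layout and the trailing originating-VLAN TLV (type 0, length 2) follow the format packet analysers show for these frames, and SW1's MAC address and priorities come from the lab. It demonstrates both the native VLAN mismatch from the previous section (the originating VLAN disagrees with the port's native VLAN) and a tagged BPDU that is classified by its tag.

```python
"""Build and parse PVST+ (SSTP) BPDU frames: how the VLAN is encoded and how a
native VLAN mismatch is detected. Added example, not code from the article;
frames are constructed here, not captured."""
import struct

SSTP_DST = bytes.fromhex("01000ccccccd")            # Cisco PVST+ BPDU multicast
IEEE_DST = bytes.fromhex("0180c2000000")            # standard 802.1D/802.1w BPDU address
LLC_SNAP = bytes.fromhex("aaaa03" "00000c" "010b")  # DSAP/SSAP/ctrl, Cisco OUI, SSTP PID
TLV_ORIGINATING_VLAN = 0x0000
RST_BODY_LEN = 36                                   # fixed RST BPDU fields incl. version-1 length
SW1_MAC = "0023.47a1.ef80"


def mac_bytes(dotted: str) -> bytes:
    return bytes.fromhex(dotted.replace(".", ""))


def build_pvst_bpdu(root_priority, root_mac, bridge_priority, bridge_mac, vlan):
    """RST BPDU body (802.1w) followed by the PVST+ originating-VLAN TLV.
    Priorities are the 16-bit fields: configured priority + sys-id-ext."""
    body = struct.pack(">HBBB", 0x0000, 0x02, 0x02, 0x3c)      # protocol, version 2, RST type, flags
    body += struct.pack(">H", root_priority) + mac_bytes(root_mac)
    body += struct.pack(">I", 0)                                 # root path cost (the root sends 0)
    body += struct.pack(">H", bridge_priority) + mac_bytes(bridge_mac)
    # port id, message age, max age, hello, forward delay (timers in 1/256 s)
    body += struct.pack(">HHHHH", 0x8041, 0, 20 * 256, 2 * 256, 15 * 256)
    body += b"\x00"                                              # version 1 length
    body += struct.pack(">HHH", TLV_ORIGINATING_VLAN, 2, vlan)   # what makes it a PVST+ BPDU
    assert len(body) == RST_BODY_LEN + 6
    return body


def build_frame(src_mac, vlan, bpdu, tagged):
    """802.3/LLC/SNAP frame. Tagged VLANs get an 802.1Q header; the native
    VLAN's BPDU is sent untagged."""
    payload = LLC_SNAP + bpdu
    frame = SSTP_DST + mac_bytes(src_mac)
    if tagged:
        frame += struct.pack(">HH", 0x8100, vlan & 0x0FFF)
    return frame + struct.pack(">H", len(payload)) + payload


def parse_frame(frame, port_native_vlan):
    """Classify the frame the way a receiving trunk port does, then compare the
    VLAN it was received on with the VLAN the sender says it belongs to."""
    dst, src, off = frame[:6], frame[6:12], 12
    tag_vlan = None
    if frame[off:off + 2] == b"\x81\x00":
        tag_vlan = struct.unpack(">H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    length = struct.unpack(">H", frame[off:off + 2])[0]
    payload = frame[off + 2:off + 2 + length]
    if dst != SSTP_DST or payload[:8] != LLC_SNAP:
        raise ValueError("not a PVST+ BPDU (IEEE BPDUs carry no VLAN information)")
    bpdu = payload[8:]
    root_priority = struct.unpack(">H", bpdu[5:7])[0]            # root ID = 2-byte priority + MAC
    root_mac = bpdu[7:13].hex()
    originating_vlan, pos = None, RST_BODY_LEN
    while pos + 4 <= len(bpdu):                                  # TLVs follow the fixed body
        ttype, tlen = struct.unpack(">HH", bpdu[pos:pos + 4])
        if ttype == TLV_ORIGINATING_VLAN and tlen == 2:
            originating_vlan = struct.unpack(">H", bpdu[pos + 4:pos + 6])[0]
        pos += 4 + tlen
    received_vlan = port_native_vlan if tag_vlan is None else tag_vlan
    return {
        "src": src.hex(), "tagged": tag_vlan is not None,
        "received_vlan": received_vlan, "originating_vlan": originating_vlan,
        "root_priority": root_priority, "root_mac": root_mac,
        # This is the condition behind %SPANTREE-2-RECV_PVID_ERR.
        "pvid_mismatch": originating_vlan is not None and originating_vlan != received_vlan,
    }


def sw1_native_bpdu():
    """What SW1 sends untagged for its native VLAN 99 (priority 8192 + 99)."""
    return build_frame(SW1_MAC, 99, build_pvst_bpdu(8291, SW1_MAC, 8291, SW1_MAC, 99), tagged=False)


def sw1_tagged_bpdu(vlan):
    """What SW1 sends for a tagged VLAN configured with priority 4096."""
    return build_frame(SW1_MAC, vlan,
                       build_pvst_bpdu(4096 + vlan, SW1_MAC, 4096 + vlan, SW1_MAC, vlan), tagged=True)


if __name__ == "__main__":
    print("SW2 native 99 :", parse_frame(sw1_native_bpdu(), port_native_vlan=99))
    print("SW2 native 100:", parse_frame(sw1_native_bpdu(), port_native_vlan=100))  # mismatch case
    print("VLAN 10 tagged:", parse_frame(sw1_tagged_bpdu(10), port_native_vlan=100))
```

Run as a script it prints three classifications: the untagged VLAN 99 BPDU arriving on a port whose native VLAN is 99 (consistent), the same frame on a port whose native VLAN is 100 (pvid_mismatch set, the RECV_PVID_ERR situation), and a tagged VLAN 10 BPDU, which is classified by its tag regardless of the native VLAN. Feeding an IEEE BPDU to parse_frame raises, because that format has no VLAN field to check.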
Interoperability with 802.1Q
A switch that runs only IEEE spanning tree (802.1D, 802.1w, or the CST of 802.1s MST) does not treat 01:00:0C:CC:CC:CD as a control address. It floods PVST+ BPDUs within the VLAN as ordinary multicast data, so Cisco switches on either side of it still see each other and the per-VLAN instances tunnel through. The IEEE-only switch itself participates only in the native VLAN instance, through the untagged IEEE BPDU, and applies whatever port state that single instance decides to every VLAN on the port. Redundant paths through such a switch are therefore loop-protected only by the native VLAN topology: a port it blocks is blocked for all VLANs, and a loop that exists only in a tagged VLAN is invisible to it.
Recommendation: run Rapid PVST+ on every Cisco switch that terminates a trunk. Where non-Cisco switches sit in the path, run MST (802.1s) on all of them instead, since MST interoperates through the IST/CST rather than through a vendor-specific BPDU format.
Trunk Pruning and STP Interaction
Restricting the allowed VLAN list on a trunk (often loosely called manual pruning) keeps VLANs that have no business on that link off it. It reduces BPDU overhead, shrinks each VLAN's topology, and limits how far a problem in one VLAN can travel. A VLAN that is not allowed on a trunk sends and receives no BPDUs on that link; the trunk simply does not exist in that VLAN's spanning tree.
Configuring Trunk Pruning
By default, all VLANs are allowed on a trunk. You can restrict this with:
SW1(config)# interface Po1
SW1(config-if)# switchport trunk allowed vlan 10,20,30,99
This trunk only carries VLANs 10, 20, 30, and 99. VLAN 50, for example, is implicitly pruned.
Impact on STP Topology
When a VLAN is not allowed on a trunk, that trunk does not appear in the VLAN's spanning tree at all:
SW1# show spanning-tree vlan 50

VLAN0050
  Spanning tree enabled protocol rstp
  Root ID    Priority    32818
             Address     0023.47a1.ef80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32818  (priority 32768 sys-id-ext 50)
             Address     0023.47a1.ef80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 4         128.3    P2p
Po1 is missing from the list: it has no role and no state in VLAN 50, even though it is forwarding for VLANs 10, 20, 30 and 99. Gi0/2 here is another port on SW1 that carries VLAN 50, and VLAN 50 traffic must leave through it. Note that VLAN 50 was never given an explicit priority, so SW1 shows the default 32768 plus the VLAN ID. If no port at all carried VLAN 50, the command would report "No spanning tree instance exists."
Dynamic VLAN Pruning (VTP)
In older networks, VLAN Trunking Protocol (VTP) pruning is easily confused with this. VTP pruning stops flooded traffic (broadcast, multicast and unknown unicast) for a VLAN from being sent down a trunk when no switch beyond it has active ports in that VLAN. It does not remove the VLAN from the trunk and it does not stop BPDUs: the VLAN still shows as allowed and active, the STP instance still runs over the link, and only the last line of show interfaces trunk ("forwarding state and not pruned") changes.
SW1# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : PINGLABZ
VTP Pruning Mode                : Enabled
Modern designs run VTP in transparent mode (VTP versions 1 and 2) or turn it off (vtp mode off, VTP version 3) and control the allowed VLAN lists by hand. Besides the added complexity, a VTP server or client that joins the domain with a higher configuration revision number overwrites the VLAN database on every switch in the domain, which is a well-known way to take a campus network down by accident or on purpose.
Common Trunk Misconfigurations Breaking STP
Misconfiguration 1: Allowed VLANs Don't Match Across Trunk
SW1:
SW1(config)# interface Po1
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW2:
SW2(config)# interface Po1
SW2(config-if)# switchport trunk allowed vlan 10,20,30,40
SW2 allows VLAN 40 on the trunk, but SW1 does not. For VLAN 40 the trunk is half-configured:
- Tagged VLAN 40 frames that SW2 sends out Po1, BPDUs included, are dropped on ingress at SW1 because the VLAN is not in SW1's allowed list, and SW1 never sends anything for VLAN 40
- SW2 therefore never receives a VLAN 40 BPDU on Po1, treats Po1 as a designated port of its own VLAN 40 tree, and forwards VLAN 40 traffic into a black hole
Compare the "Vlans allowed on trunk" line of show interfaces trunk on both switches whenever a single VLAN fails across an otherwise healthy trunk.
Fix: Match the allowed VLAN lists:
SW1(config)# interface Po1
SW1(config-if)# switchport trunk allowed vlan 10,20,30,40
Misconfiguration 2: Trunk Mode Mismatch
SW1:
SW1(config)# interface Gi0/0
SW1(config-if)# switchport mode trunk
SW2:
SW2(config)# interface Gi0/0
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 10
SW1 sends tagged frames (and DTP), while SW2 treats the link as an access port in VLAN 10. SW1's untagged native-VLAN traffic (VLAN 99) is accepted by SW2 as VLAN 10, so VLAN 99 on SW1 is bridged into VLAN 10 on SW2; the untagged PVST+ BPDU it carries announces VLAN 99, so SW2 logs %SPANTREE-2-RECV_PVID_ERR and blocks the port for the inconsistency. The tagged frames for VLANs 10, 20 and 30 are dropped by the access port (some platforms accept a tag that matches the access VLAN, which makes the behaviour platform-dependent and harder to diagnose). Either way the link does not carry the VLANs it is supposed to.
Fix: Match the mode:
SW2(config)# interface Gi0/0
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 10,20,30,99
SW2(config-if)# switchport trunk native vlan 99
Misconfiguration 3: BPDU Guard on Trunk Interfaces
If you enable BPDU Guard on a trunk interface:
SW1(config)# interface Po1
SW1(config-if)# spanning-tree bpduguard enable
Any BPDU received on Po1 (from any VLAN) puts the interface into errdisable. This immediately blocks the trunk, disconnecting all VLANs. This is almost never correct on trunk interfaces.
Why? BPDU Guard is for access ports where BPDUs should never arrive. On a trunk, BPDUs are expected and normal.
Fix: Remove BPDU Guard from trunk interfaces:
SW1(config)# interface Po1
SW1(config-if)# no spanning-tree bpduguard enable
Or configure it only for specific access ports:
SW1(config)# interface Gi1/0
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
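The three mistakes above are cheap to catch before they reach the network. The following added example (not code from the article or from Cisco) parses the interface stanzas of two running-config excerpts, constructed here to contain all three errors, and reports the mismatches. The stanza format is standard IOS, but the parser understands only the switchport and bpduguard lines used in this section, and the default values it assumes (dynamic auto, all VLANs allowed, native VLAN 1) are the IOS defaults.

```python
"""Compare both ends of a trunk for allowed-VLAN, native-VLAN, mode and BPDU
guard mismatches. Added example, not code from the article; the two config
excerpts are constructed to reproduce the misconfigurations above."""
import re


def expand_vlan_list(spec: str) -> set:
    """'10,20,30,100-102' -> {10,20,30,100,101,102}; 'all' and 'none' as in IOS."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interface(config: str, switch: str, name: str) -> dict:
    """Extract switchport and BPDU guard settings of one interface stanza
    (the indented lines after 'interface <name>'). Defaults follow IOS."""
    m = re.search(rf"^interface {re.escape(name)}[ \t]*\n((?:[ \t]+.*\n?)*)", config, re.M)
    if not m:
        raise KeyError(f"{switch}: no stanza for {name}")
    iface = {"label": f"{switch} {name}", "mode": "dynamic auto",
             "allowed": expand_vlan_list("all"), "native": 1, "access_vlan": 1, "bpduguard": False}
    for line in m.group(1).splitlines():
        words = line.split()
        if words[:2] == ["switchport", "mode"]:
            iface["mode"] = " ".join(words[2:])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            if words[4] == "add":
                iface["allowed"] |= expand_vlan_list(words[5])
            elif words[4] == "remove":
                iface["allowed"] -= expand_vlan_list(words[5])
            else:                                    # plain form replaces the whole list
                iface["allowed"] = expand_vlan_list(words[4])
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            iface["native"] = int(words[4])
        elif words[:3] == ["switchport", "access", "vlan"]:
            iface["access_vlan"] = int(words[3])
        elif words == ["spanning-tree", "bpduguard", "enable"]:
            iface["bpduguard"] = True
    return iface


def check_trunk(a: dict, b: dict) -> list:
    """Findings for one link, given the parsed stanzas of its two ends."""
    findings = []
    for side in (a, b):
        if side["mode"] != "trunk":
            findings.append(f"{side['label']} is '{side['mode']}', not a trunk")
    if a["mode"] == "trunk" and b["mode"] == "trunk":   # the rest only makes sense on a trunk
        if a["native"] != b["native"]:
            findings.append(f"native VLAN mismatch: {a['label']}={a['native']} vs "
                            f"{b['label']}={b['native']} (untagged frames and BPDUs cross VLANs)")
        for x, y in ((a, b), (b, a)):
            extra = sorted(x["allowed"] - y["allowed"])
            if extra:
                findings.append(f"VLANs {extra} allowed on {x['label']} but not on "
                                f"{y['label']}: black-holed, no BPDU exchange")
    for side in (a, b):
        if side["bpduguard"]:
            findings.append(f"BPDU guard on {side['label']}: the first BPDU errdisables the link")
    return findings


# Constructed excerpts: SW1 has BPDU guard on the trunk, SW2 has an extra VLAN
# and a different native VLAN, and SW2's Gi0/0 is an access port.
SW1_CFG = """\
interface Po1
 description Trunk to SW2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 spanning-tree bpduguard enable
!
"""
SW2_CFG = """\
interface Po1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 100
!
interface Gi0/0
 switchport mode access
 switchport access vlan 10
!
"""

if __name__ == "__main__":
    sw1 = parse_interface(SW1_CFG, "SW1", "Po1")
    for finding in check_trunk(sw1, parse_interface(SW2_CFG, "SW2", "Po1")):
        print("Po1 <-> Po1:", finding)
    for finding in check_trunk(sw1, parse_interface(SW2_CFG, "SW2", "Gi0/0")):
        print("Po1 <-> Gi0/0:", finding)
```

The allowed-list comparison is direction-aware on purpose: a VLAN present on one end only is reported from the side that will send into a black hole. Feed it the output of show running-config interface from each switch and it covers the first three misconfigurations in one pass.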
Verification: Show Trunk STP Details
Use these commands to diagnose trunk-related STP issues:
SW1# show spanning-tree detail
... (shows all VLANs and port roles in detail)
SW1# show interfaces Po1 trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      99
SW1# show spanning-tree vlan 10 | include Po1
Po1                 Desg FWD 19000     128.65   P2p
SW1# show spanning-tree vlan 20 | include Po1
Po1                 Desg FWD 19000     128.65   P2p
Each VLAN lists Po1's role and state independently. If a VLAN shows Po1 as BLK, or does not list Po1 at all, where you expected it to forward, check the allowed VLAN list, the native VLAN, and the priority and cost values configured for that VLAN.
Troubleshooting Symptom → Cause → Fix
Symptom: Single VLAN Is Blocked on a Trunk, but Others Forward
Cause: That VLAN's root bridge is on a different switch than the others, so its topology puts the alternate (blocking) port on this trunk. Or the VLAN is not allowed on the trunk, in which case the trunk is absent from that VLAN's tree rather than blocked.
Fix:
- Check which switch is the root for that VLAN:
SW1# show spanning-tree vlan 50 | include Root ID|Address
  Root ID    Priority    32818
             Address     0023.47a1.ef80
- Check whether the VLAN is allowed on the trunk:
SW1# show spanning-tree vlan 50 | include Po1
If nothing is returned, the VLAN is not allowed on Po1. Add it with the add keyword; without add, the command replaces the whole list and drops every other VLAN from the trunk:
SW1(config)# interface Po1
SW1(config-if)# switchport trunk allowed vlan add 50
- If the VLAN is allowed but Po1 shows Altn BLK, the decision is made by the non-root switch that owns the blocked port. Lower that port's cost for the VLAN (or its port priority) so it becomes the preferred path, and confirm the change is what you want for the whole VLAN topology, not just this link:
SW2(config)# interface Po1
SW2(config-if)# spanning-tree vlan 50 cost 10000
Symptom: Asymmetric STP Topology for Same VLAN on Different Switches
Cause: Different switches are root for different VLANs. That is a legitimate design when it is intentional (per-VLAN load sharing across two distribution switches). When it happens by accident it is usually a priority configured on the wrong switch, a VLAN left at the default 32768 everywhere so that the lowest MAC address wins, or a new switch joining with a lower priority than the intended root.
Fix:
- Verify root placement for each VLAN:
SW1# show spanning-tree vlan 10 | include Root ID|Address
SW1# show spanning-tree vlan 20 | include Root ID|Address
- If different switches are root and that is not intended, align the priorities. The root primary macro does the arithmetic for you:
SW1(config)# spanning-tree vlan 10,20 root primary
This sets SW1's priority for those VLANs to 24576, or, if the current root is already at 24576 or lower, to 4096 less than the current root's priority. It is a one-time calculation stored as a plain priority, so a switch that later arrives with a lower value still takes over; explicit priorities are the more predictable choice.
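A quick way to run the checks in these two symptoms across every VLAN at once is to parse show spanning-tree output. The following is an added example, not code from the article or from Cisco; SAMPLE is constructed output as it would look on SW2 (with SW2's MAC address from the earlier output), in which VLAN 20 has an unexpected root and VLAN 50 is not on the trunk. An unexpected root MAC means either a misplaced priority or a device injecting superior BPDUs, which root guard on the ports facing it prevents.

```python
"""Audit 'show spanning-tree' output for every VLAN at once: which switch is
root, and whether the uplink trunk is present and forwarding. Added example,
not code from the article. SAMPLE is constructed output, not a capture."""
import re

VLAN_RE = re.compile(r"^VLAN(\d{4})\s*$")
PRIO_RE = re.compile(r"^\s*(Root ID|Bridge ID)\s+Priority\s+(\d+)")
ADDR_RE = re.compile(r"^\s*Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS)\s+(\d+)")

# Constructed 'show spanning-tree' output as seen on SW2: VLAN 10 is healthy,
# VLAN 20 is rooted on SW2 itself, VLAN 50 has no Po1 in its instance.
SAMPLE = """\
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0023.47a1.ef80
             Cost        3
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8202   (priority 8192 sys-id-ext 10)
             Address     aabb.cc00.2099
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root FWD 3         128.65   P2p
Gi0/2               Desg FWD 4         128.3    P2p

VLAN0020
  Spanning tree enabled protocol rstp
  Root ID    Priority    8212
             Address     aabb.cc00.2099
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8212   (priority 8192 sys-id-ext 20)
             Address     aabb.cc00.2099
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 3         128.65   P2p
Gi0/2               Desg FWD 4         128.3    P2p

VLAN0050
  Spanning tree enabled protocol rstp
  Root ID    Priority    32818
             Address     aabb.cc00.2099
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32818  (priority 32768 sys-id-ext 50)
             Address     aabb.cc00.2099
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 4         128.3    P2p
"""


def parse_show_spanning_tree(text: str) -> dict:
    """Return {vlan: {'root': {...}, 'bridge': {...}, 'local_root': bool, 'ports': {...}}}."""
    vlans, cur, section = {}, None, None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            cur = {"root": {}, "bridge": {}, "local_root": False, "ports": {}}
            vlans[int(m.group(1))] = cur
            section = None
            continue
        if cur is None:
            continue
        m = PRIO_RE.match(line)
        if m:                                    # 'Address' lines belong to the last ID seen
            section = "root" if m.group(1) == "Root ID" else "bridge"
            cur[section]["priority"] = int(m.group(2))
            continue
        m = ADDR_RE.match(line)
        if m and section:
            cur[section]["mac"] = m.group(1)
            continue
        if "This bridge is the root" in line:
            cur["local_root"] = True
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"][m.group(1)] = {"role": m.group(2), "state": m.group(3), "cost": int(m.group(4))}
    return vlans


def audit(vlans: dict, expected_root_mac: str, uplink: str) -> list:
    """Flag VLANs whose root is not the intended switch and VLANs where the
    uplink is missing from the instance or not forwarding."""
    findings = []
    for vid, v in sorted(vlans.items()):
        root = v["root"]
        if root.get("mac") != expected_root_mac:
            findings.append(f"VLAN{vid:04d}: root is {root.get('mac')} (priority "
                            f"{root.get('priority')}), expected {expected_root_mac}")
        port = v["ports"].get(uplink)
        if port is None:
            findings.append(f"VLAN{vid:04d}: {uplink} absent from the instance; "
                            f"VLAN probably not allowed on the trunk")
        elif port["state"] != "FWD":
            findings.append(f"VLAN{vid:04d}: {uplink} is {port['role']} {port['state']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_spanning_tree(SAMPLE), "0023.47a1.ef80", "Po1"):
        print(finding)
```

Pipe real output in place of SAMPLE and set expected_root_mac to the MAC of the switch that should be root for the VLANs you care about; a VLAN that should legitimately be rooted elsewhere (intentional per-VLAN load sharing) needs its own expected MAC, so run the audit once per group of VLANs.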
Symptom: Native VLAN Warning in Syslog
Cause: Native VLAN mismatch on a trunk interface. The messages to look for are %CDP-4-NATIVE_VLAN_MISMATCH (from CDP, if it is enabled) and %SPANTREE-2-RECV_PVID_ERR followed by %SPANTREE-2-BLOCK_PVID_PEER or %SPANTREE-2-BLOCK_PVID_LOCAL (from spanning tree itself, which also blocks the affected VLANs on that port).
Fix:
SW1# show interfaces trunk
SW2# show interfaces trunk
Ensure both sides list the same native VLAN. Correct any mismatch:
SW2(config)# interface Po1
SW2(config-if)# switchport trunk native vlan 99
What's Next
In the next article, we'll move into troubleshooting territory. You'll learn to identify and diagnose STP loops using show commands, understand the root cause of broadcast storms, and apply containment strategies before the network collapses.