Spanning Tree Protocol (STP) helps prevent Layer 2 loops, but misconfigurations and failures can still cause network outages. Here’s how to troubleshoot common STP issues effectively.

---

🔍 1️⃣ Issue: Network Loop / Broadcast Storm

🚨 Symptoms:
✅ High CPU utilization on switches.
✅ MAC address table fluctuates rapidly.
✅ End devices lose connectivity intermittently.
✅ Excessive broadcast/multicast traffic in the network.

🔧 Troubleshooting Steps:

🔹 Step 1: Check STP Topology & Root Bridge

Switch# show spanning-tree

• Verify that the correct switch is the Root Bridge.
• Check Root Bridge ID and priority.
• If an unauthorized switch became Root, use Root Guard.

🔹 Step 2: Look for Redundant Links Without Blocking Ports

Switch# show spanning-tree blockedports

• STP should block at least one redundant port to prevent loops.
• If all links are Forwarding, a loop is present.

🔹 Step 3: Identify the Source of Excessive Traffic

Switch# show mac address-table dynamic | count

• If MAC addresses are flapping between ports, a loop exists.

🔹 Step 4: Enable BPDU Guard on Access Ports

Switch(config-if)# spanning-tree bpduguard enable

• Prevents rogue switches from joining STP.

✅ Solution: Ensure that only one active path exists between switches, and use BPDU Guard to prevent rogue switches from participating in STP.

---

🔍 2️⃣ Issue: Slow Convergence After a Link Failure

🚨 Symptoms:
✅ Connectivity drops for 30-50 seconds after a link failure.
✅ Devices unable to communicate during STP re-convergence.
✅ STP topology changes frequently.

🔧 Troubleshooting Steps:

🔹 Step 1: Check STP Timers and Mode

Switch# show spanning-tree detail

• If the mode is 802.1D (classic STP), convergence takes ~50 sec.
• Use Rapid PVST+ (802.1w) for faster failover.

🔹 Step 2: Verify Redundant Links & Active Ports

Switch# show spanning-tree interface Gi0/1

• Ensure that redundant links can take over quickly after failure.

🔹 Step 3: Enable UplinkFast & BackboneFast for Faster Recovery

Switch(config)# spanning-tree uplinkfast
Switch(config)# spanning-tree backbonefast

• UplinkFast speeds up failover for direct link failures.
• BackboneFast reduces downtime for indirect link failures.

✅ Solution: Upgrade to Rapid PVST+, and enable UplinkFast & BackboneFast for quick failover.

---

🔍 3️⃣ Issue: Unexpected Root Bridge Change

🚨 Symptoms:
✅ Sudden network instability.
✅ Traffic is rerouted inefficiently.
✅ Running show spanning-tree shows a different Root Bridge.

🔧 Troubleshooting Steps:

🔹 Step 1: Identify the Current Root Bridge

Switch# show spanning-tree root

• Compare the Root Bridge ID with the intended Root switch.
• If an unauthorized switch is Root, check its priority.

🔹 Step 2: Set the Correct Root Bridge Priority

Switch(config)# spanning-tree vlan 10 priority 4096

• Use a lower priority (default is 32768) on the intended Root Bridge.

🔹 Step 3: Enable Root Guard on Access Layer Uplinks

Switch(config-if)# spanning-tree guard root

• Prevents unauthorized switches from becoming the Root Bridge.

✅ Solution: Ensure correct Root Bridge configuration and apply Root Guard on uplinks.

---

🔍 4️⃣ Issue: Blocked Port Not Recovering (Loop Guard Issue)

🚨 Symptoms:
✅ Some ports remain in Loop-Inconsistent State indefinitely.
✅ Network outage on affected VLANs.
✅ No STP loops detected, but traffic is disrupted.

🔧 Troubleshooting Steps:

🔹 Step 1: Check the Blocked Ports

Switch# show spanning-tree inconsistentports

• If ports are in Loop-Inconsistent State, Loop Guard is blocking them.

🔹 Step 2: Verify BPDU Reception

Switch# debug spanning-tree bpdu

• If no BPDUs are received, the upstream switch may have failed or is misconfigured.

🔹 Step 3: Temporarily Disable Loop Guard & Re-enable STP

Switch(config-if)# no spanning-tree guard loop
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

• This resets STP and allows it to re-converge.

✅ Solution: Fix the BPDU reception issue and ensure the upstream switch is sending BPDUs correctly.

---

🔍 5️⃣ Issue: Fiber Link Failure Not Detected (UDLD Issue)

🚨 Symptoms:
✅ STP shows the link as active, but traffic fails.
✅ Network flapping when fiber links are in use.
✅ Half-duplex issues on fiber links.

🔧 Troubleshooting Steps:

🔹 Step 1: Check the Fiber Link State

Switch# show interfaces status
Switch# show udld neighbors

• If UDLD shows an error, the link may be unidirectional.

🔹 Step 2: Enable UDLD Aggressive Mode

Switch(config-if)# udld aggressive

• Automatically disables unidirectional links, preventing loops.

🔹 Step 3: Reset the Affected Port

Switch(config-if)# shutdown
Switch(config-if)# no shutdown

✅ Solution: Always enable UDLD Aggressive Mode on fiber links to prevent silent failures.

---

🛠 Summary of STP Troubleshooting Issues & Fixes

Issue	Symptoms	Troubleshooting Commands	Fix
Network Loop / Broadcast Storm	High CPU, MAC flapping, excessive broadcasts	show spanning-tree show mac address-table	Ensure blocked ports exist Enable BPDU Guard
Slow Convergence After Link Failure	30-50 sec downtime	show spanning-tree detail	Use Rapid PVST+ Enable UplinkFast & BackboneFast
Unexpected Root Bridge Change	Traffic rerouted, different Root ID	show spanning-tree root	Set correct Root Bridge priority Enable Root Guard
Blocked Port Not Recovering	Ports in Loop-Inconsistent State	show spanning-tree inconsistentports debug spanning-tree bpdu	Ensure BPDUs are received Reset Loop Guard
Fiber Link Failure Not Detected	No traffic, STP still active	show udld neighbors show interfaces status	Enable UDLD Aggressive Mode

---

🚀 Pro Tips for STP Troubleshooting

✅ Document your STP topology → Know the expected Root Bridge & blocked ports.
✅ Use Rapid PVST+ for faster convergence (Avoid legacy 802.1D).
✅ Enable BPDU Guard & Root Guard to prevent rogue switches.
✅ Monitor STP logs (show spanning-tree summary) to detect topology changes.
✅ Use UDLD Aggressive Mode on fiber links to prevent silent failures.

To prevent switching loops, unauthorized topology changes, and misconfigurations, Cisco offers several Spanning Tree Protocol (STP) protection mechanisms:

---

1️⃣ BPDU Guard (Prevents Unauthorized Switches)

✅ Purpose: Disables a port if it receives a BPDU.
✅ Use Case: Prevents unauthorized switches from connecting to PortFast-enabled ports.
🚨 Applies to: Access ports (where only end devices should be connected).

How BPDU Guard Works:

• If an attacker or unauthorized switch is connected to an access port running PortFast, it could participate in STP and cause loops.
• BPDU Guard immediately shuts down the port when a BPDU is received.

Configuration:

Enable on an interface:

Switch(config-if)# spanning-tree bpduguard enable

Enable globally for all PortFast ports:

Switch(config)# spanning-tree portfast bpduguard default

✅ Best Practice: Always enable BPDU Guard on end-user ports.

---

2️⃣ BPDU Filter (Stops BPDU Transmission & Reception)

✅ Purpose: Blocks BPDUs from being sent or received.
✅ Use Case: Prevents STP participation on specific ports (e.g., ISP uplinks).
🚨 Risky: Can cause loops if misused.

How BPDU Filter Works:

🔹 Interface-Level (Risky, Stops BPDUs Completely)

• If enabled, the port does not send or receive BPDUs.
• If a switch is mistakenly connected, a loop can form.

Switch(config-if)# spanning-tree bpdufilter enable

🔹 Global-Level (Safer, Works with PortFast)

• BPDUs are filtered unless a BPDU is received.
• If a BPDU is detected, STP reactivates on the port.

Switch(config)# spanning-tree portfast bpdufilter default

✅ Best Practice: Avoid using BPDU Filter unless absolutely necessary.

---

3️⃣ Root Guard (Prevents Unauthorized Root Bridges)

✅ Purpose: Blocks a port if it receives superior BPDUs (which could change the Root Bridge).
✅ Use Case: Prevents unauthorized switches from becoming the Root Bridge.
🚨 Applies to: Access layer uplinks (toward distribution/core switches).

How Root Guard Works:

• Normally, the lowest Bridge ID becomes the Root Bridge.
• If a misconfigured or malicious switch tries to take over as Root, Root Guard blocks the port.
• The port enters Root-Inconsistent State instead of forwarding.

Configuration:

Switch(config-if)# spanning-tree guard root

✅ Best Practice: Enable Root Guard on all access layer uplinks toward the Root Bridge.

---

4️⃣ Loop Guard (Prevents STP Loop Due to Unidirectional Links)

✅ Purpose: Stops STP from transitioning a blocking port to forwarding if BPDUs stop being received.
✅ Use Case: Prevents unidirectional link failures from causing loops.
🚨 Applies to: Non-designated (blocking) ports in STP.

How Loop Guard Works:

• If a port stops receiving BPDUs (e.g., due to fiber failure or misconfiguration),
  STP assumes the link is down and may transition the port to Forwarding → This causes loops!
• Loop Guard keeps the port in Loop-Inconsistent State until BPDUs are received again.

Configuration:

Switch(config-if)# spanning-tree guard loop

✅ Best Practice: Use Loop Guard on non-designated (blocking) ports in core/distribution switches.

---

5️⃣ UDLD (Unidirectional Link Detection – Prevents Silent Failures)

✅ Purpose: Detects and disables unidirectional fiber or Ethernet links.
✅ Use Case: Prevents hidden link failures that can cause STP loops.
🚨 Applies to: Fiber links and EtherChannel links.

How UDLD Works:

• If one direction of a fiber link fails (e.g., a bad fiber cable or transceiver issue),
  STP may not detect the failure and keep the link active, causing loops.
• UDLD detects unidirectional links and disables the port.

UDLD Modes:

🔹 Normal Mode – Detects issue, but STP still determines the state.

Switch(config-if)# udld enable

🔹 Aggressive Mode – Detects issue and automatically disables the port if no response.

Switch(config-if)# udld aggressive

✅ Best Practice: Use UDLD Aggressive Mode on all fiber uplinks and critical links.

---

📝 Feature Comparison Table

Feature	Purpose	Prevents	Applies To	Recovery
BPDU Guard	Blocks unauthorized switches	Unauthorized switches connecting to edge ports	End-user access ports	Manual (Shutdown state)
BPDU Filter	Stops BPDU transmission/reception	STP participation on specific ports	Trunk ports (use with caution)	Manual (Interface)
Root Guard	Prevents unauthorized Root Bridge election	A switch taking over as Root	Uplinks from access to distribution	Auto (Resumes if BPDU stops)
Loop Guard	Stops loops due to unidirectional failures	Blocking ports becoming forwarding	Blocking ports (non-designated ports)	Auto (Recovers if BPDUs resume)
UDLD	Detects & disables unidirectional links	Silent failures on fiber links	Fiber & EtherChannel links	Normal (STP decides) or Aggressive (Port shutdown)

---

🛠 Best Practices for a Secure STP Network

✅ Enable BPDU Guard on all end-user access ports to prevent rogue switches.
✅ Enable Root Guard on distribution uplinks to enforce a stable Root Bridge.
✅ Enable Loop Guard on blocking ports to prevent loops caused by link failures.
✅ Enable UDLD (Aggressive Mode) on fiber and EtherChannel links to prevent silent failures.

---

🔍 Real-World Scenario: Preventing a Rogue Switch Attack

Problem:

A junior admin accidentally connects a low-priority switch to an access port, making it the new Root Bridge. This changes the STP topology, causing massive network disruption.

Solution:

• Enable Root Guard on all uplinks.
• Enable BPDU Guard on all access ports.
• Enable BPDU Filter (Global) to prevent unnecessary BPDU processing.

✅ Result: The rogue switch is blocked immediately, preventing downtime!

Cisco introduced these STP enhancements to speed up convergence and improve network reliability. Let’s break them down!

---

1️⃣ PortFast (Edge Port)

✅ Purpose: Bypasses STP states (Listening & Learning) to immediately forward traffic.
✅ Use Case: For end-user devices (PCs, printers, servers) to reduce boot time delays.
🚨 Warning: DO NOT enable on switch-to-switch links! It can cause loops.

How PortFast Works:

Normally, when a port comes up, it transitions through:
🔸 Listening (15 sec) → Learning (15 sec) → Forwarding (Total: 30 sec delay)

With PortFast, the port immediately goes to Forwarding State.

Configuration:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree portfast

✅ Best Practice: Combine with BPDU Guard to protect against accidental loops.

Switch(config-if)# spanning-tree bpduguard enable

---

2️⃣ UplinkFast (Fast Root Port Recovery)

✅ Purpose: Speeds up failover when a primary root port fails.
✅ Use Case: Used on access switches with multiple uplinks to a distribution switch.
🚨 Applies to: Non-Root Switches with redundant uplinks.

How UplinkFast Works:

• Without UplinkFast, if the Root Port fails, STP needs ~50 seconds to transition a backup port.
• With UplinkFast, the backup port immediately takes over (~1-3 sec).

Configuration:

Switch(config)# spanning-tree uplinkfast

🔹 Automatically increases STP Bridge Priority (49152) to prevent it from becoming the Root Bridge.

---

3️⃣ BackboneFast (Fast Convergence for Indirect Failures)

✅ Purpose: Speeds up recovery for indirect link failures (failures not directly connected to the switch).
✅ Use Case: Used in core and distribution layers for rapid convergence.
🚨 Applies to: All switches in the network.

How BackboneFast Works:

• Normally, STP waits for Max Age (20 sec) before reconverging after an indirect failure.
• With BackboneFast, the switch skips Max Age and immediately starts re-converging (~5 sec).

Configuration (Enable on All Switches):

Switch(config)# spanning-tree backbonefast

---

Comparison Table: PortFast vs UplinkFast vs BackboneFast

Feature	PortFast	UplinkFast	BackboneFast
Purpose	Instant forwarding for end devices	Fast root port failover	Fast recovery from indirect failures
Where to Use?	Access ports (PCs, printers)	Access switches with redundant uplinks	Core/distribution switches
Enabled on?	Edge ports	Non-root switches	All switches
Failure Detection?	No failure detection	Detects direct link failure	Detects indirect failure
Recovery Time	0 sec	~1-3 sec	~5 sec

---

Best Practices

✅ Enable PortFast on all end-user ports (with BPDU Guard).
✅ Enable UplinkFast on access switches with redundant uplinks.
✅ Enable BackboneFast on all switches in the core/distribution layer.

Cisco switches support Per-VLAN Spanning Tree (PVST) and Rapid Per-VLAN Spanning Tree (Rapid PVST) to prevent Layer 2 loops. Let’s compare them!

---

1️⃣ What is PVST? (Per-VLAN Spanning Tree)

✅ Cisco proprietary version of STP.
✅ Runs one STP instance per VLAN.
✅ Based on IEEE 802.1D (classic STP) → Slow (50 sec convergence).
✅ Each VLAN can have a different Root Bridge, optimizing traffic flow.

How PVST Works:

• Each VLAN has its own STP topology.
• If there are 100 VLANs, the switch runs 100 STP instances.
• Can lead to high CPU usage on large networks.

Example Command to Enable PVST:

Switch(config)# spanning-tree mode pvst

---

2️⃣ What is Rapid PVST? (Rapid Per-VLAN Spanning Tree)

✅ Cisco enhancement of Rapid Spanning Tree (RSTP – 802.1w).
✅ Runs one RSTP instance per VLAN.
✅ Faster convergence (<6 seconds) than PVST.
✅ Uses Port Roles & Link Types for quick transitions.

Key Features of Rapid PVST:

• Alternate & Backup Ports speed up recovery.
• Discards Listening State → Faster transition to Forwarding State.
• Works best with Point-to-Point links (Full-Duplex).

Example Command to Enable Rapid PVST:

Switch(config)# spanning-tree mode rapid-pvst

---

3️⃣ PVST vs. Rapid PVST – Feature Comparison

Feature	PVST (802.1D)	Rapid PVST (802.1w)
Convergence Time	50 sec (Slow)	<6 sec (Fast)
Per-VLAN STP?	✅ Yes	✅ Yes
BPDU Exchange	Every 2 sec	Every 2 sec
Port Roles	Root, Designated, Blocking	Root, Designated, Alternate, Backup
Listening State?	✅ Yes	❌ No (Removed)
Loop Prevention	✅ Yes	✅ Yes (Faster Recovery)
CPU/Memory Usage	High (Multiple STP Instances)	High (Multiple RSTP Instances)

---

4️⃣ When to Use PVST or Rapid PVST?

✅ Use PVST if:

• You have legacy Cisco switches that do not support RSTP.
• Your network is small, and convergence speed isn’t critical.

✅ Use Rapid PVST if:

• You need faster convergence to reduce downtime.
• You have a modern Cisco network with full RSTP support.
• Your network has high availability requirements.

🚀 Recommendation: Always use Rapid PVST for better performance and quick recovery.

Scenario: Network Loop and High CPU Usage

Company ABC has a redundant Layer 2 network using Rapid Spanning Tree Protocol (RSTP). Users report network slowdowns, high latency, and intermittent connectivity. The network administrator notices that CPU usage on the core switch is spiking to 90%.

Symptoms Observed:

✅ High CPU usage on switches.
✅ Excessive broadcast traffic flooding the network.
✅ Some switches show MAC address table instability.
✅ Some ports frequently transition between forwarding and blocking.

---

Step 1: Verify STP Status

🔍 First, check the spanning-tree topology:

Switch# show spanning-tree

🚨 Key Issues to Look For:

• Multiple Root Bridges (should be only one).
• Ports frequently changing state.
• Unexpected Root Port (RP) or Designated Port (DP) assignments.

---

Step 2: Check the Root Bridge

✅ Find the Root Bridge by running:

Switch# show spanning-tree root

🔍 Expected Output: The same switch should be the Root Bridge across all switches.
🚨 Issue? If multiple Root Bridges exist, STP isn’t working properly.

✅ Fix: Set priority manually on the intended Root Bridge:

Switch(config)# spanning-tree vlan 1 priority 4096

(Default priority is 32768; lower value wins.)

---

Step 3: Check Port Roles & Path Cost

🔍 Verify if incorrect ports are blocking or forwarding:

Switch# show spanning-tree interface GigabitEthernet0/1

🚨 Issue? If a port has unexpectedly high path cost, traffic may be taking the wrong path.

✅ Fix: Manually adjust the STP cost to prefer the desired path:

Switch(config-if)# spanning-tree cost 2

---

Step 4: Look for Erroneous Trunking & VLAN Mismatches

🔍 Check trunk configuration:

Switch# show interfaces trunk

🚨 Issue? If Native VLAN mismatches exist on trunk links, STP can behave unexpectedly.

✅ Fix: Ensure both ends of the trunk have the same Native VLAN:

Switch(config-if)# switchport trunk native vlan 10

---

Step 5: Identify Redundant Links & Loops

🔍 Look for physical loops by checking MAC address flapping:

Switch# show mac address-table dynamic | include (flapping|changing)

🚨 Issue? MAC addresses rapidly appearing on different interfaces indicate a loop.

✅ Fix: Shut down suspected interfaces and check if the issue resolves:

Switch(config-if)# shutdown

If confirmed, check BPDU Guard, Root Guard, and Loop Guard settings.

---

Step 6: Enable STP Protection Features

✅ Enable BPDU Guard to prevent unauthorized switches from participating:

Switch(config-if)# spanning-tree bpduguard enable

✅ Enable Root Guard to prevent unintended Root Bridges:

Switch(config-if)# spanning-tree guard root

✅ Enable Loop Guard to protect against unidirectional link failures:

Switch(config-if)# spanning-tree guard loop

---

Step 7: Monitor & Confirm Fixes

After making changes, verify STP stability:

Switch# show spanning-tree summary

✅ Ensure:
✔ Only one Root Bridge exists.
✔ Ports remain stable (not continuously changing states).
✔ No unexpected blocked ports or loops.

---

🎯 Conclusion: How We Fixed the Issue

✅ We verified and corrected the Root Bridge.
✅ We fixed VLAN mismatches on trunk links.
✅ We identified and shut down a looping redundant link.
✅ We enabled STP protection features to prevent future issues.

🚀 Result: Network performance improved, CPU usage dropped, and users experienced normal connectivity again!

1️⃣ The Problem: Why Do We Need STP?

In a redundant Layer 2 network, multiple paths exist between switches to improve reliability. However, this can cause switching loops, leading to:

🚨 Broadcast Storms – Frames endlessly circulate, consuming bandwidth.
🚨 MAC Table Instability – Switches receive frames on multiple interfaces, confusing MAC address learning.
🚨 Multiple Frame Copies – The same frame reaches the destination multiple times.

Example: A Loop Without STP

• PC1 sends a broadcast frame.
• SW1 and SW2 forward the frame to each other endlessly.
• The network becomes unusable due to excessive traffic.

---

2️⃣ STP: The Solution to Prevent Loops

Spanning Tree Protocol (STP) ensures a loop-free topology by:
✅ Electing a Root Bridge.
✅ Assigning Port Roles (Root, Designated, Blocking).
✅ Blocking redundant paths while keeping a backup route ready.

---

3️⃣ Step-by-Step: How STP Works

Step 1: Root Bridge Election

• All switches send Bridge Protocol Data Units (BPDUs) to elect a Root Bridge.
• The switch with the lowest Bridge ID (Priority + MAC) becomes the Root Bridge.

📝 Bridge ID = Priority (Default: 32768) + MAC Address
✅ Lower priority wins (MAC address used as a tiebreaker).

---

Step 2: Assigning Port Roles

Once the Root Bridge is chosen, all switches determine the best path to reach it.

🔹 Root Port (RP) – The best path to the Root Bridge (lowest cost).
🔹 Designated Port (DP) – The forwarding port on each segment.
🔹 Blocking Port (BP) – Redundant path, blocked to prevent loops.

STP Path Cost (Default IEEE 802.1D)

Link Speed	STP Cost
10 Mbps	100
100 Mbps	19
1 Gbps	4
10 Gbps	2

✅ The lower the cost, the better the path!

---

Step 3: Ports Transition Through STP States

To prevent loops, STP gradually transitions ports through different states:

1️⃣ Blocking – Listens for BPDUs but does NOT forward traffic.
2️⃣ Listening – Processes BPDUs, but still no forwarding.
3️⃣ Learning – Starts learning MAC addresses.
4️⃣ Forwarding – Fully operational, forwarding traffic.

🚨 Total Convergence Time: 50 sec (STP), <6 sec (RSTP)!

---

Step 4: Handling Network Changes

If a link fails, STP automatically reconfigures by:

• Unblocking a previously blocked port to restore connectivity.
• Sending new BPDUs to update switch topology.

✅ This prevents downtime while maintaining a loop-free network.

---

4️⃣ STP Variants for Faster Convergence

STP Type	Features	Convergence Time
STP (802.1D)	Standard, slow (50 sec)	50 sec
RSTP (802.1w)	Rapid recovery, new port roles	<6 sec
MSTP (802.1s)	Optimized for multiple VLANs	<6 sec
PVST+ (Cisco)	Per-VLAN STP instance	50 sec (STP) / Fast (PVST+)

---

5️⃣ STP Troubleshooting Commands

🔍 Check STP Status

Switch# show spanning-tree

🔍 Check Root Bridge

Switch# show spanning-tree root

🔍 Check Active Ports

Switch# show spanning-tree interface GigabitEthernet0/1

---

Conclusion

Spanning Tree Protocol (STP) prevents loops in a redundant Layer 2 network by selecting a Root Bridge, assigning port roles, and blocking unnecessary paths.

STP operates by transitioning ports through different states to avoid loops while still allowing network connectivity. Each port in STP can be in one of the following states:

---

1️⃣ Disabled State

🔴 Not part of STP operation

• The port is administratively shut down or physically disconnected.
• No BPDU (Bridge Protocol Data Unit) frames are sent or received.

🔹 Command to Disable a Port:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown

---

2️⃣ Blocking State

🟡 Prevents network loops

• The port listens for BPDUs but does NOT forward traffic.
• The switch does not learn MAC addresses on this port.
• Used for backup links that will only be activated if needed.

🔹 When does a port stay in Blocking?

• When a redundant link exists and a better path is available.
• If the port receives a superior BPDU from another switch.

🔹 Verification Command:

Switch# show spanning-tree

---

3️⃣ Listening State (15 sec, STP only)

🟠 Preparing to forward

• The port is evaluating BPDUs to determine its role (Root, Designated, or Blocking).
• The port is NOT forwarding frames yet.

🔹 Why does it exist?

• To prevent temporary loops before full STP convergence.

---

4️⃣ Learning State (15 sec, STP only)

🔵 Learning MAC addresses

• The switch starts learning MAC addresses but does NOT forward traffic yet.
• The port continues to process BPDUs.

🔹 Why does it exist?

• Helps build the MAC address table before forwarding starts.

---

5️⃣ Forwarding State

🟢 Port is fully operational

• The port forwards traffic normally.
• It learns MAC addresses and processes BPDUs.

🔹 Conditions for Forwarding:

• The port is a Root Port (RP) or Designated Port (DP).
• No superior BPDUs are received.

🔹 Verification Command:

Switch# show spanning-tree interface GigabitEthernet0/1

---

Port State Transition Diagram (STP – 802.1D)

   Blocking → Listening → Learning → Forwarding
         |                                  ↑
         |——> (If better path found) ——→ |

🚨 Total Convergence Time in Classic STP: ~50 sec

---

STP vs RSTP Port States

RSTP (802.1w) removes Listening State and introduces new roles:

STP (802.1D)	RSTP (802.1w)	Function
Blocking	Discarding	Blocks traffic, prevents loops
Listening	(Removed)	Not needed in RSTP
Learning	Learning	Learns MAC addresses
Forwarding	Forwarding	Normal data forwarding

🚀 RSTP Converges in <6 seconds!

Spanning Tree Protocol (STP) is a Layer 2 protocol designed to prevent loops in a switched network. It ensures there is only one active path between switches, preventing broadcast storms, MAC table instability, and duplicate frames.

Why is STP Needed?

In a redundant network, loops can form because switches forward Ethernet frames without a TTL (Time-to-Live) like routers do. Without STP:
🔴 Broadcast storms overwhelm the network.
🔴 MAC table flapping occurs as switches receive the same frame from multiple paths.
🔴 Multiple frame copies reach the destination, causing confusion.

How STP Works

STP builds a loop-free logical topology by:
✅ Electing a Root Bridge (central switch for path calculations).
✅ Blocking redundant paths to prevent loops.
✅ Allowing backup paths to become active if the primary fails.

---

STP Election and Port Roles

1️⃣ Root Bridge Election

• Switch with the lowest Bridge ID (BID) becomes the Root Bridge.
• Bridge ID = Priority (default: 32768) + MAC address.
• The Root Bridge acts as the reference point in the network.

2️⃣ STP Port Roles

Once the Root Bridge is elected, STP assigns roles to switch ports:

Port Role	Description
Root Port (RP)	The best path to the Root Bridge (only one per switch).
Designated Port (DP)	Forwarding port on each segment (best path to Root).
Blocking Port (BP)	A backup path that does not forward traffic (to prevent loops).

---

STP Timers & Convergence

STP takes 50 seconds to converge (transition to a loop-free state).

• Hello Timer: 2 seconds (BPDU exchange interval).
• Listening (15s) → Learning (15s) → Forwarding.

✅ Fast Convergence? Use Rapid Spanning Tree Protocol (RSTP)!

---

Types of STP

Type	Features	Convergence Time
Classic STP (802.1D)	Standard version, slow convergence	50 sec
Rapid STP (802.1w)	Faster convergence, uses alternate ports	<6 sec
Multiple STP (802.1s)	Supports multiple VLANs in one instance	<6 sec
Per VLAN STP (PVST/PVST+)	Separate STP instance for each VLAN (Cisco)	50 sec (STP) / Fast (PVST+)

---

Basic STP Configuration (Cisco)

1️⃣ Set STP Mode

bashCopyEditSwitch(config)# spanning-tree mode rapid-pvst  # Use RSTP for fast convergence

2️⃣ Manually Set Root Bridge Priority

bashCopyEditSwitch(config)# spanning-tree vlan 10 priority 4096

📌 Lower priority wins! Default is 32768.

3️⃣ Verify STP Status

bashCopyEditSwitch# show spanning-tree

---

Troubleshooting STP Issues

Issue	Possible Cause	Solution
Switch not Root Bridge	Another switch has lower priority	Manually configure spanning-tree vlan X priority Y
Network loops	STP disabled/misconfigured	Ensure STP is enabled (show spanning-tree)
Slow convergence	Using classic STP (802.1D)	Use RSTP (802.1w) for faster recovery

---

Conclusion

STP is essential for loop prevention in Layer 2 networks. By selecting a Root Bridge, defining port roles, and blocking redundant links, it ensures a stable network. 🚀

Scenario:

A network administrator configures EtherChannel between two Cisco switches using LACP, but the link is not forming, and some VLANs are not passing traffic.

Network Setup:

• Two switches: SW1 and SW2
• Ports Gi0/1 and Gi0/2 are used for EtherChannel.
• VLANs 10, 20, and 30 should be allowed on the trunk.

---

Step 1: Verify EtherChannel Status

Check the current EtherChannel summary on SW1

SW1# show etherchannel summary

Output:

Group  Port-channel  Protocol  Ports
------  ------------  --------  ------------------------
1      Po1(SD)       LACP      Gi0/1(P) Gi0/2(D)

🚨 Problem Detected:

• “SD” (Layer 2, Down): The EtherChannel is configured but not operational.
• “D” (Down): Gi0/2 is not active in the group.

---

Step 2: Check Interface Configurations

Check Gi0/1 and Gi0/2 settings

SW1# show running-config interface Gi0/1
SW1# show running-config interface Gi0/2

Output (SW1):

interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode
!
interface GigabitEthernet0/2
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode

Check the same on SW2

bashCopyEditSW2# show running-config interface Gi0/1
SW2# show running-config interface Gi0/2

Output (SW2):

interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode
!
interface GigabitEthernet0/2
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode

🚨 Problem Detected:

• Both sides are set to “passive” in LACP.
• LACP requires at least one side to be “active” to initiate EtherChannel.

✅ Fix: Change SW1 to “active”

SW1(config)# interface range Gi0/1 - 2
SW1(config-if-range)# channel-group 1 mode active
SW1(config-if-range)# exit

👉 Expected Result: LACP will now negotiate the EtherChannel.

---

Step 3: Verify if the EtherChannel is Now Up

SW1# show etherchannel summary

Output (Expected):

cssCopyEditGroup  Port-channel  Protocol  Ports
------  ------------  --------  ------------------------
1      Po1(SU)       LACP      Gi0/1(P) Gi0/2(P)

✅ “SU” (Layer 2, Up) means EtherChannel is working!
✅ “P” (Port is active in EtherChannel) shows both interfaces are bundled.

---

Step 4: Verify VLANs on the Trunk

If VLAN traffic is still not passing, check allowed VLANs on the trunk:

SW1# show interfaces trunk

Output:

Port      Mode         Encapsulation  Status        Allowed VLANs
Po1       on          802.1q         trunking      1,10,20,30

🚨 Problem Detected:

• VLAN 1 is allowed by default but is not needed.

✅ Fix: Explicitly allow VLANs

SW1(config)# interface Port-channel 1
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW1(config-if)# exit

👉 Now, only the necessary VLANs are allowed.

---

Step 5: Final Verification

Check VLANs Allowed on Trunk

SW1# show interfaces trunk

✅ Expected Output:

Port      Mode         Encapsulation  Status        Allowed VLANs
Po1       on          802.1q         trunking      10,20,30

Check Spanning Tree

# show spanning-tree active

✅ Ensure Port-Channel 1 is forwarding traffic.

---

Summary of Troubleshooting Steps

Issue	Cause	Solution
EtherChannel is down (SD)	Both sides set to passive in LACP	Change one side to active.
One port is down (D)	Speed/duplex mismatch	Set speed/duplex manually.
VLAN traffic not passing	VLANs not allowed on the trunk	Use switchport trunk allowed vlan X.
STP blocking the EtherChannel	Spanning Tree treating Port-Channel as a loop	Check show spanning-tree and adjust priority.

---

Best Practices for EtherChannel Configuration

✅ Use LACP instead of PAgP (open standard, more stable).
✅ Manually set trunk mode on Port-Channel interfaces (switchport mode trunk).
✅ Ensure the same speed, duplex, and VLAN settings on both sides.
✅ Check for STP blocking with show spanning-tree.
✅ Use show etherchannel summary to monitor link status.

---

Conclusion

In this real-world case, the EtherChannel was down due to LACP passive mode on both switches. Changing one side to active resolved the issue. Additionally, VLAN traffic issues were fixed by explicitly allowing the required VLANs.