Spanning Tree Protocol – Concepts & Operation
1. What Is STP and Why Does It Exist?
Spanning Tree Protocol (STP) is a Layer 2 network protocol defined in IEEE 802.1D that prevents switching loops in Ethernet networks with redundant paths. Without STP, a broadcast frame entering a looped topology would circulate indefinitely — a condition called a broadcast storm — consuming all available bandwidth and crashing connected devices within seconds.
Redundant switch links are desirable for high availability, but they create loops at Layer 2. Unlike Layer 3 (where the IP TTL field prevents infinite loops), Layer 2 Ethernet frames have no TTL equivalent. STP solves this by logically blocking one or more redundant ports while keeping them available for failover if the active path fails.
| Problem Without STP | How STP Solves It |
|---|---|
| Broadcast storms — frames loop endlessly | Blocks redundant ports so only one active path exists per VLAN |
| MAC address table instability — same MAC seen on multiple ports | Single active topology prevents conflicting MAC learning |
| Duplicate frames delivered to hosts | One logical path ensures frames arrive only once |
| Network outage from a single link failure with no redundancy | Blocked ports automatically unblock when active path fails (convergence) |
2. STP Versions at a Glance
Before diving into how STP works, it helps to know which version you are studying. All versions share the same core concepts (BPDUs, root bridge, port states/roles) but differ in convergence speed and per-VLAN support.
| Version | Standard | Convergence Time | VLAN Support | Notes |
|---|---|---|---|---|
| STP (Classic) | IEEE 802.1D-1998 | 30–50 seconds | Single instance (CST) | Original standard; slow convergence |
| PVST+ | Cisco proprietary | 30–50 seconds | One instance per VLAN | Allows per-VLAN root bridge tuning |
| RSTP | IEEE 802.1W (merged into 802.1D-2004) | 1–2 seconds | Single instance | Rapid convergence; replaces classic STP |
| Rapid PVST+ | Cisco proprietary (RSTP per VLAN) | 1–2 seconds | One instance per VLAN | Default on modern Cisco switches |
| MSTP | IEEE 802.1S | 1–2 seconds | Multiple VLANs mapped to instances | Scales better than per-VLAN STP |
This page focuses on classic 802.1D STP concepts that underpin all versions. See RSTP and PVST+ for the enhancements.
3. Bridge Protocol Data Units (BPDUs)
STP switches communicate using special Layer 2 frames called Bridge Protocol Data Units (BPDUs). BPDUs carry the information switches need to elect the root bridge, calculate path costs, and determine port roles and states.
3.1 BPDU Types
| BPDU Type | Purpose | Sent By |
|---|---|---|
| Configuration BPDU | Used during normal STP operation — carries root bridge info, path costs, port states, and timers | Root bridge (every Hello interval); other switches relay them |
| Topology Change Notification (TCN) BPDU | Sent upstream toward the root bridge when a port transitions state (e.g., a link goes down) | Non-root switch detecting a topology change |
| Topology Change Acknowledgment (TCA) BPDU | Sent back to acknowledge receipt of a TCN | Switch receiving the TCN |
3.2 Key BPDU Fields
| Field | Size | Description |
|---|---|---|
| Protocol ID | 2 bytes | Always 0x0000 for STP |
| Version | 1 byte | 0 = STP, 2 = RSTP, 3 = MSTP |
| Flags | 1 byte | Topology Change (TC) and TC Acknowledgment bits |
| Root Bridge ID | 8 bytes | Bridge priority (2 bytes) + MAC address (6 bytes) of the elected root |
| Root Path Cost | 4 bytes | Cumulative cost from the sending switch to the root bridge |
| Sender Bridge ID | 8 bytes | Bridge priority + MAC address of the switch sending this BPDU |
| Port ID | 2 bytes | Port priority + port number of the port sending this BPDU |
| Message Age | 2 bytes | Age of the BPDU since it was originated at the root; used for Max Age timer |
| Max Age | 2 bytes | Default 20 seconds — how long a switch stores a BPDU before discarding it |
| Hello Time | 2 bytes | Default 2 seconds — interval between Configuration BPDUs sent by the root |
| Forward Delay | 2 bytes | Default 15 seconds — time spent in Listening and Learning states each |
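The field layout above, decoded in code. This is an added example, not part of the original page: it parses a 35-byte Configuration BPDU, including the 1-byte BPDU Type field that sits between Version and Flags in the frame but is not listed in the table, and converts the timers from their on-wire unit of 1/256 second. The function names, the `advertises_better_root` monitoring check, and the sample frame are constructed for illustration.

```python
import struct

# 802.1D Configuration BPDU, 35 bytes, network byte order. The 1-byte BPDU
# Type field (0x00 = Configuration) follows Version in the frame.
BPDU_LAYOUT = struct.Struct("!HBBB8sI8sHHHHH")

def bridge_id(raw):
    """Split an 8-byte Bridge ID into (priority, MAC string)."""
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02X}" for b in raw[2:])

def parse_config_bpdu(payload):
    """Decode a Configuration BPDU; raise ValueError on malformed input."""
    if len(payload) < BPDU_LAYOUT.size:
        raise ValueError(f"truncated BPDU: {len(payload)} bytes")
    (proto, version, bpdu_type, flags, root, cost, sender, port_id,
     msg_age, max_age, hello, fwd_delay) = BPDU_LAYOUT.unpack_from(payload)
    if proto != 0x0000 or bpdu_type != 0x00:
        raise ValueError("not an STP Configuration BPDU")
    return {
        "version": version,
        "tc": bool(flags & 0x01),    # Topology Change bit
        "tca": bool(flags & 0x80),   # Topology Change Acknowledgment bit
        "root": bridge_id(root),
        "root_path_cost": cost,
        "sender": bridge_id(sender),
        "port_id": port_id,
        # Timer fields are encoded in units of 1/256 second.
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }

def advertises_better_root(bpdu, expected_root):
    """True if the BPDU names a root whose Bridge ID beats the expected one."""
    priority, mac = expected_root
    return bpdu["root"] < (priority, mac.upper())

# Constructed sample: SW2 relaying SW1 as root, cost 19, default timers, TC set.
SAMPLE_BPDU = BPDU_LAYOUT.pack(
    0x0000, 0, 0x00, 0x01,
    (32768).to_bytes(2, "big") + bytes.fromhex("000A00000001"), 19,
    (32768).to_bytes(2, "big") + bytes.fromhex("000A00000002"), 0x8002,
    1 * 256, 20 * 256, 2 * 256, 15 * 256)

if __name__ == "__main__":
    bpdu = parse_config_bpdu(SAMPLE_BPDU)
    print(bpdu)
    print("unexpected root:", advertises_better_root(bpdu, (32768, "00:0A:00:00:00:01")))
```

A BPDU for which `advertises_better_root` returns true against the switch you configured as root means some other bridge would win the election, which is worth alerting on wherever BPDUs are captured.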
3.3 STP Timers Summary
| Timer | Default Value | Purpose |
|---|---|---|
| Hello Time | 2 seconds | How often the root bridge sends Configuration BPDUs |
| Forward Delay | 15 seconds | Time a port spends in each of the Listening and Learning states |
| Max Age | 20 seconds | How long a switch retains a BPDU before declaring the root unreachable |
Total worst-case convergence time for classic STP:
Max Age + 2 × Forward Delay = 20 + 15 + 15 = 50 seconds
4. Root Bridge Election
The root bridge is the logical centre of the STP topology. All path cost calculations are made relative to the root bridge. Every switch starts up believing it is the root and advertises its own Bridge ID in BPDUs. Through BPDU exchange, switches agree on one root bridge — the switch with the lowest Bridge ID.
4.1 Bridge ID Structure
The Bridge ID (BID) is 8 bytes total:
| Component | Size | Default / Range | Notes |
|---|---|---|---|
| Bridge Priority | 2 bytes (16 bits) | Default: 32768 (0x8000) | Must be a multiple of 4096 in PVST+ (extended system ID uses lower 12 bits for VLAN ID) |
| MAC Address | 6 bytes (48 bits) | Switch's burned-in MAC | Tiebreaker when priorities are equal — lower MAC wins |
4.2 Election Process Step by Step
| Step | Action |
|---|---|
| 1 | Every switch sends Configuration BPDUs advertising itself as root (its own Bridge ID as the Root Bridge ID field) |
| 2 | Each switch compares received BPDUs to its own. If the received BPDU has a lower Root Bridge ID, the switch updates its stored root information and stops advertising itself as root |
| 3 | The switch with the lowest priority wins. If priorities are equal, the switch with the lowest MAC address becomes root |
| 4 | Once elected, only the root bridge originates Configuration BPDUs every Hello interval. All other switches relay them downstream |
4.3 Influencing the Root Bridge Election
In production networks, you should manually control which switch becomes root rather than relying on the lowest MAC address (which is unpredictable and may not be the most capable switch).
| Method | Command (Cisco IOS) | Result |
|---|---|---|
| Set priority manually | spanning-tree vlan 1 priority 4096 | Lower value (e.g., 4096) beats default 32768 — switch becomes root |
| Use root primary macro | spanning-tree vlan 1 root primary | Automatically sets priority to 24576 (or lower if needed to win) |
| Use root secondary macro | spanning-tree vlan 1 root secondary | Sets priority to 28672 — becomes root if primary fails |
See Root Bridge Election (Detailed) and the Spanning Tree Root Bridge Lab for full configuration walkthrough.
5. STP Port Roles
After the root bridge is elected, each switch determines the role of every port. Port roles define a port's function in the STP topology.
| Port Role | Description | State |
|---|---|---|
| Root Port (RP) | The single port on each non-root switch that has the lowest-cost path to the root bridge. Every non-root switch has exactly one root port. | Forwarding |
| Designated Port (DP) | The port on each network segment (link) that has the best path toward the root bridge for that segment. All ports on the root bridge are designated. One designated port exists per segment. | Forwarding |
| Non-Designated Port (Blocked) | Any port that is neither a root port nor a designated port. These ports are placed in Blocking state to break the loop. They still receive BPDUs but do not forward data frames. | Blocking |
| Disabled Port | An administratively shut-down port. It participates in no STP activity. | Disabled |
5.1 Path Cost Values
The path cost is the metric STP uses to determine the best path to the root bridge. Lower cost = better path. Cisco uses these standard cost values:
| Link Speed | IEEE Short-Mode Cost | IEEE Long-Mode Cost |
|---|---|---|
| 10 Mbps | 100 | 2,000,000 |
| 100 Mbps | 19 | 200,000 |
| 1 Gbps | 4 | 20,000 |
| 10 Gbps | 2 | 2,000 |
The root path cost is accumulated as BPDUs travel from the root bridge. Each switch adds the cost of its incoming port to the root path cost field before forwarding the BPDU. The port with the lowest accumulated root path cost to the root bridge becomes the root port.
See STP Port Roles / PortFast for tiebreaker rules when path costs are equal.
6. STP Port States
After determining port roles, STP places each port through a series of port states. Port states control whether a port can send or receive BPDUs, learn MAC addresses, and forward data frames. Classic 802.1D STP defines five port states.
| Port State | Receives BPDUs? | Sends BPDUs? | Learns MACs? | Forwards Data? | Duration |
|---|---|---|---|---|---|
| Blocking | ✔ Yes | ✘ No | ✘ No | ✘ No | Up to 20 s (Max Age) — if no BPDU received |
| Listening | ✔ Yes | ✔ Yes | ✘ No | ✘ No | 15 s (Forward Delay) |
| Learning | ✔ Yes | ✔ Yes | ✔ Yes | ✘ No | 15 s (Forward Delay) |
| Forwarding | ✔ Yes | ✔ Yes | ✔ Yes | ✔ Yes | Normal operation (indefinite) |
| Disabled | ✘ No | ✘ No | ✘ No | ✘ No | Administratively shut down |
6.1 State Transition Flow
When a switch port is first activated, it moves through the states in order:
Blocking → Listening → Learning → Forwarding
A port jumps directly to Blocking if it is a non-designated port (to prevent a loop) or skips to Forwarding if it is configured with PortFast (edge ports only — never use PortFast on switch-to-switch links).
6.2 State Descriptions
Blocking
The initial state of all ports when STP starts, and the steady state for non-designated ports. A port in Blocking discards all incoming data frames and does not learn MAC addresses. It does receive BPDUs so it can monitor the network for topology changes. If the Max Age timer expires (no BPDU received for 20 seconds), the port moves to Listening.
Listening
The port participates in the STP election — sending and receiving BPDUs — but still does not forward data or learn MAC addresses. The purpose is to allow the switch to confirm its port role (root port or designated port) before opening the port for traffic. Duration: 15 seconds (Forward Delay).
Learning
The port now begins populating the MAC address table from incoming frames but still does not forward data. This pre-loading of the MAC table prevents a flood of unknown unicast frames the moment the port starts forwarding. Duration: 15 seconds (Forward Delay).
Forwarding
The port fully participates in the network — receiving and sending data frames, learning MAC addresses, and processing BPDUs. Only root ports and designated ports reach Forwarding state.
Disabled
The port has been administratively shut down using the shutdown command. It does not participate in STP at all and cannot receive or send any frames.
7. STP Convergence
Convergence is the process by which all switches in the network agree on a single loop-free topology. During convergence, no data forwarding occurs on ports that are transitioning states. Classic 802.1D STP has slow convergence — up to 50 seconds — which is why RSTP was developed.
7.1 Initial Convergence (Network Startup)
| Phase | Time | What Happens |
|---|---|---|
| BPDU Exchange & Root Election | ~1–2 s | Switches exchange BPDUs; lowest Bridge ID wins root election |
| Root Port & Designated Port Selection | ~1–2 s | Each switch determines best port to reach root; one DP per segment chosen |
| Listening State | 15 s | Ports confirm roles; BPDUs sent/received; no data forwarded |
| Learning State | 15 s | Ports build MAC table; no data forwarded |
| Forwarding | — | Root ports and designated ports begin forwarding data traffic |
7.2 Topology Change Convergence (Link Failure)
When an active link fails, the downstream switch detects the loss and begins the convergence process:
| Step | Action |
|---|---|
| 1 | Switch detects link failure on its root port |
| 2 | Switch waits up to Max Age (20 s) for BPDUs before beginning transition on an alternate port |
| 3 | The previously Blocking port transitions: Blocking → Listening (15 s) → Learning (15 s) → Forwarding |
| 4 | A TCN BPDU is sent upstream to the root bridge to notify of the change |
| 5 | Root bridge sets the TC flag in Configuration BPDUs, causing all switches to shorten their MAC address table aging timer from 300 s to Forward Delay (15 s) to flush stale entries |
7.3 STP Enhancements That Speed Convergence
| Feature | Benefit | Learn More |
|---|---|---|
| PortFast | Skips Listening and Learning on access ports connected to end devices — port goes directly to Forwarding | PortFast & BPDU Guard, Lab |
| BPDU Guard | Shuts down a PortFast port if it receives a BPDU (protecting against rogue switches) | PortFast & BPDU Guard |
| RSTP (802.1W) | Redesigned negotiation mechanism reduces convergence to 1–2 seconds | RSTP Overview, RSTP Lab |
| UplinkFast | Immediately promotes a blocked uplink when the root port fails (Cisco proprietary) | RSTP Overview |
| BackboneFast | Detects indirect link failures and skips Max Age timer (Cisco proprietary) | RSTP Overview |
8. STP Topology Example
Consider three switches — SW1, SW2, SW3 — connected in a triangle (full mesh), each with the same default priority of 32768:
| Switch | Priority | MAC Address | Bridge ID | Elected Role |
|---|---|---|---|---|
| SW1 | 32768 | 00:0A:00:00:00:01 | 32768.00:0A:00:00:00:01 | Root Bridge (lowest MAC) |
| SW2 | 32768 | 00:0A:00:00:00:02 | 32768.00:0A:00:00:00:02 | Non-root |
| SW3 | 32768 | 00:0A:00:00:00:03 | 32768.00:0A:00:00:00:03 | Non-root |
Result after STP convergence (assuming equal link speeds — cost 19 each):
| Switch | Port | Connected To | Role | State |
|---|---|---|---|---|
| SW1 (Root) | Gi0/1 | SW2 | Designated | Forwarding |
| SW1 (Root) | Gi0/2 | SW3 | Designated | Forwarding |
| SW2 | Gi0/1 | SW1 | Root Port | Forwarding |
| SW2 | Gi0/2 | SW3 | Designated | Forwarding |
| SW3 | Gi0/1 | SW1 | Root Port | Forwarding |
| SW3 | Gi0/2 | SW2 | Non-Designated | Blocking |
SW3's Gi0/2 port is blocked because both SW2 (cost 19 to root) and SW3 (cost 19 to root) reach the root with equal cost on that segment. SW2 wins the designated port election because its Bridge ID (lower MAC) is lower than SW3's.
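The election and role assignment for this triangle, worked through in code. This is an added example, not part of the original page: it picks the root by lowest Bridge ID, accumulates root path cost per switch, then assigns root, designated, and non-designated ports. It assumes no parallel links between the same two switches, so port ID tie-breaks are not modelled; `compute_roles` and the data structures are names chosen here.

```python
# Constructed from the example above: Bridge ID = (priority, MAC).
BRIDGES = {
    "SW1": (32768, "00:0A:00:00:00:01"),
    "SW2": (32768, "00:0A:00:00:00:02"),
    "SW3": (32768, "00:0A:00:00:00:03"),
}
# Each link: ((switch, port), (switch, port), path cost of the link).
LINKS = [
    (("SW1", "Gi0/1"), ("SW2", "Gi0/1"), 19),
    (("SW1", "Gi0/2"), ("SW3", "Gi0/1"), 19),
    (("SW2", "Gi0/2"), ("SW3", "Gi0/2"), 19),
]

def compute_roles(bridges, links):
    """Return (root switch, root path cost per switch, role per (switch, port))."""
    root = min(bridges, key=bridges.get)            # lowest Bridge ID wins
    cost = {sw: (0 if sw == root else float("inf")) for sw in bridges}
    for _ in bridges:                               # relax until costs settle
        for (a, _pa), (b, _pb), c in links:
            cost[a] = min(cost[a], cost[b] + c)
            cost[b] = min(cost[b], cost[a] + c)
    roles = {}
    # Root port: lowest cost to the root, then lowest upstream Bridge ID.
    for sw in bridges:
        if sw == root:
            continue
        candidates = []
        for end_a, end_b, c in links:
            for (me, my_port), (peer, _) in ((end_a, end_b), (end_b, end_a)):
                if me == sw:
                    candidates.append((cost[peer] + c, bridges[peer], my_port))
        roles[(sw, min(candidates)[2])] = "Root"
    # Designated port per segment: the end whose switch has the lower root
    # path cost, with the lower Bridge ID breaking ties. The losing end
    # blocks unless it is already that switch's root port.
    for end_a, end_b, _c in links:
        winner = min(end_a, end_b, key=lambda e: (cost[e[0]], bridges[e[0]]))
        for end in (end_a, end_b):
            if end not in roles:
                roles[end] = "Designated" if end == winner else "Non-Designated"
    return root, cost, roles

if __name__ == "__main__":
    root, cost, roles = compute_roles(BRIDGES, LINKS)
    print("root:", root, "costs:", cost)
    for (sw, port), role in sorted(roles.items()):
        state = "Blocking" if role == "Non-Designated" else "Forwarding"
        print(f"{sw} {port}: {role} ({state})")
```

Lowering one switch's priority in `BRIDGES` (for example, SW3 to 4096) and rerunning shows how the blocked port moves when the root changes.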
9. Key STP Verification Commands
| Command | Output / Purpose |
|---|---|
| show spanning-tree | Displays STP state for all VLANs — root bridge, local bridge ID, port roles, port states, and timers |
| show spanning-tree vlan <id> | STP details for a specific VLAN |
| show spanning-tree detail | Verbose output including port cost, port priority, BPDU counts, and topology change counters |
| show spanning-tree summary | Summary table of all STP instances — root bridge per VLAN, number of ports in each state |
| show spanning-tree interface <int> | Role and state of a specific interface in the STP topology |
| debug spanning-tree events | Real-time display of STP state changes — useful for troubleshooting flapping ports or loops |
10. STP Quick-Reference Summary
| STP Concept | Key Fact |
|---|---|
| Standard | IEEE 802.1D |
| Purpose | Prevent Layer 2 switching loops in redundant topologies |
| Root Bridge election | Lowest Bridge ID (Priority + MAC) wins |
| Default bridge priority | 32768 (must be a multiple of 4096 with extended system ID) |
| Hello Time | 2 seconds |
| Forward Delay | 15 seconds (per state: Listening and Learning) |
| Max Age | 20 seconds |
| Max convergence time | 50 seconds (20 + 15 + 15) |
| Port states (5 total) | Blocking, Listening, Learning, Forwarding, Disabled |
| Port roles (4 total) | Root Port, Designated Port, Non-Designated (Blocked), Disabled |
| Only state that forwards data | Forwarding |
| State that learns MACs but does not forward data | Learning |
| Blocking port still does what? | Receives BPDUs (monitors topology) |
| Cisco default STP mode | Rapid PVST+ |