Implementing VLANs and STP
Spanning Tree Protocol Concepts and RSTP Basics
Without some mechanism like Spanning Tree Protocol (STP)
or Rapid STP (RSTP), a LAN with redundant links would
cause Ethernet frames to loop for an indefinite period of
time. With STP or RSTP enabled, some switches block ports
so that these ports do not forward frames. STP and RSTP
intelligently choose which ports block, with two goals in
mind:
■ All devices in a VLAN can send frames to all other
devices. In other words, STP or RSTP does not block too
many ports, cutting off some parts of the LAN from other
parts.
■ Frames have a short life and do not loop around the
network
STP/RSTP prevents looping frames by adding an additional
check on each interface before a switch uses it to send or
receive user traffic. That check: If the port is in STP/RSTP
forwarding state in that VLAN, use it as normal; if it is in
STP/RSTP blocking state, however, block all user traffic
and do not send or receive user traffic on that interface in
that VLAN.
The Need for Spanning Tree
STP/RSTP prevents three common problems in Ethernet LANs.
Just one looping frame causes what is called a broadcast
storm. Broadcast storms happen when any kind of
Ethernet frames—broadcast frames, multicast frames, or
unknown-destination unicast frames—loop around a LAN
indefinitely. Broadcast storms can saturate all the links with
copies of that one single frame, crowding out good frames,
as well as significantly impacting end-user device
performance by making the PCs process too many
broadcast frames.
Broadcast Storm
Three Classes of Problems Caused by Not Using STP in
Redundant LANs
What Spanning Tree Does
STP/RSTP prevents loops by placing each switch port in
either a forwarding state or a blocking state. Interfaces in
the forwarding state act as normal, forwarding and
receiving frames. However, interfaces in a blocking state
do not process any frames except STP/RSTP messages
(and some other overhead messages). Interfaces that
block do not forward user frames, do not learn MAC
addresses of received frames, and do not process
received user frames.
What STP/RSTP Does: Blocks a Port to Break the Loop
Now when Bob sends a broadcast frame, the frame does
not loop. As shown in the steps in the figure:
Step 1. Bob sends the frame to SW3.
Step 2. SW3 forwards the frame only to SW1, but not out
Gi0/2 to SW2, because SW3’s Gi0/2 interface is in a
blocking state.
Step 3. SW1 floods the frame out both Fa0/11 and Gi0/1.
Step 4. SW2 floods the frame out Fa0/12 and Gi0/1.
Step 5. SW3 physically receives the frame, but it ignores
the frame received from SW2 because SW3’s Gi0/2
interface is in a blocking state.
How Spanning Tree Works
The STP/RSTP algorithm creates a spanning tree of
interfaces that forward frames. The tree structure of
forwarding interfaces creates a single path to and from
each Ethernet link, just like you can trace a single path in
a living, growing tree from the base of the tree to each
leaf.
The process used by STP, sometimes called the spanning-tree
algorithm (STA), chooses the interfaces that should be
placed into a forwarding state. For any interfaces not
chosen to be in a forwarding state, STP/RSTP places the
interfaces in blocking state.
STP/RSTP uses three criteria to choose whether to put an
interface in forwarding state:
■ STP/RSTP elects a root switch. STP puts all working
interfaces on the root switch in forwarding state.
■ Each nonroot switch considers one of its ports to have
the least administrative cost between itself and the root
switch. The cost is called that switch’s root cost.
STP/RSTP places its port that is part of the least root
cost path, called that
■ Many switches can attach to the same Ethernet
segment, but because links connect two devices, a link
would have at most two switches. With two switches on a
link, the switch with the lowest root cost, as compared
with the other switches attached to the same link, is
placed in forwarding state. That switch is the designated
switch, and that switch’s interface, attached to that
segment, is called the designated port (DP).
STP/RSTP: Reasons for Forwarding or Blocking
The STP Bridge ID and Hello BPDU
The STP/RSTP bridge ID (BID) is an 8-byte value unique to
each switch. The bridge ID consists of a 2-byte priority field
and a 6-byte system ID, with the system ID being based on
a universal (burned-in) MAC address in each switch. Using
a burned-in MAC address ensures that each switch’s bridge
ID will be unique.
STP/RSTP defines messages called bridge protocol data
units (BPDU), also called configuration BPDUs, which
switches use to exchange information with each other.
The most common BPDU, called a Hello BPDU, lists many
details, including the sending switch’s BID. By listing its
own unique BID, switches can tell which switch sent which
Hello BPDU.
Fields in the STP Hello BPDU
Electing the Root Switch
In a nutshell, the Spanning Tree Protocol (STP) elects a
root bridge to be the central point of the network's
logical loop-free topology. Here's a summary of how it
works:
1. Everyone thinks they're the root: When switches
power on, they all initially assume they are the root bridge
and start sending out special messages called Bridge
Protocol Data Units (BPDUs). These BPDUs contain
information about the sending switch, most importantly its
Bridge ID (BID).
2. Bridge ID (BID): Each switch has a unique 8-byte BID,
which is a combination of:
Bridge Priority (2 bytes): This is a configurable value,
with a default of 32768.
MAC Address (6 bytes): The unique physical address of
the switch.
3. The Election Process (Lowest BID Wins):
Switches exchange BPDUs and compare BIDs.
The switch with the lowest Bridge Priority wins the
election.
If there's a tie in Bridge Priority (which is common, as all
switches often start with the default), the switch with the
lowest MAC address acts as the tie breaker and becomes
the root bridge.
4. Root Bridge's Role: Once a root bridge is elected, it
becomes the reference point for all other switches in the
network. All of its ports are in a forwarding state
(designated ports). Other switches will then calculate the
best path (lowest cost) to reach the root bridge and block
redundant paths to prevent loops.
Figure 9-3 shows the beginning of the root election
process. In this case, SW1 has advertised itself as root, as
have SW2 and SW3. However, SW2 now believes that SW1
is a better root, so SW2 is now forwarding the Hello
originating at SW1. So, at this point, the figure shows SW1
is saying Hello, claiming to be root; SW2 agrees and is
forwarding SW1’s Hello that
lists SW1 as root; but SW3 is still claiming to be best,
sending its own Hello BPDUs, listing SW3’s BID as the root.
Figure 9-3 Beginnings of the Root Election Process
Two candidates still exist in Figure 9-3: SW1 and SW3.
So, who wins? Well, from the BID, the lower-priority
switch wins; if a tie occurs, the lower MAC address wins.
As shown in the figure, SW1 has a lower BID
(32769:0200.0001.0001) than SW3
(32769:0200.0003.0003), so
SW1 wins, and SW3 now also believes that SW1 is the
better switch. Figure 9-4 shows the resulting Hello
messages sent by the switches.
Summarizing, the root election happens through each
switch claiming to be root, with the best switch being
elected based on the numerically lowest BID. Breaking
down the BID into its components, the comparisons can
be made as follows:
■ The lowest priority
■ If that ties, the lowest switch MAC address
Figure 9-4 SW1 Wins the Election
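The election just described can be checked in a few lines of code. The block below is an added example, not code from the chapter: it parses the "priority:mac" notation the figures use, compares BIDs numerically (priority first, then MAC address, which is the same as comparing the 64-bit value because the priority occupies the high-order 16 bits), and returns the winner. SW1 and SW3 reuse the BIDs from Figures 9-3 and 9-4; SW2's BID is a constructed value.

```python
# Added example, not code from the original chapter: a root-switch election
# that compares bridge IDs the way the text describes (lowest priority wins,
# lowest MAC address breaks a tie). SW1 and SW3 reuse the BIDs shown in the
# chapter's Figures 9-3 and 9-4; SW2's BID is a constructed sample value.

from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """8-byte STP/RSTP bridge ID: 2-byte priority plus 6-byte system ID (MAC)."""
    priority: int   # 0..65535; 32769 = default 32768 plus VLAN 1
    mac: str        # Cisco dotted-hex form, e.g. "0200.0001.0001"

    @classmethod
    def parse(cls, text: str) -> "BridgeId":
        """Parse the 'priority:mac' notation used in the chapter."""
        prio, mac = text.split(":")
        priority = int(prio)
        if not 0 <= priority <= 0xFFFF:
            raise ValueError(f"priority out of 2-byte range: {priority}")
        digits = mac.replace(".", "").lower()
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"not a 6-byte MAC address: {mac}")
        return cls(priority, ".".join(digits[i:i + 4] for i in (0, 4, 8)))

    def numeric(self) -> int:
        """The BID as one 64-bit number; the numerically lowest BID wins."""
        return (self.priority << 48) | int(self.mac.replace(".", ""), 16)

    def __str__(self) -> str:
        return f"{self.priority}:{self.mac}"


def elect_root(candidates: dict) -> str:
    """Return the name of the switch with the numerically lowest BID.
    Comparing the 64-bit value equals comparing priority first and MAC
    address second, because priority occupies the high-order 16 bits."""
    if not candidates:
        raise ValueError("no switches to elect from")
    return min(candidates, key=lambda name: candidates[name].numeric())


# Constructed topology: SW1 and SW3 as in the chapter's figures, SW2 assumed.
SWITCHES = {
    "SW1": BridgeId.parse("32769:0200.0001.0001"),
    "SW2": BridgeId.parse("32769:0200.0002.0002"),
    "SW3": BridgeId.parse("32769:0200.0003.0003"),
}


if __name__ == "__main__":
    winner = elect_root(SWITCHES)
    print(f"root switch: {winner} ({SWITCHES[winner]})")
```

Because the priority sits in the high-order bits, a switch with priority 4097 beats every switch at the default 32769 regardless of MAC address; only among equal priorities does the MAC address decide.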
Choosing Each Switch’s Root Port
The second part of the STP/RSTP process occurs when each
nonroot switch chooses its one and only root port. A
switch’s RP is its interface through which it has the least
STP/RSTP cost to reach the root switch (least root cost).
The idea of a switch’s cost to reach the root switch can be
easily seen for humans. Just look at a network diagram that
shows the root switch, lists the STP/RSTP cost associated
with each switch port, and identifies the nonroot switch in
question. Switches use a different process
than looking at a network diagram, of course, but using a
diagram can make it easier to learn the idea.
Figure 9-5 How a Human Might Calculate STP/RSTP Cost from SW3 to the Root (SW1)
Switches come to the same conclusion but using a
different process. Instead, they add their local interface
STP/RSTP cost to the root cost listed in each received
Hello BPDU. The STP/RSTP port cost is simply an integer
value assigned to each interface, per VLAN, for the
purpose of providing an objective measurement that
allows STP/RSTP to choose which interfaces to add to
the STP/RSTP topology. The switches also look at their
neighbor’s root cost, as announced in Hello BPDUs
received from each neighbor.
Figure 9-6 How STP/RSTP Actually Calculates the Cost from SW3 to the Root
Switches need a tiebreaker to use in case the best root cost
ties for two or more paths. If a tie occurs, the switch applies
these three tiebreakers to the paths that tie, in order, as
follows:
1. Choose based on the lowest neighbor bridge ID.
2. Choose based on the lowest neighbor port priority.
3. Choose based on the lowest neighbor internal port
number.
Choosing the Designated Port on Each LAN Segment
STP/RSTP’s final step to choose the STP/RSTP topology is to
choose the designated port on each LAN segment. The
designated port (DP) on each LAN segment is the switch
port that advertises the lowest-cost Hello onto a LAN
segment. When a nonroot switch forwards a Hello, the
nonroot switch sets the root cost field in the Hello to that
switch’s cost to reach the root. In effect, the switch with
the lower cost to reach the root, among all switches
connected to a segment, becomes the DP on that segment.
Table 9-5 State of Each Interface
Note that the examples in this section focus on the links
between the switches, but switch ports connected to
endpoint devices should become DPs and settle into a
forwarding state. Working through the logic, each switch
will forward BPDUs on each port as part of the
process to determine the DP on that LAN. Endpoints
should ignore those messages because they do not run
STP/RSTP, so the switch will win and become DP on
every access port.
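The root-port and designated-port steps from the two sections above can be run together on a small topology. The following is an added example, not code from the chapter or from any vendor: each switch adds its own port cost to the root cost advertised in a neighbor's Hello, keeps the lowest total as its root cost, applies the neighbor-BID, neighbor-port-priority and neighbor-port-number tiebreakers to pick the RP, and on every segment the end with the lower root cost (then lower BID) becomes the DP; whatever is neither RP nor DP blocks. The BIDs, port costs and port numbers are constructed sample values, not the ones in the chapter's figures.

```python
# Added example, not code from the original chapter: the root-port and
# designated-port choices described in the text, computed the way switches
# do it from the root cost carried in received Hellos. BIDs, port costs and
# port numbers below are constructed sample values.

from dataclasses import dataclass


def bid(priority: int, mac: str) -> int:
    """Numeric 8-byte bridge ID: 2-byte priority then 6-byte MAC address."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


@dataclass(eq=False)
class Port:
    switch: str
    name: str
    number: int          # internal port number, the last tiebreaker
    cost: int            # this switch's STP port cost on the interface
    priority: int = 128  # STP port priority (default 128)


@dataclass(eq=False)
class Link:
    a: Port
    b: Port

    def other(self, p: "Port") -> "Port":
        return self.b if p is self.a else self.a


def compute_topology(bids: dict, links: list) -> dict:
    """Return {(switch, port): role}, role being 'RP', 'DP' or 'blocking'.
    `bids` maps switch name -> numeric BID; `links` are point-to-point Links."""
    INF = float("inf")
    root = min(bids, key=bids.get)                  # lowest BID wins election
    ends = [(p, link.other(p)) for link in links for p in (link.a, link.b)]
    root_cost = {s: (0 if s == root else INF) for s in bids}

    # Relax root costs as Hellos propagate: cost via a port = neighbor's
    # advertised root cost + my own port cost. |switches| rounds suffice.
    for _ in range(len(bids)):
        for p, nbr in ends:
            root_cost[p.switch] = min(root_cost[p.switch],
                                      root_cost[nbr.switch] + p.cost)

    roles = {}
    # Designated port on each segment: lower root cost, then lower BID,
    # then lower port priority, then lower port number.
    for link in links:
        dp = min((link.a, link.b),
                 key=lambda p: (root_cost[p.switch], bids[p.switch],
                                p.priority, p.number))
        roles[(dp.switch, dp.name)] = "DP"

    # Root port on each nonroot switch: lowest total cost, then the three
    # tiebreakers in order: neighbor BID, neighbor port priority, neighbor
    # internal port number.
    for s in bids:
        if s == root or root_cost[s] == INF:
            continue
        best = min(
            ((p, nbr) for p, nbr in ends
             if p.switch == s and root_cost[nbr.switch] < INF),
            key=lambda e: (root_cost[e[1].switch] + e[0].cost,
                           bids[e[1].switch], e[1].priority, e[1].number))
        roles[(s, best[0].name)] = "RP"

    # Everything that is neither RP nor DP is placed in blocking state.
    for p, _ in ends:
        roles.setdefault((p.switch, p.name), "blocking")
    return roles


def example_topology():
    """Constructed three-switch triangle with all-Gigabit links (cost 4)."""
    bids = {"SW1": bid(32769, "0200.0001.0001"),
            "SW2": bid(32769, "0200.0002.0002"),
            "SW3": bid(32769, "0200.0003.0003")}
    sw1_g1, sw1_g2 = Port("SW1", "Gi0/1", 1, 4), Port("SW1", "Gi0/2", 2, 4)
    sw2_g1, sw2_g2 = Port("SW2", "Gi0/1", 1, 4), Port("SW2", "Gi0/2", 2, 4)
    sw3_g1, sw3_g2 = Port("SW3", "Gi0/1", 1, 4), Port("SW3", "Gi0/2", 2, 4)
    links = [Link(sw1_g1, sw2_g2), Link(sw1_g2, sw3_g1), Link(sw2_g1, sw3_g2)]
    return bids, links


if __name__ == "__main__":
    for (switch, port), role in sorted(compute_topology(*example_topology()).items()):
        print(f"{switch} {port}: {role}")
```

On the constructed triangle SW2 and SW3 both reach the root at cost 4, so the SW2-SW3 segment is a tie on root cost and SW2's lower BID makes its port the DP, leaving SW3's Gi0/2 blocking, the same outcome the chapter's figures show for SW3. Two parallel links to the root tie on cost and neighbor BID as well, and the neighbor's port priority and then port number decide the RP.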
Configuring to Influence the STP Topology
STP/RSTP works by default on Cisco switches, so all the
settings needed by a switch have a useful default.
Switches have a default BID, based on a default priority
value and adding a universal MAC address that comes
with the switch hardware. Additionally, switch interfaces
have default STP/RSTP costs based on the current
operating speed of the switch interfaces.
First, to change the BID, the engineer can set the priority
used by the switch, while continuing to use the universal
MAC address as the final 48 bits of the BID. For instance,
giving a switch the lowest priority value among all switches
will cause that switch to win the root election.
Table 9-6 Default Port Costs According to IEEE
Of note regarding these defaults, the cost defaults are
based on the operating speed of the link, not the
maximum speed. That is, if a 10/100/1000 port runs at
10 Mbps for some reason, its default STP cost on a
Cisco switch is 100, the default cost for an interface
running at 10 Mbps.
Details Specific to STP (and Not RSTP)
Once the engineer has finished all STP configuration, the
STP topology should settle into a stable state and not
change, at least until the network topology changes. This
section examines the ongoing operation of STP while the
network is stable, and then it covers how STP
converges to a new topology when something changes.
Note that almost all the differences between STP and RSTP
revolve around the activities of waiting for and reacting to
changes in the topology. STP performed well for the era
and circumstances in which it was created. The “rapid” in
RSTP refers to the improvements to how fast RSTP could
react when changes occur—so understanding how STP
reacts will be useful to understand
STP Activity When the Network Remains Stable
An STP root switch sends a new Hello BPDU every 2
seconds by default. Each nonroot switch forwards the Hello
on all DPs, but only after changing items listed in the Hello.
(As a result, the Hello flows once over every working link in
the LAN.)
Assuming a default Hello timer of 2 seconds on the root
switch, each switch will forward the received (and changed)
Hellos out all DPs so that all switches continue to receive
Hellos every 2 seconds. The following steps summarize the
steady-state operation when nothing is currently changing
in the STP topology:
Step 1. The root creates and sends a Hello BPDU, with a
root cost of 0, out all its working interfaces (those in a
forwarding state).
Step 2. The nonroot switches receive the Hello on their
root ports. After changing the Hello to list their own BID
as the sender’s BID and listing that switch’s root cost, the
switch forwards the Hello out all designated ports.
Step 3. Steps 1 and 2 repeat until something changes.
Step 3. Steps 1 and 2 repeat until something changes.
STP Timers That Manage STP Convergence
For various reasons, the STP convergence process
requires the use of three timers, listed in Table 9-7. Note
that all switches use the timers as dictated by the root
switch, which the root lists in its periodic Hello BPDU
messages.
Table 9-7 STP Timers
If a switch does not get an expected Hello BPDU within
the Hello time, the switch continues as normal. However,
if the Hellos do not show up again within MaxAge time,
the switch reacts by taking steps to change the STP
topology. With default settings, MaxAge is 20 seconds
(10 times the default Hello timer of 2 seconds).
The best way to describe STP convergence is to show
an example using the same familiar topology. Figure 9-7
shows the same familiar figure, with SW3’s Gi0/2 in a
blocking state, but SW1’s Gi0/2 interface has just failed.
Figure 9-7 Initial STP State Before SW1-SW3 Link Fails
Changing Interface States with STP
Switches using STP can simply move immediately from
forwarding to blocking state, but they must take extra
time to transition from blocking state to forwarding state.
For instance, when switch SW3 in Figure 9-7 formerly used
port G0/1 as its RP (a role), that port was in a forwarding
state. After convergence, G0/1 might be neither an RP nor
DP; the switch can immediately move that port to a
blocking state. However, when a port that formerly
blocked needs to transition to forwarding, the switch first
puts the port through two intermediate interface states.
These temporary STP states help prevent temporary loops:
■ Listening: Like the blocking state, the interface does
not forward frames. The switch removes old stale (unused)
MAC table entries for which no frames are received from
each MAC address during this period. These stale MAC
table entries could be the cause of the temporary loops.
■ Learning: Interfaces in this state still do not forward
frames, but the switch begins to learn the MAC addresses
of frames received on the interface.
Table 9-8 summarizes spanning tree’s various interface
states for easier review.
Table 9-8 IEEE STP (Not RSTP) States
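The MaxAge timer and the two intermediate states described above are easiest to see as a timeline. The block below is an added example, not code from the chapter: a tick-by-tick simulation of a classic STP port that starts in blocking state, keeps its stored Hello information for MaxAge seconds after the last Hello, then walks through listening and learning before forwarding. It uses the chapter's default Hello (2 s) and MaxAge (20 s); the 15-second forward delay for each intermediate state is the 802.1D default, assumed here because this page's Table 9-7 is not reproduced. The Hello arrival schedules are constructed input.

```python
# Added example, not code from the original chapter: simulation of a classic
# 802.1D STP port whose stored Hello information times out. Hello (2 s) and
# MaxAge (20 s) are the chapter's defaults; the 15 s forward delay is the
# 802.1D default, assumed here. Hello schedules are constructed input.

HELLO_TIME = 2       # seconds between Hellos sent by the root
MAX_AGE = 20         # 10 x Hello: how long stored Hello information stays valid
FORWARD_DELAY = 15   # time spent in each of the listening and learning states


def worst_case_convergence(max_age=MAX_AGE, forward_delay=FORWARD_DELAY) -> int:
    """Seconds for a blocked port to reach forwarding when every timer must
    expire in turn: MaxAge, then listening, then learning."""
    return max_age + 2 * forward_delay


def simulate_port(hello_times, horizon, max_age=MAX_AGE, forward_delay=FORWARD_DELAY):
    """Walk time in 1-second ticks for a port that starts in blocking state.

    `hello_times` lists the seconds at which a Hello arrives on the port.
    Missing a single Hello changes nothing; only after `max_age` seconds
    without a Hello does the port start the blocking -> listening ->
    learning -> forwarding transition. A Hello arriving during listening or
    learning returns the port to blocking, which is what keeps a temporary
    loop from forming while the better path turns out to be alive.
    Returns the list of (second, new_state) transitions."""
    hellos = set(hello_times)
    state, last_hello, entered = "blocking", 0, 0
    transitions = []
    for t in range(horizon + 1):
        if t in hellos:
            last_hello = t
            if state in ("listening", "learning"):
                state, entered = "blocking", t
                transitions.append((t, state))
            continue
        if state == "blocking" and t - last_hello >= max_age:
            state, entered = "listening", t
        elif state == "listening" and t - entered >= forward_delay:
            state, entered = "learning", t
        elif state == "learning" and t - entered >= forward_delay:
            state, entered = "forwarding", t
        else:
            continue
        transitions.append((t, state))
    return transitions


if __name__ == "__main__":
    # Hellos every 2 s until second 10, then silence (e.g. the upstream link failed).
    print(simulate_port(range(0, 12, 2), horizon=70))
    print("worst case:", worst_case_convergence(), "s")
```

With Hellos stopping at second 10, the port enters listening at 30, learning at 45 and forwarding at 60: 50 seconds after the last Hello, which is the default-timer convergence figure quoted later in the chapter.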
Rapid STP Concepts
Over the years, other meaningful changes happened in the
standards as well, although those changes probably do not
impact most networkers’ thinking when it comes to
working with STP or RSTP. But to be complete, the IEEE
replaced STP with RSTP in the revised 802.1D standard in
2004. In another move, in 2011 the IEEE moved all the
RSTP details into a revised 802.1Q standard.
Comparing STP and RSTP
RSTP works just like STP in several ways, as discussed in
the first major section of the chapter. To review:
■ RSTP and STP elect the root switch using the same
rules and tiebreakers.
■ RSTP and STP switches select their root ports with the
same rules.
■ RSTP and STP elect designated ports on each LAN
segment with the same rules and tiebreakers.
■ RSTP and STP place each port in either forwarding or
blocking state, although RSTP calls the blocking state the
discarding state.
With all these similarities, you might be wondering why
the IEEE bothered to create RSTP in the first place. The
overriding reason is convergence. STP takes a relatively
long time to converge (50 seconds with the default
settings when all the wait times must be followed).
RSTP improves network convergence when topology
changes occur, usually converging within a few seconds
(or in slow conditions, in about 10 seconds).
The next topics show how the RSTP alternate port and the
backup port both work. RSTP uses the term alternate port
to refer to a switch’s other ports that could be used as the
root port if the root port ever fails. The backup port
concept provides a backup port on the local switch for a
designated port. (Note that backup ports apply only to
designs that use hubs, so they are unlikely to be useful
today.) However, both are instructive about how RSTP
works. Table 9-9 lists these RSTP port roles.
Table 9-9 Port Roles in RSTP
RSTP and the Alternate (Root) Port Role
With STP, each nonroot switch places one port in the STP
root port (RP) role. RSTP follows that same convention,
with the same exact rules for choosing the RP. RSTP then
takes another step beyond STP, naming other possible
RPs, identifying them as alternate ports.
Figure 9-8 Example of SW3 Making G0/2 Become an Alternate Port
Figure 9-9 shows an example of RSTP convergence. SW3’s
root port before the failure shown in this figure is SW3’s
G0/1, the link connected directly to SW1 (the root switch).
Then SW3’s link to SW1 fails as shown in Step 1 of the
figure.
Figure 9-9 Convergence Events with SW3 G0/1 Failure
Step 1. The link between SW1 and SW3 fails, so SW3’s
current root port (Gi0/1) fails.
Step 2. SW3 and SW2 exchange RSTP messages to confirm
that SW3 will now transition its former alternate port
(Gi0/2) to be the root port. This action causes SW2 to
flush the required MAC table entries.
Step 3. SW3 transitions Gi0/1 to the disabled role and
Gi0/2 to the root port role.
Step 4. SW3 transitions Gi0/2 to a forwarding state
immediately.
RSTP States and Processes
RSTP uses the discarding state for what STP defines as
two states: disabled state and blocking state. Blocking
should be somewhat obvious by now: the interface can
work physically, but STP/RSTP chooses to not forward
traffic to avoid loops. STP’s disabled state
simply meant that the interface was administratively
disabled. RSTP just combines those into a single
discarding state. Table 9-10 shows the list of STP and
RSTP states for comparison purposes.
Table 9-10 Port States Compared: STP and RSTP
RSTP, to converge more quickly, avoids relying on
timers. RSTP switches tell each other (using messages)
that the topology has changed. Those messages also
direct neighboring switches to flush the contents of their
MAC tables in a way that removes all the potentially
loop-causing entries, without a wait.
RSTP and the Backup (Designated) Port Role
The RSTP backup port role acts as yet another new RSTP
port role as compared to STP. As a reminder, the RSTP
alternate port role creates a way for RSTP to quickly
replace a switch’s root port. Similarly, the RSTP backup
port role creates a way for RSTP to quickly replace a
switch’s designated port on some LAN.
Figure 9-10 shows an example. SW3 and SW4 both
connect to the same hub. SW4’s port F0/1 happens to win
the election as designated port (DP). The other port on
SW4 that connects to the same collision domain, F0/2,
acts as a backup port.
Figure 9-10 RSTP Backup Port Example
RSTP Port Types
To begin, consider the basic image in Figure 9-11. It
shows several links between two switches. RSTP
considers these links to be point-to-point links and the
ports connected to them to be point-to-point ports
because the link connects exactly two devices (points).
RSTP further classifies point-to-point ports into two
categories. Point-to-point ports that connect two
switches are not at the edge of the network and are
simply called point-to-point ports. Ports that instead
connect to a single endpoint device at the edge of the
network, like a PC or server, are called point-to-point edge
ports, or simply edge ports. In Figure 9-11, SW3’s switch port
Figure 9-11 RSTP Link Types
Optional STP Features
To close out the chapter, the last few topics introduce a
few optional features that make STP work even better or
be more secure: EtherChannel, PortFast, and BPDU Guard.
EtherChannel
EtherChannel combines multiple parallel segments of
equal speed (up to eight) between the same pair of
switches, bundled into an EtherChannel. The switches
treat the EtherChannel as a single interface with regard to
STP. As a result, if one of the links fails, but at least one of
the links is up, STP convergence does not have to occur.
For example, Figure 9-12 shows the familiar three-switch
network, but now with two Gigabit Ethernet connections
between each pair of switches.
Figure 9-12 Two-Segment EtherChannels Between Switches
PortFast
Cisco's PortFast is a valuable feature in Spanning Tree
Protocol (STP) that significantly reduces the time it
takes for a port to become active and start forwarding
traffic. Here's a breakdown of its benefits and when to
use it:
Reduced Convergence Time: This is the primary
benefit. Without PortFast, a switch port goes through
several STP states (blocking, listening, learning) before
transitioning to the forwarding state. This process can
take 30-50 seconds. With PortFast, the port immediately
transitions to the forwarding state, allowing connected
devices to transmit and receive data almost instantly.
Improved User Experience: For end-user devices like
computers, printers, or IP phones, the delay caused by
STP convergence can be frustrating. PortFast eliminates
this delay, providing a much smoother and faster
connection experience.
PortFast should ONLY be enabled on access ports
connected to end devices that are NOT switches or
hubs. This is crucial to prevent spanning-tree loops,
which can bring down your entire network.
BPDU Guard
STP and RSTP open up the LAN to several different types
of possible security exposures. For example:
■ An attacker could connect a switch to one of these
ports, one with a low STP/RSTP priority value, and
become the root switch. The new STP/RSTP topology
could have worse performance than the desired topology.
■ The attacker could plug into multiple ports, into
multiple switches, become root, and actually forward
much of the traffic in the LAN.
■ Users could innocently harm the LAN when they buy
and connect an inexpensive consumer LAN switch (one
that does not use STP/RSTP). Such a switch, without any
STP/RSTP function, would not choose to block any ports
and could cause a loop.
The Cisco BPDU Guard feature helps defeat these kinds
of problems by disabling a port if any BPDUs are received
on the port. So, this feature is particularly useful on ports
that should be used only as an access port and never
connected to another switch.
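The PortFast and BPDU Guard behaviour described in the last two sections can be modelled together. The block below is an added example, not code from the chapter or from Cisco: a simplified access port that goes straight to forwarding when PortFast is on, and moves to err-disabled the moment any BPDU arrives when BPDU Guard is on, together with a parser for the standard 35-byte 802.1D configuration BPDU (the fields the Hello carries: protocol ID, version, type, flags, root ID, root path cost, bridge ID, port ID, message age, max age, hello time, forward delay, with times in units of 1/256 s). Without the guard, the same code shows why the exposure matters: it records when a received Hello advertises a root that would win the election over the current root. The MAC addresses, bridge IDs and frame bytes are constructed sample values.

```python
# Added example, not code from the original chapter or from Cisco: a
# simplified access port with PortFast and BPDU Guard, plus a parser for the
# standard 35-byte 802.1D configuration BPDU. The frame bytes, MAC addresses
# and bridge IDs below are constructed sample values.

import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # destination MAC of all BPDUs
LLC_STP = bytes([0x42, 0x42, 0x03])             # DSAP/SSAP 0x42, control 0x03
BPDU_FMT = "!HBBBQIQHHHHH"                       # 35-byte configuration BPDU


def build_config_bpdu(root_bid, root_cost, bridge_bid, port_id,
                      max_age=20, hello=2, forward_delay=15) -> bytes:
    """Pack a configuration BPDU (protocol 0, version 0, type 0) for the demo."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_bid, root_cost, bridge_bid,
                       port_id, 0, max_age * 256, hello * 256, forward_delay * 256)


def build_frame(src_mac: bytes, bpdu: bytes) -> bytes:
    """Wrap a BPDU in an 802.3 frame: dst, src, length, LLC header, payload."""
    return STP_MULTICAST + src_mac + struct.pack("!H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu


def parse_bpdu(frame: bytes):
    """Return the configuration BPDU fields as a dict, or None if the frame is
    not an STP BPDU (wrong destination MAC or LLC header, or too short)."""
    if len(frame) < 17 + struct.calcsize(BPDU_FMT):
        return None
    if frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        return None
    (proto, version, btype, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack_from(BPDU_FMT, frame, 17)
    if proto != 0 or btype not in (0x00, 0x02):   # 0x00 = STP config, 0x02 = RSTP
        return None
    return {"version": version, "flags": flags, "root_id": root_id,
            "root_cost": root_cost, "bridge_id": bridge_id, "port_id": port_id,
            "message_age": msg_age / 256, "max_age": max_age / 256,
            "hello_time": hello / 256, "forward_delay": fwd_delay / 256}


class AccessPort:
    """An access port with PortFast (skip listening/learning) and BPDU Guard
    (err-disable the port if any BPDU arrives)."""

    def __init__(self, name, current_root_bid, portfast=True, bpduguard=True):
        self.name, self.current_root_bid = name, current_root_bid
        self.portfast, self.bpduguard = portfast, bpduguard
        self.state, self.log = "down", []

    def link_up(self):
        # PortFast moves straight to forwarding; otherwise the port starts in
        # blocking and must wait out the STP timers like any other port.
        self.state = "forwarding" if self.portfast else "blocking"

    def receive(self, frame: bytes) -> str:
        bpdu = parse_bpdu(frame)
        if bpdu is None:
            return "user-frame"                      # ordinary traffic
        if self.bpduguard:
            self.state = "err-disabled"              # port shut until recovered
            self.log.append(f"{self.name}: BPDU received with BPDU Guard enabled "
                            f"(sender bridge {bpdu['bridge_id']:#018x}); port err-disabled")
            return "err-disabled"
        # Without the guard the switch processes the Hello. Record when it
        # claims a root that would win the election over the current root.
        if bpdu["root_id"] < self.current_root_bid:
            self.log.append(f"{self.name}: BPDU advertises root {bpdu['root_id']:#018x}, "
                            f"lower than the current root; topology would change")
        return "bpdu-accepted"


# Constructed sample: the LAN's real root and a BPDU from an unexpected
# switch plugged into an access port, advertising itself with priority 0.
CURRENT_ROOT_BID = (32769 << 48) | 0x020000010001
UNEXPECTED_BID = (0 << 48) | 0x0200aaaaaaaa
SAMPLE_FRAME = build_frame(bytes.fromhex("0200aaaaaaaa"),
                           build_config_bpdu(UNEXPECTED_BID, 0, UNEXPECTED_BID, 0x8001))

if __name__ == "__main__":
    port = AccessPort("Fa0/5", CURRENT_ROOT_BID)
    port.link_up()
    print(port.receive(SAMPLE_FRAME), port.state, port.log)
```

The guarded port never evaluates the Hello's contents: any BPDU at all is reason to err-disable, which is why the feature belongs only on ports that should never see another switch. The unguarded port shows what the guard prevents, since the sample BPDU's priority-0 root ID is lower than the current root's and would win the election.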
Lesson Check
1. Which of the following port states are stable states used
when STP has completed convergence? (Choose two
answers.)
a. Blocking
b. Forwarding
c. Listening
d. Learning
e. Discarding
2. Which of the following bridge IDs wins election as root,
assuming that the switches with these bridge IDs are in the
same network?
a. 32769:0200.1111.1111
b. 32769:0200.2222.2222
c. 4097:0200.1111.1111
d. 4097:0200.2222.2222
e. 40961:0200.1111.1111
3. Which of the following are transitory port states used
only during the process of STP convergence? (Choose two
answers.)
a. Blocking
b. Forwarding
c. Listening
d. Learning
e. Discarding
4. Which of the following facts determines how often a
nonroot bridge or switch sends an STP Hello BPDU
message?
a. The Hello timer as configured on that switch.
b. The Hello timer as configured on the root switch.
c. It is always every 2 seconds.
d. The switch reacts to BPDUs received from the root
switch by sending another BPDU 2 seconds after
receiving the root BPDU.
5. Which of the following RSTP port states have the same
name and purpose as a port state in traditional STP? (Choose
two answers.)
a. Blocking
b. Forwarding
c. Listening
d. Learning
e. Discarding
6. RSTP adds features beyond STP that enable ports to be
used for a role if another port on the same switch fails. Which
of the following statements correctly describe a port role that
is waiting to take over for another port role? (Choose two
answers.)
a. An alternate port waits to become a root port.
b. A backup port waits to become a root port.
c. An alternate port waits to become a designated port.
d. A backup port waits to become a designated port.
7. What STP feature causes an interface to be placed in the
forwarding
state as soon as the interface is physically active?
a. STP
b. EtherChannel
c. Root Guard
d. PortFast