Spanning Tree Protocol is one of the oldest safeguards in switched Ethernet, and one of the most consistently misunderstood. Most engineers don't think about it at all until the day a redundant uplink takes the whole site down in under a minute. This post covers what STP actually does, the handful of misconfigurations responsible for most STP incidents, and the settings that make it a non-event.
Why layer 2 loops kill networks so fast
IP packets carry a TTL field: a routing loop degrades performance, but packets eventually die. Ethernet frames have no equivalent. A frame caught in a switching loop circulates forever, and because switches flood broadcast and unknown-unicast frames out every port, one looped frame becomes many. The result:
- Broadcast storms: frames multiply exponentially until they consume all available bandwidth
- MAC table instability: the same source MAC appears on multiple ports in rapid succession, so switches thrash their forwarding tables
- CPU saturation: switch control planes max out processing the flood
- Total outage: ARP fails, DNS fails, everything above layer 2 collapses, typically within seconds
The MAC table thrashing is a distinctive signature: if you see the same address flapping between ports in your switch logs, you're looking at a loop. (A MAC address lookup on the flapping address tells you whose device is involved, which speeds up finding the offending cable.)
What STP does about it
STP discovers the loops in your topology and logically blocks the redundant links, leaving exactly one active forwarding path between any two points. The redundancy isn't wasted: if an active link fails, STP recalculates and brings a blocked link into forwarding. You get loop-free operation and failover from the same physical topology.
The switches negotiate all of this by exchanging Bridge Protocol Data Units (BPDUs). They elect a root bridge, compute each switch's cheapest path to it, and block everything else.
The STP family
- STP (802.1D): the original. Convergence takes 30-50 seconds, which is an eternity during a failover.
- RSTP (802.1w): Rapid Spanning Tree. Convergence in roughly 1-2 seconds. The default choice for almost everyone.
- MSTP (802.1s): Multiple Spanning Tree. Maps groups of VLANs onto separate spanning tree instances. Worth the complexity only in large, deliberately engineered VLAN topologies.
- PVST+ / Rapid PVST+: Cisco proprietary, one spanning tree per VLAN. The default mode on most Cisco switches.
Unless you have a specific reason for MSTP, run RSTP (or Rapid PVST+ in a Cisco shop) and move on.
The four misconfigurations behind most STP incidents
1. No BPDU Guard on access ports
Access ports, the ones facing laptops, printers, phones, should never receive BPDUs. If one does, it means someone plugged in a switch, and that device now participates in your spanning tree. Worst case it wins the root bridge election. BPDU Guard shuts a port down the moment a BPDU arrives on it. Enable it on every access port.
2. No root bridge control
Left to the default priorities, STP elects the root bridge by lowest MAC address, which in practice means the oldest switch in the building. Your topology then converges around a ten-year-old access switch in a cupboard. Set the priority explicitly on your core:
# Cisco - make this switch the root for VLAN 1
spanning-tree vlan 1 priority 4096
Set a secondary root (priority 8192) on the backup core while you're at it.
3. Mixed STP modes across switches
Legacy STP on one switch and RSTP on another technically interoperates (RSTP falls back to 802.1D behaviour on those links), but you inherit the slow convergence of the oldest protocol in the path, and the failure modes get hard to reason about. Standardise the mode across the estate unless you've explicitly planned otherwise.
4. Redundant links with STP disabled
Redundant uplinks are only safe because STP blocks one of them. If STP is disabled, or the ports bypass it, those links are a loop waiting to happen. A healthy redundant topology should show blocked ports when you inspect it. If you have physical redundancy and see no blocked ports anywhere, find out why before the network does it for you.
How the failure actually plays out
The canonical incident: an engineer installs an access switch and, doing the diligent thing, uplinks it to two distribution switches for redundancy. STP is disabled on the new switch, or BPDU Guard isn't protecting the ports it plugged into. The loop forms instantly. Broadcasts multiply, CPU spikes across every switch in the domain, MAC tables thrash, ARP and DNS stop working, and the entire site is down, typically in well under a minute, and frequently taking the management plane with it so you can't even SSH in to fix it.
From the outside, this looks like everything failing at once: a website uptime monitor on internally hosted services flatlines, and external ping tests against anything behind the affected switches time out together. Simultaneous total failure of an entire site is a layer 2 signature; partial or gradual degradation usually points elsewhere.
Inspecting STP state
# Cisco
show spanning-tree vlan 1
show spanning-tree summary
# Linux bridges
bridge link show
bridge vlan show
Things worth verifying: the root bridge is the switch you intended, the blocked ports are where you expect them, and no port is cycling through STP states (a flapping port forces repeated topology changes, which flush MAC tables network-wide and cause intermittent weirdness that's miserable to diagnose).
The checklist
- Run RSTP (or Rapid PVST+) everywhere, consistently
- Set root bridge priority manually on the core, and a secondary on the backup
- Enable BPDU Guard and PortFast on all access ports
- Document the topology, including which ports should be blocked
- Test failover during maintenance windows, not during outages
- Keep switch firmware current; STP edge-case bugs are real
When STP isn't the answer
Modern data centres mostly design STP out of the picture: leaf-spine fabrics with layer 3 links, VXLAN/EVPN overlays, and routed access all give you loop-free redundancy without blocking any links. If you're building a data centre network today, that's the direction to go.
But the typical enterprise LAN (campus, school, hospital, multi-site office) still runs switched layer 2 at the edge, and there STP remains the safety net between "someone plugged a cable in the wrong place" and "the whole site is down." Configured properly, it's invisible. Which is exactly what you want from it.
