trace·warrior
  • Tools
  • Monitoring
  • Pricing
  • Resources
  • About
Sign inGet started
trace·warrior

Network diagnostics for IT professionals. Built for speed, accuracy, and the long tail of the Friday afternoon outage.

ALL SYSTEMS NOMINAL
Tools
  • DNS Lookup
  • Ping Test
  • Port Checker
  • WHOIS
  • See all
Product
  • Monitors
  • Pricing
  • How-to guides
  • Compare
Resources
  • Blog
  • API docs
  • Tool index
  • Contact
Company
  • About
  • Privacy
  • Terms
  • Cookie policy
© 2026 Trace Warrior · made for engineers, by engineersnetwork forensics, quietly
/
Green tree diagram with a ROOT oval atop switch boxes of up arrows, links labeled STP, BPDU and DRO, and one dashed path marked blocked with an X
blog/spanning-tree-simplified
published · 2025-06-21

Spanning tree simplified, preventing layer 2 loops

How Spanning Tree Protocol stops layer 2 loops, the misconfigurations that cause network meltdowns, and the settings that make STP boring again.

networking
Trace Warrior Team
5 min read

Spanning Tree Protocol is one of the oldest safeguards in switched Ethernet, and one of the most consistently misunderstood. Most engineers don't think about it at all until the day a redundant uplink takes the whole site down in under a minute. This post covers what STP actually does, the handful of misconfigurations responsible for most STP incidents, and the settings that make it a non-event.

Why layer 2 loops kill networks so fast

IP packets carry a TTL field: a routing loop degrades performance, but packets eventually die. Ethernet frames have no equivalent. A frame caught in a switching loop circulates forever, and because switches flood broadcast and unknown-unicast frames out every port, one looped frame becomes many. The result:

  • Broadcast storms: frames multiply exponentially until they consume all available bandwidth
  • MAC table instability: the same source MAC appears on multiple ports in rapid succession, so switches thrash their forwarding tables
  • CPU saturation: switch control planes max out processing the flood
  • Total outage: ARP fails, DNS fails, everything above layer 2 collapses, typically within seconds

The MAC table thrashing is a distinctive signature: if you see the same address flapping between ports in your switch logs, you're looking at a loop. (A MAC address lookup on the flapping address tells you whose device is involved, which speeds up finding the offending cable.)

What STP does about it

STP discovers the loops in your topology and logically blocks the redundant links, leaving exactly one active forwarding path between any two points. The redundancy isn't wasted: if an active link fails, STP recalculates and brings a blocked link into forwarding. You get loop-free operation and failover from the same physical topology.

The switches negotiate all of this by exchanging Bridge Protocol Data Units (BPDUs). They elect a root bridge, compute each switch's cheapest path to it, and block everything else.

The STP family

  • STP (802.1D): the original. Convergence takes 30-50 seconds, which is an eternity during a failover.
  • RSTP (802.1w): Rapid Spanning Tree. Convergence in roughly 1-2 seconds. The default choice for almost everyone.
  • MSTP (802.1s): Multiple Spanning Tree. Maps groups of VLANs onto separate spanning tree instances. Worth the complexity only in large, deliberately engineered VLAN topologies.
  • PVST+ / Rapid PVST+: Cisco proprietary, one spanning tree per VLAN. The default mode on most Cisco switches.

Unless you have a specific reason for MSTP, run RSTP (or Rapid PVST+ in a Cisco shop) and move on.

The four misconfigurations behind most STP incidents

1. No BPDU Guard on access ports

Access ports, the ones facing laptops, printers, phones, should never receive BPDUs. If one does, it means someone plugged in a switch, and that device now participates in your spanning tree. Worst case it wins the root bridge election. BPDU Guard shuts a port down the moment a BPDU arrives on it. Enable it on every access port.

2. No root bridge control

Left to the default priorities, STP elects the root bridge by lowest MAC address, which in practice means the oldest switch in the building. Your topology then converges around a ten-year-old access switch in a cupboard. Set the priority explicitly on your core:

# Cisco - make this switch the root for VLAN 1
spanning-tree vlan 1 priority 4096

Set a secondary root (priority 8192) on the backup core while you're at it.

3. Mixed STP modes across switches

Legacy STP on one switch and RSTP on another technically interoperates (RSTP falls back to 802.1D behaviour on those links), but you inherit the slow convergence of the oldest protocol in the path, and the failure modes get hard to reason about. Standardise the mode across the estate unless you've explicitly planned otherwise.

4. Redundant links with STP disabled

Redundant uplinks are only safe because STP blocks one of them. If STP is disabled, or the ports bypass it, those links are a loop waiting to happen. A healthy redundant topology should show blocked ports when you inspect it. If you have physical redundancy and see no blocked ports anywhere, find out why before the network does it for you.

How the failure actually plays out

The canonical incident: an engineer installs an access switch and, doing the diligent thing, uplinks it to two distribution switches for redundancy. STP is disabled on the new switch, or BPDU Guard isn't protecting the ports it plugged into. The loop forms instantly. Broadcasts multiply, CPU spikes across every switch in the domain, MAC tables thrash, ARP and DNS stop working, and the entire site is down, typically in well under a minute, and frequently taking the management plane with it so you can't even SSH in to fix it.

From the outside, this looks like everything failing at once: a website uptime monitor on internally hosted services flatlines, and external ping tests against anything behind the affected switches time out together. Simultaneous total failure of an entire site is a layer 2 signature; partial or gradual degradation usually points elsewhere.

Inspecting STP state

# Cisco
show spanning-tree vlan 1
show spanning-tree summary

# Linux bridges
bridge link show
bridge vlan show

Things worth verifying: the root bridge is the switch you intended, the blocked ports are where you expect them, and no port is cycling through STP states (a flapping port forces repeated topology changes, which flush MAC tables network-wide and cause intermittent weirdness that's miserable to diagnose).

The checklist

  • Run RSTP (or Rapid PVST+) everywhere, consistently
  • Set root bridge priority manually on the core, and a secondary on the backup
  • Enable BPDU Guard and PortFast on all access ports
  • Document the topology, including which ports should be blocked
  • Test failover during maintenance windows, not during outages
  • Keep switch firmware current; STP edge-case bugs are real

When STP isn't the answer

Modern data centres mostly design STP out of the picture: leaf-spine fabrics with layer 3 links, VXLAN/EVPN overlays, and routed access all give you loop-free redundancy without blocking any links. If you're building a data centre network today, that's the direction to go.

But the typical enterprise LAN (campus, school, hospital, multi-site office) still runs switched layer 2 at the edge, and there STP remains the safety net between "someone plugged a cable in the wrong place" and "the whole site is down." Configured properly, it's invisible. Which is exactly what you want from it.

read next
  • Port security basics, the short version

    What ports to keep closed, what to monitor, what to do when something unexpected is listening, and the audits worth running quarterly.

  • Subnet mastery, the short version

    The four numbers worth memorising about IPv4 subnetting, how CIDR actually works, and how to spot common subnet mistakes in production.