Introduction to Spanning Tree Protocol (STP)

Switches are simple devices at heart — they forward frames based on MAC addresses and keep everything connected. Add a second cable between two switches for redundancy, and suddenly you have a problem that can bring down your entire network in seconds. Spanning Tree Protocol exists precisely to solve this problem, and understanding it is essential for both the CCNA exam and real-world network engineering.

Key Takeaways

Before diving in, here’s what you’ll walk away understanding:

  • STP prevents Layer 2 loops by selectively blocking redundant switch ports while keeping backup paths available
  • A root bridge is elected based on the lowest bridge ID, which is a combination of priority and MAC address
  • Every switch port gets assigned one of three roles: root port, designated port, or alternate (blocked) port
  • Ports transition through a listening and learning phase before they forward traffic — each phase lasts 15 seconds by default
  • The default STP priority is 32768, making the MAC address the tiebreaker in root bridge elections
  • STP runs automatically on Cisco switches and operates independently per VLAN using PVST (Per VLAN Spanning Tree)

Prerequisites

To get the most out of this lesson, you should already be comfortable with how switches work and how they learn MAC addresses. A basic understanding of VLANs and trunking will also help, especially when we look at how STP runs per-VLAN. If you’re not yet familiar with how trunks negotiate, it’s worth reviewing (Internal link suggestion: “Dynamic Trunking Protocol”) before continuing.

Why Spanning Tree Exists

Picture two switches connected by a single cable. That single cable is a single point of failure — if it dies, those switches can no longer communicate, and neither can any devices connected to them.

The natural solution is to add a second cable. Now if one link fails, the other keeps traffic flowing. Redundancy problem solved — but a new problem appears: loops.

Here’s what actually happens when you have two cables between two switches and one host sends a broadcast frame (like an ARP request):

  1. Host H1 broadcasts an ARP frame looking for H2’s MAC address.
  2. SW1 receives the frame and floods it out every port except the one it arrived on — including both cables going to SW2.
  3. SW2 receives two copies of the same broadcast frame, one on each of its ports connected to SW1.
  4. SW2 then floods each of those frames back out — including the port that leads back to SW1.
  5. SW1 receives those frames and floods them again.

This cycle never stops. Ethernet frames have no TTL field like IP packets do, so there’s nothing built into the protocol to kill a looping frame. The result is a broadcast storm — an exponential flood of frames that consumes all available bandwidth and CPU resources on every switch in the loop. Networks can collapse within seconds.

This is the problem Spanning Tree Protocol was designed to solve.

How Spanning Tree Solves Loops

STP creates a loop-free logical topology by placing certain switch ports into a blocked state. The blocked ports don’t forward traffic, which breaks the loop — but they stay active enough to monitor the network and take over if an active link fails.

To understand how STP decides which ports to block, let’s walk through the process step by step.

Step 1 — Switches Exchange BPDUs

As soon as STP is enabled, every switch begins sending a special frame called a BPDU (Bridge Protocol Data Unit) out of all of its active ports. For the election, the two critical fields a BPDU carries are:

  • MAC address of the sending switch
  • Priority value configured on the switch

These two values together form the Bridge ID. (The same BPDU also carries the bridge ID of the switch the sender currently believes is the root, the sender’s cost to reach that root, and the hello, max age and forward delay timers; those fields feed the later steps.) The Bridge ID is what STP uses to make all of its decisions.
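To make the bridge ID concrete, here is the on-the-wire encoding of a configuration BPDU and the comparison a switch performs on it. This is an added example written for this page, not code from the original article or from any vendor; it covers only the 35-byte 802.1D BPDU body (the Ethernet/LLC or Cisco SNAP header that carries it is left out), and the sample BPDU is constructed from the root bridge values that appear in the show output later on this page.

```python
import struct
from dataclasses import dataclass

# Wire layout of an IEEE 802.1D configuration BPDU (35 bytes, big-endian):
# protocol ID, version, type, flags, root ID (2-byte priority field + 6-byte MAC),
# root path cost, sender bridge ID, port ID, then four timers in 1/256-second units.
_BPDU_FMT = "!HBBBH6sIH6sHHHHH"
BPDU_LEN = struct.calcsize(_BPDU_FMT)  # 35


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"  # Cisco dotted form


@dataclass(frozen=True)
class BridgeId:
    priority: int  # the 16-bit field as carried on the wire, e.g. 32769
    mac: str       # e.g. "000f.34ca.1000"

    @property
    def base_priority(self) -> int:
        # 802.1t extended system ID: the top 4 bits are the configured priority...
        return self.priority & 0xF000

    @property
    def sys_id_ext(self) -> int:
        # ...and the low 12 bits carry the VLAN number (PVST+).
        return self.priority & 0x0FFF

    def key(self) -> tuple:
        # The ordering STP uses everywhere: lower priority wins, then lower MAC.
        return (self.priority, mac_to_bytes(self.mac))


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int                # 16 bits: port priority (128 by default) . port number
    message_age: float = 0.0
    max_age: float = 20.0
    hello_time: float = 2.0
    forward_delay: float = 15.0
    flags: int = 0

    def pack(self) -> bytes:
        return struct.pack(
            _BPDU_FMT, 0x0000, 0x00, 0x00, self.flags,
            self.root.priority, mac_to_bytes(self.root.mac), self.root_path_cost,
            self.bridge.priority, mac_to_bytes(self.bridge.mac), self.port_id,
            int(self.message_age * 256), int(self.max_age * 256),
            int(self.hello_time * 256), int(self.forward_delay * 256))


def parse_bpdu(data: bytes) -> ConfigBpdu:
    """Decode a configuration BPDU; rejects truncated input and TCN BPDUs (type 0x80)."""
    if len(data) < BPDU_LEN:
        raise ValueError(f"BPDU too short: {len(data)} bytes")
    (proto, _version, btype, flags, rprio, rmac, cost, bprio, bmac, port_id,
     msg_age, max_age, hello, fwd) = struct.unpack(_BPDU_FMT, data[:BPDU_LEN])
    if proto != 0x0000 or btype != 0x00:
        raise ValueError("not a configuration BPDU")
    return ConfigBpdu(BridgeId(rprio, bytes_to_mac(rmac)), cost,
                      BridgeId(bprio, bytes_to_mac(bmac)), port_id,
                      msg_age / 256, max_age / 256, hello / 256, fwd / 256, flags)


def is_superior(received: ConfigBpdu, current_root: BridgeId) -> bool:
    """A switch adopts the root advertised in a received BPDU if that root ID is
    lower than the one it currently knows; the election is this comparison, repeated."""
    return received.root.key() < current_root.key()


# Constructed sample: the BPDU the root bridge from the show output below (SW3)
# would send on port 128.14, with the default timers.
SW3 = BridgeId(32769, "000f.34ca.1000")
ROOT_BPDU = ConfigBpdu(root=SW3, root_path_cost=0, bridge=SW3, port_id=(128 << 8) | 14)

if __name__ == "__main__":
    decoded = parse_bpdu(ROOT_BPDU.pack())
    print(decoded.root.base_priority, decoded.root.sys_id_ext, decoded.root.mac)
```

Note that `is_superior` has no notion of where the BPDU came from: any port that receives a lower root ID accepts it, which is what the manual-priority advice later in this lesson is really about.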

Step 2 — Root Bridge Election

From all the switches exchanging BPDUs, STP elects one as the root bridge. Think of the root bridge as the reference point for the entire network — every other switch calculates its best path relative to the root.

The election rule is straightforward: the switch with the lowest bridge ID wins.

Since priority is compared first, a switch with a lower priority wins immediately. If two switches share the same priority (which is the default situation, since all switches ship with a priority of 32768), then the MAC address becomes the tiebreaker — and the lower MAC address wins.

This has an important real-world implication. If you let STP elect the root bridge automatically, the winner will be whichever switch has the lowest MAC address, and since MAC blocks are handed out over time that is often your oldest, least capable switch. That’s not where you want the STP reference point to be, which is why network engineers manually lower the priority on the switch they want to become root bridge.

Once elected, every port on the root bridge takes the designated role and forwards traffic.

Step 3 — Root Port Selection on Non-Root Switches

Every switch that is not the root bridge needs to figure out which of its ports offers the shortest path to the root bridge. That port becomes the switch’s root port.

“Shortest” in STP terms doesn’t mean fewest hops. It means lowest path cost, and the cost of each link is determined by its interface speed (classic 802.1D values):

  Interface speed      STP cost
  10 Mbps              100
  100 Mbps             19
  1000 Mbps (1G)       4
  10 Gbps              2

Each non-root switch adds up the costs along each candidate path and selects exactly one root port: the port on the lowest-cost path back to the root bridge. Two 1G hops (4 + 4 = 8) therefore beat a single 100 Mbps hop (19). If two paths tie on cost, the port that receives BPDUs from the neighbour with the lower bridge ID wins, then the lower neighbour port ID. The root port forwards traffic.

Step 4 — Designated and Alternate Port Assignment

With root ports sorted out, STP then looks at every network segment (link between switches) and selects one designated port per segment. The designated port is responsible for forwarding traffic on that segment, and it is the end of the link whose switch advertises the lower root path cost; if both ends advertise the same cost, the switch with the better (lower) bridge ID wins, and if both ends belong to the same switch, the lower port ID wins. Every port on the root bridge is designated, because the root’s cost to itself is 0.

Any port that ends up being neither a root port nor a designated port becomes an alternate port — it’s placed in a blocking state. This is how the loop is broken.

In a triangle of three switches, for example, the link between the two non-root switches will always have one blocked alternate port. Traffic cannot loop through a blocked port, so the topology is loop-free. If the active path fails, the alternate port can transition to forwarding to restore connectivity.
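The four steps above, run as code over the triangle that the show output later on this page describes. This is an added example, written for this page rather than taken from the article or from Cisco: it computes the root, each switch’s root path cost, and every port role with the same comparison order STP uses. The switch MACs and port names come from the show output; which of SW3’s two ports faces SW1 and which faces SW2 is not stated there, so that pairing is an assumption, as is the single-VLAN, all-100-Mbps topology.

```python
import heapq
from dataclasses import dataclass

# Classic 802.1D port costs from the table above (10 Gbps added: cost 2).
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str, vlan: int = 1) -> tuple:
    """Bridge ID as a comparable tuple; lower wins. PVST+ adds the VLAN
    number to the configured priority (the sys-id-ext seen in show output)."""
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def port_number(name: str) -> int:
    """'Fa0/17' -> 17: the port-number half of the 128.17 port ID."""
    return int(name.rsplit("/", 1)[-1])


@dataclass(frozen=True)
class Link:
    a_switch: str
    a_port: str
    b_switch: str
    b_port: str
    speed_mbps: int


def compute_stp(switches: dict, links: list) -> tuple:
    """switches: name -> bridge_id(); links: Link list.
    Returns (root, root path cost per switch, {switch: {port: Root|Desg|Altn}})."""
    # Step 2: the lowest bridge ID is the root.
    root = min(switches, key=switches.get)
    adj = {s: [] for s in switches}
    for ln in links:
        cost = STP_COST[ln.speed_mbps]
        adj[ln.a_switch].append((ln.b_switch, ln.a_port, ln.b_port, cost))
        adj[ln.b_switch].append((ln.a_switch, ln.b_port, ln.a_port, cost))
    # Step 3a: root path cost = lowest total cost to the root, not fewest hops.
    rpc = {s: float("inf") for s in switches}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > rpc[s]:
            continue
        for nbr, _my, _their, cost in adj[s]:
            if d + cost < rpc[nbr]:
                rpc[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    roles = {s: {} for s in switches}
    # Step 3b: one root port per non-root switch: lowest cost via the neighbour,
    # tie-broken by neighbour bridge ID, neighbour port ID, then own port ID.
    for s in switches:
        if s == root:
            continue
        _nbr, my_port, _their, _cost = min(
            adj[s], key=lambda e: (rpc[e[0]] + e[3], switches[e[0]],
                                   port_number(e[2]), port_number(e[1])))
        roles[s][my_port] = "Root"
    # Step 4: per segment, the end with the lowest (root path cost, bridge ID,
    # port ID) is designated; the other end is alternate unless it is a root port.
    for ln in links:
        a = (ln.a_switch, ln.a_port)
        b = (ln.b_switch, ln.b_port)
        a_key = (rpc[a[0]], switches[a[0]], port_number(a[1]))
        b_key = (rpc[b[0]], switches[b[0]], port_number(b[1]))
        desg, other = (a, b) if a_key < b_key else (b, a)
        if roles[desg[0]].get(desg[1]) != "Root":
            roles[desg[0]][desg[1]] = "Desg"
        if roles[other[0]].get(other[1]) != "Root":
            roles[other[0]][other[1]] = "Altn"
    return root, rpc, roles


# The triangle from the show output below. Assumed: SW3 Fa0/14 faces SW1 and
# SW3 Fa0/16 faces SW2 (the page does not say which is which).
SWITCHES = {
    "SW1": bridge_id(32768, "0011.bb0b.3600"),
    "SW2": bridge_id(32768, "0019.569d.5700"),
    "SW3": bridge_id(32768, "000f.34ca.1000"),
}
LINKS = [
    Link("SW1", "Fa0/17", "SW3", "Fa0/14", 100),
    Link("SW2", "Fa0/16", "SW3", "Fa0/16", 100),
    Link("SW1", "Fa0/14", "SW2", "Fa0/14", 100),
]

if __name__ == "__main__":
    root, rpc, roles = compute_stp(SWITCHES, LINKS)
    print(root, rpc, roles)
```

Re-running `compute_stp` with SW1’s priority set to 4096 shows what the manual-priority advice buys you: SW1 becomes root, and the blocked port moves from the SW1–SW2 link to SW2’s side of the SW2–SW3 link, because SW3 still has the lower bridge ID of those two.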

(Internal link suggestion: “EtherChannels”) — worth noting that bundling multiple physical links with EtherChannel is another way to add bandwidth and redundancy: the bundle appears to STP as a single logical link, so none of its member links gets blocked.

STP Port States

If you’ve ever plugged a cable into a Cisco switch and watched the port LED sit orange for roughly 30 seconds before turning green, you’ve already seen STP port states in action.

When a port comes up, it doesn’t immediately start forwarding traffic. It moves through a sequence of states:

Listening (15 seconds) — The port participates in BPDU exchange and helps STP make its topology decisions. It does not learn MAC addresses, and it does not forward any data frames.

Learning (15 seconds) — The port continues sending and receiving BPDUs and now begins building the MAC address table. Still no data forwarding yet. This phase prevents traffic from being flooded unnecessarily once the port opens.

Forwarding — The port is fully active. It sends and receives BPDUs, learns MAC addresses, and forwards data frames normally.

The total convergence time for a new port is around 30 seconds (15 + 15). This is intentional: it gives STP enough time to ensure the topology is loop-free before any data flows. The 15-second timer is called the forward delay. When an existing path fails somewhere upstream and a switch only learns of it by missing BPDUs, Max Age (20 seconds) is spent first, so bringing an alternate port into forwarding can take up to 50 seconds.

Configuration and Verification

Spanning Tree is enabled by default on all Cisco switches — you don’t need to configure anything to get it running. What matters is knowing how to read its output and understand what each field means.

Let’s walk through the show spanning-tree command on a three-switch topology where the switches form a triangle. This is the most important STP verification command you’ll use.

SW1 — Non-Root Switch

SW1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.34ca.1000
             Cost        19
             Port        19 (FastEthernet0/17)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0011.bb0b.3600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/14              Desg FWD 19        128.16   P2p
Fa0/17              Root FWD 19        128.19   P2p

Breaking this down section by section:

VLAN0001
  Spanning tree enabled protocol ieee

This tells you STP is active on VLAN 1. Cisco’s default mode is PVST+ (Per VLAN Spanning Tree), which runs a separate STP instance, with its own root election and its own blocked ports, for each VLAN. This is why VLAN 1 is specified explicitly. (Internal link suggestion: “VLAN Trunking Protocol”) — VTP distributes the VLAN database between switches, and every VLAN it creates gets its own STP instance, so the two are worth learning together.

Root ID    Priority    32769
           Address     000f.34ca.1000
           Cost        19
           Port        19 (FastEthernet0/17)

This section describes the root bridge from SW1’s perspective. The root bridge has a priority of 32769 and MAC address 000f.34ca.1000. SW1’s cost to reach the root is 19 (one 100 Mbps link), and the port facing the root is Fa0/17 — SW1’s root port.

Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
           Address     0011.bb0b.3600

This section describes SW1 itself. The priority looks like 32769, but the parenthetical explanation reveals what’s happening: the base priority is 32768, and STP adds the VLAN number (1) so that the same switch has a distinct bridge ID in every VLAN. This is the sys-id-ext mechanism (the IEEE 802.1t extended system ID): the VLAN number occupies the low 12 bits of the 16-bit priority field, which is why a configured priority must be a multiple of 4096 (0, 4096, 8192 and so on up to 61440). You’ll see it on every Cisco switch running PVST+.

Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

These three timers govern STP behavior:

  • Hello Time (2 sec): How often the root bridge sends BPDUs. Non-root switches relay the root’s BPDUs out their designated ports.
  • Max Age (20 sec): How long a switch keeps the last BPDU it received on a port. If no fresh BPDU arrives within 20 seconds, the stored one is discarded, the switch assumes the topology has changed, and it begins recalculating.
  • Forward Delay (15 sec): The time spent in each of the listening and learning states before a port moves to forwarding.

Interface           Role Sts Cost      Prio.Nbr Type
Fa0/14              Desg FWD 19        128.16   P2p
Fa0/17              Root FWD 19        128.19   P2p

SW1 has two active ports. Fa0/14 is a designated port in forwarding state, and Fa0/17 is the root port — also forwarding. Since SW1 has a root port, we know it is not the root bridge.

SW2 — Non-Root Switch with a Blocked Port

SW2#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.34ca.1000
             Cost        19
             Port        18 (FastEthernet0/16)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0019.569d.5700

Interface           Role Sts Cost      Prio.Nbr Type
Fa0/14              Altn BLK 19        128.16   P2p
Fa0/16              Root FWD 19        128.18   P2p

SW2’s root port is Fa0/16, pointing toward the root bridge. The interesting port here is Fa0/14, shown as Altn BLK — alternate port in blocking state. This is SW2’s end of the link to SW1 (SW1’s Fa0/14, which showed up as Desg above, is the other end). STP blocked this port to eliminate the loop in the triangle topology.

Why was SW2’s end of that link blocked rather than SW1’s? Both switches advertise the same root path cost (19), so the tie goes to the lower bridge ID. Both use priority 32769, and SW1’s MAC address 0011.bb0b.3600 is lower than SW2’s 0019.569d.5700, so SW1’s Fa0/14 won the designated port role for that segment and SW2’s Fa0/14 had to become the alternate.

SW3 — The Root Bridge

SW3#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.34ca.1000
             This bridge is the root

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.34ca.1000

Interface        Role Sts Cost      Prio.Nbr Type
Fa0/14           Desg FWD 19        128.14   P2p
Fa0/16           Desg FWD 19        128.16   P2p

The key line here is “This bridge is the root” — it tells you immediately that SW3 is the root bridge. Notice that the Root ID and Bridge ID sections show the same MAC address. That’s because the root bridge is describing itself.

All of SW3’s ports are designated and forwarding. Root bridge ports are never blocked, which is exactly why you want your most capable, most centrally placed switch to be the root. If you’re deploying STP in a production environment, always configure the root bridge manually by lowering its priority (to a multiple of 4096) rather than relying on the MAC address lottery, and give a second switch the next-lowest value so the backup root is also your choice. Keep in mind that the election trusts whatever BPDUs arrive: a device that sends a lower bridge ID on an ordinary access port becomes the root. Cisco’s BPDU Guard (shut the port if any BPDU arrives) and Root Guard (refuse a superior BPDU on that port) exist to stop that on ports that should never lead toward the root.
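Reading three of these outputs by eye is fine for a lab; across a site you want the check automated, so that every switch agrees on the expected root and the blocked ports are where you expect them. Below is an added example, written for this page and not taken from the article or from Cisco: a parser for the `show spanning-tree` layout shown above plus a cross-switch audit. The sample input is the three outputs from SW1, SW2 and SW3 on this page, embedded as text; the expected root MAC passed to the audit is the one SW3 reports.

```python
import re

# Sample input: the three `show spanning-tree` outputs shown above, embedded as text.
SHOW_OUTPUTS = {
    "SW1": """VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.34ca.1000
             Cost        19
             Port        19 (FastEthernet0/17)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0011.bb0b.3600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/14              Desg FWD 19        128.16   P2p
Fa0/17              Root FWD 19        128.19   P2p
""",
    "SW2": """VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.34ca.1000
             Cost        19
             Port        18 (FastEthernet0/16)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0019.569d.5700

Interface           Role Sts Cost      Prio.Nbr Type
Fa0/14              Altn BLK 19        128.16   P2p
Fa0/16              Root FWD 19        128.18   P2p
""",
    "SW3": """VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.34ca.1000
             This bridge is the root

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.34ca.1000

Interface        Role Sts Cost      Prio.Nbr Type
Fa0/14           Desg FWD 19        128.14   P2p
Fa0/16           Desg FWD 19        128.16   P2p
""",
}

_RE_VLAN = re.compile(r"^\s*VLAN(\d+)")
_RE_ID = re.compile(r"^\s*(Root|Bridge) ID\s+Priority\s+(\d+)(?:\s+\(priority (\d+) sys-id-ext (\d+)\))?")
_RE_ADDR = re.compile(r"^\s*Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
_RE_COST = re.compile(r"^\s*Cost\s+(\d+)")
_RE_PORT = re.compile(r"^\s*Port\s+\d+\s+\((\S+)\)")
_RE_TIMERS = re.compile(r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")
_RE_IFACE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+(\d+)\.(\d+)\s+(\S+)")


def parse_show_spanning_tree(text: str) -> dict:
    """Parse one VLAN instance of `show spanning-tree` (Cisco IOS PVST+ layout)."""
    view, section = {"vlan": None, "root": {}, "bridge": {}, "is_root": False, "interfaces": []}, None
    for line in text.splitlines():
        if m := _RE_VLAN.match(line):
            view["vlan"] = int(m.group(1))
        elif m := _RE_ID.match(line):  # "Root ID" / "Bridge ID" header switches section
            section = m.group(1).lower()
            view[section]["priority"] = int(m.group(2))
            if m.group(3):  # only the Bridge ID line shows base priority + sys-id-ext
                view[section].update(base_priority=int(m.group(3)), sys_id_ext=int(m.group(4)))
        elif "This bridge is the root" in line:
            view["is_root"] = True
        elif section and (m := _RE_ADDR.match(line)):
            view[section]["address"] = m.group(1)
        elif section == "root" and (m := _RE_COST.match(line)):
            view["root"]["cost"] = int(m.group(1))
        elif section == "root" and (m := _RE_PORT.match(line)):
            view["root"]["port"] = m.group(1)
        elif section == "root" and (m := _RE_TIMERS.search(line)):
            view["root"]["timers"] = tuple(int(x) for x in m.groups())
        elif m := _RE_IFACE.match(line):
            name, role, state, cost, prio, nbr, ptype = m.groups()
            view["interfaces"].append({"name": name, "role": role, "state": state,
                                       "cost": int(cost), "port_id": f"{prio}.{nbr}", "type": ptype})
    return view


def audit_root(views: dict, expected_root: str) -> dict:
    # Every switch must agree on the expected root; exactly one should claim it; blocked ports are listed.
    report = {"root_mismatch": [], "root_claimants": [], "blocked": []}
    for name, text in views.items():
        v = parse_show_spanning_tree(text)
        if v["root"].get("address") != expected_root:
            report["root_mismatch"].append((name, v["root"].get("address")))
        if v["is_root"]:
            report["root_claimants"].append(name)
        for itf in v["interfaces"]:
            if itf["state"] == "BLK":
                report["blocked"].append((name, itf["name"], itf["role"]))
    return report
```

A non-empty `root_mismatch`, or more than one claimant, is the first thing to look at when the root has silently moved: either someone plugged in a switch with a lower bridge ID, or a VLAN’s priority was changed on the wrong box.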

Summary

Spanning Tree Protocol solves a fundamental Layer 2 problem: how to provide link redundancy without creating traffic loops. It does this by electing a root bridge, calculating the shortest path from every switch to that root, and blocking any port that would otherwise create a loop.

The three port roles — designated, root, and alternate — define how each port participates in the topology. An alternate port sits in the blocking state; a port that is going to forward passes through listening and learning first, and those timed transitions control how the network behaves while it converges.

On Cisco switches, STP is always on and always working in the background. The show spanning-tree command gives you a complete view of the topology from any switch’s perspective, including the root bridge identity, port roles, port states, and the timers that drive convergence.
