Spanning Tree Protocol
Spanning Tree Protocol variants (PVST+, Rapid-PVST+, MST), root bridge tuning, and portfast configuration.
STP Verification
Show spanning-tree state for all VLANs — root ID, bridge ID, port roles and states
show spanning-tree
show spanning-tree vlan 10
Show STP status for a specific interface — role (Root/Desg/Altn/Back), state (FWD/BLK/LRN/LIS)
show spanning-tree interface GigabitEthernet1/0/1
show spanning-tree interface GigabitEthernet1/0/1 detail
Show which switch is root bridge for each VLAN
show spanning-tree root
Rapid PVST+ (Default Mode)
Cisco default is RPVST+ — per-VLAN rapid spanning tree; confirm mode
show spanning-tree summary
Set STP mode explicitly — RPVST+ or MST
configure terminal
spanning-tree mode rapid-pvst
end
Root Bridge Election
Make this switch root bridge for VLAN 10 — sets priority to 24576 (or lower if needed)
configure terminal
spanning-tree vlan 10 root primary
end
Make this switch secondary root — sets priority to 28672; takes over if primary fails
configure terminal
spanning-tree vlan 10 root secondary
end
Set priority manually — must be multiple of 4096; lower wins; default is 32768
configure terminal
spanning-tree vlan 10 priority 4096
end
Extended system-id — adds VLAN ID to bridge priority; enabled by default on modern IOS
show spanning-tree bridge
! Bridge ID priority = Priority (4096) + VLAN ID (10) = 4106
PortFast
PortFast — skip listening/learning states; port goes straight to forwarding instead of waiting out the 30-second convergence delay; access ports only
configure terminal
interface GigabitEthernet1/0/1
spanning-tree portfast
end
Enable PortFast globally on all access ports — does not affect trunk ports
configure terminal
spanning-tree portfast default
end
PortFast edge (RPVST+ terminology) — functionally identical to portfast
configure terminal
interface GigabitEthernet1/0/1
spanning-tree portfast edge
end
BPDU Guard
BPDU Guard — err-disables port if BPDU received; protects against rogue switches on access ports
configure terminal
interface GigabitEthernet1/0/1
spanning-tree bpduguard enable
end
Enable BPDU Guard globally on all PortFast ports
configure terminal
spanning-tree portfast bpduguard default
end
Recovery from err-disabled state — manually or with auto-recovery timer
! Manual recovery
configure terminal
interface GigabitEthernet1/0/1
shutdown
no shutdown
end
! Auto-recovery — re-enable after 300 seconds
configure terminal
errdisable recovery cause bpduguard
errdisable recovery interval 300
end
Verify err-disabled ports
show interfaces status err-disabled
show errdisable recovery
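Added example (not part of the original cheat sheet): a Python audit that reads a running-config and lists non-trunk ports where PortFast is active but BPDU Guard is not, taking the global defaults and per-interface overrides into account. The sample config is constructed; treating every port without switchport mode trunk as an access port, and accepting the edge spelling of the global default commands, are assumptions of this example.

```python
import re

# Constructed sample running-config for the demo (not from a real device).
SAMPLE_CONFIG = """\
spanning-tree portfast default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 spanning-tree guard root
"""

def audit_bpduguard(config):
    """Return {interface: finding} for non-trunk ports running PortFast without BPDU Guard."""
    glob, intfs, cur = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace() and cur is not None:
            cur.add(line)                      # indented: belongs to current interface
        elif line.startswith("interface "):
            cur = intfs.setdefault(line.split()[1], set())
        elif line and not line.startswith("!") and not raw[0].isspace():
            cur = None                         # other top-level line ends the interface block
            glob.add(line)
    pf_default = any(re.fullmatch(r"spanning-tree portfast( edge)? default", g) for g in glob)
    bg_default = any(re.fullmatch(r"spanning-tree portfast( edge)? bpduguard default", g) for g in glob)
    findings = {}
    for name, lines in intfs.items():
        if "switchport mode trunk" in lines:
            continue                           # assumption: everything else is an access port
        pf_local = any(re.fullmatch(r"spanning-tree portfast( edge)?", l) for l in lines)
        pf_global = pf_default and "spanning-tree portfast disable" not in lines
        guarded = "spanning-tree bpduguard enable" in lines or (
            bg_default and "spanning-tree bpduguard disable" not in lines)
        if (pf_local or pf_global) and not guarded:
            source = "interface command" if pf_local else "global default"
            findings[name] = f"PortFast ({source}) without BPDU Guard"
    return findings
```

The audit reflects configuration only; confirm operational state on the switch with show spanning-tree interface GigabitEthernet1/0/1 detail.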
Root Guard
Root Guard — prevents a port from becoming root port; protects root bridge topology
configure terminal
interface GigabitEthernet1/0/24
spanning-tree guard root
end
If superior BPDU arrives on root-guard port, port enters root-inconsistent state (blocking)
show spanning-tree inconsistentports
Loop Guard
Loop Guard — prevents alternate/root ports from transitioning to forwarding if BPDUs stop arriving (unidirectional link failure)
configure terminal
interface GigabitEthernet1/0/24
spanning-tree guard loop
end
Enable Loop Guard globally
configure terminal
spanning-tree loopguard default
end
STP Cost Manipulation
Modify port cost to influence path selection — lower cost is preferred
configure terminal
interface GigabitEthernet1/0/1
spanning-tree vlan 10 cost 10
end
Modify port priority — tiebreaker when cost is equal; lower wins; default 128; increments of 16
configure terminal
interface GigabitEthernet1/0/1
spanning-tree vlan 10 port-priority 64
end
STP Timers
Default timers — hello 2s, forward-delay 15s, max-age 20s; only modify on root bridge
configure terminal
spanning-tree vlan 10 hello-time 2
spanning-tree vlan 10 forward-time 15
spanning-tree vlan 10 max-age 20
end
Verification Summary
Key show commands for STP troubleshooting
show spanning-tree
show spanning-tree vlan 10
show spanning-tree root
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/0/1 detail
show spanning-tree inconsistentports
show interfaces status err-disabled