Chapter 4: Spanning Tree Protocol and Loop Prevention on AOS-CX

Learning Objectives

Layer 2 networks built with Ethernet have a wonderful property — broadcast domains scale gracefully because every switch learns MAC addresses dynamically. They also have a terrible property: a single redundant cable can collapse the entire network in seconds. Spanning Tree Protocol (STP) and its successors are the antidote. On AOS-CX, the modern incarnation is Multiple Spanning Tree Protocol (MSTP).

Section 1: STP/RSTP/MSTP Fundamentals

Pre-reading Check — Section 1

1. What is the primary purpose of Spanning Tree Protocol?

A. Encrypt Layer 2 traffic between switches.
B. Prevent Layer 2 loops while preserving redundant paths for failover.
C. Replace VLANs with a single broadcast domain.
D. Discover MAC addresses faster than dynamic learning.

2. Which switch becomes the root bridge in a spanning-tree topology?

A. The switch with the highest Bridge ID.
B. The switch with the most physical ports.
C. The switch with the lowest Bridge ID (priority + MAC).
D. The switch elected by an administrator at runtime.

3. By default, spanning tree on AOS-CX switches is:

A. Enabled in PVST+ mode.
B. Enabled in RSTP mode.
C. Disabled — you must enable it explicitly.
D. Enabled only on uplink ports.

4. Which RSTP port state replaces classic STP's Disabled, Blocking, and Listening states?

A. Forwarding
B. Learning
C. Discarding
D. Designated

Why a Spanning Tree?

Imagine three switches cabled in a triangle. When a single broadcast frame leaves a host, every switch floods it out every port. The frame travels around the triangle and returns. Within seconds, the network has billions of copies of one frame circulating, and Ethernet has no Time-to-Live field to stop them.

Spanning tree's job is to elect a root bridge and have every other switch select a single best path back to that root, blocking all other paths. The result is a tree topology — loop-free by construction — that can be re-computed if any link fails.

Animation: Root Bridge Election via BPDU Exchange
[Animation frames: SW1 BID 32768:AAAA and SW2 BID 32768:BBBB (default priority), SW3 BID 4096:CCCC (lowest BID, root bridge); port labels DP (designated), RP (root) and BLOCK on the SW1-SW2 link.]
SW3 has the lowest Bridge ID (priority 4096) and wins the root election. SW1 and SW2 each select a root port toward SW3, and the redundant link between them gets blocked to break the loop.

Bridge ID, Root Election, and Path Cost

Every switch participating in spanning tree has a Bridge ID (BID) composed of two parts: a 16-bit priority (default 32768, multiples of 4096) and the switch's MAC address used as a tiebreaker. The switch with the lowest Bridge ID wins the root election. Once a root is chosen, every other switch calculates the cost of reaching the root over each link and selects the lowest-cost path — that becomes the root port.

Link Speed    IEEE 802.1D-2004 (Long)    Original 802.1D (Short)
10 Mbps       2,000,000                  100
100 Mbps      200,000                    19
1 Gbps        20,000                     4
10 Gbps       2,000                      2
100 Gbps      200                        1
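
The election and root-port selection just described, as an added example (not course or Aruba code): Bridge IDs compare as (priority, MAC), lowest wins, and each non-root bridge takes the lowest-cost path using the long costs from the table, with equal-cost ties going to the lower sender Bridge ID. The switch names, MACs and 1 Gbps triangle below are constructed to match the animation.

```python
"""Root election and port roles for the triangle example (constructed model,
not course code). Bridge IDs are (priority, MAC), lowest wins; each non-root
bridge takes the lowest-cost path to the root (802.1D-2004 long costs)."""
from dataclasses import dataclass

# link speed in Mbps -> IEEE 802.1D-2004 long path cost (chapter table)
LONG_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000, 100_000: 200}


@dataclass(frozen=True)
class BridgeID:
    priority: int   # multiple of 4096 in 0..61440 (default 32768)
    mac: str        # tiebreaker, compared as a 48-bit number

    def key(self):
        return (self.priority, int(self.mac.replace(":", ""), 16))


def root_path_costs(bridges, links):
    """Elect the root, then shortest paths: returns (root, {bridge: (cost, via)})."""
    root = min(bridges, key=lambda n: bridges[n].key())
    dist = {n: (0 if n == root else float("inf"), None) for n in bridges}
    settled = set()
    while len(settled) < len(bridges):
        cur = min((n for n in bridges if n not in settled), key=lambda n: dist[n][0])
        settled.add(cur)
        for link, speed in links.items():
            if cur not in link:
                continue
            (nbr,) = link - {cur}
            cand, (best, via) = dist[cur][0] + LONG_COST[speed], dist[nbr]
            # lower total cost wins; equal cost falls to the lower sender BID
            if cand < best or (cand == best and bridges[cur].key() < bridges[via].key()):
                dist[nbr] = (cand, cur)
    return root, dist


def port_roles(bridges, links):
    """Label each (bridge, neighbour) port root, designated or alternate."""
    root, dist = root_path_costs(bridges, links)
    roles = {}
    for link in links:
        a, b = sorted(link)
        if dist[a][1] == b:
            roles[(a, b)], roles[(b, a)] = "root", "designated"
        elif dist[b][1] == a:
            roles[(b, a)], roles[(a, b)] = "root", "designated"
        else:  # redundant link: better (cost, BID) end is designated, other end blocks
            ka, kb = (dist[a][0], bridges[a].key()), (dist[b][0], bridges[b].key())
            des, alt = (a, b) if ka < kb else (b, a)
            roles[(des, alt)], roles[(alt, des)] = "designated", "alternate"
    return root, roles


# Constructed triangle from the animation: SW3 wins with priority 4096.
BRIDGES = {"SW1": BridgeID(32768, "aa:aa:aa:aa:aa:aa"),
           "SW2": BridgeID(32768, "bb:bb:bb:bb:bb:bb"),
           "SW3": BridgeID(4096, "cc:cc:cc:cc:cc:cc")}
LINKS = {frozenset(p): 1_000 for p in (("SW1", "SW2"), ("SW1", "SW3"), ("SW2", "SW3"))}
```

Downgrading the SW1-SW3 link to 100 Mbps in LINKS moves SW1's root port to SW2, which is the path-cost effect the table describes.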

BPDUs: How Switches Talk Spanning Tree

Switches exchange information using Bridge Protocol Data Units (BPDUs) — small frames sent every 2 seconds (default Hello time) to the multicast address 01:80:C2:00:00:00. Configuration BPDUs carry root ID, sender BID, root path cost, and timers. Topology Change Notification (TCN) BPDUs are sent toward the root when a link goes up/down, telling the root to flush MAC tables network-wide.

Port Roles and States

State (RSTP/MSTP)   Forwards Data?   Learns MACs?   Sends BPDUs?
Discarding          No               No             Sends/receives
Learning            No               Yes            Yes
Forwarding          Yes              Yes            Yes
Animation: Port State Transitions with Forward-Delay Timers
[Animation frames: DISCARDING (no forwarding, no learning, BPDUs only) → LISTENING (classic STP, 15 s forward delay) → LEARNING (MAC learning on, no data forwarding) → FORWARDING (full data plane, MAC + BPDUs), one forward-delay timer per transition. RSTP: edge ports skip listening/learning and go straight to FORWARDING (sub-second); RSTP collapses Disabled / Blocking / Listening into DISCARDING.]
Each forward-delay timer is 15 seconds in classic STP. RSTP replaces these with sub-second proposal/agreement handshakes on point-to-point links.

Port roles in RSTP/MSTP: Root (best path to the root, one per non-root switch), Designated (best path on a segment), Alternate (backup root port), Backup (backup designated port).

RSTP Convergence

Classic 802.1D took 30–50 seconds. RSTP (802.1w) adds proposal/agreement handshakes on point-to-point links, edge ports that skip listen/learn, and pre-computed alternate ports for near-instant failover. Result: convergence in under a second.

MSTP Regions and Instances

Per-VLAN spanning tree (PVST+) runs one tree per VLAN — doesn't scale. MSTP (802.1s) groups VLANs into a small number of Multiple Spanning Tree Instances (MSTIs). A group of switches with identical config-name + revision + VLAN-to-instance map forms an MST region. Outside the region, the entire region looks like a single bridge in the Common and Internal Spanning Tree (CIST / Instance 0).

graph TD
  subgraph CIST [CIST / Instance 0 - VLANs 1, 99 default]
    Root[Root Bridge - DIST-A priority 0]
  end
  subgraph MSTI1 [MSTI 1 - VLANs 10-20]
    Root1[Root: DIST-A priority 4096]
  end
  subgraph MSTI2 [MSTI 2 - VLANs 30-40]
    Root2[Root: DIST-B priority 4096]
  end

Default AOS-CX Behavior

Spanning tree is disabled by default on AOS-CX switches. If you cable two AOS-CX switches together with redundant links and forget to enable spanning tree, you will create an instant Layer 2 loop. When enabled, AOS-CX defaults to MSTP mode.

Key Takeaways — Section 1

Post-reading Check — Section 1

1. What is the primary purpose of Spanning Tree Protocol?

A. Encrypt Layer 2 traffic between switches.
B. Prevent Layer 2 loops while preserving redundant paths for failover.
C. Replace VLANs with a single broadcast domain.
D. Discover MAC addresses faster than dynamic learning.

2. Which switch becomes the root bridge in a spanning-tree topology?

A. The switch with the highest Bridge ID.
B. The switch with the most physical ports.
C. The switch with the lowest Bridge ID (priority + MAC).
D. The switch elected by an administrator at runtime.

3. By default, spanning tree on AOS-CX switches is:

A. Enabled in PVST+ mode.
B. Enabled in RSTP mode.
C. Disabled — you must enable it explicitly.
D. Enabled only on uplink ports.

4. Which RSTP port state replaces classic STP's Disabled, Blocking, and Listening states?

A. Forwarding
B. Learning
C. Discarding
D. Designated

Section 2: MSTP Configuration on AOS-CX

Pre-reading Check — Section 2

1. Which three settings define an MST region?

A. Bridge priority, hello time, and forward delay.
B. Config-name, config-revision, and VLAN-to-instance mapping.
C. Hostname, MAC address, and VLAN list.
D. Port role, port state, and path cost.

2. What value must MSTP bridge priority be a multiple of?

A. 1024
B. 2048
C. 4096
D. 8192

3. If a VLAN is not explicitly mapped to a numbered MSTI, where does it live?

A. It is dropped silently.
B. Instance 0 (CIST/IST).
C. The highest-numbered instance.
D. A floating instance auto-allocated per switch.

4. Which command verifies the MST region config-name, revision, and digest?

A. show vlan
B. show spanning-tree mst-config
C. show running-config interface
D. show mac-address-table

Enabling MSTP and the Region

Three settings define an MST region: config-name (a string of up to 32 characters), config-revision (0–65535), and the VLAN-to-instance mapping. AOS-CX hashes the VLAN-to-instance mapping into a 16-byte config digest; two switches whose name, revision, or digest differ treat each other as separate regions.

switch(config)# spanning-tree
switch(config)# spanning-tree mode mstp
switch(config)# spanning-tree config-name CAMPUS-CORE
switch(config)# spanning-tree config-revision 1

VLAN-to-Instance Mapping

By default, all VLANs map to Instance 0 (CIST/IST). Create additional instances and explicitly map VLANs to balance load:

switch(config)# spanning-tree instance 1 vlan 10-20,30
switch(config)# spanning-tree instance 2 vlan 40-50,99
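
How the region digest behind show spanning-tree mst-config comes about, as an added example (not course or Aruba code): IEEE 802.1Q defines it as HMAC-MD5 over the 4096-entry VLAN-to-MSTID table (one big-endian 16-bit MSTID per VID) with a fixed published key, so any VLAN mapped differently on two switches changes the digest and splits the region. The DIST-A/DIST-B configurations below are constructed; DIST-A uses the chapter's mapping and DIST-B omits VLAN 99.

```python
"""MST configuration digest as defined in IEEE 802.1Q (added example, not
AOS-CX code). The digest is HMAC-MD5 over the 8192-octet VLAN-to-MSTID table,
so two switches share a region only if name, revision and digest all match."""
import hashlib
import hmac

# Signature key published in IEEE 802.1Q for the MST Configuration Identifier
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec: str) -> set[int]:
    """'10-20,30' (the CLI syntax used above) -> {10, ..., 20, 30}."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vids.update(range(lo, hi + 1))
    return vids


def config_digest(instance_map: dict[int, str]) -> str:
    """instance_map = {mstid: vlan_spec}; unmapped VLANs stay in instance 0."""
    table = [0] * 4096                     # element i holds the MSTID of VID i
    for mstid, spec in instance_map.items():
        for vid in parse_vlan_list(spec):
            if table[vid]:
                raise ValueError(f"VLAN {vid} mapped to two instances")
            table[vid] = mstid
    data = b"".join(v.to_bytes(2, "big") for v in table)   # 8192 octets
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def same_region(a: dict, b: dict) -> bool:
    """Region membership needs all three identifiers to agree."""
    ident = lambda s: (s["name"], s["revision"], config_digest(s["instances"]))
    return ident(a) == ident(b)


# Constructed: DIST-A follows the chapter's mapping; DIST-B forgot VLAN 99.
DIST_A = {"name": "CAMPUS-CORE", "revision": 1,
          "instances": {1: "10-20,30", 2: "40-50,99"}}
DIST_B = {"name": "CAMPUS-CORE", "revision": 1,
          "instances": {1: "10-20,30", 2: "40-50"}}
```

With every VLAN left in instance 0 the table is all zeros, which yields the well-known default digest AC36177F50283CD4B83821D8AB26DE62 that a freshly enabled switch reports.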

Tuning Bridge Priority

Priority is set per instance and must be a multiple of 4096. Lower wins.

switch(config)# spanning-tree instance 0 priority 0          ! CIST root
switch(config)# spanning-tree instance 1 priority 4096        ! MSTI 1 root
switch(config)# spanning-tree instance 2 priority 8192        ! MSTI 2 secondary

Reserve priority 0 for the intentional root and priority 4096 for the secondary root. Leaving priorities at 32768 means whichever switch boots first with the lowest MAC becomes root.

Two-Switch Active/Active Example

DIST-A roots MSTI 1 (VLANs 10–20); DIST-B roots MSTI 2 (VLANs 40–50). Each is the secondary for the other:

# DIST-A
spanning-tree instance 1 priority 0          ! root for MSTI 1
spanning-tree instance 2 priority 4096        ! secondary for MSTI 2

# DIST-B
spanning-tree instance 1 priority 4096        ! secondary for MSTI 1
spanning-tree instance 2 priority 0          ! root for MSTI 2

Per-Port Cost and Priority

switch(config)# interface 1/1/49
switch(config-if)# spanning-tree instance 1 cost 1000
switch(config-if)# spanning-tree instance 1 port-priority 16

Verification

switch# show spanning-tree
switch# show spanning-tree mst-config
switch# show spanning-tree mst 1
switch# show spanning-tree detail

show spanning-tree mst-config echoes the config-name, revision, and digest hash — the easiest way to spot a region mismatch.

Key Takeaways — Section 2

Post-reading Check — Section 2

1. Which three settings define an MST region?

A. Bridge priority, hello time, and forward delay.
B. Config-name, config-revision, and VLAN-to-instance mapping.
C. Hostname, MAC address, and VLAN list.
D. Port role, port state, and path cost.

2. What value must MSTP bridge priority be a multiple of?

A. 1024
B. 2048
C. 4096
D. 8192

3. If a VLAN is not explicitly mapped to a numbered MSTI, where does it live?

A. It is dropped silently.
B. Instance 0 (CIST/IST).
C. The highest-numbered instance.
D. A floating instance auto-allocated per switch.

4. Which command verifies the MST region config-name, revision, and digest?

A. show vlan
B. show spanning-tree mst-config
C. show running-config interface
D. show mac-address-table

Section 3: STP Edge Protection Features

Pre-reading Check — Section 3

1. What does BPDU guard do when a BPDU arrives on an edge port?

A. Forwards the BPDU and ignores the event.
B. Floods the BPDU to all other edge ports.
C. Err-disables the port (BpduError state).
D. Promotes the port to designated.

2. Which guard prevents a downstream switch from becoming the root bridge?

A. Loop guard
B. Root guard
C. BPDU filter
D. Storm control

3. Which feature is best suited to protect against unidirectional fiber failures on access uplinks?

A. BPDU guard
B. Loop guard
C. Edge-port declaration
D. Root guard

4. How does BPDU filter differ from BPDU guard?

A. BPDU filter err-disables; BPDU guard logs only.
B. BPDU filter silently drops BPDUs; BPDU guard err-disables the port.
C. They are identical synonyms.
D. BPDU filter only applies to trunks.

Admin-Edge-Port and BPDU Guard

An edge port is connected to a host. Declaring it edge makes RSTP skip listening/learning and go straight to forwarding. BPDU guard (also called bpdu-protection) enforces the no-switch promise: if any BPDU arrives, the port is err-disabled into the BpduError state.

switch(config)# interface 1/1/1
switch(config-if)# spanning-tree bpdu-guard
switch(config-if)# spanning-tree port-type admin-edge
Animation: BPDU Guard Err-Disabling a Rogue Edge Port
[Animation frames: ACCESS-1 (AOS-CX) port 1/1/1 configured admin-edge + bpdu-guard; an end-user laptop sends no BPDUs (legitimate); a rogue switch is plugged in and starts emitting BPDUs; port 1/1/1 status becomes BpduError, err-disabled until an administrator runs "no shutdown" to restore it.]
A rogue switch is plugged into a host port. The first BPDU it emits travels up the cable; BPDU guard immediately err-disables the port. The user gets no network until an administrator investigates.

Root Guard

Root guard prevents a downstream switch from becoming root. Apply it on aggregation/core downlinks toward access. If a superior BPDU arrives, the port enters root-inconsistent state and stops forwarding until offending BPDUs cease.

switch(config)# interface 1/1/47
switch(config-if)# spanning-tree root-guard

Loop Guard

Loop guard protects against unidirectional link failures. If a non-edge port stops receiving BPDUs, loop guard places it in loop-inconsistent state. Apply on access-to-aggregation uplinks.

switch(config)# interface 1/1/48
switch(config-if)# spanning-tree loop-guard

Loop-Protect (Aruba-specific)

loop-protect sends loop-detection probe frames; if they return, the port is disabled. Use it on access ports alongside BPDU guard to catch BPDU-silent loops.

Filtering vs Guarding — Comparison

Feature           Trigger                  Action                      Where to Apply
Admin-edge-port   Declaration              Skip listen/learn           Host-facing access ports
BPDU Guard        Any BPDU on edge port    Err-disable (BpduError)     Host-facing access ports
BPDU Filter       Any BPDU                 Drop silently               Rare; specific cases only
Root Guard        Superior BPDU            Root-inconsistent (block)   Core/agg downlinks
Loop Guard        BPDUs stop arriving      Loop-inconsistent (block)   Access uplinks
Loop-Protect      Probe frame returns      Disable port                Access endpoint ports

Best-Practice Placement

graph TD
  Core[Core / Distribution]
  Agg[Aggregation Switch]
  Acc[Access Switch]
  Host[End Host / Phone]
  Core -- "root-guard" --> Agg
  Agg -- "root-guard" --> Acc
  Acc -- "loop-guard (uplink)" --> Agg
  Acc -- "admin-edge + bpdu-guard + loop-protect" --> Host

Key Takeaways — Section 3

Post-reading Check — Section 3

1. What does BPDU guard do when a BPDU arrives on an edge port?

A. Forwards the BPDU and ignores the event.
B. Floods the BPDU to all other edge ports.
C. Err-disables the port (BpduError state).
D. Promotes the port to designated.

2. Which guard prevents a downstream switch from becoming the root bridge?

A. Loop guard
B. Root guard
C. BPDU filter
D. Storm control

3. Which feature is best suited to protect against unidirectional fiber failures on access uplinks?

A. BPDU guard
B. Loop guard
C. Edge-port declaration
D. Root guard

4. How does BPDU filter differ from BPDU guard?

A. BPDU filter err-disables; BPDU guard logs only.
B. BPDU filter silently drops BPDUs; BPDU guard err-disables the port.
C. They are identical synonyms.
D. BPDU filter only applies to trunks.

Section 4: Troubleshooting Spanning Tree

Pre-reading Check — Section 4

1. A port shows status BpduError. Most likely cause?

A. Cable was unplugged for 30 seconds.
B. A BPDU was received on a port protected by BPDU guard.
C. The port was administratively shut down.
D. The port hit its bandwidth limit.

2. Two switches each show themselves as the root for MSTI 1. First diagnostic step?

A. Reboot both switches.
B. Run show spanning-tree mst 1 on each and compare priorities.
C. Replace SFPs on uplinks.
D. Disable spanning tree globally.

3. What happens when a flapping link generates frequent TCNs?

A. Routing table is recomputed.
B. MAC tables get aged out aggressively, causing brief outages.
C. BPDU guard fires on all access ports.
D. Spanning tree disables itself.

4. What does storm control do?

A. Replaces spanning tree.
B. Rate-limits broadcast/multicast/unknown-unicast traffic per interface.
C. Encrypts BPDU frames.
D. Forwards all storms to a sinkhole.

The Essential Show Commands

switch# show spanning-tree
switch# show spanning-tree mst 1
switch# show spanning-tree mst-config
switch# show spanning-tree detail
switch# show spanning-tree interface 1/1/49

Identifying Unstable Roots

Symptoms include conflicting "we are the root" answers, TC counters incrementing every few seconds, and "topology change detected" log entries. Diagnosis:

  1. Compare bridge priorities — ties at default 32768 mean lower MAC wins; reboots can swap roles.
  2. Check MAC tiebreakers when priorities accidentally match.
  3. Inspect for region mismatches: show spanning-tree mst-config on each switch.
  4. Look for flapping uplinks: show interface 1/1/49 brief.

Reading Inconsistency States

Marker              Meaning                                                     Likely Cause
BpduError           BPDU guard tripped on edge port                             Switch plugged into host port
Root Inconsistent   Root guard tripped — superior BPDU received                 Misconfigured downstream switch
Loop Inconsistent   Loop guard tripped — non-edge port stopped receiving BPDUs  Unidirectional fiber, distant crash
Disputed            Conflicting BPDU info on designated port                    Two switches each claim designated

Storm Control

switch(config)# interface 1/1/1
switch(config-if)# storm-control broadcast level pps 1000
switch(config-if)# storm-control multicast level pps 1000
switch(config-if)# storm-control unknown-unicast level pps 500

Storm control is defense-in-depth alongside spanning tree, not a replacement.

Common Loop Patterns

Pattern                            Symptom                          Fix
Two access switches with STP off   Broadcast storm; CPU 100%        Enable STP; consider MC-LAG
User loops two wall jacks          Rapid link flap; CPU high        BPDU guard + loop-protect on host ports
MSTP region digest mismatch        Switches form separate regions   Match config-name, revision, VLAN map
Rogue switch on user port          Root re-election; user drops     Root guard on uplinks; BPDU guard on host ports
Unidirectional fiber               Slow drift; periodic outages     Loop guard on access uplinks

Outage Post-Mortem Walkthrough

VLAN 30 (printers) drops every ~4 minutes. Steps: show spanning-tree mst 2 shows TC counter incrementing; show log | include spanning-tree reveals "Topology change received on interface 1/1/24"; show interface 1/1/24 transceiver reveals 7% optical receive level — failing optic. Replace SFP. TCs stop. The actual root never moved; a flapping link in MSTI 2 generated TCs that flushed the MAC table and printers (which cache poorly) lost connectivity.
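
The repeating-TC symptom from the walkthrough, turned into a detection check as an added example (not course or AOS-CX code): it pulls "Topology change received on interface" events out of log lines and flags any interface that produces a burst of them inside a sliding window, which is how a flapping optic like the one above stands out from a one-off change. The log lines are constructed for the example; the timestamp layout and regex are assumptions, since the real AOS-CX event format differs.

```python
"""Flag interfaces generating repeated spanning-tree topology changes
(added example, not AOS-CX code). Input is a list of constructed log lines;
the regex and timestamp layout are assumptions about a syslog-style export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TC_RE = re.compile(r"^(?P<ts>\S+)\s+.*Topology change received on interface (?P<ifc>\S+)")


def parse_tc_events(lines):
    """Yield (timestamp, interface) for every topology-change log line."""
    for line in lines:
        m = TC_RE.search(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ifc"]


def flapping_interfaces(lines, window=timedelta(minutes=15), threshold=3):
    """Interfaces with >= threshold TCs inside any sliding `window`.
    Returns {interface: most TCs seen in one window}; a single TC is normal."""
    per_ifc = defaultdict(list)
    for ts, ifc in parse_tc_events(lines):
        per_ifc[ifc].append(ts)
    flagged = {}
    for ifc, stamps in per_ifc.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ifc] = peak
    return flagged


# Constructed sample: 1/1/24 changes every ~4 minutes (failing optic); 1/1/49 once.
SAMPLE_LOG = """\
2024-03-05T09:00:02 DIST-B stp: Topology change received on interface 1/1/24
2024-03-05T09:03:58 DIST-B stp: Topology change received on interface 1/1/24
2024-03-05T09:04:10 DIST-B stp: Topology change received on interface 1/1/49
2024-03-05T09:08:05 DIST-B stp: Topology change received on interface 1/1/24
2024-03-05T09:12:01 DIST-B stp: Topology change received on interface 1/1/24
2024-03-05T09:16:12 DIST-B stp: Topology change received on interface 1/1/24
2024-03-05T09:16:30 DIST-B lldp: neighbor refresh on interface 1/1/24
""".splitlines()
```

On the sample, only 1/1/24 is flagged; checking that interface's transceiver receive level, as the walkthrough does, is the natural next step.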

Key Takeaways — Section 4

Post-reading Check — Section 4

1. A port shows status BpduError. Most likely cause?

A. Cable was unplugged for 30 seconds.
B. A BPDU was received on a port protected by BPDU guard.
C. The port was administratively shut down.
D. The port hit its bandwidth limit.

2. Two switches each show themselves as the root for MSTI 1. First diagnostic step?

A. Reboot both switches.
B. Run show spanning-tree mst 1 on each and compare priorities.
C. Replace SFPs on uplinks.
D. Disable spanning tree globally.

3. What happens when a flapping link generates frequent TCNs?

A. Routing table is recomputed.
B. MAC tables get aged out aggressively, causing brief outages.
C. BPDU guard fires on all access ports.
D. Spanning tree disables itself.

4. What does storm control do?

A. Replaces spanning tree.
B. Rate-limits broadcast/multicast/unknown-unicast traffic per interface.
C. Encrypts BPDU frames.
D. Forwards all storms to a sinkhole.
