STP limits where a switch chooses to forward frames, for the purpose of preventing problems with loops. These problems happen because, in some cases, the core LAN switch logic would literally forward a frame around the LAN forever without some external method like STP to prevent it. So, to understand STP, you need a good recall of the core logic of a LAN switch, particularly the switch forwarding logic. Then you can understand why frames would loop without STP, and then how STP prevents the loop.


Broadcast storm

MAC Table instability

The continual updating of a switch’s MAC address table with incorrect entries, in reaction to looping frames, resulting in frames being sent to the wrong locations.

Multiple frame transmission

A side effect of looping frames in which multiple copies of one frame are delivered to the intended host, confusing the host.

How does it work


Bridge ID




Root Election

Summarizing, the root election happens through each switch claiming to be root, with the best switch being elected based on the numerically lowest BID. Breaking down the BID into its components, the comparisons can be made as:

Root Port

Has the least STP cost to reach the root switch.

STP/root cost
The STP port cost is simply an integer value assigned to each interface, per VLAN, for the purpose of providing an objective measurement that allows STP to choose which interfaces to add to the STP topology.

Designated Port

The designated port on each LAN segment is the switch port that advertises the lowest-cost hello onto that LAN segment.

How Switches react to changes with STP

There are some timers:


PortFast allows a switch to immediately transition from blocking to forwarding, bypassing listening and learning states. However, the only ports on which you can safely enable PortFast are ports on which you know that no bridges, switches, or other STP-speaking devices are connected. Otherwise, using PortFast risks creating loops, the very thing that the listening and learning states are intended to avoid.

PortFast is most appropriate for connections to end-user devices. If you turn on PortFast on ports connected to end-user devices, when an end-user PC boots, the switch port can move to an STP forwarding state and forward traffic as soon as the PC NIC is active. Without PortFast, each port must wait while the switch confirms that the port is a DP, and then wait while the interface sits in the temporary listening and learning states before settling into the forwarding state.

BPDU Guard

STP has some attack vectors. For example:

The Cisco BPDU Guard feature helps defeat these kinds of problems by disabling a port if any BPDUs are received on the port.

So, this feature is particularly useful on ports that should be used only as an access port and never connected to another switch.

In addition, the BPDU Guard feature helps prevent problems with PortFast. PortFast should be enabled only on access ports that connect to user devices, not to other LAN switches. Using BPDU Guard on these same ports makes sense because if another switch connects to such a port, the local switch can disable the port before a loop is created.
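
A check for the pairing described above, as an added example (not from the original page or from Cisco): a small Python audit that reads an IOS-style running-config and lists interfaces where PortFast is enabled but BPDU Guard is not in effect. The sample configuration is constructed and the function name `audit_portfast` is hypothetical; only PortFast set per interface is considered, not a global PortFast default.

```python
import re

# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/24
 switchport mode trunk
"""

# Global command that turns BPDU Guard on for every PortFast port (older and newer syntax).
GLOBAL_GUARD = re.compile(r"spanning-tree portfast( edge)? bpduguard default")

def audit_portfast(config):
    """Return interfaces that have PortFast enabled without BPDU Guard in effect."""
    global_guard = False
    ports = {}       # interface name -> {"portfast": bool, "guard": True/False/None}
    current = None   # interface block being parsed, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # any top-level line closes the interface block
            current = None
            m = re.fullmatch(r"interface (\S+)", line)
            if m:
                current = ports.setdefault(m.group(1), {"portfast": False, "guard": None})
            elif GLOBAL_GUARD.fullmatch(line):
                global_guard = True
        elif current is not None:
            if re.fullmatch(r"spanning-tree portfast( edge)?", line):
                current["portfast"] = True
            elif m := re.fullmatch(r"spanning-tree bpduguard (enable|disable)", line):
                current["guard"] = m.group(1) == "enable"
    # An explicit per-interface setting overrides the global default.
    return [name for name, p in ports.items()
            if p["portfast"] and not (global_guard if p["guard"] is None else p["guard"])]

if __name__ == "__main__":
    print(audit_portfast(SAMPLE_CONFIG))
```
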

Rapid STP (IEEE 802.1w)

RSTP works like STP; its main improvement is convergence. STP takes a relatively long time to converge (50 seconds with the default settings). RSTP improves network convergence when topology changes occur, usually converging within a few seconds, or in poor conditions, in about 10 seconds.

Advanced topics

Campus LAN





STP System ID Extension

Port cost

Influencing the root election


Cisco supports:

How to use it properly: