Configure and verify Spanning Tree Protocols (RSTP, MST) and enhancements (root guard, BPDU guard)

3.1 Layer 2

📘 CCNP ENCOR (350-401 ENCOR v1.1)


1. Spanning Tree Protocol (STP – IEEE 802.1D)

Spanning Tree Protocol (STP, IEEE 802.1D) is a Layer 2 protocol that prevents loops in switched networks. A loop exists whenever redundant links between switches form a circular path, and because Ethernet frames carry no TTL, a single broadcast or unknown-unicast frame can circulate forever. Loops are dangerous because:

  • They cause broadcast storms: broadcast and unknown-unicast frames are flooded endlessly and consume all available bandwidth.
  • They saturate switch CPUs and links, which slows down or stops legitimate traffic.
  • They cause MAC address table instability, because the same source MAC is learned on different ports in rapid succession.

STP exchanges Bridge Protocol Data Units (BPDUs), elects one root bridge, and blocks redundant paths so that exactly one active path exists between any two switches, while keeping the blocked paths ready to take over if the active path fails.


2. Rapid Spanning Tree Protocol (RSTP – IEEE 802.1w)

RSTP is the improved version of STP defined in IEEE 802.1w (since merged into 802.1D-2004). Classic STP needs 30–50 seconds to converge after a topology change (20 s max age plus two 15 s forward-delay periods); RSTP replaces most of the timers with an explicit handshake between neighbours and typically converges in a few seconds or less.

Key Concepts of RSTP:

  • Port Roles:
    • Root Port (RP): The port with the lowest path cost to the root bridge. Every non-root switch has exactly one; the root bridge has none.
    • Designated Port (DP): The port that sends the best BPDU onto a segment and forwards traffic for it. Exactly one per segment; every port on the root bridge is designated.
    • Alternate Port: A port that receives a superior BPDU from another switch. It is a blocked backup path to the root and takes over quickly if the root port fails.
    • Backup Port: A port that receives a superior BPDU from the same switch, which only happens when two ports of one switch sit on the same shared segment (e.g., through a hub). It backs up the designated port and is rarely seen today.
  • Port States (RSTP merges the five 802.1D states into three):
    • Discarding: Port neither forwards frames nor learns MAC addresses (replaces disabled, blocking and listening).
    • Learning: Port learns MAC addresses but does not forward frames yet.
    • Forwarding: Port forwards frames and learns MAC addresses.
  • Convergence Speed:
    On point-to-point links RSTP uses a proposal/agreement handshake: a designated port moves to forwarding as soon as the neighbour confirms it has blocked its other non-edge ports, so no forward-delay timer is needed. Edge ports (PortFast) go straight to forwarding; a port that receives a BPDU loses its edge status, which is the event BPDU Guard reacts to. RSTP also ages out stale information after three missed hellos (6 s) instead of waiting for max age (20 s).

RSTP IT Example:

  • In a data center, multiple switches are interconnected for redundancy. If the active uplink or switch fails, RSTP moves the alternate port to forwarding within a few seconds at most, keeping server connectivity without noticeable downtime.

3. Multiple Spanning Tree (MST – IEEE 802.1s)

MST (IEEE 802.1s, since merged into 802.1Q) maps VLANs to a small number of spanning-tree instances: a group of VLANs shares one instance, and different groups can use different instances, each with its own root bridge and therefore its own forwarding paths.

Why MST is useful:

  • Cisco's PVST+ and Rapid PVST+ run a separate spanning-tree instance for every VLAN, so each VLAN has its own BPDUs and its own topology computation. With hundreds of VLANs this is heavy on CPU and memory.
  • MST reduces that load by grouping VLANs into a few instances, while still allowing load sharing across redundant links by giving different instances different root bridges.

Key MST Concepts:

  • MST Region: A group of switches that agree on region name, revision number and VLAN-to-instance mapping. Switches do not exchange the mapping table itself; they exchange an MD5-based digest of it, so a single mistyped VLAN produces a different digest and a separate region.
  • MST Instance (MSTI): Each instance runs its own spanning tree, affecting only the VLANs mapped to it.
  • Internal Spanning Tree (IST): Instance 0. It always exists, carries every VLAN not explicitly mapped to another instance, and is the only instance that exchanges BPDUs with switches outside the region. Together with the Common Spanning Tree (CST) between regions it forms the CIST; to switches outside, a whole region looks like a single switch.

MST IT Example:

  • In an enterprise network with 100 VLANs, MST can group VLANs into 10 MSTIs. This reduces CPU load and allows more efficient traffic management.

4. STP Enhancements

4.1 Root Guard

  • Purpose: Keep the root bridge where the design puts it, by refusing to accept a better root through ports that should only ever face downstream switches.
  • How it works:
    • Root Guard is configured on designated ports (for example distribution-to-access links), never on the root port or on alternate ports, because those are expected to receive superior BPDUs.
    • If such a port receives a superior BPDU (one announcing a better root bridge ID than the current root), the port is moved to the “root-inconsistent” state, which blocks it, and the event is logged.
    • The port returns to forwarding on its own once the superior BPDUs stop; no manual recovery is needed.

4.2 BPDU Guard

  • Purpose: Protect the network from accidental or malicious devices sending BPDUs on access ports that are supposed to connect only end hosts.
  • How it works:
    • BPDU Guard is enabled per interface, or globally for every PortFast edge port. If any BPDU is received on such a port, superior or not, the port is shut down (err-disabled).
    • The port stays down until an administrator bounces it (shutdown / no shutdown) or the errdisable recovery timer re-enables it.
    • This prevents an unmanaged switch or a looped cable on an edge port from influencing the spanning tree or creating a loop.

IT Examples:

  • Root Guard: Ensures a critical core switch remains the root in a corporate network even if a downstream switch is misconfigured with a lower priority.
  • BPDU Guard: Prevents someone from plugging an unmanaged switch into an access port in a server closet, which could otherwise disrupt the whole Layer 2 domain.
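To make the “superior BPDU” test concrete, here is an added Python model (not from the original page and not Cisco IOS code) of the two decisions described above. It encodes bridge IDs the way 802.1t does (4-bit priority in steps of 4096, 12-bit extended system ID that Rapid PVST+ fills with the VLAN number, 48-bit MAC), compares BPDUs as the standard's priority vector (root ID, root path cost, sender bridge ID, sender port ID; lower wins at the first differing field), and applies Root Guard and BPDU Guard to a designated port. Bridge priorities, MAC addresses, path costs and port IDs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """802.1t bridge ID: priority (multiple of 4096) + extended system ID + MAC."""
    priority: int        # 0..61440 in steps of 4096; default 32768
    system_id_ext: int   # VLAN number in (Rapid) PVST+, 0 for the MST CIST
    mac: str             # "xxxx.xxxx.xxxx" (constructed sample values below)

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 up to 61440")
        if not 0 <= self.system_id_ext <= 4095:
            raise ValueError("extended system ID must fit in 12 bits")

    def as_int(self) -> int:
        mac = int(self.mac.replace(".", "").replace(":", ""), 16)
        return ((self.priority + self.system_id_ext) << 48) | mac


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    sender_port_id: int

    def priority_vector(self):
        # Fields are compared left to right; the lower value wins.
        return (self.root_id.as_int(), self.root_path_cost,
                self.sender_id.as_int(), self.sender_port_id)


def is_superior(received: Bpdu, own: Bpdu) -> bool:
    """True if the received BPDU would beat the BPDU this port transmits."""
    return received.priority_vector() < own.priority_vector()


def port_action(port: dict, received: Bpdu, own: Bpdu) -> str:
    """Decide what a designated port does when a BPDU arrives on it."""
    if port.get("bpduguard"):
        # BPDU Guard: any BPDU on an edge port err-disables it, superior or not.
        return "err-disabled"
    if is_superior(received, own):
        # Root Guard: a better root is refused and the port blocks until the
        # superior BPDUs stop. Without Root Guard the switch accepts the new root.
        return "root-inconsistent" if port.get("rootguard") else "accept-superior-bpdu"
    return "forwarding"


# Constructed topology for VLAN 10: core (intended root) - dist - access closet.
CORE = BridgeId(24576, 10, "0000.0000.0001")    # after "root primary"
DIST = BridgeId(28672, 10, "0000.0000.0002")    # after "root secondary"
ACCESS = BridgeId(32768, 10, "0000.0000.0003")  # default priority
ROGUE = BridgeId(4096, 10, "0011.2233.4455")    # unmanaged switch set to priority 4096

# What the dist switch's designated port toward the closet sends: CORE is root,
# cost 4 (one 1 Gbps hop, short path-cost method), port ID 0x8001.
OWN_VECTOR = Bpdu(CORE, 4, DIST, 0x8001)
# A legitimate downstream switch agreeing that CORE is root, one hop further away.
DOWNSTREAM_BPDU = Bpdu(CORE, 8, ACCESS, 0x8001)
# The rogue announces itself as root with cost 0.
ROGUE_BPDU = Bpdu(ROGUE, 0, ROGUE, 0x8001)

ROOT_GUARDED_PORT = {"rootguard": True}
BPDU_GUARDED_PORT = {"bpduguard": True}
PLAIN_PORT = {}

if __name__ == "__main__":
    for name, port in [("root guard", ROOT_GUARDED_PORT),
                       ("bpdu guard", BPDU_GUARDED_PORT), ("no guard", PLAIN_PORT)]:
        print(f"{name:10} rogue -> {port_action(port, ROGUE_BPDU, OWN_VECTOR)}, "
              f"downstream -> {port_action(port, DOWNSTREAM_BPDU, OWN_VECTOR)}")
```

The model deliberately stops at the decision: a real switch also folds the receiving port ID into the vector and runs the full role-selection state machine, but the ordering of the four fields and the two guard outcomes are exactly what the exam asks you to recognise. Note that the rogue wins purely on bridge priority; its MAC address never matters once the priority field differs.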

5. Configuring RSTP, MST, and Enhancements

5.1 Enable RSTP

! Globally on the switch (Cisco IOS): Rapid PVST+ runs one RSTP instance per VLAN
spanning-tree mode rapid-pvst
! On the intended root: lowers the priority to 24576 (or 4096 below the current root)
spanning-tree vlan 1-4094 root primary

5.2 Enable MST

! Enable MST globally (replaces Rapid PVST+ on this switch)
spanning-tree mode mst
!
! Configure the MST region. Name, revision and VLAN-to-instance mapping
! must match exactly on every switch that should join the region.
spanning-tree mst configuration
 name MST-Region1
 revision 1
 instance 1 vlan 10-20
 instance 2 vlan 21-30
 show pending
 exit
! "show pending" previews the result; VLANs 1-9 and 31-4094 stay in instance 0 (IST).
! The new configuration takes effect only when you leave the sub-mode with "exit".
!
! Optional: a different root per instance so both uplinks carry traffic
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary
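The region check in practice: switches never exchange the VLAN-to-instance table itself. They send a 16-byte HMAC-MD5 digest of it (IEEE 802.1Q clause 13.7, fixed key 0x13AC06A62E47FD51F95D2BA243CD0346) together with the region name and revision, and all three must match. The following Python is an added example, not part of the original page and not Cisco IOS code, that computes that digest for the mapping configured above and shows how a one-VLAN typo or a revision bump applied to only one switch splits it into its own region (the misaligned-region trap from the exam tips). The second and third switch configurations are constructed sample values.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key from IEEE 802.1Q clause 13.7 (MST Configuration Digest).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def build_config_table(instances: dict) -> bytes:
    """Build the MST Configuration Table: 4096 two-octet MSTID values indexed by VLAN.

    instances maps MSTI -> iterable of VLAN IDs (e.g. {1: range(10, 21)}).
    VLANs not listed remain in instance 0 (the IST); elements 0 and 4095 are
    always 0 as required by the standard.
    """
    table = [0] * 4096
    for msti, vlans in instances.items():
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            if table[vid]:
                raise ValueError(f"VLAN {vid} mapped to more than one instance")
            table[vid] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def mst_config_digest(instances: dict) -> str:
    """Return the digest as the 32 upper-case hex digits IOS prints."""
    mac = hmac.new(MST_DIGEST_KEY, build_config_table(instances), hashlib.md5)
    return mac.hexdigest().upper()


def same_region(a: dict, b: dict) -> bool:
    """Two switches form one region only if all three identifiers match."""
    return (a["name"] == b["name"]
            and a["revision"] == b["revision"]
            and mst_config_digest(a["instances"]) == mst_config_digest(b["instances"]))


# Digest of an unconfigured switch (every VLAN in instance 0), as shown by
# "show spanning-tree mst configuration digest" before any mapping is made.
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"

# The region configured in section 5.2.
SW1 = {"name": "MST-Region1", "revision": 1,
       "instances": {1: range(10, 21), 2: range(21, 31)}}
# Constructed typo on a second switch: "instance 1 vlan 10-19" instead of 10-20.
SW2_TYPO = {"name": "MST-Region1", "revision": 1,
            "instances": {1: range(10, 20), 2: range(21, 31)}}
# Constructed: identical mapping, but the revision bump was applied to one switch only.
SW3_REVISION = {"name": "MST-Region1", "revision": 2,
                "instances": {1: range(10, 21), 2: range(21, 31)}}

if __name__ == "__main__":
    print("default digest     :", mst_config_digest({}))
    print("SW1 digest         :", mst_config_digest(SW1["instances"]))
    print("SW2 (typo) digest  :", mst_config_digest(SW2_TYPO["instances"]))
    print("SW1/SW2 same region:", same_region(SW1, SW2_TYPO))
    print("SW1/SW3 same region:", same_region(SW1, SW3_REVISION))
```

Compare the printed digest with the output of "show spanning-tree mst configuration digest" on each switch: when the digests differ, the switches are in different regions and the link between them runs only the CIST, even though the region name looks identical on both. The order in which VLANs are entered does not matter, only the final per-VLAN assignment.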

5.3 Configure Root Guard

! On designated ports that face downstream switches (never on the root port
! or an alternate port, which legitimately receive superior BPDUs)
interface GigabitEthernet1/1
 spanning-tree guard root

5.4 Configure BPDU Guard

! On access ports for end devices: PortFast makes them edge ports,
! BPDU Guard err-disables them if a BPDU ever arrives
interface range GigabitEthernet1/2 - 10
 spanning-tree portfast
 spanning-tree bpduguard enable
! Optional: bring err-disabled ports back automatically (default interval 300 s)
errdisable recovery cause bpduguard

6. Verification Commands

Command                                    Purpose
show spanning-tree                         STP mode, root bridge, and per-port roles and states for every VLAN or instance
show spanning-tree mst                     MST instance-to-VLAN mapping plus root and port roles per MSTI
show spanning-tree mst configuration       Region name, revision and VLAN mapping; add "digest" to see the hash that must match on every region member
show spanning-tree root                    Root bridge ID, root path cost, root port and timers
show spanning-tree interface [int] detail  Per-port role and state, and whether PortFast, Root Guard or BPDU Guard is enabled
show spanning-tree inconsistentports       Ports currently blocked in an inconsistent state, e.g. root-inconsistent by Root Guard
show interfaces status err-disabled        Ports shut down by BPDU Guard, with the err-disable reason
show errdisable recovery                   Whether err-disabled ports recover automatically, and the time left on the timer

7. Exam Tips

  1. Know RSTP vs MST differences:
    • RSTP = fast convergence.
    • MST = multiple instances for VLAN efficiency.
  2. Port roles and states: Be able to identify root, designated, alternate, and backup ports.
  3. Enhancements:
    • Root Guard protects root bridge placement.
    • BPDU Guard protects edge ports.
  4. Configuration flow:
    • Enable STP mode → Configure MST regions/instances → Apply enhancements → Verify.
  5. Common traps in the exam:
    • Switches whose region name, revision number or VLAN-to-instance mapping differ end up in separate regions; the link between them then carries only the CIST, so per-instance load sharing across that link is lost.
    • Root Guard recovers on its own when the superior BPDUs stop, but BPDU Guard err-disables the port, so you may need errdisable recovery (or shutdown / no shutdown) in lab scenarios.

Summary:

  • RSTP: Faster convergence than classic STP.
  • MST: Allows multiple VLANs to share STP instances for efficiency.
  • Root Guard: Blocks a designated port (root-inconsistent) that hears a superior BPDU, so a rogue switch cannot become root.
  • BPDU Guard: Err-disables an edge port that receives any BPDU.

Understanding these features, how to configure them, and how to verify them is crucial for passing the CCNP exam.
