STP Deep Dive: RSTP, MSTP, Loop Guard, Root Guard, BPDU Guard, Portfast และ STP Troubleshooting
STP (Spanning Tree Protocol) prevents the Layer 2 loops that bring a network down. RSTP (Rapid Spanning Tree) cuts convergence time from 50 seconds to a few seconds, MSTP (Multiple Spanning Tree) groups VLANs into instances, Loop Guard protects against unidirectional link failures, Root Guard protects against an unauthorized root bridge, BPDU Guard protects against rogue switches, and Portfast brings access ports up immediately.
STP is a protocol that network engineers must understand deeply. Even though modern data centers have moved to EVPN-VXLAN, enterprise campus networks still rely heavily on STP. A Layer 2 loop is one of the most common causes of outages: broadcast storm → CPU at 100% → the switches and the whole network go down within seconds. Understanding the STP protections (root guard, BPDU guard, loop guard) prevents severe outages.
STP vs RSTP vs MSTP
| Feature | STP (802.1D) | RSTP (802.1w) | MSTP (802.1s) |
|---|---|---|---|
| Convergence | 30-50 seconds (listening → learning → forwarding) | 1-6 seconds (proposal/agreement) | 1-6 seconds (per instance) |
| Instances | 1 instance for all VLANs | 1 instance for all VLANs (or per-VLAN with RPVST+) | Multiple instances: map VLANs to instances |
| Port States | Disabled, Blocking, Listening, Learning, Forwarding | Discarding, Learning, Forwarding | Same as RSTP |
| Port Roles | Root, Designated, Blocking | Root, Designated, Alternate, Backup | Same as RSTP (per instance) |
| CPU/BW | Low | Low | Low (fewer instances than per-VLAN STP) |
| Use Case | Legacy, not recommended | Small-medium campus, Cisco RPVST+ | Large campus with many VLANs, reduces the number of STP instances |
STP Protection Mechanisms
| Feature | Protects Against | Action |
|---|---|---|
| Root Guard | Unauthorized root bridge (rogue switch with lower priority) | Port enters root-inconsistent state → blocks superior BPDUs → prevents root change |
| BPDU Guard | Rogue switches connected to access ports | Port receives BPDU → immediately err-disable port → prevents loops from unauthorized switches |
| BPDU Filter | Stop sending/receiving BPDUs on port | Suppresses BPDUs; use carefully, can cause loops if misused (only on edge ports) |
| Loop Guard | Unidirectional link failure (receive fiber broken) | Port stops receiving BPDUs → enters loop-inconsistent state instead of transitioning to forwarding |
| Portfast | Slow convergence on access ports | Skip listening/learning → immediately forwarding; ONLY for end-host ports (not switch-to-switch) |
| Storm Control | Broadcast/multicast/unknown unicast storms | Rate-limit BUM traffic; if it exceeds the threshold → drop excess or shut port |
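The table above describes what each guard does when a BPDU arrives or stops arriving. The following is an added example, not code from the original article, that models those reactions for a single port; Bridge IDs are simplified to (priority, MAC) tuples and the port/state names are constructed.

```python
# Added example (not from the original article): a model of how the protections in
# the table above react to BPDU events. Bridge IDs are (priority, mac) tuples; a lower
# tuple is a superior bridge ID (a simplification of the real 64-bit Bridge ID).
from dataclasses import dataclass
from typing import Tuple

BridgeId = Tuple[int, str]


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    # forwarding / blocking / err-disabled / root-inconsistent / loop-inconsistent
    state: str = "forwarding"


def receive_bpdu(port: Port, current_root: BridgeId, bpdu_root: BridgeId) -> str:
    """React to a BPDU arriving on `port` that advertises `bpdu_root` as the root."""
    if port.bpdu_guard and port.portfast:
        # BPDU Guard: any BPDU on an edge port means a switch is attached -> err-disable
        port.state = "err-disabled"
        return port.state
    if port.portfast:
        # Plain Portfast/edge port falls back to normal STP operation on a BPDU
        port.portfast = False
    if port.root_guard and bpdu_root < current_root:
        # Root Guard: a superior BPDU would move the root, so block instead of re-electing
        port.state = "root-inconsistent"
        return port.state
    if port.state in ("root-inconsistent", "loop-inconsistent"):
        port.state = "forwarding"  # inconsistency cleared: the guard releases the port
    return port.state


def bpdus_stopped(port: Port) -> str:
    """React to max-age expiring with no BPDU heard (e.g. the receive fibre is broken).
    The model assumes the port is a root or alternate port that expects BPDUs."""
    if port.loop_guard:
        # Loop Guard: stay out of forwarding until BPDUs come back
        port.state = "loop-inconsistent"
    elif port.state == "blocking":
        # Without Loop Guard the silent link looks loop-free and opens a real loop
        port.state = "forwarding"
    return port.state
```

The last branch of `bpdus_stopped` is the failure mode Loop Guard exists for: a blocking port that silently stops hearing BPDUs would otherwise transition to forwarding.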
Root Bridge Election & Tuning
| Concept | Detail |
|---|---|
| Bridge ID | Priority (4 bits, multiples of 4096) + System ID Extension (VLAN ID) + MAC address |
| Root Bridge | Lowest Bridge ID wins the root election; default priority 32768, set to 4096 or 0 for the root |
| Root Port | Port on a non-root switch with the best path to root (lowest cost); one root port per non-root switch |
| Designated Port | Port on each segment closest to root; forwards traffic on that segment |
| Blocked Port | Non-root, non-designated; blocks to prevent a loop (alternate/backup in RSTP) |
| Best Practice | Manually set the root bridge (lowest priority) on core/distribution switches; don't let the election be random |
| Secondary Root | Set a backup root bridge with the second-lowest priority; it takes over if the primary root fails |
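To make the Bridge ID layout and the election concrete, here is an added example (not code from the original article) that builds the 64-bit Bridge ID from priority, VLAN and MAC, runs the election, and shows both secondary-root failover and what happens when nobody tunes priorities. Switch names, MACs and priorities are constructed sample values.

```python
"""Added example (not from the original article): compute 802.1D/RPVST+ Bridge IDs
and run the root election, including secondary-root failover. Switch names, MACs
and priorities are constructed sample values."""
from typing import Dict


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit Bridge ID: 4-bit priority | 12-bit system ID extension (VLAN) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def elect_root(switches: Dict[str, Dict], vlan: int, failed=()) -> str:
    """Lowest Bridge ID among live switches wins; MACs are unique so there is no tie."""
    live = {name: s for name, s in switches.items() if name not in failed}
    return min(live, key=lambda n: bridge_id(live[n]["priority"], vlan, live[n]["mac"]))


# Constructed campus: core-1 is the intended root, core-2 the secondary, access switches default.
SWITCHES = {
    "core-1":   {"priority": 4096,  "mac": "0011.2233.4455"},
    "core-2":   {"priority": 8192,  "mac": "0011.2233.4456"},
    "access-1": {"priority": 32768, "mac": "0000.0000.0001"},  # lowest MAC: wins if nobody tunes
    "access-2": {"priority": 32768, "mac": "00aa.bbcc.ddee"},
}

if __name__ == "__main__":
    print("root:", elect_root(SWITCHES, 10))
    print("root after core-1 fails:", elect_root(SWITCHES, 10, failed=("core-1",)))
    untuned = {n: {**s, "priority": 32768} for n, s in SWITCHES.items()}
    print("root with no tuning (decided by MAC):", elect_root(untuned, 10))
```

With every switch left at 32768 the election is decided by the lowest MAC, which in this sample is an access switch: exactly the "random" outcome the best-practice row warns about.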
RSTP Convergence
| Mechanism | How |
|---|---|
| Proposal/Agreement | Upstream switch proposes → downstream agrees → port transitions to forwarding immediately (no timers) |
| Edge Port | Equivalent to Portfast: transitions to forwarding immediately, falls back to normal if a BPDU is received |
| Alternate Port | Pre-computed backup root port; on root port failure, the alternate takes over immediately |
| Backup Port | Backup for the designated port on the same segment; rare on modern point-to-point links |
| Link Type | Point-to-point (full duplex) = fast convergence; Shared (half duplex) = slower (legacy behavior) |
STP Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| Network loop / broadcast storm | STP misconfiguration, BPDU not being processed, unidirectional link | Check root bridge, enable loop/BPDU guard, verify STP on all switches |
| Root bridge changed unexpectedly | New switch with lower priority/MAC connected | Enable root guard on downstream ports, manually set root priority |
| Port stuck in blocking | Normal STP behavior (loop prevention) or topology issue | Verify topology, check if the port should be forwarding, use RSTP for faster convergence |
| Port err-disabled | BPDU guard triggered (BPDU received on portfast port) | Remove rogue switch, recover port: shut/no shut or errdisable recovery |
| Slow convergence (30-50s) | Using legacy STP (802.1D) instead of RSTP | Migrate to RSTP/RPVST+, enable portfast on access ports |
| One VLAN affected, others OK | Per-VLAN STP topology issue: different root per VLAN | Check per-VLAN root bridge, verify VLAN pruning, check trunk allowed VLANs |
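When the guards fire, the first evidence is usually the switch syslog. The following is an added example (not code from the original article) that triages IOS-style STP log lines and maps each hit to the symptom/cause/fix rows above. The log lines, hostnames and ports are constructed samples modelled on Cisco SPANTREE/PM messages; real output may differ in detail.

```python
"""Added example (not from the original article): triage IOS-style STP syslog lines
and map each to the symptom/cause/fix rows of the troubleshooting table.
The log lines and message formats are constructed samples modelled on Cisco IOS
SPANTREE/PM messages; real output may differ in detail."""
import re
from typing import Dict, List

# Constructed sample log lines (not captured from a real device)
SAMPLE_LOG = """\
Jan 10 08:01:02 sw-access-1 123: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/5 with BPDU Guard enabled. Disabling port.
Jan 10 08:01:02 sw-access-1 124: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Jan 10 08:05:40 sw-dist-1 201: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/1 on VLAN0010.
Jan 10 08:09:13 sw-dist-2 310: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/0/2 on VLAN0020.
Jan 10 08:10:00 sw-dist-2 311: %SYS-5-CONFIG_I: Configured from console by admin
"""

# (pattern, symptom, likely cause, fix) taken from the troubleshooting table
RULES = [
    (re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: .*port (\S+) "),
     "Port err-disabled", "BPDU guard triggered: BPDU received on portfast port",
     "Remove rogue switch, recover port: shut/no shut or errdisable recovery"),
    (re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK: .*port (\S+) on (VLAN\d+)"),
     "Root bridge change attempted", "Superior BPDU from a switch below the root",
     "Root guard is blocking it; find the switch sending superior BPDUs, verify root priority"),
    (re.compile(r"%SPANTREE-2-LOOPGUARD_BLOCK: .*port (\S+) on (VLAN\d+)"),
     "Port loop-inconsistent", "BPDUs stopped arriving: possible unidirectional link",
     "Check the link/transceiver; the port recovers automatically once BPDUs return"),
]


def triage(log: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches an STP guard event."""
    findings = []
    for line in log.splitlines():
        fields = line.split()
        host = fields[3] if len(fields) > 3 else "?"
        for pattern, symptom, cause, fix in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"switch": host, "port": m.group(1),
                                 "vlan": m.group(2) if m.lastindex >= 2 else "-",
                                 "symptom": symptom, "cause": cause, "fix": fix})
                break
    return findings
```

The companion `%PM-4-ERR_DISABLE` line is deliberately not matched: the SPANTREE message already names the port, and counting both would double-report one event.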
Closing thoughts: STP = Essential L2 Loop Prevention (But Configure Protections!)
Versions: STP (30-50s convergence, legacy) → RSTP (1-6s, recommended) → MSTP (map VLANs to instances, large campus)
Protections: root guard (prevent unauthorized root), BPDU guard (block rogue switches), loop guard (unidirectional link), portfast (fast access port)
Root: manually set the root bridge (lowest priority) on the core switch + a secondary root on the backup; never let the election be random
RSTP: proposal/agreement (fast), alternate port (backup root port), edge port (instant forwarding)
Troubleshooting: broadcast storm (check STP/guards), unexpected root (root guard), err-disabled (BPDU guard), slow convergence (use RSTP)
Key: STP protections (root/BPDU/loop guard) prevent 90% of L2 outages; always enable them on every switch