spanning tree clarification

Unanswered Question
May 13th, 2010

I had an incident where one of the staff plug in his switch and brought down the whole network. This was due to spanning tree running on my network

I want to disable spanning-tree on my network and stop users plugging the switch that could may bring down the whole network.

I've made the following changes on my switch configs:

1. Change vtp mode to 'transparent'

2. Each switch has a unique 'vtp mode'

3. All switch ports for PCs have bpdufilter enable and all switchports for uplinks ( switch to switch, switch to router, etc) have bpdu guard enable.

ALso, are there any difference between 'spanning-tree guard root' and spanning-tree bpdu filter'?

What are the best practices for configuring switchports?

Is it enough to prevent network loop? What else can I do to avoid the switching loop?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2 (2 ratings)
burleyman Thu, 05/13/2010 - 11:02

I am still learning the finer details of Spanning-Tree but I do know that Disabling Spanning-Tree would not be a very good idea, and I don't think that Spanning-tree is what brought down your network. Let's go over your changes you want to make.....Can you explain what happened and what you needed to do to get your network back up and running.

1. Changing the VTP mode to transparent does nothing with Spanning-tree, it is for VLAN database  updates and effect on loops

2. Each switch having a unique name again will not do anything for loop prevention but is still a good idea.

3. All switch ports for PC's having bpdu filter will disable STP on that port and based on what happened by someone connecting a switch to a port this would not be a good idea because if that happens on a port that has bpdu filter on it can cause a loop. Switch to switch should have Root guard not bpdu guard to prevent the new switch from being the root bridge.

What should you do? well I would post a little diagram of your network and I am we can help.


Peter Paluch Thu, 05/13/2010 - 11:46


I agree with you completely. The STP itself should not make a network crash. It would be actually very good to know in more detail what exactly was meant by saying that the "network was brought down".

Regarding the difference between a BPDU Filter and a BPDU Guard, the BPDU Filter feature configured on a port simply disables the STP on that port: no BPDUs are sent out and all received BPDUs are ignored. In fact, an improper use of BPDU Filter feature can easily lead to switching loops so unless there is a good reason to disable STP on a port, I would avoid using the BPDU Filter.

The BPDU Guard is used to put a port into err-disabled state should it ever receive a BPDU. Essentially, a BPDU Guard can be a fine thing to activate on edge ports (towards PCs). PCs do not generate BPDUs on their own, and should an STP-enabled switch be connected to an edge port, or a Layer1 loop created between two ports, the BPDU Guard will - upon receiving a BPDU on a port - deactivate that port.

There are also other "guards" - BPDU Loop Guard, BPDU Root Guard - they are different from the BPDU Guard just described.

Best regards,


narendrakumar1987in Thu, 05/13/2010 - 12:24

Hi Mate,

             I understand ur issue.. Some one on ur network had plugged in a switch and brought ur network down. But there is no point in turning off spanning tree here. Because it is irrelevant.

              Moreover if u do so, u r more vulnerable to loops now. Say for example, a broadcast strom could bring your whole network down. Network doesnt just mean ur routers and switches. I include Workstations in to that too.. The processor utilization will shoot up very high in that case. So, You will have to turn on Spanning tree first.

             The problem is with the VTP. VTP is great (unless u configure it well). Yes, what had happend in your case is that, the new switch which the user had plugged in should have had lot of vlan changes in it, resulting in a higher VTP revision number. Therefore when your switch got synchronized with that, you could have lost you vlans.. I  guess you have manually recreated the deleted vlans and solved the issue.

              So, Speaking about the solution for your issue, you should have not let ur switch to get sync with that switch. And how could you have done that? By having more control on ur switch.

               More on that,

1) Always make sure you have shut all the unused ports.

2) You should have a clear idea about your network, meaning : u should know which ports connect to what?

     By default, all the switch ports will be in dynamic desirable mode. Meaning : it will form a trunk automatically if u plug a switch in to that.

     Even if it is in Dynamic Auto mode, it forms a trunk if negotiation is initiated by the remote host. So, If your switch port connects to a host,

     then simply make it an access port. to see what mode your switch is in, just use "sh int fa0/0 switchport" command. you will find your mode            classified under "Administrative Mode".

3)  Optionally configure "Port Security", a good one to use.

4) I dont understand why you have used Bpdu guard in ports connecting to a switch, Because it is different. You use it on ports connected to PCs, most likely, when you have port fast running on that port. You use Portfast when your switchport is getting connected to  an end device (Pc, workstation). And you add BPDU Guard to that, which essentially looks for BPDUs on that port, and if it detects any BPDUs, it disables that port. Because BPDUs are only generated by other switches. In more simple terms, a switch has been connected to the port where a PC should be connected.

I hope this helps

Happy Networking !!!!

Narendrakumar B

Remember to rate the helpful post


This Discussion