The Spanning Tree Protocol


We know already that the bulk of the TCP/IP protocol suite resides at the application layer. What about some of the other protocols though? Are there any that interact with hardware? In this article we will discuss the Spanning Tree Protocol and what it does for you.


Spanning Tree Protocol


We are familiar with most protocols and how they are used. We also know that the bulk of the protocols in the TCP/IP suite reside at the application layer. There are other key protocols as well, such as IP, which is used for routing purposes as it contains the IP address fields. You can map IP to the network layer, and that in turn is associated with routers. Are there any other protocols associated with hardware devices? Indeed there are, and an example would be the Spanning Tree Protocol. This is a layer two (data link layer) protocol that is associated with switches and bridges. Predominantly switches, really, as bridges have fallen by the wayside in terms of usage.


Most protocols and standards associated with the Internet have been standardized by the IEEE. This governing body has given the Spanning Tree Protocol the designation 802.1d, also written IEEE 802.1d. This type of jargon is important to remember when you are trying to state a question clearly in order to get a response. Being able to talk in the industry lingo is quite important. What makes sense to you may not make sense to someone else, hence the need for industry terms. With that said, let’s get on with STP itself.


Digging deeper


In order to better understand what STP does, we need to know how it does it, and why it does it. At a high level, STP ensures that there are no loops on your network. At any given time there should be only one path available to a destination. STP ensures that only one path is ever active at any one time, and should that path fail then another one takes over.


It is always helpful to visualize something rather than simply talk about it. To that end I have included an STP packet below. Should you wish to collect some STP packets yourself, from your home router for example (routers such as Linksys or DLink), you can do so. You will need to install windump and winpcap. Once installed, run windump with the following options:



windump -nXvSs 0


What the above will do is collect everything seen by your computer, since no BPF filter expression follows the options. Note that I have not put IP in the filter, as STP does not use IP for routing. Were you to include IP in the filter you would not see any STP packets. That said, take a look at the STP packet below.



11:21:22.923375 802.1d config 8000.00:0f:66:46:17:8a.8001 root 8000.00:0f:66:46:17:8a pathcost 0 age 0 max 20 hello 2 fdelay 0
0x0000:  4242 0300 0000 0000 8000 000f 6646 178a  BB..........fF..
0x0010:  0000 0000 8000 000f 6646 178a 8001 0000  ........fF......
0x0020:  1400 0200 0000 a5a5 a5a5 a5a5 a5a5       ..............


We can see in the above that the packet starts with the timestamp and the actual protocol identifier of “802.1d”. Following that are the destination and source MAC addresses respectively. Next up is the “pathcost”, which in this case is zero. Pathcost is the cumulative cost of all the links leading to the root bridge. The next value is that of “age”. Both the “age” and “max” values seen in the above packet relate to the age of the information. The first “age” value relates to the time that the root bridge originally generated the information from which the BPDU was derived. The fdelay value stands for forward delay and is the amount of time spent in the “listening” and “learning” states. You will have noted, if you collected some STP traffic, that the STP packets themselves are indeed sent every two seconds, as indicated by the “hello 2” value seen in the above packet. To confirm this we simply collect our packets and look at the timestamps as seen below.



11:57:00.017125 802.1d config 8000.00:0f:66:46:17:8a.8001 root 8000.00:0f:66:46:17:8a pathcost 0 age 0 max 20 hello 2 fdelay 0
0x0000:  4242 0300 0000 0000 8000 000f 6646 178a  BB……….fF..
0x0010:  0000 0000 8000 000f 6646 178a 8001 0000  ……..fF……
0x0020:  1400 0200 0000 a5a5 a5a5 a5a5 a5a5            …………..
11:57:02.017125 802.1d config 8000.00:0f:66:46:17:8a.8001 root 8000.00:0f:66:46:17:8a pathcost 0 age 0 max 20 hello 2 fdelay 0
0x0000:  4242 0300 0000 0000 8000 000f 6646 178a  BB……….fF..
0x0010:  0000 0000 8000 000f 6646 178a 8001 0000  ……..fF……
0x0020:  1400 0200 0000 a5a5 a5a5 a5a5 a5a5             …………..
11:57:04.017125 802.1d config 8000.00:0f:66:46:17:8a.8001 root 8000.00:0f:66:46:17:8a pathcost 0 age 0 max 20 hello 2 fdelay 0
0x0000:  4242 0300 0000 0000 8000 000f 6646 178a  BB……….fF..
0x0010:  0000 0000 8000 000f 6646 178a 8001 0000  ……..fF……
0x0020:  1400 0200 0000 a5a5 a5a5 a5a5 a5a5             …………..
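
As an added example (not part of the original article), the following Python sketch rebuilds the frame from the hex column of the dump above, decodes the 802.1D configuration BPDU fields, and checks that the gaps between the three timestamps equal the advertised hello time. The function names are hypothetical; the field layout assumed is the standard 802.1D configuration BPDU after the 42 42 03 LLC header, with timers stored in units of 1/256 second.

```python
import struct
from datetime import datetime

# Constructed sample: hex dump and timestamps copied from the capture above.
HEXDUMP = """\
0x0000:  4242 0300 0000 0000 8000 000f 6646 178a  BB..........fF..
0x0010:  0000 0000 8000 000f 6646 178a 8001 0000  ........fF......
0x0020:  1400 0200 0000 a5a5 a5a5 a5a5 a5a5       ..............
"""
STAMPS = ["11:57:00.017125", "11:57:02.017125", "11:57:04.017125"]

def frame_bytes(hexdump):
    """Rebuild raw bytes from the hex column of a windump/tcpdump -X dump."""
    out = bytearray()
    for line in hexdump.splitlines():
        for group in line.partition(":")[2].split()[:8]:
            try:
                out += bytes.fromhex(group)
            except ValueError:  # reached the ASCII column (or a non-dump line)
                break
    return bytes(out)

def fmt_id(prio, mac):
    """Format a bridge ID the way windump prints it: priority.mac."""
    return f"{prio:04x}." + ":".join(f"{b:02x}" for b in mac)

def parse_config_bpdu(frame):
    """Decode an 802.1D configuration BPDU that follows the LLC header."""
    if len(frame) < 38 or frame[:3] != b"\x42\x42\x03":
        raise ValueError("not an LLC-encapsulated STP frame")
    (proto, version, btype, flags, r_prio, r_mac, cost, b_prio, b_mac,
     port, age, max_age, hello, fdelay) = struct.unpack(
        "!HBBBH6sIH6sH4H", frame[3:38])
    if proto != 0 or btype != 0:
        raise ValueError("not a configuration BPDU")
    timers = {k: v / 256 for k, v in zip(
        ("age", "max", "hello", "fdelay"), (age, max_age, hello, fdelay))}
    return {"root": fmt_id(r_prio, r_mac), "bridge": fmt_id(b_prio, b_mac),
            "port": f"{port:04x}", "pathcost": cost, **timers}

def hello_matches(stamps, hello, tolerance=0.1):
    """True if every gap between consecutive timestamps equals hello."""
    times = [datetime.strptime(s, "%H:%M:%S.%f") for s in stamps]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return bool(gaps) and all(abs(g - hello) <= tolerance for g in gaps)

if __name__ == "__main__":
    bpdu = parse_config_bpdu(frame_bytes(HEXDUMP))
    print(bpdu)
    print("hello interval consistent:", hello_matches(STAMPS, bpdu["hello"]))
```

The decoded values line up with the summary line windump prints for each frame, which makes the script a quick cross-check when you read a raw dump by hand.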


Bridge protocol data units


Spanning Tree Protocol information is carried within special data frames called Bridge Protocol Data Units, or BPDUs. These BPDUs are sent every two seconds, and allow switches to stay abreast of network changes. There are also various STP switch port modes.



  • Learning: this is when the switch creates a switching table that will map MAC addresses to port numbers.

  • Listening: this is when the switch processes BPDUs that allow it to determine the network topology.

  • Forwarding: when a port receives or sends data. In other words operating normally.

  • Disabled: this is when the network administrator has disabled the port.

  • Blocking: this means the port was blocked to stop a looping condition.

Summing up


So far we have seen that the Spanning Tree Protocol plays a rather key role when it comes to preventing loops on the network. We have also seen that it resides and does its business at Layer Two of the OSI Reference Model. It is at this layer that we find switches, much as routers are associated with Layer Three. Hopefully you will have installed windump to sniff your connection as I mentioned above. Doing so will have allowed you to see the STP packets being sent every two seconds.


It is based on these regular STP packets that the switches are themselves able to avoid loops. Were it not for this protocol your network would quickly become inundated by frames being sent around endlessly. Not a good thing I assure you. There are also different ways that STP can be employed in a switched environment. One good example is when you configure your switch for VLAN usage. You would then need to use PVST or Per VLAN Spanning Tree. If you thought STP was complex you might then not be surprised to learn that PVST is even more complex.


When it comes to learning and playing with protocols such as STP you are pretty much obliged to have a managed switch. What that means is you have a switch which you can program, much like Cisco’s Catalyst line of switches. Reading about STP theory is dry at the best of times, and that is why actually configuring it helps greatly in learning more about it. This brings us to the end of the article, and as always I welcome your feedback. Till next time!
