STP Case Study

Case Study: STP Loop in a Bank Branch Network

Background

Location: Bank Branch

Network Setup:
  Core Switch: Cisco Catalyst 4500 (intended Root Bridge for every VLAN)
  Access Switches: 3 × Cisco 2960
  VLANs:
    VLAN 10 → Staff PCs
    VLAN 20 → CCTV Network
  STP Type: Rapid PVST+ (one spanning-tree instance per VLAN, so root election and port roles are decided separately for VLAN 10 and VLAN 20)
  Redundant links between switches for failover.


Incident

One Monday morning, the branch reports:
  Slow network performance.
  High CPU usage on switches.
  CCTV streams lagging and freezing.


Initial Observations

  Ping latency to the core switch: jumping from 2 ms to 500+ ms.
  CPU usage on all switches: ~90% constant.
  MAC address table on Access Switch 2: the same hosts' MAC addresses flapping between ports, learned on one trunk, then the other, then back again. A MAC table never settles on a looped segment, because every frame arrives from two directions.
  Broadcast storms detected on the trunk link between Access Switch 2 and Access Switch 3.


Investigation Steps

Check STP Topology

  show spanning-tree

  Found Access Switch 3 was unexpectedly elected as the Root Bridge for VLAN 20.
  Priority on Access Switch 3 was the default (32768), and so was the Core Switch's priority for VLAN 20. With equal priorities Rapid PVST+ breaks the tie on the lowest bridge MAC address, and Access Switch 3 happened to have the lowest MAC, so it became root for VLAN 20. (In the output the priority shows as 32788: 32768 plus the VLAN ID, which is carried as the extended system ID.)

Check Port Roles & States

  Two trunk ports between Access Switch 2 & 3 were both in Forwarding state for VLAN 20.
  In a healthy tree at most one of two parallel paths between the same pair of switches forwards end to end; the other shows as Altn/BLK on one side. Two forwarding paths mean a Layer 2 loop.

Check STP Configurations

  No Root Guard enabled.
  No BPDU Guard on edge ports.
  VLAN 20 was missing priority configuration on the Core Switch.


Root Cause

A newly installed unmanaged switch in the CCTV rack, connected between Access Switch 2 and Access Switch 3, added a second path between those two switches and triggered a topology change.

Two gaps then combined:

  STP priorities were not manually set for VLAN 20, so the root election was decided by MAC address and Access Switch 3 became Root Bridge for VLAN 20 instead of the Core Switch. On its own this is a bad topology (traffic to the core takes a longer path), not a loop: Rapid PVST+ still blocks redundant ports as long as BPDUs are exchanged.
  The unmanaged switch does not run STP, and the BPDUs of the two access switches evidently did not reach each other across it (many low-end switches drop or filter BPDUs). Under RSTP the only way both ends of a link stay in Forwarding is that neither end sees the other's BPDUs: each access switch treated its port toward the CCTV rack as a designated port with nothing on the far side. That is what let both trunk links forward VLAN 20 at the same time and closed the loop.


Solution

Remove the Unmanaged Switch

  Disconnect the unmanaged switch in the CCTV rack that was bridging Access Switch 2 and Access Switch 3. This breaks the loop immediately; the remaining steps stop it from happening again.

Manually Set STP Root Priority

  spanning-tree vlan 20 priority 4096

  (on the Core Switch to make it root for VLAN 20; the value must be a multiple of 4096, and the same should be done for VLAN 10 and any VLAN added later, so that a root election is never decided by MAC address)

Enable STP Protection Features

  Root Guard:

    spanning-tree guard root

  Apply it on ports that should never receive a superior BPDU: the Core Switch's downlinks to the access switches, and access-switch trunk ports that face other access switches or equipment racks. Do not apply it on an access switch's uplink toward the core; that port must accept the core's superior BPDU to become the root port, and Root Guard there would put the uplink into the root-inconsistent (blocking) state.

  BPDU Guard on PortFast edge ports:

    spanning-tree bpduguard enable

  This err-disables an edge port the moment any BPDU arrives on it, so a switch plugged into a camera or PC port cannot join the tree. It only fires when a BPDU actually arrives, though: a switch that silently drops BPDUs, like the one in this incident, is invisible to it, which is why the priority fix and physical removal of unmanaged switches matter as well.

Verify Topology

  show spanning-tree vlan 20

  Core Switch now Root Bridge for VLAN 20 ("This bridge is the root", Root ID priority 4116 = 4096 + VLAN 20).
  On each access switch exactly one port is the Root port toward the core and the redundant uplink shows Altn BLK: only one active forwarding trunk per VLAN.


Post-Fix Results

  Network latency returned to 2–5 ms.
  CPU usage dropped to <15%.
  No more broadcast storms.


Lessons Learned

  Always manually set STP priorities for all VLANs on the intended root (and on a secondary root), so the election never falls back to MAC address.
  Use Root Guard on the ports facing away from the root (core downlinks, access-layer trunks toward other access switches) to prevent rogue root elections.
  Avoid unmanaged switches in production VLAN paths; they do not run STP and may drop BPDUs, which hides a redundant path from the switches that could otherwise block it.
  Monitor STP topology changes with:

  show spanning-tree detail | include change

  The filtered output shows, per VLAN, the number of topology changes and how long ago the last one occurred; a count that keeps rising on a network where nothing should be changing is the early warning for this kind of incident.
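The checks run by hand in the Investigation Steps and Verify Topology sections (which bridge is root, port roles on each link) are easy to script against `show spanning-tree vlan 20` output collected from every switch, which is also how the monitoring suggested above can be made continuous. The script below is an added example, not part of the original case study or any Cisco tool. It parses the Catalyst IOS output layout and raises a finding when a switch sees a root other than the intended core, when a non-root switch has anything but exactly one Root port, or when both ends of a known link are Designated/Forwarding (the signature of BPDUs not crossing that link). Switch names CORE/AS2/AS3, the interface names, the MAC addresses and the link map are all constructed, and the `sample()` helper generates the show output in IOS layout instead of collecting it from real devices.

```python
"""Audit `show spanning-tree vlan N` output from several switches for the two
symptoms in this case study: a root bridge that is not the intended core, and a
link whose two ends are both Designated/Forwarding (each side believes it owns
the link because BPDUs are not crossing it, e.g. through an unmanaged switch).
Switch names, interface names and MAC addresses below are constructed."""
import re
from dataclasses import dataclass, field

ROOT_ADDR_RE = re.compile(r"^Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$")
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS)\s+")


@dataclass
class StpView:
    root_address: str          # Address from the "Root ID" block
    is_root: bool              # "This bridge is the root" printed
    ports: dict = field(default_factory=dict)   # interface -> (role, state)


def parse_show_spanning_tree(text: str) -> StpView:
    """Parse one switch's `show spanning-tree vlan N` output (Catalyst IOS layout)."""
    root_address, in_root_block, ports = None, False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Root ID"):
            in_root_block = True
        elif line.startswith("Bridge ID"):
            in_root_block = False
        m = ROOT_ADDR_RE.match(line)
        if m and in_root_block:
            root_address = m.group(1)
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] = (m.group(2), m.group(3))
    if root_address is None:
        raise ValueError("no Root ID address in output")
    return StpView(root_address, "This bridge is the root" in text, ports)


def audit(views: dict, links: list, expected_root: str) -> list:
    """views: switch name -> StpView; links: ((sw, port), (sw, port)) pairs.
    Returns findings; an empty list means the VLAN's tree looks healthy."""
    findings = []
    for name, v in sorted(views.items()):
        if v.root_address != expected_root:
            findings.append(f"{name}: root bridge is {v.root_address}, expected {expected_root}")
        root_ports = [p for p, (role, _) in v.ports.items() if role == "Root"]
        if not v.is_root and len(root_ports) != 1:
            findings.append(f"{name}: {len(root_ports)} Root ports, expected exactly 1")
    for (a, pa), (b, pb) in links:
        ends = (views[a].ports.get(pa), views[b].ports.get(pb))
        if ends == (("Desg", "FWD"), ("Desg", "FWD")):
            findings.append(f"{a}:{pa} <-> {b}:{pb}: both ends Designated/Forwarding, "
                            "BPDUs are not crossing this link (loop)")
    return findings


def sample(root_prio, root_addr, bridge_prio, bridge_addr, port_rows, is_root=False):
    """Constructed `show spanning-tree vlan 20` text in Catalyst IOS layout."""
    root_line = "This bridge is the root" if is_root else "Cost        4"
    rows = "\n".join(f"{p:<19} {r} {s} 4         128.1    P2p" for p, r, s in port_rows)
    return (f"VLAN0020\n  Spanning tree enabled protocol rstp\n"
            f"  Root ID    Priority    {root_prio}\n             Address     {root_addr}\n"
            f"             {root_line}\n"
            f"  Bridge ID  Priority    {bridge_prio}\n             Address     {bridge_addr}\n\n"
            f"Interface           Role Sts Cost      Prio.Nbr Type\n"
            f"------------------- ---- --- --------- -------- ----\n{rows}\n")


CORE, AS2, AS3 = "0021.0000.0001", "0019.0000.0002", "0018.0000.0003"   # constructed MACs
LINKS = [(("CORE", "Gi1/1"), ("AS2", "Gi0/25")), (("CORE", "Gi1/2"), ("AS3", "Gi0/25")),
         (("AS2", "Gi0/26"), ("AS3", "Gi0/26")),    # direct trunk
         (("AS2", "Gi0/27"), ("AS3", "Gi0/27"))]    # path through the CCTV rack


def before_fix():
    """Everyone at default priority (32768 + VLAN 20 = 32788): AS3 wins on lowest
    MAC, and the Gi0/27 path runs through an unmanaged switch that swallows BPDUs."""
    return {
        "CORE": parse_show_spanning_tree(sample(32788, AS3, 32788, CORE,
                [("Gi1/1", "Altn", "BLK"), ("Gi1/2", "Root", "FWD")])),
        "AS2": parse_show_spanning_tree(sample(32788, AS3, 32788, AS2,
               [("Gi0/25", "Desg", "FWD"), ("Gi0/26", "Root", "FWD"), ("Gi0/27", "Desg", "FWD")])),
        "AS3": parse_show_spanning_tree(sample(32788, AS3, 32788, AS3,
               [("Gi0/25", "Desg", "FWD"), ("Gi0/26", "Desg", "FWD"), ("Gi0/27", "Desg", "FWD")],
               is_root=True)),
    }


def after_fix():
    """Core at priority 4096 (+20 sys-id-ext = 4116) and the unmanaged switch removed."""
    return {
        "CORE": parse_show_spanning_tree(sample(4116, CORE, 4116, CORE,
                [("Gi1/1", "Desg", "FWD"), ("Gi1/2", "Desg", "FWD")], is_root=True)),
        "AS2": parse_show_spanning_tree(sample(4116, CORE, 32788, AS2,
               [("Gi0/25", "Root", "FWD"), ("Gi0/26", "Altn", "BLK")])),
        "AS3": parse_show_spanning_tree(sample(4116, CORE, 32788, AS3,
               [("Gi0/25", "Root", "FWD"), ("Gi0/26", "Desg", "FWD")])),
    }


if __name__ == "__main__":
    for label, views in (("before fix", before_fix()), ("after fix", after_fix())):
        print(label + ":", *(audit(views, LINKS, CORE) or ["no findings"]), sep="\n  ")
```

Running it reports four findings for the pre-fix state (all three switches see Access Switch 3 as root, and the Gi0/27 path between AS2 and AS3 is Designated/Forwarding on both ends) and none after the fix. In production the `sample()` calls would be replaced by the real command output collected over SSH, and the link map by whatever the cabling records or CDP/LLDP say; the "both ends Designated" test is the one worth keeping, because it catches a BPDU-dropping device in a path before the broadcast storm does.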

