
Blocking: Port remains here until it needs to transition. If it needs to, it will wait 20 seconds by default (max age). If a new BPDU is not received before the max age time expires, the former BPDU is considered stale, and the port transitions to “Listening.”
Listening: Port remains here for 15 seconds by default (forward delay). Port sends BPDUs to inform adjacent
switches of its intent to forward data. Also receives BPDUs from other switches to help build the STP topology,
determine the root path cost, and determine designated ports.
Learning: Port remains here an additional 15 seconds (forward delay). Adds entries to the MAC address table,
while also sending/receiving BPDUs to ensure that the decisions made in relation to the STP topology are still
accurate.
Forwarding: Port moves here and begins forwarding frames while continuing to learn MAC addresses as well as
send/receive BPDUs. Root ports and designated ports are in this state.
RSTP and MST use a handshaking mechanism, rather than timers, as their primary method of convergence, which usually
completes in 5 seconds or less. If handshaking fails, they rely on the same timers as CST for backup. If a neighboring switch
is using CST, timers are used with it for backwards compatibility. Blocking and Listening modes are merged
into a single discarding mode.
sh span (vlan [#]) !!! root bridge id & current bridge ids/timers, ports’
roles/states/costs/priorities/etc.
sh span int [fx/x] detail !!! bpdus tx/rx, port id, designated/root bridges priorities and
macs. root ports should only receive bpdus and designated ports should only send bpdus.
MST: Region, revision number, and MSTI ↔ VLAN mapping must match between all switches. Preceding info is
sent as a hash.
sh span mst config !!! shows region name, revision number, and mapping.
Corruption of MAC Address Table: An STP failure may cause duplicate frames to be sent around a network,
confusing a switch as to where a frame is sourced from. As a MAC flaps between different ports on different
segments, the switch will display the message “%SW_MATM-4-MACFLAP_NOTIF: host [MAC] in vlan [#] is
flapping between port [fx/x] and port [fx/x].”
Broadcast Storms: During an STP failure, since L2 frames do not have TTL fields, broadcast frames endlessly
circulate through the L2 topology, consuming resources on both switches and attached devices.
PortFast: If using PVST+, RPVST+, or MST, when a BPDU is received on a PortFast interface, it will revert to normal
behavior.
if) spanning-tree portfast (trunk) !!! (trunk) can cause a temporary loop.
sh run int [fx/x] !!! to check if enabled.
sh span int [fx/x] portfast !!! will show if enabled and on which vlan.
sh span int [fx/x] detail !!! will show “this port is in the portfast mode” as well as many
other details.
sh spanning-tree (summary) !!! under type, will say “edge.” (summary) will show if enabled
globally.
BPDU Guard: Used to enforce domain borders by not allowing BPDUs to be received. If a BPDU is received, the
port is placed in the “err-disabled” state. Revert with err-disable recovery or bounce the port.
if) span bpduguard enable !!! per interface.
config) span portfast bpduguard default !!! globally.
sh int status !!! to find err-disabled ports.
sh span summary !!! shows if globally enabled.
sh span int [fx/x] detail !!! will show “bpdu guard is enabled (by default)” as well as many
other details.
“%spantree-2-block_bpduguard: received bpdu on port [fx/x] with bpdu guard enabled. disabling
port.”
“%pm-4-err_disable: bpduguard error detected on [fx/x], putting [fx/x] in err-disable state.”
BPDU Filter: Suppresses the sending and receiving of BPDUs on an interface, for security reasons. No need to send
BPDUs to an end station or a router.
config) span portfast bpdufilter default !!! enables globally on all portfast interfaces. if
a bpdu is received, interface will transition through the stp states.
if) span bpdufilter enable !!! per interface, received bpdus are ignored.
sh span summary !!! shows if enabled globally.
sh span int [fx/x] detail !!! will show “bpdu filter is enabled (by default)” as well as many
other details.
Root Guard: Protects the root bridge by ensuring that certain ports on non-root bridges are prevented from
becoming root ports. Ignores superior BPDUs and places port in the “Root Inconsistent” state. No need to
bounce, just remove device sending BPDUs.
if) span guard root !!! enable manually, per port, on device/port leading to bridge you don’t
want as root.
sh span int [fx/x] !!! to see if enabled.
sh span inconsistentports !!! lists inconsistent ports.
“%spantree-2-rootguard_block: root guard blocking port [fx/x] on vlan [x].”
Loop Guard: Prevents a nondesignated (blocking) port from transitioning to forwarding by placing it in the “Loop
Inconsistent” blocking state should it stop receiving BPDUs. May occur if a remote switch is still running but
stops sending BPDUs due to software failure, unidirectional link, etc. Transitioning the port to forwarding would
cause a loop.
if) spanning-tree guard loop !!! per interface.
config) spanning-tree loopguard default !!! globally, on all point-to-point links.
sh span inconsistentports !!! see what ports are blocked.
“%spantree-2-loopguard_block: loop guard blocking port [fx/x] on vlan [x].”
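The log messages quoted in the notes above can be triaged automatically. The following is an added example, not part of the original notes: it parses those four message formats and returns the port state and recovery step the notes give for each. The sample log lines are constructed, and the "several distinct MACs flapping in one VLAN" loop heuristic is an assumption.

```python
import re
from collections import defaultdict

PORT = r"(?P<port>[\w/-]+)"
VLAN = r"vlan\s*0*(?P<vlan>\d+)"  # accepts "vlan 10" and "VLAN0010"
PATTERNS = {  # message texts from the notes above, matched case-insensitively
    "mac_flap": r"%SW_MATM-4-MACFLAP_NOTIF: host (?P<mac>\S+) in " + VLAN
                + r" is flapping between port " + PORT + r" and port (?P<port2>[\w/-]+)",
    "bpdu_guard": r"%SPANTREE-2-BLOCK_BPDUGUARD: received bpdu on port " + PORT,
    "root_guard": r"%SPANTREE-2-ROOTGUARD_BLOCK: root guard blocking port " + PORT + " on " + VLAN,
    "loop_guard": r"%SPANTREE-2-LOOPGUARD_BLOCK: loop guard blocking port " + PORT + " on " + VLAN,
}
PATTERNS = {k: re.compile(v, re.I) for k, v in PATTERNS.items()}
ACTION = {  # port state and recovery for each event, as described in the notes
    "bpdu_guard": "err-disabled: use err-disable recovery or bounce the port",
    "root_guard": "root inconsistent: remove the device sending BPDUs, no bounce needed",
    "loop_guard": "loop inconsistent: BPDUs stopped arriving, check neighbor and link",
    "mac_flap": "MAC table corruption: check for an STP failure in this VLAN",
}

def parse(lines):
    """Return one dict per recognised STP-related syslog line."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append({"kind": kind, "action": ACTION[kind], **m.groupdict()})
                break
    return events

def suspected_loop_vlans(events, min_macs=2):
    """VLANs where several distinct MACs flap (assumed heuristic for a loop)."""
    macs = defaultdict(set)
    for e in events:
        if e["kind"] == "mac_flap":
            macs[e["vlan"]].add(e["mac"].lower())
    return sorted(v for v, s in macs.items() if len(s) >= min_macs)

# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    "00:10:01: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/5 with BPDU Guard enabled. Disabling port.",
    "00:10:01: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state",
    "00:12:40: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/1 on VLAN0010.",
    "00:15:02: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Gi0/2 on VLAN0020.",
    "00:15:09: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi0/2 and port Gi0/3",
    "00:15:09: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 20 is flapping between port Gi0/2 and port Gi0/3",
]
```

Calling `parse(SAMPLE)` yields five events (the %PM-4-ERR_DISABLE line is the consequence of the BPDU Guard event and is not counted separately), and `suspected_loop_vlans` on them returns VLAN 20.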
Automatic Private IP Addressing (APIPA) Address: Indicates a PC is not able to receive its own IP via DHCP. Uses the
169.254.x.x/16 range.
EtherChannels and Inter-VLAN Routing
L2 EtherChannels: Multiple ports combined into a single logical bundle, also known as a port channel. Can be L2 or
L3.
if) channel-group [x] mode [on|active|passive|auto|desirable] !!! to assign an interface to a
port channel.
Mismatched Port Configurations: Config of all ports making up an EtherChannel, on both ends, should be
identical: speed, duplex, trunk mode, native VLAN, allowed VLANs, and L2/3 settings. Port channel inherits
config from the physical ports.
Mismatched EtherChannel Configurations: Both switches should be using compatible protocols and modes.
LACP, PAgP, or “on” are not compatible with one another. PAgP: auto/desirable, LACP: active/passive.
sh run int [fx/x] !!! compare configurations between ports and switches, must be identical.
sh etherchannel summary !!! flags, protocol, ports, group. r=l3, s=l2, u=in use, p=bundled,
i=stand alone.
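The two mismatch checks above can be run offline against settings copied from each switch. This is an added example, not part of the original notes: the port dictionary schema, switch names and sample values are hypothetical, and the rule that two passive (LACP) or two auto (PAgP) ends never form a bundle goes beyond what the notes state.

```python
# Settings the notes list as needing to be identical on all member ports.
MUST_MATCH = ("speed", "duplex", "trunk_mode", "native_vlan", "allowed_vlans", "layer")
PROTOCOL = {"on": "static", "active": "LACP", "passive": "LACP",
            "auto": "PAgP", "desirable": "PAgP"}
INITIATES = {"on", "active", "desirable"}  # passive and auto only answer

def negotiation(local_mode, remote_mode):
    """Return (forms, reason) for the channel-group modes at the two ends of a link."""
    a, b = PROTOCOL[local_mode], PROTOCOL[remote_mode]
    if a != b:
        return False, f"{a} ({local_mode}) cannot bundle with {b} ({remote_mode})"
    if local_mode not in INITIATES and remote_mode not in INITIATES:
        return False, f"{local_mode}/{remote_mode}: neither end starts {a} negotiation"
    return True, f"{a} bundle"

def audit(links):
    """links: list of (local_port, remote_port) dicts; the dict keys are a
    hypothetical schema filled in by hand from 'sh run int' on each switch."""
    findings = []
    for local, remote in links:
        ok, reason = negotiation(local["mode"], remote["mode"])
        if not ok:
            findings.append(f"{local['name']} <-> {remote['name']}: {reason}")
    ports = [p for link in links for p in link]
    for key in MUST_MATCH:
        seen = {}
        for p in ports:
            seen.setdefault(str(p[key]), []).append(p["name"])
        if len(seen) > 1:
            findings.append(f"{key} differs: " + "; ".join(
                f"{v} on {', '.join(n)}" for v, n in sorted(seen.items())))
    return findings

# Constructed example: two links between SW1 and SW2.
BASE = dict(speed=1000, duplex="full", trunk_mode="trunk", native_vlan=1,
            allowed_vlans="10,20", layer="L2")
LINKS = [
    ({"name": "SW1 Gi0/1", "mode": "active", **BASE},
     {"name": "SW2 Gi0/1", "mode": "passive", **BASE}),
    ({"name": "SW1 Gi0/2", "mode": "active", **BASE},
     {"name": "SW2 Gi0/2", "mode": "desirable", **BASE, "native_vlan": 99}),
]

if __name__ == "__main__":
    for finding in audit(LINKS):
        print(finding)
```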
Inappropriate Distribution: Hashing algorithm used to distribute traffic should be appropriate for the load. Use
powers of 2.
config) port-channel load-balance [ ? | method ] !!! to change, global per switch. (?) for
options.
sh etherchannel load-balance !!! shows configured method.
sh etherchannel (#) port-channel !!! to see how links are loaded, shows in hex.
L3 EtherChannels: No need to worry about trunk mode, native VLAN, or allowed VLANs. Port channel inherits
physical attributes (L2/L3) from interfaces when created. Either issue no switchport to the interfaces before
assigning a channel group, or create the port channel with interface port-channel, issue no switchport to the port
channel, then assign interfaces.
Router-on-a-Stick: Common issues are: trunk encapsulation mismatch, incorrect VLAN assignments on router’s
subinterfaces, incorrect IP add, mask, or DG on PCs, switchport connected to router configured as an access
port, switchport connected to router configured to use DTP (which isn’t supported by the router), or switch
ports connected to PCs being in the wrong VLAN.
config) interface [fx/x].[sub-if #] !!! on router. good practice to match vlan #.
if) encapsulation dot1q [vlan #]
if) ip add [ip] [mask]
sh vlans !!! use on router to confirm encapsulation type.
sh interfaces trunk !!! use on switch to confirm encapsulation type.
Switched Virtual Interfaces: Create an SVI with interface vlan [x], assign an IP to be the DG, and ensure ip routing
is globally enabled. The VLAN the SVI is created for needs to exist locally, the SVI must be enabled and not shut
down, and there must be a switchport (access or trunk) that is up/up and STP forwarding for that specific VLAN.
sh ip int brief !!! look for up/up state.
sh int vlan [#] !!! shows mac used and ip.
sh ip int vlan [#] !!! same as above plus more ip settings.
Routed Ports: Physical ports that act as L3 interfaces. No VLAN association, STP, DTP, nor subints. Use for uplinks,
enable ip routing!
if) no switchport !!! how to enable. assign an ip!
sh int [fx/x] switchport !!! will display “switchport: disabled.”
