STP and RSTP - spanning trees in Ethernet networks. How it works and how it is attacked
Spanning Tree Protocol (IEEE 802.1D) and Rapid STP (IEEE 802.1w) - the loop prevention mechanism in layer 2 networks. BPDU, port roles, attacks and BPDU Guard.
Spanning Tree Protocol (STP) solves one of the fundamental problems of Ethernet networks - loops. A switch learns which port a MAC address sits behind from the source address of the frames arriving on that port. Ethernet frames carry no hop limit, so in a topology with a loop a broadcast frame circulates indefinitely: copies keep arriving on other ports, the switch keeps rewriting its MAC-table entry for the source (MAC flapping), and the result is a broadcast storm that paralyses the network within seconds.
STP was developed by Radia Perlman at Digital Equipment Corporation and standardised as IEEE 802.1D (1990). Rapid STP (RSTP, IEEE 802.1w from 2001) replaced classic STP in most deployments thanks to much faster convergence. Since the 2004 edition RSTP is part of the 802.1D standard itself.
How it works
The STP algorithm selects from any layer 2 topology a spanning tree in which exactly one active path exists between every two switches. The remaining links are blocked but remain ready to activate if a failure occurs.
The selection process:
- Root Bridge election - the switch with the lowest Bridge ID (16-bit priority + 48-bit MAC) becomes Root. The default priority is 32,768, adjustable in steps of 4,096 because the lower 12 bits of the priority field carry the extended system ID (the VLAN number).
- Root Port selection - on each non-root switch the port with the lowest path cost to the Root Bridge is chosen.
- Designated Port selection - on each segment the port of the switch with the lowest path cost to the Root (ties broken by the lower Bridge ID) becomes Designated and forwards traffic for that segment.
- Blocking of remaining ports - all other ports move to the blocking state.
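The four steps above, run end to end on a small constructed ring topology. This is an added example, not code from the article: the switch names, MACs and links are invented, Bridge IDs compare as (priority, MAC) with the lower value winning, and link costs use the 802.1D-2004 defaults (1 GbE = 20,000; 100 Mb/s = 200,000).

```python
"""Root Bridge election, Root Path Cost and port roles on a constructed topology.

Added example, not code from the article. Bridge IDs compare as (priority, MAC);
lower wins. Switch names, MACs and links below are invented.
"""
import heapq

# Constructed switches: name -> (bridge priority, MAC). Every priority is the
# default 32768 except SW2, lowered one 4096 step so that it is the intended Root.
BRIDGES = {
    "SW1": (32768, "00:11:22:33:44:01"),
    "SW2": (28672, "00:11:22:33:44:02"),
    "SW3": (32768, "00:11:22:33:44:03"),
    "SW4": (32768, "00:11:22:33:44:04"),
}

# Constructed links: (switch A, port on A, switch B, port on B, port cost).
# The ring SW1-SW2-SW3-SW4-SW1 contains the loop that STP must break.
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 20000),
    ("SW2", "Gi0/2", "SW3", "Gi0/1", 20000),
    ("SW3", "Gi0/2", "SW4", "Gi0/1", 20000),
    ("SW4", "Fa0/1", "SW1", "Fa0/1", 200000),   # slow 100 Mb/s link
]


def bridge_id(name, bridges=BRIDGES):
    """Comparable Bridge ID: priority first, then the MAC as an integer."""
    prio, mac = bridges[name]
    return (prio, int(mac.replace(":", ""), 16))


def elect_root(bridges=BRIDGES):
    """Step 1: the switch with the numerically lowest Bridge ID is Root."""
    return min(bridges, key=lambda n: bridge_id(n, bridges))


def root_path_costs(root, bridges=BRIDGES, links=LINKS):
    """Step 2: lowest cumulative cost from every switch to the Root and the local
    port that path leaves on (the Root Port). Ties go to the lower Bridge ID of
    the upstream switch. Returns {switch: (cost, root_port)}; the Root has
    cost 0 and no Root Port."""
    adj = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((b, pb, cost))   # reaching b uses b's port pb
        adj.setdefault(b, []).append((a, pa, cost))
    best = {root: (0, None, None)}               # switch -> (cost, upstream BID, port)
    heap = [(0, bridge_id(root, bridges), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                              # stale heap entry
        for nbr, nbr_port, link_cost in adj.get(node, []):
            if nbr == root:
                continue
            cand = (cost + link_cost, bridge_id(node, bridges))
            cur = best.get(nbr)
            if cur is None or cand < (cur[0], cur[1]):
                best[nbr] = (cand[0], cand[1], nbr_port)
                heapq.heappush(heap, (cand[0], bridge_id(nbr, bridges), nbr))
    return {sw: (cost, port) for sw, (cost, _, port) in best.items()}


def port_roles(bridges=BRIDGES, links=LINKS):
    """Steps 3 and 4: on every link the end closer to the Root (lower path cost,
    then lower Bridge ID) is Designated; the far end is the Root Port if that is
    the switch's best path, otherwise Alternate (blocked). Returns (root, roles)."""
    root = elect_root(bridges)
    costs = root_path_costs(root, bridges, links)
    roles = {(sw, rp): "Root" for sw, (_, rp) in costs.items() if rp is not None}
    for a, pa, b, pb, _ in links:
        a_key = (costs[a][0], bridge_id(a, bridges))
        b_key = (costs[b][0], bridge_id(b, bridges))
        near, near_port, far, far_port = (a, pa, b, pb) if a_key < b_key else (b, pb, a, pa)
        roles[(near, near_port)] = "Designated"
        roles.setdefault((far, far_port), "Alternate")
    return root, roles


if __name__ == "__main__":
    root, roles = port_roles()
    print("Root Bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

Running it elects SW2 as Root, gives SW4 a Root Path Cost of 40,000 via SW3 (rather than 220,000 over the slow link), and blocks SW4's Fa0/1 as Alternate while SW1's Fa0/1 stays Designated on that segment: the one loop in the ring is broken on its most expensive link. Lowering any other switch's priority below 28,672 and re-running shows the whole tree re-forming around it, which is exactly what the attack section below relies on and what Root Guard is meant to prevent.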
BPDU - Bridge Protocol Data Unit
Switches exchange information using BPDUs sent to the reserved multicast address 01:80:C2:00:00:00. A typical Configuration BPDU contains:
| Field | Purpose |
|---|---|
| Root Bridge ID | ID of the switch currently considered Root |
| Root Path Cost | Cost of the path to the Root Bridge |
| Sender Bridge ID | ID of the switch sending the BPDU |
| Port ID | Port from which the BPDU was sent |
| Message Age | Time elapsed since generated by the Root |
| Max Age | Maximum validity period (default 20 s) |
| Hello Time | BPDU interval (default 2 s) |
| Forward Delay | Time in Listening/Learning state (default 15 s) |
Port states and roles
In classic STP a port can be in one of these states: Disabled, Blocking, Listening, Learning or Forwarding. The transition from Blocking to Forwarding takes 30-50 seconds (two Forward Delay periods of 15 s, preceded by up to Max Age of 20 s before the switch notices that the Root has gone) - unacceptable in modern networks.
RSTP simplifies this to three states - Discarding, Learning, Forwarding - and introduces port roles:
| Role | Function |
|---|---|
| Root Port | Best path to the Root Bridge (active) |
| Designated Port | Port responsible for the segment (active) |
| Alternate Port | Alternative path to the Root (blocked, standby) |
| Backup Port | Redundancy on the same segment (blocked) |
| Edge Port | Access port (to hosts, immediately Forwarding) |
RSTP typically converges in 1-2 seconds thanks to direct negotiation between switches instead of waiting for Max Age.
STP variants
| Standard | Name | Purpose |
|---|---|---|
| IEEE 802.1D | STP / RSTP | Single tree for the entire network |
| IEEE 802.1s / 802.1Q-2005 | MSTP | Multiple trees for different VLANs |
| Cisco PVST+ | Per-VLAN Spanning Tree | Separate tree per VLAN (proprietary) |
| Cisco Rapid PVST+ | RPVST+ | PVST+ with RSTP speed |
MSTP allows VLANs to be grouped into instances (MSTI) - different VLANs can use different links as active, enabling load balancing in a redundant topology.
Attacks on STP
WARNING
STP was designed in the era of trusted corporate networks. BPDUs are not authenticated - any device connected to the network can send BPDUs and attempt to become the Root Bridge.
Root Bridge takeover - the attacker sends BPDUs with a priority lower than the current Root (e.g. 0). Switches accept the new Root and the topology reconverges. Result: all inter-segment traffic flows through the attacker’s device - an ideal MITM.
BPDU flooding / DoS - a flood of BPDUs causes topology instability. Every change triggers a Topology Change Notification, clearing of MAC tables and waves of unknown-unicast flooding.
TCN injection - a single BPDU with the TCN (Topology Change Notification) flag causes CAM tables to be flushed, making MAC flooding easier.
Dual-homed attack - a device with two interfaces connected to two switches can propagate BPDUs and manipulate the topology.
Yersinia - an open source tool implementing all of the above attacks against STP, DTP, CDP, HSRP and other layer 2 protocols.
Defensive mechanisms
| Mechanism | Function |
|---|---|
| BPDU Guard | Port moves to err-disable on receiving a BPDU (protects edge ports) |
| Root Guard | Moves the port to root-inconsistent (blocked) state when a BPDU announces a better Root than the current one |
| Loop Guard | Blocks a port that has stopped receiving BPDUs, protecting against loops |
| TCN Guard / Filter | Filters spurious TCNs on edge ports |
| PortFast / EdgePort | Immediate Forwarding on access ports, skipping Listening/Learning |
| UDLD | Detects unidirectional links (Cisco proprietary) |
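The BPDU field table above and the BPDU Guard / Root Guard rows of this table, as one worked example. The code is added here and is not from the article or any vendor: it parses the 802.1D Configuration and TCN BPDU layout from a constructed 802.3/LLC frame, converts the on-wire timers (units of 1/256 s) back to seconds, and then applies the two guard decisions. All MACs, priorities and frames are constructed samples; the BPDU with priority 4096 stands in for any newly attached switch, hostile or merely misconfigured, that would otherwise win the election.

```python
"""Parse 802.1D Configuration/TCN BPDUs and apply BPDU Guard and Root Guard.

Added example, not code from the article or any vendor. Field layout follows
the Configuration BPDU table; timers travel on the wire in units of 1/256 s.
All MACs, priorities and frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

STP_MULTICAST = bytes.fromhex("0180c2000000")   # reserved BPDU destination
LLC_STP = b"\x42\x42\x03"                       # DSAP/SSAP 0x42, UI control
BPDU_HDR = "!HBB"                               # protocol id, version, type
BPDU_BODY = "!8sI8sHHHHH"                       # Root ID .. Forward Delay (30 bytes)
TYPE_CONFIG, TYPE_RST, TYPE_TCN = 0x00, 0x02, 0x80
BridgeID = Tuple[int, str]                      # (priority, "aa:bb:cc:dd:ee:ff")


@dataclass
class BPDU:
    version: int
    bpdu_type: int
    flags: int = 0                              # a TCN BPDU has no flags byte
    root_id: Optional[BridgeID] = None
    root_path_cost: Optional[int] = None
    bridge_id: Optional[BridgeID] = None
    port_id: Optional[int] = None
    message_age: Optional[float] = None         # all timers in seconds
    max_age: Optional[float] = None
    hello_time: Optional[float] = None
    forward_delay: Optional[float] = None


def bid_key(bid: BridgeID):
    """Comparable Bridge ID: lower priority wins, then lower MAC."""
    return (bid[0], int(bid[1].replace(":", ""), 16))

def _unpack_bid(raw: bytes) -> BridgeID:
    return (struct.unpack("!H", raw[:2])[0], ":".join(f"{b:02x}" for b in raw[2:8]))

def _pack_bid(bid: BridgeID) -> bytes:
    return struct.pack("!H", bid[0]) + bytes.fromhex(bid[1].replace(":", ""))


def parse_bpdu(frame: bytes) -> BPDU:
    """Parse an 802.3 frame carrying a BPDU; raises ValueError on anything else."""
    if len(frame) < 21 or frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        raise ValueError("not an STP BPDU frame")
    body = frame[17:]
    proto, version, btype = struct.unpack(BPDU_HDR, body[:4])
    if proto != 0:
        raise ValueError("unknown protocol identifier")
    if btype == TYPE_TCN:
        return BPDU(version, btype)             # 4 bytes, nothing more to read
    if btype not in (TYPE_CONFIG, TYPE_RST) or len(body) < 35:
        raise ValueError("unsupported or truncated BPDU")
    root, cost, bridge, port, age, max_age, hello, fwd = struct.unpack(BPDU_BODY, body[5:35])
    return BPDU(version, btype, body[4], _unpack_bid(root), cost, _unpack_bid(bridge),
                port, age / 256, max_age / 256, hello / 256, fwd / 256)


def bpdu_guard(bpdu: BPDU, port_is_edge: bool) -> str:
    """BPDU Guard: an edge (PortFast) port must never see a BPDU, so any BPDU,
    even a bare TCN, err-disables it. Verdict otherwise: 'pass'."""
    return "err-disable" if port_is_edge else "pass"

def root_guard(bpdu: BPDU, trusted_root: BridgeID) -> str:
    """Root Guard: a BPDU advertising a Root with a lower Bridge ID than the one
    we trust moves the port to root-inconsistent (blocked) until such BPDUs stop."""
    if bpdu.root_id is not None and bid_key(bpdu.root_id) < bid_key(trusted_root):
        return "root-inconsistent"
    return "pass"

def evaluate(frame: bytes, port_is_edge: bool, trusted_root: BridgeID) -> str:
    """Combined verdict for one received frame on one port."""
    bpdu = parse_bpdu(frame)
    verdict = bpdu_guard(bpdu, port_is_edge)
    return root_guard(bpdu, trusted_root) if verdict == "pass" else verdict


def make_frame(src_mac: str, bpdu_bytes: bytes) -> bytes:
    """Constructed 802.3/LLC frame used as sample input (not captured traffic)."""
    payload = LLC_STP + bpdu_bytes
    return (STP_MULTICAST + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", len(payload)) + payload)

def make_config_bpdu(root: BridgeID, cost: int, sender: BridgeID) -> bytes:
    """Constructed Configuration BPDU with the default timers 20 s / 2 s / 15 s."""
    return (struct.pack(BPDU_HDR, 0, 0, TYPE_CONFIG) + b"\x00"
            + struct.pack(BPDU_BODY, _pack_bid(root), cost, _pack_bid(sender),
                          0x8001, 0, 20 * 256, 2 * 256, 15 * 256))


# Constructed samples: the trusted Root (priority 28672), a newly attached switch
# whose priority 4096 would win the election if nothing stopped it, and a TCN.
TRUSTED_ROOT: BridgeID = (28672, "00:11:22:33:44:02")
NEWCOMER: BridgeID = (4096, "00:11:22:33:44:99")
LEGIT = make_frame(TRUSTED_ROOT[1], make_config_bpdu(TRUSTED_ROOT, 0, TRUSTED_ROOT))
BETTER = make_frame(NEWCOMER[1], make_config_bpdu(NEWCOMER, 0, NEWCOMER))
TCN = make_frame("00:11:22:33:44:03", struct.pack(BPDU_HDR, 0, 0, TYPE_TCN))
```

Calling `evaluate(LEGIT, False, TRUSTED_ROOT)` returns `"pass"`, the same frame on an edge port returns `"err-disable"`, a bare TCN on an edge port is also err-disabled (BPDU Guard does not care what the BPDU says, only that one arrived), and `evaluate(BETTER, False, TRUSTED_ROOT)` returns `"root-inconsistent"`. The two guards are deliberately separate functions because they belong on different ports: BPDU Guard on access ports, Root Guard on the uplinks towards switches that are allowed to speak STP but never allowed to become Root.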
For critical networks (SCADA, electrical substations) the recommendation is radical: do not use STP on the OT backbone. Instead, use layer 2 redundancy protocols designed for zero recovery time - PRP or HSR according to IEC 62439-3.
TIP
On every access port (to a laptop, VoIP phone, printer) enable BPDU Guard and PortFast. It takes five minutes of configuration and blocks the entire STP attack vector. Missing BPDU Guard in 2026 is not a trade-off - it is negligence.
Analysis in practice
```text
# Cisco - show STP topology
show spanning-tree
show spanning-tree vlan 10 detail
# Wireshark filter
stp
# Yersinia - layer 2 penetration testing
yersinia -G
```
STP and L2 attack traffic samples:
- automayt/ICS-pcap - PCAPs with L2 traffic from industrial networks
- Yersinia GitHub - tool for STP/DTP/CDP/HSRP testing
Summary
STP/RSTP solves the loop problem in redundant networks, but in its default configuration it is an attack vector. In a modern enterprise network the administrator’s duty is to enable BPDU Guard on access ports and Root Guard on ports facing trusted switches. In OT networks with a requirement for deterministic redundancy, STP should be replaced by PRP/HSR.
Sources
- IEEE 802.1D - Media Access Control (MAC) Bridges - official standard
- IEEE 802.1Q - VLANs (includes MSTP) - standard containing MSTP
- Cisco - Spanning Tree Protocol Configuration - deployment documentation
- Yersinia - open source layer 2 testing tool