CCNA Lab 7: Loop Troubleshooting and STP Deep Dive

A Layer 2 loop is the fastest way to destroy a network. Broadcast frames circulate at wire speed, switches fill their CAM tables, and every port saturates. Spanning Tree Protocol (STP) prevents loops — when it fails, you have seconds to act.

How STP Works

STP elects a root bridge and blocks redundant ports to create a loop-free topology.

Port States

State	Purpose
Blocking	No data, no learning, no BPDU processing
Listening	No data, no learning, sending/receiving BPDUs
Learning	No data, learning MAC addresses
Forwarding	Full operation
Disabled	Administratively down

Port Roles

Role	Description
Root Port (RP)	Best path to root bridge (one per non-root switch)
Designated Port (DP)	Best path on a segment (one per segment)
Alternate Port (AP)	Backup path to root bridge

Detecting a Loop

Symptoms of a Layer 2 loop:

%SW_MATM-4-MACFLAP_NOTIF: Host 0050.7966.6800 in vlan 10 is flapping between port Gi0/1 and port Gi0/2

Immediate Actions

When you suspect a loop:

# 1. Identify the flapping MAC addresses
show mac address-table | include flapping
 
# 2. Check CPU utilization
show processes cpu sorted
 
# 3. Check port utilization
show interfaces | include rate|line
 
# 4. Look for high broadcast rates
show interfaces Gi0/1 | include broadcast

Emergency Loop Breaking

If the network is down and you need to break the loop right now:

! Disable all ports except the management uplink
interface range Gi0/1-24
 shutdown
 
! Re-enable one port at a time
no interface Gi0/1 shutdown
! Wait 30 seconds
no interface Gi0/2 shutdown
! Continue until the loop returns

When the loop returns, the last port you enabled is involved in the loop.

STP Troubleshooting Commands

show spanning-tree
show spanning-tree vlan 10
show spanning-tree detail
show spanning-tree root
show spanning-tree blockedports
show spanning-tree vlan 10 bridge

Check Root Bridge

show spanning-tree root
 
                  Root ID    Priority    Cost      Root Port
VLAN0001          32769      32769       19        Gi0/24
VLAN0010          32778      32778       19        Gi0/24
VLAN0020          32788      32788       19        Gi0/24

If a switch in the access layer is the root bridge instead of the core switch, the path is suboptimal.

Find Blocked Ports

show spanning-tree blockedports
 
Name                 Blocked Interfaces List
-------------------- --------------------------
VLAN0001             Gi0/3
VLAN0010             Gi0/3
VLAN0020             Gi0/3

A healthy network should have blocked ports (that means STP is working). If no ports are blocked in a redundant topology, a loop exists somewhere.

Topology Changes

When a port transitions to forwarding, STP sends a Topology Change Notification (TCN). Excessive TCNs destabilize the network:

show spanning-tree detail | include topology

Root Guard

Prevent an unauthorized switch from becoming root bridge:

interface Gi0/24
 spanning-tree guard root

If a superior BPDU is received on this port, it goes into root-inconsistent (blocking) state.

BPDU Guard

Shut down a port that receives BPDUs (useful on access ports where end users should not be connecting switches):

interface Gi0/1
 spanning-tree bpduguard enable

Or globally:

spanning-tree portfast bpduguard default

PortFast

Put access ports into forwarding state immediately:

interface Gi0/1
 spanning-tree portfast

Never enable PortFast on trunk ports.

LoopGuard and UDLD

LoopGuard

Prevents alternate/root ports from transitioning to forwarding when BPDUs stop:

interface Gi0/24
 spanning-tree guard loop

UDLD (Unidirectional Link Detection)

Detects fiber issues where one direction of a link fails:

udld enable
interface Gi0/24
 udld port aggressive

Real-World Loop Investigation

Scenario: “The network is slow”

1. ssh to core switch
2. show processes cpu | include CPU
   CPU utilization for five seconds: 95%, one minute: 90%, five minutes: 85%
3. show interfaces | include broadcast
   Gi0/1: Broadcast 452312 packets/sec
4. show mac address-table count
   Dynamic Address Count: 23000
   (Normal is ~500 on this network)

The high MAC count and broadcast rate confirm a loop. Break the loop by shutting down the port with the highest broadcast rate.

Scenario: “Random disconnects”

Intermittent disconnects with MACFLAP_NOTIF messages:

%SW_MATM-4-MACFLAP_NOTIF: Host aaaa.bbbb.cccc in vlan 10 is flapping between port Gi0/1 and port Gi0/2

Causes:

Actual loop (STP convergence issue)
Trunk carrying VLAN where it should not (native VLAN mismatch)
Wireless bridge looping back to wired network
Virtual machine with multiple NICs on same VLAN
Faulty NIC

Debugging STP Events

debug spanning-tree events
debug spanning-tree bpdu

Watch for unexpected TCNs:

STP: VLAN0010 new root port Gi0/24, cost 19
STP: VLAN0010 Gi0/24 -> listening
STP: VLAN0010 Gi0/24 -> learning
STP: VLAN0010 Gi0/24 -> forwarding

A healthy network should be quiet. Constant STP changes indicate a problem.

Best Practices

Root bridge placement — Core/distribution switches should be root
Secondary root — Set a backup root bridge
BPDU Guard on access ports — Default configuration on all edge ports
PortFast on access ports — Immediate forwarding for end devices
UDLD on fiber links — Detect unidirectional failures
VLAN pruning — Only carry necessary VLANs on trunks
Monitor MAC flap — Set up SNMP alerts for MACFLAP_NOTIF messages

Default STP Timers

Timer	Default	Recommendation
Hello	2 sec	Keep default
Forward Delay	15 sec	Keep default
Max Age	20 sec	Keep default

Convergence	~50 sec	Reduce with Rapid PVST+

Rapid PVST+ (RSTP)

Rapid PVST+ converges in 1-3 seconds vs 50 seconds for classic STP:

spanning-tree mode rapid-pvst

Compatible with classic STP — switches running RSTP fall back to 802.1D when connected to legacy STP switches.