Set the Root Bridge manually
With default priority, the oldest switch becomes Root Bridge. Set priority to 4096 on the intended Root Bridge. Verify the Root Bridge after every switch replacement.
4.1 STP and RSTP
Chapters 1 to 3 covered how data moves through a network under normal conditions. Chapter 4 covers what happens when a link becomes inoperable. Redundancy is essential in industrial networks. A single cable outage that halts a production line costs thousands of euros per minute. STP is the first redundancy mechanism: STP blocks loops while keeping a backup path ready.
Why Loops Are Catastrophic
Section titled “Why Loops Are Catastrophic”A switch has no TTL mechanism. When a network has a physical loop, frames circulate indefinitely. A single broadcast frame enters the loop, and both switches flood the frame. Each switch receives the frame from the other switch and floods the frame again. The frame count doubles every microsecond. Within 50 ms, the link is saturated and every device on the network becomes unreachable.
STP (Spanning Tree Protocol) blocks redundant paths logically. Only 1 active path exists between any 2 points. When the active path becomes inoperable, STP unblocks a redundant path. To accomplish this, STP first elects a central reference point for the topology.
How STP Works
Section titled “How STP Works”STP elects 1 switch as the Root Bridge: the logical center of the spanning tree. The remaining switches calculate their shortest path to the Root Bridge and block any ports that create a loop.
Key terms:
- Root Bridge — the switch elected as the center of the spanning tree. The network calculates paths relative to the Root Bridge.
- Bridge ID — an 8-byte value used in the election: Priority (2 bytes) + MAC address (6 bytes). The switch with the lowest Bridge ID wins.
- BPDU (Bridge Protocol Data Unit) — the control frame STP uses to exchange topology information. STP sends BPDUs to multicast
01:80:C2:00:00:00. - Root Port — the port with the best path to the Root Bridge (1 per non-root switch).
- Blocked Port — a redundant port that STP blocks to stop loops.
The Root Bridge election has a flaw that requires manual correction.
Root Bridge Election
Section titled “Root Bridge Election”With default priority (32768), the switch with the lowest MAC address becomes Root Bridge. Manufacturers assign MAC addresses in sequence. The oldest switch in the network often wins. This outcome is undesirable.
Set the Root Bridge manually by lowering the priority on the intended Root Bridge:
Switching → L2-Redundancy → Spanning Tree → BridgeBridge Priority: 4096 (lower = more likely to be root)Beyond the election, the convergence time of classic STP is a fundamental concern for OT networks.
STP Convergence Time
Section titled “STP Convergence Time”Classic STP converges in 30 to 50 seconds. This duration is unacceptable for OT. A 30-second outage after a cable outage causes PLCs to fault and production to stop.
| Protocol | Convergence | Suitable for OT? |
|---|---|---|
| STP (802.1D) | 30 to 50 s | No |
| RSTP (802.1w) | 1 to 2 s | Marginal |
| MRP (IEC 62439-2) | less than 200 ms | Yes |
RSTP solves the convergence issue through a fundamentally different negotiation mechanism.
RSTP: Why RSTP Is Faster
Section titled “RSTP: Why RSTP Is Faster”RSTP (Rapid Spanning Tree Protocol) (IEEE 802.1w) converges in 1 to 2 seconds. RSTP achieves this speed through the Proposal/Agreement mechanism. Instead of waiting for timers, switches negotiate directly.
The downstream switch blocks its other ports (stopping loops) and immediately agrees. The upstream port goes to Forwarding without waiting for any timer. Ports connected to end devices need special treatment to eliminate unnecessary delays.
Edge Ports
Section titled “Edge Ports”Configure ports connected to end devices (PLCs, HMIs, PCs) as Edge Ports. Edge Ports skip the Learning state and go directly to Forwarding when the link comes up. This configuration eliminates the 15-second delay that otherwise occurs every time a device reboots.
Enable BPDU Guard on Edge Ports. When a BPDU arrives on an Edge Port (indicating someone connected a switch), the port is immediately disabled. BPDU Guard stops accidental loops from unauthorized switches.
Switching → L2-Redundancy → Spanning Tree → PortAdmin Edge Port: EnabledBPDU Guard: EnabledWith STP configured correctly, the next step is to monitor STP for signs of instability.
Monitoring STP Topology Changes
Section titled “Monitoring STP Topology Changes”A high rate of STP topology change events indicates a loop or a flapping link. Each topology change causes the switches to flush their MAC tables, which temporarily floods traffic. The following script monitors BPDU traffic and alerts when topology changes occur too frequently:
from scapy.all import sniff, Etherfrom scapy.contrib.spanning_tree import STPimport time
tc_times: list[float] = []last_root: str = ""
def monitor_stp(pkt): global last_root if not pkt.haslayer(STP): return stp = pkt[STP] now = time.time()
if stp.tc: tc_times.append(now) recent = [t for t in tc_times if now - t < 60] tc_times.clear() tc_times.extend(recent) print(f"Topology change from {pkt[Ether].src} — {len(tc_times)} TCs in last 60s") if len(tc_times) > 5: print(" WARNING: high TC rate — check for loop or flapping link")
root = f"{stp.rootprio}:{stp.rootid}" if last_root and last_root != root: print(f"Root bridge changed: {last_root} -> {root}") last_root = root
sniff(iface="eth0", filter="ether dst 01:80:c2:00:00:00", prn=monitor_stp, store=False)More than 5 topology changes per minute indicates an issue. Check for unauthorized switches connected to Edge Ports, or for a cable that is intermittently losing link. A root bridge change indicates that the manually configured Root Bridge has lost its role. The Root Bridge is offline or its priority was changed.
Key Takeaways
Section titled “Key Takeaways”Use RSTP instead of classic STP
RSTP converges in 1 to 2 seconds. Classic STP takes 30 to 50 seconds. For ring topologies, use MRP instead of RSTP.
Enable Edge Ports on access ports
Edge Ports skip STP learning states. Enable BPDU Guard to stop unauthorized switches from creating loops.
What Comes Next
Section titled “What Comes Next”STP and RSTP work on arbitrary mesh topologies. The next section covers ring topologies — the dominant redundancy architecture in industrial networks. Ring-specific protocols like MRP converge much faster than RSTP on a ring.
References
Section titled “References”- IEEE 802.1D-2004 — Media Access Control (MAC) Bridges (includes RSTP)
- Perlman, R. (1985). An Algorithm for Distributed Computation of a Spanning Tree in an Extended LAN. ACM SIGCOMM.
- Hirschmann. (2023). User Manual — HiOS: Spanning Tree. Belden/Hirschmann.