Spanning Tree Protocol: understanding and deploying STP/MSTP

Introduction

If you have multiple switches, you’ve surely heard of the Spanning Tree Protocol. But there’s often a gap between theory and practice—especially when you encounter unusual hardware with unexpected interfaces.

This article details a real-world implementation of MSTP on three HP 1910 switches (based on Comware H3C), including the problems encountered and the solutions found. Spoiler: the GUI won’t be your friend.

Why STP?

The Loop Problem

In a network with multiple interconnected switches, physical loops can exist—whether intentional for redundancy or accidental. Without protection, a broadcast frame enters a loop and circulates indefinitely, duplicating itself with each pass. Within seconds, the network is 100% saturated: this is a broadcast storm, and it renders the infrastructure completely unusable.

STP solves this problem by detecting loops and automatically blocking redundant ports, while keeping them in standby mode for rapid failover if a link goes down.

Variants

Protocol	Standard	Convergence	Recommended Use
STP	802.1D	30–50 sec	Avoid, obsolete
RSTP	802.1w	1–2 sec	Small, simple network
MSTP	802.1s	1–2 sec	Network with multiple VLANs
PVST+	Cisco	1–2 sec	Cisco-specific

For a modern home lab with around ten VLANs, MSTP is the right choice — it natively integrates RSTP and allows you to manage multiple instances per VLAN group.

Key Concepts

Root Bridge

The Root Bridge is the "master" switch around which the spanning tree is built. All other switches calculate their optimal path to it.

Never let STP choose the Root Bridge automatically — it will select the switch with the oldest MAC address, which has nothing to do with your logical topology. Set it manually via Bridge Priority.

Bridge Priority

Value from 0 to 61440 (multiples of 4096). The lower the value, the higher the switch’s priority:

4096 → Designated Root Bridge
32768 → Default value (all other switches)

Port Roles

Root Port: the port closest to the Root Bridge on each non-root switch
Designated Port: active port on each network segment
Blocked Port: port put into standby mode to break a loop—it listens but does not forward

MSTP Region

MSTP introduces the concept of a region: a group of switches that share the same configuration (region name, revision, VLAN-to-instance mapping). Switches in the same region recognize each other via a cryptographic digest calculated from these parameters. If a single character differs, they cannot communicate properly.

Edge Port and BPDU Guard

On ports connected to end-devices (servers, NAS, workstations):

Edge Port: the port immediately switches to forwarding mode without waiting for STP negotiation
BPDU Guard: if a BPDU (STP packet) arrives on this port, it is automatically blocked — protection against a rogue switch accidentally connected

The Test Environment

Three HP 1910 switches (Comware H3C firmware) distributed across three locations:

SW-CORE: main switch, designated Root Bridge
SW-A: connected to SW-CORE via a 2 Gbps LACP link (2 aggregated ports)
SW-B: connected to SW-CORE via a direct Gigabit link

Topology with no active physical loops, but STP is essential for:

Protecting against accidental loops
Preparing for potential future redundancy
Protecting server ports with BPDU Guard

Setup — step by step

1. Configuring the MSTP Region

The region must be identical on all switches. On each switch, via the GUI: Network > MSTP > Region > Modify

Region Name    : MON-HOMELAB
Revision Level : 1
Instance 1     : VLANs 1-4094

> ⚠️ The HP 1910 GUI can be finicky. If you get a "VLAN ID Error," verify that the VLAN ID field for the instance is correctly set to 1-4094. Click Activate (not Apply) to confirm.

Verification via CLI:

display stp region-configuration

All three switches must display the same digest—this is proof that the region is consistent.

2. Define the Root Bridge

On SW-CORE only, via CLI (the GUI on the Global tab has a bug that unchecks the Instance box after Apply):

system-view
stp instance 1 priority 4096
stp instance 0 priority 4096
stp enable
save

On SW-A and SW-B, simply enable STP without changing the priority:

system-view
stp enable
save

3. Verifying the topology

display stp instance 0

On SW-CORE, you should see:

CIST Root/ERPC: 4096.XXXX-XXXX-XXXX / 0

On SW-A and SW-B:

CIST Root/ERPC: 4096.XXXX-XXXX-XXXX / 20   ← SW-CORE MAC
CIST RootPortId: 128.XXX                     ← uplink port to SW-CORE

Issues Encountered and Solutions

Issue 1: Switches Do Not Recognize Each Other as Root

Symptom: Each switch displays its own MAC address as the Root Bridge.

Cause: An uplink port was configured as an Edge Port, ignoring incoming BPDUs.

Solution:

interface GigabitEthernet 1/0/X
 undo stp edged-port

Issue 2: Legacy BPDU Format Instead of dot1s

Symptom: MST BPDU Format: Active=legacy on inter-switch ports.

Cause: A switch remained in RSTP mode instead of MSTP.

Solution:

system-view
stp mode mstp
save

Issue 3: Fortigate disrupts STP

Symptom: SW-CORE had its uplink port to the firewall set to ROOT role — the firewall was sending BPDUs and behaving as a Root Bridge.

Solution: Lower the priority of SW-CORE below that announced by the firewall (priority 4096 on instances 0 and 1).

Problem 4: GUI bug — the Instance checkbox unchecks itself

Symptom: In the Global tab, after checking Instance, entering the priority, and clicking Apply, the checkbox unchecks itself and the priority does not change.

Solution: Switch to CLI via SSH. Developer mode (_cmdline-mode on) may be required on some firmware versions to access all commands.

Edge Port Configuration

Once the STP topology is stable, protect your server ports.

Global BPDU Protection Enablement:

system-view
stp bpdu-protection

Configuration per Port/Aggregation (for each link to a server or NAS):

interface Bridge-Aggregation X
 stp edged-port enable

Never configure Edge Port on inter-switch ports — this would prevent BPDU propagation and break the STP topology.

Final verification:

display stp brief

The Protection column should display:

BPDU on end-device ports ✓
NONE on uplink ports ✓

Considerations with LACP

If you have aggregated links (LACP) between switches, good news: STP and LACP coexist perfectly. STP treats the aggregate as a single logical port. No special configuration is required—just make sure the BAGG (Bridge Aggregation Group) is properly configured in Hybrid mode with tagged VLANs, like the switch’s other trunk ports.

On HP 1910 Comware switches, the ports that are members of an aggregate must have the same port type as the aggregate itself. A mix of Hybrid and Trunk ports between the BAGG and its physical members will prevent LACP from negotiating correctly.

Final Result

display stp brief (SW-CORE)

MSTID  Port                  Role  State       Protection
  0    Bridge-Aggregation1   DESI  FORWARDING  NONE      ← uplink SW-A
  0    Bridge-Aggregation2   DESI  FORWARDING  BPDU      ← server
  0    Bridge-Aggregation3   DESI  FORWARDING  BPDU      ← server
  0    GigabitEthernet1/0/1  DESI  FORWARDING  NONE      ← uplink SW-B
  0    GigabitEthernet1/0/2  DESI  FORWARDING  NONE      ← PoE switch uplink

All switches recognize SW-CORE as the Root Bridge, the server ports are protected by BPDU Guard, and the inter-switch uplinks are left free to negotiate STP normally.

There you go!

Setting up STP/MSTP on HP 1910 switches is not complex in principle, but the hardware has its quirks:

The GUI is sometimes unreliable → use the CLI instead
The ports in an aggregate must match the BAGG type
The MSTP region must be exactly the same on all switches
Always check the BPDU mode (legacy vs. dot1s) on inter-switch ports

Once set up, you have a loop-protected network, secure server ports, and a solid foundation for adding physical redundancy if needed.