How to Detect STP/RSTP/MSTP Network Loop Issues: Monitoring and Alerting Techniques for Network Engineers



When you enable STP/RSTP/MSTP in your network infrastructure, it works silently in the background to prevent broadcast storms caused by switching loops. Unlike other network protocols that generate visible traffic, spanning tree operates through Bridge Protocol Data Units (BPDUs) exchanged between switches.

Here are several technical methods to identify when STP is actively blocking potential loops:

# Sample Python script to check STP status via SNMP
from pysnmp.hlapi import *

def check_stp_blocked_ports(ip, community):
    # dot1dStpPortState is a table column (one row per bridge port), so walk
    # it with GETNEXT instead of issuing a single GET on the bare column OID.
    for errorIndication, errorStatus, errorIndex, varBinds in nextCmd(
            SnmpEngine(),
            CommunityData(community),
            UdpTransportTarget((ip, 161)),
            ContextData(),
            ObjectType(ObjectIdentity('BRIDGE-MIB', 'dot1dStpPortState')),
            lexicographicMode=False):  # stop at the end of the column
        if errorIndication:
            print(errorIndication)
            break
        elif errorStatus:
            print('%s at %s' % (errorStatus.prettyPrint(),
                                errorIndex and varBinds[int(errorIndex)-1][0] or '?'))
            break
        else:
            for varBind in varBinds:
                print(' = '.join([x.prettyPrint() for x in varBind]))
                # 'blocking' when the MIB is resolved, '2' when only the raw integer is returned
                if varBind[1].prettyPrint() in ('blocking', '2'):
                    print(f"ALERT: Blocked port detected on {ip}")

Effective STP monitoring requires multiple techniques:

  • SNMP Traps: Configure switches to send SNMP traps when topology changes occur
  • Syslog Monitoring: Parse logs for STP state change messages
  • Network Management Systems: Solutions like SolarWinds or PRTG can visualize STP topology
  • Custom Scripts: Regularly poll switch MIBs for STP-related counters

For Linux-based networks, you can create a simple monitoring script:

#!/bin/bash
# STP Monitoring Script

SWITCHES="192.168.1.1 192.168.1.2"
COMMUNITY="public"  # read-only community; SNMPv2c sends it in cleartext

for switch in $SWITCHES; do
    # Count the ports that report the blocking state
    blocked=$(snmpwalk -v2c -c "$COMMUNITY" "$switch" BRIDGE-MIB::dot1dStpPortState | grep -c blocking)
    if [ "$blocked" -gt 0 ]; then
        echo "STP Alert: $blocked blocked ports on $switch" | mail -s "STP Alert" admin@example.com
        # Alternatively trigger webhook
        curl -X POST -H "Content-Type: application/json" \
             -d "{\"switch\":\"$switch\",\"blocked_ports\":$blocked}" \
             https://alert.example.com/api/stp
    fi
done

For more sophisticated environments:

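// JavaScript example using Node.js and net-snmp
const snmp = require('net-snmp');

const session = snmp.createSession("10.0.0.1", "public", {
    timeout: 5000, // milliseconds per attempt
    retries: 2
});

const oids = [
    "1.3.6.1.2.1.17.2.15.1.3", // dot1dStpPortState
    "1.3.6.1.2.1.17.2.15.1.4"  // dot1dStpPortEnable
];

// Both OIDs are table columns, so walk each one; a plain get() on a column
// OID without a port index returns no instance.
let pending = oids.length;
oids.forEach((oid) => {
    session.subtree(oid, 20, (varbinds) => {
        varbinds.forEach((vb) => {
            if (snmp.isVarbindError(vb)) {
                console.error(snmp.varbindError(vb));
            } else if (vb.oid.includes('1.3.6.1.2.1.17.2.15.1.3')) {
                if (vb.value === 2) { // 2 = blocking state (3 is listening)
                    triggerAlert();
                }
            }
        });
    }, (error) => {
        if (error) {
            console.error(error);
        }
        // Close the session once every walk has finished
        if (--pending === 0) {
            session.close();
        }
    });
});

function triggerAlert() {
    // Implementation for your alerting system
    console.log("STP blocking state detected");
}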

When Spanning Tree Protocol (STP, RSTP, or MSTP) is enabled on your network, it actively prevents loops by blocking redundant paths. However, you still need mechanisms to detect when a loop condition occurs, even if the protocol successfully blocks it. Here are key indicators:

  • STP topology change notifications (TCNs) in logs
  • Port state fluctuations (frequent blocking/forwarding transitions)
  • Unexpected root bridge changes
  • Increased CPU utilization on switches
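
An added example (not from the original article) for the second indicator, port state fluctuations: it counts state transitions per port inside a sliding window over polled dot1dStpPortState values, so a port that sits steadily in blocking is not flagged. The sample polls, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# dot1dStpPortState values as defined in BRIDGE-MIB
STATES = {1: "disabled", 2: "blocking", 3: "listening",
          4: "learning", 5: "forwarding", 6: "broken"}

def find_flapping_ports(samples, window_s=300, max_transitions=3):
    """samples: iterable of (unix_time, port, state_int) in time order.

    Returns {port: [(time, old_state, new_state), ...]} for every port that
    made more than max_transitions state changes within window_s seconds.
    """
    last_state = {}
    recent = defaultdict(deque)  # port -> transitions still inside the window
    flapping = {}
    for ts, port, state in samples:
        prev = last_state.get(port)
        last_state[port] = state
        if prev is None or prev == state:
            continue  # first sighting or steady state: not a transition
        window = recent[port]
        window.append((ts, STATES.get(prev, prev), STATES.get(state, state)))
        # Drop transitions that have aged out of the window
        while window and ts - window[0][0] > window_s:
            window.popleft()
        if len(window) > max_transitions:
            flapping[port] = list(window)
    return flapping

# Constructed poll results, one poll every 60 seconds:
# port 1 stays forwarding, port 2 alternates, port 3 stays blocking.
SAMPLES = [
    (0, 1, 5), (0, 2, 2), (0, 3, 2),
    (60, 1, 5), (60, 2, 5), (60, 3, 2),
    (120, 1, 5), (120, 2, 2), (120, 3, 2),
    (180, 1, 5), (180, 2, 5), (180, 3, 2),
    (240, 1, 5), (240, 2, 2), (240, 3, 2),
]

if __name__ == "__main__":
    for port, events in find_flapping_ports(SAMPLES).items():
        print(f"port {port} flapping: {events}")
```
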

For Cisco devices, you can check STP events with:

show spanning-tree detail
show spanning-tree inconsistentports
show logging | include STP

For Linux bridges:

brctl showstp [bridge-name]
cat /sys/class/net/[interface]/brport/state

Configure SNMP traps for critical STP events. Example OIDs to monitor:

1.3.6.1.2.1.17.0.1 (Bridge MIB)
1.3.6.1.2.1.17.2.0.1 (STP topology change)

Sample Python script to check STP status:

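import pysnmp.hlapi as snmp

def check_stp_status(ip, community):
    # Walk the dot1dStpPortState column (one row per bridge port); a single
    # GET on the bare column OID would not return any instance.
    iterator = snmp.nextCmd(
        snmp.SnmpEngine(),
        snmp.CommunityData(community),
        snmp.UdpTransportTarget((ip, 161)),
        snmp.ContextData(),
        snmp.ObjectType(snmp.ObjectIdentity('1.3.6.1.2.1.17.2.15.1.3')),
        lexicographicMode=False  # stop at the end of the column
    )

    for errorIndication, errorStatus, errorIndex, varBinds in iterator:
        if errorIndication:
            print(f"Error: {errorIndication}")
            break
        elif errorStatus:
            print(f"Error: {errorStatus.prettyPrint()}")
            break
        else:
            for varBind in varBinds:
                # Value is the port state:
                # 1=disabled, 2=blocking, 3=listening, 4=learning, 5=forwarding, 6=broken
                print(f"STP port state {varBind[0].prettyPrint()}: {varBind[1].prettyPrint()}")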

Key log entries to watch for:

  • "STP: VLANxxxx heard root ..." (potential duplicate root)
  • "%SPANTREE-2-ROOTGUARD_BLOCK..." (root guard activation)
  • "%SPANTREE-2-BLOCK_PVID_INCONSIST..." (port VLAN mismatch)
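
An added example (not from the original article) of the syslog monitoring described above: it matches only the message prefixes quoted in this list and groups hits per switch and category, so repeated messages become one alert with a count and the affected VLANs. The line layout, host names and message bodies in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Prefixes copied from the log entries listed above; message bodies vary by
# platform, so only the part the article quotes is matched.
RULES = [
    ("duplicate_root", re.compile(r"STP: VLAN\d+ heard root")),
    ("root_guard_block", re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK")),
    ("pvid_inconsistent", re.compile(r"%SPANTREE-2-BLOCK_PVID_INCONSIST")),
]
# Assumed line layout: "<Mon dd hh:mm:ss> <host> <message>"
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")

def summarize_stp_events(lines):
    """Group matching lines by (host, category); most frequent group first."""
    groups = defaultdict(lambda: {"count": 0, "vlans": set(), "first": None})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the assumed layout
        stamp, host, msg = m.groups()
        for category, rx in RULES:
            if rx.search(msg):
                g = groups[(host, category)]
                g["count"] += 1
                g["first"] = g["first"] or stamp
                g["vlans"].update(re.findall(r"VLAN0*(\d+)", msg))
                break
    return sorted(
        ({"host": h, "category": c, "count": g["count"],
          "vlans": sorted(g["vlans"], key=int), "first_seen": g["first"]}
         for (h, c), g in groups.items()),
        key=lambda a: (-a["count"], a["host"], a["category"]))

# Constructed sample lines (hosts, ports and message bodies are made up)
SAMPLE = """\
Mar  3 10:15:01 sw-access-1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/12 on VLAN0010.
Mar  3 10:15:02 sw-access-1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/12 on VLAN0020.
Mar  3 10:15:09 sw-dist-1 STP: VLAN0010 heard root 4096-0011.2233.4455 on Gi1/0/1
Mar  3 10:16:00 sw-access-1 %LINK-3-UPDOWN: Interface Gi0/3, changed state to up
""".splitlines()

if __name__ == "__main__":
    for alert in summarize_stp_events(SAMPLE):
        print(alert)
```
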

Consider using network monitoring tools that can map STP topology:

  • SolarWinds Network Topology Mapper
  • PRTG Network Monitor with STP sensors
  • LibreNMS with STP support