Skip to content
MikroTik RouterOS Docs

Spanning Tree Protocol

Spanning Tree Protocol

Section titled “Spanning Tree Protocol”

Summary

Section titled “Summary”

Spanning Tree Protocol (STP) is a network protocol that prevents loops in bridged networks by dynamically blocking redundant paths. RouterOS bridge interfaces support STP, RSTP, and MSTP to ensure a loop-free and redundant topology.

For small networks with just 2 bridges, STP does not bring many benefits. However, for larger networks, properly configured STP is crucial. To achieve a proper loop-free and redundant topology, you must properly set bridge priorities, port path costs, and port priorities.

RSTP (Rapid Spanning Tree Protocol) is enabled by default on new bridges in RouterOS v7. RSTP converges faster than classic STP and is recommended for most deployments.

STP and RSTP

Section titled “STP and RSTP”

Enabling STP/RSTP

Section titled “Enabling STP/RSTP”

To enable STP or RSTP on a bridge, set the protocol-mode parameter:

/interface bridge
add name=bridge1 protocol-mode=rstp

Available protocol modes:

  • none - STP disabled (default for legacy configurations)
  • stp - Classic Spanning Tree Protocol (slow convergence)
  • rstp - Rapid Spanning Tree Protocol (fast convergence, recommended)
  • mstp - Multiple Spanning Tree Protocol (VLAN-aware)

Default Values

Section titled “Default Values”

RouterOS uses the following default values for STP:

ParameterDefault Value
Bridge Priority32768 (0x8000)
Port Path CostAuto (depends on port speed)
Port Priority128
Forward Delay15 seconds
Max Age20 seconds
Hello Time2 seconds

The default bridge priority of 32768 means bridges with lower priority values will become root bridges.

Port Path Cost Defaults

Section titled “Port Path Cost Defaults”
Interface SpeedSTP CostRSTP Cost
10 Mbps1002,000,000
100 Mbps19200,000
1 Gbps420,000
10 Gbps22,000
20 Gbps11,000

Election Process

Section titled “Election Process”

When STP is enabled, bridges exchange BPDU (Bridge Protocol Data Unit) frames to elect:

  1. Root Bridge - The bridge with the lowest bridge ID (priority + MAC address)
  2. Root Ports - The port on each non-root bridge with the lowest path cost to the root
  3. Designated Ports - Ports on each segment that forward traffic toward the root
  4. Blocked Ports - Redundant ports that are blocked to prevent loops

Bridge ID Calculation

Section titled “Bridge ID Calculation”

The Bridge ID is composed of:

  • Priority: Configurable (default 32768), must be divisible by 4096
  • MAC Address: The bridge’s internal MAC

Lower priority values win the root bridge election. If priorities are equal, the lowest MAC address wins.

# Set bridge priority to make it the root bridge
/interface bridge
set [find name=bridge1] priority=4096

Path Cost Calculation

Section titled “Path Cost Calculation”

The root path cost is the sum of port path costs from a given port to the root bridge. Lower path costs are preferred.

# Set custom port path cost
/interface bridge port
set [find interface=ether1] path-cost=10

Configuration Examples

Section titled “Configuration Examples”

Basic RSTP Configuration

Section titled “Basic RSTP Configuration”

This example shows a simple RSTP setup with two MikroTik routers:

Router A (Root Bridge):

/interface bridge
add name=bridge1 protocol-mode=rstp priority=4096


/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

Router B (Secondary):

/interface bridge
add name=bridge1 protocol-mode=rstp


/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

Root Path Cost Example

Section titled “Root Path Cost Example”

In this topology, Router A is the root bridge. Router B has two paths to reach Router A:

  • Path 1: ether1 (1 Gbps) - cost 20,000
  • Path 2: ether2 (100 Mbps) - cost 200,000

RSTP automatically selects the lower-cost path (ether1) as the root port and blocks ether2.

[Router A - Root Bridge]
        |
   +----+----+
   |         |
 ether1   ether2
   |         |
   |    100Mbps
   |         |
[Router B]
Section titled “Loop Prevention with Redundant Links”

This configuration prevents loops in a network with redundant connections:

# On Router A
/interface bridge
add name=bridge1 protocol-mode=rstp priority=4096


/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3


# On Router B
/interface bridge
add name=bridge1 protocol-mode=rstp


/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

Per-Port STP

Section titled “Per-Port STP”

RouterOS supports per-port STP settings for advanced control.

Edge Ports

Section titled “Edge Ports”

Edge ports are ports that connect to end devices (computers, printers, etc.) and should never receive BPDUs. They transition to forwarding state immediately.

# Configure edge port
/interface bridge port
set [find interface=ether1] edge=yes

When edge is set to auto (default), the port becomes an edge port if it doesn’t receive BPDUs within 3 seconds of becoming active.

Drop Received BPDUs

Section titled “Drop Received BPDUs”

To prevent a port from receiving BPDUs (effectively making it a leaf node):

/interface bridge port
set [find interface=ether1] bpdu-guard=no drop-on-no-entry=no
set [find interface=ether1] receive-bpdu=no

BPDU Guard

Section titled “BPDU Guard”

BPDU Guard shuts down a port if it receives a BPDU, preventing unauthorized switches from affecting the STP topology:

# Enable BPDU Guard on a port
/interface bridge port
set [find interface=ether1] bpdu-guard=yes

When a port with BPDU Guard receives a BPDU, it enters the disabled state and must be manually re-enabled or use the port-bpdu-guard recovery timer:

/interface bridge
set [find name=bridge1] bpdu-guard-timeout=1m

Root Guard

Section titled “Root Guard”

Root Guard prevents a port from becoming the root port, protecting the current root bridge position:

# Enable Root Guard on a port
/interface bridge port
set [find interface=ether1] root-guard=yes

Root Guard should only be enabled on designated ports. Enabling it on a root port can cause the port to enter a disabled state if a better path to the root bridge is detected.

Multiple Spanning Tree Protocol (MSTP)

Section titled “Multiple Spanning Tree Protocol (MSTP)”

MSTP allows mapping multiple VLANs into different spanning tree instances, providing better utilization of redundant links.

MSTP Regions

Section titled “MSTP Regions”

All switches in an MSTP region must share the same:

  • Region Name
  • Revision Level
  • VLAN-to-Instance Mapping
# Enable MSTP
/interface bridge
add name=bridge1 protocol-mode=mstp


# Configure MSTP region
/interface bridge mst
add bridge=bridge1 region-name=CORP-REGION revision=1

MST Instance

Section titled “MST Instance”

Create MST instances and map VLANs to them:

# Create MST instance and map VLANs
/interface bridge mst
add bridge=bridge1 instance-id=1 vlan-mapping=10,20,30
add bridge=bridge1 instance-id=2 vlan-mapping=40,50

MST Override

Section titled “MST Override”

Use MST override to modify the bridge priority for specific instances:

# Set priority for MST instance
/interface bridge mst
add bridge=bridge1 instance-id=1 priority=4096

Monitoring

Section titled “Monitoring”

View STP Status

Section titled “View STP Status”

Check the current STP status on a bridge:

/interface bridge monitor [find]

Output example:

                name: bridge1
            bridge-id: 32768:AA:BB:CC:DD:EE:FF
        designated-root: 4096:AA:BB:CC:DD:EE:FF
           root-cost: 0
        root-port: none
       port-role: designated
        port-state: forwarding
    top-change-ack: False
   topology-change: False

View Port Status

Section titled “View Port Status”

Check STP state on individual ports:

/interface bridge port monitor [find]

Output example:

               interface: ether1
            port-number: 1
               role: designated
             state: forwarding
              edge-port: yes
    edge-port-discovery: yes
        bpdu-guard: no
         bpdu-guard-status: disabled
          root-guard: no
        root-guard-status: disabled
       auto-calc-cost: yes
            active: yes
         path-cost: 20000
         designated-bridge: 32768:AA:BB:CC:DD:EE:FF
     designated-cost: 0
    designated-port: 1

View MSTP Instances

Section titled “View MSTP Instances”
/interface bridge mst print detail

Troubleshooting

Section titled “Troubleshooting”

Port Stuck in Blocking State

Section titled “Port Stuck in Blocking State”

If a port is stuck in blocking state:

  1. Check for physical loop conditions
  2. Verify all bridges have STP enabled
  3. Check port path costs - lower costs should become root ports
  4. Ensure BPDUs are not being filtered by firewall

STP Not Preventing Loops

Section titled “STP Not Preventing Loops”

If STP is not preventing loops:

  1. Verify protocol-mode is set to rstp or mstp on all bridges
  2. Check that all switches in the network support RSTP/MSTP
  3. Verify no unmanaged switches are creating invisible loops
  4. Check for hardware offloading issues with STP

Common Issue: Cisco Interoperability

Section titled “Common Issue: Cisco Interoperability”

When connecting MikroTik routers to Cisco switches:

  • Both devices must use the same STP version
  • Cisco uses PVST (Per-VLAN STP) by default - configure MSTP for compatibility
  • Verify BPDU guard settings match on both sides
# Cisco config for MSTP compatibility
spanning-tree mode mstp

See Also

Section titled “See Also”