Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term STP TCN

Training Camp • Cybersecurity Glossary

What is STP TCN?

A Spanning Tree Protocol message a switch sends to signal a topology change, forcing fast MAC table aging so traffic re-paths around failures.

Glossary > Network Security > STP TCN

Understanding STP TCN

STP TCN (Spanning Tree Protocol Topology Change Notification) is a small BPDU a switch generates when it detects a topology change, such as a port moving to or from the forwarding state. It is flooded toward the root bridge so switches can age out stale MAC address entries quickly and re-learn forwarding paths, preventing black-holed traffic and loops.

When a port transitions, the switch sends a TCN BPDU out its root port every hello interval until an upstream switch acknowledges it by setting the Topology Change Acknowledgment (TCA) flag in its configuration BPDU. The root bridge then sets the Topology Change (TC) flag in BPDUs for a defined period (max age plus forward delay, roughly 35 seconds in classic 802.1D). During this window, every switch shortens its MAC table aging timer from the default 300 seconds to the forward-delay value (15 seconds), flushing entries that may now point to wrong ports. Rapid STP (802.1w) replaces this slow flood with an explicit TC mechanism that flushes tables immediately and converges in milliseconds.

For security and availability, TCN behavior matters because excessive topology changes are both a stability problem and an attack indicator. A flapping link, a misconfigured edge port, or an attacker injecting BPDUs can trigger constant TCNs, causing repeated MAC table flushing, unicast flooding, and degraded performance that aids sniffing. This is why BPDU Guard, PortFast, and Root Guard are deployed on access ports: they suppress unnecessary TCNs and block rogue switches from manipulating the spanning tree.

For example, an analyst troubleshooting intermittent slowness on a campus LAN runs "show spanning-tree detail" and sees a high "number of topology changes" counter incrementing on a specific port. Tracing it reveals a user's unmanaged desk switch flapping as a workstation powers on and off. Enabling PortFast and BPDU Guard on that access port stops the TCN storm, restores stable MAC learning, and removes both the performance hit and the opening an attacker could have used to force traffic flooding.

Learn More About STP TCN:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →