
STP Root Bridge Questions Explained

Root bridge election, port roles, and which port gets blocked — these STP scenarios follow a predictable pattern. Here is how to read them quickly.


Spanning Tree Protocol questions appear consistently on the CCNA exam and follow a recognisable pattern once you understand what STP is actually deciding. The key insight is that STP makes a series of sequential elections, and the exam tests whether you can follow that logic correctly.

How the Root Bridge Is Elected

Every switch starts by assuming it is the root bridge and sends Bridge Protocol Data Units (BPDUs) out all ports. BPDUs contain the bridge ID — an 8-byte value made up of:

  • 2 bytes: priority (default 32768, in multiples of 4096)
  • 6 bytes: MAC address

The switch with the lowest bridge ID wins. Priority is compared first. If priorities are equal, the lower MAC address wins.

Exam trap: SW1 has priority 32768, MAC 0000.0000.AAAA. SW2 has priority 32768, MAC 0000.0000.BBBB. Which becomes root bridge?

SW1 wins because AAAA < BBBB in hexadecimal. Many candidates pick the switch with the "higher" MAC, assuming higher means better. In STP, lowest always wins.

How to Make a Specific Switch the Root Bridge

Reduce the priority below the current root bridge:

```
SW1(config)# spanning-tree vlan 1 priority 4096
```

Or use the macro that sets priority automatically:

```
SW1(config)# spanning-tree vlan 1 root primary
```

This sets priority to 24576 (or lower if needed). The secondary macro sets priority to 28672.

Port Roles After Root Bridge Election

Once the root bridge is elected, STP assigns roles to every port:

Root Port — On every non-root switch, the port with the best (lowest cost) path to the root bridge. One per switch.

Designated Port — One per segment. The port on the segment that is closest to the root bridge. The root bridge has all designated ports.

Non-designated Port (Blocked) — Ports that are neither the root port nor a designated port. These enter blocking state to prevent loops.

How to Find Which Port Gets Blocked

This is the most common exam question type. Given a triangle topology with SW1 (root), SW2, and SW3:

  1. Identify the root bridge (lowest bridge ID)
  2. On each non-root switch, find the root port (lowest cost path to root)
  3. For the segment between the two non-root switches, compare their path costs to root — the switch with the lower cost has the designated port; the other blocks its port

Example: SW2 and SW3 both connect to SW1 via Gigabit (cost 4). SW2 has a lower bridge ID than SW3.

  • SW2 root port: toward SW1
  • SW3 root port: toward SW1
  • Segment SW2↔SW3: both have equal path cost (4). Tiebreaker = lower bridge ID. SW2 wins → SW2's port toward SW3 is designated. SW3's port toward SW2 is blocked.

STP Port States

| State | Learns MACs | Forwards Frames |
|---|---|---|
| Blocking | No | No |
| Listening | No | No |
| Learning | Yes | No |
| Forwarding | Yes | Yes |
| Disabled | No | No |

Blocking and Forwarding are the steady states. Listening and Learning are transitional (15 seconds each by default). Total time from blocking to forwarding is 30 seconds.

Exam trap: candidates confuse Learning (learns MACs, does not forward) with Forwarding (forwards frames). A port in Learning state will not forward user traffic even though it is actively building its MAC table.

PortFast and BPDU Guard

PortFast skips Listening and Learning and moves a port directly to Forwarding. It is intended for access ports connected to end devices only — never on inter-switch links.

BPDU Guard protects PortFast ports. If a BPDU is received on a PortFast port, BPDU Guard shuts the port down (err-disabled state). This prevents a rogue switch from disrupting STP.

The CCNA exam regularly asks which feature reduces convergence time for access layer ports — the answer is PortFast. And which feature protects against rogue switches on those ports — the answer is BPDU Guard.

Practice CCNA STP and switching questions with topology diagrams to build the habit of working through the election steps in order.

Full Worked STP Topology — 4-Switch Ring

Let's take a topology with four switches: SW1, SW2, SW3, and SW4. They are connected in a ring: SW1—SW2, SW2—SW3, SW3—SW4, SW4—SW1, and SW1—SW3. Five links total. Every link is Gigabit Ethernet (cost 4).

Bridge IDs:

  • SW1: priority 32768, MAC 0000.0000.1111 → Bridge ID: 32768.1111
  • SW2: priority 32768, MAC 0000.0000.2222 → Bridge ID: 32768.2222
  • SW3: priority 32768, MAC 0000.0000.3333 → Bridge ID: 32768.3333
  • SW4: priority 32768, MAC 0000.0000.4444 → Bridge ID: 32768.4444

Step 1: Elect the root bridge. All priorities are equal, so the lowest MAC wins. SW1 (0000.0000.1111) has the lowest MAC address. SW1 is the root bridge.

Step 2: All root bridge ports are Designated Ports. SW1's three ports (toward SW2, toward SW4, and toward SW3) are all designated. They are the best connection to the root on each of those segments.

Step 3: Find the root port on each non-root switch. Each non-root switch picks its single best path to the root.

  • SW2: Two paths to SW1. Direct link to SW1 costs 4. Path via SW3 then SW1 costs 4+4=8, or via SW4 then SW1 costs 4+4=8. Direct is best. SW2 root port: the port facing SW1.

  • SW3: Two direct paths to SW1 and indirect paths. Direct link to SW1 costs 4. Path via SW2 then SW1 costs 4+4=8. Path via SW4 then SW1 costs 4+4=8. Direct wins. SW3 root port: the port facing SW1.

  • SW4: Direct link to SW1 costs 4. Path via SW3 then SW1 costs 4+4=8. Path via SW2 then SW1 costs 4+4=8. Direct wins. SW4 root port: the port facing SW1.

Step 4: Find designated ports on each segment. On each link not involving SW1's ports, the switch with the lower path cost to the root gets the designated port. The other gets a non-designated (blocked) port.

  • Segment SW2—SW3: SW2 path cost to root = 4 (direct). SW3 path cost to root = 4 (direct). Equal cost. Tiebreaker is lower bridge ID. SW2 (0000.0000.2222) < SW3 (0000.0000.3333). SW2's port toward SW3 is designated. SW3's port toward SW2 is non-designated (blocked).

  • Segment SW3—SW4: SW3 path cost = 4, SW4 path cost = 4. Equal. SW3 (3333) < SW4 (4444). SW3's port toward SW4 is designated. SW4's port toward SW3 is non-designated (blocked).

  • Segment SW2—SW4: SW2 path cost = 4, SW4 path cost = 4. Equal. SW2 (2222) < SW4 (4444). SW2's port toward SW4 is designated. SW4's port toward SW2 is non-designated (blocked).

Result summary:

  • SW4's root port is toward SW1. SW4's other two ports, toward SW2 and toward SW3, are both non-designated (blocked). SW4 only forwards through its root port.
  • The ring is broken in three places (SW3's port toward SW2, and SW4's ports toward SW2 and SW3), eliminating all redundant loops while maintaining one path to every switch.

This step-by-step approach is exactly what the exam expects. Work from root bridge election → root ports → designated ports → everything else is blocked.
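The four steps above as an added Python example (not part of the original guide): it elects the root, computes root path costs, and assigns root, designated and blocked roles per segment. It assumes the topology contains the SW2-SW4 link that Step 4 analyses in addition to the five listed links, and one link per switch pair.

```python
import heapq

# Constructed input: the four switches from the walkthrough as (priority, MAC).
BRIDGES = {"SW1": (32768, "0000.0000.1111"), "SW2": (32768, "0000.0000.2222"),
           "SW3": (32768, "0000.0000.3333"), "SW4": (32768, "0000.0000.4444")}
# Assumption: the five listed links plus the SW2-SW4 segment analysed in Step 4.
LINKS = [("SW1", "SW2", 4), ("SW2", "SW3", 4), ("SW3", "SW4", 4),
         ("SW4", "SW1", 4), ("SW1", "SW3", 4), ("SW2", "SW4", 4)]

def bridge_id(name, bridges):
    """Bridge ID as a comparable tuple: priority first, then MAC as an integer."""
    priority, mac = bridges[name]
    return (priority, int(mac.replace(".", ""), 16))

def compute_stp(bridges, links):
    """Return (root, root path costs, port roles keyed by (switch, neighbour)).
    Simplification: one link per switch pair, so port-ID tiebreakers never apply."""
    root = min(bridges, key=lambda n: bridge_id(n, bridges))
    adj = {n: [] for n in bridges}
    for a, b, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost, heap = {root: 0}, [(0, root)]
    while heap:  # Dijkstra: lowest cumulative cost from each switch to the root
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for m, c in adj[n]:
            if d + c < cost.get(m, float("inf")):
                cost[m] = d + c
                heapq.heappush(heap, (cost[m], m))
    roles = {}
    for n in bridges:  # root port: cheapest path, ties broken by upstream bridge ID
        if n != root:
            up, _ = min(adj[n], key=lambda e: (cost[e[0]] + e[1], bridge_id(e[0], bridges)))
            roles[(n, up)] = "root"
    for a, b, _ in links:  # per segment: lower (cost to root, bridge ID) is designated
        des, other = sorted((a, b), key=lambda n: (cost[n], bridge_id(n, bridges)))
        roles[(des, other)] = "designated"
        roles.setdefault((other, des), "blocked")
    return root, cost, roles

if __name__ == "__main__":
    root, cost, roles = compute_stp(BRIDGES, LINKS)
    print("root:", root)
    for (sw, nbr), role in sorted(roles.items()):
        print(f"{sw} port toward {nbr}: {role}")
```

Adding a switch with a lower priority to `BRIDGES` changes the elected root, which is the situation BPDU Guard and Root Guard exist to prevent on ports where no root candidate should appear.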

show spanning-tree Output — Reading It Under Pressure

```
SW2# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0000.0000.1111
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0000.2222
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p
```

What each section tells you:

Root ID section: address 0000.0000.1111 is not SW2's address — that is the root bridge's MAC. The "Cost 4" and "Port Gi0/1" tell you SW2 reaches the root via Gi0/1 at cost 4. This is SW2's root port.

Bridge ID section: address 0000.0000.2222 is SW2's own MAC. Priority 32769 looks odd — that is 32768 plus the VLAN number (1). Cisco adds the VLAN ID to the base priority. This is called extended system ID.

Interface table: the Role column is the key. Root = root port, Desg = designated (forwarding toward non-root), Altn = alternate (blocking in RSTP). In the Sts column, BLK = blocked.

The question everyone gets wrong: "What does the priority 32769 mean?" It is not a special priority — it is the base 32768 plus VLAN 1. If the VLAN were VLAN 10, you'd see 32778. This catches candidates who memorise "default priority is 32768" and then see 32769 and think something changed.

Rapid STP (RSTP) vs Classic STP

Classic 802.1D STP can take 30–50 seconds to converge after a topology change. RSTP (802.1w) typically converges in under 1 second. The mechanism is different.

Classic STP has three transitional states (Listening, Learning, Forwarding) and uses timers. Every state change waits for the timer to expire. RSTP eliminates the timers for most links and uses a negotiation process (the sync mechanism) instead.

RSTP introduces two new port roles that classic STP does not have:

Alternate Port — A port that has an alternative path to the root bridge but is not the root port. It is in discarding state (equivalent to blocking in STP). If the root port fails, the alternate port immediately takes over as the root port without waiting for timers. This is why RSTP converges so fast.

Backup Port — A port that provides a redundant path to the same segment that the designated port already covers. This only occurs when a switch has two ports connected to the same shared segment (uncommon in modern networks).

The exam comparison question: "Which port role is unique to RSTP and provides faster convergence than STP?" The answer is Alternate Port. Backup Port also exists only in RSTP but is less commonly tested.

RSTP also changes how edge ports work. Ports connected to end devices can be configured as edge ports (equivalent to PortFast) and move immediately to forwarding. If a BPDU arrives on an edge port, it loses its edge port status immediately and goes through normal RSTP negotiation — this prevents a rogue switch from causing issues while still getting the fast convergence for legitimate access ports.

The port states also consolidate in RSTP:

| Classic STP | RSTP Equivalent |
|---|---|
| Disabled | Discarding |
| Blocking | Discarding |
| Listening | Discarding |
| Learning | Learning |
| Forwarding | Forwarding |

Classic STP has five states, RSTP has three. The exam tests this directly: "How many port states does RSTP define?" The answer is three (discarding, learning, forwarding), not five.

The Loop Guard and Root Guard Trap

Two STP protection features the exam tests together because candidates confuse which one does what.

Root Guard — Prevents a port from becoming a root port. If a switch receives a superior BPDU on a Root Guard-enabled port (meaning something is trying to claim it should be the root bridge), the port is put into root-inconsistent state (blocking). This protects the intended root bridge position.

Apply Root Guard on ports facing switches that should never become root bridges — typically ports facing the distribution or access layer when the root is in the core.

```
SW1(config-if)# spanning-tree guard root
```

Loop Guard — Protects against unidirectional link failures. On a unidirectional link, BPDUs flow one way but not the other. A port that stops receiving BPDUs would normally transition to designated (forwarding) state and create a loop. Loop Guard prevents this by moving a port that stops receiving BPDUs to loop-inconsistent (blocking) state instead of forwarding.

```
SW1(config-if)# spanning-tree guard loop
```

The exam trap is asking which feature prevents a rogue switch from taking over as root bridge. The answer is Root Guard, not Loop Guard. Loop Guard is for unidirectional failures, not unauthorised root bridge elections.

You cannot enable both Root Guard and Loop Guard on the same port simultaneously — they are mutually exclusive. If you try, the switch generates an error.
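An added example, not from the original guide: a Python audit of an intended interface configuration for the rules covered in the PortFast/BPDU Guard and Root Guard/Loop Guard sections. The sample config is constructed, and treating `switchport mode trunk` as the marker for an inter-switch link is an assumption of this sketch.

```python
# Constructed sample of an intended IOS-style interface config (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree guard root
 spanning-tree guard loop
!
"""

def parse_interfaces(config):
    """Map each interface name to the set of its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = set()
        elif line.startswith(" ") and current is not None:
            ifaces[current].add(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return ifaces

def audit_stp(config):
    """Return sorted (interface, finding) pairs for the STP protections above."""
    global_guard = any(l.strip() == "spanning-tree portfast bpduguard default"
                       for l in config.splitlines() if not l.startswith(" "))
    findings = []
    for name, cmds in parse_interfaces(config).items():
        portfast = bool(cmds & {"spanning-tree portfast", "spanning-tree portfast trunk"})
        if portfast and not (global_guard or "spanning-tree bpduguard enable" in cmds):
            findings.append((name, "PortFast without BPDU Guard"))
        if portfast and "switchport mode trunk" in cmds:  # heuristic: trunk = inter-switch
            findings.append((name, "PortFast on a trunk link"))
        if {"spanning-tree guard root", "spanning-tree guard loop"} <= cmds:
            findings.append((name, "Root Guard and Loop Guard on the same port"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{i}: {f}" for i, f in audit_stp(SAMPLE_CONFIG)))
```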
