Spanning Tree Protocol (STP) is one of the most misunderstood topics on the CCNA 200-301 exam. Candidates often confuse port states, timers, and the election process, leading to wrong answers on scenario questions. In real networks, a single STP misconfiguration can cause broadcast storms that bring down an entire campus. This chapter covers the most common STP traps, clarifying exactly how STP works and what the exam expects. This chapter aligns with Exam Objective 2.5: Spanning Tree Protocol.
Imagine a large office building with multiple wings connected by corridors. During an emergency drill, the fire marshal needs to ensure that everyone can exit without creating gridlock. The marshal designates one corridor as the primary exit (Root Bridge). For each wing, the marshal selects the best door to reach that primary exit (Root Port). In every intersection, the marshal picks one corridor that stays open (Designated Port) and blocks all others (Alternate/Blocking Ports) to prevent people from running in circles. This is exactly how STP works: it elects a single Root Bridge, then every non-root switch selects one Root Port (best path to root), each collision domain gets one Designated Port, and all other ports are blocked to eliminate loops. The marshal sends periodic announcements (BPDUs) to confirm the plan is still valid. If a corridor collapses (link failure), the marshal recalculates and unblocks a previously blocked corridor, but only after a delay (50 seconds with default timers) to ensure no temporary loops occur. The drill ensures that at any moment, there is exactly one active path between any two points, just as STP guarantees a loop-free topology.
What STP Is and Why It Exists
STP (802.1D) is a Layer 2 protocol that prevents loops in redundant Ethernet networks. Without STP, broadcast frames would circulate forever, consuming bandwidth and CPU, ultimately causing a broadcast storm that brings down the network. STP creates a loop-free logical topology by placing some ports in a blocking state while keeping others forwarding. The protocol is defined in IEEE 802.1D and runs on bridges and switches.
How STP Works Step by Step
STP uses Bridge Protocol Data Units (BPDUs) exchanged every 2 seconds (Hello Time). The process follows three steps:
Root Bridge Election: Every switch starts by claiming to be the root. Switches compare Bridge IDs (8 bytes: 2-byte priority + 6-byte MAC address). The switch with the lowest Bridge ID wins. By default, all switches have priority 32768, so the lowest MAC address becomes root.
Root Port Selection: Every non-root switch selects one port with the lowest Root Path Cost to reach the root. Cost is based on link speed: 10 Mbps = 100, 100 Mbps = 19, 1 Gbps = 4, 10 Gbps = 2. If costs are equal, the lowest neighbor Bridge ID breaks the tie, then lowest neighbor Port ID.
Designated Port Selection: On each segment (collision domain), the switch with the lowest Root Path Cost becomes the Designated Port for that segment. The root bridge has all ports as Designated Ports. Ports that are neither Root nor Designated are placed in Blocking state.
Key STP States and Timers
Ports transition through states:
- Blocking: 20 seconds (Max Age timer) – listens for BPDUs, does not forward frames.
- Listening: 15 seconds (Forward Delay) – listens for BPDUs, does not forward.
- Learning: 15 seconds (Forward Delay) – learns MAC addresses, does not forward.
- Forwarding: Normal operation.
- Disabled: Administratively down.
Default timers (all in seconds):
Hello Time: 2
Forward Delay: 15
Max Age: 20
Total convergence time: 50 seconds (20 + 15 + 15).
Verification Commands
Use the following IOS commands to verify STP:
Switch# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0001.1111.1111
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0001.1111.1111
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 4         128.1    Shr
Gi0/1               Desg FWD 4         128.2    Shr
Switch# show spanning-tree detail
VLAN0001 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1, address 0001.1111.1111
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32769, address 0001.1111.1111
Root port is 0 (this bridge is root)
Topology change flag not set, detected flag not set
Number of topology changes 3 last change occurred 00:00:30 ago
from GigabitEthernet0/0
Timers: holds 2, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Interaction with Related Protocols
Rapid PVST+ (802.1w): Replaces 802.1D with faster convergence (sub-second). Uses port roles: Root, Designated, Alternate, Backup. States: Discarding, Learning, Forwarding.
MST (802.1s): Maps multiple VLANs to a single STP instance, reducing overhead.
PortFast: Bypasses Listening and Learning on access ports, immediate transition to Forwarding. Used only on ports connected to end hosts.
BPDU Guard: Shuts down a PortFast-enabled port if a BPDU is received, preventing accidental loops.
Root Guard: Prevents a port from becoming a root port, enforcing the current root bridge location.
Loop Guard: Prevents alternate/root ports from transitioning to Forwarding if BPDUs stop, avoiding loops due to unidirectional link failures.
Common Exam Traps
Root bridge election: Candidates think the switch with the lowest MAC address always wins. Actually, the lowest Bridge ID wins; priority is compared first. If priorities are equal (default 32768), then MAC breaks the tie. But if a switch has priority 4096, it will beat all default switches regardless of MAC.
Port cost: Most candidates know that higher bandwidth means lower cost, but they forget the exact values. For Gigabit Ethernet, cost is 4 (not 1). For 10 GbE, cost is 2. For Fast Ethernet, cost is 19. For Ethernet, cost is 100.
Root port vs. designated port: Root port is on the non-root switch, best path to root. Designated port is on the segment, the one that forwards BPDUs. The root bridge has all ports designated.
Convergence time: Default 50 seconds. But if a root bridge fails, the Max Age timer (20 sec) must expire before a new root is elected. Candidates often forget the Max Age timer and think convergence is 30 seconds (15+15).
BPDU types: Configuration BPDUs are sent every 2 seconds from the root. TCN (Topology Change Notification) BPDUs are sent when a topology change occurs, causing MAC address table flushing.
PVST+: Cisco's per-VLAN STP runs a separate instance for each VLAN. This is important for load balancing but uses more CPU. The exam may ask about the number of STP instances or the effect of VLANs on root bridge placement.
RSTP edge ports: Equivalent to PortFast. Candidates think RSTP has no PortFast, but it does: the standard equivalent is the edge port. RSTP also has link types (point-to-point, shared) that affect convergence.
Calculation Traps
Path cost calculation: Sum of costs along the path to root. If a switch has two paths: one with two gigabit links (cost 4+4=8) and another with one 100 Mbps link (cost 19), the 8-cost path is preferred. But candidates might add costs incorrectly or use wrong cost values.
Bridge ID priority: Must be a multiple of 4096. The priority field is 4 bits, so valid values are 0, 4096, 8192, ..., 61440. The extended system ID (VLAN ID) is added to the priority. So for VLAN 1, priority 32768 becomes 32769 (32768+1). The exam may show a priority like 32769 and ask if it's configurable; it is, but the config uses 32768 and the switch adds the VLAN ID.
Decision Rule for Scenario Questions
Identify the root bridge: lowest Bridge ID.
For each non-root switch, find the root port: lowest path cost to root, then lowest neighbor Bridge ID, then lowest neighbor port ID.
For each segment, find the designated port: lowest path cost to root on the switch; if equal, switch with lower Bridge ID wins.
All other ports block.
Trace the path step by step. Draw the topology if needed. Remember that the root bridge has all ports designated.
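To see the three steps above run end to end, here is an added Python example (not from the chapter) that elects the root, computes each switch's root path cost, and assigns Root, Designated and Alternate roles on a constructed three-switch triangle. Switch names, MAC addresses and port numbers are made up; the cost table and tie-break order are the chapter's, and the topology is built so that both the priority-beats-MAC trap and the two-1G-links-beat-one-100M-link trap show up in the result.

```python
from dataclasses import dataclass
import heapq

# 802.1D port costs from the chapter, keyed by link speed in Mbps
COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

def bridge_id(priority, vlan, mac):
    """Comparable Bridge ID: (priority + extended system ID, MAC).
    IOS only accepts priorities that are multiples of 4096 in 0..61440."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac.lower())

@dataclass(frozen=True)
class Link:
    """One point-to-point segment; ports are the numeric part of a 128.N Port ID."""
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int

def stp_roles(switches, links, vlan=1):
    """Run the chapter's three steps. switches: {name: (priority, mac)}.
    Returns (root name, root path cost per switch, {(switch, port): role})."""
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(bid, key=bid.get)  # step 1: lowest Bridge ID (priority before MAC)
    adj = {n: [] for n in switches}  # name -> [(link cost, neighbor, neighbor port, own port)]
    for l in links:
        adj[l.a].append((COST[l.mbps], l.b, l.b_port, l.a_port))
        adj[l.b].append((COST[l.mbps], l.a, l.a_port, l.b_port))
    # Root path cost = sum of link costs on the cheapest path to the root (Dijkstra)
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > rpc[n]:
            continue
        for cost, nb, _, _ in adj[n]:
            if c + cost < rpc.get(nb, float("inf")):
                rpc[nb] = c + cost
                heapq.heappush(heap, (c + cost, nb))
    roles = {}
    # Step 2: root port per non-root switch. Tie-break order from the chapter:
    # lowest cost, then neighbor Bridge ID, then neighbor Port ID (then own Port ID)
    for n in switches:
        if n != root:
            best = min((rpc[nb] + cost, bid[nb], (128, nbp), (128, own))
                       for cost, nb, nbp, own in adj[n])
            roles[(n, best[3][1])] = "Root"
    # Step 3: one designated port per segment: lowest root path cost, then Bridge ID,
    # then Port ID. The other end is the Root port or else Alternate (blocking).
    for l in links:
        ends = sorted([(rpc[l.a], bid[l.a], (128, l.a_port), l.a, l.a_port),
                       (rpc[l.b], bid[l.b], (128, l.b_port), l.b, l.b_port)])
        roles[(ends[0][3], ends[0][4])] = "Designated"
        roles.setdefault((ends[1][3], ends[1][4]), "Alternate")
    return root, rpc, roles

# Constructed topology (names, MACs, ports made up): SW3 has the lowest MAC but SW2's
# priority 4096 wins; SW3 reaches the root via two 1G links (4+4=8), not the direct 100M link (19).
SWITCHES = {"SW1": (32768, "0000.0000.1111"),
            "SW2": (4096, "0000.0000.2222"),
            "SW3": (32768, "0000.0000.0001")}
LINKS = [Link("SW1", 1, "SW2", 1, 1000),
         Link("SW2", 2, "SW3", 1, 100),
         Link("SW1", 2, "SW3", 2, 1000)]

if __name__ == "__main__":
    root, rpc, roles = stp_roles(SWITCHES, LINKS)
    print("root:", root, "root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```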
Summary of Key Values
Default priority: 32768
Cost: 10M=100, 100M=19, 1G=4, 10G=2
Timers: Hello 2, Forward Delay 15, Max Age 20
Convergence: 50 seconds (802.1D)
RSTP convergence: sub-second (typically 6-10 seconds)
PortFast bypasses Listening/Learning (immediate forwarding)
BPDU Guard err-disables port on BPDU reception
Exam Focus: Topology Change
When a topology change occurs (e.g., a link goes down), the switch detecting the change sends a TCN BPDU toward the root. The root then sets a TC flag in its configuration BPDUs for 35 seconds (Forward Delay + Max Age). All switches receiving these BPDUs flush their MAC address tables except for the port that received the TC. This prevents stale MAC entries from causing loops. Candidates often forget that the TC bit is set for 35 seconds, not 50, and that only the root's BPDUs carry the TC flag.
BPDU Guard and Root Guard
BPDU Guard: Configured on PortFast ports. If a BPDU is received, the port goes into err-disable state. Common exam scenario: an access port connected to a switch that accidentally becomes a root bridge. BPDU Guard prevents that.
Root Guard: Configured on ports that should not become root ports. If the port receives a superior BPDU (lower bridge ID), it goes into root-inconsistent state (blocked). This enforces the root bridge location.
UplinkFast and BackboneFast (Cisco proprietary, legacy)
UplinkFast: Improves convergence after a direct link failure on access switches. Bypasses Listening/Learning for an alternate root port.
BackboneFast: Improves convergence after an indirect link failure. Uses RLQ (Root Link Query) to detect root port failure.
These are not on the CCNA exam but may appear in legacy network discussions. Focus on RSTP.
Common Misconfigurations
Setting priority to a non-multiple of 4096: IOS rejects the command.
Using PortFast on trunk ports: can cause loops. PortFast should only be on access ports.
Forgetting to configure BPDU Guard on PortFast ports: a misconnected switch can become root.
Changing timers globally: can cause instability. Use only when necessary.
Final Exam Tips
Always read the question carefully: is it asking about 802.1D or RSTP? Default timers differ.
For root bridge election, compare priority first, then MAC. If priorities are equal, the lowest MAC wins.
For port role questions, remember that root ports are on non-root switches; designated ports are on segments.
For cost calculations, use the standard values; don't confuse with older cost values (e.g., 1 Gbps used to be 1 in earlier versions).
For convergence time, know the default 50 seconds and the role of each timer.
Practice with show spanning-tree output to identify root, roles, and states.
Identify the Root Bridge
The first step in STP is electing a root bridge. Each switch sends BPDUs with its own Bridge ID (priority + MAC). The switch with the lowest Bridge ID becomes root. If priorities are equal (default 32768), the lowest MAC address wins. To force a specific switch as root, set its priority to a lower value, e.g., 4096. Use the command 'spanning-tree vlan 1 priority 4096' on the desired root. Verify with 'show spanning-tree' and look for 'This bridge is the root' or note the Root ID.
Determine Root Ports on Non-Root Switches
Every non-root switch selects exactly one root port (RP) – the port with the lowest path cost to the root bridge. Path cost is the sum of costs from the switch to the root. If multiple paths have equal cost, the switch chooses the port connected to the neighbor with the lowest Bridge ID. If still tied, the lowest neighbor port ID (priority + port number) is used. Use 'show spanning-tree' on the non-root switch; the root port is listed as 'Root' in the Role column.
Select Designated Ports on Each Segment
On each network segment (collision domain), one port is elected as the designated port (DP). The switch with the lowest root path cost on that segment wins. If costs are equal, the switch with the lower Bridge ID becomes designated. The root bridge has all its ports as designated because its path cost to itself is zero. All other ports on the segment become non-designated (blocking). Verify with 'show spanning-tree' – designated ports show 'Desg' role.
Block Remaining Ports
Any port that is not a root port or designated port is placed in blocking state. Blocking ports do not forward user traffic but still listen for BPDUs. They remain in blocking until a topology change occurs (e.g., link failure) that triggers recalculation. Use 'show spanning-tree' to confirm blocked ports show 'Altn' (alternate) or 'Back' (backup) role, with state 'BLK' or 'DSC' (discarding in RSTP).
Verify STP Topology and Timers
After convergence, verify the STP topology using 'show spanning-tree' and 'show spanning-tree detail'. Check that the root bridge is correct, port roles and states are as expected, and timers are default (Hello 2, Forward Delay 15, Max Age 20). Also verify that no unexpected ports are forwarding. For RSTP, use 'show spanning-tree' and note that states are discarding/learning/forwarding and roles include alternate and backup.
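To practise the verification step above on real output, here is an added Python example (not from the chapter) that parses 'show spanning-tree' text into root, roles, states and timers, then reports the checks the chapter lists: wrong root, non-default timers, more than one root port on a non-root switch, an alternate or backup port that is forwarding, and a root bridge with a port that is not designated. The sample output is constructed (made-up MACs, interfaces and link type) and the parser assumes the IOS column layout shown in the Verification Commands section.

```python
import re

# Constructed sample in the shape of the chapter's 'show spanning-tree' output, as seen on
# a non-root switch; MACs and interfaces are made up, this is not real device output.
SAMPLE = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     0000.0000.2222
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0000.0001
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Altn BLK 19        128.1    P2p
Gi0/2               Root FWD 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p Edge
"""

DEFAULT_TIMERS = {"hello": 2, "max_age": 20, "forward_delay": 15}
TIMERS = re.compile(r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")
ROW = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|DSC)\s+(\d+)\s+(\d+\.\d+)\s*(.*)$")

def parse_show_spanning_tree(text):
    """Return {vlan: {...}} with the fields the verification checks need."""
    vlans, cur, section = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        m = re.match(r"^VLAN(\d+)$", s)
        if m:
            cur = vlans.setdefault(int(m.group(1)), {"is_root": False, "timers": None, "ports": []})
            section = None
        elif cur is None:
            continue
        elif s.startswith("Root ID"):
            section, cur["root_priority"] = "root", int(s.split()[3])
        elif s.startswith("Bridge ID"):
            section, cur["bridge_priority"] = "bridge", int(s.split()[3])
        elif s == "This bridge is the root":
            cur["is_root"] = True
        elif s.startswith("Address") and section:
            cur[section + "_address"] = s.split()[-1]
        elif section == "root" and cur["timers"] is None and (t := TIMERS.search(s)):
            h, a, f = map(int, t.groups())  # the root's timers are the ones in effect
            cur["timers"] = {"hello": h, "max_age": a, "forward_delay": f}
        elif (r := ROW.match(s)):
            cur["ports"].append({"name": r.group(1), "role": r.group(2), "state": r.group(3),
                                 "cost": int(r.group(4)), "type": r.group(6)})
    return vlans

def audit(vlans, expected_root_mac):
    """Apply the chapter's verification checks; returns a list of findings (empty = clean)."""
    findings = []
    for vid, v in vlans.items():
        if v.get("root_address") != expected_root_mac:
            findings.append(f"VLAN{vid}: root is {v.get('root_address')}, expected {expected_root_mac}")
        if v["timers"] != DEFAULT_TIMERS:
            findings.append(f"VLAN{vid}: non-default timers {v['timers']}")
        root_ports = [p["name"] for p in v["ports"] if p["role"] == "Root"]
        if v["is_root"] and any(p["role"] != "Desg" for p in v["ports"]):
            findings.append(f"VLAN{vid}: root bridge has a port that is not designated")
        if not v["is_root"] and len(root_ports) != 1:
            findings.append(f"VLAN{vid}: expected exactly one root port, found {root_ports}")
        for p in v["ports"]:  # a blocked role must never be forwarding
            if p["role"] in ("Altn", "Back") and p["state"] == "FWD":
                findings.append(f"VLAN{vid}: {p['name']} is {p['role']} but forwarding")
    return findings
```

Calling audit(parse_show_spanning_tree(SAMPLE), "0000.0000.2222") returns an empty list for the clean sample; feed it the same text with a different expected root or a tampered state column and each violated check appears as one finding.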
Troubleshoot Common STP Issues
If a loop occurs, check for: (1) a switch with lower priority than intended root – use 'show spanning-tree' to see root ID; (2) a port with PortFast enabled on a trunk – use 'show spanning-tree interface <int> portfast'; (3) BPDU filter or guard misconfiguration – check 'show running-config | include bpdu'. Also verify that all switches run the same STP version (PVST+ or Rapid-PVST). Use 'debug spanning-tree events' with caution in production.
In a campus network with dozens of access switches and a redundant core, STP is critical. For example, a university has two distribution switches and multiple access switches connected to both for redundancy. Without STP, a broadcast storm would crash the network. The network engineer configures one distribution switch as root (priority 4096) and the other as secondary root (priority 8192) using 'spanning-tree vlan 1 root primary' and 'spanning-tree vlan 1 root secondary'. This ensures deterministic failover. All access ports are configured with PortFast and BPDU Guard to prevent loops from misconnected devices.
In one incident, a junior engineer connected a switch to an access port, causing a BPDU to be received, which triggered BPDU Guard and err-disabled the port. The senior engineer quickly identified the issue with 'show interfaces status' and corrected the configuration. In another scenario, a link failure between core switches caused STP reconvergence. Because RSTP was enabled, convergence took less than a second instead of 50 seconds, avoiding a major outage.
The network uses Rapid PVST+ to reduce failover time. For large VLAN deployments, MST is used to map multiple VLANs to a single STP instance, reducing CPU load. Misconfigurations like setting an incorrect priority or forgetting to enable PortFast on access ports can cause slow convergence or loops. Regular audits with 'show spanning-tree' and 'show spanning-tree active' help maintain stability. The key lesson: always verify root bridge placement and use features like BPDU Guard and Root Guard to enforce topology.
The CCNA 200-301 exam tests STP under objective 2.5: Spanning Tree Protocol. You must understand the election process, port states, and timers. Expect scenario-based questions where you must identify the root bridge, root ports, and designated ports given a topology with Bridge IDs and link speeds. Common wrong answers:
Choosing the root based on lowest MAC only: Candidates forget that priority is compared first. If priorities differ, MAC is irrelevant. Example: Priority 4096 beats 32768 even if MAC is higher.
Mixing up root port and designated port: Root port is on the non-root switch; designated port is on the segment. The root bridge has all designated ports. In a tie for designated port, the switch with lower Bridge ID wins, not the lower port cost.
Wrong cost values: Many candidates use 1 for Gigabit (old standard). Current standard: 1 Gbps = 4, 10 Gbps = 2. For Fast Ethernet, cost is 19, not 10.
Convergence time miscalculation: Default 802.1D convergence is 50 seconds (20+15+15). Some think 30 seconds (only forward delay). Others forget Max Age when root fails.
RSTP confusion: RSTP uses discarding instead of blocking, and has alternate/backup roles. PortFast is called edge port in RSTP. The exam may ask about RSTP convergence (sub-second).
Decision rule for scenario questions: Draw the topology. Label bridge IDs and costs. Find root (lowest bridge ID). For each non-root switch, find root port (lowest cost to root, tie-break neighbor bridge ID, then port ID). For each segment, find designated port (lowest cost on segment; if equal, lower bridge ID). All other ports block. Always double-check that the root bridge has all ports designated.
Specific values to memorize: Default priority 32768; cost: 10M=100, 100M=19, 1G=4, 10G=2; timers: Hello 2, Forward Delay 15, Max Age 20; convergence: 50s. For RSTP: no timers, convergence <1s.
Calculation traps: Path cost sum: e.g., two 1G links = 4+4=8; one 100M link = 19; so the two 1G path wins. But if one path has a 1G and a 100M, cost = 4+19=23, so the 100M direct path (19) wins. Candidates often add costs incorrectly.
Elimination strategy: For multiple-choice, eliminate answers that show a non-root switch as root, or a port role that violates rules (e.g., two root ports on same switch, or a designated port on a segment where the other switch has lower cost).
STP elects a root bridge based on lowest Bridge ID (priority + MAC).
Default priority is 32768; valid priorities are multiples of 4096 (0, 4096, ..., 61440).
Port costs: 10M=100, 100M=19, 1G=4, 10G=2.
Root port is on non-root switch, best path to root; designated port is on each segment, one per collision domain.
Default timers: Hello 2s, Forward Delay 15s, Max Age 20s; convergence 50s.
RSTP (802.1w) converges in sub-second using alternate/backup roles and discarding state.
PortFast bypasses Listening/Learning; BPDU Guard err-disables on BPDU reception; Root Guard blocks superior BPDUs.
Verify STP with 'show spanning-tree' and 'show spanning-tree detail'.
These come up on the exam all the time. Here's how to tell them apart.
802.1D STP
Port states: Blocking, Listening, Learning, Forwarding, Disabled
Convergence: 50 seconds (default)
Port roles: Root, Designated, Blocking
Topology change: TCN BPDU, MAC flush for 35 seconds
No edge port concept; uses PortFast as proprietary extension
802.1w RSTP
Port states: Discarding, Learning, Forwarding
Convergence: sub-second (typically 6-10 seconds)
Port roles: Root, Designated, Alternate, Backup
Topology change: Proposal/agreement handshake, immediate MAC flush
Edge ports (equivalent to PortFast) are standard; link types (point-to-point, shared) affect convergence
Mistake
The switch with the lowest MAC address always becomes the root bridge.
Correct
The root bridge is elected based on the lowest Bridge ID, which compares priority first. Only if priorities are equal does the lowest MAC address break the tie. A switch with priority 4096 will beat all switches with default priority 32768 regardless of MAC.
Candidates often focus on MAC because it's the most visible part of the Bridge ID, forgetting that priority is the primary factor.
Mistake
A designated port is always in forwarding state and is the port that forwards traffic toward the root.
Correct
A designated port is the port on a segment that is responsible for forwarding BPDUs and user traffic. However, it is not necessarily toward the root; it is the single port on the segment that is in forwarding state. The root bridge has all ports as designated. The root port is the port on a non-root switch that faces the root.
The terms 'root port' and 'designated port' are easily confused because both are forwarding ports. The root port is always on a non-root switch and points to the root; designated ports are on each segment.
Mistake
STP convergence takes 30 seconds (15+15) regardless of the failure type.
Correct
Default 802.1D convergence takes 50 seconds when the root bridge fails: 20 seconds Max Age (to detect failure) + 15 seconds Listening + 15 seconds Learning. For a direct link failure, convergence can be faster (30 seconds) because the detecting switch immediately starts Listening. For RSTP, convergence is sub-second.
Candidates often only remember the Forward Delay timers (15+15) and forget the Max Age timer (20 seconds) that must expire before a new root is elected.
Mistake
PortFast should be enabled on all switch ports for faster convergence.
Correct
PortFast should only be enabled on access ports connected to end hosts. Enabling PortFast on trunk ports or ports connecting to other switches can cause loops because the port immediately transitions to forwarding without STP convergence. BPDU Guard should also be used on PortFast ports to protect against accidental loops.
PortFast sounds like a performance improvement, so candidates think it's always good. They overlook the danger of loops on switch-to-switch links.
PortFast is a feature that allows a port to immediately transition to forwarding state, bypassing Listening and Learning. It is intended for access ports connected to end hosts. BPDU Guard is a security feature that shuts down (err-disables) a port if a BPDU is received. When configured together on a port, PortFast provides fast convergence, and BPDU Guard protects against accidental loops if a switch is connected to that port. On the exam, remember that PortFast does not prevent loops; BPDU Guard does.
No, a non-root switch can have only one root port. The root port is the single port that provides the best path to the root bridge. If a switch has multiple equal-cost paths, it selects one based on tie-breakers (lowest neighbor Bridge ID, then lowest neighbor port ID). The other ports become alternate (blocking) in RSTP or blocking in 802.1D. The root bridge itself has no root port.
The default STP mode on Cisco switches is PVST+ (Per-VLAN Spanning Tree Plus), which runs a separate 802.1D instance for each VLAN. On newer switches, the default may be Rapid PVST+ (based on 802.1w RSTP). Use 'show spanning-tree' to verify the mode. The exam often assumes PVST+ unless stated otherwise.
Use the global configuration command 'spanning-tree vlan <vlan-id> root primary'. This sets the priority to 24576 if the current root has priority 32768, or to 4096 less than the current root's priority otherwise. Alternatively, set the priority directly with 'spanning-tree vlan <vlan-id> priority <value>', ensuring the value is a multiple of 4096. To make a switch the secondary root, use 'spanning-tree vlan <vlan-id> root secondary', which sets priority to 28672.
Max Age (default 20 seconds) determines how long a switch waits to receive a BPDU from the root before declaring the root as failed. If no BPDU is received within Max Age, the switch initiates a new root election. This timer is crucial for convergence when the root bridge fails. On the exam, remember that Max Age is 20 seconds, and it is part of the 50-second convergence (20+15+15).
An alternate port is a port that provides an alternative path to the root bridge; it is a backup for the root port. A backup port is a port that provides a redundant connection to the same segment (collision domain) as the designated port; it is a backup for the designated port. Both are in discarding state. Alternate ports are more common (e.g., in a triangle topology). Backup ports occur only when a switch has two ports on the same segment (e.g., using hubs).
Cisco's PVST+ runs a separate STP instance per VLAN, allowing different root bridges for different VLANs for load balancing. This means BPDUs are sent untagged for VLAN 1 and tagged for other VLANs. Rapid PVST+ is the rapid version. MST (Multiple Spanning Tree) maps multiple VLANs to a single STP instance, reducing overhead. The exam may ask about the number of STP instances or the effect of VLANs on STP topology.