
Lab: Manipulate STP Root Bridge

In real-world networks, the Spanning Tree Protocol (STP) prevents loops, but its default root bridge election often places the root in a suboptimal location, leading to inefficient traffic flows. On the CCNA 200-301 exam (objective 2.5), you must know how to manipulate the root bridge election to ensure predictable, optimal STP topology. This lab walks you through configuring a specific switch as the root bridge using both primary/secondary commands and manual priority changes.

Updated May 31, 2026

The Company President's Tiebreaker

Imagine a large company with multiple regional offices. To ensure efficient communication, one office must be designated as the 'headquarters' (root bridge) that all other offices report to. The default election is like letting each office draw a random number from a hat—the lowest number wins. But what if the office with the lowest number is a small branch with a slow internet connection? That would be inefficient.

To fix this, the CEO (network administrator) can manually assign the headquarters role to the main corporate office by giving it a very low 'priority number' (like 0). If that office fails, the CEO wants the backup headquarters to be the regional hub, which gets a slightly higher priority (like 4096). This is exactly how STP root bridge manipulation works: you set the bridge priority to a low value (e.g., 0 or 4096) on the desired root switch, and a slightly higher value on the backup root.

In the analogy, each office also has a unique serial number (MAC address) used as a tiebreaker if two offices have the same priority. By setting priorities deliberately, the CEO ensures that traffic always flows through the most capable offices, avoiding bottlenecks. If the CEO fails to configure this, the network might pick a random switch as root, causing traffic to traverse slow links—like routing all company calls through the smallest branch office.

How It Actually Works

What is STP Root Bridge Manipulation?

Spanning Tree Protocol (STP) elects a single root bridge per VLAN to provide a loop-free logical topology. By default, the switch with the lowest bridge ID (priority + MAC address) becomes the root. Cisco switches use a default priority of 32768. In a network with multiple switches, the root bridge election is unpredictable and often results in a suboptimal root location. Root bridge manipulation allows the network engineer to force a specific switch to become the root (or backup root) by configuring its bridge priority.

How Root Bridge Election Works

STP uses Bridge Protocol Data Units (BPDUs) to exchange bridge information. Each BPDU contains the bridge ID of the sender and the root bridge ID the sender believes is the root. The election process:

1. Initially, every switch assumes it is the root bridge and sends BPDUs claiming itself as root.

2. Switches compare received BPDUs: if a BPDU contains a lower root bridge ID (lower priority, or same priority but lower MAC), the switch updates its root bridge and propagates the superior BPDU.

3. After convergence, the switch with the lowest bridge ID becomes the root.

Manipulating the Root Bridge

Cisco IOS provides two methods to influence the election:

`spanning-tree vlan <vlan> root primary`: Sets the local switch priority to 24576 if the current root has a priority higher than 24576; otherwise, it sets the priority to 4096 less than the current root's priority. This ensures the local switch becomes root.

`spanning-tree vlan <vlan> root secondary`: Sets the local switch priority to 28672, making it the backup root if the primary fails.

Manual priority configuration: `spanning-tree vlan <vlan> priority <0-61440>` (in increments of 4096). For example, setting priority to 0 guarantees the switch becomes the root.
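
The election steps and the `root primary` / `root secondary` rules described above can be checked with a short model. This is an added example, not part of the original lab: it computes only the converged result (lowest bridge ID), and `SwitchC`, the two constructed MAC addresses and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

DEFAULT, PRIMARY, SECONDARY, STEP, MAX = 32768, 24576, 28672, 4096, 61440

def check_priority(value):
    """Accept only valid priorities: 0..61440 in steps of 4096."""
    if not 0 <= value <= MAX or value % STEP:
        raise ValueError(f"invalid bridge priority {value}")
    return value

@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                   # dotted notation, e.g. 001c.589a.bc01
    priority: int = DEFAULT    # configured priority

    def bridge_id(self, vlan):
        # Lower tuple wins: priority plus VLAN ID (sys-id-ext), then MAC.
        mac_value = int(self.mac.replace(".", ""), 16)
        return (check_priority(self.priority) + vlan, mac_value)

def elect_root(bridges, vlan):
    """Converged result of the BPDU comparison: lowest bridge ID."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))

def root_primary(current_root_priority):
    """Priority chosen by `root primary`, following the rule stated above."""
    if current_root_priority > PRIMARY:
        return PRIMARY
    # A root already at 0 leaves nothing lower; check_priority rejects -4096.
    return check_priority(current_root_priority - STEP)

def lab_scenario(vlan=10):
    # SwitchA's MAC is from the page; the other two are constructed.
    a = Bridge("SwitchA", "001c.589a.bc01")
    b = Bridge("SwitchB", "001c.589a.0b02")
    c = Bridge("SwitchC", "0019.aa00.0c03")   # lowest MAC wins by default
    by_default = elect_root([a, b, c], vlan)
    a = replace(a, priority=root_primary(by_default.priority))
    b = replace(b, priority=SECONDARY)
    configured = elect_root([a, b, c], vlan)
    after_failure = elect_root([b, c], vlan)   # SwitchA removed
    return by_default.name, configured.name, after_failure.name

if __name__ == "__main__":
    print(lab_scenario())
```

With all three switches at the default priority the lowest MAC decides the root, which is the unpredictable placement the lab sets out to remove.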

Key Defaults and Timers

Default bridge priority: 32768

Priority values must be multiples of 4096: 0, 4096, 8192, ..., 61440

Root bridge sends BPDUs every 2 seconds (Hello timer)

Max Age timer: 20 seconds (default)

Forward Delay timer: 15 seconds (default)

Verification Commands

Use the following commands to verify root bridge status:

```
show spanning-tree vlan 10
show spanning-tree root
show spanning-tree vlan 10 brief
```

Example output for `show spanning-tree vlan 10`:

```
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24576
             Address     00:1C:58:9A:BC:01
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24576  (priority 24576 sys-id-ext 10)
             Address     00:1C:58:9A:BC:01
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p
```
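
Checking this output by eye does not scale across many switches, so the sketch below parses it and reports when the root is not the switch you intended. It is an added example, not part of the original lab; `parse_stp`, `audit_root` and the second MAC address in the usage lines are hypothetical names and values.

```python
import re

# Output shown above on this page, with the timer lines omitted.
SAMPLE = """\
VLAN0010
  Root ID    Priority    24576
             Address     00:1C:58:9A:BC:01
             This bridge is the root

  Bridge ID  Priority    24576  (priority 24576 sys-id-ext 10)
             Address     00:1C:58:9A:BC:01

Interface        Role Sts Cost      Prio.Nbr Type
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p
"""

def norm_mac(mac):
    """Reduce any MAC notation (colons, dots, case) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_stp(text):
    """Extract root/bridge priority and MAC, the root flag and port roles."""
    info = {"is_root": "This bridge is the root" in text, "ports": {}}
    section = None
    for line in text.splitlines():
        if m := re.match(r"\s*(Root|Bridge) ID\s+Priority\s+(\d+)", line):
            section = m.group(1).lower()
            info[section + "_priority"] = int(m.group(2))
        elif (m := re.match(r"\s+Address\s+(\S+)", line)) and section:
            info[section + "_mac"] = norm_mac(m.group(1))
        elif m := re.match(r"(\S+)\s+(Root|Desg|Altn|Back)\s+(\w+)\s+\d+", line):
            info["ports"][m.group(1)] = (m.group(2), m.group(3))
    return info

def audit_root(text, expected_root_mac):
    """Return findings; an empty list means the intended switch is root."""
    info, findings = parse_stp(text), []
    if info.get("root_mac") != norm_mac(expected_root_mac):
        findings.append(f"unexpected root {info.get('root_mac')}")
    if info["is_root"] != (info.get("root_mac") == info.get("bridge_mac")):
        findings.append("root flag disagrees with bridge MAC")
    if info["is_root"] and "Root" in [r for r, _ in info["ports"].values()]:
        findings.append("root bridge should have no root port")
    return findings

if __name__ == "__main__":
    print(audit_root(SAMPLE, "001c.589a.bc01"))   # intended root
    print(audit_root(SAMPLE, "0019.aa00.0c03"))   # constructed other MAC
```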

Interaction with Related Protocols

PVST+: Cisco's per-VLAN STP. Root bridge can be different per VLAN.

RSTP (802.1w): Faster convergence; root bridge election is the same, but port roles and states differ.

MSTP (802.1s): Groups VLANs into instances; root bridge per instance.

Walk-Through

1. Access the switch CLI

Connect to the switch via console or SSH and enter privileged EXEC mode. Use `enable` (default password: cisco or configured). Then enter global configuration mode with `configure terminal`. This is the starting point for all configuration changes.

2. Configure VLAN 10 on all switches

Ensure VLAN 10 exists on all switches in the topology. Use `vlan 10` in global config, then name it (optional). Repeat on each switch. Without the VLAN, STP will not run for it. Example:

```
Switch(config)# vlan 10
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit
```

3. Set SwitchA as primary root for VLAN 10

On SwitchA, use the command `spanning-tree vlan 10 root primary`. This sets the bridge priority to 24576 if the current root priority is higher than 24576, or to 4096 less than the current root if it is lower. This ensures SwitchA becomes the root. Verify with `show spanning-tree vlan 10`.

4. Set SwitchB as secondary root for VLAN 10

On SwitchB, use `spanning-tree vlan 10 root secondary`. This sets the bridge priority to 28672. If SwitchA fails, SwitchB will assume the root role because its priority (28672) is lower than the default 32768. Verify with `show spanning-tree vlan 10`.

5. Verify root bridge status

Use `show spanning-tree root` to see the root bridge for all VLANs. The output shows the root ID (priority and MAC) and the local bridge ID. On SwitchA, you should see 'This bridge is the root'. On SwitchB, the root should be SwitchA's MAC. Example:

```
SwitchA# show spanning-tree root
VLAN    Root ID              Cost  Time Age Bridge ID
------- -------------------- ----- ---- --- ---------
10      24576 001c.589a.bc01 0     2    20  24576 001c.589a.bc01
```

6. Test failover by disabling root switch

Simulate a failure by shutting down the root switch's interfaces or powering it off. On SwitchA, `shutdown` the uplink ports. On SwitchB, after Max Age (20 sec) and Forward Delay (30 sec total), it should become the new root. Use `show spanning-tree vlan 10` on SwitchB to confirm it now claims to be the root.

7. Restore and clean up configuration

Re-enable interfaces on SwitchA and allow STP to reconverge. To remove the root configuration, use `no spanning-tree vlan 10 root primary` on SwitchA and `no spanning-tree vlan 10 root secondary` on SwitchB. Alternatively, reset priority to default with `spanning-tree vlan 10 priority 32768`.

What This Looks Like on the Job

In enterprise networks, root bridge manipulation is critical for traffic engineering and redundancy. Consider a campus network with a core layer (high-speed switches) and distribution layers. The default STP election might place the root on an access-layer switch with slower uplinks, causing all inter-VLAN traffic to traverse suboptimal paths. By configuring the core switch as the root bridge, traffic flows directly through the core, reducing latency and bandwidth waste.

Another scenario: a data center with two aggregation switches (A and B) connected to multiple top-of-rack (ToR) switches. The network engineer wants aggregation switch A to be the root for even VLANs and B for odd VLANs to load-balance traffic. This is achieved by applying `spanning-tree vlan <even VLANs> root primary` on A and `spanning-tree vlan <odd VLANs> root primary` on B, with secondary configurations on the opposite switch. Here `<even VLANs>` and `<odd VLANs>` stand for the actual VLAN lists; `even` and `odd` are not literal keywords. This ensures deterministic failover: if A fails, B takes over even VLANs, and vice versa.

A common misconfiguration is setting the priority too low on multiple switches, causing a tie that is broken by MAC address. For example, if two switches both have priority 0, the one with the lower MAC becomes root. This can be unintended if the engineer assumes priority 0 guarantees root status on both. Always verify with `show spanning-tree root`.

Performance considerations: STP convergence after a root failure takes 30-50 seconds with classic STP (802.1D). RSTP reduces this to a few seconds. In large networks, root placement affects the diameter (maximum number of switches between any two endpoints). Cisco recommends keeping the root near the center of the network to minimize hop count and convergence time.

How CCNA 200-301 Actually Tests This

The 200-301 exam tests root bridge manipulation under objective 2.5 'Determine and configure spanning tree protocol features.' You need to know:

1. The exact commands `spanning-tree vlan <vlan> root primary` and `root secondary` and what priority they set (24576 and 28672 respectively).

2. The default priority (32768) and that priority must be a multiple of 4096.

3. How to verify root status with `show spanning-tree` and interpret output, especially 'This bridge is the root'.

Common wrong answers:

Choosing 'spanning-tree vlan 1 root primary' sets priority to 0: False, it sets to 24576 (or 4096 lower than current root if lower than 24576).

Believing that setting priority to 4096 on two switches will cause a tie and the one with lower MAC wins: Actually, both will be root candidates; the lower MAC becomes root. But the exam often tests that the root primary command ensures the switch becomes root regardless of current root.

Confusing 'root primary' with 'priority 0': The command does NOT set priority to 0; it uses 24576 or lower.

Thinking that 'root secondary' sets priority to 0 as backup: No, it sets to 28672.

A typical scenario question: 'Which command configures SwitchA as the root bridge for VLAN 10, assuming the current root has priority 32768?' Answer: `spanning-tree vlan 10 root primary`. The distractor might be `spanning-tree vlan 10 priority 32768` (that would keep it as non-root).

Elimination strategy: If the question asks for 'guaranteed root' regardless of current root, use priority 0. If it says 'without changing if already root', use root primary. For backup, use root secondary or priority 28672.

Key Takeaways

Default bridge priority is 32768; must be a multiple of 4096.

`spanning-tree vlan <vlan> root primary` sets priority to 24576 (or 4096 less than current root if current root priority < 24576).

`spanning-tree vlan <vlan> root secondary` sets priority to 28672.

Manual priority command: `spanning-tree vlan <vlan> priority <0-61440>`.

Use `show spanning-tree vlan <vlan>` to verify root bridge and port roles.

Root bridge sends BPDUs every 2 seconds (Hello timer).

In a tie (same priority), lower MAC address wins.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

| `root primary` command | Manual priority 0 |
| --- | --- |
| Sets priority to 24576 or 4096 less than current root | Sets priority to exactly 0 |
| Does not guarantee root if current root has priority < 24576 | Guarantees root status regardless of current root |
| Preferred for dynamic adjustment | More aggressive; may cause unnecessary root changes |
| Cannot set priority to 0 | Must be configured explicitly |
| Used in most production networks | Used when absolute control is needed |

Watch Out for These

Mistake

`spanning-tree vlan 10 root primary` sets the priority to 0.

Correct

It sets the priority to 24576, unless the current root has a priority lower than 24576, in which case it sets priority to 4096 less than that.

Candidates often confuse 'primary' with 'priority 0' because 0 is the lowest possible priority.

Mistake

Setting priority to 4096 on two switches will cause both to be root.

Correct

Only one switch can be root. The switch with the lower MAC address becomes root if priorities are equal.

Candidates forget that MAC address is the tiebreaker.

Mistake

`spanning-tree vlan 10 root secondary` sets priority to 24576.

Correct

It sets priority to 28672, making the switch the backup root.

Candidates think 'secondary' is similar to 'primary' but with a slightly higher number, but they guess 24576 instead of 28672.

Mistake

The root bridge is always the switch with the highest MAC address.

Correct

The root bridge is the switch with the lowest bridge ID (priority + MAC). If priorities are equal, the lowest MAC wins.

Candidates may confuse 'lowest' with 'highest' due to the concept of 'root' being superior.


Frequently Asked Questions

What is the difference between `spanning-tree vlan 10 root primary` and `spanning-tree vlan 10 priority 24576`?

Both can make the switch root, but `root primary` is dynamic: it adjusts the priority based on the current root. If the current root has a priority lower than 24576, `root primary` sets the priority to 4096 less than that, ensuring it becomes root. Manual `priority 24576` is static and may not override a root with priority 20480 (which is lower). Use `root primary` for simplicity and best practice.

Can I use `spanning-tree vlan 10 root primary` on multiple switches?

Yes, but only one will be root. The command sets the priority to 24576 (or lower) on each. If two switches both have priority 24576, the one with the lower MAC becomes root. To avoid confusion, configure `root primary` only on the intended root and `root secondary` on the backup.

What happens if I set the priority to 0 on a switch that is not the root?

The switch will immediately become the root because 0 is the lowest possible priority. This may cause a temporary topology change and traffic disruption. It is a valid configuration but should be used with caution. The `root primary` command is preferred because it avoids priority 0 unless necessary.

How do I verify the root bridge for all VLANs at once?

Use `show spanning-tree root`. This displays the root bridge ID, cost, and timers for each VLAN. Example output: `VLAN10 Root ID Priority 24576 Address 001c.589a.bc01 Cost 0`. It also shows the local bridge ID.

Does root bridge manipulation affect RSTP or MSTP?

Yes, the same commands work for RSTP (rapid-pvst) and MSTP. In MSTP, you specify the instance instead of VLAN: `spanning-tree mst <instance> root primary`. The priority values and behavior are identical.

What is the default bridge priority on a Cisco switch?

The default is 32768. This is added to the VLAN ID (system ID extension) for PVST+ to form the bridge ID. For example, VLAN 10 gets a priority of 32768 + 10 = 32778 in the BPDU, but the configured priority is still 32768.

Can I change the root bridge without causing a network disruption?

Changing the root bridge causes STP reconvergence, which may cause temporary loops or traffic loss (50 seconds for classic STP, a few seconds for RSTP). To minimize impact, schedule changes during maintenance windows or use RSTP if available.
