STP Port Roles and States Exam Trap — Root vs Designated vs Blocking
Presenting Symptom
Hosts in VLAN 10 on switch SW3 cannot reach the default gateway (router) connected to switch SW1, but hosts in VLAN 20 can reach their gateway on the same router.
Network Context
A small branch office with three Cisco Catalyst 2960 switches (SW1, SW2, SW3) running IOS 15.0. SW1 is the root bridge for all VLANs. SW2 and SW3 are non-root. All switches run PVST+. The network has two VLANs: VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router is connected to SW1 via a trunk. SW3 connects to SW1 and SW2 via trunk links. The issue is that VLAN 10 traffic from SW3 cannot reach the router, but VLAN 20 traffic works fine.
Diagnostic Steps
Check STP status on SW3 for VLAN 10
show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0011.2233.4455
This bridge is the root
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 0055.6677.8899
Interface Role Sts Cost Prio.Nbr Type
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
SW3 believes it is the root bridge for VLAN 10 ("This bridge is the root"). This is incorrect: SW1 should be the root. Both ports are designated forwarding, which is abnormal for a non-root switch, and at this point it points to a bridge priority misconfiguration.
Check STP status on SW1 for VLAN 10
show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0011.2233.4455
This bridge is the root
Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 0011.2233.4455
Interface Role Sts Cost Prio.Nbr Type
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
SW1 also claims to be the root for VLAN 10, so two switches claim root. The root bridge MAC address is the same in both outputs (0011.2233.4455), which is SW1's MAC address; SW3's Root ID shows this MAC, yet SW3 reports itself as root. This suggests SW3 has a bridge priority equal to or lower than SW1's. The expected root is SW1 with priority 24586 (24576 + 10). SW3's priority is 32778 (32768 + 10), which is higher, so SW3 should not be root. Yet the output shows SW3 as root, indicating a possible misconfiguration affecting the root bridge election.
Check the root bridge election for VLAN 10 by comparing bridge priorities
show spanning-tree vlan 10 bridge
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 0055.6677.8899
SW3's bridge priority is 32778 and the root bridge priority is 24586. Since 32778 > 24586, SW3 should not be root. That SW3 nonetheless shows itself as root indicates it is not receiving BPDUs from SW1, or is ignoring them. This could be due to a unidirectional link failure or a configuration issue such as PortFast or BPDU filter on the uplink.
Check interface status and BPDU reception on SW3's uplink to SW1
show interfaces fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
The interface is a trunk and should be passing BPDUs. However, we need to check if BPDU filter or PortFast is enabled, which could prevent BPDU processing. Also check for any error counters.
Check for BPDU filter or PortFast on SW3's uplink
show running-config interface fa0/1
interface FastEthernet0/1
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpdufilter enable
The interface has spanning-tree portfast and spanning-tree bpdufilter enable. PortFast should only be used on access ports, not trunk ports. BPDU filter prevents the switch from sending or receiving BPDUs on this port. This causes SW3 to not receive BPDUs from SW1, so SW3 assumes it is the root bridge for VLAN 10. This is the root cause.
Root Cause
On SW3, interface Fa0/1 (uplink to SW1) has spanning-tree portfast and spanning-tree bpdufilter enable configured. This prevents SW3 from receiving BPDUs from SW1, causing SW3 to believe it is the root bridge for VLAN 10. As a result, SW3's ports become designated forwarding, and it does not properly forward traffic toward the root bridge, breaking connectivity for VLAN 10 hosts to the router.
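As an added illustration, not part of the original scenario, the following Python script applies the two checks the diagnostic steps perform by hand: it parses IOS interface stanzas for PortFast or BPDU filter on trunk ports, and compares bridge IDs (priority, then MAC) to confirm which switch should win the election. The running-config text is constructed, Fa0/3 is an assumed access port added for contrast, and the bridge priorities and MAC addresses are the values from the show spanning-tree output above.

```python
# Added example (not from the original scenario): audit IOS interface stanzas for
# PortFast / BPDU filter on trunk ports and confirm which bridge should win the STP election.
# Constructed running-config excerpt: Fa0/1 mirrors SW3's misconfigured uplink from the
# walkthrough; Fa0/3, an access port where PortFast is legitimate, is assumed for contrast.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
"""

# Access-port-only features; finding them on an inter-switch trunk is the exam trap.
EDGE_ONLY_FEATURES = ("spanning-tree portfast", "spanning-tree bpdufilter enable")

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas

def audit_trunks(config):
    """List (interface, feature) pairs where an edge-only feature sits on an explicit trunk."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # only explicitly configured trunks are checked (assumption)
        findings.extend((name, f) for f in EDGE_ONLY_FEATURES if f in lines)
    return findings

def expected_root(bridges):
    """STP elects the lowest bridge ID: compare (priority, MAC) tuples, lowest wins."""
    return min(bridges, key=lambda name: bridges[name])

if __name__ == "__main__":
    print(audit_trunks(RUNNING_CONFIG))  # both SW3 Fa0/1 findings; Fa0/3 is not flagged
    print(expected_root({"SW1": (24586, "0011.2233.4455"), "SW3": (32778, "0055.6677.8899")}))
```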
Resolution
On SW3, remove both misconfigured commands from interface Fa0/1 (the no form of spanning-tree portfast and of spanning-tree bpdufilter) so the trunk again sends and processes BPDUs and SW3 learns of SW1 as the root.
Verification
Run show spanning-tree vlan 10 on SW3. Expected output:
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0011.2233.4455
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 0055.6677.8899
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p
Now SW3 correctly identifies SW1 as the root (Root ID matches SW1's MAC address and priority). Fa0/1 is the root port (forwarding) and Fa0/2 is alternate (blocking). VLAN 10 hosts should now reach the router.
Prevention
Never enable spanning-tree portfast on trunk ports; PortFast is only for access ports connecting to end devices.
Avoid using spanning-tree bpdufilter enable on any port that connects to another switch; it disrupts STP convergence and can cause loops or loss of connectivity.
Use spanning-tree bpduguard enable only on access ports to protect against unauthorized switches, not on inter-switch links.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of STP port roles and states, and the impact of misconfigurations like PortFast and BPDU filter on trunk ports. The exam may present a troubleshooting scenario where a switch incorrectly assumes root bridge status, and candidates must identify the misconfiguration. Key facts: PortFast should only be used on access ports; BPDU filter prevents BPDU processing; a switch that does not receive BPDUs will consider itself root.
Exam Tips
Remember that PortFast is for access ports only; applying it to a trunk is a common exam trap.
BPDU filter on a trunk causes the switch to ignore BPDUs, leading to incorrect STP topology; the switch will assume it is the root.
Use show spanning-tree to verify root bridge and port roles; if a non-root switch shows itself as root, check for BPDU filter or unidirectional link.
Commands Used in This Scenario
show spanning-tree
Displays the Spanning Tree Protocol (STP) state and configuration for all VLANs or a specific VLAN, used to verify root bridge, port roles, and STP topology.
spanning-tree bpdufilter enable
The spanning-tree bpdufilter enable command disables BPDU transmission and reception on a specific interface, effectively preventing the interface from participating in STP, and is used to secure edge ports or reduce unnecessary BPDU traffic.
spanning-tree portfast
Enables PortFast on an interface to immediately transition from blocking to forwarding state, bypassing STP listening and learning phases, used on access ports connected to end devices to speed up convergence.