Wrong Port Elected as STP Designated Port
Presenting Symptom
A switch port that should be in blocking state for STP is forwarding, causing a temporary loop and high CPU utilization on the root bridge.
Network Context
A small branch office network with three Cisco Catalyst 2960 switches running IOS 15.0. Switches are connected in a triangle topology (SwitchA connected to SwitchB and SwitchC, SwitchB connected to SwitchC). All ports are in VLAN 1. The network uses PVST+ as the STP variant. The problem occurs after a new switch was added and connected to the existing switches.
Diagnostic Steps
Identify the current STP topology and root bridge
show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0011.2233.4455
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0011.2233.4455
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1 Desg FWD 4 128.1 P2p
Gi0/2 Desg FWD 4 128.2 P2p
If the output shows that all ports are Desg FWD (Designated Forwarding) on the root bridge, this is normal: every active port on the root bridge is a designated port. However, if a non-root bridge shows a port that should be blocking (e.g., a redundant link) as Desg FWD, that indicates a problem. On non-root bridges, look for ports in 'Altn BLK' (Alternate Blocking) or 'Root FWD' (Root Forwarding).
Check STP port roles on non-root switches
show spanning-tree vlan 1 detail
VLAN0001 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 1, address 0011.2233.6677
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32769, address 0011.2233.4455
Root port is 128.1 (GigabitEthernet0/1), cost of root path is 4
Topology change flag not set, detected flag not set
Number of topology changes 3 last change occurred 00:05:12 ago
from GigabitEthernet0/2
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Port 128.2 (GigabitEthernet0/2) of VLAN0001 is designated forwarding
Port path cost 4, Port priority 128, Port Identifier 128.2.
Designated root has priority 32769, address 0011.2233.4455
Designated bridge has priority 32769, address 0011.2233.4455
Designated port id is 128.2, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 123, received 0
The port is not in the blocking state, but it should be because it is a redundant link.
On a non-root switch, a port that is a redundant link should be in Alternate Blocking (Altn BLK) state. If it shows 'designated forwarding', it means the switch believes it is the designated port for that segment, which may be incorrect. This indicates a misconfiguration or a bridge priority issue.
Verify bridge priority and MAC address of the suspected switch
show spanning-tree vlan 1 bridge
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0011.2233.6677
Compare the bridge priority and MAC address with the root bridge. If the bridge priority is the same as the root (e.g., both 32769), the switch with the lower MAC address becomes root. If the non-root switch has a lower MAC address than the current root, it may become root and cause designated port election changes.
Check for BPDU guard or portfast misconfiguration
show running-config interface GigabitEthernet0/2
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
If portfast is enabled on a trunk or inter-switch link, it can cause the port to skip listening/learning and go directly to forwarding, potentially causing a loop. BPDU guard will disable the port if a BPDU is received, but if not configured, the port may forward traffic incorrectly.
Root Cause
The newly added switch (SwitchC) has a lower MAC address than the existing root bridge (SwitchA) but the same bridge priority (32769). As a result, SwitchC becomes the new root bridge. However, the port connecting SwitchC to SwitchB is configured with PortFast, causing it to transition to forwarding state immediately without going through the STP listening/learning states. This leads to a temporary loop until BPDUs are exchanged, but the port remains designated forwarding because SwitchC thinks it is the root and the port is the designated port for the segment.
Resolution
Verification
Run 'show spanning-tree vlan 1' on all switches. Verify that the root bridge is the intended one (SwitchA with priority 4096). On non-root switches, ensure redundant ports are in 'Altn BLK' state. For example, on SwitchC, port Gi0/2 should show 'Altn BLK' instead of 'Desg FWD'. Also check that no ports have PortFast enabled on inter-switch links.
Prevention
1. Always configure a lower bridge priority on the intended root bridge to prevent accidental root election.
2. Never enable PortFast on ports connecting to other switches; use it only on end-host ports.
3. Implement BPDU guard on all access ports to protect against rogue switches.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why a port is in forwarding state instead of blocking. The exam tests understanding of STP port roles (Root, Designated, Alternate) and the effect of bridge priority and MAC address on root election. A candidate must know that PortFast should only be used on access ports and that BPDU guard can prevent loops.
Exam Tips
Remember that the switch with the lowest bridge ID (priority + MAC) becomes the root bridge. If priorities are equal, the lowest MAC wins.
PortFast causes a port to skip listening and learning, going directly to forwarding. It should never be used on trunk or inter-switch links.
Use 'show spanning-tree' to quickly identify root bridge and port roles. Look for 'Altn BLK' on redundant links; if you see 'Desg FWD' on a redundant link, there is a problem.
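The election rules described in the "Verify bridge priority" step and in these exam tips (lowest bridge ID wins root, then root path cost, bridge ID and port ID decide the root and designated ports on each segment) can be walked through on the page's triangle topology. The following Python model is an added example, not part of the original scenario: SwitchA's address is the root bridge address from the page's output, the address used for SwitchB is the non-root address shown in the detail output, and SwitchC's address, the port numbering and the link costs are constructed so that SwitchC has the lowest MAC, as in the root cause.

```python
"""Model of PVST+ root-bridge and port-role election for one VLAN.

Added example (not from the original page). It reproduces the page's root cause
(equal priorities, lowest MAC wins) and the effect of giving SwitchA priority 4096.
SwitchA's MAC comes from the page; SwitchB's is the page's non-root address;
SwitchC's MAC, the port numbering and the link costs are constructed.
"""
from dataclasses import dataclass

PORT_PRIORITY = 128  # default Cisco port priority, shown as 128.N in 'show spanning-tree'


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str               # Cisco dotted format, e.g. "0011.2233.4455"
    priority: int = 32768  # configured bridge priority (multiple of 4096)


def bridge_id(sw, vlan=1):
    """Bridge ID as a comparable tuple: (priority + sys-id-ext, MAC as integer).

    PVST+ adds the VLAN number to the configured priority, which is why the page's
    output shows 32769 for VLAN 1. Tuples compare element by element, so equal
    priorities fall through to the lowest MAC, exactly as the election rule says.
    """
    return (sw.priority + vlan, int(sw.mac.replace(".", ""), 16))


def port_id(port_name):
    """Port ID 128.N, where N is the interface number (Gi0/2 -> (128, 2))."""
    return (PORT_PRIORITY, int(port_name.rsplit("/", 1)[-1]))


def elect_root(switches, vlan=1):
    """The switch with the numerically lowest bridge ID becomes root."""
    return min(switches, key=lambda sw: bridge_id(sw, vlan))


def port_roles(switches, links, vlan=1):
    """Return (root name, {switch: {port: role}}) with roles as IOS prints them:
    'Root FWD', 'Desg FWD' or 'Altn BLK'.

    links: (switch1, port1, switch2, port2, cost) tuples, one per segment.
    """
    by_name = {sw.name: sw for sw in switches}
    root = elect_root(switches, vlan)
    bid = {name: bridge_id(sw, vlan) for name, sw in by_name.items()}

    # Every link seen from both ends: (this switch, this port, neighbour, its port, cost)
    ends = []
    for a, pa, b, pb, cost in links:
        ends.append((a, pa, b, pb, cost))
        ends.append((b, pb, a, pa, cost))

    # Root path cost: cheapest sum of link costs from each switch to the root (Dijkstra).
    rpc = {name: float("inf") for name in by_name}
    rpc[root.name] = 0
    pending = set(by_name)
    while pending:
        cur = min(pending, key=rpc.__getitem__)
        pending.remove(cur)
        for here, _, there, _, cost in ends:
            if here == cur and rpc[cur] + cost < rpc[there]:
                rpc[there] = rpc[cur] + cost

    # Root port: on each non-root switch, the port whose neighbour advertises the best
    # (root path cost, sender bridge ID, sender port ID). The root has no root port.
    root_port = {}
    for name in by_name:
        if name == root.name:
            continue
        candidates = [((rpc[there] + cost, bid[there], port_id(tp)), hp)
                      for here, hp, there, tp, cost in ends if here == name]
        root_port[name] = min(candidates)[1]

    # Designated port: on each segment, the end with the best (root path cost,
    # bridge ID, port ID). The other end is either that switch's root port or it
    # must block (Alternate) to break the loop.
    roles = {name: {} for name in by_name}
    for a, pa, b, pb, _ in links:
        desg, other = sorted(((rpc[a], bid[a], port_id(pa), a, pa),
                              (rpc[b], bid[b], port_id(pb), b, pb)))
        roles[desg[3]][desg[4]] = "Desg FWD"
        sw, port = other[3], other[4]
        roles[sw][port] = "Root FWD" if root_port.get(sw) == port else "Altn BLK"
    return root.name, roles


# Triangle topology from the page: A-B, A-C, B-C, all Gigabit links (cost 4).
LINKS = [("SwitchA", "Gi0/1", "SwitchB", "Gi0/1", 4),
         ("SwitchA", "Gi0/2", "SwitchC", "Gi0/1", 4),
         ("SwitchB", "Gi0/2", "SwitchC", "Gi0/2", 4)]

SWITCH_A_MAC = "0011.2233.4455"  # root bridge address from the page's output
SWITCH_B_MAC = "0011.2233.6677"  # non-root address from the page's detail output
SWITCH_C_MAC = "0011.2233.0099"  # constructed: lower than SwitchA, as in the root cause


def broken_scenario():
    """All three switches left at the default priority 32768."""
    switches = [Switch("SwitchA", SWITCH_A_MAC),
                Switch("SwitchB", SWITCH_B_MAC),
                Switch("SwitchC", SWITCH_C_MAC)]
    return port_roles(switches, LINKS)


def fixed_scenario():
    """SwitchA given priority 4096, as in the page's verification step."""
    switches = [Switch("SwitchA", SWITCH_A_MAC, priority=4096),
                Switch("SwitchB", SWITCH_B_MAC),
                Switch("SwitchC", SWITCH_C_MAC)]
    return port_roles(switches, LINKS)


if __name__ == "__main__":
    for label, (root, roles) in (("default priorities", broken_scenario()),
                                 ("SwitchA priority 4096", fixed_scenario())):
        print(f"{label}: root = {root}")
        for sw, ports in sorted(roles.items()):
            print(f"  {sw}: {ports}")
```

With default priorities the model elects SwitchC as root and both of its ports come out Desg FWD, matching the root cause. With SwitchA at priority 4096 it becomes root regardless of MAC, both SwitchB and SwitchC get a Root FWD port toward it, and exactly one end of the redundant B-C link goes Altn BLK. Which end blocks is decided by the tie-breaker in the rule above: root path costs are equal (4 each), so the lower bridge ID keeps the designated role, and with these constructed addresses that is SwitchC, leaving SwitchB's Gi0/2 blocking.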
Commands Used in This Scenario
show spanning-tree
Displays the Spanning Tree Protocol (STP) state and configuration for all VLANs or a specific VLAN, used to verify root bridge, port roles, and STP topology.
show spanning-tree detail
Displays detailed Spanning Tree Protocol (STP) information for all VLANs or a specific VLAN, including port roles, states, timers, and bridge IDs, used for troubleshooting STP convergence and topology changes.