Spanning Tree Protocol (STP) Explained: Preventing Loops for CCNA

Published February 21, 2026  |  15 min read  |  CCNA 200-301 Exam Topic: Network Access

1. Why STP Exists: The Broadcast Storm Problem

Every network engineer knows that redundancy is essential. If a single switch fails or a cable breaks, you want a backup path to keep traffic flowing. The natural solution is to install multiple physical links between switches. But this immediately creates a problem: without some mechanism to control those redundant paths, Ethernet switches will plunge the entire network into chaos within seconds. That mechanism is the Spanning Tree Protocol.

The Three Devastating Effects of Layer 2 Loops

When you connect switches in a ring or mesh topology without STP, three catastrophic problems occur simultaneously:

1. Broadcast Storms

A broadcast storm is the most immediately destructive consequence of a Layer 2 loop. Here is precisely what happens: Switch A receives a broadcast frame (such as an ARP request) on port 1. Since broadcasts must be forwarded out all other active ports, Switch A floods it out ports 2 and 3. The copy that goes out port 2 reaches Switch B, which floods it to Switch C. The copy from Switch C arrives back at Switch A on port 3 — and Switch A floods it again. Meanwhile, the original copy from Switch A to Switch C came back through Switch B. Now Switch A is receiving the same broadcast from two directions and forwarding both copies again. This doubles with every loop iteration. Within milliseconds, the switches are processing millions of copies of the same frame, consuming 100% of CPU and link bandwidth. The network becomes completely unusable.

THREE-SWITCH RING: BROADCAST STORM IN ACTION
=============================================

                    +----------+
   [port1] -------->| Switch A |  <--- Original broadcast frame arrives here
                    +--+----+--+
                       |    |
               [port2] |    | [port3]
                       |    |
          +------------+    +-------------+
          |                               |
   +------+---+                     +----+-----+
   | Switch B |--------------------->| Switch C |
   +----------+                     +----------+

Step 1: SW-A receives broadcast on port1, floods to port2 and port3
Step 2: SW-B receives copy, floods to SW-C
Step 3: SW-C receives copy, floods back to SW-A on port3
Step 4: SW-A receives it AGAIN and floods it AGAIN
Step 5: ALSO SW-A's original flood to port3 reached SW-C, which sent it
        back via SW-B to SW-A on port2

Result: SW-A is now receiving 2 copies per cycle. Each copy generates
2 more copies. Frames multiply EXPONENTIALLY until:
  - 100% CPU utilization on all switches
  - 100% link utilization on all segments
  - Network completely non-functional
  - Usually within 1-2 SECONDS of loop forming

2. MAC Address Table Instability

Switches build their MAC address tables by recording the source MAC address of each frame and the port it arrived on. In a looped topology, the same frame arrives from multiple directions. Switch A sees Host X's MAC arriving on port 2, then on port 3 a moment later, then on port 2 again. The MAC table entry for Host X keeps flipping between ports. Switches can never stabilize their MAC tables, so they resort to flooding unknown unicast traffic out all ports — which further worsens the storm. This condition is called MAC table flapping or thrashing.

3. Duplicate Frame Delivery

Even in lower-traffic situations before a full storm develops, hosts receive multiple identical copies of the same frame. While TCP can usually discard duplicates, many applications and protocols are not designed to handle duplicate frames at Layer 2. This causes application errors, protocol failures, and unpredictable behavior that is extremely difficult to diagnose without understanding Layer 2 loops.

The Core Challenge: Redundancy vs. Loop Prevention

Redundant physical links are absolutely necessary for enterprise network availability. If you only have one link between switches and it fails, network access is lost. The challenge is providing redundancy at the physical level while preventing loops at the logical level. Spanning Tree Protocol solves this by keeping redundant links physically connected but logically blocking them — and then activating them automatically if the primary link fails.

2. How STP Works: The Big Picture

Spanning Tree Protocol was originally defined in IEEE standard 802.1D. It was developed by Radia Perlman in 1985 and has become one of the most fundamental protocols in Ethernet networking. The core concept is elegantly simple: STP creates a loop-free logical topology from a physically redundant network by selectively blocking certain ports.

STP operates by having switches exchange special Layer 2 frames called Bridge Protocol Data Units (BPDUs). Using information in these BPDUs, all switches in the network independently arrive at the same decisions about which ports should forward traffic and which should be blocked. This distributed decision-making process is what makes STP robust — no single point of management is required.

The Three-Step STP Process

STP accomplishes loop prevention through three sequential steps that every switch in the network follows:

Step 1: Elect One Root Bridge for the Entire Network

All switches agree on a single "root bridge" — the central reference point for the entire spanning tree. Every path cost and port role decision is made relative to this root bridge. The root bridge is selected based on the Bridge ID, which combines a configurable priority value and the switch's MAC address. The switch with the lowest Bridge ID wins the election.

Step 2: Each Non-Root Switch Determines Its Best Path to the Root

Every switch that is NOT the root bridge must find the single best path to the root bridge. The port on that best path becomes the switch's Root Port — it is always in a forwarding state. "Best" means lowest cumulative path cost, measured by adding up the port costs of each link traversed from the switch back to the root bridge.

Step 3: Block All Other Redundant Ports

For each network segment (each link between switches), one switch is designated as the "designated switch" for that segment — the one that provides the best path to the root from that segment. Its port toward the segment is the Designated Port (forwarding). All other switch ports connected to that same segment are Non-Designated Ports and are placed in a Blocking state. Blocked ports still receive BPDUs but do not forward any data traffic.

The result is a tree-shaped logical topology rooted at the root bridge, with all loops eliminated at the logical level while the physical redundancy remains intact. If the root bridge fails or a forwarding link goes down, STP reconverges by recalculating and unblocking previously blocked ports.

Exam Tip: STP Standard Numbers

The CCNA exam expects you to know that classic STP is defined in IEEE 802.1D, Rapid STP (RSTP) is IEEE 802.1w, and Multiple Spanning Tree Protocol (MSTP) is IEEE 802.1s. Cisco's proprietary per-VLAN implementations are PVST+ (based on 802.1D) and Rapid PVST+ (based on 802.1w). Cisco switches run Rapid PVST+ by default on most modern IOS versions.

3. Bridge Protocol Data Units (BPDUs)

BPDUs are the language of STP. They are special Layer 2 frames that switches exchange to share information about their identities, their costs to the root bridge, and their port decisions. Without BPDUs, switches could not coordinate to build a consistent loop-free topology.

Types of BPDUs

There are two types of BPDUs in classic 802.1D STP:

Key BPDU Fields

Understanding the fields in a Configuration BPDU is essential for understanding how STP decisions are made:

BPDU Field       | Size    | Description                                                           | Default Value
-----------------+---------+-----------------------------------------------------------------------+--------------------------------------
Root Bridge ID   | 8 bytes | Bridge ID of the elected root bridge (priority + system-ID ext + MAC) | Sender's own Bridge ID initially
Root Path Cost   | 4 bytes | Cumulative cost of the path from sender to root bridge                | 0 (root bridge sets this)
Sender Bridge ID | 8 bytes | Bridge ID of the switch sending this BPDU                             | Sender's own Bridge ID
Sender Port ID   | 2 bytes | Port number on the sender that this BPDU was sent from                | Sender's port number
Message Age      | 2 bytes | How many hops this BPDU has traveled from the root bridge             | 0 at root, incremented by each switch
Max Age          | 2 bytes | Maximum time a switch stores BPDU info without receiving an update    | 20 seconds
Hello Time       | 2 bytes | Interval between Configuration BPDUs sent by the root                 | 2 seconds
Forward Delay    | 2 bytes | Time spent in Listening and Learning states                           | 15 seconds

How Switches Use BPDUs to Make Decisions

When a switch receives a BPDU on a port, it compares that BPDU to the best BPDU it has seen on that port. A switch considers a BPDU "superior" if it has a lower Root Bridge ID, or equal Root Bridge ID but lower Root Path Cost, or equal both but lower Sender Bridge ID, or equal all three but lower Sender Port ID. The switch always stores and propagates only the superior BPDU it has seen. This comparison mechanism is what drives every STP election decision.

BPDU Destination Address

BPDUs are sent to the multicast MAC address 01:80:C2:00:00:00. This address is reserved and is never forwarded by switches — it is consumed by the switch itself. This is why BPDUs never propagate beyond a single switch hop; each switch generates its own BPDUs to forward downstream.

4. Root Bridge Election

The root bridge election is the foundation of everything STP does. Every other STP decision — port roles, path costs, blocking decisions — is made relative to the root bridge. Getting the root bridge election right is critical for network performance.

Bridge ID Structure

Each switch has a unique Bridge ID (BID) composed of three parts:

BRIDGE ID STRUCTURE (8 bytes total)
====================================

|<---------- 2 bytes ----------->|<-------- 6 bytes -------->|
+---------------+----------------+---------------------------+
|   Priority    | System ID Ext  |       MAC Address         |
|   (4 bits)    |   (12 bits)    |        (48 bits)          |
|   0-61440     |   = VLAN ID    |  Lowest MAC = Tiebreaker  |
+---------------+----------------+---------------------------+

The 4-bit priority and the 12-bit System ID Extension share the first
2 bytes; the MAC address fills the remaining 6 bytes.

Priority values are multiples of 4096:
  0, 4096, 8192, 12288, 16384, 20480, 24576, 28672,
  32768 (DEFAULT), 36864, 40960, 45056, 49152, 53248, 57344, 61440

Full Bridge ID example for VLAN 1:
  Priority 32768 + VLAN 1 = 32769
  MAC: 00:1A:2B:3C:4D:5E
  Bridge ID: 32769.001A.2B3C.4D5E
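The Bridge ID layout above and the Configuration BPDU fields from section 3 can be exercised in code. The following Python is an added example written for this article (not Cisco code and not part of the original page): it packs a Bridge ID into its 8-byte wire form, builds a constructed Configuration BPDU frame addressed to 01:80:C2:00:00:00, and parses it back, decoding the four timers (carried on the wire in units of 1/256 second) and rendering Bridge IDs the way show spanning-tree prints them. The root MAC is the one from the example above; the sender MAC 00:1A:2B:3C:4D:60 is made up.

```python
import struct

# Reserved destination address for BPDUs (consumed by the receiving switch, never flooded).
STP_MULTICAST = bytes.fromhex("0180C2000000")
# 802.2 LLC header used by STP: DSAP 0x42, SSAP 0x42, control 0x03 (unnumbered information).
LLC_HEADER = b"\x42\x42\x03"


def encode_bridge_id(priority: int, vlan: int, mac: str) -> bytes:
    """Pack priority (upper 4 bits), system-ID extension (lower 12 bits) and MAC into 8 bytes."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("system-ID extension must be a VLAN ID (1-4094)")
    return struct.pack("!H", priority + vlan) + bytes.fromhex(mac.replace(":", ""))


def decode_bridge_id(raw: bytes) -> dict:
    """Split an 8-byte Bridge ID into its parts and render it the way Cisco IOS prints it."""
    prio_field = struct.unpack("!H", raw[:2])[0]
    mac_hex = raw[2:8].hex().upper()
    return {
        "priority": prio_field & 0xF000,        # multiple of 4096
        "sys_id_ext": prio_field & 0x0FFF,      # VLAN ID
        "mac": ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2)),
        "cisco": f"{prio_field}.{mac_hex[0:4]}.{mac_hex[4:8]}.{mac_hex[8:12]}",
    }


def build_config_bpdu(src_mac: str, root_id: bytes, root_path_cost: int, bridge_id: bytes,
                      port_priority: int, port_number: int, message_age: float,
                      max_age: float = 20, hello_time: float = 2, forward_delay: float = 15) -> bytes:
    """Build a complete Ethernet frame carrying an 802.1D Configuration BPDU (timers in seconds)."""
    port_id = ((port_priority // 16) << 12) | port_number
    payload = struct.pack("!HBBB", 0x0000, 0x00, 0x00, 0x00)   # protocol ID, version, type, flags
    payload += root_id + struct.pack("!I", root_path_cost) + bridge_id + struct.pack("!H", port_id)
    # All four timers are carried in units of 1/256 second.
    payload += struct.pack("!HHHH", *(int(t * 256) for t in
                                      (message_age, max_age, hello_time, forward_delay)))
    src = bytes.fromhex(src_mac.replace(":", ""))
    length = struct.pack("!H", len(LLC_HEADER) + len(payload))
    return STP_MULTICAST + src + length + LLC_HEADER + payload


def parse_config_bpdu(frame: bytes) -> dict:
    """Decode a Configuration BPDU frame into the fields a switch compares during elections."""
    if frame[0:6] != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast address 01:80:C2:00:00:00")
    if frame[14:17] != LLC_HEADER:
        raise ValueError("missing STP LLC header")
    body = frame[17:]
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", body[0:5])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"not a Configuration BPDU (protocol={proto}, type={bpdu_type:#x})")
    root_path_cost = struct.unpack("!I", body[13:17])[0]
    port_id = struct.unpack("!H", body[25:27])[0]
    msg_age, max_age, hello, fwd = (t / 256 for t in struct.unpack("!HHHH", body[27:35]))
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),
        "root": decode_bridge_id(body[5:13]),
        "root_path_cost": root_path_cost,
        "sender": decode_bridge_id(body[17:25]),
        "sender_port": f"{(port_id >> 12) * 16}.{port_id & 0x0FFF}",   # e.g. 128.1
        "message_age": msg_age,
        "max_age": max_age,
        "hello_time": hello,
        "forward_delay": fwd,
    }


# Constructed sample: the root (priority 24576, VLAN 1, MAC from the article) is advertised by a
# downstream switch that still has the default priority 32768. The sender MAC is made up.
ROOT_ID = encode_bridge_id(24576, 1, "00:1A:2B:3C:4D:5E")
SENDER_ID = encode_bridge_id(32768, 1, "00:1A:2B:3C:4D:60")
SAMPLE_FRAME = build_config_bpdu("00:1A:2B:3C:4D:60", ROOT_ID, 4, SENDER_ID, 128, 1, message_age=1)

if __name__ == "__main__":
    for key, value in parse_config_bpdu(SAMPLE_FRAME).items():
        print(f"{key:16} {value}")
```

Feeding a frame with any other destination address, or a TCN BPDU (type 0x80), raises instead of returning partial fields, which is the behaviour you want from anything that later feeds a comparison.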

Election Rules

All switches start up believing they are the root bridge and advertise their own Bridge ID as the Root Bridge ID in their BPDUs. As switches exchange BPDUs, they compare Bridge IDs using a simple rule: lower is better.

Exam Tip: Never Rely on MAC Address for Root Election

In a production network, never allow the root bridge to be determined by the lowest MAC address. MAC addresses are factory-assigned and the oldest switch (with the lowest MAC) may have the least capable hardware. Always manually configure the root bridge using the priority command. In the real world, your highest-capacity, most-central switch should be the root bridge.

Configuring the Root Bridge

Cisco provides two methods to control root bridge election:

! METHOD 1: Set priority directly (must be a multiple of 4096)
Switch(config)# spanning-tree vlan 1 priority 4096

! METHOD 2: Use the macro commands (Cisco shortcut)
! 'root primary' sets priority to 24576
Switch(config)# spanning-tree vlan 1 root primary
! 'root secondary' sets priority to 28672 (backup root)
Switch(config)# spanning-tree vlan 1 root secondary

! Verify the root bridge and priorities
Switch# show spanning-tree vlan 1

! Example output snippet:
! VLAN0001
!   Spanning tree enabled protocol rstp
!   Root ID    Priority    24577   (24576 + VLAN 1 = 24577)
!              Address     001A.2B3C.4D5E
!              This bridge is the root
!   Bridge ID  Priority    24577
!              Address     001A.2B3C.4D5E

Priority Values for Root Configuration

Command / Setting                   | Priority Value | Use Case
------------------------------------+----------------+-------------------------------------
Default (no config)                 | 32768          | Default — do not rely on this
spanning-tree vlan X root secondary | 28672          | Backup root bridge
spanning-tree vlan X root primary   | 24576          | Primary root bridge (macro)
spanning-tree vlan X priority 4096  | 4096           | Explicit primary root configuration
spanning-tree vlan X priority 0     | 0              | Guarantee root bridge election

5. STP Port Roles

Once the root bridge is elected, every switch port in the network is assigned one of four port roles. Port roles define the logical function of a port in the spanning tree topology. Understanding port roles is one of the most tested STP concepts on the CCNA exam.

The Four Port Roles

Root Port (RP)

Assignment: One per non-root switch. State: Forwarding.

The Root Port is the port that provides the best (lowest-cost) path from this switch to the root bridge. Every non-root switch has exactly one Root Port. The root bridge itself has no Root Ports — all of its ports are Designated Ports. Root Port selection uses the tiebreaker sequence: lowest root path cost → lowest sender Bridge ID → lowest sender Port ID.

Designated Port (DP)

Assignment: One per network segment (one per link). State: Forwarding.

The Designated Port is the port on the switch that provides the best path to the root bridge FOR that network segment. Every segment has exactly one Designated Port. All ports on the root bridge are Designated Ports by definition (since the root has a path cost of 0 to itself). On non-root switches, a port becomes Designated if it offers a better path to root than the switch on the other end of the link.

Non-Designated Port (NDP) / Alternate Port

Assignment: Any port that is not the Root Port or Designated Port. State: Blocking.

Non-Designated Ports are the blocked ports that prevent loops. A port becomes Non-Designated when the switch on the other end of the link has a better path to the root bridge. Even in Blocking state, these ports still receive BPDUs — they just do not forward data frames or learn MAC addresses. This allows them to detect topology changes and transition to Forwarding if needed.

Disabled Port

Assignment: Administratively shut down ports. State: Disabled.

Disabled ports do not participate in STP at all. They do not send or receive BPDUs and do not forward traffic. This is simply a port that has been shut down with the shutdown interface command.

Port Role Determination: The Tiebreaker Sequence

When a switch needs to determine which port gets which role, it uses this ordered list of tiebreakers (compare lowest value first):

  1. Lowest Root Path Cost: The total accumulated cost of the path to the root bridge from this port.
  2. Lowest Sender Bridge ID: The Bridge ID of the switch on the other end of the link.
  3. Lowest Sender Port ID: The port number on the sending switch (if two ports connect to the same switch).

Mnemonic: "Real Designers Block" — Port Role Memory Aid

Root Port = one per switch, best path to Root (Forwarding)
Designated Port = one per segment, best path from segment to Root (Forwarding)
Blocked Port = everything else, Blocks to prevent loops

Remember: If a port is not the Root Port and not the Designated Port, it MUST be blocked. There is no other option in classic 802.1D STP. Every forwarding port is either Root or Designated — never both on the same switch for the same link.

Exam Tip: Root Bridge Port Roles

The root bridge has NO Root Ports — only Designated Ports. This makes sense because a Root Port is defined as the port pointing toward the root bridge, and the root bridge is already the root. Every single active port on the root bridge is a Designated Port. On the CCNA exam, if you see a question asking what role a port on the root bridge plays, the answer is always Designated Port (unless it is administratively disabled).

6. STP Port States

In addition to port roles, every STP port also has a port state. While port roles describe what function a port serves in the topology, port states describe what actions a port is currently performing. In classic 802.1D STP, there are five possible port states, and a port transitions through them sequentially when it is activated.

The Five 802.1D Port States

State      | Receives BPDUs | Sends BPDUs | Learns MACs | Forwards Data | Duration
-----------+----------------+-------------+-------------+---------------+-------------------------------
Blocking   | Yes            | No          | No          | No            | Up to 20s (Max Age)
Listening  | Yes            | Yes         | No          | No            | 15s (Forward Delay)
Learning   | Yes            | Yes         | Yes         | No            | 15s (Forward Delay)
Forwarding | Yes            | Yes         | Yes         | Yes           | Indefinite (normal operation)
Disabled   | No             | No          | No          | No            | Until administratively enabled

State Descriptions

Blocking: When a port first comes up, it enters Blocking state. In this state, the port receives BPDUs to learn about the topology but does not send BPDUs, does not learn MAC addresses, and does not forward any data frames. A port remains in Blocking state if it has been designated as a Non-Designated Port to prevent a loop. It also enters Blocking state when the switch is determining its role. The maximum time a port waits in Blocking state before taking action is the Max Age timer (20 seconds by default).

Listening: After the Blocking state, if a port is determined to be a Root Port or Designated Port, it transitions to Listening. During Listening, the switch actively participates in the root bridge election and port role determination by sending and receiving BPDUs. It still does not learn MAC addresses or forward data. This state lasts for the Forward Delay timer (15 seconds by default).

Learning: After Listening, the port moves to Learning state. The switch now begins populating its MAC address table from frames it receives, but still does not forward data frames. This prevents a flood of unknown unicast traffic when the port first starts forwarding. This state also lasts for the Forward Delay timer (15 seconds).

Forwarding: The port is now fully operational. It sends and receives BPDUs, learns MAC addresses, and forwards all data traffic normally. This is the desired steady-state for Root Ports and Designated Ports.

Disabled: The port has been administratively shut down. It plays no role in STP and carries no traffic.

STP State Transition Diagram

STP PORT STATE TRANSITIONS (802.1D Classic STP)
================================================

   Port powered on
        |
        v
  +------------+   Port selected as Root/Designated    +------------+
  |  BLOCKING  | -------------------------------------> |  LISTENING |
  |  (Max Age  |   (transition after Max Age, or        |  (15s Fwd  |
  |   20 sec)  |    immediately if port just came up)   |   Delay)   |
  +------------+                                        +-----+------+
        ^                                                     |
        |                                        After 15 sec |
        |                                                     v
        |                                               +------------+
        |                                               |  LEARNING  |
        |                                               |  (15s Fwd  |
        |                                               |   Delay)   |
        |                                               +-----+------+
        |                                                     |
        |                                        After 15 sec |
        |                                                     v
        |                                               +------------+
        |                                               | FORWARDING |
        |                                               |  (Normal   |
        |                                               | Operation) |
        |                                               +-----+------+
        |                                                     |
        +------- Topology change / inferior BPDU received ----+

Total time from Blocking to Forwarding:
  Listening (15s) + Learning (15s) = 30 seconds minimum
  If starting from Blocking with Max Age expiry: up to 50 seconds
This is why classic STP convergence is SLOW.

Exam Tip: The 50-Second Convergence Problem

Classic 802.1D STP can take up to 50 seconds to converge: 20 seconds Max Age (waiting for BPDUs to expire) + 15 seconds Listening + 15 seconds Learning = 50 seconds. This is why RSTP (802.1w) was developed. Modern networks use Rapid PVST+ which can converge in 1-2 seconds. The CCNA exam tests both the 802.1D timers AND the RSTP improvements, so know both.
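The 30- and 50-second figures fall out of a simple per-port timer model, which is easier to internalise when you can step through it. The Python below is an added example for this article, not code from the page or from any switch vendor: it models one 802.1D port that receives Hello BPDUs every 2 seconds and applies the Max Age and Forward Delay timers second by second, with PortFast as the shortcut. One simplification is labelled in the code: when the stored BPDU ages out, the port is assumed to be selected as Designated (a real switch would re-run the election first).

```python
class StpPort:
    """One 802.1D port: tracks state, role and the two timers that drive convergence."""

    def __init__(self, name: str, role: str = "Non-Designated", portfast: bool = False,
                 max_age: int = 20, forward_delay: int = 15):
        self.name, self.role, self.portfast = name, role, portfast
        self.max_age, self.forward_delay = max_age, forward_delay
        self.state, self.state_since, self.last_bpdu = "Blocking", 0, 0
        self.transitions = [(0, "Blocking")]          # (time in seconds, new state)
        if role in ("Root", "Designated"):            # selected immediately: no Max Age wait
            self._start_forwarding_path(0)

    def _enter(self, state: str, now: int) -> None:
        self.state, self.state_since = state, now
        self.transitions.append((now, state))

    def _start_forwarding_path(self, now: int) -> None:
        # PortFast skips Listening and Learning entirely (end-device ports only).
        self._enter("Forwarding" if self.portfast else "Listening", now)

    def receive_bpdu(self, now: int) -> None:
        """A BPDU from the segment's designated bridge refreshes the information stored here."""
        self.last_bpdu = now

    def tick(self, now: int) -> None:
        """Advance the clock to `now` (whole seconds) and apply any timer-driven transition."""
        if (self.state == "Blocking" and self.role == "Non-Designated"
                and now - self.last_bpdu >= self.max_age):
            # Stored BPDU aged out (Max Age). Simplifying assumption: the port is then
            # selected as Designated, so it leaves Blocking and starts the 2 x 15 s climb.
            self.role = "Designated"
            self._start_forwarding_path(now)
        elif self.state == "Listening" and now - self.state_since >= self.forward_delay:
            self._enter("Learning", now)
        elif self.state == "Learning" and now - self.state_since >= self.forward_delay:
            self._enter("Forwarding", now)


def simulate(role: str, portfast: bool = False, bpdus_until: int = None, seconds: int = 80) -> list:
    """Run one port for `seconds`. Hello BPDUs arrive every 2 s until `bpdus_until` (None = forever)."""
    port = StpPort("Gi0/1", role=role, portfast=portfast)
    for now in range(1, seconds + 1):
        if now % 2 == 0 and (bpdus_until is None or now <= bpdus_until):
            port.receive_bpdu(now)
        port.tick(now)
    return port.transitions


def time_to_forwarding(transitions: list):
    """Second at which the port first reached Forwarding, or None if it never did."""
    return next((t for t, s in transitions if s == "Forwarding"), None)


if __name__ == "__main__":
    print("new Designated port:      ", simulate("Designated"))
    print("blocked port, BPDUs stop at t=10:", simulate("Non-Designated", bpdus_until=10))
    print("blocked port, BPDUs keep coming: ", simulate("Non-Designated"))
    print("PortFast port:            ", simulate("Designated", portfast=True))
```

The second scenario is the 50-second case: the upstream BPDUs stop at t=10, the port waits the full Max Age (to t=30), and then spends 15 seconds in each of Listening and Learning, forwarding at t=60. The third scenario shows why a blocked port with a healthy upstream never leaves Blocking, which is exactly the loop-prevention guarantee.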

7. STP Path Cost

STP Path Cost is the metric used to determine which path from a non-root switch to the root bridge is "best." Unlike routing protocols that use bandwidth-based metrics calculated automatically, STP path cost is an integer value assigned to each port based on the port's link speed. Lower cost = better path.

Standard Port Cost Values

Link Speed | IEEE 802.1D Cost (Original) | IEEE 802.1t Cost (Revised)
-----------+-----------------------------+---------------------------
10 Gbps    | 2                           | 2
1 Gbps     | 4                           | 4
100 Mbps   | 19                          | 19
10 Mbps    | 100                         | 100

How Path Cost Is Calculated

A critical concept: path cost is cumulative and is measured at the receiving port. When the root bridge sends a BPDU, it advertises a Root Path Cost of 0. When the next-hop switch receives that BPDU, it adds the cost of the port on which it received the BPDU, then advertises that accumulated cost in its own BPDUs. This continues hop by hop.

PATH COST CALCULATION EXAMPLE
==============================

   Root Bridge               Switch B                 Switch C
     (SW-A)                  (1 Gbps)                (100 Mbps)
       |                        |                        |
       +-------[1 Gbps]---------+-------[100 Mbps]-------+
              cost=4 on SW-B            cost=19 on SW-C
              (SW-B's Gi0/0)            (SW-C's Fa0/0)

SW-A sends BPDU with Root Path Cost = 0
SW-B receives on Gi0/0 (cost=4), advertises Root Path Cost = 0+4 = 4
SW-C receives on Fa0/0 (cost=19) from SW-B, Root Path Cost = 4+19 = 23

Now add a direct link: SW-A --- [1 Gbps] --- SW-C
SW-C's cost via direct link = 0+4 = 4

RESULT: SW-C chooses the DIRECT link to SW-A as its ROOT PORT
        (cost 4 beats cost 23)
        The link via SW-B is the NON-DESIGNATED (blocked) path on SW-C

SW-B has cost 4 to root (via its Gi0/0)
SW-C has cost 4 to root (via direct link)
The SW-B to SW-C link: SW-B's cost = 4, SW-C's cost = 4 (tie!)
Tiebreaker: lower Sender Bridge ID wins Designated Port role
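The election, path-cost and port-role rules of sections 3 through 7 combine into one computation, and running it over the topology above confirms every line of the walkthrough. The following Python is an added example, not the article's or Cisco's code: it floods BPDUs and applies the four-field comparison from section 3 (root path cost, sender Bridge ID, sender port ID, plus the receiving port ID) until nothing changes, then assigns Root, Designated and Non-Designated roles segment by segment. It goes beyond the diagram in one respect: the function accepts any set of switches and links, so pvst_example() also reproduces the per-VLAN root placement from section 9 by giving the two distribution switches swapped primary/secondary priorities. SW-A's MAC is the article's; the other MACs are constructed, and port IDs are compared by interface name, a simplification of the numeric port ID.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int   # multiple of 4096; 32768 is the default
    vlan: int       # system-ID extension
    mac: str        # colon-separated; the lowest MAC breaks priority ties

    def key(self) -> tuple:
        """Ordering used in every STP comparison: lower priority+VLAN first, then lower MAC."""
        return (self.priority + self.vlan, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Link:
    """One segment. Each end's cost is what that switch adds when a BPDU arrives on its port."""
    a: str
    a_port: str
    a_cost: int
    b: str
    b_port: str
    b_cost: int


def port_id(name: str) -> tuple:
    # Final tiebreaker. Simplification: default port priority 128, then the interface name.
    return (128, name)


def spanning_tree(bridges: dict, links: list) -> dict:
    """Root election, root path costs and port roles for one STP instance (one VLAN in PVST+)."""
    root = min(bridges, key=lambda n: bridges[n].key())
    # Best BPDU seen per switch: (root path cost, sender BID, sender port ID, receiving port ID, root port)
    best = {name: None for name in bridges}
    best[root] = (0, None, None, None, None)

    changed = True   # flood BPDUs until no switch finds a better one (Bellman-Ford style)
    while changed:
        changed = False
        for l in links:
            for sender, s_port, receiver, r_port, r_cost in (
                (l.a, l.a_port, l.b, l.b_port, l.b_cost),
                (l.b, l.b_port, l.a, l.a_port, l.a_cost),
            ):
                if best[sender] is None or receiver == root:
                    continue
                # The receiving switch adds the cost of the port the BPDU arrived on.
                cand = (best[sender][0] + r_cost, bridges[sender].key(),
                        port_id(s_port), port_id(r_port), r_port)
                if best[receiver] is None or cand < best[receiver]:
                    best[receiver] = cand
                    changed = True

    roles = {name: {} for name in bridges}
    for l in links:
        # The Designated end is the one offering the segment the better (cost, BID, port ID).
        ends = [(l.a, l.a_port), (l.b, l.b_port)]
        (d_sw, d_port), (o_sw, o_port) = sorted(
            ends, key=lambda e: (best[e[0]][0], bridges[e[0]].key(), port_id(e[1])))
        roles[d_sw][d_port] = "Designated"
        roles[o_sw][o_port] = "Root" if best[o_sw][4] == o_port else "Non-Designated"

    return {"root": root,
            "root_path_cost": {n: best[n][0] for n in bridges},
            "root_port": {n: best[n][4] for n in bridges},
            "roles": roles}


# Topology from the diagram above. SW-A's MAC is the article's; the other two are constructed.
BRIDGES = {
    "SW-A": BridgeId(24576, 1, "00:1A:2B:3C:4D:5E"),   # root primary
    "SW-B": BridgeId(32768, 1, "00:1A:2B:3C:4D:60"),
    "SW-C": BridgeId(32768, 1, "00:1A:2B:3C:4D:70"),
}
LINKS = [
    Link("SW-A", "Gi0/1", 4, "SW-B", "Gi0/0", 4),      # 1 Gbps
    Link("SW-B", "Fa0/1", 19, "SW-C", "Fa0/0", 19),    # 100 Mbps
    Link("SW-A", "Gi0/2", 4, "SW-C", "Gi0/1", 4),      # the added direct 1 Gbps link
]


def pvst_example() -> dict:
    """Two VLANs over the same access/distribution triangle with swapped root primary/secondary."""
    macs = {"Dist-A": "00:1A:2B:3C:4D:5E", "Dist-B": "00:1A:2B:3C:4D:60", "Access": "00:1A:2B:3C:4D:70"}
    links = [Link("Dist-A", "Gi0/1", 4, "Access", "Gi0/1", 4),
             Link("Dist-B", "Gi0/1", 4, "Access", "Gi0/2", 4),
             Link("Dist-A", "Gi0/2", 4, "Dist-B", "Gi0/2", 4)]
    results = {}
    for vlan, prio in ((10, {"Dist-A": 24576, "Dist-B": 28672}),
                       (20, {"Dist-A": 28672, "Dist-B": 24576})):
        bridges = {n: BridgeId(prio.get(n, 32768), vlan, m) for n, m in macs.items()}
        results[vlan] = spanning_tree(bridges, links)
    return results


if __name__ == "__main__":
    result = spanning_tree(BRIDGES, LINKS)
    print("root:", result["root"], "costs:", result["root_path_cost"])
    for sw, ports in result["roles"].items():
        print(sw, ports)
```

With these inputs SW-C's Gi0/1 (direct link, cost 4) becomes its Root Port and its Fa0/0 toward SW-B is Non-Designated, and on the tied SW-B/SW-C segment SW-B wins the Designated role on its lower Bridge ID. In the PVST+ case the access switch blocks Gi0/2 in VLAN 10 and Gi0/1 in VLAN 20, so both uplinks carry traffic.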

Modifying Port Cost Manually

You can manually override the automatic port cost to influence STP path selection. This is useful when you want to prefer one link over another for a specific VLAN. Use: interface GigabitEthernet0/1 then spanning-tree vlan 1 cost 2. Setting a lower cost makes that port more preferred; setting a higher cost makes it less preferred. This is a common technique in PVST+ to achieve per-VLAN load balancing.

8. RSTP: Rapid Spanning Tree Protocol (802.1w)

Rapid Spanning Tree Protocol (RSTP) was standardized in IEEE 802.1w and later incorporated into the 802.1D-2004 revision as the new standard. RSTP addresses the primary complaint about classic STP: the slow convergence time of 30-50 seconds. RSTP achieves convergence in 1-2 seconds in most topologies by replacing the timer-based approach with an active negotiation mechanism.

RSTP Port Roles

RSTP maintains the Root Port and Designated Port roles from 802.1D but introduces two new roles, Alternate and Backup, to handle redundant paths more intelligently.

RSTP Port States

RSTP consolidates the five 802.1D states into just three: Discarding, Learning, and Forwarding.

The Proposal/Agreement Mechanism

The key innovation in RSTP is the Proposal/Agreement (PA) handshake mechanism, which replaces the passive timer-based approach of 802.1D:

  1. When a switch has a new Designated Port, it sends a BPDU with the Proposal bit set, essentially asking: "I want to be your Designated Port — can I start forwarding?"
  2. The downstream switch receives this proposal. If it agrees that the sending port should be Designated, it immediately sets all its non-edge ports to Discarding (to prevent loops), then sends a BPDU with the Agreement bit set back to the upstream switch.
  3. Upon receiving the Agreement, the upstream switch immediately transitions its Designated Port to Forwarding — no 30-second wait required.
  4. The downstream switch then sends Proposals to its own downstream neighbors, propagating the rapid convergence wave through the network.
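The following Python is an added example, not from the article or from any RSTP implementation: a minimal simulation of the handshake above on a constructed loop-free chain (Root, SW-B, SW-C, with a host PC1 on an edge port of SW-C). It records every Proposal, sync step and Agreement in the order they happen, so you can see that the downstream switch discards its other non-edge ports before it agrees and that the wave then continues one hop further. It does not model redundant links or the tiebreaks a competing proposal would trigger.

```python
class RstpNetwork:
    """Loop-free (tree) topology of RSTP switches; simulates the Proposal/Agreement wave."""

    def __init__(self):
        self.ports = {}        # switch -> {neighbor or host -> port state}
        self.edge_ports = {}   # switch -> set of edge port names (end devices)
        self.log = []          # ordered record of the exchange

    def add_link(self, a: str, b: str) -> None:
        for x, y in ((a, b), (b, a)):
            self.ports.setdefault(x, {})[y] = "Discarding"   # switch-to-switch ports start Discarding
            self.edge_ports.setdefault(x, set())

    def add_edge_port(self, switch: str, host: str) -> None:
        self.ports.setdefault(switch, {})[host] = "Forwarding"  # edge ports forward immediately
        self.edge_ports.setdefault(switch, set()).add(host)

    def converge(self, root: str) -> None:
        """The root starts the handshake on all of its (Designated) ports."""
        self._propose(root, from_switch=None)

    def _propose(self, upstream: str, from_switch) -> None:
        for nbr in list(self.ports[upstream]):
            if nbr == from_switch or nbr in self.edge_ports[upstream]:
                continue
            self.log.append(f"{upstream} -> {nbr}: Proposal")
            self._handle_proposal(downstream=nbr, upstream=upstream)

    def _handle_proposal(self, downstream: str, upstream: str) -> None:
        # Sync: before agreeing, the downstream switch puts every non-edge port other than
        # its new Root Port into Discarding so that no transient loop can form.
        for nbr in self.ports[downstream]:
            if nbr != upstream and nbr not in self.edge_ports[downstream]:
                self.ports[downstream][nbr] = "Discarding"
                self.log.append(f"{downstream}: port toward {nbr} set to Discarding (sync)")
        self.ports[downstream][upstream] = "Forwarding"      # new Root Port
        self.log.append(f"{downstream} -> {upstream}: Agreement")
        self.ports[upstream][downstream] = "Forwarding"      # Designated Port forwards at once
        # The wave continues: the downstream switch now proposes to its own neighbors.
        self._propose(downstream, from_switch=upstream)

    def forwarding_ports(self) -> dict:
        return {sw: sorted(p for p, s in ports.items() if s == "Forwarding")
                for sw, ports in self.ports.items()}


def build_example() -> RstpNetwork:
    """Constructed chain Root - SW-B - SW-C; SW-C also has an edge port to host PC1."""
    net = RstpNetwork()
    net.add_link("Root", "SW-B")
    net.add_link("SW-B", "SW-C")
    net.add_edge_port("SW-C", "PC1")
    net.converge("Root")
    return net


if __name__ == "__main__":
    net = build_example()
    print("\n".join(net.log))
    print(net.forwarding_ports())
```

Note that PC1's edge port is never touched by the sync step: that is the RSTP behaviour the Edge Ports section below describes, and it is why a misclassified switch-to-switch port marked as edge is dangerous.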

Edge Ports (PortFast Equivalent)

RSTP introduces the concept of Edge Ports — ports connected directly to end devices (computers, servers, printers) rather than to other switches. Edge Ports skip all STP negotiation and immediately transition to Forwarding state when they come up. This is equivalent to Cisco's PortFast feature in PVST+. RSTP Edge Ports still participate in STP and will revert to normal STP behavior if they receive a BPDU (which would indicate another switch is connected).

Exam Tip: RSTP Is the Modern Standard

Most Cisco switches today run Rapid PVST+ by default, which is Cisco's per-VLAN implementation of RSTP (802.1w). When you see STP questions on the exam, they may refer to either 802.1D (classic) or 802.1w (rapid). Know the differences: 802.1D has 5 port states and slow convergence; 802.1w has 3 port states, 4 port roles including Alternate and Backup, and fast convergence via Proposal/Agreement. The exam number to remember: 802.1w = RSTP.

9. Per-VLAN Spanning Tree (PVST+ and Rapid PVST+)

Standard IEEE STP (802.1D and 802.1w) runs a single spanning tree instance for the entire network, regardless of how many VLANs exist. Cisco recognized that this creates a significant limitation: if you have 50 VLANs but only one STP instance, all 50 VLANs must use the same blocked ports and the same forwarding topology. You cannot load-balance traffic across redundant links on a per-VLAN basis.

Cisco's Per-VLAN Solution

Cisco's solution is PVST+ (Per-VLAN Spanning Tree Plus), which runs a separate, independent STP instance for each VLAN. Rapid PVST+ does the same thing but uses RSTP (802.1w) as the underlying protocol.

Load Balancing with PVST+

PVST+ LOAD BALANCING EXAMPLE
=============================

  Distribution Switch A            Distribution Switch B
   (Root for VLAN 10)               (Root for VLAN 20)
            |                                |
         [Trunk]                          [Trunk]
            |                                |
     +------+--------------------------------+------+
     |                 Access Switch                |
     +---------------------------------------------+

VLAN 10 Traffic: A <-- active -- Access SW (blocked toward B)
VLAN 20 Traffic: B <-- active -- Access SW (blocked toward A)

Result: Both uplinks carry traffic simultaneously, just for different VLANs.
Without PVST+: One uplink carries ALL traffic, other uplink is completely idle.

Configuration (on the distribution switches):
! Make SW-A root for VLAN 10 (on Switch A)
spanning-tree vlan 10 root primary
spanning-tree vlan 20 root secondary
! Make SW-B root for VLAN 20 (on Switch B)
spanning-tree vlan 20 root primary
spanning-tree vlan 10 root secondary

PVST+ Overhead Considerations

The cost of running per-VLAN STP is that each VLAN instance requires separate BPDU processing, memory for topology tables, and CPU for convergence calculations. In a network with hundreds of VLANs, this can add up significantly. Modern switches handle this well, but it is worth being aware of — particularly in large campus networks. This is one reason Multiple Spanning Tree Protocol (MSTP, 802.1s) was developed: it maps multiple VLANs to fewer STP instances to reduce overhead while still allowing some topology differentiation.

Default STP Mode on Cisco IOS

The default STP mode on Cisco Catalyst switches running current IOS versions is Rapid PVST+. You can verify this with show spanning-tree summary which will display "Switch is in rapid-pvst mode." Older IOS versions may default to PVST+ (classic 802.1D per VLAN). The command to explicitly set the mode is spanning-tree mode rapid-pvst (global config) or spanning-tree mode pvst for classic STP.

10. Cisco STP Configuration and Verification

This section covers the essential STP configuration commands you need for both the CCNA exam and real-world network management. All commands shown are for Cisco IOS switches running Rapid PVST+.

Setting the Root Bridge

! Set root bridge with explicit priority (multiple of 4096)
Switch(config)# spanning-tree vlan 1 priority 4096

! Or use the convenience macro (sets priority to 24576)
Switch(config)# spanning-tree vlan 1 root primary

! Set backup root bridge (sets priority to 28672)
Switch(config)# spanning-tree vlan 1 root secondary

! Set root for multiple VLANs at once
Switch(config)# spanning-tree vlan 10,20,30 root primary

PortFast: Skipping STP States for End Devices

! Enable PortFast on a specific access port (end device only!)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree portfast

! Enable PortFast globally on all access ports
Switch(config)# spanning-tree portfast default

! WARNING: NEVER enable PortFast on ports connected to other switches!
! A port with PortFast that receives a BPDU will cause a topology loop
! until BPDU Guard err-disables it.

BPDU Guard: Protecting PortFast Ports

! Enable BPDU Guard on a specific PortFast interface
! If a BPDU is received, the port is err-disabled immediately
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree bpduguard enable

! Enable BPDU Guard globally on all PortFast-enabled ports
Switch(config)# spanning-tree portfast bpduguard default

! To recover from err-disable state (manual or auto)
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300

Root Guard: Preventing Unauthorized Root Bridges

! Enable Root Guard on a port where you do NOT want
! a superior BPDU to cause a new root bridge election.
! If a superior BPDU arrives, the port goes to root-inconsistent state.
Switch(config)# interface GigabitEthernet0/2
Switch(config-if)# spanning-tree guard root

! Root Guard is typically applied on Designated Ports
! that face customer or untrusted switch connections.

Modifying Port Cost and Priority

! Override port cost to influence root port selection
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree vlan 1 cost 2

! Override port priority (lower = more preferred)
! Default port priority is 128, values must be multiples of 16
Switch(config-if)# spanning-tree vlan 1 port-priority 64

Verification Commands

! Show spanning tree for ALL VLANs
Switch# show spanning-tree
! Show spanning tree for a specific VLAN
Switch# show spanning-tree vlan 1
! Show STP state for a specific interface
Switch# show spanning-tree interface GigabitEthernet0/1
! Show brief summary of STP operation
Switch# show spanning-tree summary

! Example output of 'show spanning-tree vlan 1':
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     001A.2B3C.4D5E
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     001A.2B3C.4D5E
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p Edge
Gi0/3               Desg FWD 19        128.3    P2p

Exam Tip: Reading show spanning-tree Output

On the CCNA exam, you may be shown the output of show spanning-tree and asked to identify port roles and states. Key fields: Role = Desg (Designated), Root, Altn (Alternate), Back (Backup). Status = FWD (Forwarding), BLK (Blocking), LIS (Listening), LRN (Learning). The switch whose output shows "This bridge is the root" is the root bridge. If that line is absent, look at the Root ID section — the address there belongs to a different switch, which is the actual root bridge.
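Reading this output by hand is fine for one switch; across a campus, parsing it is the reliable way to confirm that the root is where you placed it, to list which redundant links STP is holding, and to flag edge (PortFast) ports that need BPDU Guard. The Python below is an added example, not part of the article or of IOS: it parses show spanning-tree vlan output into a dictionary and produces audit findings from it. Both sample outputs are constructed; the first mirrors the article's example above, and the non-root switch's MAC 001A.2B3C.4D70 is made up.

```python
import re

# Constructed outputs modelled on the article's sample; the second is a non-root switch.
ROOT_SWITCH_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     001A.2B3C.4D5E
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     001A.2B3C.4D5E
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p Edge
Gi0/3               Desg FWD 19        128.3    P2p
"""

NON_ROOT_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     001A.2B3C.4D5E
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001A.2B3C.4D70
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p
Fa0/3               Desg FWD 19        128.3    P2p Edge
"""

PORT_ROW = re.compile(r"^(?P<intf>\S+)\s+(?P<role>Desg|Root|Altn|Back)\s+(?P<sts>FWD|BLK|LIS|LRN)"
                      r"\s+(?P<cost>\d+)\s+(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>.+?)\s*$")
TIMERS = re.compile(r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")


def parse_show_spanning_tree(text: str) -> dict:
    """Turn one VLAN block of `show spanning-tree` into a dictionary."""
    tree = {"vlan": None, "protocol": None, "is_root": False,
            "root": {}, "bridge": {}, "timers": None, "ports": []}
    section = None                      # which Address line we are in: "root" or "bridge"
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("VLAN"):
            tree["vlan"] = int(s[4:])
        elif s.startswith("Spanning tree enabled protocol"):
            tree["protocol"] = s.split()[-1]
        elif s.startswith("Root ID"):
            section = "root"
            tree["root"]["priority"] = int(s.split()[-1])
        elif s.startswith("Bridge ID"):
            section = "bridge"
            tree["bridge"]["priority"] = int(s.split()[3])
        elif s.startswith("Address") and section:
            tree[section]["address"] = s.split()[1]
        elif s == "This bridge is the root":
            tree["is_root"] = True
        elif (m := TIMERS.search(s)) and tree["timers"] is None:
            tree["timers"] = {"hello": int(m[1]), "max_age": int(m[2]), "forward_delay": int(m[3])}
        elif (m := PORT_ROW.match(s)):
            tree["ports"].append({**m.groupdict(), "cost": int(m["cost"])})
    return tree


def audit(tree: dict) -> list:
    """Findings an engineer wants at a glance: who is root, what is blocked, which ports are edge."""
    findings = []
    if not tree["is_root"]:
        findings.append(f"VLAN {tree['vlan']}: root bridge is {tree['root']['address']} "
                        f"(priority {tree['root']['priority']}), not this switch")
    if tree["root"].get("priority") == 32768 + (tree["vlan"] or 0):
        findings.append(f"VLAN {tree['vlan']}: root still has the default priority, "
                        "so the root was chosen by lowest MAC address")
    for p in tree["ports"]:
        if p["sts"] != "FWD":
            findings.append(f"{p['intf']}: {p['role']}/{p['sts']} - redundant link held by STP")
        if "Edge" in p["type"]:
            findings.append(f"{p['intf']}: edge (PortFast) port - confirm BPDU Guard is enabled")
    return findings


if __name__ == "__main__":
    for sample in (ROOT_SWITCH_OUTPUT, NON_ROOT_OUTPUT):
        for finding in audit(parse_show_spanning_tree(sample)):
            print(finding)
```

The default-priority check is the "never rely on MAC address" rule from section 4 turned into a detection: a root whose priority field equals 32768 plus the VLAN ID was never deliberately configured.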

11. CCNA Exam Tips for STP

STP is consistently tested on the CCNA 200-301 exam. Here is a consolidated list of the most important facts and concepts to have memorized before exam day.

Exam Tip 1: Bridge ID Priority and Defaults

The default STP bridge priority is 32768. Priority values must be multiples of 4096. The full Bridge ID includes the VLAN ID added to the priority (called System ID Extension), so for VLAN 1, the default Bridge ID priority field displays as 32769 (32768 + 1). Lower Bridge ID wins root election. Lower MAC address is the tiebreaker when priorities are equal.

Exam Tip 2: Port States vs. Port Roles

Do not confuse Port Roles and Port States — they are different concepts. Port Roles (Root, Designated, Non-Designated, Disabled) define the logical function. Port States (Blocking, Listening, Learning, Forwarding, Disabled) define what the port is currently doing. RSTP uses 3 states (Discarding, Learning, Forwarding) and 4 roles (Root, Designated, Alternate, Backup). A port can be a Designated Port in Learning state — the role and state are independent attributes.

Exam Tip 3: PortFast Is for End Devices ONLY

PortFast should NEVER be configured on ports connected to other switches. If a switch is connected to a PortFast port and that port forwards immediately, a loop can form before STP has time to detect and block it. BPDU Guard is the safety mechanism — it err-disables the port if a BPDU is received. Always pair PortFast with BPDU Guard in production and on the exam.

Quick Reference: Key STP Facts for the CCNA Exam

  • Classic STP standard: IEEE 802.1D
  • Rapid STP standard: IEEE 802.1w
  • Cisco per-VLAN classic STP: PVST+
  • Cisco per-VLAN rapid STP: Rapid PVST+ (default on modern Cisco IOS)
  • Default bridge priority: 32768
  • Root bridge election: lowest Bridge ID wins
  • Root bridge ports: all ports are Designated Ports
  • Non-root switch: exactly one Root Port
  • Per segment: exactly one Designated Port
  • Hello Time: 2 seconds
  • Max Age: 20 seconds
  • Forward Delay: 15 seconds (each state: Listening AND Learning)
  • Classic STP convergence: up to 50 seconds
  • RSTP convergence: 1-2 seconds
  • PortFast: skips Listening and Learning, for end devices only
  • BPDU Guard: err-disables port if BPDU received (used with PortFast)
  • Root Guard: prevents external switch from becoming root
  • Cost: 1 Gbps = 4, 100 Mbps = 19, 10 Mbps = 100

Mnemonic: STP Timer Memory Aid

Remember the timers: "2-20-15"
Hello Time = 2 seconds (BPDUs sent every 2 seconds)
Max Age = 20 seconds (wait 20 seconds before changing topology)
Forward Delay = 15 seconds (spend 15 sec each in Listening AND Learning)

Total worst-case convergence: 20 + 15 + 15 = 50 seconds


Written by Zack M. | IT Cert Bound

Zack holds the Cisco CCNA and CompTIA Network+ certifications and has worked as a network engineer for over 8 years. He built IT Cert Bound to give aspiring network professionals the free, high-quality study resources he wishes had existed when he was preparing for his own certifications.