CCNA (ICND-2) STP (Spanning Tree Protocol) key points.

More notes from the CCNA ICND2 Official Exam Certification Guide, by Wendell Odem. This time the focus is on Spanning Tree Protocol, including RSTP Rapid Spanning Tree Protocol.


The most common problem that can be avoided by using STP is broadcast storms.

3 Classes of Problems caused by not using STP in redundant LANs

  1. Broadcast storms – The forwarding of a frame repeatedly on the same links, consuming significant parts of the links’ capabilities.
  2. MAC table instability – The continual updating of a switch’s MAC address table with incorrect entries, in reaction to looping frames, resulting in frames being sent to the wrong locations.
  3. Multiple frame transmission – A side effect of looping frames in which multiple copies of one frame are delivered to the intended host, confusing the host.

STP prevents loops by placing each bridge/switch port in either a Forwarding state or a Blocking state. Interfaces in the Forwarding state act as normal, forwarding and receiving frames, but interfaces in Blocking state do not process any frames except STP messages.

How spanning tree works

The process used by STP, sometimes called the Spanning Tree Algorithm (STA), chooses the interfaces that should be placed into a forwarding state. STP uses tree criteria to choose whether to put an interface in Forwarding State:

  • STP elects a root switch. STP puts all working interfaces on the root switch in Forwarding State.
  • Each nonroot switch considers one of its ports to have the least administrative cost between itself and the root switch. STP places this least-root-cost interface, called that switch’s root port (RP), in Forwarding State.
  • Many switches can attach to the same Ethernet segment. The switch with the lowest administrative cost from itself to the root bridge, as compared with the other switches attached to the same segment, is placed in Forwarding State. The lowest-cost switch on each segment is called the designated bridge, and that bridge’s interface, attached to that segment, is called the designated port (DP).

STP: Reasons for Forwarding or Blocking

  • All the root switch’s ports – Forwarding – The root switch is always the designated switch on all connected segments.
  • Each nonroot switch’s root port – Forwarding – The port through which the switch has the least cost to reach the root switch.
  • Each LAN’s designated port – Forwarding – The switch forwarding the lowest-cost BPDU onto the segment is the designated switch for that segment.
  • All other working ports –  Blocking – The port is not used for forwarding frames, nor are any frames received on these interfaces considered for forwarding.

the STP Bridge ID and Hello BPDU

The Spanning Tree Algorithm begins with an election of one switch to be the root switch. The STP bridge ID (BID) is an 8-byte value unique to each switch. The BID consists of a 2-byte priority field and a 6-byte system ID. The system ID is based on a burned-in MAC address in each switch. STP defines messages called bridge protocol data units (BPDU), which bridges and switches use to exchange information with each other. The most common of these messages is called a Hello BPDU. The Hello BPDU lists the sending switch’s BID.

Fields in the STP Hello BPDU

  • Root bridge ID – The bridge ID of the bridge/switch that the sender of this Hello currently believes to be the root switch
  • Sender’s bridge ID – The bridge ID of the bridge/switch sending this Hello BPDU
  • Cost to reach root – The STP cost between this switch and the current root
  • Timer values on the root switch – Includes the Hello timer, MaxAge timer, and Forward Delay timer

electing the Root Switch

Switches elect a root switch based on the BID in the BPDUs. The root switch is the switch with the lowest numeric value for the BID. Because the two-part bridge ID starts with the priority value, essentially the switch with the lowest priority becomes the root. If a tie occurs based on the priority of the BID, the switch with the lowest MAC address portion of the BID is the root. STP elects a root with a process that begins with all switches claiming to be the root by sending Hello BPDUs listing their BIDs. If a switch hears a Hello that lists a better (lower) BID–called a Superior Hello– that switch stops advertising itself as root and starts forwarding the superior Hello. Eventually everyone agrees with the switch that has the best (lowest) BID.

Choosing Each Switch’s Root Port

The second part of the STP process occurs when each nonroot switch chooses its one and only root port. A switch’s root port (RP) is it’s interface through which it has the least STP cost to reach the root switch.  To calculate the cost, a switch adds the cost listed in a received Hello to the STP port cost assigned to that same interface. The STP port cost is simply an integer value assigned to each interface for the purpose of providing an objective measurement that allows STP to choose which interfaces to add to the STP topology.

Choosing the Designated Port on each LAN segment

STP’s final step in choosing the STP topology, is to choose the designated port on each LAN segment. The designated port on each LAN segment is the switch port that advertises the lowest-cost Hello onto a LAN segment. When a nonroot switch forwards a Hello, the nonroot switch sets the cost field in the Hello to that switch’s cost to reach the root.

port costs

port costs can be configured or you can use the default values.

Ethernet speed — Original IEEE cost — Revised IEEE Cost
10Mbps — 100 — 100
100Mbps — 10 — 19
1Gbps — 1 — 4
10Gbps — 1 — 2

Reacting to Changes in the Network

The root switch sends a new Hello BPDU every 2 seconds by default. Each switch forwards the Hello on all DPs, but only after changing two items. The cost is changed to reflect that switch’s cost to reach the root, and the sender’s bridge ID field is also changed. (The root’s bridge ID field is not changed.) By forwarding the received (and changed) Hellos out all DPs, all switches continue to receive Hellos about every 2 seconds.

  1. The root creates and sends a Hello BPDU, with a cost of 0, out all its working interfaces (those in a Forwarding State).
  2. The nonroot switches receive the Hello on their root ports. After changing the Hello to list their own bridge ID as the sender’s BID, and listing that switch’s root cost, the switch forwards the Hello out all designated ports.
  3. Steps 1 and 2 repeat until something changes.

stp timers

timer — description — default value

  • Hello — the time period between Hellos created by the root. — 2 sec
  • Max Age — How long any switch should wait, after ceasing to hear Hellos, before trying to change the STP topology. — 10 times Hello
  • Forward Delay — Delay that affects the process that occurs when an interface changes from Blocking State to Forwarding State. A port stays in an interim Listening State, and then an interim Learning State, for the number of seconds defined by the forward delay timer. — 15 sec

When STP converges, a switch chooses transition interfaces from one state to another. However, a transition from blocking to forwarding cannot be done immediately because an immediate change to forwarding could temporarily cause frames to loop. To prevent this, STP transitions an interface through two intermediate interface states.

  • listening: Like the Blocking State, the interface does not forward frames. Old, now-incorrect MAC table entries are trimmed out during this state, because the old incorrect MAC table entries would be the root cause of the temporary loops.
  • learning: Interfaces in this state still do not forward frames, but the switch begins to learn the MAC addresses of frames received on the interface.

spanning tree states

State — Forwards Data Frames? — Learns MACs based on Received Frames? — Transitory or Stable State?
Blocking — no — no — Stable
Listening — no — no — Transitory
Learning — no — yes — Transitory
Forwarding — yes — yes — Stable
Disabled — no — no — stable

Optional STP Features

3 proprietary additions to STP. EtherChannel, PortFast, and BPDU Guard


etherchannel provides a way to prevent STP convergence from being needed when only a single port or cable failure occurs. EtherChannel combines multiple parallel segments of equal speed (up to eight) between the same pair of switches, bundled into EtherChannel. The switches treat the EtherChannel as a single interface with regard to the frame-forwarding process as well as for STP.


PortFast allows a switch to immediately place a port in Forwarding State when the port becomes physically active, bypassing any choices about the STP topology and bypassing the Listening and Learning States. However, the only ports on which you can safely enable PortFast are ports on which you know that no bridges, switches, or other STP-speaking devices are connected. PortFast is most appropriate for connections to end-user devices.

STP Security

the Cisco BPDU Guard helps defeat security problems by disabling a port if any BPDUs are received on the port. This feature is particularly useful on ports that should only be used as an access port and never connected to another switch. BPDU Guard is often used on the same interface that has PortFast enabled, because a PortFast-enabled port will already be in a Forwarding State. Cisco Root Guard helps defeat the problem where the new rogue switch tries to become the root switch. The Root Guard feature allows another switch to be connected to the interface, and participate in STP by sending and receiving BPDUs.

Rapid STP (IEEE 802.1W)

RSTP (802.1w) works just like STP (802.1d) in several ways:

  • It elects the root switch using the same parameters and tiebreakers
  • It elects the root port on nonroot switches with the same rules.
  • It elects designated ports on each LAN segment with the same rules.
  • It places each port in either Forwarding or Blocking State, although RSTP calls the Blocking State the Discarding State.

RSTP can be deployed alongside traditional 802.1d STP switches, with RSTP features working in switches that support it.

RSTP Link and Edge Types

  • Link-type point-to-point
  • Link-type shared
  • Edge-type

RSTP calls Ethernet connections between switches links and calls Ethernet connections to end-user devices edges. RSTP reduces convergence time for link-type point-to-point and edge-type connections. It does not improve convergence over link-type shared connections.

RSTP Port States

Operational state — STP state (802.1d) — RSTP state (802.1w) — forwards data frames in this state?
enabled — blocking — discarding — no
enabled — listening — discarding — no
enabled — learning — learning — no
enabled — forwarding — forwarding — yes
disabled — disabled — discarding — no

the RSTP alternate port role identifies a switch’s best alternative to its current RP. The RSTP backup port type, applies only when a single switch has two links to the same segment (collision domain).

RSTP and STP Port Roles

RSTP Role — STP Role — Definition
Root port — Root port — a single port on each nonroot switch in which the switch hears the best BPDU out of all the received BPDUs
Designated port — Designated port — Of all switch ports on all switches attached to the same segment / collision domain, the port that advertises the “best” BPDU
Alternate port — ** — A port on a switch that receives a suboptimal BPDU
Backup port — ** — A nondesignated port on a switch that is attached to the same segment/collision domain as another port on the same switch.
Disabled — ** — A port that is administratively disabled or is not capable of working for other reasons

the main reason for RSTP vs STP is RSTP has a faster convergence time.  RSTP acts differently on some interfaces based on RSTP’s characterization of the interface based on what is connected to the interface.

edge-type behavior and portfast

RSTP improves convergence for edge-type connections by immediately placing the port in forwarding state when the link is physically active. This is effectively the same as PortFast.

link-type shared

RSTP doesn’t do anything differently from STP on link-type shared links.

link-type point-to-point

RSTP improves convergence over full-duplex links between switches. instead of waiting the default 20 seconds for the MaxAge timer in STP to expire, RSTP recognizes the loss of the path to the root bridge, through the root port, in 3 times the Hello timer, or 6 seconds with a default Hello timer value of 2 seconds. RSTP removes the need for Listening State and reduces the time required for Learning State by actively discovering the network’s new state. RSTP negotiate with the neighboring switches by sending RSTP messages. These messages enable the switches to quickly determine whether an interface can be immediately transitioned to a forwarding state.

PVST+ gives engineers a load-balancing tool. By chaining some STP configuration parameters in different VLANs, the engineer could cause switches to pick different TPs and DPs in different VLANs, the engineer could cause switches to pick different RPs and DPs in different VLANs. As a result, some traffic in some VLANs can be forwarded over one trunk, and traffic for other VLANs to be forwarded over a different trunk.

comparing 3 options for multiple spanning trees

Option — Supports STP — Supports RSTP — Configuration effort — Only one instance required for each redundant path
PVST+ — Yes — No — small — no
PVRST — no — Yes — small — no
MIST — no — yes — medium — Yes

configuration options that influence the spanning tree topology

  • The bridge IDs influence the choice of root switch, and for nonroot switches, their choice of root port.
  • Each interface’s (per-VLAN) STP cost to reach the root, which influences the choice of designated port on each LAN segment.

The bridge ID and system ID extension

A switch’s BID is formed by combining the switch’s 2-byte priority and 6-byte MAC address. To build a switch’s BID for a particular per-VLAN STP instance, the switch must use a base priority setting of a multiple of 4096. (These multiples of 4096, when converted to binary, all end with 12 binary 0’s). To create the first 16 bits of the BID for a particular VLAN, the switch starts with a 16-bit version of the base priority value, which has all binary 0’s in the last 12 digits. The switch then adds its base priority value to the VLAN ID. The result is that the low-order 12 bits in the original priority field then list the VLAN ID.

per-vlan port costs

The STP cost is based on the actual speed of the interface, so if an interface negotiates to use a lower speed, the default STP cost reflects that lower speed. If the interface negotiates to use a different speed, the switch dynamically changes the STP port cost as well. Alternately, a switchs port cost can be configured manually.

STP defaults and Configuration options

Setting — Default — Command(s) to change default
BridgeID — Priority:32,768+VLAN ID / System: A burned-in MAC on the switch — spanning-tree vlan vlan-id root {primary | secondary}  /  spanning-tree vlan vlan-id priority priority
Interface cost — 100 for 10Mbps, 19 for 100 Mbps, 4 for 1 Gbps, 2 for 10 Gbps — spanning-tree vlan vlan-id cost cost
PortFast — not enabled — spanning-tree portfast
BPDU Guard — not enabled — spanning-tree bpduguard enable

The spanning-tree vlan vlan-id root primary command tells a switch to use a particular priority value in that VLAN only, with the switch choosing a value that will cause the switch to become the root switch in that VLAN. To do so, this command sets the base priority — the priority value that is then added to the VLAN ID to calculate the switch’s priority — to a value lower than the current root switch’s base priority. This command chooses the base priority as follows:

  • 24,576, if the current root has a base priority higher than 24,576
  • 4096 less than the current root’s base priority if the current root’s priority is 24,576 or lower.

STP troubleshooting

  1. determine the root switch
  2. for each nonroot switch, determine its one root port (RP) and cost to reach the root switch through that RP.
  3. For each segment, determine the designated port (DP) and the cost advertised by the DP onto that segment

Determining the root switch

  1. Pick a switch at which to begin, and find the root switch’s BID and the local switch’s BID in the VLAN in question using the show spanning-tree vlan vlan-id exec command.
  2. If the root BID and local BID are equal, the local switch is the root switch.
  3. If the root BID is not equal to the local switch’s BID, follow these steps:
    a. Find the RP interface on the local switch (also in the show spanning-tree command output
    b. Using cisco discovery protocol (CDP) or other documentation, determine which switch is on the other end of the RP interface found in Step 3a
    c. Log in to the switch on the other end of the RP interface and repeat this process, starting at Step 1.

Determining the root port on nonroot switches

  1. Determine all possible paths over which a frame, sent by the nonroot switch, can reach the root switch
  2. For each possible path in Step 1, add the costs of all outgoing interfaces in that path
  3. The lowest cost found is the cost to reach the root, and the outgoing interface is that switch’s RP.
  4. If the cost ties, use the port priority tiebreaker, and if that ties, use the lowest port number tiebreaker

determining the designate port on each lan segment

  1. For switches connected to the same LAN segment, the switch with the lowest cost to reach the root is the DP on that segment.
  2. In case of a tie, among the switches that tied on cost, the switch with the lowest BID becomes the DP.

stp convergence

  • for interfaces that stay in the same STP state, nothing needs to change.
  • For interfaces that need to move from a Forwarding State, to a Blocking State, the switch immediately changes the state to Blocking.
  • For interfaces that need to move from a Blocking State to a Forwarding State, the switch first moves the interface to Listening State, then Learning State, each for the time specified by the forward delay timer (default15 seconds). Only then will the interface be placed into Forwarding State.

command reference

spanning-tree vlan vlan-number root primary – Global configuration command that changes this switch to the root switch. This switch’s priority is changed to the lower of either 24,576 or 4096 less than the priority of the current root bridge when the command was issued.

spanning-tree vlan vlan-number root secondary – Global configuration command that sets this switch’s STP base priority to 28,672.

spanning-tree [vlan vlan-id] {priority priority} – Global configuration command that changes the bridge priority of this switch for the specified VLAN.

spanning-tree [vlan vlan-number] cost cost – Interface subcommand that changes the STP cost to the configured value.

channel-group channel-group-number mode {auto | desirable | on} – Interface subcommand that enables EtherChannel on the interface.

spanning-tree portfast – Interface subcommand that enables PortFast on the interface.

spanning-tree bpduguard enable – Interface subcommand to enable BPDU guard on an interface

spanning-tree mode {mst | rapid-pvst | pvst} – Global command to enable PVST+ and 802.1d (pvst), PVRST and 802.1w (rapid-pvst), or IEEE 802.1s (multiple spanning trees) and 802.1w (mst)

show spanning-tree – Lists details about the state of STP on the switch, including the state of each port

show spanning-tree interface interface-id – Lists STP information only for the specified port

show spanning-tree vlan-id – Lists STP information for the specified VLAN

show spanning-tree [vlan vlan-id] root – Lists information about each VLAN’s root or just the specified VLAN

show spanning-tree [vlan vlan-id] bridge – Lists STP information about the local switch for each VLAN or for just the specified VLAN

debug spanning-tree events – Causes the switch to provide informational messages about changes in the STP topology

show etherchannel [channel-group-number] {brief | detail | port | port-channel | summary} – Lists information about the state of EtherChannels on this switch.

2 thoughts on “CCNA (ICND-2) STP (Spanning Tree Protocol) key points.
  1. Hi! Anybody can help me?
    I have been trying do understand the STP concepts, choosing the designated and non-designated ports:

    Using 3 switches as a trianglo, I can see the correct chose – The lowest priority/mac election works and the highest value tur the port on blocking state. Using four switches works different.
    The highest looks wins the election and put the port on designated status.
    Labs tested on Packet Tracer and Catalysts 2950 hands on and the simptons are the same.
    Could you explain-me that?
    Thanks for any help!
    My regards,

    Julio Moreira

    • Thank you for your question Julio. STP chooses designated and non-designated ports based on a few factors. The first of these is determining which switch will be root. This, and other criteria, is where the lowest priority / mac election comes into play.

      Switches elect a root switch based on the BID in the BPDUs. The root switch is the switch with the lowest numeric value for the BID. Because the two-part bridge ID starts with the priority value, essentially the switch with the lowest priority becomes the root. If a tie occurs based on the priority of the BID, the switch with the lowest MAC address portion of the BID is the root. STP elects a root with a process that begins with all switches claiming to be the root by sending Hello BPDUs listing their BIDs. If a switch hears a Hello that lists a better (lower) BID–called a Superior Hello– that switch stops advertising itself as root and starts forwarding the superior Hello. Eventually everyone agrees with the switch that has the best (lowest) BID.

      When I built a 4 switch network where I wanted to see what ports became root or designated, what I did was to force my network to have a root election, by running the command spanning-tree vlan1 root primary in global config on my S1. S1 of course became root and therefor all ports became Designated ports. Switches S2 and S3 which are both S1’s neighbors, both have a port that is directly connected to the root switch. This Directly connected port is the Root port, and the remaining ports are the Designated ports. But then we get to S4, and S4 is a little different. None of S4’s ports directly connect to the root switch, but the switch none the less must make a decision on which port to send and receive data on. S4 makes the decision to give the lowest connected port the Root role. In this case that port was fa0/1 which is connected to S2.

      If you would like to build the network I’ve described in packet tracer to gain a better understanding use the following key to do so;

      Connect 4 switches
      S1 Fa0/2 connects to S2 Fa0/2
      S1 Fa0/1 connects to S3 Fa0/1
      S2 Fa0/1 connects to S4 Fa0/1
      S3 Fa0/2 connects to S4 Fa0/2

      Configure S1 with the command spanning-tree vlan1 root primary in Global config.

      Observe using sh spanning-tree

Leave a Reply