2.5 Spanning Tree Protocol (STP) and RSTP

Key Takeaways

  • STP (IEEE 802.1D) prevents Layer 2 loops by blocking redundant paths, leaving one loop-free active topology.
  • The root bridge is the switch with the lowest Bridge ID = priority (default 32768, multiples of 4096) + MAC address; lowest MAC wins ties.
  • Classic STP port states cycle blocking, listening, learning, forwarding and take 30-50 seconds to converge; RSTP (802.1w) converges in seconds.
  • RSTP port roles are root, designated, alternate (backup root path), and backup; states collapse to discarding, learning, forwarding.
  • Edge-port toolkit: PortFast skips listening/learning, BPDU Guard err-disables a port that receives a BPDU, root guard and loop guard protect topology stability.
Last updated: June 2026

The Loop Problem STP Solves

Ethernet frames have no TTL, so a broadcast that enters a Layer 2 loop circulates forever, multiplying until it consumes all bandwidth — a broadcast storm. Loops also cause MAC table instability (the same source MAC flapping between ports) and duplicate unicast frames. STP (Spanning Tree Protocol, IEEE 802.1D) prevents this by computing a loop-free tree: it elects a single reference point, then blocks any port that would create a redundant path, keeping it ready to unblock if the primary path fails.

Root Bridge Election

Every switch has a Bridge ID (BID) made of a 16-bit priority plus its MAC address. The switch with the lowest BID becomes the root bridge. Default priority is 32768, and it must be set in multiples of 4096 (because the lower 12 bits carry the VLAN ID as the "system ID extension"). When priorities tie, the lowest MAC address wins — which means by default the oldest switch (lowest MAC) often becomes root, usually not what you want.

Force a chosen switch to be root with one of:

Switch(config)# spanning-tree vlan 10 root primary
Switch(config)# spanning-tree vlan 10 priority 24576

root primary lowers priority to 24576 (or lower if needed to beat the current root). Always set the root manually in the core; an unplanned root in an access closet creates suboptimal paths.

Port Roles, Costs, and States

After root election, every other switch picks its root port (the one port with the lowest-cost path back to the root) by adding up STP path costs. Memorize the modern (long) cost values:

| Link speed | STP cost |
|------------|----------|
| 10 Mbps    | 100      |
| 100 Mbps   | 19       |
| 1 Gbps     | 4        |
| 10 Gbps    | 2        |

Each segment also elects one designated port (forwarding) per link; remaining ports are blocked (non-designated). Classic 802.1D port states and timers are exam staples:

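| State      | Forwards data? | Learns MACs? | Timer             |
|------------|----------------|--------------|-------------------|
| Blocking   | No             | No           | 20s max age       |
| Listening  | No             | No           | 15s forward delay |
| Learning   | No             | Yes          | 15s forward delay |
| Forwarding | Yes            | Yes          | -                 |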

Total convergence is roughly 30-50 seconds (20 + 15 + 15). That delay is why a PC plugged into a non-PortFast port waits before getting DHCP.

RSTP and Rapid PVST+

RSTP (Rapid Spanning Tree, IEEE 802.1w) converges in seconds (often under 6) using a proposal/agreement handshake instead of timers. It adds two backup roles: the alternate port (a backup path to the root) and the backup port (a backup designated port on a shared segment). RSTP states collapse to discarding, learning, and forwarding. Rapid PVST+ is Cisco's default — it runs a separate RSTP instance per VLAN, letting you place a different root bridge for VLAN 10 versus VLAN 20 to load-balance.

Protection Features

  • PortFast moves an access/edge port straight to forwarding, skipping listening/learning — never enable it on a port facing another switch.
  • BPDU Guard err-disables a PortFast port the instant it receives a BPDU, blocking a rogue switch.
  • Root guard keeps a designated port from becoming a root port, protecting your planned root bridge (used facing downstream switches).
  • Loop guard prevents a non-designated port from wrongly forwarding when BPDUs stop arriving (e.g., a unidirectional link).
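
A defender can check these pairings directly in a saved configuration. The audit below is an added example, not part of the original guide; the sample config is constructed and the function name `audit` is hypothetical, while the matched lines are standard IOS interface and global commands.

```python
# Added example: flag PortFast ports that lack BPDU Guard, and PortFast on trunks.
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/3
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree portfast
"""  # constructed sample, not taken from a real device

def audit(config):
    """Return sorted (interface, finding) pairs for risky edge-port settings."""
    # The global default applies BPDU Guard to every PortFast port.
    global_guard = bool(
        re.search(r"^spanning-tree portfast (edge )?bpduguard default", config, re.M))
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # left the interface block
    findings = []
    for name, cfg in ports.items():
        portfast = any(c.startswith("spanning-tree portfast") and "disable" not in c
                       for c in cfg)
        guarded = global_guard or "spanning-tree bpduguard enable" in cfg
        if portfast and "switchport mode trunk" in cfg:
            findings.append((name, "PortFast on a trunk port"))
        elif portfast and not guarded:
            findings.append((name, "PortFast without BPDU Guard"))
    return sorted(findings)

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

A trunk finding still needs a human check: PortFast on a trunk is only a problem when the far end is a switch rather than a host.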

How a Switch Builds the Tree

STP's algorithm runs in three decisions you should be able to recite. First, elect one root bridge for the whole topology — the lowest Bridge ID. Second, each non-root switch picks one root port, the single port with the lowest cumulative cost back to the root (ties broken by lowest sender Bridge ID, then lowest sender port ID). Third, each segment elects one designated port that advertises the lowest cost to the root; the loser on that segment becomes a non-designated (blocking) port. The result is exactly one active path between any two points, with redundant links held in reserve.

Switches exchange this information in BPDUs (Bridge Protocol Data Units) sent every 2 seconds (the hello time) to multicast 0180.C200.0000. When BPDUs stop arriving on a blocked port for the max age (20 seconds in classic STP), the switch assumes the path failed and begins transitioning a backup port toward forwarding — the source of STP's slow recovery.
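
The three decisions can be traced on a small topology. The simulation below is an added example, not part of the original guide; the switch names, MAC addresses, and port numbers are constructed, and it models a single VLAN using the path costs from the table on this page.

```python
# Added example: the three STP decisions on a constructed three-switch triangle.
COST = {10: 100, 100: 19, 1000: 4, 10000: 2}  # Mbps -> path cost, from this page's table

def bid(switch):
    """Bridge ID as a comparable tuple: priority first, then MAC as the tie-breaker."""
    priority, mac = switch
    if priority % 4096:
        raise ValueError(f"priority {priority} is not a multiple of 4096")
    return (priority, int(mac.replace(".", ""), 16))

def spanning_tree(switches, links):
    """links: (sw_a, port_a, sw_b, port_b, mbps). Returns (root, {(switch, port): role})."""
    root = min(switches, key=lambda name: bid(switches[name]))  # decision 1
    cost = {name: 0 if name == root else float("inf") for name in switches}
    for _ in switches:  # relax until every switch knows its lowest root path cost
        for a, _pa, b, _pb, mbps in links:
            cost[a] = min(cost[a], cost[b] + COST[mbps])
            cost[b] = min(cost[b], cost[a] + COST[mbps])
    best = {}  # decision 2: per switch, lowest (cost, sender BID, sender port)
    for a, pa, b, pb, mbps in links:
        for me, my_port, nbr, nbr_port in ((a, pa, b, pb), (b, pb, a, pa)):
            offer = (cost[nbr] + COST[mbps], bid(switches[nbr]), nbr_port, my_port)
            if me != root and (me not in best or offer < best[me]):
                best[me] = offer
    root_ports = {(name, offer[3]) for name, offer in best.items()}
    roles = {}
    for a, pa, b, pb, _mbps in links:  # decision 3: one designated port per segment
        ends = sorted([(cost[a], bid(switches[a]), pa, a), (cost[b], bid(switches[b]), pb, b)])
        roles[(ends[0][3], ends[0][2])] = "designated"
        loser = (ends[1][3], ends[1][2])
        roles[loser] = "root" if loser in root_ports else "blocking"
    return root, roles

# Constructed topology: three switches joined in a triangle by 1 Gbps links.
SWITCHES = {
    "CORE": (24576, "0011.2233.4455"),
    "DIST": (32768, "0011.2233.0001"),
    "ACC": (32768, "0011.2233.9999"),
}
LINKS = [("CORE", 1, "DIST", 1, 1000), ("CORE", 2, "ACC", 1, 1000), ("DIST", 2, "ACC", 2, 1000)]

if __name__ == "__main__":
    root, roles = spanning_tree(SWITCHES, LINKS)
    print("root bridge:", root)
    for port, role in sorted(roles.items()):
        print(port, role)
```

Resetting CORE to the default priority 32768 hands the root role to DIST, the lowest MAC, which is the unplanned election this guide warns about.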

Manual Tuning and Per-VLAN Roots

Because the default election often picks the wrong (oldest) switch, you deliberately set the root in the distribution/core. With Rapid PVST+ you can balance load by making one switch root for some VLANs and a second switch root for others:

Switch1(config)# spanning-tree vlan 10,30 root primary
Switch2(config)# spanning-tree vlan 20,40 root primary

You can also tune a single link's preference with spanning-tree vlan 10 cost 10 on a port or change a switch's likelihood of winning with spanning-tree vlan 10 priority 8192. Set the secondary root (priority 28672) on the backup core switch with root secondary so failover is predictable.

STP Exam Traps

Lock in these points. Bridge priority must be a multiple of 4096 — IOS rejects 5000. The lowest MAC address breaks a priority tie, so a lower priority always beats a lower MAC. PortFast belongs only on edge/host ports; enabling it toward another switch risks a transient loop, which is why BPDU Guard pairs with it to err-disable the port if a switch appears. Root guard faces downstream to protect your planned root, while loop guard and UDLD address unidirectional-link failures where BPDUs silently stop.

Finally, do not confuse port states (blocking/listening/learning/forwarding in 802.1D; discarding/learning/forwarding in RSTP) with port roles (root, designated, alternate, backup) — the exam tests both and expects you to map a role to its likely state.

Test Your Knowledge

What is the default STP bridge priority on a Cisco switch, and in what increments must it be changed?


Which protection feature immediately err-disables a PortFast access port if it receives a BPDU from a rogue switch?


How does RSTP (802.1w) convergence compare to classic 802.1D STP?
