PVST and PVST+ – Per-VLAN Spanning Tree, Root Bridge, and Load Balancing

1. Why PVST? — The Problem with Classic STP

The original IEEE 802.1D Spanning Tree Protocol was designed for a simpler era — one where a network had a single flat Layer 2 domain. It runs a single spanning tree instance for all VLANs. One root bridge is elected for the whole network, and blocked ports are the same regardless of which VLAN's traffic they carry. This creates two significant problems:

  Classic STP — single instance, all VLANs:
  ┌────────────────────────────────────────────────────────────┐
  │         Root Bridge                                        │
  │         [Switch A]                                         │
  │        /           \                                       │
  │  [Switch B]     [Switch C]                                 │
  │       |               |                                    │
  │  [Switch D]──────[Switch E]  ← one link BLOCKED by STP    │
  │                                                            │
  │  Result: ALL VLANs (10, 20, 30) must use the SAME paths.  │
  │  The blocked link wastes bandwidth for every VLAN.         │
  └────────────────────────────────────────────────────────────┘

  PVST — separate instance per VLAN:
  ┌────────────────────────────────────────────────────────────┐
  │  VLAN 10 instance: Switch A = Root                        │
  │  VLAN 10 path: A→B→D   VLAN 10 blocked port: D–E          │
  │                                                            │
  │  VLAN 20 instance: Switch B = Root                        │
  │  VLAN 20 path: B→D→E   VLAN 20 blocked port: A–C          │
  │                                                            │
  │  Result: each VLAN uses a DIFFERENT active path.           │
  │  All physical links carry SOME traffic → true load balance.│
  └────────────────────────────────────────────────────────────┘
            

2. PVST vs PVST+ — Key Differences

Both PVST and PVST+ run a separate STP instance per VLAN. The critical distinction is trunking support — PVST uses Cisco-proprietary ISL trunks while PVST+ adds support for the industry-standard IEEE 802.1Q trunk, making it interoperable with non-Cisco equipment. PVST+ is the default STP mode on all modern Cisco switches.

| Feature | Classic 802.1D STP | PVST | PVST+ |
|---|---|---|---|
| STP instances | One for all VLANs (CST) | One per VLAN | One per VLAN |
| Trunking protocol | Any (VLAN-unaware) | Cisco ISL only | IEEE 802.1Q (also ISL) |
| Interoperability | Any IEEE 802.1D switch | Cisco-only | Standards-compatible via CST on native VLAN |
| Default on Cisco | No | No (legacy) | Yes — spanning-tree mode pvst |
| Per-VLAN root bridge | No | Yes | Yes |
| Load balancing | No | Yes | Yes |
| BPDU destination MAC | 0180.C200.0000 (IEEE) | 0100.0CCC.CCCD (Cisco) | 0100.0CCC.CCCD (VLAN-tagged) + 0180.C200.0000 (native VLAN) |
| Convergence time | ~30–50 seconds | ~30–50 seconds | ~30–50 seconds |
| Protocol standard | IEEE 802.1D | Cisco proprietary | Cisco proprietary (VLAN-aware 802.1D) |

3. Root Bridge Election — Bridge ID and Priority

In PVST and PVST+, each VLAN independently elects its own root bridge using the same election rules as classic STP — the switch with the lowest Bridge ID wins. The Bridge ID is a combination of priority and MAC address, evaluated per VLAN. See Root Bridge Election for full details.

  Bridge ID structure (8 bytes total):
  ┌──────────────────────────────┬──────────────────────────────┐
  │   Priority (2 bytes)         │   Switch MAC Address (6 bytes)│
  │  = Priority value (4 bits)   │   (base MAC — globally unique)│
  │  + Extended System ID (VLAN) │                              │
  │    (12 bits = VLAN number)   │                              │
  └──────────────────────────────┴──────────────────────────────┘

  Priority value is configured in multiples of 4096:
  Valid values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672,
                32768 (default), 36864, ..., 61440

  Actual Bridge ID priority = configured value + VLAN ID
  Example: switch configured priority 32768 for VLAN 10
  Actual priority in Bridge ID = 32768 + 10 = 32778

  Root bridge election:
  1. Compare Bridge ID priority values — LOWEST wins
  2. If priorities are equal → LOWEST MAC address wins

  To force a switch to become root for VLAN 10:
  Set its priority lower than all other switches for that VLAN.
  E.g., set to 4096 if all others are at default 32768.
            
| Priority Value | Use Case | Notes |
|---|---|---|
| 0 | Absolute root (never use in production) | Cannot be lower — guaranteed to win election |
| 4096 | Primary root bridge | Well below default; wins against all default-priority switches |
| 8192 | Secondary (backup) root bridge | Wins if primary (4096) fails |
| 32768 | Default — all Cisco switches ship with this value | Election between default switches decided by lowest MAC |
| 61440 | Explicitly prevent becoming root | Highest configurable value — will never win unless all others are also at max |

Automatic root placement shortcut: Instead of manually setting a specific priority number, Cisco IOS provides a macro command that automatically calculates the optimal priority:

  Switch(config)# spanning-tree vlan 10 root primary
  ! Sets priority to 24576 (or lower if needed to beat current root)

  Switch(config)# spanning-tree vlan 10 root secondary
  ! Sets priority to 28672 (backup root)
            

4. STP Port Roles

In PVST/PVST+, every switch port is assigned one of the following roles per VLAN. The roles determine how each port participates in the spanning tree.

| Port Role | Location | Function | Per-VLAN? |
|---|---|---|---|
| Root Port (RP) | On every non-root switch — exactly one per switch per VLAN | The port with the best (lowest cost) path back to the root bridge for this VLAN. Always in Forwarding state. | Yes — a port may be Root Port for VLAN 10 and Designated for VLAN 20 |
| Designated Port (DP) | One per network segment — always on the root bridge for every one of its ports | Forwards frames toward downstream switches on this segment; sends BPDUs toward non-root switches. Always in Forwarding state. | Yes |
| Alternate Port | Non-root switch — the backup path to the root | Receives a better BPDU from another switch on the same segment. Blocked state — takes over if the Root Port fails. | Yes |
| Backup Port | Non-root switch — two ports on the same segment | Receives a better BPDU from its own switch. Blocked state — takes over if the Designated Port on the same segment fails. | Yes |
| Disabled | Any | Administratively shutdown or not participating in STP. | Yes |

  Three switches, full mesh — VLAN 10, Switch A is root:

  [Switch A — Root]
   Gi0/1 = Designated (to Switch B)
   Gi0/2 = Designated (to Switch C)
        |              |
  [Switch B]      [Switch C]
   Gi0/1 = Root Port (→A)    Gi0/1 = Root Port (→A)
   Gi0/2 = Designated (→C)   Gi0/2 = Alternate (blocked)

  The Gi0/2 link between B and C:
  Switch B's port = Designated (it has the better path to root via A)
  Switch C's port = Alternate (blocked to prevent a loop)
            

5. STP Port States

After STP makes a topology decision and assigns a port its role, the port transitions through several states before becoming active. In PVST/PVST+ (classic 802.1D-based), the five states are:

| State | Duration | Forwards Frames? | Learns MACs? | Receives BPDUs? | Description |
|---|---|---|---|---|---|
| Blocking | Up to 20s (Max Age) | No | No | Yes | Port receives BPDUs and determines its role; does not forward any data frames to prevent loops |
| Listening | 15s (Forward Delay) | No | No | Yes | Port participates in root bridge election by sending and processing BPDUs; not yet forwarding or learning |
| Learning | 15s (Forward Delay) | No | Yes | Yes | Port builds the MAC address table from incoming frames without forwarding them; reduces flooding when it transitions to Forwarding |
| Forwarding | Indefinite | Yes | Yes | Yes | Normal operation — port forwards data frames and continues learning MACs; only Root Ports and Designated Ports reach this state |
| Disabled | Indefinite | No | No | No | Port is administratively shut down or not participating in STP |

  Port state transition timeline (new link comes up):
  Port up → Blocking (20s) → Listening (15s) → Learning (15s) → Forwarding
  Total: up to 50 seconds before a port forwards data!

  This is why PVST+ convergence is slow and why PortFast exists —
  PortFast skips Listening and Learning for access ports connected to
  end devices (never use on switch-to-switch links).
            

6. Load Balancing with Per-VLAN Root Bridges

The most powerful benefit of PVST/PVST+ over classic STP is the ability to achieve true Layer 2 load balancing by assigning different VLANs different root bridges. With classic STP, all traffic for every VLAN must follow the same spanning tree — redundant links that are blocked for one VLAN are blocked for all. With PVST/PVST+, you can utilise every physical link simultaneously — just for different VLANs.

  Network: S1 — S2 — S3 (triangle topology)
  VLANs: 10 (Sales), 20 (Engineering), 30 (Management)

  Without PVST (classic STP — one root for all):
  Root = S1
  S1–S2: Forwarding (all VLANs)
  S1–S3: Forwarding (all VLANs)
  S2–S3: BLOCKED (all VLANs) ← this link is completely wasted

  With PVST+ (separate root per VLAN):
  VLAN 10: S1 = Root → S1–S2 active, S1–S3 active, S2–S3 BLOCKED
  VLAN 20: S2 = Root → S2–S1 active, S2–S3 active, S1–S3 BLOCKED
  VLAN 30: S3 = Root → S3–S1 active, S3–S2 active, S1–S2 BLOCKED

  All three physical links carry traffic — just for different VLANs.
  Bandwidth on every link is utilised → true load balancing.

  Configuration:
  S1(config)# spanning-tree vlan 10 priority 4096   ! S1 = root for VLAN 10
  S2(config)# spanning-tree vlan 20 priority 4096   ! S2 = root for VLAN 20
  S3(config)# spanning-tree vlan 30 priority 4096   ! S3 = root for VLAN 30

  Also set secondary roots (backup):
  S2(config)# spanning-tree vlan 10 priority 8192   ! S2 = backup root for VLAN 10
  S3(config)# spanning-tree vlan 20 priority 8192   ! S3 = backup root for VLAN 20
  S1(config)# spanning-tree vlan 30 priority 8192   ! S1 = backup root for VLAN 30
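
The Bridge ID election from section 3 and the triangle from this section can be checked offline before touching a switch. The following is an added example, not part of the original page: it elects the root per VLAN, derives which link each instance blocks, and reports links that are blocked in every VLAN. The MAC addresses, the link cost of 4 and all function names are assumptions made for the illustration, and the model generalises beyond the triangle to any connected topology without parallel links.

```python
import heapq

DEFAULT_PRIORITY = 32768  # default priority stated on the page


def bridge_id(priority, vlan, mac):
    """Comparable Bridge ID: (configured priority + VLAN ID, base MAC as int)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is out of range")
    return (priority + vlan, int(mac.replace(".", ""), 16))


def spanning_tree(switches, links, vlan):
    """Return (root, blocked_links) for one VLAN instance.

    switches: {name: {"mac": "aabb.cc00.0100", "priority": {vlan: value}}}
    links:    {(name_a, name_b): path_cost}; the graph must be connected,
              with at most one link per switch pair.
    """
    bid = {
        name: bridge_id(sw["priority"].get(vlan, DEFAULT_PRIORITY), vlan, sw["mac"])
        for name, sw in switches.items()
    }
    root = min(bid, key=bid.get)  # lowest priority wins, then lowest MAC

    neighbours = {name: [] for name in switches}
    for (a, b), cost in links.items():
        neighbours[a].append((b, cost))
        neighbours[b].append((a, cost))

    # Root path cost of every switch (Dijkstra starting at the root).
    cost_to_root = {root: 0}
    queue = [(0, root)]
    while queue:
        cost, name = heapq.heappop(queue)
        if cost > cost_to_root[name]:
            continue
        for peer, link_cost in neighbours[name]:
            if cost + link_cost < cost_to_root.get(peer, float("inf")):
                cost_to_root[peer] = cost + link_cost
                heapq.heappush(queue, (cost + link_cost, peer))

    # Each non-root switch forwards on the link behind its root port:
    # lowest path cost first, lowest upstream Bridge ID as the tie-breaker.
    forwarding = set()
    for name in switches:
        if name == root:
            continue
        upstream, _ = min(
            neighbours[name],
            key=lambda hop: (cost_to_root[hop[0]] + hop[1], bid[hop[0]]),
        )
        forwarding.add(frozenset((name, upstream)))

    blocked = sorted("-".join(sorted(link)) for link in links
                     if frozenset(link) not in forwarding)
    return root, blocked


def idle_links(switches, links, vlans):
    """Links that are blocked in every VLAN instance and so carry no traffic."""
    per_vlan = [set(spanning_tree(switches, links, v)[1]) for v in vlans]
    return sorted(set.intersection(*per_vlan))


# Constructed inventory: MAC addresses are made up; priorities follow the
# configuration above (4096 = primary root, 8192 = backup root).
LINKS = {("S1", "S2"): 4, ("S1", "S3"): 4, ("S2", "S3"): 4}
TUNED = {
    "S1": {"mac": "aabb.cc00.0100", "priority": {10: 4096, 30: 8192}},
    "S2": {"mac": "aabb.cc00.0200", "priority": {10: 8192, 20: 4096}},
    "S3": {"mac": "aabb.cc00.0300", "priority": {20: 8192, 30: 4096}},
}
UNTUNED = {name: {"mac": sw["mac"], "priority": {}} for name, sw in TUNED.items()}

if __name__ == "__main__":
    for label, inventory in (("default priorities", UNTUNED), ("per-VLAN roots", TUNED)):
        print(label)
        for vlan in (10, 20, 30):
            root, blocked = spanning_tree(inventory, LINKS, vlan)
            print(f"  VLAN {vlan}: root={root} blocked={blocked}")
        print(f"  idle links: {idle_links(inventory, LINKS, (10, 20, 30))}")
```

With every switch at the default priority the lowest MAC wins all three elections and S2-S3 stays idle; with the per-VLAN priorities no link is idle.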
            

7. BPDUs in PVST and PVST+

BPDUs (Bridge Protocol Data Units) are the control frames that STP uses to exchange topology information. PVST/PVST+ BPDUs carry VLAN-specific information so each STP instance can be managed independently.

| STP Variant | BPDU Destination MAC | VLAN Info | Notes |
|---|---|---|---|
| Classic 802.1D STP | 0180.C200.0000 | None — single instance | IEEE standard multicast address |
| PVST | 0100.0CCC.CCCD | Yes — VLAN tag in Cisco-proprietary format | Cisco-proprietary; ISL trunks only |
| PVST+ (non-native VLANs) | 0100.0CCC.CCCD | Yes — VLAN ID in 802.1Q tag | Cisco-proprietary multicast; sent tagged over 802.1Q trunk |
| PVST+ (native VLAN / VLAN 1) | 0180.C200.0000 | No tag (native VLAN = untagged) | Uses IEEE standard MAC for VLAN 1 — enables interoperability with non-Cisco switches on the native VLAN |

The dual BPDU behaviour of PVST+ for the native VLAN is what enables interoperability with IEEE 802.1D switches: those switches see and process standard BPDUs on the native VLAN as part of the Common Spanning Tree (CST), while Cisco switches also handle the per-VLAN PVST+ BPDUs on tagged VLANs.

8. Cisco IOS Configuration

PVST+ is enabled by default on all Cisco Catalyst switches. No explicit global configuration is needed to use it. Configuration primarily involves setting root bridge priorities and applying STP security features.

Verify Current STP Mode

  Switch# show spanning-tree summary
  Switch is in pvst mode          ← confirms PVST+ is active
  Root bridge for: VLAN0010 VLAN0020
  Extended system ID              is enabled
  Portfast Default                is disabled
  PortFast BPDU Guard Default     is disabled
  Portfast BPDU Filter Default    is disabled
  Loopguard Default               is disabled
  ...
            

Set Root Bridge Priority Per VLAN

  ! Manual priority (multiples of 4096 only):
  Switch(config)# spanning-tree vlan 10 priority 4096
  Switch(config)# spanning-tree vlan 20 priority 8192

  ! Automatic macro (recommended):
  Switch(config)# spanning-tree vlan 10 root primary
  Switch(config)# spanning-tree vlan 10 root secondary

  ! View the result:
  Switch# show spanning-tree vlan 10
  VLAN0010
    Spanning tree enabled protocol ieee
    Root ID    Priority    4106   ← 4096 + VLAN 10 = 4106
               Address     0011.2233.4455
               This bridge is the root
    Bridge ID  Priority    4106
               Address     0011.2233.4455
  ...
            

Influence Root Port Selection on a Specific Interface (Path Cost)

  ! Influence root port selection by adjusting port cost (lower = preferred):
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# spanning-tree vlan 10 cost 10

  ! Or adjust port priority (lower = preferred, in multiples of 32):
  Switch(config-if)# spanning-tree vlan 10 port-priority 64
            

Change STP Mode (PVST+ to Rapid PVST+)

  Switch(config)# spanning-tree mode rapid-pvst
  ! Switches ALL VLANs from PVST+ to Rapid PVST+ simultaneously.
  ! Rapid PVST+ is backward-compatible with PVST+.

  Switch(config)# spanning-tree mode pvst
  ! Revert to PVST+ (slower convergence)
            

Configure STP Timers (Advanced)

  ! Adjust hello, forward-delay, and max-age per VLAN (root bridge only):
  Switch(config)# spanning-tree vlan 10 hello-time 2      ! default 2s
  Switch(config)# spanning-tree vlan 10 forward-time 15   ! default 15s
  Switch(config)# spanning-tree vlan 10 max-age 20        ! default 20s

  ! Only change timers on the ROOT bridge — all others learn them from BPDUs.
  ! Incorrect timer changes on non-root switches can cause instability.
            

9. STP Security Features

PVST/PVST+ networks are vulnerable to several attacks and misconfigurations. Cisco provides three key security features to protect the STP topology.

BPDU Guard

BPDU Guard immediately error-disables (err-disables) a port if it receives a BPDU. It is designed for access ports connected to end devices (PCs, printers, servers) — these should never send BPDUs. If a rogue switch or hub is connected to an access port, it could send BPDUs and potentially win the root bridge election, disrupting the entire network.

  ! Enable BPDU Guard on a specific interface:
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# spanning-tree bpduguard enable

  ! Enable BPDU Guard globally on all PortFast-enabled ports:
  Switch(config)# spanning-tree portfast bpduguard default

  ! When triggered: port goes to err-disabled state
  %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1
    with BPDU Guard enabled. Disabling port.
  %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state

  ! To recover (fix the cause first, then):
  Switch(config-if)# shutdown
  Switch(config-if)# no shutdown
  ! Or configure automatic recovery:
  Switch(config)# errdisable recovery cause bpduguard
  Switch(config)# errdisable recovery interval 300
            

Root Guard

Root Guard prevents a port from becoming a root port — effectively preventing any switch connected on that port from becoming the root bridge. If a superior BPDU arrives on a Root Guard-enabled port, the port is placed in a "root-inconsistent" state (blocking) rather than being error-disabled. When the superior BPDUs stop, the port automatically recovers.

  ! Enable Root Guard on ports facing downstream switches:
  Switch(config)# interface GigabitEthernet0/2
  Switch(config-if)# spanning-tree guard root

  ! Apply Root Guard on ports facing the network edge —
  ! NOT on uplinks toward the legitimate root bridge.

  ! When triggered:
  %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/2
    on VLAN0010.

  ! Automatically recovers when superior BPDUs stop arriving —
  ! no manual intervention needed (unlike BPDU Guard).
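
The BPDU Guard and Root Guard messages shown above are worth alerting on, because each one means an unexpected BPDU reached a protected port. The following is an added example, not part of the original page: it scans collected syslog lines, reports BPDU Guard trips per port, escalates ports that trip again shortly after automatic recovery, and lists the VLANs on which Root Guard blocked a port. The timestamp and hostname prefix, the hostnames, the 600-second repeat window and the rule names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The message texts follow the formats on the page;
# the "<ISO timestamp> <hostname>" prefix and the hostnames are assumptions.
SAMPLE_LOG = """\
2024-05-01T09:00:00 sw-acc-1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
2024-05-01T09:00:00 sw-acc-1 %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
2024-05-01T09:05:02 sw-acc-1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/1 with BPDU Guard enabled. Disabling port.
2024-05-01T09:05:02 sw-acc-1 %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
2024-05-01T09:07:30 sw-dist-1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/2 on VLAN0010.
2024-05-01T09:07:30 sw-dist-1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi0/2 on VLAN0020.
2024-05-01T09:08:00 sw-dist-1 %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (%[A-Z0-9_-]+): (.*)$")
BPDUGUARD_RE = re.compile(r"Received BPDU on port (\S+)")
ROOTGUARD_RE = re.compile(r"Root guard blocking port (\S+) on VLAN(\d+)")


def short_port(name):
    """Normalise 'GigabitEthernet0/1' and 'Gi0/1' to the same key."""
    return re.sub(r"^GigabitEthernet", "Gi", name)


def detect(log_text, repeat_window=timedelta(seconds=600)):
    """Return one alert per affected (host, port).

    repeat_window is an assumed tuning value: twice the 300 s errdisable
    recovery interval configured above, so a port that is re-enabled
    automatically and trips again is reported as a repeat.
    """
    trips = defaultdict(list)      # (host, port) -> trip timestamps
    root_blocks = defaultdict(set)  # (host, port) -> VLAN IDs

    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            continue
        stamp, host, tag, message = parsed.groups()
        if tag == "%SPANTREE-2-BLOCK_BPDUGUARD":
            hit = BPDUGUARD_RE.match(message)
            if hit:
                key = (host, short_port(hit.group(1)))
                trips[key].append(datetime.fromisoformat(stamp))
        elif tag == "%SPANTREE-2-ROOTGUARD_BLOCK":
            hit = ROOTGUARD_RE.match(message)
            if hit:
                key = (host, short_port(hit.group(1)))
                root_blocks[key].add(int(hit.group(2)))
        # %PM-4-ERR_DISABLE repeats the same event, so it is not counted again.

    alerts = []
    for (host, port), times in sorted(trips.items()):
        times.sort()
        repeated = any(b - a <= repeat_window for a, b in zip(times, times[1:]))
        alerts.append({
            "rule": "bpduguard_repeat" if repeated else "bpduguard_trip",
            "host": host, "port": port, "count": len(times),
        })
    for (host, port), vlans in sorted(root_blocks.items()):
        alerts.append({
            "rule": "rootguard_block",
            "host": host, "port": port, "vlans": sorted(vlans),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A `bpduguard_repeat` alert indicates that automatic recovery is re-enabling the port while the device sending BPDUs is still attached.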
            

PortFast

PortFast allows an access port to skip the Listening and Learning states and go directly to Forwarding when a device connects. Without PortFast, a PC would wait up to 30 seconds before it could communicate — which causes DHCP timeouts, boot failures, and user complaints. Never enable PortFast on a port connected to another switch — it bypasses loop protection.

  ! Enable PortFast on a specific access port:
  Switch(config)# interface GigabitEthernet0/3
  Switch(config-if)# spanning-tree portfast

  ! Enable PortFast globally on all access (non-trunk) ports:
  Switch(config)# spanning-tree portfast default

  ! Port transition with PortFast:
  Without PortFast: Link up → Blocking(20s) → Listening(15s) → Learning(15s) → Forwarding
  With PortFast:    Link up → Forwarding immediately (skips 30s delay)

  ! PortFast ports still participate in STP — they will transition
  ! to Blocking if a loop is detected.
            

BPDU Filter

BPDU Filter prevents BPDUs from being sent or received on a port. It is less commonly used than BPDU Guard because it silently suppresses BPDUs rather than error-disabling the port — this can mask loop conditions. Use with caution.

  Switch(config-if)# spanning-tree bpdufilter enable
  ! Use only on ports where BPDUs are genuinely not needed,
  ! such as provider-facing ports in Metro Ethernet designs.
            
| Feature | Triggers On | Action | Recovery | Use On |
|---|---|---|---|---|
| BPDU Guard | Receiving any BPDU | Error-disables the port immediately | Manual (shutdown/no shutdown) or errdisable recovery | Access ports connected to end devices (PCs, servers) |
| Root Guard | Receiving a superior BPDU (potential new root) | Places port in root-inconsistent state (blocking) | Automatic when superior BPDUs stop | Ports facing edge switches that should never become root |
| PortFast | Port link-up | Skips Listening and Learning → immediate Forwarding | N/A (always active on the port) | Access ports connected to end devices only |
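
The placement rules in this section can be checked against a saved configuration. The following is an added example, not part of the original page: it parses IOS-style interface stanzas and flags access ports without effective BPDU Guard, PortFast on trunks, BPDU Filter, and downstream trunks without Root Guard. The sample configuration, the finding codes and the `uplinks` parameter (the interfaces that face the legitimate root, which cannot be derived from the configuration itself) are assumptions.

```python
# Constructed sample configuration (not from a real device). Treating
# GigabitEthernet0/24 as the uplink toward the root is an assumption.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/23
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

FINDINGS = {
    "ACCESS_NO_BPDUGUARD": "access port is not protected by BPDU Guard",
    "PORTFAST_ON_TRUNK": "PortFast is configured on a trunk (switch-to-switch) port",
    "BPDU_FILTER": "BPDU Filter suppresses BPDUs and can mask a loop",
    "TRUNK_NO_ROOTGUARD": "trunk that does not face the root has no Root Guard",
}


def parse_config(config):
    """Split a configuration into ({interface: [commands]}, [global commands])."""
    interfaces, global_cmds, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[:1].isspace() and current is not None:
            interfaces[current].append(" ".join(line.split()))
        else:
            current = None  # a non-indented line or "!" ends the stanza
            if line and not line.startswith("!"):
                global_cmds.append(" ".join(line.split()))
    return interfaces, global_cmds


def audit(config, uplinks=()):
    """Return [(interface, finding_code), ...] in configuration order."""
    interfaces, global_cmds = parse_config(config)
    portfast_default = "spanning-tree portfast default" in global_cmds
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_cmds

    findings = []
    for name, cmds in interfaces.items():
        mode = next((c.split()[2] for c in cmds
                     if c.startswith("switchport mode ")), None)
        portfast = "spanning-tree portfast" in cmds
        if mode == "trunk":
            if portfast:
                findings.append((name, "PORTFAST_ON_TRUNK"))
            if name not in uplinks and "spanning-tree guard root" not in cmds:
                findings.append((name, "TRUNK_NO_ROOTGUARD"))
        elif mode == "access":
            # The global BPDU Guard default only covers PortFast-enabled ports.
            edge = portfast or portfast_default
            guarded = ("spanning-tree bpduguard enable" in cmds
                       or (bpduguard_default and edge))
            if not guarded:
                findings.append((name, "ACCESS_NO_BPDUGUARD"))
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append((name, "BPDU_FILTER"))
    return findings


if __name__ == "__main__":
    for interface, code in audit(SAMPLE_CONFIG, uplinks={"GigabitEthernet0/24"}):
        print(f"{interface}: {code} ({FINDINGS[code]})")
```

GigabitEthernet0/3 is flagged even though the global BPDU Guard default is set, because that default applies only to PortFast-enabled ports.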

10. PVST+ vs Rapid PVST+ vs MSTP

| Feature | PVST+ | Rapid PVST+ | MSTP (802.1s) |
|---|---|---|---|
| IEEE standard base | 802.1D (classic STP) | 802.1w (RSTP) | 802.1s (MSTP) |
| Convergence time | ~30–50 seconds | ~1–5 seconds | ~1–5 seconds |
| STP instances | One per VLAN | One per VLAN | One per group of VLANs (mapped to MST instances) |
| CPU/memory overhead | High (500 VLANs = 500 instances) | High (same — one per VLAN) | Low (few instances regardless of VLAN count) |
| Load balancing | Yes — different root per VLAN | Yes — different root per VLAN | Yes — different root per MST instance |
| Vendor support | Cisco only | Cisco only | Multi-vendor (IEEE standard) |
| Best for | Small Cisco-only networks with few VLANs | Cisco-only networks needing fast convergence | Large or multi-vendor networks with many VLANs |
| Cisco IOS command | spanning-tree mode pvst | spanning-tree mode rapid-pvst | spanning-tree mode mst |

Rapid PVST+ is identical to PVST+ in configuration and operation — all the same priority commands, BPDU Guard, Root Guard, and PortFast syntax work without modification. The only change is that the underlying protocol uses 802.1w mechanisms (a proposal/agreement handshake between switches) instead of timer-based transitions, reducing convergence from ~50 seconds to ~1–5 seconds. For any new Cisco deployment, Rapid PVST+ is the recommended choice.

11. Verification Commands

  ! Show STP status for all VLANs:
  Switch# show spanning-tree

  ! Show STP for a specific VLAN:
  Switch# show spanning-tree vlan 10

  VLAN0010
    Spanning tree enabled protocol ieee
    Root ID    Priority    4106            ← root bridge priority
               Address     aabb.cc00.0100  ← root bridge MAC
               Cost        4               ← cost to reach root
               Port        1 (GigabitEthernet0/1)   ← root port
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Bridge ID  Priority    32778 (priority 32768 sys-id-ext 10)
               Address     aabb.cc00.0200
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time  300 sec

  Interface        Role Sts Cost      Prio.Nbr Type
  ---------------- ---- --- --------- -------- ------
  Gi0/1            Root FWD 4         128.1    P2p
  Gi0/2            Altn BLK 4         128.2    P2p

  ! Column meanings:
  ! Role: Root (Root Port), Desg (Designated), Altn (Alternate/blocked)
  ! Sts:  FWD (Forwarding), BLK (Blocking), LRN (Learning), LIS (Listening)
  ! Cost: Path cost to root; lower = better
  ! Type: P2p (point-to-point link), Shr (shared/hub), Edge (PortFast)

  ! Summary of all STP instances:
  Switch# show spanning-tree summary

  ! Detailed per-port STP info (timers, sent/received BPDUs):
  Switch# show spanning-tree detail

  ! Verify BPDU Guard and PortFast status:
  Switch# show spanning-tree interface GigabitEthernet0/3 detail

  ! Check for err-disabled ports:
  Switch# show interfaces status err-disabled
  Switch# show errdisable recovery
            

12. Troubleshooting PVST/PVST+

| Symptom | Likely Cause | Diagnostic Steps |
|---|---|---|
| Broadcast storm / network loop | BPDUs filtered by an ACL or misconfigured BPDU Filter; PortFast enabled on a switch-to-switch link | Check CPU utilisation — a storm causes CPU to spike; show spanning-tree summary to confirm STP is running; verify no ACL blocks multicast to 0100.0CCC.CCCD |
| Suboptimal traffic path / all traffic through one switch | Root bridge is an unintended switch (e.g., lowest MAC won the election by default) | show spanning-tree vlan <id> — check "Root ID" section to see which switch is root; set explicit priorities to control root placement |
| Port stuck in Blocking/Listening/Learning | Root Guard blocking a port receiving superior BPDUs; normal STP convergence still in progress; timer issue | show spanning-tree detail — look for "root-inconsistent" state indicating Root Guard; verify timers are not misconfigured on a non-root switch |
| Port in err-disabled state (BPDU Guard triggered) | A switch or device sending BPDUs was connected to an access port protected by BPDU Guard | show interfaces status err-disabled; remove the rogue device; shutdown / no shutdown on the affected interface to restore it |
| Slow convergence after link failure (30–50s delay) | Using PVST+ (802.1D-based) instead of Rapid PVST+ | Verify with show spanning-tree summary; upgrade to Rapid PVST+: spanning-tree mode rapid-pvst |
| PVST+ and non-Cisco switch interop issue | Native VLAN mismatch; non-Cisco switch receiving PVST+ BPDUs it does not understand | Verify native VLAN matches on both ends of the trunk; non-Cisco switches will process standard BPDUs (IEEE MAC) on the native VLAN for CST interop |

13. Advantages and Disadvantages

| Advantages of PVST/PVST+ | Disadvantages of PVST/PVST+ |
|---|---|
| Per-VLAN load balancing — all physical links can carry traffic for different VLANs simultaneously | One STP instance per VLAN — in a network with 200 VLANs, 200 separate spanning tree instances are running; high CPU and memory consumption on switches |
| Granular topology control — independently optimise each VLAN's root bridge, path costs, and failover | Slow convergence (~30–50 seconds) when a link fails (unless Rapid PVST+ is used) |
| Enhanced redundancy — a failure in one VLAN's spanning tree does not affect other VLANs | Cisco-proprietary — requires Cisco switches throughout or careful PVST+ native-VLAN interop with non-Cisco devices |
| PVST+ is default — no extra configuration needed to enable per-VLAN STP on Cisco switches | More complex troubleshooting — must verify STP state per VLAN, not just overall; mismatched priorities can cause suboptimal paths on specific VLANs |
| Compatible with Rapid PVST+ — upgrading from PVST+ to Rapid PVST+ requires only a single global command with no other changes | Not scalable for large networks with hundreds of VLANs — MSTP is more appropriate in those environments |

14. Exam Tips & Key Points

  • PVST/PVST+ is Cisco-proprietary — not an IEEE standard. PVST uses ISL trunks only; PVST+ adds 802.1Q support. PVST+ is the default on all modern Cisco switches.
  • The Bridge ID = Priority + Extended System ID (VLAN) + MAC. Priority must be configured in multiples of 4096. Default priority is 32768. The switch with the lowest Bridge ID wins the root election.
  • Know the priority macro commands: spanning-tree vlan <n> root primary sets priority 24576; root secondary sets 28672.
  • Know all four port roles: Root Port (one per switch — best path to root), Designated Port (one per segment — forwards toward downstream), Alternate Port (blocked backup for root port), Backup Port (blocked backup for designated port).
  • Know all five port states: Blocking → Listening (15s) → Learning (15s) → Forwarding → Disabled. Total time without PortFast: up to 50 seconds.
  • BPDU Guard = error-disables access ports that receive BPDUs (protects against rogue switches); Root Guard = blocks ports that receive superior BPDUs (protects root bridge placement); PortFast = skips Listening/Learning on access ports for fast host connectivity. Never use PortFast on switch-to-switch links.
  • PVST/PVST+ convergence = ~30–50s. Rapid PVST+ convergence = ~1–5s. Upgrade with spanning-tree mode rapid-pvst.
  • PVST+ BPDUs use MAC 0100.0CCC.CCCD for tagged VLANs and 0180.C200.0000 (IEEE standard) for the native VLAN — enabling CST interoperability with non-Cisco switches on the native VLAN.
  • Load balancing: assign different VLANs different root bridges to utilise all physical links simultaneously. Example: Switch A = root for VLAN 10, Switch B = root for VLAN 20.
  • For large or multi-vendor networks use MSTP (802.1s) which groups VLANs into instances, dramatically reducing STP overhead.

15. Summary Reference Table

| Topic | PVST / PVST+ Detail |
|---|---|
| STP instances | One per VLAN — independent root, topology, and blocked ports per VLAN |
| Default on Cisco | Yes — PVST+ is default; enabled automatically |
| Trunk support | PVST: ISL only; PVST+: 802.1Q and ISL |
| Root bridge election | Lowest Bridge ID (priority + VLAN + MAC) per VLAN |
| Default STP priority | 32768; configure in multiples of 4096 |
| Set root (manual) | spanning-tree vlan <n> priority 4096 |
| Set root (macro) | spanning-tree vlan <n> root primary |
| Convergence | ~30–50 seconds (PVST+); ~1–5 seconds (Rapid PVST+) |
| BPDU Guard | spanning-tree bpduguard enable — err-disables port on BPDU receipt |
| Root Guard | spanning-tree guard root — blocks port if superior BPDU received |
| PortFast | spanning-tree portfast — skip Listening/Learning on access ports |
| Verify STP per VLAN | show spanning-tree vlan <n> |
| Upgrade to Rapid PVST+ | spanning-tree mode rapid-pvst |

PVST and PVST+ Quiz

1. What is the primary operational difference between traditional 802.1D STP and PVST?

Correct answer is B. PVST (Per VLAN Spanning Tree) is Cisco's proprietary enhancement of IEEE 802.1D STP. The fundamental difference is that PVST runs a completely independent spanning tree instance for every VLAN in the network. Each instance has its own root bridge, its own set of port roles (Root, Designated, Alternate), and its own blocked ports. This enables a crucial capability that classic STP cannot provide: different VLANs can use different active paths through the network, achieving true Layer 2 load balancing. With classic 802.1D, one root bridge is elected for all VLANs, all VLANs share the same active paths, and blocked links are wasted for every VLAN simultaneously.

2. A network has three switches (S1, S2, S3) connected in a triangle. VLANs 10 and 20 are configured. How does PVST+ enable load balancing across all three links?

Correct answer is D. Load balancing with PVST+ is achieved through deliberate root bridge placement. In a triangle topology (S1–S2–S3), each spanning tree instance must block exactly one link to prevent loops. By setting S1 as root for VLAN 10, that instance blocks the S2–S3 link. By setting S2 as root for VLAN 20, that instance blocks the S1–S3 link. The result: VLAN 10 traffic uses S1–S2 and S1–S3 links; VLAN 20 traffic uses S2–S1 and S2–S3 links. All three physical links are actively carrying traffic — just for different VLANs. This is configured with spanning-tree vlan 10 priority 4096 on S1 and spanning-tree vlan 20 priority 4096 on S2. Note: EtherChannel (option A) bundles physical links but does not replace per-VLAN STP load balancing — they solve different problems.

3. What specific capability does PVST+ add over original PVST, and why does this matter for modern networks?

Correct answer is C. The original PVST only worked over Cisco's ISL (Inter-Switch Link) trunk protocol — a Cisco-proprietary encapsulation that wraps the entire original frame. ISL is not supported by any other vendor and has been deprecated even by Cisco on most modern platforms. PVST+ was introduced to add support for IEEE 802.1Q — the industry-standard trunk protocol that inserts a 4-byte tag into the Ethernet frame and is supported by all vendors. PVST+ also provides interoperability with non-Cisco 802.1D switches by sending standard IEEE BPDUs on the native VLAN (untagged), allowing those switches to participate in a Common Spanning Tree (CST) while Cisco switches additionally run per-VLAN instances on tagged VLANs. This is why PVST+ is the default on all modern Cisco switches.

4. What is the destination MAC address used by PVST+ BPDUs for tagged (non-native) VLANs, and what does this tell you about interoperability?

Correct answer is A. PVST+ BPDUs for tagged (non-native) VLANs use the Cisco-proprietary destination MAC 0100.0CCC.CCCD. Non-Cisco switches do not recognise this multicast address and will not process these BPDUs — they simply forward or flood them. This means that on tagged VLANs, PVST+ instances are invisible to non-Cisco switches. The interoperability workaround is the native VLAN: PVST+ also sends standard IEEE BPDUs (destination MAC 0180.C200.0000) on the native VLAN, which non-Cisco switches process normally as part of their Common Spanning Tree (CST). This gives a partial interoperability where the native VLAN topology is shared, but all other VLANs' spanning trees are Cisco-only. Option C's MAC (0000.0C07.ACXX) belongs to HSRP virtual gateway addresses — unrelated to STP.

5. A network engineer wants Switch A to always be the root bridge for VLAN 10. All switches are at default priority (32768). What is the correct approach?

Correct answer is B. Root bridge election is won by the switch with the lowest Bridge ID. The Bridge ID combines the configured priority value (the dominant factor) and the switch's MAC address (tie-breaker). To reliably win, set a priority lower than all other switches. Since the default is 32768, setting Switch A to 4096 guarantees it wins. The exact command is spanning-tree vlan 10 priority 4096. Note that priority values must be multiples of 4096 (0, 4096, 8192, etc.) — the IOS will reject any value that is not a valid multiple. Option A describes the highest priority, which would lose the election. Option C would be above default and also lose. Option D is not valid IOS syntax — the correct shortcut is spanning-tree vlan 10 root primary.

6. A network with 500 VLANs is running PVST+. What is the primary scalability concern, and what is the recommended alternative?

Correct answer is D. Every VLAN in PVST+ runs its own completely independent spanning tree instance. Each instance sends Hello BPDUs every 2 seconds, processes topology changes, runs SPF calculations, and maintains its own state tables. At 500 VLANs, that means 500 BPDU floods every 2 seconds, 500 separate SPF recalculations per topology change, and 500× the memory overhead compared to classic STP. On lower-end switches, this can cause significant CPU overhead and slow convergence even for VLAN-specific changes. MSTP (Multiple Spanning Tree Protocol, IEEE 802.1s) solves this by grouping multiple VLANs into a single MST instance — a network might have 500 VLANs but only 3–5 MST instances, with each instance serving as the STP for its group of VLANs.

7. Which command correctly sets Switch S1 as the root bridge for VLAN 10 by assigning the lowest valid non-zero priority?

Correct answer is A. The Cisco IOS command to set the STP priority for a specific VLAN is spanning-tree vlan <vlan-id> priority <value>, entered in global configuration mode. The value must be a multiple of 4096. Setting 4096 is the lowest non-zero value, which guarantees this switch wins the root election against all switches at the default priority of 32768. The alternative macro command is spanning-tree vlan 10 root primary, which automatically sets the optimal priority. The syntax in option D reverses the vlan and priority keywords and is not accepted by IOS.

8. BPDU Guard is enabled on an access port. A technician accidentally connects a small unmanaged hub to that port, and a switch is connected to the hub. What happens and how is it resolved?

Correct answer is C. BPDU Guard is specifically designed to protect access ports from rogue switch connections. When enabled on a port, the moment any BPDU is received — regardless of the BPDU's content — the port is immediately error-disabled (err-disabled). A syslog message is generated. The port remains completely down until manually recovered. Recovery steps: (1) identify and remove the rogue device causing BPDUs; (2) recover the port with interface Gi0/x / shutdown / no shutdown. Alternatively, configure automatic recovery with errdisable recovery cause bpduguard and set an interval. Option D describes Root Guard behaviour — Root Guard blocks a port when it receives a superior BPDU (one claiming to be a better root bridge), and it recovers automatically. BPDU Guard triggers on any BPDU and requires manual recovery.

9. A network engineer notices that after a link failure, hosts on a VLAN running PVST+ cannot communicate for about 45 seconds. What is the cause, and what is the recommended fix?

Correct answer is B. PVST+ is based on the classic IEEE 802.1D STP mechanism which uses fixed timer values for state transitions. When a link fails and a blocked Alternate Port must become active, it transitions: Blocking → Listening (15s Forward Delay) → Learning (15s Forward Delay) → Forwarding. The total delay is 30 seconds minimum, often up to 50 seconds including the Max Age timer. This is the fundamental limitation of classic STP and PVST+. Rapid PVST+ (based on IEEE 802.1w RSTP) replaces the timer-based approach with a proposal/agreement handshake between adjacent switches. This allows convergence in 1–5 seconds in most cases. The upgrade is a single global command — spanning-tree mode rapid-pvst — and all priority, BPDU Guard, Root Guard, and PortFast configurations remain unchanged.

10. When should a network engineer choose MSTP over PVST+ for spanning tree management?

Correct answer is D. PVST+ and Rapid PVST+ are excellent for small to medium Cisco-only networks where per-VLAN control is valuable. As the VLAN count grows, however, the overhead becomes prohibitive — each VLAN runs its own instance with its own BPDUs, SPF calculations, and state maintenance. MSTP (Multiple Spanning Tree Protocol, IEEE 802.1s) solves this by mapping multiple VLANs to a small number of MST instances. An enterprise with 200 VLANs might configure just 3 MST instances (e.g., instance 1 for VLANs 1–100, instance 2 for VLANs 101–200, instance 0 for everything else). This gives the load balancing benefit (different instances can have different root bridges) with a fraction of the overhead. MSTP is also an IEEE standard (802.1s), making it fully interoperable across all vendor equipment — crucial in multi-vendor environments where PVST+ BPDUs are not understood by non-Cisco switches.
