Root Bridge Election – Bridge ID, Priority, PVST+ & Security

1. What Is a Root Bridge and Why Does It Exist?

In any Layer 2 network with redundant switch links, there is a risk of broadcast storms — packets looping indefinitely because switches flood broadcasts out every port except the one they arrived on. Without loop prevention, a single broadcast frame would multiply exponentially, consuming all bandwidth within milliseconds.

Spanning Tree Protocol (STP, IEEE 802.1D) solves this by electing one switch as the Root Bridge — the logical centre of the Layer 2 topology. Every other switch then calculates the single best (lowest-cost) path to reach the Root Bridge and blocks all other redundant paths. The result is a loop-free tree topology rooted at the Root Bridge, with all blocked paths kept in standby ready to activate if the primary path fails.

  Without STP — broadcast storm:
  SW1 ---- SW2
   |   \/   |       Broadcast enters SW1:
   |   /\   |       SW1 floods to SW2 and SW3
  SW3 ---- SW4       SW2 floods back to SW1, SW3, SW4
                     SW3 floods back to SW1, SW2, SW4
  Frames multiply exponentially -- 100% bandwidth consumed
  MAC table flaps -- network unusable within seconds

  With STP -- loop-free tree:
        SW1 (Root Bridge)
       /       \
     SW2        SW3
       \       /
        SW4 (one port BLOCKED)

  SW4's blocked port stops the loop. If SW1-SW2 link fails,
  the blocked port automatically unblocks to restore connectivity.


2. Bridge ID (BID) — Structure and Components

Every switch has a unique Bridge ID (BID) used for Root Bridge election. The BID is an 8-byte value composed of two fields: a 2-byte priority and a 6-byte MAC address. The switch with the lowest BID wins the election.

  Bridge ID structure (8 bytes total):

  +------------------+-------------------+------------------------------+
  |  Bridge Priority |  Extended Sys ID  |        MAC Address           |
  |   (4 bits)       |    (12 bits)      |         (6 bytes)            |
  +------------------+-------------------+------------------------------+
  |  Bits 15-12      |   Bits 11-0       |   AA:BB:CC:DD:EE:FF          |
  +------------------+-------------------+------------------------------+

  Priority field (16 bits = 2 bytes) broken into two sub-fields:
  - 4-bit priority multiplier:  valid values 0-15 (steps of 4096)
  - 12-bit Extended System ID:  contains the VLAN number

  Example for VLAN 10 with priority 32768:
  Priority bits: 32768 / 4096 = 8 (binary: 1000)
  Extended Sys ID = 10 (VLAN 10 in decimal)
  Actual BID priority field = (8 x 4096) + 10 = 32778

  Example for VLAN 1 with priority 32768:
  Actual BID priority field = 32768 + 1 = 32769

  This is why default priority for VLAN 1 = 32769, not 32768!

| BID Component | Size | Default Value | Function |
| --- | --- | --- | --- |
| Bridge Priority | 4 bits (of the 2-byte priority field) | 32768 (binary: 1000 0000 0000 0000) | Administratively configurable; primary election criterion. Must be a multiple of 4096 (0–61440) |
| Extended System ID | 12 bits (of the 2-byte priority field) | VLAN number (e.g., 1 for VLAN 1) | Automatically added by the switch to identify the VLAN. This is why per-VLAN priorities differ by VLAN ID |
| MAC Address | 6 bytes (48 bits) | Switch's base MAC address (burned-in) | Tiebreaker when priorities are equal — lower MAC wins |

Extended System ID is the most common exam trap: When you configure spanning-tree vlan 10 priority 32768, the actual priority shown in show spanning-tree vlan 10 will be 32778 (32768 + 10). For VLAN 1 it will show 32769. Always account for the VLAN ID addition when calculating effective BID values.

3. Root Bridge Election — Step-by-Step Algorithm

The election begins when switches first connect and start exchanging BPDUs (Bridge Protocol Data Units). Every switch initially assumes it is the Root Bridge and advertises its own BID as the Root ID in its BPDUs. Switches update their view of the root as they receive BPDUs with lower BIDs.

  Election algorithm:

  Step 1: Every switch powers on and sends BPDUs claiming to be root.
          BPDU contains: Root ID = own BID, Path Cost = 0, Sender BID = own BID

  Step 2: Each switch compares received Root ID with its own BID.
          If received Root ID is LOWER than current best root -> update root

  Step 3: After the max-age timer (20 sec default), the switch with the
          lowest BID is agreed upon as the Root Bridge.

  Step 4: The Root Bridge sends Hello BPDUs every 2 seconds on all ports.
          All other switches relay these BPDUs to their downstream neighbours.

  Election decision:
  Compare Priority first:
    Lower priority number wins (e.g., 4096 beats 32768)
  If priority is TIED:
    Compare MAC address (lower MAC wins)
    MAC: 0000.AAAA.AAAA beats 0000.BBBB.BBBB

  Example election (4 switches, VLAN 1):
  SW1: Priority 32769, MAC 0011.1111.1111  -> non-root
  SW2: Priority  4097, MAC 0022.2222.2222  -> ROOT (lowest priority)
  SW3: Priority 32769, MAC 0033.3333.3333  -> non-root
  SW4: Priority 32769, MAC 0044.4444.4444  -> non-root

  SW2 wins because 4097 < 32769 regardless of MAC addresses.

Election with Equal Priorities — MAC Tiebreaker

  All four switches have default priority (VLAN 1 = 32769):
  SW1: Priority 32769, MAC 0011.1111.1111  -> ROOT (lowest MAC)
  SW2: Priority 32769, MAC 0022.2222.2222
  SW3: Priority 32769, MAC 0033.3333.3333
  SW4: Priority 32769, MAC 0044.4444.4444

  SW1 wins because all priorities equal; SW1 has lowest MAC.
  This is dangerous in production -- the switch with lowest MAC
  (often oldest hardware) becomes root unintentionally.
  Always configure priority explicitly on your intended root!

4. Bridge Priority Configuration

Priority must be a multiple of 4096 (due to the 4-bit priority field). Valid values: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440.

! ── Method 1: Set explicit priority value ─────────────────────────────────
! Best for precise control; value shown in output = priority + VLAN ID
Switch(config)# spanning-tree vlan 10 priority 4096
! Effective BID priority = 4096 + 10 = 4106

Switch(config)# spanning-tree vlan 10 priority 0
! Priority 0 guarantees this switch becomes root for VLAN 10
! (0 + 10 = 10; no other switch can beat this unless also set to 0)

! ── Method 2: spanning-tree root macro (recommended) ─────────────────────
! Automatically sets priority to 24576 (primary) or 28672 (secondary)
! and adjusts timers. Cisco best practice for production.

Switch(config)# spanning-tree vlan 10 root primary
! Sets priority to 24576 for VLAN 10 (or lower if current root has <= 24576)
! Effective: 24576 + 10 = 24586

Switch(config)# spanning-tree vlan 10 root secondary
! Sets priority to 28672 for VLAN 10 -- becomes root if primary fails
! Effective: 28672 + 10 = 28682

! ── Verify priority configured ────────────────────────────────────────────
Switch# show spanning-tree vlan 10 | include Priority
  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
  Root ID    Priority    24586

| Priority Value | What It Means | When to Use |
| --- | --- | --- |
| 0 | Absolute lowest — guarantees root status (effective = VLAN ID only) | When you must guarantee this switch is root regardless of any other switch; use carefully |
| 4096 | Very low — highly likely to be root | Primary root in multi-switch environments |
| 8192 | Low | Secondary root (backup if primary fails) |
| 24576 | Below default — set by root primary macro | Cisco recommended for primary root bridge designation |
| 28672 | Slightly below default — set by root secondary macro | Cisco recommended for secondary/backup root bridge |
| 32768 | Default — effective value = 32768 + VLAN ID (e.g., 32769 for VLAN 1) | Unmodified switch; random root election based on MAC |
| 61440 | Highest configurable — almost never becomes root | Explicitly prevent a switch from becoming root |
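
To make the BID arithmetic and the election rule of sections 2 to 4 concrete, here is an added Python example (not code from the original page or from Cisco): it accepts only the priorities IOS accepts, computes the effective per-VLAN priority, and runs the lowest-BID election; it also runs that election per VLAN the way PVST+ does. Switch names and MAC addresses are constructed from the examples above.

```python
"""Effective Bridge ID and per-VLAN Root Bridge election.

Added example (not from the original page): models the BID arithmetic and the
election rule described above; switch names and MACs are constructed."""
from dataclasses import dataclass, field

PRIORITY_STEP = 4096                 # 4-bit multiplier = top nibble of the 16-bit field
MAX_PRIORITY = 15 * PRIORITY_STEP    # 61440
DEFAULT_PRIORITY = 32768


def is_valid_priority(priority: int) -> bool:
    """IOS accepts only 0..61440 in steps of 4096 (so 4097 is rejected)."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def effective_priority(priority: int, vlan: int) -> int:
    """Configured priority plus the 12-bit Extended System ID (the VLAN number).

    The low 12 bits of a valid priority are zero, so OR-ing in the VLAN gives
    exactly the 'priority + VLAN' value printed by show spanning-tree."""
    if not is_valid_priority(priority):
        raise ValueError(f"% Bridge Priority must be in increments of {PRIORITY_STEP}")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094 (12-bit field)")
    return priority | vlan


def mac_bytes(mac: str) -> bytes:
    """Accepts '0011.1111.1111' or '00:11:11:11:11:11'; returns 6 raw bytes."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return bytes.fromhex(digits)


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str
    priority: dict = field(default_factory=dict)   # per-VLAN configured priority

    def bridge_id(self, vlan: int) -> tuple:
        """(effective priority, MAC bytes). Python's tuple ordering is exactly
        the STP rule: lower priority first, lower MAC as the tiebreaker."""
        configured = self.priority.get(vlan, DEFAULT_PRIORITY)
        return (effective_priority(configured, vlan), mac_bytes(self.mac))


def elect_root(switches: list, vlan: int) -> tuple:
    """Return (name, effective priority) of the switch with the lowest BID."""
    winner = min(switches, key=lambda s: s.bridge_id(vlan))
    return winner.name, winner.bridge_id(vlan)[0]


def roots_per_vlan(switches: list, vlans) -> dict:
    """PVST+: an independent election per VLAN."""
    return {v: elect_root(switches, v)[0] for v in vlans}


# Constructed sample topologies (names and MACs follow the examples on this page).
DEFAULT_SITE = [Switch("SW1", "0011.1111.1111"), Switch("SW2", "0022.2222.2222"),
                Switch("SW3", "0033.3333.3333"), Switch("SW4", "0044.4444.4444")]

# SW-Core-A: root primary (24576) for VLANs 10 and 30, secondary (28672) for 20;
# SW-Core-B: the mirror image. SW-Dist-1 is left at the default.
PVST_CORE = [Switch("SW-Core-A", "0011.1111.1111", {10: 24576, 30: 24576, 20: 28672}),
             Switch("SW-Core-B", "0022.2222.2222", {20: 24576, 10: 28672, 30: 28672}),
             Switch("SW-Dist-1", "0033.3333.3333")]

if __name__ == "__main__":
    print("VLAN 1, all defaults:", elect_root(DEFAULT_SITE, 1))   # SW1 wins on lowest MAC
    print("PVST+ roots:", roots_per_vlan(PVST_CORE, [10, 20, 30]))
    print("priority 4097 valid?", is_valid_priority(4097))       # False, as IOS rejects it
```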

5. Root Bridge Placement — Impact on Traffic Flow

Where the Root Bridge is placed determines how traffic flows through the entire Layer 2 network. STP builds all paths relative to the Root Bridge, so placing it poorly causes traffic to take suboptimal routes.

  Suboptimal root placement (root at access layer):

                   [Access-SW1] <-- ROOT
                  /              \
          [Distribution-SW1]  [Distribution-SW2]
                  \              /
                   [Core-Switch]

  Problem: Traffic between servers (on Core) must travel UP to Access-SW1
  (Root) and back DOWN -- wasting bandwidth on access-layer links.
  Access switches have lower bandwidth (1G) while core has 10G/40G.

  Optimal root placement (root at core/distribution):

                   [Core-Switch] <-- ROOT
                  /              \
          [Distribution-SW1]  [Distribution-SW2]
              /     \              /     \
         [Access]  [Access]  [Access]  [Access]

  Traffic flows UP the tree (high-speed core links) and ACROSS.
  Access-layer ports that lead AWAY from root get blocked --
  these are lower-bandwidth links anyway, so correct behaviour.
Design rule: In a three-tier campus network (core, distribution, access), place the Root Bridge at the core layer. Place the secondary (backup) root at another core switch. This ensures inter-VLAN and server traffic always uses the highest-speed links. Never let an access-layer switch become root — it would funnel all traffic through low-speed access links.

6. PVST+ — Per-VLAN Root Bridge Election

Cisco's PVST+ (Per-VLAN Spanning Tree Plus) runs a separate, independent STP instance for each VLAN. This allows different VLANs to have different Root Bridges, enabling load balancing across redundant uplinks.

  PVST+ Load Balancing Example:

  Two core switches connected to two distribution switches:

                 SW-Core-A            SW-Core-B
                (Root VLAN10)        (Root VLAN20)
                /         \          /         \
           SW-Dist-1    SW-Dist-2  SW-Dist-3  SW-Dist-4

  VLAN 10 tree: SW-Core-A is root
    All VLAN 10 traffic flows through SW-Core-A
    SW-Core-B ports for VLAN 10 are blocked

  VLAN 20 tree: SW-Core-B is root
    All VLAN 20 traffic flows through SW-Core-B
    SW-Core-A ports for VLAN 20 are blocked

  Result: Both uplinks carry traffic simultaneously
  (for different VLANs) -- bandwidth is fully utilised!
! Configure SW-Core-A as root for odd VLANs, secondary for even:
SW-Core-A(config)# spanning-tree vlan 10,30,50 root primary
SW-Core-A(config)# spanning-tree vlan 20,40,60 root secondary

! Configure SW-Core-B as root for even VLANs, secondary for odd:
SW-Core-B(config)# spanning-tree vlan 20,40,60 root primary
SW-Core-B(config)# spanning-tree vlan 10,30,50 root secondary

! Verify per-VLAN root status:
SW-Core-A# show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: Vlan0010 Vlan0030 Vlan0050

SW-Core-A# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.1111.1111
             This bridge is the root     <-- confirms root status
  ...

| STP Variant | Root Elections | Load Balancing | Notes |
| --- | --- | --- | --- |
| STP (802.1D) | One per network (all VLANs share same tree) | Not possible | Single Common Spanning Tree (CST); one blocked port is blocked for ALL VLANs |
| PVST / PVST+ | One per VLAN | Yes — different roots per VLAN | Cisco proprietary; PVST+ adds 802.1Q trunk support; default on Cisco switches |
| RSTP (802.1w) | One per network | Not possible | Faster convergence than STP; same single-tree limitation |
| Rapid PVST+ (802.1w) | One per VLAN | Yes | Cisco default on modern switches; combines RSTP speed with PVST+ per-VLAN elections |
| MST (802.1s) | One per MST instance (groups of VLANs) | Yes — per instance | Most scalable; multiple VLANs share an instance; reduces BPDU overhead compared to PVST+ |

7. Verifying Root Bridge Status — show spanning-tree Output

! ── On the ROOT BRIDGE itself ──────────────────────────────────────────────
SW-Core-A# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.1111.1111
             This bridge is the root          <-- KEY: confirms this is root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     0011.1111.1111
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
! Root bridge: ALL ports are DESIGNATED (Desg) -- root never has root ports

! ── On a NON-ROOT switch ───────────────────────────────────────────────────
SW-Access-1# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.1111.1111       <-- Root bridge MAC (NOT this switch)
             Cost        4                    <-- Path cost to reach root
             Port        1 (GigabitEthernet0/1) <-- Port facing root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0044.4444.4444       <-- THIS switch's MAC
             ...

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi0/1               Root FWD 4         128.1    P2p   <-- faces root bridge
Gi0/2               Altn BLK 4         128.2    P2p   <-- BLOCKED (alternate)
Gi0/3               Desg FWD 4         128.3    P2p   <-- faces downstream switch

! Interpreting output:
! Root ID section: shows who the root is (MAC + priority)
! Bridge ID section: shows THIS switch's own BID
! If Root ID MAC = Bridge ID MAC: THIS switch IS the root
! If "This bridge is the root" appears: confirms root status
! Port roles: Root (best path to root), Desg (root-facing downstream),
!             Altn (blocked backup), Bkup (blocked redundant on same segment)

Key show spanning-tree Commands

Switch# show spanning-tree                 ! All VLANs summary
Switch# show spanning-tree vlan 10         ! Detailed for VLAN 10
Switch# show spanning-tree vlan 10 detail  ! Very verbose -- all port details
Switch# show spanning-tree summary         ! Which VLANs this switch is root for
Switch# show spanning-tree root            ! Root bridge info for all VLANs (table)
Switch# show spanning-tree interface Gi0/1 ! STP status for one interface

8. Root Bridge Election During Network Changes

The Root Bridge election is not a one-time event — it can re-trigger whenever the network topology changes.

| Trigger Event | What Happens | Impact |
| --- | --- | --- |
| New switch joins with lower BID | The new switch sends superior BPDUs; existing switches update their root view; new switch becomes root | Full STP reconvergence — ports transition through Blocking → Listening → Learning → Forwarding (up to 50 sec in classic STP; ~1 sec in RSTP) |
| Current Root Bridge fails | Remaining switches stop receiving Hello BPDUs; after Max Age timer (20 sec), they declare root as lost and hold a new election | Network disruption during the Max Age + convergence period (up to 50+ sec in STP; faster in RSTP) |
| Priority manually changed | Switch sends new BPDUs with updated priority; if new priority is lower than current root, election re-runs | Controlled reconvergence — schedule changes during maintenance windows |
| Link failure on non-root switch | Affected switch recalculates paths to root; may trigger a port state change but not a new root election (root is still present) | Local reconvergence on affected switch only |

STP reconvergence times: Classic STP (802.1D) can take up to 50 seconds to reconverge (20 sec Max Age + 15 sec Listening + 15 sec Learning). RSTP (802.1w) typically converges in 1–2 seconds using proposal/agreement handshakes. This is the primary reason Rapid PVST+ (RSTP per VLAN) is now the default on Cisco switches.

9. RSTP and Root Bridge Election

RSTP (Rapid Spanning Tree Protocol, 802.1w) uses the same Root Bridge election algorithm as classic STP — lowest BID wins — but dramatically accelerates the convergence process after the election.

| Feature | STP (802.1D) | RSTP (802.1w) |
| --- | --- | --- |
| Election algorithm | Lowest BID wins | Identical — lowest BID wins |
| BPDU origination | Only Root Bridge originates BPDUs; others relay | Every switch originates BPDUs every 2 sec |
| BPDU version field | Version 0 | Version 2 |
| Convergence time | 30–50 seconds | 1–2 seconds (proposal/agreement mechanism) |
| Port states | Blocking, Listening, Learning, Forwarding, Disabled | Discarding, Learning, Forwarding (3 states) |
| Port roles | Root, Designated, Blocked | Root, Designated, Alternate, Backup, Disabled |
| Failure detection | Max Age timer (20 sec) | 3 missed Hello intervals (6 sec) |

See RSTP (Rapid STP) Lab for detailed coverage of the proposal/agreement mechanism and port role differences.

10. Security — Root Guard and BPDU Guard

The Root Bridge election mechanism can be exploited by an attacker who connects a switch with a lower BID, causing a rogue switch to be elected Root Bridge. This redirects all Layer 2 traffic through the attacker's switch, enabling man-in-the-middle attacks.

  Rogue Root Bridge attack:

  SW-Core (Priority 4097) -- legitimate Root Bridge
  |
  SW-Distribution
  |         |
  SW-Access  [Attacker's switch: Priority 0] <-- plugged into access port
                       ^
                       Sends BPDUs with Priority 0 claiming to be root
                       All traffic redirects through attacker's switch
                       Attacker captures data in transit

Root Guard

Root Guard prevents a port from ever becoming a Root Port — it will never accept a superior BPDU that would make the connected switch the new Root Bridge. If a superior BPDU is received, the port is placed in a root-inconsistent state (effectively blocking) and generates a syslog message.

! Enable Root Guard on distribution-facing ports
! (ports that should NEVER receive superior BPDUs from a new root)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree guard root

! Verify Root Guard status:
Switch# show spanning-tree inconsistentports

Name                    Interface              Inconsistency
----------------------- ---------------------- ------------------
VLAN0010                GigabitEthernet0/1     Root Inconsistent

! The port is blocking (protecting the topology)
! When the superior BPDUs stop, the port automatically recovers

BPDU Guard

BPDU Guard is used on PortFast-enabled access ports (ports connected to end devices like PCs and printers that should never receive BPDUs). If any BPDU is received on a BPDU Guard port, the port is immediately placed in an err-disabled state (shut down). This prevents a rogue switch from connecting to an access port and influencing STP.

! Enable BPDU Guard globally on all PortFast ports:
Switch(config)# spanning-tree portfast bpduguard default

! Enable BPDU Guard on a specific interface:
Switch(config)# interface GigabitEthernet0/10
Switch(config-if)# spanning-tree bpduguard enable

! Verify err-disabled ports:
Switch# show interfaces status err-disabled
Port      Name     Status         Reason           Err-disabled Vlans
Gi0/10             err-disabled   bpduguard

! Re-enable after resolving the cause:
Switch(config)# interface GigabitEthernet0/10
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

| Feature | Root Guard | BPDU Guard |
| --- | --- | --- |
| Protects against | Rogue root bridge on uplink/trunk ports | Rogue switch on access/PortFast ports |
| Triggers on | Superior BPDU received (would change root) | Any BPDU received (even inferior) |
| Port action | Port enters root-inconsistent state (blocking) | Port enters err-disabled state (shutdown) |
| Recovery | Automatic — recovers when superior BPDUs stop | Manual — requires shutdown / no shutdown (or auto-recovery timer) |
| Applied to | Designated ports facing potential rogue roots (distribution, access uplinks) | Access ports with PortFast (connected to PCs, printers — never switches) |
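
The following added Python example (not code from the original page and a simplified model, not Cisco's implementation) shows the difference between the two guards from the receiving port's side: it parses an 802.1D/802.1w configuration BPDU out of a raw frame and reports what Root Guard or BPDU Guard would do with it. The three frames are constructed test vectors for VLAN 10 with SW-Core-A (priority 24586, MAC 0011.1111.1111) as the current root, using the IEEE LLC 0x42 encapsulation rather than Cisco's PVST+ SNAP encapsulation.

```python
"""Parse STP/RSTP configuration BPDUs and evaluate port guards.

Added example, not from the original page: a simplified model of the Root Guard
and BPDU Guard rules described above, not Cisco's implementation."""
import struct
from dataclasses import dataclass
from typing import Optional

STP_MCAST = bytes.fromhex("0180c2000000")   # 802.1D bridge-group destination MAC
LLC_STP = bytes.fromhex("424203")           # DSAP 0x42, SSAP 0x42, UI control field
CONFIG_BPDU, RST_BPDU = 0x00, 0x02          # BPDU types that carry a Root ID
BPDU_OFFSET = 6 + 6 + 2 + 3                 # dst, src, 802.3 length, LLC header


@dataclass(frozen=True, order=True)
class BridgeId:
    """8-byte Bridge ID. order=True compares priority first, then MAC: lower wins."""
    priority: int   # 16-bit field: 4-bit multiplier | 12-bit sys-id-ext (VLAN)
    mac: bytes      # 6-byte base MAC

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack("!H", raw[:2])[0], bytes(raw[2:8]))

    def describe(self) -> str:
        """Same breakdown as show spanning-tree: 24586 (priority 24576 sys-id-ext 10)."""
        return (f"{self.priority} (priority {self.priority & 0xF000} "
                f"sys-id-ext {self.priority & 0x0FFF}) {self.mac.hex()}")


@dataclass(frozen=True)
class Bpdu:
    version: int        # 0 = STP (802.1D), 2 = RSTP (802.1w)
    bpdu_type: int
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    port_id: int


def parse_bpdu_frame(frame: bytes) -> Optional[Bpdu]:
    """Return the BPDU inside an 802.3/LLC frame, or None for anything that is
    not a configuration/RST BPDU sent to the STP multicast address."""
    if len(frame) < BPDU_OFFSET + 35:
        return None
    if frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    b = frame[BPDU_OFFSET:]
    protocol_id, version, bpdu_type = struct.unpack("!HBB", b[:4])
    if protocol_id != 0 or bpdu_type not in (CONFIG_BPDU, RST_BPDU):
        return None                          # TCN BPDUs (0x80) carry no Root ID
    root_id = BridgeId.from_bytes(b[5:13])   # byte 4 is the flags octet
    (root_path_cost,) = struct.unpack("!I", b[13:17])
    sender_id = BridgeId.from_bytes(b[17:25])
    (port_id,) = struct.unpack("!H", b[25:27])
    return Bpdu(version, bpdu_type, root_id, root_path_cost, sender_id, port_id)


def guard_action(bpdu: Bpdu, guard: str, current_root: BridgeId) -> str:
    """Port outcome for one received BPDU.
    bpduguard: any BPDU at all -> err-disable (the sender's BID is irrelevant).
    rootguard: only a BPDU advertising a Root ID lower than the current root is
               superior -> root-inconsistent; inferior claims are simply accepted."""
    if guard == "bpduguard":
        return "err-disable"
    if guard == "rootguard" and bpdu.root_id < current_root:
        return "root-inconsistent"
    return "accept"


# Constructed sample frames (not captures). Field order after the LLC header:
# protocol(2) version(1) type(1) flags(1) rootID(8) cost(4) bridgeID(8) portID(2)
# msgAge(2) maxAge(2) hello(2) fwdDelay(2) [v1length(1) for RSTP]. Times in 1/256 s.
LEGIT_ROOT = bytes.fromhex(                  # SW-Core-A, priority 24576 + VLAN 10
    "0180c2000000" "001111111111" "0026" "424203"
    "0000" "00" "00" "00" "600a001111111111" "00000000"
    "600a001111111111" "8001" "0000" "1400" "0200" "0f00")
ROGUE_PRIO0 = bytes.fromhex(                 # RST BPDU claiming priority 0 + VLAN 10
    "0180c2000000" "00aabbccdd01" "0027" "424203"
    "0000" "02" "02" "00" "000a00aabbccdd01" "00000000"
    "000a00aabbccdd01" "8001" "0000" "1400" "0200" "0f00" "00")
DEFAULT_PRIO = bytes.fromhex(                # new switch at default 32768 + VLAN 10
    "0180c2000000" "004444444444" "0026" "424203"
    "0000" "00" "00" "00" "800a004444444444" "00000000"
    "800a004444444444" "8001" "0000" "1400" "0200" "0f00")
CURRENT_ROOT = BridgeId(24586, bytes.fromhex("001111111111"))


def evaluate(frames, guard: str, current_root: BridgeId = CURRENT_ROOT) -> list:
    """Guard action per frame; None where the frame is not a config/RST BPDU."""
    results = []
    for frame in frames:
        bpdu = parse_bpdu_frame(frame)
        results.append(guard_action(bpdu, guard, current_root) if bpdu else None)
    return results


if __name__ == "__main__":
    for name, frame in (("legit", LEGIT_ROOT), ("rogue", ROGUE_PRIO0), ("default", DEFAULT_PRIO)):
        bpdu = parse_bpdu_frame(frame)
        print(f"{name:8} root={bpdu.root_id.describe():52} "
              f"rootguard={guard_action(bpdu, 'rootguard', CURRENT_ROOT):18} "
              f"bpduguard={guard_action(bpdu, 'bpduguard', CURRENT_ROOT)}")
```

Note that the default-priority claim (the quiz 3 scenario) is accepted by Root Guard because it is inferior, while BPDU Guard err-disables the port on all three frames alike.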

11. Troubleshooting Root Bridge Issues

| Symptom | Likely Cause | Diagnostic Command | Fix |
| --- | --- | --- | --- |
| Wrong switch is Root Bridge | Priority not configured on intended root; default priority (32768) on all switches leaves election to lowest MAC address | show spanning-tree vlan [id] — check Root ID MAC and compare to intended root | spanning-tree vlan [id] root primary on intended root switch |
| Suboptimal traffic paths (traffic using slow links) | Root Bridge is in access/distribution layer instead of core; STP builds paths toward wrong location | show spanning-tree vlan [id] — check Root ID; trace path using Root Port chain | Move root to core switch; configure per-VLAN roots with PVST+ for load balancing |
| Root Bridge keeps changing (flapping) | Unstable link to current root; rogue switch advertising lower BID; misconfigured priority | debug spanning-tree events; show logging for topology change messages | Enable Root Guard on appropriate ports; check cabling; verify no unauthorised switches connected |
| Port stuck in root-inconsistent state | Root Guard triggered — superior BPDUs arriving on a Root Guard port | show spanning-tree inconsistentports | Investigate source of superior BPDUs; remove rogue switch; Root Guard auto-recovers when BPDUs stop |
| Port stuck in err-disabled | BPDU Guard triggered — BPDU received on PortFast port (switch connected to access port) | show interfaces status err-disabled | Remove the switch from the access port; fix the cause; shutdown / no shutdown on the port to restore |

12. Complete Configuration Example — Core/Distribution/Access

! Topology: Core switch (SW-Core), two Distribution switches (SW-Dist-1, SW-Dist-2),
!           two Access switches (SW-Access-1, SW-Access-2)
! Goal: SW-Core is root for all VLANs; SW-Dist-1 is secondary root

! ── SW-Core: Primary Root for all VLANs ───────────────────────────────────
SW-Core(config)# spanning-tree mode rapid-pvst

SW-Core(config)# spanning-tree vlan 1,10,20,30 root primary
! Sets priority 24576 for each VLAN (effective: 24577/24586/24596/24606)

! Enable Root Guard on downlink ports (no superior BPDUs should come from
! distribution/access switches)
SW-Core(config)# interface range GigabitEthernet0/1 - 4
SW-Core(config-if-range)# spanning-tree guard root

! ── SW-Dist-1: Secondary Root for all VLANs ───────────────────────────────
SW-Dist-1(config)# spanning-tree mode rapid-pvst
SW-Dist-1(config)# spanning-tree vlan 1,10,20,30 root secondary
! Sets priority 28672

! ── SW-Access-1: PortFast and BPDU Guard on host ports ────────────────────
SW-Access-1(config)# spanning-tree mode rapid-pvst

! Enable PortFast and BPDU Guard on all access host ports:
SW-Access-1(config)# interface range FastEthernet0/1 - 24
SW-Access-1(config-if-range)# switchport mode access
SW-Access-1(config-if-range)# spanning-tree portfast
SW-Access-1(config-if-range)# spanning-tree bpduguard enable

! ── Verify from SW-Core ────────────────────────────────────────────────────
SW-Core# show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: Vlan0001 Vlan0010 Vlan0020 Vlan0030

SW-Core# show spanning-tree vlan 10
VLAN0010
  Root ID    Priority    24586
             Address     aabb.cc00.0100
             This bridge is the root

SW-Core# show spanning-tree root
                                        Root    Hello Max Fwd
Vlan          Root ID          Cost    Time  Age Dly  Root Port
Vlan0001    24577 aabb.cc00.0100    0    2    20  15
Vlan0010    24586 aabb.cc00.0100    0    2    20  15
Vlan0020    24596 aabb.cc00.0100    0    2    20  15

13. Key Points & Exam Tips

  • Root Bridge election = lowest BID wins. BID = Priority + Extended System ID + MAC. Priority compared first; MAC is tiebreaker only when priorities are equal.
  • Extended System ID: VLAN number is added to the priority field. Default priority for VLAN 1 = 32769 (32768 + 1). For VLAN 10 = 32778 (32768 + 10). This is the most common exam calculation trap.
  • Priority must be a multiple of 4096: Valid values are 0, 4096, 8192 ... 61440. Setting any other value is rejected by Cisco IOS.
  • Use spanning-tree vlan [id] root primary (sets 24576) and root secondary (sets 28672) for clean production configuration.
  • Root Bridge has ALL designated ports — it never has a Root Port (there is no "path to itself"). If you see a Root Port on a switch, that switch is NOT the root.
  • PVST+ runs independent elections per VLAN — enables load balancing by assigning different VLANs to different root bridges.
  • RSTP uses the same election algorithm as STP but every switch originates BPDUs (not just the root) and failure detection uses 3 × Hello interval (6 sec) instead of Max Age (20 sec).
  • Root Guard → used on trunk/designated ports facing possible rogue roots; places port in root-inconsistent (blocking) state on superior BPDU; auto-recovers. BPDU Guard → used on access PortFast ports; places port in err-disabled on ANY BPDU; requires manual recovery.
  • Verify with: show spanning-tree vlan [id], show spanning-tree summary, show spanning-tree root, show spanning-tree inconsistentports.
  • Root placement best practice: Core layer switch = root; distribution switch = secondary root. Never let access-layer switches become root.


14. Root Bridge Election Quiz

1. Four switches all have default bridge priority (32768) on VLAN 1. Their MAC addresses are: SW1: 0011.1111.1111, SW2: 0022.2222.2222, SW3: 0033.3333.3333, SW4: 0044.4444.4444. Which switch becomes Root Bridge, and what is its effective BID priority for VLAN 1?

Correct answer is B. When all switches have the same bridge priority, the MAC address is the tiebreaker — the switch with the lowest MAC address wins. SW1's MAC (0011.1111.1111) is numerically the lowest of the four, so SW1 becomes Root Bridge. The effective BID priority is not simply 32768 — the Extended System ID adds the VLAN number to the priority field. For VLAN 1, the effective priority = 32768 + 1 = 32769. This is a critical detail: the output of show spanning-tree vlan 1 will show "Priority 32769" even though the configured priority is 32768. This scenario also illustrates why default priorities are dangerous in production — the switch with the lowest MAC (often the oldest hardware) becomes root, regardless of its position in the network or its processing capability.

2. An engineer configures spanning-tree vlan 20 priority 32768 on SW-Core. What value will show spanning-tree vlan 20 display for the Bridge Priority, and why does it differ from the configured value?

Correct answer is D. The Extended System ID is a 12-bit field within the 2-byte BID priority field that automatically contains the VLAN number. When you configure spanning-tree vlan 20 priority 32768, the switch stores the configurable portion as 32768 but when building the actual BID for VLAN 20, it adds the Extended System ID (20) to produce 32788. The show spanning-tree vlan 20 output will display: "Priority 32788 (priority 32768 sys-id-ext 20)" — the parenthetical clarifies the breakdown. This applies to every VLAN: VLAN 1 adds 1 to get 32769, VLAN 100 adds 100 to get 32868, and so on. Understanding this is essential for correctly calculating which switch will win a Root Bridge election across multiple VLANs with the same configured priority base.

3. SW-A (Priority 4096, VLAN 1 effective: 4097) is the current Root Bridge. A new switch SW-X is added to the network with its default priority. SW-X has MAC address 0000.0000.0001 (the lowest MAC on the network). What happens, and who is Root Bridge after SW-X joins?

Correct answer is C. This question tests the critical understanding that priority is always compared before MAC address. The MAC address is ONLY used as a tiebreaker when priorities are exactly equal. SW-X has default priority = effective BID of 32769 for VLAN 1. SW-A has configured priority 4096 = effective BID of 4097 for VLAN 1. Since 4097 < 32769, SW-A wins regardless of MAC addresses. SW-X sends BPDUs claiming to be root (BID = 32769 + 0000.0000.0001), but when SW-A receives these BPDUs, it compares them to its own BID (4097) and finds its own BID is lower. SW-A ignores SW-X's root claim, since SW-X's BPDUs are inferior, and continues advertising itself as root. A new election does technically re-run when SW-X joins, but SW-A wins immediately. This scenario shows why configuring priority on your intended root is the only reliable way to ensure correct root placement.

4. A network engineer runs show spanning-tree vlan 10 on SW-Access-1 and sees the output includes "Root Port: GigabitEthernet0/1" and also "This bridge is the root." Is this output valid, and what does it tell you?

Correct answer is A. This is a fundamentally contradictory output. By definition, the Root Bridge is the reference point of the entire STP tree — ALL paths lead TO it; no paths lead FROM it toward another root. The Root Port is defined as "the port on a non-root switch with the lowest-cost path to the Root Bridge." Since the Root Bridge IS the root, it has no path to travel to reach itself — it cannot have a Root Port. All ports on the Root Bridge are Designated ports (they forward traffic and represent the root bridge toward downstream segments). If a switch's show spanning-tree output simultaneously shows "This bridge is the root" and a Root Port, something is wrong — this could be a display glitch, a bug, or the switch is actually not the root for that VLAN (the message may be leftover from a previous state). Always verify with the Root ID section: if Root ID MAC matches Bridge ID MAC, the switch is the root and should have no Root Port.

5. A network uses PVST+ with two core switches (SW-Core-A and SW-Core-B) and two distribution switches. Both uplinks (SW-Core-A and SW-Core-B) carry all VLANs (10, 20, 30). Currently SW-Core-A is root for all VLANs. The team notices that the SW-Core-B uplinks are completely idle. What configuration change would utilise both uplinks?

Correct answer is C. This is the primary use case for PVST+ per-VLAN root bridge configuration. When SW-Core-A is root for ALL VLANs, STP blocks all SW-Core-B uplinks for all VLANs (since they are not the best path to root). The SW-Core-B links exist for redundancy but carry zero traffic under normal conditions — a waste of bandwidth. PVST+ solves this by running separate STP elections per VLAN. By making SW-Core-A root for VLANs 10 and 30 (and secondary for VLAN 20) and SW-Core-B root for VLAN 20 (and secondary for VLANs 10 and 30): VLAN 10 and 30 traffic flows through SW-Core-A's links; VLAN 20 traffic flows through SW-Core-B's links. Both uplinks now carry traffic simultaneously for different VLANs. Option A (EtherChannel) is valid for different scenarios but EtherChannel between core switches doesn't directly solve per-VLAN load balancing — and EtherChannel and STP interact differently. Option D would create loops and is never a valid production change.

6. An IT security team discovers that a rogue switch was connected to a distribution switch port and briefly became Root Bridge for VLAN 10, redirecting all VLAN 10 traffic. Root Guard was not enabled. What two configurations should be deployed to prevent this from happening again?

Correct answer is D. Defense in depth requires two layers of protection. Layer 1 — Root Guard on distribution/access-facing ports: spanning-tree guard root on the ports where rogue switches might connect. If any superior BPDU arrives claiming a better root, the port enters root-inconsistent state (blocks) immediately. The rogue switch cannot become root because its BPDUs never propagate. Layer 2 — Lower the legitimate root's priority aggressively: spanning-tree vlan 10 priority 0 gives an effective BID of just 10 (the VLAN 10 ID) — mathematically impossible to beat without also setting priority 0 AND having a lower MAC. This "belt and suspenders" approach means even if Root Guard were somehow bypassed or not applied to every port, the attacker would need priority 0 AND a lower MAC than the legitimate root. Option A is backwards — increasing priority makes it easier to beat, not harder (lower priority = harder to beat). Disabling STP (option B) removes loop protection entirely and would cause broadcast storms — never acceptable. BPDU Guard (option C) is correct for access/PortFast ports but would be wrong on distribution ports where trunks and legitimate switches connect — BPDU Guard err-disables the port on any BPDU, which would break normal STP operation between legitimate switches.

7. A switch port has BPDU Guard enabled. A network technician connects a new Cisco IP phone to the port (IP phones have an internal switch and send BPDUs). What happens to the port, and how is it resolved?

Correct answer is B. BPDU Guard is binary — it triggers on ANY BPDU received on the protected port, regardless of the source. It does not distinguish between legitimate Cisco IP phones, rogue switches, or any other BPDU-sending device. Cisco IP phones contain an integrated 3-port switch (one uplink port to the switch, one port to the PC, one internal port to the phone processor) and do send BPDUs. When the phone connects to a BPDU Guard-enabled port, the port immediately goes err-disabled. This is correct security behavior — the port was configured expecting only an end device (PC) to connect. Resolution steps: (1) Verify the phone is the legitimate device (not a rogue switch). (2) If the phone is legitimate, consider whether BPDU Guard is appropriate for this port — if the phone is the only device and security requires BPDU Guard, some phones allow disabling their internal switch's STP participation via CDP or LLDP configuration. (3) Alternatively, remove BPDU Guard from this port if the phone is trusted. (4) To restore the port, enter interface configuration mode for that port and issue shutdown followed by no shutdown. For automatic recovery, configure errdisable recovery cause bpduguard and errdisable recovery interval 300.

8. An engineer configures spanning-tree vlan 10 priority 4097 on SW-Core. The command is rejected by Cisco IOS. Why, and what is the correct command?

Correct answer is A. The Bridge Priority field in the BID is 2 bytes (16 bits), but only the upper 4 bits are the configurable priority multiplier. The lower 12 bits are automatically populated with the VLAN ID (Extended System ID). Since the configurable portion is 4 bits (values 0-15), the actual priority must be a multiple of 4096 (2^12): 0×4096=0, 1×4096=4096, 2×4096=8192, 3×4096=12288, ..., 15×4096=61440. Any value that is not a multiple of 4096 is rejected with an error like "% Bridge Priority must be in increments of 4096." The common trap: someone tries to set priority 4097 thinking they're setting it "just above" 4096, but 4097 is not a valid value. The correct command is spanning-tree vlan 10 priority 4096 — the effective BID priority will then be 4096 + 10 = 4106.

9. In a PVST+ network, SW-Core-A has been configured as root for VLAN 10 with spanning-tree vlan 10 root primary. A second engineer accidentally configures spanning-tree vlan 10 priority 0 on SW-Access-3 (an access-layer switch). What is the result?

Correct answer is C. Priority 0 is the lowest possible configured priority. The effective BID for SW-Access-3 VLAN 10 = 0 + 10 = 10. SW-Core-A's effective BID = 24576 + 10 = 24586. Since 10 < 24586, SW-Access-3 wins the election and becomes Root Bridge for VLAN 10. This is a real operational risk — the root primary macro does NOT permanently lock root status; it simply sets priority to 24576. Any switch configured with a lower priority will beat it in a new election. The consequences in this case: VLAN 10 traffic that previously used 10G core links now has to flow through 1G access links (SW-Access-3's uplinks), causing severe congestion. This scenario shows why Root Guard should be deployed on all distribution-facing ports — with Root Guard on SW-Core-A's downlinks, SW-Access-3's superior BPDUs would be blocked and SW-Core-A would remain root. Always use Root Guard to protect intended root placement against accidental or malicious priority changes.
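The priority rules from question 8, the per-VLAN election from questions 5 and 9, and the Root Guard reaction from question 6 can be checked with a small model of the PVST+ Bridge ID. This is an added example, not part of the original page: the switch names and MAC addresses are constructed, and the value 28672 used for the secondary root is what the IOS root secondary macro sets (the page only mentions 24576 for root primary).

```python
from __future__ import annotations
from dataclasses import dataclass

PRIORITY_STEP = 4096                 # 2**12: the low 12 bits carry the Extended System ID
MAX_PRIORITY = 15 * PRIORITY_STEP    # 61440: the highest 4-bit multiplier (15)

def is_valid_priority(priority: int) -> bool:
    """Mirror the IOS rule: 0..61440 in increments of 4096 (only the upper 4 bits are set)."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0

def effective_priority(priority: int, vlan: int) -> int:
    """PVST+ effective priority: configured multiplier plus the 12-bit VLAN ID."""
    if not is_valid_priority(priority):
        raise ValueError("% Bridge Priority must be in increments of 4096.")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must fit in the 12-bit Extended System ID field")
    return priority | vlan   # low 12 bits of a valid priority are zero, so OR == addition

@dataclass(frozen=True)
class Switch:
    name: str
    mac: str   # dotted hex as IOS prints it; every MAC in this file is constructed

def bridge_id(switch: Switch, priority: int, vlan: int) -> tuple[int, int]:
    """Comparable BID: (effective priority, MAC as integer). The lower tuple wins."""
    return (effective_priority(priority, vlan), int(switch.mac.replace(".", ""), 16))

def elect_root(priorities: dict[Switch, int], vlan: int) -> Switch:
    """Per-VLAN election: the switch with the lowest BID for that VLAN becomes root."""
    return min(priorities, key=lambda sw: bridge_id(sw, priorities[sw], vlan))

def root_guard(current_root_bid: tuple[int, int], received_bid: tuple[int, int]) -> str:
    """Simplified Root Guard: a superior (lower) BID arriving on a guarded port moves
    the port to root-inconsistent instead of letting the sender take over as root."""
    return "root-inconsistent" if received_bid < current_root_bid else "forwarding"

if __name__ == "__main__":
    core_a = Switch("SW-Core-A", "0000.0c00.0001")
    core_b = Switch("SW-Core-B", "0000.0c00.0002")
    access = Switch("SW-Access-3", "0000.0c00.ffff")
    # Question 8: 4097 is rejected; 4096 gives effective priority 4106 for VLAN 10
    print(is_valid_priority(4097), effective_priority(4096, 10))
    # Question 5: swap primary/secondary per VLAN so both cores carry traffic
    print(elect_root({core_a: 24576, core_b: 28672}, 10).name,
          elect_root({core_a: 28672, core_b: 24576}, 20).name)
    # Question 9: priority 0 on an access switch beats "root primary" (24576)
    print(elect_root({core_a: 24576, access: 0}, 10).name)
    # Question 6: Root Guard on the core downlink blocks that superior BPDU instead
    print(root_guard(bridge_id(core_a, 24576, 10), bridge_id(access, 0, 10)))
```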

10. How does RSTP differ from classic STP specifically in terms of Root Bridge election and BPDU handling? What key operational difference allows RSTP to detect Root Bridge failure much faster?

Correct answer is B. RSTP (802.1w) and STP (802.1D) use identical Root Bridge election algorithms — the switch with the lowest Bridge ID (priority + Extended System ID + MAC) wins, and the election logic is the same. The fundamental operational improvement in RSTP is the BPDU model. Classic STP: only the Root Bridge originates Hello BPDUs (every 2 seconds); non-root switches simply relay the root's BPDUs toward their downstream neighbours. If the root fails, switches must wait for BPDUs to age out (Max Age = 20 seconds) before declaring the root lost and starting a new election. Total detection + reconvergence: 20 + 15 + 15 = 50 seconds. RSTP: EVERY switch generates its own Hello BPDU every 2 seconds on all active ports. Each switch considers a neighbour relationship aged out if it doesn't receive 3 consecutive Hellos (6 seconds). If the Root Bridge fails, neighbouring switches detect the failure in 6 seconds, immediately declare their stored root information as expired, and a new election propagates through the network within seconds. Combined with the proposal/agreement mechanism (which allows immediate port transitions without timer delays), RSTP achieves convergence in 1–2 seconds. See RSTP Lab for the complete proposal/agreement walkthrough.
