STP Port Roles – Root Port, Designated Port, Alternate, Backup & Selection Rules

1. Why Port Roles Exist — The Loop Problem

Ethernet networks with redundant switch links provide resilience — if one path fails, traffic can take another route. But without a mechanism to manage those redundant paths, Layer 2 loops form immediately when a device sends a broadcast. Switches flood broadcasts out every port except the ingress, creating frames that circulate indefinitely, consuming all bandwidth within seconds.

  Redundant links WITHOUT STP:
  PC-A sends a broadcast frame.
  SW1 floods it to SW2 and SW3.
  SW2 floods it back to SW1 and SW3.
  SW3 floods it back to SW1 and SW2.
  Each switch multiplies the frame -- the loop is instantaneous and fatal.

  Layer 2 loop consequences:
  1. Broadcast storm -- 100% bandwidth consumed within seconds
  2. MAC table instability -- same MAC learned on multiple ports
  3. Multiple frame delivery -- same unicast frame received many times
  4. Network unusable -- all user traffic displaced by storm frames

  STP solution: assign each port a ROLE that determines whether it
  forwards traffic or blocks it, creating a loop-free tree topology
  while keeping redundant paths in standby.

2. Overview — All STP Port Roles

Role	Code in show spanning-tree	Forwards User Traffic?	Learns MACs?	Quantity per Switch	STP Version
Root Port (RP)	Root	Yes	Yes	Exactly one (except on Root Bridge — zero)	STP, RSTP, PVST+, Rapid PVST+
Designated Port (DP)	Desg	Yes	Yes	One per segment; multiple per switch	STP, RSTP, PVST+, Rapid PVST+
Blocking Port	Altn / BLK	No	No	Zero or more	Classic STP (802.1D) only
Alternate Port	Altn	No (discarding)	No	Zero or more	RSTP (802.1w), Rapid PVST+
Backup Port	Back	No (discarding)	No	Zero or more	RSTP (802.1w), Rapid PVST+
Disabled	Disabled	No	No	Zero or more	All versions

Role vs State — critical distinction: A port role describes what the port does in the STP topology (Root Port = best path to root; Designated Port = best port for a segment). A port state describes its operational condition at a moment in time (Forwarding, Blocking, Listening, Learning, Disabled). A Root Port is always in Forwarding state during normal operation — but during convergence it passes through Listening and Learning states first. See STP Port States for the full state machine.

3. STP Path Cost — The Foundation of Role Selection

STP assigns a path cost to each port based on its link speed. Lower cost = better path. Path costs are cumulative — each switch adds the cost of the incoming port to its running total as it calculates the path to the Root Bridge.

Link Speed	IEEE 802.1D Cost (Long)	IEEE 802.1D Cost (Short)	Notes
10 Gbps	2	2	10GE uplinks, data centre interconnects
1 Gbps	4	4	Modern standard for access-distribution uplinks
100 Mbps	19	19	Fast Ethernet — still common on older access switches
10 Mbps	100	100	Legacy Ethernet — rarely seen in modern networks

  Path cost accumulation example:

  Root Bridge
      |  (Gi0/1 = 1 Gbps, cost 4)
     SW1   -- Root Port cost to root = 4
      |  (Fa0/1 = 100 Mbps, cost 19)
     SW2   -- Root Port cost to root = 4 + 19 = 23
      |  (Fa0/2 = 100 Mbps, cost 19)
     SW3   -- Root Port cost to root = 4 + 19 + 19 = 42

  Each switch adds the INCOMING PORT'S cost (the port facing the root).
  The OUTGOING port cost toward the root is NOT added by this switch --
  it is added by the next switch downstream.

  Important: You add the cost of the PORT YOU RECEIVE BPDUs ON,
  not the port you send them out of.

Manually Overriding Port Cost

! Override the default cost on a specific port:
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree vlan 10 cost 10
! Lowering cost makes this port more likely to become Root Port
! Raising cost makes it less preferred

! Verify:
Switch# show spanning-tree vlan 10
Interface           Role Sts Cost      Prio.Nbr Type
Gi0/1               Root FWD 10        128.1    P2p  <-- custom cost applied

4. Root Port (RP) — Selection and Tiebreakers

The Root Port is the port on a non-root switch that provides the best (lowest cumulative cost) path to the Root Bridge. Every non-root switch has exactly one Root Port. The Root Bridge itself has no Root Port — all its ports are Designated Ports.

  Root Port selection — four-level tiebreaker process:

  Tiebreaker 1: Lowest TOTAL path cost to Root Bridge
  (sum of all port costs along the path from this switch to root)

  Tiebreaker 2: Lowest SENDER Bridge ID
  (if two upstream neighbours offer equal path cost, prefer the one
  with the lower BID -- the more preferred neighbour is the better path)

  Tiebreaker 3: Lowest SENDER Port ID (priority + port number)
  (if the same upstream switch has two links to this switch and
  offers equal path cost on both, prefer the link from the
  upstream switch's lower-priority/lower-numbered port)

  Tiebreaker 4: Lowest LOCAL Port ID
  (final tiebreaker: on THIS switch, prefer the port with the
  lower priority, then lower port number)

  The vast majority of elections are decided at Tiebreaker 1.
  Tiebreaker 2 handles multi-path topologies.
  Tiebreakers 3 and 4 handle parallel links between the same switches.

  Root Port selection example — triangle topology:

  SW-Root (Priority 4096)
  Gi0/1 --------  Gi0/1 SW-A (Priority 32769)
  Gi0/2 --------  Gi0/2 SW-B (Priority 32769)
  SW-A Gi0/2 ---  SW-B Gi0/1

  On SW-A:
  Gi0/1: cost 4 to reach SW-Root via one Gigabit hop
  Gi0/2: cost 4 + 4 = 8 to reach SW-Root via SW-B then SW-Root
  Winner: Gi0/1 becomes Root Port (cost 4 < 8)

  On SW-B:
  Gi0/2: cost 4 to reach SW-Root via one Gigabit hop
  Gi0/1: cost 4 + 4 = 8 to reach SW-Root via SW-A then SW-Root
  Winner: Gi0/2 becomes Root Port (cost 4 < 8)

Root Port — Key Facts

One per non-root switch, always — no exceptions. If a switch has multiple paths to the root, one wins; the others are blocked (or become Alternate Ports in RSTP).
Always in Forwarding state during normal operation — frames flow toward the root through this port.
The Root Bridge has zero Root Ports — it IS the root; there is no "path to itself."
Traffic on the Root Port flows toward the Root Bridge (upstream).

5. Designated Port (DP) — Selection and Tiebreakers

Every network segment (link between two switches) must have exactly one Designated Port — the port that will forward traffic toward the Root Bridge on behalf of that segment. There is one DP per segment, and a switch can have many DPs — one for each segment it connects to.

  Designated Port — what "per segment" means:

  SW-Root --- SW-A (two switches, one segment between them)
  This segment needs exactly ONE designated port.

  Root Bridge's port toward SW-A: path cost to root = 0 (IS the root)
  SW-A's port toward SW-Root: path cost to root = 4 (Gi uplink)

  Winner: Root Bridge's port (cost 0 < cost 4) becomes Designated Port
  SW-A's port toward root becomes ROOT PORT (not Designated)

  Rule: The Root Bridge ALWAYS has all Designated Ports.
  Its cost to reach itself = 0 -- unbeatable by any other switch.

  Designated Port on a non-root segment:

  SW-A (Root Port on Gi0/1, cost 4 to root)
    |
  SW-B Gi0/1  -- SW-A Gi0/2 (segment between SW-A and SW-B)

  Both SW-A (Gi0/2) and SW-B (Gi0/1) are candidates for DP on this segment.
  SW-A's Gi0/2: SW-A's total cost to root = 4. Offers cost 4 to reach root.
  SW-B's Gi0/1: SW-B's total cost to root = 4 + 4 = 8 (via SW-A) or 4 (via SW-Root).
  (Assume SW-B also has direct link to root at cost 4: then it's a tie -- see tiebreakers)

  Tiebreaker sequence for Designated Port selection:
  1. Lowest accumulated path cost to root (this side vs other side)
  2. Lowest Bridge ID of the switch (SW-A vs SW-B BID comparison)
  3. Lowest Port ID on the winning switch

  The NON-winning port on the segment becomes Blocking / Alternate.

Designated Port — Key Facts

One per segment — exactly one DP per link between two switches.
Multiple per switch allowed — the Root Bridge has one DP on every link; distribution switches often have several DPs toward access switches.
Always in Forwarding state — DPs carry traffic away from the root toward downstream switches.
All Root Bridge ports are Designated — the root's cost to reach itself is 0, so it always wins the DP election on every directly connected segment.

6. Blocking Port (Classic STP) / Alternate Port (RSTP)

Any port that is neither a Root Port nor a Designated Port is placed in a non-forwarding role. In classic STP (802.1D) this is simply called a Blocking Port. In RSTP (802.1w) the same concept is split into two more specific roles: Alternate and Backup.

  Triangle topology — complete role assignment:

       SW-Root (Root Bridge)
      /                    \
   Gi0/1 (DP)           Gi0/2 (DP)
     |                        |
  SW-A                     SW-B
  Gi0/1 (Root Port)       Gi0/1 (Root Port)
  Gi0/2 (DP)              Gi0/2 (Altn/BLK) <-- blocked to break the loop
     \                        /
      --- SW-A Gi0/2 -- SW-B Gi0/2 ---
                 segment

  On the SW-A to SW-B segment:
  SW-A's Gi0/2: path cost to root via SW-A = 4 (SW-A's RP cost)
  SW-B's Gi0/2: path cost to root via SW-B = 4 (SW-B's RP cost)
  Tie on cost! -> Tiebreaker 2: compare BIDs
  SW-A BID: 32769 + lower MAC -> wins if MAC is lower
  SW-B BID: 32769 + higher MAC -> loses
  Result: SW-A Gi0/2 = Designated Port (FWD)
          SW-B Gi0/2 = Blocking / Alternate Port (BLK)

  The loop is broken. SW-B Gi0/2 sits in standby --
  if SW-A fails, it will activate to restore connectivity.

What a Blocking Port Still Does

Receives BPDUs — a blocking port still listens for BPDUs so it knows when the topology changes and can react.
Does NOT forward user frames — no data traffic in either direction.
Does NOT learn MAC addresses — the CAM table is not updated from traffic on a blocking port.
Can become Forwarding — if the Designated Port on this segment fails, the blocking port transitions to Designated and eventually Forwarding (after Listening + Learning in classic STP; immediately in RSTP via proposal/agreement).

7. Alternate and Backup Ports (RSTP)

RSTP (802.1w) refines the non-forwarding category into two distinct roles with different recovery behaviours, enabling the rapid convergence that makes RSTP so much faster than classic STP.

Role	What It Is	What It Backs Up	Recovery Trigger	State
Alternate Port	Alternative path to the Root Bridge — an alternate Root Port waiting in standby	The current Root Port on this switch	Root Port fails → Alternate Port immediately becomes new Root Port (no timer delays in RSTP)	Discarding
Backup Port	Redundant connection to the same segment where this switch already has a Designated Port	The current Designated Port on the same segment	Designated Port fails → Backup Port becomes Designated Port	Discarding

  Alternate Port scenario:
  SW-B has two paths to Root Bridge -- via SW-A and directly via Gi0/3.
  Gi0/1: Root Port (cost 4, best path via SW-A uplink)
  Gi0/3: Alternate Port (cost 8, longer path direct)

  Root Port fails (Gi0/1 link down):
  RSTP: Gi0/3 (Alternate) immediately transitions to Root Port
  No timers needed -- direct promotion (sub-second convergence)

  Backup Port scenario (rare -- requires hub or shared segment):
  SW-A connects to a hub with TWO ports (Gi0/4 and Gi0/5)
  Gi0/4: Designated Port (better port ID -- lower priority or port number)
  Gi0/5: Backup Port (same segment as Gi0/4 -- redundant DP to the same hub)

  Backup ports are uncommon in modern networks (hubs are obsolete)
  but the concept appears on CCNA exams.

8. Complete Port Role Selection Algorithm

  Step-by-step port role assignment for every switch in the network:

  STEP 1: ROOT BRIDGE ELECTION
  The switch with the lowest Bridge ID becomes Root Bridge.
  All ports on the Root Bridge become DESIGNATED PORTS.
  (Root Bridge cost to itself = 0, always wins every segment election)

  STEP 2: ROOT PORT SELECTION (on every non-root switch)
  For each non-root switch, select the port with:
  -> Lowest cumulative path cost to Root Bridge  (main criterion)
  -> If tied: lowest Sender Bridge ID            (tiebreaker 2)
  -> If tied: lowest Sender Port ID              (tiebreaker 3)
  -> If tied: lowest Local Port ID               (tiebreaker 4)
  This port becomes the ROOT PORT (forwarding).

  STEP 3: DESIGNATED PORT SELECTION (per segment)
  For every segment (link between two switches):
  Both ends compare their path cost to root:
  -> Lower cost side becomes DESIGNATED PORT (forwarding)
  -> If tied: lower Bridge ID wins
  -> If tied: lower Port ID wins
  The Root Bridge always wins (cost = 0)

  STEP 4: BLOCKING / ALTERNATE PORT
  Any port that is neither Root Port nor Designated Port is:
  -> BLOCKING PORT (classic STP 802.1D)
  -> ALTERNATE PORT (RSTP 802.1w, if it's an alternate path to root)
  -> BACKUP PORT (RSTP 802.1w, if it's redundant on same segment as DP)

9. Port Role vs Port State — The Critical Distinction

Port roles and port states are two separate but related concepts. Roles describe function in the topology; states describe operational condition.

Port State (Classic STP)	Duration	Sends/Receives BPDUs?	Learns MACs?	Forwards Traffic?
Blocking	Max Age (20 sec default)	Receives only	No	No
Listening	Forward Delay (15 sec)	Yes — sends and receives	No	No
Learning	Forward Delay (15 sec)	Yes	Yes	No
Forwarding	Indefinite (normal operation)	Yes	Yes	Yes
Disabled	Until re-enabled	No	No	No

The relationship between roles and states during normal operation:

Port Role	Normal State	Transitional States
Root Port	Forwarding	Blocking → Listening → Learning → Forwarding (30 sec in STP)
Designated Port	Forwarding	Blocking → Listening → Learning → Forwarding (30 sec in STP)
Blocking Port	Blocking	Transitions to Listening if topology changes
Alternate Port (RSTP)	Discarding	Discarding → Forwarding immediately on RP failure (RSTP)
Backup Port (RSTP)	Discarding	Discarding → Forwarding on DP failure (RSTP)

See STP Port States for the complete state machine, timer values, and transition diagrams.

10. Reading show spanning-tree — Port Role Output

Switch# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     0011.1111.1111
             Cost        4
             Port        1 (GigabitEthernet0/1)    <-- Root Port is Gi0/1
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0044.4444.4444
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Gi0/1               Root FWD 4         128.1    P2p   <-- Root Port (FWD)
Gi0/2               Desg FWD 4         128.2    P2p   <-- Designated Port (FWD)
Gi0/3               Altn BLK 4         128.3    P2p   <-- Alternate/Blocked (BLK)
Fa0/1               Desg FWD 19        128.4    P2p   <-- Designated (FastEth cost 19)
Fa0/2               Desg FWD 19        128.5    P2p   <-- Designated

! Role column codes:
! Root = Root Port (forwarding toward Root Bridge)
! Desg = Designated Port (forwarding away from Root Bridge to segment)
! Altn = Alternate Port (blocked, alternate path to root -- RSTP)
! Back = Backup Port (blocked, redundant to same segment -- RSTP)
! Mstr = Master Port (MST specific)

! Sts (State) column codes:
! FWD = Forwarding (active, passing user traffic)
! BLK = Blocking/Discarding (not forwarding user traffic)
! LIS = Listening (transitional -- classic STP only)
! LRN = Learning (transitional -- learning MACs, not yet forwarding)
! DIS = Disabled

! Cost column: current STP cost configured on this port
! Prio.Nbr: Port priority (default 128) + port number (e.g., 128.1 = priority 128, port 1)

show spanning-tree per-interface and summary

! Check one interface:
Switch# show spanning-tree interface GigabitEthernet0/1
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
VLAN0001            Root FWD 4         128.1    P2p
VLAN0010            Root FWD 4         128.1    P2p

! Check all VLANs summary:
Switch# show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: Vlan0001

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          3          4
VLAN0010                     0         0        0          4          4

11. Port Priority — Influencing Role Selection

When path costs are equal and BIDs are equal (parallel links between the same two switches), the port priority (part of the Port ID) becomes the tiebreaker. Lower port priority = preferred port. Port priority can be manually tuned to influence which port becomes Root Port or Designated Port.

! Default port priority = 128. Range: 0–240 in increments of 16.
! Lower value = preferred.

! Influence which port on THIS switch is preferred by a downstream switch
! (affects the downstream switch's Root Port selection):
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree vlan 10 port-priority 64
! Setting lower port priority on Gi0/1 makes it the preferred port
! for downstream switches to use as their Root Port toward this switch

! Verify port priority in show spanning-tree:
! Prio.Nbr = 64.1  means port priority 64, port number 1
! Prio.Nbr = 128.2 means port priority 128 (default), port number 2

12. PortFast and BPDU Guard — Edge Port Roles

Access ports connected to end devices (PCs, printers, IP phones) go through STP's Listening + Learning states by default (30 seconds) before forwarding. PortFast skips these transitional states, putting the port immediately into Forwarding. BPDU Guard protects PortFast ports from rogue switches.

! Enable PortFast on an access port:
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
! Port immediately enters Forwarding state when a device connects
! PC gets network access in seconds instead of 30+ seconds
! WARNING: Never enable PortFast on ports connected to other switches

! Enable BPDU Guard (protects PortFast ports from switches):
Switch(config-if)# spanning-tree bpduguard enable
! Port enters err-disabled if any BPDU is received
! Prevents a rogue switch connected to an access port from participating in STP

! Enable PortFast globally on all access ports:
Switch(config)# spanning-tree portfast default

! Enable BPDU Guard globally on all PortFast-enabled ports:
Switch(config)# spanning-tree portfast bpduguard default

See PortFast & BPDU Guard for detailed configuration and port security implications.

13. RSTP Port Roles Compared to Classic STP

Classic STP (802.1D)	RSTP (802.1w) Equivalent	Key Difference
Root Port	Root Port	Same role; RSTP transitions to forwarding faster via proposal/agreement mechanism instead of timer wait
Designated Port	Designated Port	Same role; RSTP uses proposal/agreement for rapid forwarding transition (no 30-second wait)
Blocking Port	Alternate Port	Explicitly named as "Alternate" in RSTP; can immediately become Root Port on failure — no timer delays
Blocking Port	Backup Port	Specifically for redundant connections to the same segment; can immediately become Designated Port on failure
Disabled	Disabled	Same

See RSTP (Rapid STP) Lab for the proposal/agreement mechanism that enables near-instant convergence.

14. Troubleshooting Port Roles

Symptom	Likely Cause	Diagnostic Command	Fix
Broadcast storm / MAC table instability	STP not blocking a redundant port — a loop exists. Possibly STP disabled, or a port that should be blocking is Forwarding	`show spanning-tree` — look for unexpected FWD ports; check for ports not participating in STP	Verify STP is running; check for unmanaged switches (no STP) creating loops; verify PortFast not enabled on inter-switch links
Unexpected Root Port or suboptimal path	Unintended Root Bridge (low MAC wins by default); wrong port costs; misconfigured port priority	`show spanning-tree vlan [id]` — check Root ID and port costs; `show spanning-tree root`	Configure correct root with `spanning-tree vlan [id] root primary`; adjust port costs or priority to influence path selection
Port stuck in Listening or Learning state	STP convergence in progress — timing issue; or a topology change notification is causing repeated transitions	`show spanning-tree vlan [id] detail` — check topology change count; `debug spanning-tree events`	Investigate topology changes with `show spanning-tree detail \| include topology`; fix instability at source
Access port takes 30+ seconds to come up	PortFast not enabled on end-device ports — STP running Listening + Learning states unnecessarily	`show spanning-tree interface Fa0/x` — if PortFast shows "not enabled," that's the issue	`spanning-tree portfast` on access ports; add `spanning-tree bpduguard enable` for security
Port in err-disabled after BPDU received	BPDU Guard triggered — a switch was connected to a PortFast-enabled port	`show interfaces status err-disabled`; `show port-security interface [int]`	Remove the switch; recover port with `shutdown / no shutdown`; investigate why a switch was connected to an access port

Key Verification Commands

Switch# show spanning-tree                           ! All VLANs, all ports
Switch# show spanning-tree vlan 10                   ! VLAN 10 only -- roles + states
Switch# show spanning-tree vlan 10 detail            ! Verbose -- timers, topology changes
Switch# show spanning-tree interface Gi0/1           ! One port across all VLANs
Switch# show spanning-tree root                      ! Root bridge per VLAN table
Switch# show spanning-tree summary                   ! Count of ports per state
Switch# show spanning-tree inconsistentports         ! Ports in root-inconsistent state

15. Key Points & Exam Tips

Root Port: One per non-root switch. Best path to Root Bridge. Always Forwarding. Root Bridge has ZERO Root Ports.
Designated Port: One per segment. Best port for a link. Multiple per switch. Always Forwarding. All Root Bridge ports are Designated.
Blocking / Alternate Port: Neither RP nor DP. Not forwarding. Receives BPDUs. Activates if RP or DP fails.
Selection tiebreakers (in order): (1) Lowest path cost to root, (2) Lowest sender BID, (3) Lowest sender Port ID, (4) Lowest local Port ID. Most elections resolved at step 1.
Path costs: 10 Gbps = 2, 1 Gbps = 4, 100 Mbps = 19, 10 Mbps = 100. Lower cost = preferred. Can be manually overridden with spanning-tree vlan [id] cost [value].
Role vs State: Role = function in topology (RP, DP, Alternate). State = operational condition (Forwarding, Blocking, Listening, Learning). A Root Port in normal operation has role=Root, state=FWD.
RSTP additions: Alternate Port (backs up Root Port) and Backup Port (backs up Designated Port on same segment). Both are Discarding. Enable immediate failover without timer delays.
PortFast: Skips Listening+Learning (30 sec wait). Use only on access ports to end devices. Never on inter-switch links.
BPDU Guard: Err-disables a PortFast port if any BPDU received. Protects against rogue switch connections to access ports.
show spanning-tree is the primary diagnostic command. Check Role and Sts columns. Role codes: Root, Desg, Altn, Back. State codes: FWD, BLK, LIS, LRN, DIS.

16. STP Port Roles Quiz

1. In a three-switch triangle topology (SW-Root as Root Bridge, SW-A and SW-B connected to each other and both connected to SW-Root), all links are Gigabit (cost 4). What port roles are assigned on SW-B's two ports?

A. Both ports are Root Ports — SW-B has two paths to the root B. The port directly connected to SW-Root = Root Port (cost 4, direct path). The port connected to SW-A = Alternate/Blocking (cost 4+4=8, longer path). SW-B has exactly one Root Port — the best path wins; the other is blocked C. One Root Port and one Designated Port — SW-B has a DP toward SW-A D. Both ports are Designated Ports

Correct answer is B. SW-B has two paths to the Root Bridge: Path 1 — directly via SW-Root at cost 4 (one Gigabit hop). Path 2 — via SW-A then SW-Root at cost 4+4=8 (two Gigabit hops). STP selects the path with the lowest cumulative cost as the Root Port. Cost 4 < cost 8, so the direct link to SW-Root becomes the Root Port. The port connected to SW-A offers a higher-cost path (8) and cannot be a Root Port — it becomes Blocking (classic STP) or Alternate (RSTP). It is NOT a Designated Port because SW-A's port on that same segment also connects to the root at cost 4, and SW-A's BID may win the DP election on that segment. Each non-root switch has exactly one Root Port — never two. The Root Port is always toward the best path to root, and all other upward-facing ports are either blocked or alternate.

2. SW-X and SW-Y are connected by two parallel Gigabit links (Gi0/1 and Gi0/2 on each switch). SW-X is closer to the Root Bridge (cost 4) and will have the Designated Ports on both links. On SW-Y, both ports face SW-X with equal path cost. What tiebreaker determines which of SW-Y's ports becomes the Root Port?

A. SW-Y's MAC address B. The interface with the higher port number wins C. SW-X's Bridge ID (BID) D. SW-X's Port ID — both links come from the same sender (SW-X) so sender BID is tied. The tiebreaker is the SENDER's Port ID. SW-X's lower-numbered port (Gi0/1, port ID 128.1) beats Gi0/2 (128.2). SW-Y's port connected to SW-X's Gi0/1 becomes Root Port

Correct answer is D. This scenario is the classic parallel-links tiebreaker situation. The four-level tiebreaker works like this: Tiebreaker 1 — path cost: both paths from SW-Y to root have the same cost (4 via SW-X, which has cost 4 to root). Tie. Tiebreaker 2 — sender Bridge ID: both links come from SW-X. SW-X's BID is the same on both links. Tie. Tiebreaker 3 — sender Port ID: SW-X's Gi0/1 has Port ID 128.1 (priority 128, port number 1). SW-X's Gi0/2 has Port ID 128.2. Lower wins. SW-X's Gi0/1 (128.1 < 128.2) is the preferred port. Therefore SW-Y's port connected to SW-X's Gi0/1 becomes the Root Port. SW-Y's port connected to SW-X's Gi0/2 becomes Blocking/Alternate. Note: it is SW-X's Port ID (the SENDER's port) that is compared, not SW-Y's local port ID. This is a common exam confusion.

3. A network engineer runs `show spanning-tree vlan 10` and sees SW-Core's port Gi0/2 shows "Desg FWD." What does this mean, and does SW-Core forward traffic on Gi0/2?

A. Designated port in Disabled state — port is administratively down B. Default port — no STP role assigned yet C. Gi0/2 is a Designated Port in Forwarding state — it is the best port for the segment it connects to (lowest cost to root), and it is actively forwarding user traffic away from the root toward the downstream switch or segment D. Designated port in full-duplex mode

Correct answer is C. In show spanning-tree output, the "Role" and "Sts" (State) columns appear together on each interface line. "Desg" = Designated Port role — this port has won the election as the best port for its segment to forward traffic. "FWD" = Forwarding state — the port is actively sending and receiving user traffic and learning MAC addresses. A Designated Port in FWD state means the port is fully active: it forwards traffic FROM the root toward the downstream segment (the Designated Port's direction is away from the root). The port contributes to normal network operation. If it showed "Desg LRN" it would be a Designated Port transitioning through the Learning state (not yet forwarding). If it showed "Altn BLK" it would be blocked. The combination of Desg + FWD is the normal operational state for a Designated Port.

4. Why does the Root Bridge always have all its ports as Designated Ports and never as Root Ports?

A. The Root Bridge's accumulated path cost to itself is zero — the lowest possible value. It wins the Designated Port election on every segment it connects to because no other switch can offer a lower cost to root. A Root Port would require a "best path to root," but the root bridge IS the root — it has no upstream path B. The Root Bridge is configured to have only Designated Ports via a Cisco IOS command C. The Root Bridge has a higher priority which forces all its ports to be Designated D. Root Ports are not allowed on any switch with a priority below 32768

Correct answer is A. This is a fundamental STP principle with two interlocked explanations. First, from the Root Port perspective: a Root Port is defined as the port on a non-root switch with the best (lowest cumulative cost) path to the Root Bridge. The Root Bridge IS the root — it cannot have a "path to itself." Therefore, by definition, the Root Bridge can never have a Root Port. Second, from the Designated Port perspective: for every segment the Root Bridge connects to, it participates in the Designated Port election. The Root Bridge's accumulated path cost to itself = 0. Every other switch on that segment has a path cost of at least 1 (one link cost minimum). Since 0 is always lower than any positive number, the Root Bridge always wins the Designated Port election on every segment. Therefore all its ports are Designated. This is also why Root Bridge placement matters for traffic flow — all traffic ultimately flows toward and through the Root Bridge.

5. In a Rapid PVST+ network, an access switch SW-Edge has two uplinks to two different distribution switches: Gi0/1 to SW-Dist-A (Root Port, cost 4) and Gi0/2 to SW-Dist-B (Alternate Port, cost 8). The link to SW-Dist-A fails. What happens to Gi0/2, and how long does it take in Rapid PVST+?

A. Gi0/2 transitions after 50 seconds (Max Age + Listening + Learning timers) B. Gi0/2 stays blocked — only the administrator can activate it manually C. Gi0/2 (Alternate Port) immediately becomes the new Root Port and transitions to Forwarding state in under 1 second. The Alternate Port in RSTP/Rapid PVST+ is pre-qualified as the backup root path and does not need to wait for timers D. Gi0/2 becomes a Designated Port, not a Root Port

Correct answer is C. This demonstrates the key advantage of RSTP's Alternate Port over classic STP's Blocking Port. In classic STP (802.1D): when the Root Port fails, the blocking port must wait for the Max Age timer (20 seconds) to expire, then pass through Listening (15 seconds) and Learning (15 seconds) states — 50 seconds total before forwarding. In RSTP (802.1w / Rapid PVST+): the Alternate Port is actively maintained as a pre-qualified backup root path. The switch already knows the Alternate Port can reach the Root Bridge (it received BPDUs from SW-Dist-B throughout normal operation). When the Root Port fails, RSTP does not need to re-run the full election process — the Alternate Port is immediately promoted to Root Port and transitions directly to Forwarding state without waiting for any timers. This convergence typically completes in under 1 second. Gi0/2 correctly becomes the new Root Port (not a Designated Port — DP faces downstream segments, not upstream toward root).

6. A switch has four ports: Gi0/1 (Root Port), Gi0/2 (Designated Port on segment to SW-A), Gi0/3 (Designated Port on segment to SW-B), and Gi0/4 (Blocking). The show spanning-tree output for Gi0/4 shows: `Altn BLK 4`. What does the "4" represent and what role does this port play?

A. The port number 4; the port is a Backup Port B. The STP path cost (4 = Gigabit link). Gi0/4 is an Alternate Port (blocked backup path to root) in Blocking/Discarding state. It provides a standby path to the Root Bridge that will activate if the Root Port (Gi0/1) fails C. The VLAN ID; the port is a Disabled Port D. The port priority; the port is a Root Port

Correct answer is B. In the show spanning-tree interface table, the columns are: Interface, Role, Sts, Cost, Prio.Nbr, Type. The "4" in the Cost column is the STP path cost configured or auto-detected for that port. Cost 4 corresponds to a Gigabit Ethernet interface (1000BASE-T = cost 4 per the IEEE 802.1D-2004 standard). The Role "Altn" = Alternate Port — this is RSTP terminology for a blocked port that serves as a pre-qualified backup path to the Root Bridge. If the Root Port (Gi0/1) fails, Gi0/4 (Alternate) will immediately become the new Root Port in RSTP without timer delays. "BLK" = Blocking state (or Discarding in RSTP notation — in Rapid PVST+, BLK and Discarding are functionally equivalent). The Prio.Nbr would appear after the cost field (e.g., "128.4" meaning priority 128, port number 4).

7. An engineer enables PortFast on an inter-switch trunk link (Gi0/24, which connects to another managed switch). What is the risk, and what should be done instead?

A. No risk — PortFast works the same on trunk ports as access ports B. The port will go err-disabled because trunk ports cannot use PortFast C. PortFast will be automatically disabled by IOS on trunk ports D. The port will immediately transition to Forwarding, bypassing STP's Listening and Learning states. If the downstream switch creates a topology loop before STP has fully converged, a broadcast storm can occur. PortFast should only be used on access ports to end devices. Remove PortFast from trunk links; use Root Guard or BPDU Guard on appropriate ports instead

Correct answer is D. PortFast is designed exclusively for switch ports that connect to end devices (PCs, printers, IP phones) — devices that will never send BPDUs and will never create a loop. PortFast works by skipping the Listening and Learning transition states and immediately putting the port into Forwarding state when a link comes up. For end devices, this is safe and desirable (users don't wait 30 seconds for network access). On an inter-switch link, enabling PortFast is dangerous because: (1) The connected switch sends BPDUs and participates in STP. (2) When the trunk link comes up with PortFast, it immediately forwards — before STP has run the election and determined which ports should be blocked. If this creates a temporary loop before STP converges on the new topology, a broadcast storm can occur. Cisco IOS does warn when PortFast is enabled on a trunk with " %Warning: portfast should only be enabled on ports connected to a single host..." but it still applies the configuration. The correct approach: PortFast only on access ports; BPDU Guard to protect those ports; Root Guard on distribution-facing ports instead.

8. On the segment between SW-X and SW-Y, both ports have equal path cost to the Root Bridge. SW-X has Bridge Priority 32768 and MAC 0011.AAAA.AAAA. SW-Y has Bridge Priority 32768 and MAC 0022.BBBB.BBBB. Which port becomes Designated Port on this segment?

A. SW-X's port — SW-X has the lower MAC address (0011 < 0022), giving it the lower Bridge ID. Lower BID wins the Designated Port election when path costs are tied B. SW-Y's port — higher MAC addresses are preferred for Designated Ports C. Both become Designated Ports simultaneously D. Neither — the segment remains blocked when costs are equal

Correct answer is A. When two switches compete for the Designated Port role on a shared segment and path costs are equal, the Bridge ID tiebreaker is applied. Bridge ID = Priority + Extended System ID + MAC Address. Both switches have the same priority (32768 + VLAN ID). So the MAC address is the final differentiator. SW-X MAC: 0011.AAAA.AAAA. SW-Y MAC: 0022.BBBB.BBBB. Comparing numerically: 0011 < 0022, so SW-X has the lower (better) Bridge ID. SW-X's port wins — it becomes the Designated Port (Forwarding). SW-Y's port on this segment becomes Blocking/Alternate. Note: the rule for all STP elections (Root Port, Designated Port, Root Bridge) is consistently "LOWER wins" — lower cost, lower BID, lower port ID. There is never a case where STP prefers higher values (other than port priority numbers where lower still means preferred/lower).

9. An engineer wants a specific port (Fa0/10, default cost 19) on SW-Access to be preferred as the Root Port over Fa0/11 (also default cost 19) for VLAN 20. Both connect to the same upstream distribution switch. What command achieves this on SW-Access?

A. spanning-tree vlan 20 priority 100 on SW-Access B. spanning-tree vlan 20 root primary on SW-Access C. spanning-tree vlan 20 cost 10 on interface Fa0/10 — lowering the cost below 19 makes Fa0/10 the preferred (lower cost) path to root, winning the Root Port election over Fa0/11 D. spanning-tree portfast on Fa0/10

Correct answer is C. The Root Port is selected on each switch based on the lowest cumulative path cost to the Root Bridge. Currently both Fa0/10 and Fa0/11 have the same cost (19 for Fast Ethernet), same sender BID (same upstream distribution switch), and the tiebreaker falls to the sender's port ID and then local port ID. To explicitly force Fa0/10 to be preferred, the engineer lowers its STP cost below 19: interface Fa0/10 then spanning-tree vlan 20 cost 10. Now Fa0/10 offers a path cost of 10 vs Fa0/11's path cost of 19. Lower cost wins — Fa0/10 becomes Root Port, Fa0/11 becomes Alternate/Blocking. Option A (bridge priority) affects Root Bridge election, not which local port becomes Root Port. Option B (root primary) makes SW-Access the Root Bridge, which changes the entire topology — not the goal. Option D (PortFast) bypasses STP states but does not affect Root Port selection and should not be used on uplinks.

10. A network shows frequent topology change notifications (TCNs) logged in syslog. `show spanning-tree vlan 10 detail` shows a very high "Number of topology changes" counter and the Root Port keeps transitioning. What is the most likely cause and the recommended diagnostic approach?

A. The Root Bridge priority needs to be lowered to stabilise topology changes B. An unstable link (flapping interface) or a device repeatedly connecting and disconnecting is triggering continuous TCNs. Run show spanning-tree vlan 10 detail | include from to identify which port is generating topology changes, then check that interface for physical layer errors C. STP is not supported in this VLAN and should be disabled D. The aging time for the MAC address table is too short, causing unnecessary topology changes

Correct answer is B. STP Topology Change Notifications (TCNs) are generated whenever a port transitions from Forwarding to Blocking or from Blocking to Forwarding. A single topology change causes all switches to shorten their MAC address aging time to Forward Delay (15 sec) and flush their MAC tables, causing a burst of unknown unicast flooding. If TCNs are happening frequently (visible in syslog as %SPANTREE-5-TOPOTRAP or similar), something is causing repeated port state transitions. The most common cause: an unstable link (SFP problem, degraded cable, duplex mismatch) that keeps bouncing up and down. Each bounce generates a TCN. Also common: a PC repeatedly connecting/disconnecting on an access port without PortFast enabled. Diagnostic commands: show spanning-tree vlan 10 detail — look for "topology changes" counter and "last topology change from" port field. That tells you which port is the source. Then show interfaces [port] for CRC errors, input errors, and flap count. Fix: PortFast on access ports (prevents PC connect/disconnect from generating TCNs); fix the physical layer issue on the unstable link.

← Back to Home