Spanning Tree Protocol (STP) Explained for CCNA

Plug two switches together with two cables and watch your network die. Every broadcast frame creates a perfect loop, and within seconds the switches are forwarding billions of frames, consuming all available bandwidth. Spanning Tree Protocol is the mechanism that prevents this from happening by blocking redundant paths while keeping them ready for failover. Understanding STP means understanding how switches decide which ports stay active, which get blocked, and how that decision changes when a link goes down. The CCNA exam tests this heavily in both standalone questions and troubleshooting scenarios.

Why STP exists and how loops form

Ethernet switches forward broadcasts to every port except the one the frame arrived on. Add a redundant cable between two switches and a single broadcast bounces back and forth forever, each pass multiplying as switches forward it again and again. This is called a broadcast storm, and it will saturate a 1 Gbps link in under a second.

Physical redundancy is necessary for reliability, so disabling extra cables is not a real solution. STP solves this by logically blocking one of the redundant links while keeping it physically connected. If the active link fails, STP unblocks the backup path automatically. You get both redundancy and a loop-free topology.

How STP elects the root bridge and assigns port roles

STP starts by electing a root bridge, which becomes the reference point for the entire topology. Every switch participates by sending Bridge Protocol Data Units (BPDUs) advertising its Bridge ID, which combines a configurable priority (default 32768) and the switch MAC address. The switch with the lowest Bridge ID wins. Because ties on priority go to the lowest MAC, you should always set priority manually on your intended root bridge rather than relying on MAC address luck.

Once the root bridge is elected, every other switch finds its shortest path back to the root. The port that provides that shortest path is the root port, and it stays forwarding. On each network segment, the switch closest to the root becomes the designated switch, and its port on that segment is the designated port, also forwarding. Any port that is neither a root port nor a designated port gets blocked. Blocked ports receive BPDUs but never forward data frames.
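
The election and role rules above, worked through in Python as an added example that is not part of the original page. The triangle topology, switch names, MAC addresses and costs are constructed; the code assumes a connected network of point-to-point links and compares port names as strings in place of numeric port IDs.

```python
import heapq

# Constructed three-switch triangle. Bridge ID = (priority, MAC); each link is
# (switch_a, port_a, switch_b, port_b, cost). All names and values are made up.
BRIDGES = {
    "SW-A": (4096, "00:00:00:00:00:0c"),   # priority lowered on purpose
    "SW-B": (32768, "00:00:00:00:00:0a"),
    "SW-C": (32768, "00:00:00:00:00:0b"),
}
LINKS = [
    ("SW-A", "Gi0/1", "SW-B", "Gi0/1", 4),
    ("SW-A", "Gi0/2", "SW-C", "Gi0/1", 4),
    ("SW-B", "Gi0/2", "SW-C", "Gi0/2", 4),
]

def elect_root(bridges):
    """Lowest Bridge ID wins: priority first, MAC as the tie-breaker."""
    return min(bridges, key=bridges.get)

def compute_roles(bridges, links):
    """Return (root, {(switch, port): role}) for point-to-point links."""
    root = elect_root(bridges)
    # Every port as (switch, port, neighbor, neighbor_port, link_cost).
    ports = [p for a, pa, b, pb, c in links
             for p in ((a, pa, b, pb, c), (b, pb, a, pa, c))]
    # Dijkstra from the root gives each switch its lowest root path cost.
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        for me, _, nb, _, c in ports:
            if me == sw and d + c < cost.get(nb, float("inf")):
                cost[nb] = d + c
                heapq.heappush(heap, (cost[nb], nb))
    roles = {}
    for sw in bridges:
        if sw == root:
            continue
        # Root port: lowest cost to root, then lowest upstream Bridge ID,
        # then lowest upstream port (name order stands in for port ID).
        best = min((cost[nb] + c, bridges[nb], nbp, p)
                   for me, p, nb, nbp, c in ports if me == sw)
        roles[(sw, best[3])] = "root"
    for me, p, nb, _, _ in ports:
        if (me, p) in roles:
            continue
        # Designated end of a link: lower root path cost, then lower Bridge ID.
        wins = (cost[me], bridges[me]) < (cost[nb], bridges[nb])
        roles[(me, p)] = "designated" if wins else "blocked"
    return root, roles
```

With SW-A's priority left at the default 32768, `elect_root` picks SW-B purely because its MAC is lowest, which is the "MAC address luck" the text warns about.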

Port states matter for troubleshooting: a port starts in Blocking, moves through Listening and Learning, and finally reaches Forwarding. Classic STP takes up to 50 seconds to converge because of the 15-second forward delay timers at Listening and Learning. RSTP (802.1w) compresses this to under a second by using negotiation instead of timers.

RSTP improvements and PortFast

Rapid Spanning Tree Protocol keeps the same role concepts but replaces the slow timer-based convergence with a direct negotiation between switches. When a link comes up, adjacent switches exchange proposals and agreements. If the downstream switch confirms it has no other paths through that port, the upstream switch moves directly to Forwarding without waiting. Real-world RSTP convergence is typically under a second.

PortFast is a feature that bypasses STP states on ports connected to end devices like PCs or printers. Instead of waiting up to 30 seconds for Listening and Learning, the port goes directly to Forwarding. Only enable PortFast on access ports connected to end hosts, never between switches. Combining PortFast with BPDU Guard shuts down the port immediately if a BPDU arrives, protecting against someone accidentally connecting a switch to what should be an end-host port.

How to choose the correct answer

Root bridge election: lowest Bridge ID wins. Tie on priority goes to lowest MAC address. To control which switch is root, lower its priority below the default 32768.

Port role identification: the port facing toward the root bridge is the root port. The designated port on each segment is the one from the switch closest to the root. Everything else is either blocked or not connected.

Slow convergence or ports taking 30 seconds to forward: classic STP with forward delay timers. Sub-second convergence: RSTP (802.1w). PortFast skips STP states on access ports. BPDU Guard shuts down a PortFast port that receives a BPDU.

Loop prevention on access layer: STP or RSTP. Loop prevention on access ports connected to users: PortFast plus BPDU Guard.

STP vs RSTP comparison

| Feature | STP (802.1D) | RSTP (802.1w) |
|---|---|---|
| Convergence time | 30-50 seconds | Under 1 second |
| Port states | Blocking, Listening, Learning, Forwarding | Discarding, Learning, Forwarding |
| Convergence method | Timer-based (forward delay) | Proposal/agreement negotiation |
| BackboneFast/UplinkFast | Optional add-ons | Built in |
| BPDU handling | Passive (waits for timeout) | Active (expires aged BPDUs quickly) |

Key exam facts — CCNA

  • Root bridge: lowest Bridge ID (priority + MAC). Lower priority = more likely to win.
  • Root port: each non-root switch has exactly one, facing toward the root bridge.
  • Designated port: one per segment, on the switch closest to the root.
  • Any port not a root port or designated port is blocked.
  • STP convergence: up to 50 seconds. RSTP (802.1w): under 1 second.
  • PortFast: bypasses STP states for end hosts. Never use between switches.
  • BPDU Guard: err-disables a PortFast port that receives a BPDU.

Common exam traps

Trap: "The switch with the highest priority becomes the root bridge."

Reality: STP elects the switch with the LOWEST Bridge ID. Since priority is the first component, a lower priority value wins, not a higher one. Default priority is 32768.

Trap: "Blocked ports do not participate in STP at all."

Reality: Blocked ports still receive and process BPDUs. They are silent on data traffic but fully active in the STP topology. This is what allows them to detect topology changes and unblock when needed.

Trap: "PortFast can be used on inter-switch links to speed up convergence."

Reality: PortFast is only safe on ports connected to end hosts. On inter-switch links, PortFast can cause temporary loops during convergence. Use RSTP for fast inter-switch convergence.

Practice questions — Spanning Tree Protocol

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator wants to ensure that SW1 always becomes the root bridge for VLAN 10. What is the most reliable way to accomplish this?

A. Set SW1's MAC address to the lowest value on the network
B. Set SW1's STP priority to 0 for VLAN 10
C. Enable PortFast on all SW1 uplinks
D. Increase SW1's bridge priority to 61440

Explanation: Setting the bridge priority to 0 (or a value lower than other switches' default of 32768) guarantees SW1 wins the root bridge election for VLAN 10. The lowest Bridge ID wins, and priority is the high-order component. You cannot control MAC addresses, and increasing priority makes winning less likely.

Q2. A port on a switch is stuck in the Listening state for 30 seconds before transitioning. Which STP version is most likely running?

A. RSTP (802.1w)
B. STP (802.1D)
C. Rapid PVST+
D. MST (802.1s)

Explanation: Classic STP (802.1D) uses 15-second forward delay timers, causing ports to spend 15 seconds in Listening and 15 seconds in Learning before reaching Forwarding — up to 50 seconds total. RSTP replaces timers with proposal/agreement negotiation, achieving sub-second convergence.

Q3. A network engineer enables PortFast on an access port and a user connects an unmanaged switch to that port. What is the security risk and which feature mitigates it?

A. MAC flooding; mitigated by Dynamic ARP Inspection
B. STP loop; mitigated by BPDU Guard
C. VLAN hopping; mitigated by native VLAN changes
D. Broadcast storm; mitigated by storm control

Explanation: An unmanaged switch connected to a PortFast port will send BPDUs, potentially disrupting the STP topology or creating loops. BPDU Guard detects an incoming BPDU on a PortFast port and immediately err-disables it, removing the risk of loop formation.

Q4. In an STP topology with three switches, SW-A is the root bridge. SW-B connects to SW-A via Gi0/1 (cost 4) and via SW-C to SW-A (cost 8). What is SW-B's root port?

A. The port toward SW-C, because it is a longer path
B. Gi0/1, because it has the lowest path cost to the root
C. The port with the highest MAC address
D. The port that is currently in Blocking state

Explanation: The root port is the port providing the lowest-cost path back to the root bridge. SW-B's direct connection to SW-A has cost 4, while the path through SW-C costs 8. Gi0/1 (cost 4) becomes the root port. Lower cost always wins.

Q5. Which STP port state forwards data frames but does NOT learn MAC addresses?

A. Blocking
B. Listening
C. Learning
D. Forwarding

Explanation: In the Listening state, a port participates in STP (sends/receives BPDUs) but neither learns MAC addresses nor forwards data frames. In Learning, it adds MAC addresses to the table but still does not forward data. Only Forwarding does both. Blocking receives BPDUs but does nothing else.

Frequently asked questions — Spanning Tree Protocol

What is the default STP bridge priority and how do I change it?

The default bridge priority is 32768. To make a switch more likely to become the root bridge, lower the priority with 'spanning-tree vlan <vlan-id> priority <value>'. Valid values are multiples of 4096 (0, 4096, 8192 ... 61440). The 'spanning-tree vlan <id> root primary' shortcut sets priority to 24576 automatically.

What is the difference between STP and RSTP?

STP (802.1D) uses timer-based convergence taking 30–50 seconds. RSTP (802.1w) uses a proposal/agreement handshake between switches and converges in under 1 second. RSTP also reduces port states from five to three (Discarding, Learning, Forwarding) and incorporates the behaviors of optional STP add-ons like BackboneFast and UplinkFast.

When should I use PortFast and when is it dangerous?

Use PortFast only on access ports connected to end hosts (PCs, printers, servers) where no switch will ever connect. PortFast skips the Listening and Learning states so the port reaches Forwarding immediately, preventing delays for DHCP and login. Never enable PortFast on inter-switch links — it can cause temporary forwarding loops during convergence. Pair PortFast with BPDU Guard to protect against accidental switch connections.

What does BPDU Guard do and where should it be configured?

BPDU Guard err-disables a port immediately upon receiving a BPDU. It should be configured globally on all PortFast-enabled ports or individually on access ports. It protects against users connecting unauthorized switches to the access layer. A port in err-disabled state must be manually re-enabled (or auto-recovery configured) after the rogue switch is removed.
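
A configuration check for the PortFast and BPDU Guard guidance on this page, as an added Python example that is not from the original page. The running-config excerpt is constructed, and the audit recognizes only the classic IOS command forms shown in the code, which is an assumption about the platform.

```python
import re

NO_GUARD = "PortFast without BPDU Guard"
NOT_ACCESS = "PortFast on a port not in access mode"

# Constructed running-config excerpt; interface numbers are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree portfast
!
"""

def audit_portfast(config):
    """Return (interface, finding) pairs for risky PortFast settings."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Global default: BPDU Guard on every PortFast-enabled port.
    global_guard = "spanning-tree portfast bpduguard default" in lines
    blocks, current = {}, None
    for ln in lines:
        m = re.match(r"interface (\S+)$", ln)
        if m:
            current = blocks.setdefault(m.group(1), set())
        elif ln.startswith(" ") and current is not None:
            current.add(ln.strip())      # command inside the interface block
        else:
            current = None               # "!" or a global command ends the block
    findings = []
    for name, cmds in blocks.items():
        if "spanning-tree portfast" not in cmds:
            continue
        # A per-interface "disable" overrides the global default.
        guarded = "spanning-tree bpduguard enable" in cmds or (
            global_guard and "spanning-tree bpduguard disable" not in cmds)
        if "switchport mode access" not in cmds:
            findings.append((name, NOT_ACCESS))
        elif not guarded:
            findings.append((name, NO_GUARD))
    return findings
```

On the sample, GigabitEthernet0/2 is flagged for missing BPDU Guard and GigabitEthernet0/24 for carrying PortFast on a trunk; adding the global default line clears only the first finding.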

How is STP tested on the CCNA exam?

The CCNA tests root bridge election (lowest Bridge ID), port role identification (root port, designated port, blocked port), convergence time differences between STP and RSTP, PortFast and BPDU Guard configuration and purpose, and troubleshooting scenarios where ports are stuck in blocking or not converging. Expect topology diagrams where you identify port roles and predict which ports will block.
