STP Questions

January 28th, 2021

Quick review about BPDUGuard & BPDUFilter:

The BPDU Guard feature allows STP to shut down an access port when that port receives a BPDU, putting the port into the err-disabled state. BPDU Guard is configured under an interface via this command:

Switch(config-if)#spanning-tree bpduguard enable

Or configured globally via this command (BPDU Guard is enabled on all PortFast interfaces):

Switch(config)#spanning-tree portfast edge bpduguard default

BPDUFilter is designed to suppress the sending and receiving of BPDUs on an interface. There are two ways of configuring BPDUFilter: under global configuration mode or under interface mode, and there is a subtle difference between them.

If BPDUFilter is configured globally via this command:

Switch(config)#spanning-tree portfast bpdufilter default

BPDUFilter will be enabled on all PortFast-enabled interfaces and will suppress the interface from sending or receiving BPDUs. This is good if that port is connected to a host, because we can enable PortFast on this port to save some start-up time while not allowing BPDUs to be sent out to that host. Hosts do not participate in STP and hence drop the received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from being transmitted to host devices.

If BPDUFilter is configured under interface mode like this:

Switch(config-if)#spanning-tree bpdufilter enable

It will suppress the sending and receiving of BPDUs. This is the same as disabling spanning tree on the interface. This choice is risky and should only be used when you are sure that the port connects only to host devices.
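The following check is an added example, not part of the original page or of any Cisco tool. It audits an IOS-style configuration for the settings described above: it flags access ports that carry the interface-level BPDUFilter and access ports that are covered neither by `spanning-tree bpduguard enable` nor by the global PortFast default. The sample configuration and the finding names are constructed for illustration.

```python
SAMPLE_CONFIG = """\
spanning-tree portfast edge bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface GigabitEthernet0/3
 switchport mode access
interface GigabitEthernet0/4
 switchport mode access
 spanning-tree bpduguard enable
"""  # constructed sample, not from a real device

GUARD_DEFAULTS = {"spanning-tree portfast edge bpduguard default",
                  "spanning-tree portfast bpduguard default"}  # newer / older syntax
PORTFAST = {"spanning-tree portfast", "spanning-tree portfast edge"}

def parse(config):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() not in ("", "!"):
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit(config):
    """Map each access port to its list of findings."""
    global_lines, interfaces = parse(config)
    guard_default = bool(GUARD_DEFAULTS & set(global_lines))
    findings = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # only access ports are in scope here
        issues = []
        if "spanning-tree bpdufilter enable" in cmds:
            issues.append("bpdufilter-enabled")  # STP effectively off on this port
        if not ("spanning-tree bpduguard enable" in cmds
                or (guard_default and PORTFAST & set(cmds))):
            issues.append("no-bpduguard")
        if issues:
            findings[name] = issues
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` reports Gi0/2 for the interface-level filter and Gi0/3 because the global default only reaches PortFast-enabled ports.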

Question 1


The purpose of Port Fast is to minimize the time interfaces must wait for spanning-tree to converge. It is effective only when used on interfaces connected to end stations.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html

Question 2

Question 3


SW1 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches. Unfortunately, it blocked the fiber port Link2. But how does SW2 select its blocked port? Well, the answer is based on the BPDUs it receives from SW1. A BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID

These four parameters are examined in order. In this specific case, all the BPDUs sent by SW1 have the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). The port index of Gi0/0 is lower than the port index of Gi0/1, so Link1 has been chosen as the primary link.

Therefore we must change the port priority to change the primary link. The lower the numerical value of the port priority, the higher the priority of that port. In other words, we must change the port-priority on Gi0/1 of SW1 (not on Gi0/1 of SW2) to a lower value than that of Gi0/0.
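The tie-break described above, as an added example that is not part of the original page. It compares the BPDUs SW2 hears on each link field by field and shows why only the port priority configured on SW1 changes the outcome. The bridge ID, the port indexes 1 and 2, the default priority of 128 and the assumption that both SW2 uplinks have equal cost are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bpdu:
    root_id: tuple      # (priority, MAC) of the root bridge
    root_cost: int      # sender's path cost to the root
    sender_id: tuple    # (priority, MAC) of the sending bridge
    port_priority: int  # priority of the sending port
    port_index: int     # index of the sending port

    def key(self):
        # The four parameters are examined in order; the lower value wins.
        return (self.root_id, self.root_cost, self.sender_id,
                (self.port_priority, self.port_index))

def root_port(received):
    """received: {local port: Bpdu heard on it}. Return the port hearing the superior BPDU."""
    return min(received, key=lambda port: received[port].key())

# Constructed values: SW1 is the root, so it advertises a root path cost of 0.
SW1 = (32778, "0000.0000.0001")
# SW2 local port -> (SW1 port at the far end, assumed SW1 port index)
LINKS = {"Gi0/0": ("Gi0/0", 1), "Gi0/1": ("Gi0/1", 2)}

def sw2_root_port(sw1_priorities):
    """sw1_priorities: {SW1 port: priority}. SW2's own priorities never enter the comparison."""
    heard = {local: Bpdu(SW1, 0, SW1, sw1_priorities[remote], index)
             for local, (remote, index) in LINKS.items()}
    return root_port(heard)

if __name__ == "__main__":
    print(sw2_root_port({"Gi0/0": 128, "Gi0/1": 128}))  # defaults on SW1
    print(sw2_root_port({"Gi0/0": 128, "Gi0/1": 32}))   # priority 32 on SW1 Gi0/1
```

Because `sw2_root_port` takes only SW1's priorities as input, a priority change made on SW2 cannot alter the result, which matches the explanation above.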

Question 4


Where to Use MST
This diagram shows a common design that features access Switch A with 1000 VLANs redundantly connected to two distribution Switches, D1 and D2. In this setup, users connect to Switch A, and the network administrator typically seeks to achieve load balancing on the access switch Uplinks based on even or odd VLANs, or any other scheme deemed appropriate.

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html

Question 5


From the second command output (show spanning-tree mst) we learn that MST1 includes VLANs 10 & 20. Therefore, if we want DSW1 to become the root bridge for these VLANs, we need to set the MST 1 region to root; the command “spanning-tree mst 1 root primary” can do the trick. In fact, this command runs a macro and sets the priority lower than the current root.

Also we can see the current root bridge for these VLANs has the priority of 32769 (default value + sysid) so we can set the priority of DSW1 to a specific lower value. But notice that the priority must be a multiple of 4096. Therefore D is a correct answer.

Question 6


In the topology above, we see that DSW2 has the lowest priority, 24576, so it is the root bridge for VLAN 10, and all traffic for this VLAN must go through it. All of DSW2's ports must be in the forwarding state. And:

+ The direct link between DSW1 and ALSW1 is blocked by STP.
+ The direct link between DSW1 and ALSW2 is also blocked by STP.

Therefore PC1 must go via this path: PC1 -> ALSW1 -> DSW2 -> DSW1.

Question 7


Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account and does not elect a new STP root. Instead, root guard puts the port into the root-inconsistent STP state, which is equal to a listening state. No traffic is forwarded across this port.

Below is an example of where to configure Root Guard on the ports. Notice that Root Guard is always configured on designated ports.


To configure Root Guard use this command:

Switch(config-if)# spanning-tree guard root

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html

Question 8

  1. LTZY
    February 20th, 2021

    For question 3.
    Refer to the exhibit. Link1 is a copper connection and Link2 is a fiber connection. The fiber port must be the primary port for all forwarding. The output of the show spanning-tree command on SW2 shows that the fiber port is blocked by spanning tree. An engineer enters the spanning-tree port-priority 32 command on G0/1 on SW2, but the port remains blocked.

    Which command should be entered on the ports that are connected to Link2 to resolve the issue?

    A. Enter spanning-tree port-priority 4 on SW2
    B. Enter spanning-tree port-priority 224 on SW1
    C. Enter spanning-tree port-priority 64 on SW2
    D. Enter spanning-tree port-priority 32 on SW1

    The correct answer stated is D.

    I think there’s some error on the question? As on the exhibit the SW1 is the root bridge, therefore all ports on the SW1 are designated (FWD) and no further config is needed on the SW1’s end. On the other side, SW2 needs to block one of its ports going to the root bridge, and it is via the ff:

    1. A lower path cost to the Root –> Tie, based on the show spanning-tree command both ports to the root bridge (SW1) have the same cost of 4.
    2. A lower Root Bridge ID –> Tie as both interfaces are pointing to the same SW (SW1) = same bridge ID.
    3. A lower Sending Port Priority/ID –> Which by default makes Link1 via G0/0 on SW2 the forwarding port as it has the lower port ID advertised by SW1 (G0/0).

    The question states that “An engineer enters the spanning-tree port-priority 32 command on G0/1 on SW2, but the port remains blocked.”

    ^Wouldn’t this command already make the interface G0/1 the forwarding port as it has the lower port-priority (32) compared to the G0/0 (120)?

    It seems there is some confusion on this question itself. Or maybe someone can correct me if my understanding is wrong.


  2. contoso
    March 28th, 2021

    @LTZY: The answer is already stated: SW1 is root bridge for VLAN10. SW2 is not the root bridge as result of “show spanning-tree”
    SW1 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches. Unfortunately, it blocked the fiber port Link2 (because the port index of gi0/1 is higher than gi0/0). But how does SW2 select its blocked port? Well, the answer is based on the BPDUs it receives from SW1. A BPDU is superior to another if it has:
    1. A lower Root Bridge ID
    2. A lower path cost to the Root
    3. A lower Sending Bridge ID
    4. A lower Sending Port ID

  3. PacMan
    April 24th, 2021

    Q 7 – answer B does not “explicitly configure a switch as the root bridge”, it only protects switch from further superior BPDUs so D is correct.

  4. ez0p4o
    May 4th, 2021

    PacMan, as per the document provided below Q7:
    ” Note: The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position. But there is no guarantee against a bridge with a priority of 0 and a lower MAC address.

    The root guard feature provides a way to enforce the root bridge placement in the network. ”
    So the answer is correct and is B

  5. slim
    May 5th, 2021

    @ez0p4o Thank you for clarifying, I also thought the answer was setting the Priority to 0.

  6. bigs
    May 5th, 2021

    Question 6 – the diagram shows the links from DSW2 to the two ALSW switches as being 1 Gbps while all other links are 10 Gbps. Shouldn’t that make ALSW1’s root port Gi0/1 and Gi0/2 in blocking state? I have access to an EVE lab and labbed it up and that’s how it works in my lab.

  7. AT
    May 7th, 2021

    About Q7:
    Answer A is meaningless because 32768 is the default priority on any switch.
    Answer B mentions access-ports with portfast. In my understanding access ports do not relate to downstream switches. After all the question is talking about a 3-tier architecture, which means trunks between switches. Root Guard must be applied on switch-to-switch ports to have any effect towards the desired result.
    Answer C is talking about BPDU guard applied on switch-to-switch ports, but BPDU guard works on Access ports with Portfast (and trunks connected to Servers) and will disable the port upon receipt of any BPDU (not only a superior one) therefore blocking communication in any case, so this is not acceptable as well.
    I believe that D is the better answer, and it is the only one that explicitly configures the switch as a root bridge.

    @Digitaltut – Please review the correct answer again

  8. RM
    May 16th, 2021


    Answers A and D could be correct, depending on whether they are using the short or the long cost for a port and they haven’t changed the port costs.

    With short cost the 1 Gig connection has a cost of 4 and the 10 Gig a cost of 2. That would mean the cost from ALSW1 to Root would be 4 and the cost from ALSW1 over DSW1 to Root would also be 4 (2x 10 Gig = 4). In this case the lower bridge ID wins.

    If they are using the long cost, the cost for 1 Gig is 20000 and for 10 Gig 2000. That would mean the ALSW1 to Root path costs 20000 and the ALSW1 over DSW1 to Root path would have a cost of 4000. In this case the 10 Gig connection would win.

    By default the switches should use the short cost, but can someone find any hint in the graphic that they are using long cost?

  9. Werewolf
    July 3rd, 2021

    Q1: What is the primary effect of the spanning-tree portfast command?
    A. It enables BPDU messages
    B. It minimizes spanning-tree convergence time
    C. It immediately puts the port into the forwarding state when the switch is reloaded
    D. It immediately enables the port in the listening state

    Why is “C” incorrect?

  10. Werewolf
    July 3rd, 2021

    ALSW1 must choose a root port. It is receiving BPDUs via G0/1 and G0/2 from the root bridge DSW2.
    The cost scheme “short” is used by default.
    The BPDU DSW2 -> DSW1 -> ALSW1 has a cost 2+2=4
    The BPDU DSW2 -> ALSW1 has a cost 4 too.
    So ALSW1 must compare BridgeID.
    The BridgeID of DSW1 is 001b.xxxx
    The BridgeID of DSW2 is 0018.xxxx and it is LOWER than the BridgeID of DSW1
    So the root port will be only G0/2 and the answer “A” is INCORRECT.
    The way from PC1 to DSW1 is ALSW1 -> DSW2 -> DSW1. Answer “D”!

  11. anon
    July 20th, 2021


    Q1: We are used to thinking that portfast makes the access port come up quicker but the Cisco material explicitly says “An interface with Port Fast enabled goes through the normal cycle of spanning-tree status changes when the switch is restarted.” The less obvious implication is that it still is quicker when the single interface transitions from down to up rather than the whole switch.