RSTP / Rapid Spanning Tree Configuration

Classic 802.1D Spanning Tree Protocol was designed in an era when a 30–50 second convergence delay was acceptable. In modern networks, that delay causes application sessions to time out and VoIP calls to drop whenever a link fails or a switch reboots. RSTP (Rapid Spanning Tree Protocol, IEEE 802.1w) replaces the passive timer-based convergence of 802.1D with an active proposal/agreement handshake that allows ports to transition to Forwarding in as little as one or two hello intervals — typically under one second. On Cisco switches, RSTP runs as Rapid PVST+, maintaining a separate spanning tree instance per VLAN (just like PVST+) while delivering 802.1w rapid convergence on every point-to-point link.

RSTP achieves speed through three mechanisms: ports directly connected to end devices transition immediately to Forwarding as edge ports; upstream links use the proposal/agreement synchronisation to transition without waiting for timers; and only two port roles (Root Port and Designated Port) have forwarding paths, while the Alternate Port provides an instantly activated backup. This lab configures Rapid PVST+ from scratch, sets correct edge and link-type parameters, applies protective features like BPDU Guard, and uses show spanning-tree detail to confirm that rapid transitions are occurring rather than classic timer-based ones.

RSTP interacts closely with VLAN design — for VLAN creation and trunk configuration that RSTP operates over see VLAN Creation and Management, Trunk Port Configuration, and VLANs. For the root bridge election and PVST+ load balancing concepts see Spanning Tree Root Bridge Configuration and STP Overview. For PortFast and BPDU Guard configuration see PortFast and BPDU Guard. For port security features applied to edge ports see Port Security and Port Security — Sticky MAC.

1. RSTP — Core Concepts

802.1D vs 802.1w Comparison

Feature	Classic 802.1D	RSTP 802.1w / Rapid PVST+
Convergence time	30–50 seconds (2× Forward Delay = 30 s default)	1–2 seconds on point-to-point links; immediate on edge ports
Port states	5 states: Disabled, Blocking, Listening, Learning, Forwarding	3 states: Discarding (combines Disabled/Blocking/Listening), Learning, Forwarding
Port roles	Root, Designated, Blocked (non-designated)	Root, Designated, Alternate, Backup
Convergence mechanism	Passive timer expiry — waits for Max Age (20 s) + Listening (15 s) + Learning (15 s)	Active proposal/agreement handshake — switch-to-switch negotiation without waiting for timers
Topology Change	TCN BPDUs propagate to Root Bridge; Root floods TC for Max Age	Each switch independently flushes its MAC table and propagates TC for 2× Hello Time only
BPDU handling	Only Root Bridge originates BPDUs; non-root switches relay	Every switch originates BPDUs every Hello Time; missing 3× Hello Times declares link failure
Edge port (end device)	PortFast — Cisco proprietary feature; still sends BPDUs	Edge port — standard 802.1w concept; moves immediately to Forwarding; loses edge status if BPDU received
Cisco implementation	PVST+ (per-VLAN STP)	Rapid PVST+ — one RSTP instance per VLAN

RSTP Port Roles

Role	State	Description
Root Port	Forwarding	The single best path toward the Root Bridge on each non-root switch. Determined by lowest path cost to Root. One Root Port per switch (none on the Root Bridge itself)
Designated Port	Forwarding	The best port on each network segment (link) toward the Root Bridge. Forwards BPDUs and data onto the segment. One Designated Port per segment
Alternate Port	Discarding	Provides a backup path to the Root Bridge — a better BPDU is received from another switch on the same segment. Instantly transitions to Root Port if the current Root Port fails (sub-second failover)
Backup Port	Discarding	Provides a backup to a Designated Port on the same shared segment — rare in modern full-duplex switched networks. Only seen when two ports on the same switch connect to a hub
Disabled	Discarding	Administratively shut down or not connected

Link Types

Link Type	How Determined	RSTP Behaviour
Point-to-point	Automatically detected on full-duplex links (the default for all modern switch ports). Can be manually forced with `spanning-tree link-type point-to-point`	Eligible for rapid transition via proposal/agreement handshake. Achieves sub-second convergence
Shared	Automatically detected on half-duplex links (legacy hubs). Can be forced with `spanning-tree link-type shared`	Falls back to 802.1D timer-based convergence — rapid transitions disabled on this link
Edge	Configured with `spanning-tree portfast` (Cisco CLI) or globally via `spanning-tree portfast default`	Immediately transitions to Forwarding on link-up — no proposal/agreement needed. Loses edge status and sends Topology Change if a BPDU is received

Proposal / Agreement Handshake

  Root Bridge (SW1)                    Non-Root (SW2)
  Gi0/1 — Designated                  Gi0/1 — electing Root Port
  ──────────────────────────────────────────────────────────────
  1. SW1 sends BPDU with Proposal bit set
     "I want to be Designated — agree?"      ──────────────────►

  2.                                          SW2 receives Proposal
                                              SW2 puts ALL non-edge
                                              ports into Discarding
                                              (sync step — prevents
                                              temporary loops)

  3.                                          SW2 sends Agreement
     ◄──────────────────  "Agreed — you are Designated"

  4. SW1 Gi0/1 transitions immediately
     to FORWARDING (no timer wait)

  5. SW2 Gi0/1 transitions to FORWARDING
     as Root Port

  Total time: 1–2 Hello intervals (~2–4 seconds worst case;
              often sub-second on direct links)

2. Lab Topology

          ┌───────────────────────────────────┐
          │         NetsTuts-SW1              │
          │    (Root Bridge — VLAN 10, 20)    │
          │  Priority: 4096 (VLAN 10)         │
          │  Priority: 8192 (VLAN 20)         │
          └──────────┬──────────┬─────────────┘
              Gi0/1  │          │  Gi0/2
           (trunk)   │          │  (trunk)
                     │          │
          ┌──────────┘          └─────────────┐
          │  NetsTuts-SW2                      │  NetsTuts-SW3
          │  Priority: 8192 (VLAN 10)         │  Priority: 8192 (VLAN 10)
          │  Priority: 4096 (VLAN 20)         │  Priority: 12288 (VLAN 20)
          └──────────────┬────────────────────┘
                    Gi0/3│ (trunk — cross-link)
                         │
  Access ports (edge ports / PortFast):
    SW2: Fa0/1–Fa0/10 → VLAN 10 (workstations)
    SW3: Fa0/1–Fa0/10 → VLAN 20 (servers)
    SW1: Gi0/3        → VLAN 10 (management host)

  VLANs: 10 (Users), 20 (Servers)
  STP mode: Rapid PVST+

3. Step 1 — Enable Rapid PVST+

Rapid PVST+ is the default on modern Cisco IOS switches (IOS 12.2+ and all Catalyst switches). Verify and explicitly configure it to ensure consistency across the environment:

! ════════════════════════════════════════════════════
! Configure on ALL switches: SW1, SW2, SW3
! ════════════════════════════════════════════════════

NetsTuts-SW1>en
NetsTuts-SW1#conf t

! ── Set STP mode to Rapid PVST+ ─────────────────────
spanning-tree mode rapid-pvst
!
! ── Verify the mode change ───────────────────────────
NetsTuts-SW1#show spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: VLAN0010, VLAN0020
  PortFast BPDU Guard Default is disabled
  Portfast BPDU Filter Default is disabled
  Logging  BPDU Guard Default is disabled
  UplinkFast                is disabled
  BackboneFast              is disabled
  Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0010                     0         0        0          3          3
VLAN0020                     0         0        0          3          3

The Switch is in rapid-pvst mode line confirms the mode change. In Rapid PVST+, the Listening and Blocking state columns should always show zero for a stable topology — all ports should be either Forwarding or in the RSTP Discarding state (which maps to Blocking in the summary). If Listening shows non-zero values after the topology has converged, a port is behaving like classic 802.1D — typically caused by a shared-type link or an incompatible switch running legacy 802.1D.

4. Step 2 — Configure Root Bridge and Bridge Priority

Never let the Root Bridge election happen by chance — the switch with the lowest MAC address wins by default, which is often the oldest switch. Explicitly set the Root Bridge with spanning-tree vlan [id] priority [value] or use the macro spanning-tree vlan [id] root primary:

! ════════════════════════════════════════════════════
! SW1 — Primary Root for VLAN 10; Secondary for VLAN 20
! ════════════════════════════════════════════════════

NetsTuts-SW1#conf t

! ── Method 1: explicit priority ──────────────────────
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 8192
!
! ── Method 2: macro (sets priority to 24576 or lower) ─
! spanning-tree vlan 10 root primary
! spanning-tree vlan 20 root secondary
!

! ════════════════════════════════════════════════════
! SW2 — Secondary Root for VLAN 10; Primary for VLAN 20
! (per-VLAN load balancing between uplinks)
! ════════════════════════════════════════════════════

NetsTuts-SW2#conf t
spanning-tree vlan 10 priority 8192
spanning-tree vlan 20 priority 4096
!

! ════════════════════════════════════════════════════
! SW3 — Non-root for both VLANs
! ════════════════════════════════════════════════════

NetsTuts-SW3#conf t
spanning-tree vlan 10 priority 8192
spanning-tree vlan 20 priority 12288
!

Bridge priority must be a multiple of 4096 — IOS enforces this because the lower 12 bits of the Bridge ID are reserved for the System ID Extension (the VLAN number). Valid values are: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768 (default), 36864, 40960, 45056, 49152, 53248, 57344, 61440. The lowest Bridge Priority + Bridge MAC address wins the Root Bridge election. Configuring SW1 with priority 4096 for VLAN 10 ensures it is always preferred over SW2 (priority 8192) and SW3. The per-VLAN priority assignments implement load balancing: VLAN 10 traffic uses SW1 as Root (flowing via SW1-SW2 uplink) while VLAN 20 traffic uses SW2 as Root (flowing via SW2-SW3 uplink), distributing traffic across both trunks. After completing configuration save with write memory.

Verify Root Bridge Election

NetsTuts-SW1#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0023.04FA.1234
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
             Address     0023.04FA.1234
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
Gi0/3               Desg FWD 4         128.3    P2p Edge

The This bridge is the root line confirms SW1 has won the VLAN 10 Root Bridge election. The Bridge ID Priority shows 4106 — this is the configured priority (4096) plus the VLAN System ID Extension (10), giving 4096 + 10 = 4106. All three interfaces show Desg FWD (Designated, Forwarding) — correct for the Root Bridge, which has all ports as Designated. The Type: P2p confirms full-duplex point-to-point links eligible for rapid transitions. Gi0/3 shows Edge in addition to P2p — this is the PortFast-configured access port to the management host.

5. Step 3 — Configure Edge Ports (PortFast)

Access ports connected to end devices (PCs, servers, printers, IP phones) must be configured as edge ports. This allows them to transition immediately to Forwarding on link-up without waiting for the proposal/agreement process — a PC should never wait for STP before it can DHCP and boot:

Individual Port PortFast

! ════════════════════════════════════════════════════
! SW2 — configure access ports as edge ports
! ════════════════════════════════════════════════════

NetsTuts-SW2#conf t

! ── Apply PortFast to individual access ports ─────────
interface range FastEthernet0/1 - 10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 !
 ! ── BPDU Guard: shutdown port if BPDU received ────────
 spanning-tree bpduguard enable
!

Global PortFast Default (All Access Ports)

! ── Enable PortFast on all access ports globally ─────
! ── (does not affect trunk ports) ────────────────────
spanning-tree portfast default
!
! ── Enable BPDU Guard globally for all PortFast ports ─
spanning-tree portfast bpduguard default
!

spanning-tree portfast default enables PortFast on all access-mode ports automatically — any interface configured with switchport mode access becomes an edge port. Trunk ports are not affected, which is the correct behaviour since switch-to-switch links must never be edge ports. spanning-tree portfast bpduguard default globally enables BPDU Guard on every PortFast port. BPDU Guard is the critical protection mechanism: if any BPDU arrives on an edge port (indicating a switch has been plugged in instead of a PC), the port is immediately placed into err-disabled state, preventing a loop. Without BPDU Guard, a user plugging in an unmanaged switch on an edge port could disrupt the entire STP topology. For additional edge port protection see DHCP Snooping & Dynamic ARP Inspection and PortFast and BPDU Guard.

SW3 Access Ports — VLAN 20 Servers

NetsTuts-SW3#conf t

interface range FastEthernet0/1 - 10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!

6. Step 4 — Verify and Set Link Types on Trunk Ports

RSTP rapid transitions only work on point-to-point links. Point-to-point is automatically detected on full-duplex ports (all modern switch-to-switch links). Verify and explicitly configure if auto-detection produces incorrect results:

! ════════════════════════════════════════════════════
! SW1 — trunk ports to SW2 and SW3
! ════════════════════════════════════════════════════

NetsTuts-SW1#conf t

interface GigabitEthernet0/1
 description Trunk-to-SW2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ! ── Explicitly set point-to-point for RSTP rapid transitions ─
 spanning-tree link-type point-to-point
 no shutdown
!
interface GigabitEthernet0/2
 description Trunk-to-SW3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree link-type point-to-point
 no shutdown
!

! ════════════════════════════════════════════════════
! SW2 — trunk to SW1 and SW3
! ════════════════════════════════════════════════════

NetsTuts-SW2#conf t

interface GigabitEthernet0/1
 description Trunk-to-SW1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree link-type point-to-point
 no shutdown
!
interface GigabitEthernet0/3
 description Trunk-to-SW3-crosslink
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree link-type point-to-point
 no shutdown
!

! ════════════════════════════════════════════════════
! SW3 — trunk to SW1 and SW2
! ════════════════════════════════════════════════════

NetsTuts-SW3#conf t

interface GigabitEthernet0/2
 description Trunk-to-SW1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree link-type point-to-point
 no shutdown
!
interface GigabitEthernet0/3
 description Trunk-to-SW2-crosslink
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree link-type point-to-point
 no shutdown
!

Explicitly configuring

spanning-tree link-type
    point-to-point

on trunk ports ensures RSTP rapid transitions are always available, even if the duplex setting is later changed or auto-negotiated incorrectly. A port operating at half-duplex (detected as shared link type) will silently fall back to 802.1D convergence — the network continues to function but convergence after a failure takes 30–50 seconds instead of under 1 second. The link type can be verified with show spanning-tree detail under each interface's entry — look for "link type is point-to-point by default" or "link type is point-to-point (configured)."

Configure STP Port Cost (Optional — Path Tuning)

! ── Set long path cost method (802.1t — values for Gbps links) ─
spanning-tree pathcost method long
!
! ── Path cost reference table (long method):
! ── 10 Mbps  = 2,000,000
! ── 100 Mbps = 200,000
! ── 1 Gbps   = 20,000
! ── 10 Gbps  = 2,000
!
! ── Override specific port cost to influence Root Port selection ─
interface GigabitEthernet0/1
 spanning-tree vlan 10 cost 10
!

7. Step 5 — Protective STP Features

BPDU Guard — Protect Edge Ports

! ── Per-port BPDU Guard (overrides global setting) ───
interface FastEthernet0/1
 spanning-tree bpduguard enable
!
! ── Verify BPDU Guard err-disabled recovery ──────────
NetsTuts-SW2#show spanning-tree summary
...
  Name                   Blocking Listening Learning Forwarding STP Active
  VLAN0010                     1         0        0          9         10
  ! ── 1 port in Blocking/err-disabled ─────────────────

NetsTuts-SW2#show interfaces FastEthernet0/1 status
Port      Name               Status       Vlan   Duplex Speed Type
Fa0/1                        err-disabled 10     full   100   10/100BaseTX

! ── To recover manually: ─────────────────────────────
NetsTuts-SW2#conf t
interface FastEthernet0/1
 shutdown
 no shutdown
!
! ── Or configure automatic err-disable recovery ──────
errdisable recovery cause bpduguard
errdisable recovery interval 300
!

When BPDU Guard triggers, the port moves to err-disabled — administratively down and requiring manual intervention to recover (or automatic via errdisable recovery). The err-disabled state is intentional: it forces human review before the port is re-enabled. Log messages appear on the console:

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port
    FastEthernet0/1 with BPDU Guard enabled. Disabling port.

The errdisable recovery cause bpduguard command enables automatic recovery after the configured interval (300 seconds by default) — useful in lab environments but should be evaluated carefully in production where an automatically re-enabled port may loop again.

Root Guard — Prevent Unauthorised Root Bridge

! ── Root Guard: applied on Designated ports facing
! ── downstream switches that should NEVER become Root ──
! ── Applied on SW1 ports facing SW2 and SW3 ───────────

NetsTuts-SW1#conf t

interface GigabitEthernet0/1
 ! ── Prevent SW2 from becoming Root Bridge ────────────
 spanning-tree guard root
!
interface GigabitEthernet0/2
 spanning-tree guard root
!

Root Guard is applied on ports where the switch is the Designated switch and should always remain so. If a superior BPDU is received on a Root Guard port (indicating a switch with a better Bridge Priority has appeared — perhaps an attacker or a misconfigured switch), the port moves to root-inconsistent state and stops forwarding. Unlike err-disabled, root-inconsistent is self-healing — when the superior BPDUs stop arriving, the port automatically transitions back to Forwarding. The key placement rule: Root Guard on ports leading toward access layer switches; BPDU Guard on edge ports connecting to end devices. Never configure both on the same port.

BPDU Filter — Suppress BPDUs on Edge Ports

! ── BPDU Filter: stop sending BPDUs on edge ports ────
! ── WARNING: use with extreme caution — disabling BPDUs
! ── on a port that connects to a switch creates a loop ─
spanning-tree portfast bpdufilter default
! ── Effect: stops BPDU transmission on PortFast ports
! ── BUT still processes received BPDUs and disables
! ── PortFast if a BPDU is received (global mode)
!
! ── Per-port BPDU Filter (DANGEROUS — disables ALL BPDUs) ─
! interface FastEthernet0/1
!  spanning-tree bpdufilter enable
! ── Per-port mode ignores received BPDUs entirely — loop risk!

BPDU Filter has two behaviours depending on whether it is configured globally or per-port. The global form (via spanning-tree portfast bpdufilter default) stops sending BPDUs on PortFast ports but still processes received BPDUs — if a BPDU arrives, PortFast is disabled and normal STP runs. The per-port form (spanning-tree bpdufilter enable on an interface) both stops sending AND stops processing received BPDUs — the port effectively becomes invisible to STP. This is dangerous: a loop can form silently because STP never detects it. Use per-port BPDU Filter only on provider-facing ports where BPDU leakage must be prevented by SLA requirement, never on internal access ports.

8. Step 6 — Verification

show spanning-tree detail — The Primary RSTP Diagnostic

NetsTuts-SW1#show spanning-tree vlan 10 detail

 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 4096, sysid 10, address 0023.04FA.1234
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set
  Number of topology changes 3, last change occurred 00:04:21 ago
          from GigabitEthernet0/1
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 1 (GigabitEthernet0/1) of VLAN0010 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 4106, address 0023.04FA.1234
   Designated bridge has priority 4106, address 0023.04FA.1234
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   Link type is point-to-point by default
   BPDU: sent 1284, rcvd 1268
   *** Rapid Transition to forwarding ***

 Port 2 (GigabitEthernet0/2) of VLAN0010 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 4106, address 0023.04FA.1234
   Designated bridge has priority 4106, address 0023.04FA.1234
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1198, rcvd 1142
   *** Rapid Transition to forwarding ***

 Port 3 (GigabitEthernet0/3) of VLAN0010 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.3.
   Designated root has priority 4106, address 0023.04FA.1234
   Designated bridge has priority 4106, address 0023.04FA.1234
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 987, rcvd 0
   The port is in the portfast condition
   *** Rapid Transition to forwarding ***

The phrase "Rapid Transition to forwarding" at the bottom of each port entry is the definitive confirmation that RSTP rapid convergence is functioning. If this line is absent and replaced with forward delay timer counts, the port is converging using 802.1D timer-based mechanisms — typically because the link type is shared (half-duplex) or the remote switch is running legacy 802.1D. Key fields to check: Link type is point-to-point — mandatory for rapid transition; Number of transitions to forwarding state — low numbers confirm the topology is stable (excessive transitions indicate a flapping link or topology instability); BPDU: sent [N], rcvd [N] — both counters incrementing confirms active bidirectional BPDU exchange; Gi0/3 showing rcvd 0 BPDUs and portfast condition confirms the edge port is not receiving BPDUs from any switch.

show spanning-tree vlan — Port Role and State Summary

NetsTuts-SW2#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0023.04FA.1234
             Cost        4
             Port        1 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8202   (priority 8192 sys-id-ext 10)
             Address     0030.A3BB.5678
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/3               Desg FWD 4         128.3    P2p
Fa0/1               Desg FWD 100       128.4    P2p Edge
Fa0/2               Desg FWD 100       128.5    P2p Edge
Fa0/3               Desg FWD 100       128.6    P2p Edge

SW2's VLAN 10 topology: Gi0/1 is the Root Port (role: Root) forwarding toward SW1. Gi0/3 is a Designated Port forwarding on the cross-link to SW3. The access ports (Fa0/1–Fa0/3) show P2p Edge — confirming both point-to-point link type and edge (PortFast) status. For VLAN 20, run the same command — SW2 should appear as Root Bridge with all ports as Designated, and SW3's uplink to SW2 should be its Root Port (because SW2 has priority 4096 for VLAN 20).

show spanning-tree vlan — SW3 Alternate Port (Backup Path)

NetsTuts-SW3#show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    4106
             Address     0023.04FA.1234
             Cost        4
             Port        2 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8202   (priority 8192 sys-id-ext 10)
             Address     0041.2C11.9ABC
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Root FWD 4         128.2    P2p
Gi0/3               Altn BLK 4         128.3    P2p
Fa0/1               Desg FWD 100       128.4    P2p Edge

SW3's Gi0/3 (the cross-link to SW2) shows role Altn BLK — Alternate Port in Blocking/Discarding state. This is the RSTP Alternate Port providing an instant failover path. If SW3's Root Port (Gi0/2 to SW1) fails, Gi0/3 transitions from Alternate to Root Port immediately without any proposal/agreement handshake — the Alternate Port already knows it has a valid path to the Root Bridge (it was receiving superior BPDUs on Gi0/3 from SW2). This sub-second failover is the key advantage over 802.1D where the backup port would wait through Max Age (20 s) + Listening (15 s) + Learning (15 s) = 50 seconds before forwarding.

Simulate Failover — Observe Rapid Transition

! ── Simulate SW1-SW3 link failure (on SW1) ───────────
NetsTuts-SW1#conf t
interface GigabitEthernet0/2
 shutdown
!
! ── Immediately check SW3 topology ───────────────────
NetsTuts-SW3#show spanning-tree vlan 10

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg BLK 4         128.2    P2p
Gi0/3               Root FWD 4         128.3    P2p
Fa0/1               Desg FWD 100       128.4    P2p Edge

! ── Gi0/3 is now Root Port — instant failover! ───────
! ── Gi0/2 is Designated (link-down side shows BLK) ───

! ── Restore the link ─────────────────────────────────
NetsTuts-SW1#conf t
interface GigabitEthernet0/2
 no shutdown
!

The failover output demonstrates RSTP's rapid recovery. When SW1's Gi0/2 is shut down, SW3 detects the topology change within 3 × Hello Time (6 seconds) — actually faster in practice as the physical link-down event is immediate. SW3's Alternate Port (Gi0/3) transitions to Root Port essentially instantaneously, without any proposal/agreement needed, because it was already receiving valid BPDUs from SW2 with a path to the Root Bridge. Compare this to classic 802.1D: the backup port would remain blocked for 50 seconds after the failure, causing all VLAN 10 traffic through SW3 to be interrupted for nearly a minute.

Verification Command Summary

Command	What It Shows	Key Fields to Check
`show spanning-tree summary`	STP mode, Root Bridge status, per-VLAN port state counts	"Switch is in rapid-pvst mode"; Listening and Blocking columns = 0 in stable topology
`show spanning-tree vlan [id]`	Root Bridge identity, Bridge ID, per-port role/state/cost/type for the VLAN	Root Port (Root FWD), Designated (Desg FWD), Alternate (Altn BLK); Type P2p or P2p Edge
`show spanning-tree vlan [id] detail`	Full per-port detail including link type, BPDU counters, transition count, and rapid transition confirmation	"Rapid Transition to forwarding" — must be present on all point-to-point ports; link type is point-to-point
`show spanning-tree interface [intf] detail`	Single interface STP detail across all VLANs — role, state, cost, link type, transition history	Useful for isolating a specific port's STP behaviour; checks edge status and transition count
`show spanning-tree summary totals`	Aggregate port state counts across all VLANs	Large Listening count indicates STP reconverging; large Blocking count is normal (redundant links)
`show mac address-table`	MAC address table — useful during TC events to see if entries are flushing	Low MAC count after topology change confirms MAC flush occurred as expected
`show spanning-tree inconsistentports`	Ports in root-inconsistent or loop-inconsistent state — STP protection features have triggered	Any port listed here requires investigation — either a superior BPDU was received (Root Guard) or a BPDU was received on an edge port (BPDU Guard triggered err-disabled, shown separately)
`show errdisable recovery`	Causes of err-disabled ports and recovery timers configured	Confirms bpduguard recovery is enabled/disabled and the current interval setting

9. Troubleshooting Rapid PVST+

Problem	Symptom	Cause	Fix
Convergence still takes 30+ seconds	`show spanning-tree vlan [id] detail` does not show "Rapid Transition to forwarding"; convergence after link failure takes 30–50 seconds	Link type is shared (half-duplex) — RSTP falls back to 802.1D convergence on shared links; or one switch in the path is running legacy 802.1D (different spanning-tree mode)	Check `show spanning-tree vlan [id] detail` for "link type is shared" on the affected port. Fix with `spanning-tree link-type point-to-point` on both ends. Verify duplex with `show interfaces [intf] \| include Duplex` — half-duplex triggers shared link type. Check remote switch with `show spanning-tree summary` — mode must be rapid-pvst on all switches
Port flapping in and out of Forwarding	`show spanning-tree vlan [id] detail` shows high "Number of transitions to forwarding state"; syslog shows repeated STP topology change messages	Physical link instability (cable, SFP, or NIC issue); unidirectional link (STP receives but cannot send BPDUs in one direction); or a loop creating a BPDU storm	Check physical layer: `show interfaces [intf]` for input/output errors and CRC errors. Verify both ends of the link are up. Check `show spanning-tree vlan [id] detail \| include BPDU` — if sent is high but rcvd is 0 on both ends, unidirectional link failure. Enable Loop Guard with `spanning-tree guard loop` on uplink ports to detect unidirectional failures. See Troubleshooting Layer 2 VLANs & Trunks
BPDU Guard not triggering on edge port with switch connected	An unmanaged switch is connected to a PortFast port; BPDU Guard expected to err-disable but port remains up	BPDU Guard not enabled on the specific port — global `spanning-tree portfast bpduguard default` only applies to ports in PortFast mode; if PortFast was configured per-port but BPDU Guard was configured globally without also enabling PortFast globally, the port may not have BPDU Guard active	Verify: `show spanning-tree interface [intf] portfast` — shows whether BPDU Guard is active on that port. Apply BPDU Guard per-port with `spanning-tree bpduguard enable` directly on the interface for certainty
Unintended Root Bridge elected	`show spanning-tree vlan [id]` shows an unexpected switch as Root Bridge — often the switch with the oldest (lowest) MAC address	Bridge priority not configured — all switches default to 32768 and the switch with the lowest MAC address wins. A new switch added with default priority can become Root Bridge if its MAC is lower	Configure explicit priorities on all switches: `spanning-tree vlan [id] priority [value]`. Set Root Guard on distribution/core switch ports facing access layer to prevent any new switch from claiming Root. Apply `spanning-tree vlan [id] root primary` on the intended Root Bridge for immediate correction
Root Guard triggers root-inconsistent on wrong port	A legitimate upstream switch port enters root-inconsistent state; traffic stops forwarding on that port; `show spanning-tree inconsistentports` lists the port	Root Guard applied on the wrong port — Root Guard should only be on ports facing switches that should never become Root. If applied on an uplink toward the actual Root Bridge, the superior BPDUs from the Root Bridge trigger Root Guard, blocking the uplink	Remove Root Guard from the affected port: `no spanning-tree guard root` on the interface. Root Guard belongs on distribution-to-access downlinks, not on core-to-distribution uplinks. The port auto-recovers once Root Guard is removed and BPDUs stop triggering the inconsistent state
Topology changes flooding MAC table excessively	`show mac address-table count` shows low MAC counts despite active hosts; periodic traffic flooding observed on all ports; syslog shows repeated "%SPANTREE-5-TOPOTRAP" messages	Frequent STP topology changes are flushing the MAC address table. In RSTP, each topology change flushes MACs on all non-edge ports. A flapping access port (physical layer issue) triggers repeated TCs, causing continuous MAC table flushing and broadcast flooding	Identify the source of topology changes: `show spanning-tree detail \| include topology` shows the last port that triggered a TC. Fix the physical layer issue on that port. Ensure access ports are configured with PortFast — edge ports do not generate topology changes when they transition, which eliminates TC flooding from host port flaps
STP mode mismatch — one switch running 802.1D	Some ports on switches running Rapid PVST+ show "link type is shared" or do not show "Rapid Transition to forwarding" despite full-duplex links; convergence on affected paths is slow	An 802.1D switch in the topology causes RSTP switches to fall back to 802.1D behaviour on the affected ports. RSTP is backward compatible — when a switch receives a legacy 802.1D BPDU, it migrates that port to 802.1D operation. The migration is sticky until a protocol migration check is performed	Upgrade the legacy 802.1D switch to Rapid PVST+. If it cannot be upgraded, isolate it. On RSTP switches connected to it, run `clear spanning-tree detected-protocols interface [intf]` to force the port to re-probe for RSTP capability after the legacy switch is replaced

Key Points & Exam Tips

RSTP (802.1w) replaces 802.1D's timer-based convergence with a proposal/agreement handshake that transitions ports to Forwarding in one to two Hello intervals — typically under one second on point-to-point links.
RSTP has 3 port states: Discarding (covers Disabled/Blocking/Listening), Learning, Forwarding. Classic 802.1D has 5. The Listening state is eliminated in RSTP — ports go directly from Discarding to Learning during rapid transition.
RSTP has 4 port roles: Root Port (best path to Root), Designated Port (best port on a segment), Alternate Port (backup Root Port — instant failover), Backup Port (backup on same segment — rare). The Alternate Port is the key to RSTP's fast failover: it already knows a valid path to Root and transitions without any handshake.
Rapid transitions only work on point-to-point links (full-duplex). Shared links (half-duplex) fall back to 802.1D convergence. Modern switch-to-switch links are always full-duplex — verify with show interfaces | include Duplex.
Edge ports (PortFast) transition immediately to Forwarding on link-up — no handshake required. An edge port that receives a BPDU immediately loses its edge status and participates in normal RSTP.
BPDU Guard protects edge ports by err-disabling any port that receives a BPDU. Always enable BPDU Guard on access ports — it prevents users from connecting unauthorised switches.
Root Guard prevents downstream switches from becoming Root Bridge. Apply on designated ports facing the access layer. Root-inconsistent state is self-healing (unlike err-disabled from BPDU Guard).
Bridge priority must be a multiple of 4096. Default is 32768. Always configure explicit priorities — never let the Root Bridge be elected by lowest MAC address.
Cisco's implementation is Rapid PVST+ — a separate RSTP instance per VLAN. Use per-VLAN priority configuration to achieve load balancing across trunk links.
The key verification command is show spanning-tree vlan [id] detail — look for "Rapid Transition to forwarding" on all point-to-point ports. Its absence means timer-based convergence is occurring on that port.

Next Steps: With Rapid PVST+ converging quickly, the next step is optimising which switch is Root for each VLAN to achieve per-VLAN load balancing across redundant trunk links. See Spanning Tree Root Bridge Configuration. For the trunk ports that carry multiple VLAN spanning tree instances see Trunk Port Configuration. For protecting edge ports with PortFast and BPDU Guard see PortFast and BPDU Guard and DHCP Snooping & Dynamic ARP Inspection. For redundant uplinks using EtherChannel see EtherChannel LACP. For Layer 2 troubleshooting see Troubleshooting Layer 2 VLANs & Trunks.

TEST WHAT YOU LEARNED

1. What is the fundamental mechanism that makes RSTP converge faster than classic 802.1D, and what condition must be true for this mechanism to work?

A. RSTP uses shorter timer values — the Forward Delay is reduced from 15 seconds to 1 second and Max Age from 20 seconds to 6 seconds. Any full-duplex link qualifies B. RSTP uses an active proposal/agreement handshake between adjacent switches to synchronise port transitions without waiting for timer expiry. The switch that wants to become Designated sends a BPDU with the Proposal bit set; the downstream switch places all non-edge ports into Discarding (sync), then sends an Agreement BPDU. The Designated port transitions to Forwarding immediately upon receiving Agreement. This requires a point-to-point (full-duplex) link — shared (half-duplex) links cannot use the handshake and fall back to 802.1D timer-based convergence C. RSTP pre-calculates all possible topology states and caches the result so that when a link fails, the pre-computed forwarding table can be applied immediately without any negotiation D. RSTP eliminates the Learning state entirely — ports go directly from Discarding to Forwarding, which removes the 15-second forward delay. Any link type qualifies for this optimisation

Correct answer is B. The proposal/agreement mechanism is the core innovation of 802.1w. In 802.1D, a port must wait passively through Listening (15 s) and Learning (15 s) states before forwarding — these timers exist to ensure BPDUs have propagated throughout the topology and no loops exist. RSTP replaces this passive wait with an active negotiation: when a Designated port wants to transition to Forwarding, it sends a Proposal BPDU. The receiving switch executes the sync procedure — putting all its non-edge, non-Root ports into Discarding to prevent loops — then replies with an Agreement. The Designated port transitions immediately. This cascades down the tree: each switch negotiates with its downstream neighbour in sequence, so the entire tree converges in a number of steps equal to the tree diameter rather than after a fixed 30-second timer. The full-duplex requirement exists because the handshake is a switch-to-switch negotiation — shared media (hubs) may have multiple switches, making it impossible to guarantee the Agreement came from the correct switch. Half-duplex detection triggers shared link type, which reverts to 802.1D behaviour.

2. A switch shows port Gi0/1 as role Altn BLK in `show spanning-tree vlan 10`. What does this mean and what happens if the Root Port on the same switch fails?

A. Altn BLK means the port has been administratively blocked by STP because a loop was detected — it will remain blocked until the loop is manually resolved B. Altn BLK is the Alternate Port — it is receiving inferior BPDUs from a downstream switch. If the Root Port fails, the Alternate Port must go through the full proposal/agreement cycle (2–4 seconds) before forwarding C. Altn BLK indicates the port is in the 802.1D Blocking state — this switch is running legacy STP despite Rapid PVST+ being configured D. Altn BLK is the RSTP Alternate Port — it is receiving a superior BPDU from another switch that provides an alternative path to the Root Bridge. The port is Discarding (BLK in Cisco's display) but is actively monitoring the topology. If the current Root Port fails, the Alternate Port transitions to Root Port immediately without any proposal/agreement — sub-second failover. This is possible because the Alternate Port has already validated a path to the Root Bridge through the BPDUs it was receiving

Correct answer is D. The Alternate Port is one of RSTP's key contributions over 802.1D. In 802.1D, a blocked port (non-designated) had to wait through Max Age (20 s) + Listening (15 s) + Learning (15 s) = 50 seconds before it could become the Root Port after a failure. In RSTP, the Alternate Port has been continuously receiving BPDUs from an upstream switch with a known path to the Root Bridge — it has a "pre-validated" backup path in memory. When the current Root Port's link goes down (physical failure detected immediately), the switch simply promotes the Alternate Port to Root Port without any negotiation — the path has already been validated. This is what enables the sub-second failover that makes RSTP viable for voice and video networks. The key distinction: Alternate Port failover requires no handshake (instant), while a brand-new port coming up requires the proposal/agreement handshake (1–2 seconds). Option B is incorrect about the timing — proposal/agreement is only needed for new or transitioning Designated Ports, not for Alternate-to-Root Port transitions.

3. Why must bridge priority values be configured as multiples of 4096, and what is the actual Bridge ID transmitted in RSTP BPDUs when a switch is configured with priority 32768 on VLAN 10?

A. The 16-bit Bridge Priority field in the Bridge ID is split: the upper 4 bits carry the configurable priority (in units of 4096), and the lower 12 bits carry the System ID Extension — the VLAN number. For VLAN 10 with priority 32768: the transmitted Bridge ID priority is 32768 + 10 = 32778. This is why show spanning-tree shows "priority 32778 (priority 32768 sys-id-ext 10)." IOS enforces the multiple-of-4096 rule because the lower 12 bits are reserved for the VLAN number and cannot be set through the priority command B. Bridge priority is a multiple of 4096 because RSTP requires exactly 16 spanning tree instances — one per 4096 VLAN IDs. VLAN 10 uses the second instance (4096 × 2 = 8192) C. The 4096 granularity is a Cisco proprietary requirement for PVST+ — standard 802.1w allows any even number as bridge priority D. Priority must be a multiple of 4096 to ensure the bridge priority field is always non-zero — a priority of zero would cause the switch to unconditionally win every Root Bridge election, which is reserved for the default root guard behaviour

Correct answer is A. The Bridge ID is an 8-byte value consisting of a 2-byte Priority field followed by a 6-byte MAC address. In the original 802.1D specification, all 16 bits of the priority field were configurable (0–65535). IEEE 802.1t extended this for per-VLAN and per-instance STP: the 16-bit priority field was redefined as a 4-bit priority component (bits 15–12) plus a 12-bit System ID Extension (bits 11–0) carrying the VLAN number or MST instance number. The 4-bit priority component can only represent multiples of 4096 (2^12 = 4096) — IOS exposes this as configurable values 0, 4096, 8192, ... 61440. The System ID Extension (VLAN number) is automatically added to produce the full transmitted Bridge ID. This design allows switches to differentiate spanning tree instances per VLAN using the same MAC address — the VLAN number in the System ID Extension makes each VLAN's Bridge ID unique even when the base MAC and configured priority are identical. When engineers compare Bridge IDs for Root Bridge election, they must include the System ID Extension: a switch with priority 32768 on VLAN 10 has a lower effective Bridge ID than the same switch on VLAN 20 (32778 vs 32788).

4. What is the difference between BPDU Guard and Root Guard, and where should each be applied?

A. BPDU Guard and Root Guard are identical features with different names — both err-disable a port when a BPDU is received. BPDU Guard is configured on access ports; Root Guard on trunk ports B. Root Guard blocks all BPDUs from entering the switch; BPDU Guard blocks only superior BPDUs. Root Guard applies to all ports; BPDU Guard applies only to PortFast ports C. BPDU Guard protects edge ports (PortFast) from switch connections — any BPDU received err-disables the port immediately, requiring manual recovery. Applied on access ports facing end devices. Root Guard protects the topology from unauthorised Root Bridge elections — if a superior BPDU is received on a Root Guard port, the port enters root-inconsistent (stops forwarding) but self-recovers when the superior BPDUs stop. Applied on Designated ports facing access layer switches that should never become Root Bridge. Neither should be configured on the same port D. BPDU Guard prevents topology changes from propagating to access ports; Root Guard prevents the Root Bridge from sending BPDUs to switches with higher priority configurations

Correct answer is C. BPDU Guard and Root Guard address different threats at different points in the topology. BPDU Guard's purpose is simple: access ports should never receive BPDUs because end devices (PCs, phones, servers) do not send BPDUs. Any BPDU on an access port means a switch has been connected — potentially creating a loop or allowing an attacker to manipulate the STP topology. BPDU Guard responds with the harshest action (err-disabled) to ensure human review before the port is restored. Root Guard's purpose is more nuanced: it is acceptable for downstream switches to participate in STP (they must, to support VLANs), but they should never be able to claim the Root Bridge role. Root Guard allows normal BPDUs but blocks superior BPDUs — it enforces the administrator's decision about which switch should be Root. The root-inconsistent state is self-healing because it is designed for legitimate operational scenarios (e.g. a misconfigured switch is corrected and stops sending superior BPDUs, after which the port should automatically resume normal operation). The placement rule follows the principle of least privilege: BPDU Guard where no BPDUs should ever arrive; Root Guard where BPDUs are expected but Root Bridge superiority must be controlled.

5. `show spanning-tree vlan 10 detail` does not show "Rapid Transition to forwarding" on any port, despite the switch being configured with `spanning-tree mode rapid-pvst`. What is the most likely cause?

A. The switch is the Root Bridge — the Root Bridge never shows rapid transitions because it originates BPDUs rather than receiving proposals B. Rapid PVST+ requires IOS 15.0 or later — older IOS versions silently fall back to 802.1D even when rapid-pvst mode is configured C. The spanning-tree link-type point-to-point command was not entered on any port — this command is mandatory and RSTP does not auto-detect full-duplex D. A switch in the topology is running legacy 802.1D. When an RSTP switch receives a legacy 802.1D BPDU on a port, it migrates that port to 802.1D operation — proposal/agreement is disabled on the affected port and timer-based convergence is used. This 802.1D migration can spread if the legacy switch is in the path of the handshake. Confirm by checking show spanning-tree vlan [id] detail for "link type is shared" or "We are using 802.1D on [port]" and identify which adjacent switch is sending legacy BPDUs

Correct answer is D. RSTP is designed to be backward compatible with 802.1D — when an RSTP switch connects to a legacy 802.1D switch, it automatically falls back to 802.1D behaviour on that port. The detection mechanism is simple: if a received BPDU does not have the Version 2 flag set (as all 802.1w BPDUs do), the port migrates to 802.1D operation. This migration is "sticky" — the port stays in 802.1D mode even if the legacy switch is replaced, until the administrator manually resets it with clear spanning-tree detected-protocols interface [intf]. The absence of "Rapid Transition to forwarding" across all ports (not just some) suggests the issue is upstream near the Root Bridge — if a legacy switch is between the Root Bridge and this switch, all BPDUs relayed through it will appear as 802.1D. Option C is incorrect — RSTP does auto-detect full-duplex and automatically uses point-to-point link type; the explicit spanning-tree link-type point-to-point command overrides auto-detection but is not mandatory. Option A is partially true (Root Bridge ports are always Designated) but Root Bridge ports still show rapid transition confirmation when the handshake completes.

6. During the RSTP proposal/agreement handshake, the downstream switch places all its non-edge ports into Discarding before sending Agreement. Why is this sync step necessary, and what would happen without it?

B. The sync step prevents a temporary bridging loop during the transition period. Consider a chain: Root → SW2 → SW3. When SW1 proposes to SW2 and SW2 transitions to Forwarding, SW2 must ensure its downstream port to SW3 is not also forwarding simultaneously — if both SW2's Root Port (to Root) and SW2's Designated Port (to SW3) were forwarding at the same time before SW3 has completed its own sync, a transient loop could form. By placing all downstream ports into Discarding first, SW2 guarantees that no traffic can loop through it during the transition window. Once SW2's Root Port is confirmed Forwarding (after Agreement), SW2 then propagates the proposal to SW3, which repeats the sync for its downstream, cascading the safe transition down the tree A. The sync step is a timer-based safety check — the switch waits in Discarding for one Hello Time to ensure BPDUs have propagated before sending Agreement. The Discarding state serves the same role as the Listening state in 802.1D C. The sync step allows the switch to verify that its MAC address table is flushed before agreeing — it places ports in Discarding while it clears the forwarding database to prevent stale entries from causing misdelivery D. The sync step is optional — switches can send Agreement immediately without Discarding ports. The Discarding period is simply a courtesy to ensure the Proposal sender is ready before traffic begins forwarding

Correct answer is B. The synchronisation procedure is the loop-prevention mechanism that makes the proposal/agreement handshake safe to execute without timers. In 802.1D, the Listening and Learning timers existed because BPDUs needed time to propagate through the entire topology — a port could not forward until all switches had learned the correct topology. RSTP replaces this passive wait with an active guarantee: before a switch confirms that an upstream port can safely forward (by sending Agreement), it first ensures that no loop can form through its own downstream ports by temporarily blocking them. This synchronisation propagates down the tree recursively: SW2 syncs SW3, SW3 syncs SW4, and so on. At each step, the sync is nearly instantaneous (microseconds for the blocking action), so the entire chain converges in roughly (tree diameter × Hello interval) time instead of a fixed 50-second wait. The sync is what allows RSTP to make the mathematical guarantee "there are no loops" without requiring timer-based proof-by-waiting.

7. An access port configured with PortFast receives a BPDU. What happens immediately, and what is the long-term implication?

A. The port immediately loses its edge port status and begins participating in normal RSTP operation — it sends a Topology Change notification and enters the proposal/agreement process. If BPDU Guard is enabled, the port is also err-disabled simultaneously. Without BPDU Guard, the port remains operationally up but is no longer an edge port — it will go through normal RSTP convergence on subsequent link events, potentially causing the 1–2 second delay that PortFast was meant to eliminate B. The port ignores the BPDU because PortFast is configured — BPDUs on PortFast ports are filtered by default and have no effect on port state C. The port transitions to Discarding and waits for the administrator to manually re-enable PortFast — PortFast must be removed and re-applied after any BPDU is received D. The port sends a Root Guard response BPDU to the device that sent the BPDU, and if a second BPDU is received, BPDU Guard triggers err-disabled

Correct answer is A. The behaviour of a PortFast edge port upon receiving a BPDU is a critical RSTP design decision. Edge ports are defined by the absence of BPDUs — the switch assumes edge status based on configuration (spanning-tree portfast) but dynamically validates it during operation. A BPDU can only come from another switch (end devices like PCs do not send BPDUs), so receiving a BPDU definitively proves this is a switch-to-switch link, not an edge. RSTP immediately revokes edge status and the port participates in normal RSTP topology, including generating a Topology Change. This is the correct safe behaviour — it ensures that a user plugging in an unmanaged hub or switch doesn't silently create a forwarding path that bypasses STP protection. BPDU Guard builds on this foundation: it adds an immediate err-disabled action as an additional protective layer, preventing the now-non-edge port from participating in STP at all until an administrator investigates. Note that edge status is only lost for the current link-up event — if the link goes down and comes back up without a switch connected, PortFast immediately re-engages. The port "re-earns" edge status on each link-up event based on whether BPDUs are received.

8. How does Rapid PVST+ handle Topology Change notifications differently from classic 802.1D, and why does this matter for network performance?

A. Rapid PVST+ sends TC BPDUs to the Root Bridge which then broadcasts a global MAC table flush to all switches simultaneously — identical to 802.1D but faster because the BPDUs travel at 802.1w rate B. Rapid PVST+ suppresses Topology Change notifications entirely — MAC tables are never flushed during convergence, which prevents the broadcast flooding that 802.1D TC caused C. In 802.1D, only the Root Bridge could originate TC BPDUs, and the TC flag was set for Max Age (20 s) causing all switches to shorten their MAC aging timers, producing prolonged flooding. In RSTP, every switch independently generates and propagates its own TC BPDUs to all non-edge ports for only 2 × Hello Time (4 seconds). Each switch that receives a TC flushes its MAC entries for all ports except the one the TC arrived on. This localised, time-bounded approach causes less flooding and resolves faster than 802.1D's centralised timer approach. Edge ports never generate TCs — this is why PortFast must be configured on access ports to prevent host link flaps from causing unnecessary MAC flushes across the network D. RSTP uses a dedicated TC VLAN to carry Topology Change notifications — TC BPDUs travel on VLAN 1 only and switches ignore TC notifications on any other VLAN

Correct answer is C. The Topology Change mechanism in 802.1D had a significant performance impact: when any switch detected a topology change, it notified the Root Bridge via a TCN BPDU; the Root Bridge then set the TC flag in its BPDUs for Max Age + Forward Delay (35 seconds); every switch that received BPDUs with TC set reduced its MAC aging timer to Forward Delay (15 seconds), causing nearly all MAC entries to age out quickly and forcing the switch to flood unknown destinations — a significant burst of flooding traffic across the entire network for up to 35 seconds. RSTP's approach is more surgical: each switch detects its own topology change (when a non-edge port transitions to Forwarding), flushes its own MAC table for the relevant ports, and propagates TC to all other non-edge ports for just 2 × Hello Time. The receiving switches flush their MAC tables similarly. The result is localised and time-bounded MAC flushing that resolves in 4 seconds maximum instead of 35 seconds, and only affects switches in the path of the changed topology, not the entire network. The PortFast (edge port) exclusion from TC generation is critical: without it, every time a PC reboots or its NIC restarts, a TC would propagate through the entire switching domain, causing a brief period of flooding. Modern networks with thousands of edge ports would generate continuous TC storms if edge ports were not excluded.

9. A switch running Rapid PVST+ has two uplinks to the distribution layer. Both are point-to-point, full-duplex Gigabit ports. `show spanning-tree vlan 10` shows one as Root FWD and the other as Altn BLK. What determines which port becomes the Root Port?

A. The Root Port is always the port with the lowest port number — Gi0/1 is always preferred over Gi0/2 regardless of path cost or bridge information B. The Root Port is randomly assigned during the proposal/agreement handshake — whichever upstream switch sends its Agreement first wins C. The Root Port is determined by the port with the highest speed — Gigabit is always preferred over Fast Ethernet, but between two Gigabit ports the choice is arbitrary D. Root Port selection follows a four-step tie-breaking process in order: (1) lowest Root Path Cost — the cumulative cost from this port to the Root Bridge; (2) lowest Sender Bridge ID — the Bridge Priority + MAC of the upstream switch sending BPDUs; (3) lowest Sender Port ID — the port priority + port number of the upstream switch's port; (4) lowest local Port ID — used only when the same switch connects via two ports to the same upstream switch. In a two-uplink scenario, if both paths have equal cost (both Gigabit to the same distribution switch), the Sender Bridge ID breaks the tie — the uplink connected to the distribution switch with the lower Bridge ID becomes Root Port

Correct answer is D. Root Port selection is deterministic and follows the same criteria as 802.1D, applied in order until a tie is broken. Step 1 (Root Path Cost) is usually the deciding factor when uplinks have different speeds — a Gigabit uplink has lower cost than a Fast Ethernet uplink, making it preferred. Step 2 (Sender Bridge ID) becomes the tie-breaker when two uplinks have identical path costs, which is common in symmetric designs where both uplinks connect to different distribution switches at the same speed. The distribution switch with the lower Bridge Priority (or lower MAC if priorities are equal) provides superior BPDUs, making its connected downlink the Root Port. Step 3 (Sender Port ID) is used when two uplinks connect to the same upstream switch on different ports — the upstream switch's port with lower priority (configurable with spanning-tree vlan [id] port-priority [value]) is preferred. Step 4 (local Port ID) is used in the rare case where one switch has two physical links to the exact same upstream switch port (via a hub), which is uncommon in modern networks. Understanding this tie-breaking sequence is essential for designing predictable STP topologies and for diagnosing why an unexpected port became the Root Port.

10. A network engineer wants to implement per-VLAN load balancing using Rapid PVST+. VLAN 10 traffic should use SW1 as Root (and flow via the SW1-SW2 trunk), while VLAN 20 traffic should use SW2 as Root (and flow via the SW2-SW3 trunk). What is the correct configuration, and how does it achieve load balancing?

A. Configure VLAN 10 and VLAN 20 with the same priority on both switches — STP automatically load balances per-VLAN when priorities are equal by using the MAC address as a tie-breaker, alternating Root Bridge roles B. Load balancing requires MSTP (Multiple Spanning Tree) — Rapid PVST+ runs a single instance for all VLANs and cannot differentiate paths per VLAN C. Configure SW1 with lower priority for VLAN 10 (e.g. 4096) and higher priority for VLAN 20 (e.g. 8192). Configure SW2 with higher priority for VLAN 10 (e.g. 8192) and lower priority for VLAN 20 (e.g. 4096). SW1 becomes Root for VLAN 10 — its ports are all Designated Forwarding, meaning the SW1-SW2 trunk carries VLAN 10 traffic. SW2 becomes Root for VLAN 20 — the SW2-SW3 trunk carries VLAN 20 traffic. The redundant links carry different VLAN traffic simultaneously rather than one being blocked for all VLANs D. Configure port priority on the trunk ports — set lower port priority on the SW1-SW2 trunk for VLAN 10 and lower port priority on the SW2-SW3 trunk for VLAN 20. Root Bridge location does not affect load balancing

Correct answer is C. Rapid PVST+ (like its predecessor PVST+) runs a completely independent spanning tree instance per VLAN — each VLAN has its own Root Bridge election, its own port roles, and its own forwarding topology. This independence is what enables per-VLAN load balancing. By configuring different Bridge Priorities per VLAN, the network administrator can designate different Root Bridges for different VLANs, causing each VLAN's traffic to flow over a different physical path. In the example: VLAN 10 has SW1 as Root (priority 4096) — all ports on SW1 become Designated for VLAN 10, so VLAN 10 traffic from SW3 flows up to SW1 (the Root) and from SW1 down to SW2 via the SW1-SW2 trunk. VLAN 20 has SW2 as Root (priority 4096) — VLAN 20 traffic from SW3 flows up to SW2 directly via the SW2-SW3 trunk. The physical trunks carry both VLANs but the STP-active path for each VLAN is different — one trunk is forwarding VLAN 10 as active path while VLAN 20 uses it as a blocked redundant path, and vice versa on the other trunk. Both physical trunks are utilised simultaneously for different VLAN traffic, achieving genuine load balancing without any additional protocols. This is the fundamental design advantage of Rapid PVST+ over a single-instance STP like MST's CIST or legacy 802.1D.

Back to Home