Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


What is best recommended for STP?

1. Ra#(config)spanning-tree vlan 5 root primary

(It will cause priority 8212)

Any switch with low priority can take over root switch status.

root guard needs to be configured to prevent it.

2. Ra#(config)spanning-tree vlan 5 priority 0

More capability when setting the priority for switch. You can even put the priority 0. But any rogue switch with priority 0 and lower mac address can take root switch status again.

So anyway root guard should be configured.

As i understood,

In normal situation all switches has priority 32678. So you can control both with root and primary command. In case of security you must put root guard option of stp, to prevent an malicious attack. Because switch with priority below the 32678 means- misconfiguration or stp attack!



Cisco Employee



I agree with you on this and there is a difference when you use the above two commands.

Here are my observations:

1. Ra#(config)spanning-tree vlan 5 root primary, This command will set the bridge ID to 24576 by default with Extended Sytem ID enabled and will lower down the vlaue by 4096 when ever the root switches sees any switch with ID 24576 or lower than that. With Extended SysID disabled, it sets the vlaue to 8192 and the switch sets the bridge priority for the specified VLANs to 1 less than the lowest bridge priority.

2. With Command, Ra#(config)spanning-tree vlan 5 priority 0, you are manually setting the root bridge ID to 0. This will make sure that your switch will always be the root bridge for a particular Vlan as fas as the priority for that vlan is greater than 0. If you have two switches with the same command configured for a particular vlan, then the switch checks the lower mac-address of either of the switches. The switch with lower mac-address will become the root bridge as the priority are same.

In any case, you have to enable rootguard on the switches in your STP domain.

HTH,Please rate if it does.

-amit singh