The Four Port Roles
In a spanning tree, every port on every switch has one of four roles:
- Root Port (RP): The single port on non-root switches with the best (lowest cost) path back to the root bridge
- Designated Port (DP): The port on each network segment closest to the root (lowest cost to root among ports on that segment)
- Alternate Port (AP): A port that could become root port if the current root port fails; currently blocked
- Backup Port (BP): A port on the same segment as the designated port; blocked (rare in modern topologies)
(The terms "blocked" and "alternate" are often used interchangeably; the distinction matters mostly in Rapid STP.)
Root Port Selection
The root port is the single best path from a switch back to the root bridge. Selection criteria (in order):
- Lowest root path cost (sum of link costs from this switch to the root)
- Lowest upstream bridge ID (tie-breaker: which neighbor advertises the lower BID?)
- Lowest upstream port ID (tie-breaker: which port on that neighbor?)
- Lowest local port ID (tie-breaker: which of this switch's ports is lowest-numbered?)
Example: Selecting Root Port
Lab topology:
[SW1] ← Root (BID: 4096.aabb.cc00.1100)
|
├─ Link A (1 Gbps): to SW2 port Eth0/0
│
├─ Link B (1 Gbps): to SW2 port Eth0/1 (direct, parallel link)
│
└─ Link C (100 Mbps): to SW2 port Eth1/0
SW2 has three ports facing SW1. All advertise the same root (SW1) and root path cost from SW1 = 0:
Eth0/0 receives BPDU: Root cost 0, sender port ID 128.1 (priority 128, port 1)
Eth0/1 receives BPDU: Root cost 0, sender port ID 128.2
Eth1/0 receives BPDU: Root cost 0, sender port ID 128.3
All three paths have equal root path cost (0 + local cost). Tie-breaking:
- All come from the same upstream BID (SW1's), so upstream BID is tied
- Compare upstream port IDs: 128.1 < 128.2 < 128.3 → Eth0/0 wins
SW2# show spanning-tree vlan 1
VLAN0001
Bridge ID Priority 32768
Address aabb.cc00.2200
Root ID Priority 4096
Address aabb.cc00.1100
Root port is Ethernet0/0, cost 4, port priority 128
Real-World Scenario: Two Root Paths
          [SW1] ← Root (BID: 4096.aabb.cc00.1100)
          /   \
         /     \
    Link A     Link B   (1 Gbps each)
       /         \
    [SW2]       [SW3]   (intermediate switches)
       \         /
    Link C     Link D   (1 Gbps)
         \     /
          [SW4]
SW4 sees BPDUs from both directions:
Via SW2 (Link C):
Root cost = 0 (from SW1 to SW2) + 4 (SW2 to SW4) = 4
Upstream bridge: SW2 (32768.aabb.cc00.2200)
Upstream port: 128.x
Via SW3 (Link D):
Root cost = 0 (from SW1 to SW3) + 4 (SW3 to SW4) = 4
Upstream bridge: SW3 (32768.aabb.cc00.3300)
Upstream port: 128.y
Root path costs are equal. Tie-breaker: lowest upstream bridge ID:
SW2 BID: 32768.aabb.cc00.2200
SW3 BID: 32768.aabb.cc00.3300
SW2 < SW3 (lower MAC), so SW4 selects the port facing SW2 as root port
SW4# show spanning-tree vlan 1
Root port is Ethernet0/2, cost 4, port priority 128
Designated Port Selection
A designated port is the forwarding port on a segment (link) closest to the root. Only one port per segment can be designated.
Selection criteria (in order):
- Lowest root path cost among all ports on that segment
- Lowest bridge ID of the switch behind that port (if root path costs tie)
- Lowest port ID on that switch (if bridge IDs tie)
Example: Designated Port on a Link
Link between SW2 and SW4 in the earlier topology:
SW2 port Eth0/2: Root path cost = 4 (direct to root + 0 from SW1)
SW4 port Eth0/2: Root path cost = 4 (via SW2) + 4 (SW2-SW4) = 8
SW2's port has lower root path cost (4 < 8), so SW2's port is designated. It forwards. SW4's port on this link is not the root port (SW4's root port is via SW3), so this port is either alternate or backup.
Parallel Links (EtherChannel Consideration)
When two switches are connected by multiple parallel links (not yet bundled into an EtherChannel), all but one port on each switch will be blocked:
[SW1] ─────────── [SW2]
  |     Link A      |
  └──── Link B ─────┘
If both links are 1 Gbps:
- Link A: SW1 port Eth0/0, SW2 port Eth0/0
- Link B: SW1 port Eth0/1, SW2 port Eth0/1
Assuming SW1 is root:
Link A:
SW1 Eth0/0: Root cost 0 (root itself), port ID 128.1 → Designated
SW2 Eth0/0: Root cost 4, sees upstream port ID 128.1 → Blocking
Link B:
SW1 Eth0/1: Root cost 0, port ID 128.2 → Designated
SW2 Eth0/1: Root cost 4, port ID 128.2 → Blocking
Wait—both of SW2's ports have the same cost (4) to root, same upstream bridge (SW1), but different upstream port IDs (128.1 vs 128.2). The port that receives the BPDU from the lower upstream port ID (128.1) becomes the root port:
SW2# show spanning-tree vlan 1 brief
Eth0/0: Root FWD (receives upstream port ID 128.1)
Eth0/1: Altn BLK (receives upstream port ID 128.2)
This is why Cisco recommends bundling parallel links into EtherChannel. Without it, you're wasting bandwidth.
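The root port tie-breakers and the designated/alternate decision reduce to ordered tuple comparisons. The sketch below is an added example, not code from the original article; it runs them for the parallel-link case above and for SW4 in the two-root-path topology. SW4's bridge ID, the port name Eth0/3, the silent 100 Mbps port, and the concrete numbers standing in for upstream port IDs 128.x and 128.y are assumptions.

```python
from typing import NamedTuple, Optional
class Bpdu(NamedTuple):          # field order = STP comparison order
    root_bid: tuple              # (priority, mac) of the advertised root
    cost: int                    # sender's own root path cost
    sender_bid: tuple            # (priority, mac) of the upstream bridge
    sender_port: tuple           # (priority, number) of the upstream port

class Port(NamedTuple):
    port_id: tuple               # (priority, number) of the local port
    link_cost: int               # 4 for 1 Gbps, 19 for 100 Mbps, as in the article
    rx: Optional[Bpdu]           # best BPDU heard on the segment, None if silent

def assign_roles(my_bid, ports):
    # Root port candidates: ports that hear a root better than this switch.
    heard = {n: p for n, p in ports.items() if p.rx and p.rx.root_bid < my_bid}
    if not heard:                # nobody better: this switch is the root
        return {n: "Desg" for n in ports}
    def key(n):                  # lowest tuple wins, tie-breakers in order
        p = heard[n]
        return (p.rx.root_bid, p.rx.cost + p.link_cost,
                p.rx.sender_bid, p.rx.sender_port, p.port_id)
    root = min(heard, key=key)
    root_bid, my_cost = key(root)[:2]
    roles = {}
    for name, p in ports.items():
        mine = (root_bid, my_cost, my_bid, p.port_id)  # what we would send here
        if name == root:
            roles[name] = "Root"
        elif p.rx is None or mine < p.rx:
            roles[name] = "Desg"
        elif p.rx.sender_bid == my_bid:
            roles[name] = "Bkup"  # our own better port is on this segment
        else:
            roles[name] = "Altn"
    return roles

# Constructed inputs. BIDs for SW1-SW3 are the article's; SW4's is assumed.
SW1, SW2 = (4096, "aabb.cc00.1100"), (32768, "aabb.cc00.2200")
SW3, SW4 = (32768, "aabb.cc00.3300"), (32768, "aabb.cc00.4400")

def parallel_links():            # SW2: two uplinks to root SW1, one silent port
    return assign_roles(SW2, {
        "Eth0/0": Port((128, 1), 4, Bpdu(SW1, 0, SW1, (128, 1))),
        "Eth0/1": Port((128, 2), 4, Bpdu(SW1, 0, SW1, (128, 2))),
        "Eth0/3": Port((128, 4), 19, None)})

def two_root_paths():            # SW4; Eth0/3 and upstream port numbers assumed
    return assign_roles(SW4, {
        "Eth0/2": Port((128, 3), 4, Bpdu(SW1, 4, SW2, (128, 1))),
        "Eth0/3": Port((128, 4), 4, Bpdu(SW1, 4, SW3, (128, 1)))})
```

Both neighbours in `two_root_paths()` advertise the same cost, so the value chosen does not affect which tie-breaker decides the result.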
Alternate and Backup Ports
Alternate Port
An alternate port is a blocked port that has a better path to the root than the designated port on its segment. It's essentially a "secondary root port candidate."
[SW1] ─── [SW2] ─── [SW3]
     Link A    Link B
If Link A fails and SW3 needs to reach root through SW2, Link B's blocked status prevents a loop at that moment. But if Link B's designated port (on SW2) fails, Link B's port on SW3 transitions from alternate to root port, and traffic reroutes.
Backup Port
A backup port is less common—it's a blocked port on the same segment as the designated port, but behind a different switch interface. In point-to-point links (most modern networks), backup ports don't occur. They appear mainly in shared-media segments or misconfigured parallel links.
Understanding Port Roles in Practice
Show Command Output
SW2# show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4096
Address aabb.cc00.1100
Cost 4
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768
Address aabb.cc00.2200
Port role counts Spanning tree 4
Root 1
Desg 2
Alt 1
Bkup 0
Interface  Role  Sts  Cost  Priority  Forward
Name                                  Type
─────────────────────────────────────────────────
Eth0/0     Root  FWD  4     128.1     P2p
Eth0/1     Desg  FWD  4     128.2     P2p
Eth0/2     Alt   BLK  4     128.3     P2p
Eth0/3     Desg  FWD  19    128.4     P2p
Breakdown:
- Eth0/0: Root port (single best path to root), forwarding, cost 4
- Eth0/1, Eth0/3: Designated ports (best ports on their segments toward root), forwarding
- Eth0/2: Alternate port (blocked, can become root port if Eth0/0 fails)
The "Port role counts" summary shows 1 root, 2 designated, 1 alternate, 0 backup.
Manual Inspection of a Segment
To verify port roles on a specific segment:
SW2# show spanning-tree vlan 1 interface ethernet 0/1 detail
Port 1 (Ethernet 0/0)
Port identifier Eth0/0 128.1
Designated root/priority 4096 / 4096.aabb.cc00.1100
Designated cost/bridge ID 0 / 32768.aabb.cc00.1100
Designated port/priority 128.1 / 128.0
Timers: message age 0, forward delay 0
BPDU: sent 6, received 1234
Port 2 (Ethernet 0/1)
Port identifier Eth0/1 128.2
Designated root/priority 4096 / 4096.aabb.cc00.1100
Designated cost/bridge ID 4 / 32768.aabb.cc00.2200
Designated port/priority 128.2 / 128.0
Timers: message age 0, forward delay 0
BPDU: sent 1267, received 0
On Eth0/0: "Designated bridge ID" matches this switch's BID (32768.aabb.cc00.2200), but at the bottom it shows "Designated cost/bridge ID" = 0, meaning the designated port is on the root. This is correct for a root port.
On Eth0/1: "Designated bridge ID" = 32768.aabb.cc00.2200 (this switch), meaning this port is designated on its segment (it's the closest to root on that link).
How Port Roles Change During Convergence
When a link fails:
- The switch detects BPDU timeout
- All port roles are recalculated based on new topology
- Alternate ports may become new root ports
- Designated ports on new paths are activated
- State transitions happen (blocking → listening → learning → forwarding)
Example:
Before Link A failure:
[SW1] ─ Eth0/0(D) ─ Eth0/0(R) [SW2]
└ Eth0/1(D) ─ Eth0/1(A) ─ Eth0/2(A) [SW3]
After Link A fails:
SW2 Eth0/0 stops receiving BPDUs
SW2 detects root unreachable
SW2 selects Eth0/2 (currently blocked alternative path) as new root port
Eth0/2 transitions: Blocking → Listening → Learning → Forwarding
Traffic now flows: SW2 → SW3 → SW1
Rapid STP (RSTP) accelerates these transitions from 30-50 seconds to 2-6 seconds using proposals and agreements.
Troubleshooting Port Roles
Problem: Wrong Root Port Selected
If a switch has chosen a suboptimal root port:
SW2# show spanning-tree vlan 1 root
Root Hello Max Fwd
Vlan Root ID Cost Age Dly Root Por
──────────────────────────────────────────────────────────────────
VLAN0001 4096 aabb.cc00.1100 8 2 15 Eth0/1
Root cost is 8 (higher than expected for a 1 Gbps direct link, which should be 4). Check if:
- The link is actually 100 Mbps (cost 19)
- The port cost was manually set to an unexpected value
Problem: Unexpected Blocked Port
If a port that should be designated is instead blocked, verify:
- Other switches on the same segment have lower root path cost
- Bridge IDs are as expected
- Port priorities aren't manually overridden
What's Next
Read Article 4: STP Port States—Blocking, Listening, Learning, Forwarding, and Disabled to understand the five state transitions a port goes through and why the 50-second convergence time matters.