Day21 STP Root Guard

1. Root Guard is an STP toolkit feature that protects the root bridge election by preventing a port from becoming a root port when it receives superior BPDUs.

2. Root Guard is typically used when connecting your switches to switches outside your direct control, such as when a service provider connects to customer networks.

3. When a Root Guard-enabled port receives a superior BPDU, it enters a "broken" and "root inconsistent" state, effectively blocking all traffic on that port.

4. Unlike BPDU Guard, Root Guard automatically recovers once the port stops receiving superior BPDUs (after the Max Age timer expires, approximately 20 seconds).

5. Root bridge selection should not be random—it should consider optimal traffic flow (minimizing latency and congestion) and switch stability/reliability.

Commands

spanning-tree guard root ← Enable Root Guard (interface config mode)

show spanning-tree ← Verify Root Guard status (look for BKN/ROOT_Inc)

Key Numbers

1. Root Guard vs. BPDU Guard Recovery

   • Root Guard: Automatic recovery when superior BPDUs stop

   • BPDU Guard: Requires manual intervention or ErrDisable Recovery

2. Configuration Mode Confusion

   • Root Guard: Interface config mode ONLY

   • PortFast/BPDU Guard/BPDU Filter: Can be enabled globally

3. Where to Configure Root Guard

   • Configure on ports facing external/untrusted switches

   • DON'T configure on customer ports connecting TO a provider (defeats the purpose)

4. Priority of 0 Doesn't Guarantee Root

   • Even with priority 0, a switch with a lower MAC address can become root

   • This is WHY Root Guard exists

5. Port State Terminology

   • "BKN" = Broken (blocked)

   • "ROOT_Inc" = Root Inconsistent

   • Don't confuse with err-disabled state

Scenario: Service Provider Network

[Service Provider LAN] [Customer LAN]

SW1 (Root) ─── SW2 ─────────── SW4 ─── SW6

│ │

SW3 ─────────── SW5 ─────┘

Problem: Customer's SW6 has lower MAC → Could become root

Solution: Enable Root Guard on SW2 & SW3 ports facing customer

SW2(config)# interface g0/2

SW2(config-if)# spanning-tree guard root

SW3(config)# interface g0/2

SW3(config-if)# spanning-tree guard root

What Happens:

1. SW4/SW5 send BPDUs claiming SW6 is root (superior BPDUs)

2. SW2/SW3 G0/2 ports enter "broken/root inconsistent" state

3. Traffic blocked until customer increases SW6's priority

4. After ~20 seconds of no superior BPDUs → automatic recovery

An STP feature that prevents a port from becoming a root port by placing it in a "broken/root inconsistent" state if it receives superior BPDUs.

spanning-tree guard root (in interface configuration mode)

No. Unlike PortFast and BPDU Guard, Root Guard can ONLY be configured in interface configuration mode.

"Broken" and "Root Inconsistent" state (shown as BKN and ROOT_Inc in show commands)

Automatically—once the port stops receiving superior BPDUs (after Max Age timer expires, ~20 seconds)

A BPDU with better/lower parameters in the STP algorithm, such as a lower root bridge ID.

20 seconds

: Root Guard recovers automatically when superior BPDUs stop. BPDU Guard requires manual intervention or ErrDisable Recovery configuration.

On ports connecting to switches outside your direct control (e.g., service provider ports facing customer switches)

Because another switch with priority 0 but a LOWER MAC address would have a better (lower) bridge ID and become root.

1) Optimal traffic flow (minimize latency and congestion) 2) Stability and reliability of the switch

The VLAN ID (e.g., priority 0 + VLAN 1 = priority 1)

show spanning-tree (look for BKN status and ROOT_Inc notation)

No—this would block the links and prevent communication over the provider's network.

All traffic is cut off—the port cannot forward frames and discards any frames it receives.