---
id: 1779981231-AJMV
aliases:
  - Root Guard (STP Toolkit)
tags: []
---

# Root Guard (STP Toolkit)

STP prevents loops by electing a root bridge and ensuring that each other switch has only *one valid path* to reach it. You shouldn't randomly select the root bridge. Some things you should consider include:

- Optimal traffic flow
    - minimize latency
    - minimize congestion
- Stability and reliability

## The Problem

Within your own [[LAN]], you can easily control the root bridge by setting its priority to 0.

- But there are cases where you might connect your LAN to other switches outside of your direct control:
    - A service provider offering Metro Ethernet service to customers
        - Often used to connect sites within a [[MAN]]
- Even if you set your root bridge's priority to 0, its role can be taken by another switch with a lower [[MAC address]].

## The solution

- *Root Guard* can be configured to protect your [[STP]] topology by preventing your switches from accepting superior [[BPDU]]s from switches outside of your control.
    - Superior BPDU = a BPDU that is superior in the STP algorithm (e.g. claiming a better root bridge ID).

If you want to ensure that the root bridge remains in your [[LAN]], you can configure Root Guard on the ports connected to switches outside of your control.

To enable Root Guard on a port:

```Cisco
SW1(config-if)# spanning-tree guard root
```

There is no command to enable it by default from global config mode.

If a Root Guard-enabled port receives a superior BPDU, it will enter the *Broken* (Root inconsistent) state, effectively disabling it.

- The port will not be able to forward data frames and will discard any frames it receives.

To re-enable a port disabled by Root Guard, you must solve the issue that disabled the port:

- The disabled port must stop receiving superior BPDUs.
    - Tell the customer to increase the priority value of their switch.
- Once the superior BPDUs received age out, the port will automatically be re-enabled.
    - A BPDU's Max Age is 20 seconds by default.

To see the Root Guard state of a port:

```Cisco
SW1(config-if)# do show spanning-tree
## if it's broken
Gi0/1               Desg BKN*4         128.3    P2p *ROOT_Inc
## BKN = Broken, ROOT_Inc = Root inconsistent
## if it's working
Gi0/1               Desg FWD 4         128.3    P2p
```

## Review

Prevents a port from becoming a Root Port by disabling it if superior BPDUs are received, thereby enforcing the current [[Root Bridge]].
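Added example, not part of this note: a small Python parser for the interface table of `show spanning-tree` output that flags ports Root Guard has placed in the Broken (Root inconsistent) state, so the condition can be caught by a monitoring script rather than by eye. The sample output is constructed for this example; its column layout follows the IOS format shown above, where the `*` marking an inconsistent port runs straight into the cost (`BKN*4`).

```python
"""Detect ports that Root Guard has put into the Broken (Root inconsistent) state.

Added example, not part of the original note: a parser for the interface table
of Cisco IOS `show spanning-tree` output. SAMPLE_OUTPUT below is constructed for
this example; its column layout follows the IOS format shown in the note.
"""
import re

# Constructed sample: a bridge that is root for VLAN 1, with one port that
# Root Guard has blocked after receiving a superior BPDU (Gi0/1) and two
# healthy forwarding ports.
SAMPLE_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0c11.2233.4455
             This bridge is the root
  Bridge ID  Priority    1      (priority 0 sys-id-ext 1)
             Address     0c11.2233.4455

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg BKN*4         128.3    P2p *ROOT_Inc
Gi0/2               Desg FWD 4         128.4    P2p
Gi0/3               Desg FWD 4         128.5    P2p Edge
"""

# One row of the interface table. IOS prints a trailing "*" on the Sts column
# for an inconsistent port and runs it straight into the cost ("BKN*4"), so
# the whitespace between status and cost is optional.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+"
    r"(?P<role>Desg|Root|Altn|Back|Mstr)\s+"
    r"(?P<sts>BKN|FWD|BLK|LRN|LIS|LBK)(?P<flag>\*)?\s*"
    r"(?P<cost>\d+)\s+"
    r"(?P<prio_nbr>\d+\.\d+)\s+"
    r"(?P<type>.*?)\s*$"
)


def parse_interfaces(output: str) -> list[dict]:
    """Return one dict per interface row; header, separator and Root/Bridge ID
    lines do not match the row pattern and are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["cost"] = int(row["cost"])
        row["inconsistent"] = row["flag"] == "*"
        # The reason is printed in the Type column, "*ROOT_Inc" for Root Guard.
        row["root_inconsistent"] = "*ROOT_Inc" in row["type"]
        rows.append(row)
    return rows


def root_guard_blocked_ports(output: str) -> list[str]:
    """Interfaces Root Guard has disabled: status BKN together with the ROOT_Inc marker."""
    return [
        r["intf"]
        for r in parse_interfaces(output)
        if r["sts"] == "BKN" and r["root_inconsistent"]
    ]


if __name__ == "__main__":
    blocked = root_guard_blocked_ports(SAMPLE_OUTPUT)
    for intf in blocked:
        # An operator now has to find the neighbour still sending superior BPDUs;
        # the port recovers by itself once they age out (Max Age, 20 s by default).
        print(f"{intf}: blocked by Root Guard (root inconsistent), superior BPDUs still arriving")
    if not blocked:
        print("no ports in the root-inconsistent state")
```

In practice the text fed to `parse_interfaces` would come from the switch (a collected `show spanning-tree` capture or a configuration-management tool's output); the parser deliberately keys on both the `BKN` status and the `*ROOT_Inc` marker so that ports blocked by other STP features are not mistaken for Root Guard events.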