CCNA-Notes/21. Root Guard (STP Toolkit).md
2026-05-28 18:07:53 +02:00

Root Guard (STP Toolkit)

STP prevents loops by electing a root bridge and ensuring that each other switch has only one valid path to reach it.

You shouldn't select the root bridge at random. Things to consider include:

  • Optimal traffic flow
    • minimize latency
    • minimize congestion
  • Stability and reliability

The Problem

Within your own LAN, you can easily control the root bridge by setting its priority to 0.

  • But there are cases where you might connect your LAN to other switches outside of your direct control:
    • A service provider offering Metro Ethernet service to customers
      • Often used to connect sites within a MAN
  • Even if you set your root bridge's priority to 0, its role can be taken by another switch that also has priority 0 and a lower MAC address.

The Solution

  • Root Guard can be configured to protect your STP topology by preventing your switches from accepting superior BPDUs from switches outside of your control.
    • Superior BPDU = a BPDU that is superior in the STP algorithm (e.g. claiming a better root bridge ID). If you want to ensure that the root bridge remains in your LAN, configure Root Guard on the ports connected to switches outside of your control.

To enable Root Guard on a port:

SW1(config-if)# spanning-tree guard root

There is no command to enable it by default from global config mode.

If a Root Guard-enabled port receives a superior BPDU, it enters the Broken (Root inconsistent) state, which effectively disables it.

  • The port will not be able to forward data frames and will discard any frames it receives.

To re-enable a port disabled by Root Guard, you must solve the issue that disabled the port:

  • The disabled port must stop receiving superior BPDUs.
  • Tell the customer to increase the priority value of their switch.

Once the received superior BPDUs age out, the port will automatically be re-enabled.

  • A BPDU's Max Age is 20 seconds by default.
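
The block-and-recover behaviour described above, modelled in Python as an added example (not part of the original notes and not Cisco's implementation). It assumes "superior" means only a lower root bridge ID (priority first, then MAC) and that the port recovers Max Age seconds after the last superior BPDU; the `RootGuardPort` class and the MAC addresses are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_AGE = 20  # seconds; default BPDU Max Age given in the notes


def bridge_id(priority: int, mac: str) -> tuple[int, int]:
    """Bridge ID as a comparable tuple: priority first, then MAC. Lower wins."""
    return (priority, int(mac.replace(":", ""), 16))


@dataclass
class RootGuardPort:
    """Hypothetical model of one Root Guard-enabled port."""
    name: str
    current_root: tuple[int, int]        # root bridge ID this switch accepts
    state: str = "FWD"
    last_superior: float | None = None   # arrival time of last superior BPDU

    def receive_bpdu(self, claimed_root: tuple[int, int], now: float) -> str:
        # Superior = claims a better (lower) root bridge ID than the current root.
        if claimed_root < self.current_root:
            self.state = "BKN (ROOT_Inc)"
            self.last_superior = now
        return self.state

    def tick(self, now: float) -> str:
        # Automatic recovery once the last superior BPDU has aged out.
        if self.last_superior is not None and now - self.last_superior >= MAX_AGE:
            self.state, self.last_superior = "FWD", None
        return self.state


def demo() -> list[str]:
    ours = bridge_id(0, "00:1b:54:aa:aa:aa")      # constructed: our root, priority 0
    customer_mac = "00:0c:29:11:11:11"            # constructed: lower MAC than ours
    port = RootGuardPort("Gi0/1", current_root=ours)
    return [
        port.receive_bpdu(bridge_id(32768, customer_mac), now=0),  # inferior BPDU
        port.receive_bpdu(bridge_id(0, customer_mac), now=5),      # superior BPDU
        port.tick(now=15),   # 10 s since the superior BPDU: still blocked
        port.tick(now=25),   # 20 s since the superior BPDU: aged out
    ]


if __name__ == "__main__":
    print(demo())
```

The second BPDU shows the case from "The Problem": both switches use priority 0, so the lower MAC address makes the customer's claim superior and the port is blocked until that claim stops arriving.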

To check the Root Guard state of a port:

SW1(config-if)# do show spanning-tree

## if it's broken
Gi0/1  Desg BKN*4       128.3   P2p  *ROOT_Inc

BKN = Broken
ROOT_Inc = Root inconsistent

## if it's working
Gi0/1  Desg FWD 4       128.3   P2p  

Review

Root Guard prevents a port from becoming a Root Port by disabling it if superior BPDUs are received, thereby enforcing the current Root Bridge.