Spanning Tree

Root-Guard

Overview:

  • Root Guard prevents an unauthorized or misconfigured switch from becoming the Root Bridge in an STP domain
  • Its job is to stop a port from accepting superior BPDUs (BPDUs advertising a better, i.e. lower, Bridge ID than the current root), which would otherwise cause the local switch to re-elect the root and turn that port into a root port
  • Root Guard ensures that the designated Root Bridge stays in control of the topology, so no other switch on the network can accidentally or maliciously claim to be the Root Bridge

How it Works:

  • When Root Guard is enabled on a switch port, any superior BPDU (Bridge Protocol Data Unit) received on that port is discarded instead of being processed by the STP algorithm
  • If a downstream switch attempts to take over (i.e., it sends a BPDU whose Bridge ID is better than the current root's), Root Guard places the port in the "root-inconsistent" state: the port stops forwarding traffic, a syslog message is logged, and the rest of the topology is unaffected
  • As soon as superior BPDUs are no longer received on a root-inconsistent port (the last one received ages out), the port automatically transitions back through the normal STP states to forwarding; no manual shutdown/no shutdown or errdisable recovery is needed
  • Root Guard is enabled per port in interface configuration mode and only makes sense on designated ports, i.e. ports that should never become root ports

When to use

  • Root Guard is ideal for designated ports that must never become root ports: the downstream-facing ports on distribution or core switches (as in the lab below), and any port towards a switch or administrative domain you do not control. Pure end-device access ports, which should never receive a BPDU at all, are better protected with BPDU Guard

Lab Topology

Scenario:

  • A network engineer replaced the AccessSW1 device with a spare switch but forgot to adjust the switch's STP priority value before plugging it into the network
  • Turns out this spare switch has its priority set to 0, the lowest and therefore best possible value, so in a normal election it would win and become the Root Switch
  • However, both distribution switches have Root Guard enabled on the interfaces facing downstream towards the spare switch, so the superior BPDUs are discarded at the distribution layer and the core switch never sees them

Added Notes: 

  • If Root Guard is triggered, the root-inconsistent ports blackhole every downstream device and client behind them for as long as the superior BPDUs keep arriving. When the offending switch's only uplinks are the guarded ports, as in this lab, all of its clients lose connectivity; that is the intended trade-off, since the alternative is a re-converged topology with an unplanned root

Root Guard Configuration

Enabling Root Guard on interface Gi2/0 on DistroSW1 and interface G0/1 on DistroSW2.

To simulate Root Guard taking action, I've adjusted the STP priority value of the Access switch to become the preferred Root Bridge sending out superior BPDUs upstream.

Root Guard taking action by placing interface Gi2/0 on the HQ-Distro-SW1 in a root inconsistent state after receiving superior BPDUs from the access switch downstream.

The access switch is blackholed from the rest of the network but still believes it is the Root Bridge and keeps sending superior BPDUs; the distribution ports only recover once those BPDUs stop, e.g. after its priority is corrected.
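The configuration and verification for the "How it Works" and "Root Guard Configuration" sections above, written out as an added example rather than the lab's own config. Hostnames, VLAN 1, the full interface names behind "Gi2/0" and "G0/1", and the distribution priorities (4096/8192) are assumptions; the syslog lines and show output are representative of what IOS prints, abridged to the relevant rows.

```cisco
! ===== DistroSW1 (intended Root Bridge) =====
! Assumed: Rapid PVST+, VLAN 1, priority 4096 so DistroSW1 wins a normal election
spanning-tree mode rapid-pvst
spanning-tree vlan 1 priority 4096
!
interface GigabitEthernet2/0
 description downlink to AccessSW1
 switchport mode trunk
 ! Root Guard: superior BPDUs are discarded and the port goes root-inconsistent
 ! instead of becoming a root port towards the access layer
 spanning-tree guard root
!
! ===== DistroSW2 (backup Root Bridge) =====
spanning-tree mode rapid-pvst
spanning-tree vlan 1 priority 8192
!
interface GigabitEthernet0/1
 description downlink to AccessSW1
 switchport mode trunk
 spanning-tree guard root
!
! ===== Spare AccessSW1 (the misconfigured switch) =====
! Priority 0 is the best possible Bridge ID; without Root Guard upstream this
! switch would win the election for VLAN 1 as soon as it is plugged in
spanning-tree mode rapid-pvst
spanning-tree vlan 1 priority 0
!
! ===== What DistroSW1 shows once AccessSW1 is connected =====
! Syslog emitted on the first superior BPDU:
!   %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet2/0 on VLAN0001.
!
! DistroSW1# show spanning-tree inconsistentports
! Name                 Interface                Inconsistency
! -------------------- ------------------------ ------------------
! VLAN0001             GigabitEthernet2/0       Root Inconsistent
!
! Number of inconsistent ports (segments) in the system : 1
!
! DistroSW1# show spanning-tree interface GigabitEthernet2/0 detail
!   (look for the line "Root guard is enabled on the port")
!
! ===== Remediation on AccessSW1 =====
! Put the priority back to the default; the superior BPDUs stop, the received
! BPDU ages out and the guarded ports return to forwarding on their own:
!   %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet2/0 on VLAN0001.
spanning-tree vlan 1 priority 32768
```

Both distribution switches need the guard, because the access switch is dual-homed: protecting only Gi2/0 on DistroSW1 would let the priority-0 BPDUs reach DistroSW2 over G0/1 and re-elect the root from there. Note also that Root Guard is applied on the designated side, on the distribution switches, not on the access switch; the access switch's own ports are where BPDU Guard belongs if they face end hosts.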