spanning-tree guard root
Enables root guard on a switch port to prevent it from becoming a root port in the Spanning Tree Protocol, protecting against rogue switches that might try to become the root bridge.
When to Use This Command
- Prevent an unauthorized switch connected to an access port from becoming the root bridge.
- Protect the STP topology on a port connected to a switch in a different administrative domain.
- Ensure that a designated port remains designated and does not transition to root port due to inferior BPDUs.
- Use on ports connecting to end-user devices that should never participate in STP root election.
Command Examples
Enable root guard on an interface
interface GigabitEthernet0/1
spanning-tree guard root

Switch(config-if)# spanning-tree guard root
Switch(config-if)#
The command is entered without any output confirmation. Root guard is enabled on the interface. If the interface receives a superior BPDU (indicating a potential root bridge), the port will be placed into a root-inconsistent state (blocking) to protect the current root.
Verify root guard configuration
show spanning-tree interface GigabitEthernet0/1 detail

GigabitEthernet0/1 is up, line protocol is up
Port 1 (GigabitEthernet0/1) of VLAN 1 is designated forwarding
Port path cost 4, Port priority 128, Port identifier 128.1
Designated root has priority 32768, address 0011.2233.4455
Designated bridge has priority 32768, address 0011.2233.4455
Designated port id is 128.1, designated path cost 4
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 10, received 5
Root guard is enabled on this port.
The output shows the interface status and STP parameters. The key line is 'Root guard is enabled on this port.' confirming root guard is active. If a superior BPDU were received, the port state would show 'root-inconsistent' instead of 'designated forwarding'.
Understanding the Output
When root guard is enabled, the switch monitors BPDUs received on the port. If a superior BPDU (with lower bridge ID or path cost) is received, the port is placed into a root-inconsistent state (blocking) to prevent the attached switch from becoming root. The 'show spanning-tree interface' command displays the port state; a healthy port shows 'designated forwarding' or 'alternate blocking'. If root guard triggers, the state becomes 'root-inconsistent' and the port blocks traffic. The 'show spanning-tree inconsistentports' command lists all ports in inconsistent states. Good values: port is forwarding normally. Bad values: port is root-inconsistent, indicating a potential STP attack or misconfiguration.
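An added example (not part of the original page and not Cisco tooling): a Python check that reads collected 'show spanning-tree interface ... detail' output and flags ports that are root-inconsistent or have no root guard. The sample outputs are constructed from the output shown above; the exact wording of the root-inconsistent state line and the expected_root parameter are assumptions.

```python
import re

# Constructed sample: the healthy output shown on this page, one field per line.
HEALTHY = """\
GigabitEthernet0/1 is up, line protocol is up
 Port 1 (GigabitEthernet0/1) of VLAN 1 is designated forwarding
 Port path cost 4, Port priority 128, Port identifier 128.1
 Designated root has priority 32768, address 0011.2233.4455
 BPDU: sent 10, received 5
 Root guard is enabled on this port.
"""
# Constructed sample: same port after a superior BPDU arrived (state wording assumed).
TRIGGERED = HEALTHY.replace("designated forwarding", "root-inconsistent")
# Constructed sample: a port where root guard was never configured.
UNGUARDED = HEALTHY.replace(" Root guard is enabled on this port.\n", "")

PORT_RE = re.compile(r"Port \d+ \((?P<port>\S+)\) of VLAN\s*(?P<vlan>\d+) is (?P<state>.+)")
ROOT_RE = re.compile(r"Designated root has priority \d+, address (?P<mac>[0-9a-f.]+)", re.I)
# Accept both "root-inconsistent" and "Root Inconsistent" spellings (assumption).
INCONSISTENT_RE = re.compile(r"root[- ]inconsistent", re.I)

def audit_port(output, expected_root=None):
    """Return (port, vlan, findings) for one detail block of a single port."""
    port_m = PORT_RE.search(output)
    if port_m is None:
        raise ValueError("no 'Port N (name) of VLAN x is <state>' line found")
    findings = []
    if INCONSISTENT_RE.search(port_m["state"]):
        findings.append("root-inconsistent: superior BPDU received, port is blocking")
    if "Root guard is enabled on this port" not in output:
        findings.append("root guard not enabled")
    # expected_root is a hypothetical parameter: the MAC of the intended root bridge.
    root_m = ROOT_RE.search(output)
    if expected_root and root_m and root_m["mac"].lower() != expected_root.lower():
        findings.append("unexpected root bridge " + root_m["mac"])
    return port_m["port"], int(port_m["vlan"]), findings

if __name__ == "__main__":
    samples = (("healthy", HEALTHY), ("triggered", TRIGGERED), ("unguarded", UNGUARDED))
    for name, text in samples:
        print(name, audit_port(text, expected_root="0011.2233.4455"))
```

An empty findings list corresponds to the page's "good values"; any finding is worth checking against 'show spanning-tree inconsistentports' on the switch.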
CCNA Exam Tips
- Root guard is configured on a per-port basis and prevents the port from becoming a root port; it does not affect BPDU forwarding.
- If a port with root guard receives a superior BPDU, it enters a root-inconsistent state (blocking) until the superior BPDUs stop.
- Root guard is typically used on ports that should never be the root port, such as access ports or ports connecting to end devices.
- The exam may ask you to distinguish root guard from BPDU guard: BPDU guard shuts down the port (errdisable) if any BPDU is received, while root guard only reacts to superior BPDUs.
Common Mistakes
- Confusing root guard with BPDU guard; root guard does not react to every received BPDU, it blocks the port only when superior BPDUs arrive.
- Applying root guard to all ports including uplinks, which can cause unnecessary blocking if the root bridge changes.
- Forgetting that root guard must be configured on the port where the unwanted root bridge might appear, not on the root bridge itself.