Root Guard Blocking Intended Uplink
Presenting Symptom
GigabitEthernet0/1 on Switch B, the port that carries Switch C's uplink, is stuck in a blocking (root-inconsistent) state even though cabling and VLAN configuration are correct, so Switch C loses connectivity toward the root bridge and the rest of the campus.
Network Context
This is a small enterprise campus network with three Cisco Catalyst 2960 switches running IOS 15.0. Switch A is intended to be the root bridge, Switch B is a distribution switch, and Switch C is an access switch. The link between Switch B and Switch C is Switch C's uplink toward Switch B, and Root Guard is enabled on Switch B's port (GigabitEthernet0/1) facing Switch C. All show commands below are taken on Switch B.
Diagnostic Steps
Check the spanning-tree status of the blocked port
SwitchB# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0011.2233.4455
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0011.2233.4455
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg BKN*4         128.1    P2p *ROOT_Inc

The port role is 'Desg' (designated) but the state is 'BKN*' (broken) and the Type column carries '*ROOT_Inc', meaning Root Guard has placed the port in the root-inconsistent state. The port keeps sending BPDUs as a designated port but forwards no traffic. 'show spanning-tree inconsistentports' lists the same port with the inconsistency 'Root Inconsistent', and IOS logs a %SPANTREE-2-ROOTGUARD_BLOCK message for VLAN0001 when the port is blocked.
Verify the BPDU received on the blocked port
SwitchB# show spanning-tree interface gigabitethernet 0/1 detail

 Port 1 (GigabitEthernet0/1) of VLAN0001 is broken (Root Inconsistent)
   Port path cost 4, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address 0011.2233.4455
   Designated bridge has priority 32769, address 0011.2233.4455
   Designated port id is 128.1, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 10, received 5

Two things matter here. First, 'Root guard is enabled on the port' confirms the feature is active on this interface. Second, the port is designated yet keeps receiving BPDUs ('received 5'): in 802.1D (the 'ieee' PVST+ mode shown above) a switch sends BPDUs only from its designated ports, so a downstream switch that had accepted Switch B as the designated bridge for this segment would stop sending them. The neighbor (Switch C) therefore believes it has a better claim. Note that the 'Designated root' and 'Designated bridge' fields show Switch B's own view (it believes it is the root, with path cost 0), not the contents of the received BPDU. To see what Switch C is actually advertising, run 'show spanning-tree vlan 1' on Switch C and compare its Root ID with the one above. Root Guard acts when the received BPDU is superior, that is, when its root bridge ID is lower or, with an equal root ID, its root path cost, sender bridge ID, or sender port ID is lower than what Switch B itself sends.
Check the root bridge information on the local switch
SwitchB# show spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0011.2233.4455         0    2   20  15  This bridge is root

Switch B believes it is the root bridge, so any BPDU advertising a better root ID than 32769/0011.2233.4455 is superior and will trigger Root Guard on a guarded port. This output also exposes the underlying configuration problem: 32769 is the default priority (32768 plus sys-id-ext 1), and Switch A, which was meant to be the root, is not winning the election; either Switch A has not been given a lower priority or Switch B is not receiving its BPDUs. Otherwise Switch B would report Switch A's bridge ID as root and list a root port instead of 'This bridge is root'. With priorities tied, the election is decided by MAC address, which is how Switch C, with a bridge ID lower than Switch B's, comes to advertise itself as root on its uplink and gets blocked by Root Guard on Gi0/1.
Examine the configuration of the blocked interface
SwitchB# show running-config interface gigabitethernet 0/1

interface GigabitEthernet0/1
 spanning-tree guard root

The interface carries 'spanning-tree guard root', so Root Guard is enabled on it. This is what moves the port to root-inconsistent when the superior BPDU arrives; without it, Switch B would simply accept Switch C's BPDU, make Gi0/1 its root port, and let the access switch become root for the campus.
Root Cause
Root Guard is enabled on GigabitEthernet0/1 of Switch B, the port facing Switch C, and Switch C is sending BPDUs that are superior to the root Switch B currently knows (Switch C's bridge ID is lower than 32769/0011.2233.4455). Root Guard does exactly what it is designed to do: it keeps the port designated but places it in the root-inconsistent (blocking) state so that the access switch cannot become root, and it holds the port there for as long as superior BPDUs keep arriving. The traffic loss on the uplink is the visible result; the underlying fault is that bridge priorities were never set so that the intended root (Switch A) wins the election, which let a switch that must never be root advertise a superior BPDU.
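The comparison Root Guard performs, as an added example in Python that is not part of the original page or of any Cisco software. It models the 802.1D BPDU ordering and the Root Guard decision for a designated port. Switch B's address 0011.2233.4455 and the default priority come from the show output above; the MAC addresses for Switches A and C and the priorities used in the fix are assumed values chosen for the illustration.

```python
"""Model of the Root Guard decision on a designated port (added example).

A bridge ID is (priority + sys-id-ext, MAC); 32768 + VLAN 1 gives the 32769
seen in the show output. A received BPDU is superior when its vector
(root ID, root path cost, sender bridge ID, sender port ID) compares lower
than the vector the local port transmits. Root Guard does not let a
superior BPDU re-elect the root; it moves the port to root-inconsistent.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

BridgeId = Tuple[int, int]


def bridge_id(priority: int, mac: str, vlan: int = 1) -> BridgeId:
    """Comparable bridge ID for one VLAN. Lower wins; ties fall to the MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, int(mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId             # who the sender believes is root
    root_path_cost: int           # sender's cost to that root
    sender_id: BridgeId           # bridge ID of the sender
    sender_port_id: int = 0x8001  # port priority 128, port number 1

    def vector(self):
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port_id)

    def is_superior_to(self, other: "Bpdu") -> bool:
        """802.1D ordering: compare element by element, lower vector wins."""
        return self.vector() < other.vector()


def root_guard_state(local: Bpdu, received: Optional[Bpdu]) -> str:
    """State of a designated port with Root Guard. 'local' is the BPDU this
    port transmits; 'received' is the latest BPDU heard on it, or None once
    it has aged out (max age). Returns 'FWD' or 'ROOT_Inc'."""
    if received is not None and received.is_superior_to(local):
        return "ROOT_Inc"
    return "FWD"


# Constructed sample values: only 0011.2233.4455 (Switch B) is from the page,
# the other two MACs and the corrected priorities are assumptions.
MAC_A, MAC_B, MAC_C = "0011.2233.4400", "0011.2233.4455", "0011.2233.0001"


def scenario_before_fix() -> str:
    """All switches at the default priority; Switch C has the lowest MAC, so
    its BPDU names a better root than the one Switch B knows (itself)."""
    b, c = bridge_id(32768, MAC_B), bridge_id(32768, MAC_C)
    local = Bpdu(root_id=b, root_path_cost=0, sender_id=b)   # B: "I am root"
    from_c = Bpdu(root_id=c, root_path_cost=0, sender_id=c)  # C: "I am root"
    return root_guard_state(local, from_c)


def scenario_after_fix() -> str:
    """Switch A given priority 4096 and Switch C 61440 (assumed). C now relays
    A as root with a higher path cost, which is inferior to B's own BPDU."""
    a, b, c = bridge_id(4096, MAC_A), bridge_id(32768, MAC_B), bridge_id(61440, MAC_C)
    local = Bpdu(root_id=a, root_path_cost=4, sender_id=b)   # B: one Gig hop to A
    from_c = Bpdu(root_id=a, root_path_cost=8, sender_id=c)  # C: reaches A via B
    return root_guard_state(local, from_c)


def scenario_bpdus_stopped() -> str:
    """Once the superior BPDU ages out the port recovers by itself."""
    b = bridge_id(32768, MAC_B)
    return root_guard_state(Bpdu(b, 0, b), None)


if __name__ == "__main__":
    print("before fix:    ", scenario_before_fix())   # ROOT_Inc
    print("after fix:     ", scenario_after_fix())    # FWD
    print("BPDUs aged out:", scenario_bpdus_stopped())  # FWD
```

The block prints ROOT_Inc for the scenario as found and FWD after the priorities are corrected; the third case is the automatic recovery once the superior BPDU stops arriving. The ordering in vector() (root ID first, then path cost, sender ID, port ID) is also why leaving every switch at the default priority turns the root election into a contest of MAC addresses.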
Resolution
There are two ways to clear the condition, and the right one depends on which switch should be root. Since Switch C is an access switch and must never become root, the correct fix is to restore a deterministic election: give the intended root (Switch A) the lowest bridge priority (for example 0) and leave Switch C at the default or raise it, so that Switch C stops advertising a superior BPDU. Root Guard then releases the port on its own once the superior BPDU stops arriving and ages out (max age, 20 seconds here); no shutdown / no shutdown cycle is needed. Removing 'spanning-tree guard root' from GigabitEthernet0/1 would also bring the port up, but only by letting Switch C win the election, which is the outcome Root Guard exists to prevent.
Verification
After applying the fix, verify the port state on Switch B:

SwitchB# show spanning-tree interface gigabitethernet 0/1

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 4         128.1    P2p

The state should be 'FWD' (forwarding) with no '*ROOT_Inc' marker, 'show spanning-tree inconsistentports' should no longer list the port, and IOS logs %SPANTREE-2-ROOTGUARD_UNBLOCK when the port is released. Also confirm that the election now matches the design: 'show spanning-tree root' on Switch B should name Switch A's bridge ID as root and show a root port toward Switch A rather than 'This bridge is root', and the same command on Switch C should show its uplink toward Switch B as the root port.
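A small checker for this verification step, added here as an example and not part of the original page: it parses the port table of 'show spanning-tree' or 'show spanning-tree interface' output and reports entries held root-inconsistent, handling the fused 'BKN*4' column IOS prints for inconsistent ports. The two sample outputs are constructed from the rows shown on this page.

```python
"""Parse the port table of 'show spanning-tree' output and flag Root Guard
blocks (added example, constructed samples)."""
import re
from typing import Dict, List, NamedTuple


class PortState(NamedTuple):
    role: str
    status: str            # FWD, BLK, LRN, LIS, or BKN* for an inconsistent port
    cost: int
    root_inconsistent: bool


# One row of the port table. IOS prints 'BKN*' in the 4-character Sts column
# with the cost immediately after it ('BKN*4'), so the status is matched as
# three letters plus an optional '*' and the space before the cost is optional.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<role>Root|Desg|Altn|Back|Mstr)\s+"
    r"(?P<sts>[A-Z]{3}\*?)\s*(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>.+)$"
)


def parse_stp_table(output: str) -> Dict[str, PortState]:
    """Map the first column (interface name, or VLAN for the per-interface
    command) to its parsed state. Header, separator and summary lines are
    skipped because their second field is not a valid port role."""
    ports: Dict[str, PortState] = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        ports[m["name"]] = PortState(
            role=m["role"],
            status=m["sts"],
            cost=int(m["cost"]),
            root_inconsistent="*ROOT_Inc" in m["type"],
        )
    return ports


def inconsistent_ports(output: str) -> List[str]:
    """Names of entries currently held root-inconsistent by Root Guard."""
    return [name for name, p in parse_stp_table(output).items() if p.root_inconsistent]


# Constructed samples based on the rows shown on this page.
BEFORE_FIX = """\
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg BKN*4         128.1    P2p *ROOT_Inc
"""

AFTER_FIX = """\
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 4         128.1    P2p
"""

if __name__ == "__main__":
    print("before:", inconsistent_ports(BEFORE_FIX))  # ['Gi0/1']
    print("after: ", inconsistent_ports(AFTER_FIX))   # []
```

Feed it the captured output of the same command from every switch in the campus and a non-empty result from any of them means a guarded port is still blocking; the empty list after the fix is the condition the verification step expects.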
Prevention
1. Enable Root Guard only on designated ports that face switches which must never become root (distribution ports toward the access layer, as on Switch B here), and never on a port that faces the intended root bridge, where it would block the switch's own root port.
2. Make the root election deterministic: give the intended root bridge the lowest priority (e.g., 0) and leave access switches at the default or higher. With every switch at the default 32768 the root is decided by MAC address, which is exactly what let Switch C win here.
3. Root Guard and BPDU Guard are complementary, not alternatives: use BPDU Guard (with PortFast) on end-host access ports, where no BPDU should ever arrive and the port should be err-disabled if one does, and Root Guard on inter-switch ports toward downstream switches, where BPDUs are expected but must never be superior.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario tests understanding of STP security features, specifically Root Guard. The exam may present a troubleshooting scenario where a port is blocking despite correct cabling, and the candidate must identify Root Guard as the cause. Key fact: Root Guard blocks a port if it receives a superior BPDU, placing it in a root-inconsistent state.
Exam Tips
Remember that Root Guard is configured per interface with 'spanning-tree guard root' and causes the port to go into a root-inconsistent (blocking) state when a superior BPDU is received.
Distinguish Root Guard from BPDU Guard: BPDU Guard err-disables the port as soon as any BPDU is received (it belongs on PortFast end-host ports and needs manual or errdisable-recovery intervention), while Root Guard keeps the port designated, moves it to root-inconsistent only when a superior BPDU arrives, and recovers automatically once the superior BPDUs stop.
In exam output, look for a port in the 'Desg' role that is not forwarding, marked 'BKN*' in the Sts column and '*ROOT_Inc' in the Type column of 'show spanning-tree' output, or listed as 'Root Inconsistent' by 'show spanning-tree inconsistentports', to identify Root Guard blocking.
Commands Used in This Scenario
1. show spanning-tree vlan 1: bridge and root IDs plus per-port role and state; root-inconsistent ports show 'BKN*' and '*ROOT_Inc'.
2. show spanning-tree interface gigabitethernet 0/1 detail: per-port timers, BPDU counters, and whether Root Guard is enabled.
3. show spanning-tree root: which bridge the local switch considers root and its root port.
4. show running-config interface gigabitethernet 0/1: the interface configuration, including 'spanning-tree guard root'.
5. show spanning-tree inconsistentports: every port currently held in an inconsistent state, with the reason.
6. show spanning-tree interface gigabitethernet 0/1: per-VLAN role and state of one port, used for verification.