Configuring STP Root Guard


The Root Guard feature enforces the placement of the root bridge in a network. STP itself provides no way to fully control which switch is selected as the root bridge; any switch can be selected. If the bridge priority is set to 0, that switch is likely to become the root bridge. However, even this configuration offers no guarantee, because another switch with priority 0 and a lower MAC address would be selected as the root bridge instead.


The Root Guard feature forces a port to be a designated port and does not allow it to become a root port. This prevents any of the neighboring switches from becoming the root switch. Thus, the Root Guard feature provides a way to enforce the placement of the root bridge in the network.

If a port on which Root Guard is enabled receives a superior BPDU, the switch moves that port into a root-inconsistent state (similar to a listening state). In this state, no traffic is forwarded across the port. Root Guard must be enabled on all ports where the root bridge should not appear.
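
The following is an added example, not vendor code: a simplified Python model of the behavior described above, showing that priority 0 alone does not secure the root role and how a Root Guard port reacts to a superior BPDU. It compares only the advertised root bridge ID (real STP also compares path cost, sender bridge ID and port ID), and the class names, MAC addresses and port name are constructed for illustration.

```python
# Added illustration (not vendor code): simplified model of Root Guard.
# Only the advertised root bridge ID is compared; real STP also compares
# path cost, sender bridge ID and port ID. All IDs below are constructed.
from dataclasses import dataclass

def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID as a comparable tuple: lower priority wins, then lower MAC."""
    return (priority, int(mac.replace(":", ""), 16))

@dataclass
class Port:
    name: str
    root_guard: bool = False
    role: str = "designated"

class Switch:
    def __init__(self, priority: int, mac: str):
        self.own_id = bridge_id(priority, mac)
        self.root_id = self.own_id  # a switch starts out believing it is root

    def receive_bpdu(self, port: Port, advertised_root: tuple) -> str:
        if advertised_root >= self.root_id:
            return port.role                    # not superior: nothing changes
        if port.root_guard:
            port.role = "root-inconsistent"     # refuse the new root, stop forwarding
        else:
            self.root_id = advertised_root      # neighbor's root is accepted
            port.role = "root"
        return port.role

def demo() -> dict:
    other = bridge_id(0, "00:00:00:00:00:01")   # also priority 0, lower MAC
    results = {}
    for guarded in (False, True):
        sw = Switch(0, "00:00:00:00:00:10")     # intended root, priority 0
        port = Port("p1", root_guard=guarded)
        role = sw.receive_bpdu(port, other)
        results[guarded] = (role, sw.root_id == sw.own_id)
    return results

if __name__ == "__main__":
    for guarded, (role, still_root) in demo().items():
        print(f"root_guard={guarded}: port role={role}, still root={still_root}")
```

Without Root Guard the intended root gives up its role to the lower-MAC switch; with Root Guard the port stops forwarding and the root placement is preserved.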


To configure Root Guard, use the command:


CLI (network-admin@Leaf1) > stp-port-modify port port-list root-guard


stp-port-modify

Modify the Spanning Tree Protocol Parameters.

port port-list

Specify the port or port list.

Specify one or more of the following options:


block|no-block

Specify whether an STP port blocks BPDUs.

bpdu-guard|no-bpdu-guard

Enable or disable STP port BPDU guard.

root-guard|no-root-guard

Enable or disable STP port Root Guard.


To view the Root Guard configuration details, use the command:


CLI (network-admin@Leaf1) > stp-port-show