Guarding Against Rogue STP Root Bridges
What is root guard?

Root guard restricts which switch ports are allowed to lead toward the root bridge. If a root guard-enabled port receives BPDUs that are superior to those sent by the current root bridge (BPDUs that would otherwise turn that port into a root port), the port is moved to the root-inconsistent state, which is effectively equal to the STP listening state: BPDUs are still received and evaluated, but no data traffic is forwarded across the port.

Example: Using Root Guard
In the example, switches A and B are the core of the network. Switch A is the root bridge for a VLAN. Switch C is an access layer switch. The link between B and C is blocking on the C side. The flow of STP BPDUs is shown with arrows.

On the left, device D begins to participate in STP. If the priority of switch D were any value lower than that of the current root bridge (a lower numerical priority gives a lower, and therefore superior, bridge ID), its BPDUs would be superior, and switch D would be elected the root bridge. This would cause the link connecting switches A and B to block, so that all traffic from switch B would flow through switch C in the access layer, which is clearly undesirable. STP BPDUs carry no authentication, so any device attached to an access port, whether misconfigured or malicious, can attempt this. If root guard were configured on the port of switch C where switch D is attached, switch D would never have been elected the root bridge.

Root guard is configured on a per-port basis. If a superior BPDU is received on such a port, root guard does not take the BPDU into account and instead puts the port into the root-inconsistent state. Once switch D stops sending superior BPDUs, the port is unblocked again and transitions through the STP states as any other port. Recovery requires no intervention. A root guard-enabled port is in the STP designated port state.
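The behaviour just described, as an added example that is not part of the original page and not code from any switch vendor: a toy Python model of one root-guard-enabled port. It compares bridge IDs the way STP does (priority first, MAC address as tiebreaker), blocks the port when a superior BPDU arrives instead of accepting the new root, and recovers on its own once the superior BPDUs stop. The bridge priorities, MAC addresses and timeline are constructed; the recovery timing (max age 20 s, then listening and learning for one forward delay of 15 s each) is an assumption based on 802.1D default timers, not something the text specifies.

```python
"""Toy model of how a root-guard-enabled port reacts to BPDUs.

Added example, not code from the original page or from any switch vendor.
Bridge priorities, MAC addresses and the timeline are constructed. Assumed
timers: the blocked port recovers once the superior BPDU ages out (802.1D
default max age, 20 s) and then walks listening -> learning -> forwarding
with the default forward delay of 15 s per step.
"""
from dataclasses import dataclass

MAX_AGE = 20         # seconds; assumption used for recovery from root-inconsistent
FORWARD_DELAY = 15   # seconds; listening and learning each last this long


@dataclass(frozen=True)
class BridgeID:
    """STP bridge ID: 16-bit priority followed by the 48-bit bridge MAC.

    The numerically lower bridge ID is superior: priority is compared first,
    the MAC address breaks ties.
    """
    priority: int
    mac: str

    def as_int(self) -> int:
        return (self.priority << 48) | int(self.mac.replace(":", ""), 16)

    def is_superior_to(self, other: "BridgeID") -> bool:
        return self.as_int() < other.as_int()


class RootGuardPort:
    """A designated port with root guard enabled, tracked over time."""

    def __init__(self, name: str, current_root: BridgeID):
        self.name = name
        self.current_root = current_root
        self.state = "forwarding"      # designated port carrying data
        self.blocked_since = None
        self.recovered_at = None

    def receive_bpdu(self, claimed_root: BridgeID, now: float) -> str:
        """Process a BPDU whose root ID field names claimed_root as root."""
        if claimed_root.is_superior_to(self.current_root):
            # This BPDU would make the port a root port and re-elect the root.
            # Root guard ignores it and blocks the port instead.
            self.state = "root-inconsistent"
            self.blocked_since = now
        # Inferior or equal BPDUs are handled by normal STP; nothing to do here.
        return self.state

    def tick(self, now: float) -> str:
        """Advance timers. Recovery needs no administrator intervention."""
        if self.state == "root-inconsistent" and now - self.blocked_since >= MAX_AGE:
            self.state = "listening"       # superior BPDUs aged out
            self.recovered_at = now
        elif self.state == "listening" and now - self.recovered_at >= FORWARD_DELAY:
            self.state = "learning"
        elif self.state == "learning" and now - self.recovered_at >= 2 * FORWARD_DELAY:
            self.state = "forwarding"
        return self.state


def simulate() -> list:
    """Replay the page's scenario: switch A is root, rogue switch D appears on C."""
    switch_a = BridgeID(priority=4096, mac="00:00:0c:00:00:0a")  # constructed
    switch_d = BridgeID(priority=0, mac="00:00:0c:00:00:0d")     # lower priority: superior
    port = RootGuardPort("SwitchC Gi1/0/24", current_root=switch_a)
    timeline = []
    # D sends a hello every 2 s claiming itself as root, from t=0 to t=10.
    for t in range(0, 11, 2):
        timeline.append((t, port.receive_bpdu(switch_d, t)))
    # D goes quiet; watch the port recover on its own.
    for t in range(12, 61, 2):
        timeline.append((t, port.tick(t)))
    return timeline


if __name__ == "__main__":
    for t, state in simulate():
        print(f"t={t:>2}s  {state}")
```

Running the script shows the port sitting in root-inconsistent for as long as switch D keeps advertising itself, then moving through listening and learning back to forwarding without any operator action, which is the point of the feature: the rogue root is never elected and the port heals itself. On Cisco IOS the feature is enabled per interface with `spanning-tree guard root`.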

Root guard should be enabled on all ports where the root bridge is not anticipated, and never on the port that leads toward the legitimate root bridge, since that port must accept the root's BPDUs. In the example, root guard should be enabled as follows:

  • Switch A – port connecting to switch C
  • Switch B – port connecting to switch C
  • Switch C – port connecting to switch D

The following console message appears when root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
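To turn that console message into something a security operations team can act on, here is an added example (Python, not from the original page) that parses the message out of syslog lines and flags ports that are blocked repeatedly. A single block may be an accident; the same port blocking over and over means the attached device keeps claiming root after every automatic recovery. The log lines in SAMPLE_LOG are constructed, their hostnames, sequence numbers and port names are invented, and the repeat threshold of two is an assumption to tune for your environment.

```python
"""Pick root guard events out of switch syslog and flag ports hit repeatedly.

Added example, not from the original page: a parser for the
%SPANTREE-2-ROOTGUARDBLOCK message quoted above. SAMPLE_LOG is constructed;
its hostnames, sequence numbers and port names are invented. The repeat
threshold is an assumption to tune for your environment.
"""
import re
from collections import Counter

# Syslog prefix as a typical IOS or relay line writes it: timestamp, host, sequence.
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)")
# The message format shown on the page; the port name and VLAN are captured.
BLOCK_MSG = re.compile(
    r"%SPANTREE-2-ROOTGUARDBLOCK: Port (?P<port>\S+) tried to become "
    r"non-designated in VLAN (?P<vlan>\d+)\. Moved to root-inconsistent state"
)

# Constructed sample log: three blocks on one access port, one elsewhere, one unrelated line.
SAMPLE_LOG = """\
Mar  1 12:00:01 switchC 45: %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/24 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
Mar  1 12:00:03 switchC 46: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
Mar  1 12:00:41 switchC 47: %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/24 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
Mar  1 12:01:22 switchC 48: %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/24 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
Mar  1 12:05:00 switchB 91: %SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77. Moved to root-inconsistent state
"""


def parse_events(log_text: str) -> list:
    """Return one dict per ROOTGUARDBLOCK line: ts, host, port, vlan."""
    events = []
    for line in log_text.splitlines():
        msg = BLOCK_MSG.search(line)
        if not msg:
            continue                      # unrelated syslog line
        prefix = PREFIX.match(line)       # may be absent on a raw console line
        events.append({
            "ts": prefix.group("ts") if prefix else None,
            "host": prefix.group("host") if prefix else "unknown",
            "port": msg.group("port"),
            "vlan": int(msg.group("vlan")),
        })
    return events


def repeat_offenders(events: list, threshold: int = 2) -> dict:
    """(host, port, vlan) tuples blocked at least `threshold` times."""
    counts = Counter((e["host"], e["port"], e["vlan"]) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_events(SAMPLE_LOG)
    for e in found:
        print(f"{e['ts']} {e['host']} port {e['port']} vlan {e['vlan']}: root guard block")
    for (host, port, vlan), n in repeat_offenders(found).items():
        print(f"ALERT {host} {port} vlan {vlan}: blocked {n} times, rogue root candidate upstream")
```

The alert names the switch, port and VLAN, which is exactly what is needed to walk to the closet and find the device. On Cisco IOS, `show spanning-tree inconsistentports` lists the ports currently held in the root-inconsistent state, which confirms whether the condition is still active when the alert is investigated.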