Cisco Support Community

New Member

Enabling root guard on a port-channel

I want to enable root guard on all trunk ports on a 6509 core switch running native IOS.

Regarding the port-channels, should I enable root guard on the individual interfaces that make up the port-channels or on the port-channels themselves?

Many thanks!


Re: Enabling root guard on a port-channel

Hi, root guard is normally enabled on ports going to switches on customer networks (i.e. switches you don't look after yourself). You would not want to configure this on your own trunk links unless you had certain switches you definitely do not want to become root in the STP domain.

New Member

Re: Enabling root guard on a port-channel

Hi Mark,

I have a primary and secondary root bridge, my 6509 and a redundant 6509. If they are both unavailable then my network is down anyway. I never want *anything* to be the root bridge other than one of these two core switches.

There are no loops in the network other than the access switches all dual-homing to both cores.

I have had issues when rebooting access switches and adding new access switches to the network resulting in a spanning-tree election and purging of MAC address tables.

Some of the services running on the network are not at all resilient to even very brief periods of network availability.

I was hoping to use root guard to prevent these issues from reoccurring.

Re: Enabling root guard on a port-channel

Sure, this makes sense now. So Rootguard will stop access switches becoming the root but I'm not sure if this will stop all STP recalculations? If an access link's uplink (primary) fails and the blocked link goes into forwarding I would imagine this also causes STP to recalculate for that VLAN (although I would have to test this). Have you looked into running RSTP? The failover time for this would be approx 1-2 seconds for a small network?

New Member

Re: Enabling root guard on a port-channel

Thanks for your reply Mark.

I'm already running Rapid PVST on the two core switches. The access switches unfortunately don't support it yet so are just running PVST but I'm hoping to upgrade them to RPVST capable switches in the near future.

Unfortunately I don't have a test lab so I haven't been able to test what would happen should the primary uplink fail and the blocked link transition to forwarding.

If the root bridge itself is down then STP will recalculate for all VLANs as it fails over to the redundant core, but if it were just to be the access switch uplink that failed I'm not sure what the result would be.

I will try and research this and update the thread!