Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

STP: Placement of Root Guard

Please help to advise on the ports to configure guard root so that Sw1 can remain as the Root, in the event the priorities of Sw2, Sw3, Sw4 or Sw5 are reduced.

For both examples, please assume all else are equal (priority, link cost, etc).

For Example 1, should I place guard root on

Sw2 F0/3,

Sw3 F0/3,

Sw1 F0/1 and 0/2?


Sw2 F0/2 and F0/3,

Sw3 F0/2 and F0/3?

For Example 2, should I place guard root on

Sw2 F0/3 and F0/4,

Sw3 F0/3 and F0/4,

Sw1 F0/1 and F0/2?


Sw2 F0/2, F0/3, F0/4,

Sw3 F0/2, F0/3, F0/4?

Any other combination is welcomed.



Re: STP: Placement of Root Guard

Nobody can really answer your question without knowing what you are ready to sacrifice;-)

Rootguard is not something that is designed to make sure that bridge X is the root. For instance, if I configure rootguard on all the ports of a particular bridge, I'm sure it's going to be a root bridge. However, it might be entirely disconnected from the network and break connectivity throughout my backbone!

Basically, rootguard is a feature allowing you to enforce a policy. A root port of a given bridge is the port that is connecting the subtree below the bridge to the rest of the network. By configuring rootguard on a port, you prevent it from ever becoming a root port. So the policy I was referring to sounds like: I'd rather lose connectivity to the rest of the network rather than accepting connectivity through this port. That's this policy that is missing in your post.

Typically, you configure rootguard on edge port for instance, because you'd rather lose connectivity to an edge port rather that accepting connectivity through it.

Often, you want to enforce a policy that you don't want to use an access bridge as a backup to your backbone. For example, in your example 1 or 2, you don't want to use the link sw4-sw5 as a backup path should connectivity be lost between sw2-sw3. You'd rather split your network in two rather than doing that. In that case, you would configure rootguard on the downstream ports on sw2-sw3 (f0/3, f0/4).



CreatePlease to create content