Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard feature forces an interface to remain a designated port, preventing a neighbouring switch from becoming the root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which Root Guard is enabled receives a superior BPDU, the switch moves that port into a root-inconsistent state (effectively equal to the listening state), thus preserving the current Root Bridge.
The Root Guard feature prevents a port from becoming a Root Port, thus ensuring that the port is always a Designated Port. Unlike other STP enhancements, which can also be enabled on a global basis, Root Guard must be manually enabled on all ports where the Root Bridge should not appear. Because of this, it is important to ensure a deterministic topology when designing and implementing STP in the LAN. After the Root Guard feature is enabled on a port, the switch does not allow that port to become an STP root port; the port remains an STP designated port. In addition, if a better BPDU is received on the port, Root Guard disables (err-disables) the port rather than processing the BPDU.
The following shows the SYSLOG message that is generated if a superior configuration BPDU is received on a port that has root guard enabled:
%SPANTREE-2-ROOTGUARDBLOCK: Port X/Y tried to become non-designated in VLAN Z. Moved to root-inconsistent state
Once superior configuration BPDUs cease to be received on the blocked port, the switch restores the port as indicated by this message:
%SPANTREE-2-ROOTGUARDUNBLOCK: Port X/Y restored in VLAN Z
2) Determine why the devices connected to the listed ports send BPDUs with a superior root bridge and take action to prevent further occurrences. Once the BPDUs that falsely advertise a superior root bridge are stopped, the interfaces automatically recover and operate normally. Make sure that it is appropriate to have root guard enabled on the interfaces.
Note: This message is generated at most once per second for each physical interface, not for each MST instance or VLAN. Although the message names a specific MST instance or VLAN, it may also apply to other MST instances or VLANs on the same physical interface.
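The two SYSLOG messages above are the signal a defender has that a downstream device is advertising a superior root bridge. The following is an added example, not code from the original page or from Cisco, that replays a constructed log excerpt and reports which ports are still root-inconsistent and which ports keep cycling between blocked and restored (a port that blocks repeatedly is the one to investigate per step 2 above). The message text is the format quoted on the page; the leading ISO-8601 timestamp, the port names (Gi1/0/5, Gi1/0/7), the VLAN numbers and the unrelated %SYS-5-CONFIG_I line are constructed for the example. State is tracked per physical port rather than per VLAN because, as the note above says, one message can stand for other VLANs or MST instances on the same interface.

```python
import re
from datetime import datetime, timedelta

# Regexes for the two Root Guard syslog messages quoted on the page.
BLOCK_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARDBLOCK: Port (?P<port>\S+) tried to become "
    r"non-designated in VLAN (?P<vlan>\d+)"
)
UNBLOCK_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARDUNBLOCK: Port (?P<port>\S+) restored in VLAN (?P<vlan>\d+)"
)


def parse_events(lines):
    """Yield (timestamp, kind, port, vlan) for each Root Guard message.

    Assumes each line begins with an ISO-8601 timestamp and a space (a constructed
    format for this example; a real collector prepends its own timestamp).
    Lines that are not Root Guard messages are skipped.
    """
    for line in lines:
        ts_str, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        m = BLOCK_RE.search(msg)
        if m:
            yield ts, "block", m["port"], int(m["vlan"])
            continue
        m = UNBLOCK_RE.search(msg)
        if m:
            yield ts, "unblock", m["port"], int(m["vlan"])


def root_inconsistent_ports(lines):
    """Return the set of ports still root-inconsistent after replaying the log.

    Tracked per physical port, not per VLAN: the page notes the message is
    rate-limited per interface and may cover other VLANs/MST instances on it.
    """
    inconsistent = set()
    for _, kind, port, _ in parse_events(lines):
        if kind == "block":
            inconsistent.add(port)
        else:
            inconsistent.discard(port)
    return inconsistent


def flapping_ports(lines, window=timedelta(minutes=5), threshold=3):
    """Return ports that were blocked at least `threshold` times inside any `window`.

    Repeated block/restore cycles on one port mean the attached device keeps
    advertising a superior root bridge; that is the port to investigate.
    """
    block_times = {}
    for ts, kind, port, _ in parse_events(lines):
        if kind == "block":
            block_times.setdefault(port, []).append(ts)
    flapping = set()
    for port, times in block_times.items():
        times.sort()
        for i in range(len(times)):
            # Count block events in the window starting at times[i].
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flapping.add(port)
                break
    return flapping


# Constructed sample log: Gi1/0/5 blocks once and recovers; Gi1/0/7 keeps
# getting blocked across two VLANs. The %SYS-5-CONFIG_I line is unrelated noise.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/5 tried to become non-designated in VLAN 10. Moved to root-inconsistent state",
    "2024-05-01T10:00:00 %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/7 tried to become non-designated in VLAN 10. Moved to root-inconsistent state",
    "2024-05-01T10:00:30 %SPANTREE-2-ROOTGUARDUNBLOCK: Port Gi1/0/5 restored in VLAN 10",
    "2024-05-01T10:01:00 %SPANTREE-2-ROOTGUARDUNBLOCK: Port Gi1/0/7 restored in VLAN 10",
    "2024-05-01T10:01:05 %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/7 tried to become non-designated in VLAN 20. Moved to root-inconsistent state",
    "2024-05-01T10:02:00 %SPANTREE-2-ROOTGUARDUNBLOCK: Port Gi1/0/7 restored in VLAN 20",
    "2024-05-01T10:02:10 %SPANTREE-2-ROOTGUARDBLOCK: Port Gi1/0/7 tried to become non-designated in VLAN 10. Moved to root-inconsistent state",
    "2024-05-01T10:03:00 %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    print("still root-inconsistent:", sorted(root_inconsistent_ports(SAMPLE_LOG)))
    print("flapping (>=3 blocks in 5 min):", sorted(flapping_ports(SAMPLE_LOG)))
```

On the sample log both reports name only Gi1/0/7: it is blocked at the end of the replay and it was blocked three times within five minutes, whereas Gi1/0/5 blocked once and was restored. The window and threshold are parameters so the same replay can be tuned to a network's normal rate of topology changes.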