Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Spanning-Tree Root Guard

This is a question on how Spanning-Tree Root Guard works.

First, root bridges are elected (or selected) on a per vlan basis. But Root Guard is implemented on a trunking port without any vlan information. So, how does root guard know which vlan to protect.

What if you have several vlans and you want a different switch to be the root for each vlan. Root Guard won’t know which vlan to protect?

Am I missing something? If anyone has an explanation, I would love it. Thanks.

VIP Purple

Re: Spanning-Tree Root Guard

Hello Anthony,

as I understand it, the root guard feature is not meant to be implemented on trunk ports that are under your own administrative control, but rather on edge ports connecting e.g. an ISP to external devices. Since root guard applies to all VLANs, it would block a trunk port trying to become the root port. I guess the idea is that you, as the administrator of your network, need to be protected against external switches trying to become the root, but that your internal STP configuration should not be affected...



New Member

Re: Spanning-Tree Root Guard

GP, thanks for the information. I really don't like this command because in the Cisco text I can find, they only give examples of its use within a 3 or 4 switch network, and mention nothing about proper use of it within vlans.

Anyway, thanks again.

Re: Spanning-Tree Root Guard

Hi Anthony,

Rootguard can only be configured per port, but it is applied on a per instance basis. So basically, if rootguard is configured on a trunk, only vlans receiving superior information would be blocked (assuming you are running PVST).



CreatePlease to create content