Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard feature forces an interface to become a designated port to prevent surrounding switches from becoming a root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which the Root Guard feature is enabled receives a superior BPDU, it moves the port into a root-inconsistent state (effectively equal to a listening state), thus maintaining the current Root Bridge status.
The Root Guard feature prevents a port from becoming a Root Port, thus ensuring that the port is always a Designated Port. Unlike other STP enhancements, which can also be enabled on a global basis, Root Guard must be manually enabled on all ports where the Root Bridge should not appear. Because of this, it is important to ensure a deterministic topology when designing and implementing STP in the LAN. After the Root Guard feature is enabled on a port, the switch does not enable that port to become an STP root port. The port remains as an STP designated port. In addition, if a better BPDU is received on the port, Root Guard disables (err-disables) the port rather than processing the BPDU.
The following shows the SYSLOG message that is generated if a superior configuration BPDU is received on a port that has root guard enabled:
%SPANTREE-2-ROOTGUARDBLOCK: Port X/Y tried to become non-designated in VLAN Z
Moved to root-inconsistent state
Once superior configuration BPDUs cease to be received on the blocked port, the switch restores the port as indicated by this message:
%SPANTREE-2-ROOTGUARDUNBLOCK: Port X/Y restored in VLAN Z
2) Determine why devices connected to the listed ports send BPDUs with a superior root bridge and take action to prevent further occurrences. Once the BPDUs that falsely advertise a superior root bridge are stopped, the interfaces automatically recover and operate normally. Make sure that it is appropriate to have root guard enabled on the interfaces.
Note: This message is only generated once per second for each physical interface, not for each MST instance or VLAN. Although this message indicates a specific MST instance or VLAN, it could also apply to other MST instances or VLANs in the same physical interface.
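The two messages above can be correlated to see which ports are still root-inconsistent and which ones keep returning to that state after recovering. The following is an added example, not code from the original page or from Cisco; the "timestamp switch" line prefix, the switch names, and all port and VLAN values are constructed for illustration.

```python
import re
from collections import defaultdict

# Message text follows the two syslog lines quoted above. The leading
# "<timestamp> <switch>" prefix and every value in SAMPLE are constructed.
EVENT = re.compile(
    r"^(?P<ts>\S+) (?P<sw>\S+) %SPANTREE-2-ROOTGUARD(?P<kind>BLOCK|UNBLOCK): "
    r"Port (?P<port>\S+) (?:tried to become non-designated|restored) "
    r"in VLAN (?P<vlan>\d+)"
)

SAMPLE = """\
2024-05-01T10:00:01Z sw-acc-1 %SPANTREE-2-ROOTGUARDBLOCK: Port 3/12 tried to become non-designated in VLAN 10
2024-05-01T10:00:02Z sw-acc-1 %SPANTREE-2-ROOTGUARDBLOCK: Port 3/12 tried to become non-designated in VLAN 20
2024-05-01T10:00:05Z sw-acc-2 %SPANTREE-2-ROOTGUARDBLOCK: Port 1/4 tried to become non-designated in VLAN 10
2024-05-01T10:03:00Z sw-acc-2 %SPANTREE-2-ROOTGUARDUNBLOCK: Port 1/4 restored in VLAN 10
2024-05-01T10:04:00Z sw-acc-1 %SPANTREE-2-ROOTGUARDUNBLOCK: Port 3/12 restored in VLAN 10
2024-05-01T10:09:00Z sw-acc-2 %SPANTREE-2-ROOTGUARDBLOCK: Port 1/4 tried to become non-designated in VLAN 10
2024-05-01T10:09:30Z sw-acc-2 %LINK-3-UPDOWN: unrelated line
"""

def track(lines):
    """Return (still_blocked, episodes), both keyed by (switch, port)."""
    open_blocks = defaultdict(set)  # VLANs named in a BLOCK with no UNBLOCK yet
    episodes = defaultdict(int)     # times the port entered root-inconsistent
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue                # not a Root Guard message
        key, vlan = (m["sw"], m["port"]), int(m["vlan"])
        if m["kind"] == "BLOCK":
            if not open_blocks[key]:
                episodes[key] += 1  # new episode, not another VLAN of the same one
            open_blocks[key].add(vlan)
        else:
            open_blocks[key].discard(vlan)
    # The message is rate-limited per physical interface, so the VLAN list is a
    # lower bound: alert on the port and treat the VLANs only as a hint.
    still_blocked = {k: sorted(v) for k, v in open_blocks.items() if v}
    return still_blocked, dict(episodes)

def recurring(episodes, threshold=2):
    """Ports that were blocked again after recovering: a persistent BPDU source."""
    return sorted(k for k, n in episodes.items() if n >= threshold)

if __name__ == "__main__":
    blocked, episodes = track(SAMPLE.splitlines())
    print("still root-inconsistent:", blocked)
    print("recurring:", recurring(episodes))
```

A port that appears under recurring has recovered and then received superior BPDUs again, which is the case where the attached device needs to be investigated rather than waited out.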