Showing results for 
Search instead for 
Did you mean: 

STP error message received: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port in Cisco Catalyst switches running Cisco IOS system software





Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard feature forces an interface to become a designated port to prevent surrounding switches from becoming a root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which the Root Guard feature receives a superior BPDU, it moves the port into a root-inconsistent state (effectively equal to a listening state), thus maintaining the current Root Bridge status.


The Root Guard feature prevents a port from becoming a Root Port, thus ensuring that the port is always a Designated Port. Unlike other STP enhancements, which can also be enabled on a global basis, Root Guard must be manually enabled on all ports where the Root Bridge should not appear. Because of this, it is important to ensure a deterministic topology when designing and implementing STP in the LAN. After the Root Guard feature is enabled on a port, the switch does not enable that port to become an STP root port. The port remains as an STP designated port. In addition, if a better BPDU is received on the port, Root Guard disables (err-disables) the port rather than processing the BPDU


The following shows the SYSLOG message that is generated if a superior configuration BPDU is received on a port that has root guard enabled:



%SPANTREE-2-ROOTGUARDBLOCK: Port X/Y tried to become non-designated in VLAN Z

    Moved to root -inconsistent state


Once superior configuration BPDUs cease to be received on the blocked port, the switch restores the port as indicated by this message:






1) Enter the "show spanning-tree inconsistentports" command in order to display the list of interfaces with root guard inconsistencies.


2) Determine why devices connected to the listed portssend BPDUs with a superior root bridge and take action to prevent further occurrences. Once the BPDUs that falsely advertise a superior root bridge are stopped, the interfaces automatically recover and operate normally. Make sure that it is appropriate to have root guard enabled on the interfaces.


Note: This message is only generated once per second for each physical interface, not for each MST instance or VLAN. Although this message indicates a specific MST instance or VLAN, it could also apply to other MST instances or VLANs in the same physical interface.


For further assistance and support, use theTAC Service Request Tool in order topen a case with Cisco Technical Support.

Related Information:

Spanning Tree Protocol Root Guard Enhancement

Spanning Tree Protocol Problems and Related Design Considerations

CreatePlease to create content
Content for Community-Ad