Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
16581
Views
5
Helpful
0
Comments

STP error message received: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port in Cisco Catalyst switches running Cisco IOS system software

TCC_2
Level 10
Level 10

‎06-22-2009 06:17 PM - edited ‎03-01-2019 04:20 PM

 

Introduction:

 

Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard feature forces an interface to become a designated port to prevent surrounding switches from becoming a root switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which the Root Guard feature receives a superior BPDU, it moves the port into a root-inconsistent state (effectively equal to a listening state), thus maintaining the current Root Bridge status.

 

The Root Guard feature prevents a port from becoming a Root Port, thus ensuring that the port is always a Designated Port. Unlike other STP enhancements, which can also be enabled on a global basis, Root Guard must be manually enabled on all ports where the Root Bridge should not appear. Because of this, it is important to ensure a deterministic topology when designing and implementing STP in the LAN. After the Root Guard feature is enabled on a port, the switch does not enable that port to become an STP root port. The port remains as an STP designated port. In addition, if a better BPDU is received on the port, Root Guard disables (err-disables) the port rather than processing the BPDU

 

The following shows the SYSLOG message that is generated if a superior configuration BPDU is received on a port that has root guard enabled:

 

 

%SPANTREE-2-ROOTGUARDBLOCK: Port X/Y tried to become non-designated in VLAN Z

    Moved to root -inconsistent state

 

Once superior configuration BPDUs cease to be received on the blocked port, the switch restores the port as indicated by this message:

 

%SPANTREE-2-ROOTGUARDUNBLOCK: Port X/Y restored in VLAN Z

 

Resolution:

 

1) Enter the "show spanning-tree inconsistentports" command in order to display the list of interfaces with root guard inconsistencies.

 

2) Determine why devices connected to the listed portssend BPDUs with a superior root bridge and take action to prevent further occurrences. Once the BPDUs that falsely advertise a superior root bridge are stopped, the interfaces automatically recover and operate normally. Make sure that it is appropriate to have root guard enabled on the interfaces.

 

Note: This message is only generated once per second for each physical interface, not for each MST instance or VLAN. Although this message indicates a specific MST instance or VLAN, it could also apply to other MST instances or VLANs in the same physical interface.

 

For further assistance and support, use theTAC Service Request Tool in order topen a case with Cisco Technical Support.

Related Information:

Spanning Tree Protocol Root Guard Enhancement

Spanning Tree Protocol Problems and Related Design Considerations

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents