This is a question on how Spanning-Tree Root Guard works.
First, root bridges are elected (or selected) on a per-VLAN basis. But Root Guard is implemented on a trunking port without any VLAN information. So, how does root guard know which VLAN to protect?
What if you have several VLANs and you want a different switch to be the root for each VLAN? Root Guard won't know which VLAN to protect?
Am I missing something? If anyone has an explanation, I would love it. Thanks.
As I understand it, the root guard feature is not meant to be implemented on trunk ports that are under your own administrative control, but rather on edge ports connecting e.g. an ISP to external devices. Since root guard applies to all VLANs, it would block a trunk port trying to become the root port. I guess the idea is that you, as the administrator of your network, need to be protected against external switches trying to become the root, but that your internal STP configuration should not be affected...
GP, thanks for the information. I really don't like this command because in the Cisco text I can find, they only give examples of its use within a 3 or 4 switch network, and mention nothing about proper use of it within VLANs.
Anyway, thanks again.
Rootguard can only be configured per port, but it is applied on a per instance basis. So basically, if rootguard is configured on a trunk, only VLANs receiving superior information would be blocked (assuming you are running PVST).
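The per-instance behaviour described in the last reply, as an added example that is not part of the original thread: a simplified Python model of one root-guard trunk port under PVST, with a different root per VLAN. The bridge IDs, VLAN numbers, function name and the state labels other than root-inconsistent are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as (priority, MAC); the lower value is the superior one."""
    priority: int  # bridge priority plus the VLAN's extended system ID
    mac: str       # tie-breaker; lower-case hex assumed so string order works

def root_guard_states(current_roots, received_bpdus, guard_enabled=True):
    """Per-VLAN state of one trunk port after BPDUs arrive on it (simplified).

    current_roots:  {vlan: BridgeId} root this switch currently accepts per VLAN
    received_bpdus: {vlan: BridgeId} root ID advertised in BPDUs on this port
    """
    states = {}
    for vlan, known_root in current_roots.items():
        advertised = received_bpdus.get(vlan)
        if advertised is None or not advertised < known_root:
            # No superior BPDU in this STP instance: the guard does nothing.
            states[vlan] = "unaffected"
        elif guard_enabled:
            # Superior BPDU: the port is blocked for this VLAN only.
            states[vlan] = "root-inconsistent"
        else:
            # Without the guard the port would accept the new root.
            states[vlan] = "accepts-new-root"
    return states

# Constructed sample: each VLAN has its own intended root bridge.
CURRENT_ROOTS = {
    10: BridgeId(4096 + 10, "00aa.0000.0001"),
    20: BridgeId(4096 + 20, "00aa.0000.0002"),
    30: BridgeId(4096 + 30, "00aa.0000.0003"),
}
# Constructed BPDUs seen on the guarded trunk: superior only in VLAN 20.
RECEIVED = {
    10: BridgeId(32768 + 10, "00bb.0000.0009"),  # inferior to VLAN 10's root
    20: BridgeId(0 + 20, "00bb.0000.0009"),      # superior to VLAN 20's root
}

if __name__ == "__main__":
    for vlan, state in root_guard_states(CURRENT_ROOTS, RECEIVED).items():
        print(f"VLAN {vlan}: {state}")
```

On a Cisco switch the guard is enabled with `spanning-tree guard root` under the interface, and `show spanning-tree inconsistentports` lists the VLANs currently held in the inconsistent state on each port.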