Spanning-Tree Guard Root Command on CISCO Router/Switch

Apr 25, 2018 Last Updated: Apr 25, 2019 CCNA Study Guide No Comments
Tweet Share Pin it

Command

Spanning-Tree Guard Root

Use

This command will disable any port that a superior BPDU is received on. This is done to ensure a switch will remain root at all times.

Syntax

Switch(config-if)#spanning-tree guard root

Example

Spanning-Tree Guard Root Command on CISCO Router/Switch 1

In the below example we will configure SW1’s trunk ports to use root guard. First, we will ensure SW1 is root for all possible VLANs

SW1(config)#spanning vlan 1-4094 root primary

SW1(config-if)#do sh spanning vlan 10

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0012.00cb.6c80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 0012.00cb.6c80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg LRN 19 128.2 P2p 
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/5 Desg FWD 19 128.5 P2p
Fa0/8 Desg FWD 19 128.8 P2p
Fa0/9 Desg FWD 19 128.9 P2p
Fa0/10 Desg FWD 19 128.10 P2p
Fa0/19 Desg FWD 19 128.19 P2p

Next we will configure root guard on the trunk ports.

SW1(config)#int ra fa0/19-24
SW1(config-if-range)#spanning guard root
SW1(config-if-range)#
10:02:52: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/19.
10:02:52: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/20.
10:02:52: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/21.
10:02:52: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/22.
10:02:52: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/23.
10:02:52: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/24.

Now we will configure SW2 to become root for all ports.

SW2(config)#spanning vlan 1-4094 root primary

Notice that SW1 is now blocking the trunk ports.

10:08:26: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/23 on VLAN0001.
10:08:28: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/21 on VLAN0017.
SW1(config)#do show spanning vlan 10

VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 0019.060c.4f80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24586 (priority 24576 sys-id-ext 10)
Address 0019.060c.4f80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
—————- —- — ——— ——– ——————————–
Fa0/19 Desg BKN*19 128.21 P2p *ROOT_Inc
Fa0/20 Desg BKN*19 128.22 P2p *ROOT_Inc
Fa0/21 Desg BKN*19 128.23 P2p *ROOT_Inc
Fa0/22 Desg BKN*19 128.24 P2p *ROOT_Inc
Fa0/23 Desg BKN*19 128.25 P2p *ROOT_Inc
Fa0/24 Desg BKN*19 128.26 P2p *ROOT_Inc
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x