
What is Root Guard and how to configure Root Guard in Cisco Switches

Root Guard protects the Spanning Tree Protocol (STP) topology against an attack in which a rogue switch replaces the original Root Bridge. When a switch port with Root Guard enabled receives a superior BPDU (one advertising a better, i.e. lower, Bridge ID than the current Root Bridge) from a rogue switch, the port is moved into the root-inconsistent state, thus enforcing the position of the original Root Bridge. While the port is in the root-inconsistent state (similar to the STP listening state), no user data is sent via that port. Once the flow of superior BPDUs stops, the port automatically returns to the forwarding state. In other words, the Root Guard feature of Cisco switches prevents a Designated Port from becoming a Root Port.

The Root Guard feature should be enabled on switch ports that are connected to other switches which should never become the Root Bridge. For example, a port on a distribution layer switch that is connected to an access layer switch can have Root Guard enabled, because the access layer switch should never become the Root Bridge.
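The following Python simulation is an added example (not Cisco code) of the behaviour described above: a single port compares the Bridge ID carried in incoming BPDUs with the legitimate root's Bridge ID, blocks user data in the root-inconsistent state while superior BPDUs keep arriving, and recovers after they stop. The recovery delay is assumed to follow the STP Max Age timer (20 s), and the Bridge IDs and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# STP Bridge ID: 2-byte priority followed by the 6-byte MAC; the LOWER value wins.
def bridge_id(priority: int, mac: str) -> int:
    return (priority << 48) | int(mac.replace(":", "").replace(".", ""), 16)

@dataclass
class RootGuardPort:
    name: str
    root_id: int                 # Bridge ID of the legitimate Root Bridge
    guard: bool = True           # "spanning-tree guard root" configured on the port
    max_age: int = 20            # assumed: superior BPDU ages out after Max Age seconds
    state: str = "forwarding"
    last_superior_at: Optional[int] = None

    def receive_bpdu(self, advertised_root: int, now: int) -> str:
        if advertised_root < self.root_id:          # superior BPDU: claims a better root
            self.last_superior_at = now
            if self.guard:
                self.state = "root-inconsistent"   # block the port, keep the real root
            else:
                self.root_id = advertised_root     # no guard: rogue switch becomes root
        return self.state

    def tick(self, now: int) -> str:
        # Recover once no superior BPDU has been seen for longer than Max Age.
        if (self.state == "root-inconsistent" and self.last_superior_at is not None
                and now - self.last_superior_at > self.max_age):
            self.state = "forwarding"
        return self.state

    def forwards_user_data(self) -> bool:
        return self.state == "forwarding"

LEGIT_ROOT = bridge_id(4096, "00:00:0c:aa:aa:aa")   # constructed legitimate root
ROGUE_ROOT = bridge_id(0, "00:11:22:33:44:55")      # constructed rogue, priority 0

def simulate(guard: bool, seconds: int = 40) -> List[Tuple[int, str, int]]:
    """Constructed scenario: the rogue sends superior BPDUs at t=0..4, then stops.
    Returns (time, port state, root Bridge ID the switch believes in) per second."""
    port = RootGuardPort("Gi0/0", root_id=LEGIT_ROOT, guard=guard)
    log = []
    for t in range(seconds):
        if t <= 4:
            port.receive_bpdu(ROGUE_ROOT, t)
        port.tick(t)
        log.append((t, port.state, port.root_id))
    return log

if __name__ == "__main__":
    for t, state, root in simulate(guard=True):
        if t in (0, 4, 24, 25):
            print(f"t={t:2d}s state={state:18s} root={'legit' if root == LEGIT_ROOT else 'ROGUE'}")
```

With Root Guard the port stays root-inconsistent until t=25 s and the root never changes; without it the rogue Bridge ID is accepted as root at t=0 while the port keeps forwarding.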


How to configure Root Guard in Cisco Switches

To enable Root Guard on an interface, use the following commands.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#spanning-tree guard root
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1# 


To disable Root Guard on an interface, use the following commands.

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface giga 0/0
OmniSecuSW1(config-if)#no spanning-tree guard root
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1# 

