CCNA Basics: What is Root Guard?

What is Root Guard?

Root Guard is designed to prevent an undesirable root bridge from appearing on the network and triggering re-convergence. It works per port. If a switch receives a superior BPDU (one with a better bridge ID) on a port with Root Guard enabled, that port is placed into a special root-inconsistent state. While in this state, the port stops sending and receiving regular data but continues to listen for BPDUs.


How Root Guard Works

If a port configured with root guard receives a superior BPDU, the switch moves that specific VLAN on that port into the root-inconsistent state, which effectively stops all traffic for that VLAN through the port. Because of this, you need to be very careful where you place root guard: consider not only the normal topology but also what would happen if your primary root bridge goes down.

The safest approach is to configure root guard only on the primary root bridge. That avoids a scenario where the root bridge goes down and root guard happens to be configured on the only port leading to the new root bridge.

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic: recovery occurs as soon as the offending device ceases to send superior BPDUs.

The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state.

Note: Root guard is best deployed on ports that connect to switches which should not be the root bridge.

The Root Guard feature can be enabled on all switch ports in the network off of which the root bridge should not appear. Root guard protects the root bridge from being changed by another switch without administrator permission.

If you manage all the switches you do not need root guard, because you can just set the switch priorities. Root guard is needed when you connect a network that you manage to one that you do not.
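The behaviour described above, as an added illustration that is not from the original post: a small Python model of one root-guarded port. It assumes BPDU superiority is judged only by root bridge ID, that state is tracked per VLAN (as in PVST+), and that recovery happens once the superior BPDU stops and ages out after the STP Max Age of 20 seconds.

```python
from dataclasses import dataclass, field

MAX_AGE = 20  # STP Max Age (seconds): a stored BPDU expires after this long


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: lower priority wins, then the lower MAC breaks the tie."""
    priority: int
    mac: str


@dataclass
class RootGuardPort:
    """Simplified model of one switch port with root guard (per-VLAN, as in PVST+)."""
    name: str
    current_root: dict                                  # vlan -> BridgeId of the known root
    inconsistent: dict = field(default_factory=dict)    # vlan -> time superior BPDU last seen

    def receive_bpdu(self, vlan: int, root_id: BridgeId, now: int) -> str:
        """Process a BPDU received for one VLAN; return the port state for that VLAN."""
        if root_id < self.current_root[vlan]:
            # Superior BPDU on a guarded port: block only this VLAN, keep listening.
            self.inconsistent[vlan] = now
            return "root-inconsistent"
        return self.state(vlan, now)

    def state(self, vlan: int, now: int) -> str:
        """Recovery is automatic once the superior BPDU stops and ages out."""
        seen = self.inconsistent.get(vlan)
        if seen is not None and now - seen < MAX_AGE:
            return "root-inconsistent"
        self.inconsistent.pop(vlan, None)
        return "forwarding"


def demo() -> list:
    """Walk through the scenario; all bridge IDs below are constructed sample values."""
    root = BridgeId(4096, "0000.0000.0001")   # our intended root bridge
    port = RootGuardPort("Gi1/0/24", current_root={10: root, 20: root})
    normal = BridgeId(32768, "0000.0000.0002")  # ordinary downstream switch
    rogue = BridgeId(0, "0000.0000.00ff")       # switch claiming priority 0
    return [
        port.receive_bpdu(10, normal, now=0),  # inferior BPDU: port stays forwarding
        port.receive_bpdu(10, rogue, now=1),   # superior BPDU: VLAN 10 blocked
        port.state(20, now=1),                 # VLAN 20 on the same port is unaffected
        port.state(10, now=10),                # still blocked while the BPDU is fresh
        port.state(10, now=25),                # rogue went quiet: recovered after Max Age
    ]
```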

Configuring Root Guard

Root Guard is enabled manually on each port where it’s needed. It’s disabled by default. We can enable it per interface with the following command in interface configuration mode:

Switch(config-if)# spanning-tree guard root

We can check whether any ports are in the root-inconsistent state with the following command:

Switch# show spanning-tree inconsistentports