Root Guard is a mechanism that allows the administrator to control where candidate root bridges can be connected to the network, it will basically prevent the wrong switch (say a random one just added) from becoming the root bridge.  If a Rood guard port receives a BPDU that might cause the sender to become the root bridge the port is placed into “root-inconsistent” state and traffic does not pass traffic through it.  When the port stops receiving these BPDUs it automatically re-enables itself (going through the normal STP states).

In essence root guard designates that a port can only relay BPDUs and not receive them. The port can never become a root port that would normally only receive BPDUs.

Root Guard is generally configured on the distribution switch ports facing the access switches or service provider switches that have customer switches attached. When enabled on an interface it applies to all the VLANS to which the interface belongs.

Do not enable root guard on the same interface that uses UplinkFast, also you cannot enable both root guard and loop guard at the same time.

SNMP and Syslog

Coming soon(ish)


  • (conig-if)# spanning-tree guard root  !enabled on a per port basis
  • show spanning-tree inconsistent ports

Lab Example

As opposed to reinventing the wheel for the labs Rene Molenaar over at GNS3Vault does a good job;


  • Cisco Website
  • CCNP Switch: Cert Kit – Cisco Press
  • Designing Cisco Network Service Architectures (ARCH) – Cisco Press
  • CCNP BCMSN: Exam Certification Guide – Cisco Press