Denying a port the role of root port

Syntax:


spanning-treeport-list root-guard

When a port is enabled as root-guard, it cannot be selected as the root port even if it receives superior STP BPDUs. The port is assigned an "alternate" port role and enters a blocking state if it receives superior STP BPDUs.

A superior BPDU contains both "better" information on the root bridge and path cost to the root bridge, which would normally replace the current root bridge selection.

The superior BPDUs received on a port enabled as root-guard are ignored. All other BPDUs are accepted and the external devices may belong to the spanning tree as long as they do not claim to be the Root device.

Use this command on MSTP switch ports that are connected to devices located in other administrative network domains to:
  • Ensure the stability of the core MSTP network topology so that undesired or damaging influences external to the network do not enter.

  • Protect the configuration of the CIST root bridge that serves as the common root for the entire network.

Default: Disabled