Root Guard is the third spanning-tree hardening feature, after PortFast and BPDU Guard. It prevents an interface from ever becoming a root port. If a switch on the other side of a Root-Guard-enabled port claims to be a better root (sends a superior BPDU), the port is moved to the "root-inconsistent" state (blocking) until the superior BPDUs stop. This lab configures Root Guard on SW1's uplinks and explains when to use it.
What you will learn
- What Root Guard does and how it differs from BPDU Guard
- When Root Guard triggers (root-inconsistent state)
- The canonical placement: uplinks from access switches towards the distribution layer
- How to configure on a single port and read its state
- How Root Guard recovers (automatically, unlike BPDU Guard)
What this lab does NOT cover
- Loop Guard (a defense against unidirectional link failures - different problem)
- BPDU Filter (silently drops BPDUs without err-disabling - rarely used)
Topology
Download the STP+VLAN Reference Lab .yaml
Three IOSvL2 switches in a triangle with VLANs 10/20/99, dot1q trunks, rapid-PVST root election (SW1 root, SW2 backup), and an LACP EtherChannel between SW1 and SW2.
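The trigger and automatic recovery described in the introduction, modelled as an added example (not part of the lab files or of IOS). The bridge priorities, MAC addresses, the `hold` timer value and all class and function names are constructed for illustration; a real port also steps through the normal STP states before it forwards again.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    # Field order is the STP comparison order: the lower tuple is the superior BPDU.
    root_id: tuple     # (priority, MAC) of the bridge claimed as root
    path_cost: int     # sender's cost to that root
    sender_id: tuple   # (priority, MAC) of the sending bridge
    port_id: int = 0


class RootGuardPort:
    """Simplified model of a designated port with Root Guard enabled."""

    def __init__(self, own_bpdu, hold=20):
        self.own = own_bpdu        # what this switch advertises on the port
        self.hold = hold           # seconds; constructed value, not a platform timer
        self.state = "forwarding"
        self.last_superior = None

    def receive(self, bpdu, now):
        # A superior BPDU would make this port a root port, so block it instead.
        if bpdu < self.own:
            self.state = "root-inconsistent"
            self.last_superior = now   # every superior BPDU restarts the wait
        return self.state

    def tick(self, now):
        # Automatic recovery once superior BPDUs have stopped for `hold` seconds.
        if self.state == "root-inconsistent" and now - self.last_superior >= self.hold:
            self.state = "forwarding"
        return self.state


def demo():
    sw1 = (24576, "5254.0000.0001")     # constructed bridge IDs: (priority, MAC)
    sw2 = (28672, "5254.0000.0002")
    rogue = (4096, "5254.0000.00ff")    # constructed switch claiming a better root
    port = RootGuardPort(Bpdu(sw1, 0, sw1, 1))
    return [
        port.receive(Bpdu(sw1, 4, sw2, 1), now=0),      # inferior: SW2 accepts SW1 as root
        port.receive(Bpdu(rogue, 0, rogue, 1), now=2),  # superior: port is blocked
        port.tick(now=10),                              # still inside the hold window
        port.tick(now=22),                              # superior BPDUs stopped: recovers
    ]


if __name__ == "__main__":
    print(demo())
```

Unlike BPDU Guard, the inferior BPDU from SW2 leaves the port untouched; only a BPDU that would win the root election blocks it.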