Unit 1: Network Infrastructure
This unit will allow you to demonstrate your networking skills, knowledge, and abilities, with a focus on the enterprise-level switching, routing, and multicast components that support cross-platform (inter)operability and integration with the most recent software-defined technologies.
Spanning tree root guard is a security feature that is configured at the port level. A port with root guard enabled does not accept superior BPDUs, that is, claims from other non-root bridges that they are the new root bridge. Root guard does more than reject these BPDUs: it also places the receiving port in a state called “root-inconsistent,” which is essentially a listening mode. While an interface is in the root-inconsistent state, no data will be sent through it.
Once the port stops receiving superior BPDUs from the other device, it should become active again; until then, it stays in the root-inconsistent state.
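The behaviour described above, modelled as a small Python state machine. This is an added example, not code from the course or from any switch vendor; the class and function names, the bridge IDs, and the 20-second hold time (the 802.1D default max age) are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_AGE = 20  # seconds; assumed hold time (the 802.1D default max age)

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # lower value wins the root election
    mac: str       # tie-breaker, lower value wins

class RootGuardPort:
    """Models one root-guard-enabled port (hypothetical class, not vendor code)."""

    def __init__(self, name, current_root):
        self.name = name
        self.current_root = current_root
        self.state = "forwarding"
        self.last_superior = None  # time of the most recent superior BPDU

    def receive_bpdu(self, now, advertised_root):
        # A BPDU is superior when it advertises a better (lower) root bridge ID.
        if advertised_root < self.current_root:
            self.state = "root-inconsistent"
            self.last_superior = now  # every superior BPDU restarts the hold time
        return self.state

    def tick(self, now):
        # The port recovers only after superior BPDUs have stopped for MAX_AGE seconds.
        if self.state == "root-inconsistent" and now - self.last_superior >= MAX_AGE:
            self.state = "forwarding"
            self.last_superior = None
        return self.state

def simulate():
    # All bridge IDs below are constructed sample values.
    root = BridgeID(4096, "00:00:00:aa:aa:aa")
    claimant = BridgeID(0, "00:00:00:bb:bb:bb")       # advertises a better priority
    inferior = BridgeID(32768, "00:00:00:cc:cc:cc")
    port = RootGuardPort("1/1/10", root)
    return [
        (0, port.receive_bpdu(0, inferior)),   # not superior: port keeps forwarding
        (2, port.receive_bpdu(2, claimant)),   # superior: port is blocked
        (4, port.receive_bpdu(4, claimant)),   # still arriving: hold time restarts
        (10, port.tick(10)),                   # only 6 s of silence: still blocked
        (24, port.tick(24)),                   # 20 s of silence: port recovers
    ]

if __name__ == "__main__":
    for t, state in simulate():
        print(f"t={t:>2}s  {state}")
```

The run shows why a port that stays root-inconsistent indicates that superior BPDUs are still arriving on it: each one restarts the hold time, so the port cannot recover until the sending device stops or is removed.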
In the absence of safeguards such as root guard, BPDU filter, and BPDU guard, your network is left more open to infiltration by attackers.
Spanning Tree Root Guard Configuration
Thankfully, setting up root guard is pretty simple. To begin, you will only need a few things:
- Access to the switch(es) where you want to enable spanning tree root guard.
- Knowledge of the interface(s) where you want to enable spanning tree root guard.
Enter the following commands into your switch once you’re ready:
Switch# configure terminal
Switch(config)# interface 1/1/10
Switch(config-if)# spanning-tree rootguard
Troubleshooting Root Guard
As with any other technology, you may run into problems when implementing or using root guard. One of the most common is a consequence of spanning tree root guard moving a port from an active state to the root-inconsistent state, which prevents traffic from being forwarded.
Keep in mind that a port should be in the root-inconsistent state only while it is receiving superior BPDUs. You can verify the status of your ports with a number of different commands; however, we will discuss just a couple of them here: