Spanning-tree Rootguard contradiction


I’ve come across some info while doing CCNP labs which kinda contradicts what i’ve learned in CCNA. Here goes: “Inside your network, using rootguard would actually be harmful. Your network can be considered trustworthy and there is no rogue root switch to protect against. Using rootguard in your own network would cause it to be unable to converge on a new workable spanning-tree if any of the primary links failed, and it would also prevent your network from converging to a secondary root switch if the primary root switch failed entirely.”

The way i would implement it is to configure rootguard on my root bridges downstream ports since theres always the possibility of users bringing a switch which unintentionally becomes root, or adding an old switch to the production network. Above says not to implement rootguard. Could somebody maybe clarify ? Thankyou!


Hello Timo

Networking approaches to various topics and configurations can vary widely. The opinions of networking professionals and even vendors themselves can easily become contradictory. For the specific situation, it is first a good idea to fully understand the feature in question.

Rootguard is useful when you want to ensure that a specific switch will become the STP root bridge. The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position. But there is no guarantee against a bridge with a priority of 0 and a lower MAC address.

The root guard feature provides a way to enforce the root bridge placement in the network.

Now it is a matter of opinion to say that if you actually need to use rootguard, then you don’t have full control of your network. If you are in a completely controlled environment, then it won’t be necessary. If however there is the chance that an employee may bring in a switch with a sufficiently small MAC address and connect it to the network thus making it the new STP root bridge causing STP to reconverge, then rootguard should be used. Rootguard is also especially important in networks with shared administrative control, where different administrative entities or companies control one switched network. Does that mean that your network is not trustworthy? No, but just that the arrangement is such that there is an increase in risk of some changes being made that will affect your STP convergence.

Now as for this comment:

If rootguard is correctly implemented, then this statement is false. Rootguard is implemented on a per port basis. You must enable root guard on all ports where the root bridge should not appear. In a way, you can configure a perimeter around the part of the network where the STP root bridge is able to be located. This does not block STP from re-converging in case of a failure, but just limits the candidate root bridges that can be selected.

You can find out more about the rootguard feature at this Cisco documentation:

I hope this has been helpful!


1 Like