Perhaps you are thinking that should a user plug in a switch that has a superior Bridge ID to the Core’s, then all users will be affected by the Root Guard putting the Access layer’s connection to the Distribution layer in “Root inconsistent” state?
This won’t happen if you do as Rene suggested and make sure that all of your user facing ports on the Access switches have BPDU guard enabled. If you do that, then any BPDU received, whether it is superior or inferior, will trigger that port to go into an err-disabled state. Think of Root Guard as being a special type of BPDU Guard.
Configuring it this way, however, doesn’t prevent a scenario where a non-desirable Root Bridge could be elected at the Distribution layer.
Some examples of this:
- A new Distribution switch is plugged in with a superior BPDU and changes the entire spanning-tree topology.
- A Core switch fails, but an existing Distribution switch now has the superior Bridge ID.
In either case, your root bridge would not be at the core layer, which would result in inefficient traffic patterns. To stop this from happening, you must set your switch priorities correctly, but the Root Guard feature acts as a final measure of protection.
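The port reactions and root elections described in the post above, modeled as an added example that is not part of the original post. The switch names, priorities, MAC addresses and the `on_bpdu`/`elect_root` helpers are constructed for illustration, and the model simplifies real STP to the Bridge ID comparison only.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # compared first; lower is superior
    mac: str       # tie-breaker; same-format lowercase hex so string order works

def elect_root(bridges):
    """Root bridge = the lowest (most superior) Bridge ID among live switches."""
    return min(bridges, key=bridges.get)

def on_bpdu(guard, current_root, advertised_root):
    """Port state after receiving a BPDU, per the guard configured on that port."""
    superior = advertised_root < current_root
    if guard == "bpduguard":
        return "err-disabled"  # any BPDU at all, superior or inferior
    if guard == "rootguard":
        return "root-inconsistent" if superior else "unchanged"
    return "accepts-new-root" if superior else "unchanged"

# Constructed topology: priorities and MACs are made-up sample values.
tuned = {
    "core":  BridgeID(4096,  "0000.0c00.00c1"),
    "dist1": BridgeID(8192,  "0000.0c00.00d1"),
    "dist2": BridgeID(12288, "0000.0c00.00d2"),
}
defaults = {name: BridgeID(32768, bid.mac) for name, bid in tuned.items()}
rogue = BridgeID(0, "0000.0c00.0bad")        # user-attached switch, superior ID
inferior = BridgeID(32768, "0000.0c00.0aaa")  # user-attached switch, inferior ID

def scenarios():
    root = tuned["core"]
    out = {g: on_bpdu(g, root, rogue) for g in ("bpduguard", "rootguard", "none")}
    out["inferior_on_bpduguard"] = on_bpdu("bpduguard", root, inferior)
    out["inferior_on_rootguard"] = on_bpdu("rootguard", root, inferior)
    # Core fails: tuned priorities decide which distribution switch takes over.
    survivors = {k: v for k, v in tuned.items() if k != "core"}
    out["root_after_core_fail_tuned"] = elect_root(survivors)
    # All-default priorities: a new switch with the lowest MAC becomes root.
    grown = dict(defaults, dist_new=BridgeID(32768, "0000.0c00.0001"))
    out["root_defaults_new_switch"] = elect_root(grown)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```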