Spanning-Tree RootGuard

Hi Rene

I have two psyhical links connected to the core switch in port-channel with multiple vlans. How should I configure rootguard? On vlans, psyhical links or directly on port-channel?

Hello Serveradmin

Take a look at this post:

If you have further questions, let us know!

I hope this has been helpful!


Hi Team ,

This feature works only if switch with high priority is connected directly to root switch port or even if the high priority switch is connected via another switch in path to the root switch ?


Hello Ziad

This feature will only affect the local switch. If it is configured on a specific interface, any superior BPDUs received on that interface will be disregarded and will not change the currently defined root bridge within the local switch.

Now this feature can be configured on the root bridge itself, or on other switches downstream. In any case, once a superior BPDU is seen on such an interface, it will block that particular VLAN. That means that such BPDUs are not sent upstream to the root bridge, but are blocked there.

So the feature will activate at the local switch, but will not allow the BPDUs to be further propagated.

I hope this has been helpful!


Hi All,
Any command can show interface guard root enable?

Hello Chun

There are two ways to see if root guard is employed on an interface. The first is to use the following command:

SW1#show spanning-tree interface gigabitEthernet 0/1 detail

A sample output from this command can be seen below:

 Port 2 (GigabitEthernet0/1) of VLAN0001 is designated forwarding 
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32769, address 5254.000c.f48d
   Designated bridge has priority 32769, address 5254.000c.f48d
   Designated port id is 128.2, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Root guard is enabled on the port
   BPDU: sent 936, received 1

Notice on the second last line, it states that Root guard is enabled on the port.

The other way to check is to simply look at the running config like so:

SW1#show running-config interface gigabitEthernet 0/1
Building configuration...

Current configuration : 95 bytes
interface GigabitEthernet0/1
 negotiation auto
 no cdp enable
 spanning-tree guard root


You can see that the spanning-tree guard root command is in the configuration of the interface.

I hope this has been helpful!


I’m using two backbones and I’m using HSRP.
Is there any problem if I set the guard root on the interface Vlan of Backbone 1 and Backbone 2?

Hello YongHun

I haven’t completely understood your topology. I assume that you want one of the two HSRP switches to be the root bridge for half of the VLANs being served, and the other to be the root bridge for the other half.

In any case, keep in mind that Root Guard should be applied to Layer 2 interfaces, specifically on the switch ports that are connected to other switches. It is not applicable to SVIs since SVIs are associated with Layer 3 functionality.

If you share a little bit more about your topology, and let us know some more about what you want to achieve, we may be able to help you further.

I hope this has been helpful!