What is the Spanning Tree Root Guard?

Quick Definition: Spanning tree root guard is a security feature network engineers and administrators can enable to protect the root bridge’s (switch) status. This feature helps protect the network from rogue switches becoming the root bridge in an attempt to conduct malicious activities.

Who doesn’t enjoy more efficient, more secure networking? That’s what you get with spanning tree protocol (STP) root guard, also simply referred to as spanning tree root guard or STP root guard. STP root guard improves upon a weakness of the standard spanning tree protocol, which does not allow for the enforcement of network topology. 

More specifically, the STP root guard protects the assigned root bridge from being overridden, and a new root bridge from being assigned.  In this article, we'll gain a deeper understanding of the purpose and uses of spanning tree root guard. We’ll look at the benefits of STP root guard and briefly mention similar concepts. We'll also walk through the basics of configuring STP root guard, and troubleshooting issues that may arise. 

Spanning Tree Protocol (STP): A Definition

To understand STP root guard and its uses, we must first understand the spanning tree protocol. Although many network technology vendors had implemented similar safeguards, the spanning tree protocol was formally adopted when the Institute of Electrical and Electronics Engineers (IEEE) published a set of standards (802.1D) to address the prevention of infinite network loops. 

To analogize spanning tree protocol, think of it like a phone-call notification tree: the “root” of the tree calls two people, who then each call two more people, and so on until there are no more people left to call. The first caller would know when everyone has been called once they receive notification from the people at the very end of their tree, and that would be the end of the phone calls. 

Now imagine if the first caller wasn’t aware they were the first caller, and began calling the next two people on the list again. That continuous loop is what would happen if the spanning tree protocol did not assign a root bridge (switch) within the network.

Part of the boot process for switches includes sending what are called bridge protocol data units, or BPDUs, which are used to detect topology loops within a local area network (LAN).

BPDUs contain valuable information such as the switch’s MAC address, ports, bridge ID (BID), and more. The BID consists of a switch’s MAC address and priority value and is used to establish the root bridge on the network. The switch with the lowest BID on the network is designated as the root bridge. Think of it like the switches drawing straws, but in this scenario, the shortest straw is the winner. 

So how do we make sure the root bridge stays the root bridge and everything works smoothly? Although this article focuses on spanning tree root guard, it’s also worth mentioning BPDU guards and BPDU filters as additional security measures. Because the root bridge relies on BPDUs to designate a root bridge, it makes sense that we can block further transmission of BPDUs once the root bridge has been assigned. 

The BPDU filter function restricts the transmission of BPDUs to a switch, whereas the BPDU guard function prevents the receipt of BPDUs directly at the switch. Let’s use the example of a package delivery service as a non-technical example: BPDU filtering would be the equivalent of removing a specific destination from a delivery route, and BPDU guard would be the equivalent of not being able to deliver to a specific address because of a gate blocking the path. 

What is Spanning Tree Root Guard?

Now that we understand more about spanning tree protocol and some of the other protections available, we’ll cover spanning tree root guard in more detail. We’ve already established the need for a root bridge (switch), which is to prevent infinite loops, but we need to protect that root bridge and ensure it remains the root. 

Transferring from one root bridge to another leads to temporary outages, and can even be a security risk depending on which device is attempting to become the new root bridge. Remember, a switch is designated a root bridge because it has the lowest BID, which consists of a MAC address and a priority level, both of which can be altered. 

Spanning tree root guard is a security feature that is configured at the port level, and works by ensuring enabled ports don’t accept superior BPDUs, or claims from other non-root bridges that they are the new root bridge. Not only does spanning tree root guard not accept superior BPDUs, but it also places the receiving port in a root-inconsistent state, which is essentially a listening mode. No traffic will be forwarded through an interface in a root-inconsistent state. 

A port will remain in a root-inconsistent state so long as it is receiving superior BPDUs from another device and should become active again once the receipt of superior BPDUs stops. This security feature is especially useful when protecting your organization from rogue devices, particularly rogue switches. 

The last thing your organization needs is for a rogue (often malicious) switch to become your environment’s root bridge and cause all types of havoc, which is why spanning tree root guard is so important. Without protections like root guard, BPDU filter, and BPDU guard, your network becomes more susceptible to attackers gaining a foothold within your environment. 

How to Configure Spanning Tree Root Guard

Thankfully, configuring spanning tree root guard is fairly easy. You'll only need a few items to get started:

• Proper access to the switch(es) on which you intend to enable spanning tree root guard.

• Knowledge of the interface(s) on which you intend to enable spanning tree root guard.

Once you’re ready and logged into your switch, type the following commands:

A couple of notes on these commands: You'll need to replace the interface within “interface 1/1/1” with the interface(s) you are configuring. 

Additionally, you should verify the exact commands with the version of the switch you are working with. “spanning-tree rootguard” may work, or you may need to enter “spanning-tree root-guard”, “spanning-tree root”, or something else. 

How to Troubleshoot Spanning Tree Root Guard

As with any technology, you may experience some issues when implementing or using root guard. One of the most common issues you will experience with root guard is the result of spanning tree root guard moving a port from an active state to a root-inconsistent state which will not forward traffic. 

Remember, a port should only be in a root-inconsistent state when receiving superior BPDUs. There are several commands you can use to check the status of your ports, but we’ll cover a couple:

• “show spanning-tree vlan # summary” (where # is replaced with the vlan number you wish to check)

• “show spanning-tree vlan #” (where # is replaced with the vlan number you wish to check)

In either case, ports that are blocked by the root guard will display the message “ROOT_Inc”, indicating the port is blocked because of the root guard.

What are Best Practices for Spanning Tree Root Guard?

One of the best things you can do with spanning tree root guard is to enable it. It’s disabled by default, which means your network’s root bridge is susceptible to losing its root status to another, possibly rogue, device. 

Root bridge transfers can lead to network latency, temporary network outages, and more malicious activity if the new root bridge is a rogue switch trying to gain a foothold in your environment. Just by enabling root guard, you're taking a step to improve your network’s security. 

Another best practice is to specify your root bridge rather than letting the network choose for you. Your root bridge should be selected based on your network topology and typically involves some strategizing since you want to optimize your network. Since you now know root bridges are selected based on BID, which consists of MAC address and priority, you should also know you can change the priority of the switch you want to be your network’s root bridge. 

You should consider a switch’s capabilities when selecting your root bridge. Selecting a switch with limited resources and slow speeds can slow down your entire network. An even more disastrous scenario is if a poorly selected root bridge goes offline, your network would have to assign a new root bridge, which may lead to additional issues.

Conclusion

Spanning tree root guard is probably one of the easiest security and optimization features to implement and troubleshoot, especially considering the types of risks it protects against. Once configured, which is as simple as one command, the spanning tree root guard works by rejecting superior BPDUs sent from other switches attempting to become the root bridge. 

Although this rejection restricts the use of the port receiving superior BPDUs for the duration of the attempt by placing it into a root-inconsistent state, the port should self-correct once the attempted transmission of superior BPDUs ends. In the event you need to troubleshoot, you’ll know the STP root guard is the culprit when you see “ROOT_Inc” listed next to the non-transmitting port.