Root Guard Concept and Implementation
Published: 2017-07-01 (modified 2024-11-17)
Link: https://jay-miah.co.uk/index.php/559/
Categories: security, switching. Tags: spanning-tree, stp, root-guard.

Root Guard is a Layer 2 security mechanism designed to protect the “Root Bridge” and ensure it remains the “Root” in the spanning tree topology. Root Guard can protect against misconfigurations and mitigate man-in-the-middle (MiM) type attacks.

Let’s say that in the topology below “SW-1” has been elected as the “Root Bridge” with the default priority of 32768; however, its MAC address is lower than “SW-2”. What is there to prevent “SW-2”, or another switch plugged into the network with a lower “Bridge-ID”, from becoming the root? Nothing….

This can have severe consequences: if a misconfiguration occurs it will impact network performance; alternatively, a malicious user could perform a MiM type attack, making themselves the “Root Bridge” so that traffic is routed through them while they capture data.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-1.png]

Root Guard to the Rescue!

Root Guard says: if a superior BPDU (with a lower Bridge-ID) claiming to be the root bridge comes in on a port it is configured on, the switch places that port into a loop-inconsistent state (not err-disabled), preventing an STP topology change. The port remains down only for the switch or switches sending superior BPDUs on the violating port, until the issue is resolved or the device is restored as not being the root. Once superior BPDUs stop coming in, the connection is restored automatically.

Root Guard is normally configured on the root bridge itself, or on the distribution switches. Cisco recommends you put it on the root bridge and protect that guy. You could put it on access switches, but it all depends on how much you trust your admins.

Configuration Example

In the example below, “Core-SW” is the “Root Bridge” with a default priority of 32769 and a lower MAC address (ending in 0400). We will take a look at configuring “Root Guard” on the “Core-SW”; we will then manually configure “SW-1” with a lower “Bridge-ID” and observe how “Root Guard” behaves.

The topology has been set up using GNS3.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-2.png]

Step 1: Let’s verify the current STP topology.

Core-SW

#show spanning-tree

We can see that “Core-SW” is running RSTP, has a default priority of “32769” and a MAC address ending in “0400”; this switch is currently acting as the “Root Bridge”, and all ports are in a forwarding state.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-3.png]

SW-1

#show spanning-tree

“SW-1” is also running RSTP, has a default priority of “32769” and a MAC address ending in “0500”; this switch knows the “Root Bridge”, which is the “Core-SW”, and “E0/1” is its root port back to the “Root Bridge”.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-4.png]

Step 2: On both switches enable debugging for spanning-tree so that we can review this information later.

Core-SW

#debug spanning-tree events

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-5.png]

SW-1

#debug spanning-tree events

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-6.png]

Step 3: On the “Core-SW” configure “Root Guard” on interface “E0/0” to prevent superior BPDUs from being received on this interface.

#conf t

#int e0/0

#spanning-tree guard root

A syslog message will be displayed indicating that “Root Guard” has now been enabled.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-7.png]

Step 4: Configure “SW-1” with a lower spanning-tree priority of 4096 for the default VLAN 1.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-8.png]

#conf t

#spanning-tree vlan 1 priority 4096

Step 5: Let’s take a look on the “Core-SW”. As expected, “Root Guard” has blocked interface “E0/0”, as it has received a superior BPDU from “SW-1” on this port.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-9.png]

Let’s take a look at the STP topology; we should see no change.

#show spanning-tree

From the output below we can see that “Core-SW” is still the “Root Bridge”; however, interface “E0/0” has now been blocked by “Root Guard”.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-10.png]

Take a look at the debug messages on “SW-1”: we can see that upon setting its spanning-tree priority to 4096 it updated its role and became the “Root Bridge”, transitioning its “Root Port” to “Designated”. This has happened because the “Core-SW” blocked this device, and as “SW-1” has no communication with the “Core-SW”, it considers itself the “Root Bridge”.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-11.png]

Let’s take a look at the STP topology for “SW-1”.

#show spanning-tree

We can see that the “Root Bridge” is itself and all ports are now forwarding.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-12.png]

Step 6: Let’s restore the priority on “SW-1” and take a look at how “Core-SW” responds.

#no spanning-tree vlan 1 priority 4096

Instantly we can see debug messages, first setting itself back to the default priority and then updating its roles according to the superior BPDU received from “Core-SW”.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-13.png]

Let’s take a look at the debugging messages on “Core-SW”: we can see that “Root Guard” has stopped receiving superior BPDUs on interface “E0/0” and is therefore now unblocking the port. However, there seems to be a dispute; this is due to both switches having the default priority of “32769”. The switches resolve this dispute based on the lowest MAC address, which in this case is the “Core-SW”.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-14.png]

Let’s take a look at the STP topology on “Core-SW”.

#show spanning-tree

We can see that “Core-SW” is still the “Root Bridge” and “E0/0” is now forwarding again.

[Image: https://jay-miah.co.uk/wp-content/uploads/2024/11/word-image-559-15.png]