Root Guard will make sure you don’t accept a certain switch as a root bridge. BPDUs are sent and processed normally but if a switch suddenly sends a BPDU with a superior bridge ID you won’t accept it as the root bridge. Normally SW2 would become the root bridge because it has the best bridge ID, fortunately we have Root Guard on SW3 so it’s not going to happen!
Let me demonstrate this with the following topology:
Let me show you the configuration by using SW2 and SW3, first I will make sure that SW3 is NOT the root bridge:
SW2(config)#spanning-tree vlan 1 priority 4096
Now we’ll enable root guard on SW2:
SW2(config)#interface fa0/16 SW2(config-if)#spanning-tree guard root %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/16.
We get a nice notification message that it has been enabled. Let’s enable a debug so we can see what is going on:
SW2#debug spanning-tree events Spanning Tree event debugging is on
Now we’ll upset SW2 by changing the priority to the lowest value possible (0) on SW3. Normally it should now become the root bridge: