
# Root Guard

A change of the root switch in a spanning-tree topology can cause a network disruption and rerouting of traffic. Root guard was introduced to prevent this from happening.

When root guard is enabled on a port, the port ignores superior BPDUs and thus prevents a root bridge change.

If a superior BPDU is detected, the port will not accept the new root bridge and will go into the alternative role, thus not forwarding any traffic.\
If a BPDU with a lower bridge id is detected, the switch will participate normally in the spanning-tree topology.

The following log entries are created:

<figure><img src="/files/blyWAbPDV5DvMtnMOt1q" alt=""><figcaption></figcaption></figure>

As soon as the other bridge priority goes down, the port changes back to forwarding mode:

<figure><img src="/files/R0vqEdwxNus8VBVxdrbz" alt=""><figcaption></figcaption></figure>

A triggered root guard is also visible on the switch: the 'RG' flag is active on the affected port:

```
#diagnose stp instance list
--- cut ---

  CISCO_SW1          100M    200000     128        ALTERNATIVE  DISCARDING   2          EN RG 
  CISCO_SW2          100M    200000     128        ALTERNATIVE  DISCARDING   2          EN RG 
  SW1                2G      1          128        ROOT         FORWARDING   2          EN 

  Flags: EN(STP enable), ED(Edge), LP(Loop Protection Triggered)
  RG(Root Guard Triggered), BG(BPDU Guard Triggered), IC(PVST Port Inconsistent)
  MV(PVST Port Vlan Mismatch)

--- cut ---
```
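One way to pick triggered guard flags out of this output for monitoring, as an added example (not part of the original page or of FortiSwitch tooling). The column positions are an assumption taken from the three sample rows above, and the function names are hypothetical.

```python
"""Report STP ports whose guard features have triggered, based on
`diagnose stp instance list` output. Column layout is assumed from the sample."""

# Flag meanings copied from the legend the switch prints.
TRIGGER_FLAGS = {
    "RG": "Root Guard Triggered",
    "BG": "BPDU Guard Triggered",
    "LP": "Loop Protection Triggered",
    "IC": "PVST Port Inconsistent",
    "MV": "PVST Port Vlan Mismatch",
}
KNOWN_FLAGS = set(TRIGGER_FLAGS) | {"EN", "ED"}

# Rows copied from the output shown on this page.
SAMPLE = """\
--- cut ---
  CISCO_SW1          100M    200000     128        ALTERNATIVE  DISCARDING   2          EN RG
  CISCO_SW2          100M    200000     128        ALTERNATIVE  DISCARDING   2          EN RG
  SW1                2G      1          128        ROOT         FORWARDING   2          EN
  Flags: EN(STP enable), ED(Edge), LP(Loop Protection Triggered)
--- cut ---
"""

def parse_ports(output):
    """Return one dict per port row; legend and separator lines are skipped."""
    ports = []
    for line in output.splitlines():
        t = line.split()
        # Assumed layout: name, speed, cost, priority, role, state, <n>, flags...
        if len(t) < 7 or not (t[2].isdigit() and t[3].isdigit()):
            continue
        if not (t[4].isalpha() and t[5].isalpha()):
            continue
        flags = [f for f in t[7:] if f in KNOWN_FLAGS]
        ports.append({"port": t[0], "role": t[4], "state": t[5], "flags": flags})
    return ports

def triggered(ports):
    """Return (port, state, reasons) for every port with a triggered guard flag."""
    alerts = []
    for p in ports:
        reasons = [TRIGGER_FLAGS[f] for f in p["flags"] if f in TRIGGER_FLAGS]
        if reasons:
            alerts.append((p["port"], p["state"], reasons))
    return alerts

if __name__ == "__main__":
    for port, state, reasons in triggered(parse_ports(SAMPLE)):
        print(f"{port}: {state} ({', '.join(reasons)})")
```
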

Deploy root guard on ports where you do not expect to see any BPDUs from a switch that could attempt to become the root bridge.

It is typically used on ports leading toward access layers or edge parts of the network, where you want to ensure the core or distribution layer remains the STP root.

At its core, Root Guard serves to protect the status of the existing root bridge, ensuring that the structure of the STP topology remains intact against unforeseen changes from new root bridges.

On the other hand, BPDU Guard primarily focuses on the overall integrity of the network. It does this by swiftly disabling any ports that detect the presence of unexpected devices, particularly those that might be transmitting BPDUs.

