Enables guard root, which restricts which interface is allowed to be the spanning tree root port or the device's path to the root.
Guard root is disabled.
Interface configuration mode
Guard root protects the root bridge from malicious attacks and unintentional misconfigurations in which a bridge device that is not intended to be the root bridge becomes the root bridge, which causes severe bottlenecks in the data path. Guard root ensures that the port on which it is enabled is a designated port. If a port with guard root enabled receives a superior Bridge Protocol Data Unit (BPDU), it goes to a discarding state.
If the VLAN parameter is not provided, the guard root functionality is applied globally to all per-VLAN instances. For VLANs that have been configured explicitly, however, the per-VLAN configuration takes precedence over the global configuration.
The root port provides the best path from the switch to the root switch.
To enable guard root:
device# configure terminal
device(config)# interface ethernet 1/5
device(conf-if-eth-1/5)# spanning-tree guard root
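The behavior described in the usage guidelines above, modeled as an added Python example (not vendor code and not a device API): a guarded port compares a received BPDU with the one it advertises, goes to discarding when the received one is superior, and resolves the per-VLAN setting before the global one. The class and field names, the state labels other than discarding, and the bridge IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True, order=True)
class Bpdu:
    """STP priority vector. Fields compare in order; the lower vector is superior."""
    root_priority: int
    root_mac: int
    root_path_cost: int
    sender_priority: int
    sender_mac: int
    sender_port: int

@dataclass
class GuardedPort:  # hypothetical model, not a device API
    name: str
    advertised: Bpdu                 # what this designated port sends
    guard_all_vlans: bool = False    # command entered without the VLAN parameter
    guard_per_vlan: dict = field(default_factory=dict)  # explicit per-VLAN settings

    def guard_enabled(self, vlan: int) -> bool:
        # Explicit per-VLAN configuration takes precedence over the global one.
        return self.guard_per_vlan.get(vlan, self.guard_all_vlans)

    def receive(self, vlan: int, bpdu: Bpdu) -> str:
        """Port state for this VLAN instance after one received BPDU."""
        if not bpdu < self.advertised:
            return "designated"          # inferior BPDU: nothing changes
        if self.guard_enabled(vlan):
            return "discarding"          # superior BPDU refused by guard root
        return "root-port-candidate"     # unguarded: sender may become the path to root

# Constructed sample values: this switch is the intended root (priority 4096).
SELF_MAC, ROGUE_MAC, EDGE_MAC = 0x00005E005301, 0x00005E0053FF, 0x00005E005310
OWN = Bpdu(4096, SELF_MAC, 0, 4096, SELF_MAC, 5)
SUPERIOR = Bpdu(0, ROGUE_MAC, 0, 0, ROGUE_MAC, 1)          # claims a better root
INFERIOR = Bpdu(32768, EDGE_MAC, 0, 32768, EDGE_MAC, 1)    # ordinary downstream bridge

def demo() -> dict:
    port = GuardedPort("ethernet 1/5", OWN, guard_all_vlans=True,
                       guard_per_vlan={20: False})  # VLAN 20 explicitly overridden
    return {
        "vlan10_superior": port.receive(10, SUPERIOR),
        "vlan20_superior": port.receive(20, SUPERIOR),
        "vlan10_inferior": port.receive(10, INFERIOR),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

VLAN 20 in the sample shows why explicit per-VLAN settings deserve review: the global setting guards VLAN 10, but the override leaves VLAN 20 open to the same superior BPDU.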