Root Guard Prevents Rogue Root Bridge | Generated by AI
Question: Which STP feature prevents a rogue device from becoming the root bridge in a network?
A) BPDU Guard
B) Root Guard
C) Loop Guard
D) UDLD
Answer:
The correct answer is B) Root Guard.
Comprehensive explanation of each option
A) BPDU Guard
BPDU Guard is typically enabled on access ports (e.g., PortFast ports connected to end devices).
If the port receives any BPDU (which should never happen from a legitimate PC/phone), BPDU Guard immediately puts the port into err-disabled state.
Purpose: Prevents rogue or misconfigured switches connected to access ports from participating in STP and potentially causing topology issues.
It does not directly prevent a rogue switch from becoming the root bridge; it simply shuts the port down if the rogue device sends BPDUs. The rogue device could still influence the topology on other ports or segments if connected elsewhere.
B) Root Guard
Root Guard is enabled on designated ports where the network administrator expects the current root bridge to remain superior (usually downlink ports toward access-layer switches).
If a superior BPDU (one advertising a better/lower root bridge ID or lower path cost to the current root) is received on a Root Guard-enabled port, the port is placed into root-inconsistent state (effectively blocked) until the superior BPDUs stop arriving.
Purpose: Explicitly prevents any device connected to that port from ever becoming the root bridge or advertising itself as having a better path to the root.
This is the feature designed specifically to stop a rogue switch from taking over as the STP root bridge.
C) Loop Guard
Loop Guard protects against situations where a blocking port stops receiving BPDUs (e.g., due to unidirectional link failure) and mistakenly transitions to forwarding, creating a loop.
When enabled, if a non-designated port stops receiving BPDUs, Loop Guard puts the port into loop-inconsistent state instead of letting it move to forwarding.
Purpose: Prevents Layer 2 loops caused by unidirectional failures, not rogue root bridge takeovers.
D) UDLD (UniDirectional Link Detection)
UDLD detects and disables unidirectional links (fiber or copper) where one side can transmit but not receive, which can cause spanning-tree loops or blackholing.
It works in normal and aggressive modes; in aggressive mode it will err-disable the port if the neighbor is not responding properly.
Purpose: Prevents loops and traffic blackholes caused by physical-layer unidirectional failures, not rogue root bridge election.
Summary Table
| Feature | Prevents rogue device from becoming root? | Primary purpose |
|---|---|---|
| BPDU Guard | No (shuts port on any BPDU) | Protect access ports from rogue switches |
| Root Guard | Yes | Prevent downstream switch from ever becoming root |
| Loop Guard | No | Prevent loops from unidirectional link failures |
| UDLD | No | Detect and disable unidirectional physical links |
Therefore, the feature that specifically prevents a rogue device from becoming the STP root bridge is Root Guard (B).
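To make the difference between options A and B concrete, the following Python model is an added example (not vendor code or part of the original explanation) that feeds the same BPDUs to an unguarded port, a Root Guard port and a BPDU Guard port, and reports each port's state and the root the switch ends up with. The class and function names, priorities and MAC addresses are constructed for illustration; Loop Guard and UDLD are left out because, as described above, they respond to unidirectional link failures rather than to superior BPDUs.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Bpdu:
    # Fields are compared in this order; the lower value is "superior".
    root_priority: int
    root_mac: str          # fixed-width lowercase hex, so string order is numeric order
    path_cost: int
    sender_priority: int
    sender_mac: str

class Port:
    """One switch port with an optional guard: None, "bpdu" or "root"."""
    def __init__(self, guard, best):
        self.guard = guard
        self.best = best               # best root information the switch holds
        self.state = "forwarding"

    def receive(self, bpdu):
        if self.state == "err-disabled":
            return self.state          # port is shut; nothing is processed
        if self.guard == "bpdu":
            self.state = "err-disabled"            # any BPDU trips BPDU Guard
        elif bpdu < self.best:                     # superior BPDU
            if self.guard == "root":
                self.state = "root-inconsistent"   # blocked, claim ignored
            else:
                self.best = bpdu                   # unguarded: new root accepted
        return self.state

    def superior_bpdus_stopped(self):
        # Root Guard clears by itself; err-disabled needs the port re-enabled.
        if self.state == "root-inconsistent":
            self.state = "forwarding"
        return self.state

def run(guard, current, received):
    """Return the port state after each event and the root the switch ends up with."""
    port = Port(guard, current)
    states = [port.receive(b) for b in received]
    states.append(port.superior_bpdus_stopped())
    return states, port.best.root_mac

# Constructed sample values, not from a real network.
CURRENT = Bpdu(4096, "02:00:00:00:00:01", 0, 4096, "02:00:00:00:00:01")
INFERIOR = Bpdu(32768, "02:00:00:00:0a:bc", 0, 32768, "02:00:00:00:0a:bc")
ROGUE = Bpdu(0, "02:00:00:00:00:ff", 0, 0, "02:00:00:00:00:ff")

if __name__ == "__main__":
    for guard in (None, "root", "bpdu"):
        print(guard, *run(guard, CURRENT, [INFERIOR, ROGUE]))
```

Only the unguarded port lets the constructed rogue BPDU replace the root; the Root Guard port keeps forwarding for the inferior BPDU and blocks only while the superior one is being received, whereas the BPDU Guard port goes down on the first BPDU of any kind.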