Configuring Root Guard

A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur. In this case, flows that should travel along high-speed links may be led to low-speed links, and network congestion may occur.

You can avoid this problem by using the root guard function. Ports with this function enabled can only be kept as designated ports in all MSTIs. When a port of this type receives configuration BPDUs with higher priorities, it turns to the discarding state (rather than becoming a non-designated port) and stops forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.

- You are recommended to enable root guard on the designated ports of a root bridge.
- Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect, even if you have configured it on the port.

Configuration Prerequisites

MSTP runs normally on the switch.

Configuration procedure

Follow these steps to configure the root guard function in system view:

To do...                                              Use the command...                              Remarks
Enter system view                                     system-view                                     —
Enable the root guard function on specified ports     stp interface interface-list root-protection    Required. The root guard function is disabled by default.

Follow these steps to enable the root guard function in Ethernet port view:

To do...                                              Use the command...                              Remarks
Enter system view                                     system-view                                     —
Enter Ethernet port view                              interface interface-type interface-number       —
Enable the root guard function on the current port    stp root-protection                             Required. The root guard function is disabled by default.
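The mutual-exclusion note above is easy to violate without noticing, because the switch accepts the conflicting commands and one of them silently has no effect. The following audit script is an added example, not part of the manual: it reads a saved configuration and reports ports that combine more than one of the three functions, plus ports with no root guard to review. The sample configuration is constructed, and the `stp loop-protection` and `stp edged-port enable` spellings are assumptions that may differ by software release.

```python
import re
# Constructed sample of a saved configuration (not taken from the manual).
SAMPLE_CONFIG = """\
interface Ethernet1/0/1
 stp root-protection
#
interface Ethernet1/0/2
 stp root-protection
 stp loop-protection
#
interface Ethernet1/0/3
 stp edged-port enable
 stp root-protection
#
interface Ethernet1/0/4
 port access vlan 10
#
"""

# Only "stp root-protection" is in the manual text; the other two command
# spellings are assumptions and may differ by software release.
GUARDS = {
    "root guard": re.compile(r"^stp root-protection$"),
    "loop guard": re.compile(r"^stp loop-protection$"),
    "edge port": re.compile(r"^stp edged-port( enable)?$"),
}

def parse_ports(config):
    """Map each interface name to the set of guard functions set on it."""
    ports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ports[current] = set()
        elif not raw.startswith(" "):
            current = None  # "#" or a global command closes the stanza
        elif current:
            ports[current].update(n for n, rx in GUARDS.items() if rx.match(raw.strip()))
    return ports

def audit(config):
    """Return (ports with conflicting functions, ports without root guard)."""
    ports = parse_ports(config)
    conflicts = {p: sorted(g) for p, g in ports.items() if len(g) > 1}
    unguarded = sorted(p for p, g in ports.items() if "root guard" not in g)
    return conflicts, unguarded

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The script only handles port-view stanzas; whether a port without root guard needs it still depends on whether it is a designated port of the root bridge.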