Unlike BPDU Guard, which disables a port upon receipt of any BPDU, the Spanning Tree Root Guard feature allows BPDUs through a port so that the spanning tree topology is maintained. However, if it receives a superior BPDU, which indicates that another switch is trying to become the root bridge, it will err-disable the port.
This feature is used to protect your root bridges from misconfiguration or a layer 2 man-in-the-middle attack.
Where do you configure Spanning Tree Root Guard?
The root guard feature is configured on all downstream ports of your core and distribution layer switches.
How does it work?
Consider the simple topology below.
With spanning tree root guard configured on the ports labelled with a red cross, this is what is going to happen.
As BPDUs come in, the switch inspects them and allows them through. However, if a BPDU is received that is superior to the root bridge's, i.e. advertising a better cost to the root bridge, this indicates another switch trying to become root or a potential man-in-the-middle attack.
The port will be put into an err-disable state, thus enforcing the position of the root bridge; hence the name of the feature, Root Guard.
Configuring Spanning Tree Root Guard
You configure spanning tree root guard on a per-interface basis:
SW1(config-if)#spanning-tree guard root
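The following is an added example of what the per-interface command looks like when applied across a distribution switch's downstream ports, together with the commands used to verify it; it is not configuration from the original post. The hostname, interface names, VLAN numbers and priority value are assumptions.

```cisco
! SW1, distribution layer. Added example; interface names, VLANs and the
! priority value are assumed, not taken from the original post.
!
! Make this switch the intended root for the VLANs it serves.
spanning-tree vlan 10,20 priority 4096
!
! Downstream ports toward the access layer: BPDUs are still allowed through
! so the topology converges, but a superior BPDU (a better root claim) blocks
! the port instead of moving the root.
interface range GigabitEthernet1/0/1 - 24
 description DOWNSTREAM-ACCESS
 spanning-tree guard root
!
! Uplinks toward the core: leave root guard off here. The legitimate root
! bridge's BPDUs arrive through these ports and must be accepted.
interface range TenGigabitEthernet1/1/1 - 2
 description UPLINK-CORE
 no spanning-tree guard root
!
! Verification (privileged EXEC):
! show spanning-tree interface GigabitEthernet1/0/1 detail
!   confirms root guard is enabled on the port
! show spanning-tree inconsistentports
!   lists any ports currently held in the Root Inconsistent state
```

When a downstream port is held because a superior BPDU arrived, IOS logs a `%SPANTREE-2-ROOTGUARD_BLOCK` message naming the port and VLAN; forwarding these to your syslog collector and alerting on them is the simplest way to detect a rogue root bridge attempt or a misconfigured switch on the access layer.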
From the Cisco documentation:
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure. However, if root guard is also enabled, all the backup interfaces used by the UplinkFast feature are placed in the root-inconsistent state (blocked) and are prevented from reaching the forwarding state.
For more information on the Spanning Tree Root Guard feature, see the Cisco documentation.