TB - GNS3 Lab: Spanning Tree Protocol (STP) with Root Guard

Rooooooooooooooooooooooot

Lab by: https://gns3vault.com/switching/spanning-tree-root-guard

🛡️ Lab Goal

• Configure SW2 as the root bridge for VLAN 1.
• Configure SW3 with a STP priority of 4096 for VLAN 1.
• Ensure SW1 does not accept SW3 as the root bridge using Root Guard.

---

🖥️ Lab Topology

• SW1 gi0/0 ↔ SW2 gi0/0
• SW1 gi0/1 ↔ SW2 gi0/1
• SW1 gi0/2 ↔ SW3 gi0/1
• SW1 gi0/3 ↔ SW3 gi0/0

---

1️⃣ Basic Setup

On all 3 switches:

conf t
hostname SWx         ! Replace x with 1, 2, or 3
no ip routing
vlan 1
exit

Enable trunking and interfaces:

interface range gi0/0 - 3
 no shutdown
 switchport
 switchport mode trunk

---

2️⃣ Configure STP Priorities

On SW2 (Root Bridge):

conf t
spanning-tree vlan 1 priority 0
end

On SW3 (Secondary, but not root):

conf t
spanning-tree vlan 1 priority 4096
end

---

3️⃣ Enable Root Guard on SW1

Apply Root Guard on ports Gi0/2 and Gi0/3 (facing SW3):

conf t
interface range gi0/2, gi0/3
 spanning-tree guard root
end

---

4️⃣ Verify Spanning Tree Role

Run the following on all switches:

show spanning-tree vlan 1

• SW2 should say: This bridge is the root
• SW1 and SW3 should point to SW2 as root

---

5️⃣ Test Root Guard

Temporarily force SW3 to claim root:

conf t
spanning-tree vlan 1 priority 0
end

Then on SW1:

show spanning-tree inconsistentports

✅ Ports Gi0/2 and Gi0/3 should be in root-inconsistent state.

---

6️⃣ Revert and Verify

Restore SW3 to priority 4096:

conf t
spanning-tree vlan 1 priority 4096
end

Verify STP and ensure interfaces return to forwarding state.

---

✅ Lab Complete

• SW2 elected as root bridge.
• Root Guard protected SW1 from false root claims.
• You practiced configuring and verifying STP behavior and Root Guard.