Loop Guard

Loop guard prevents the loops that can develop if a port that should be blocking transitions to the forwarding state. This can happen if a port stops receiving BPDUs, for example because of a unidirectional link (on a point-to-point link) or a software/configuration problem on the neighbour.

The following shows an example with both loop guard disabled and then enabled.

When the port stops receiving BPDUs, STP perceives the topology as loop free. The blocking port will eventually go into the forwarding state, creating a loop. Without the loop guard feature, the port assumes the designated port role, leading to a bridging loop.

Enabling loop guard prevents an alternate or root port from becoming designated in the absence of BPDUs. If BPDUs suddenly stop arriving on a non-designated port (more precisely, on root and alternate ports), loop guard puts that port in the ‘loop-inconsistent’ blocking state rather than letting it transition to a forwarding state (listening/learning/forwarding).

The Cisco best practice is to enable loop guard on the L2 ports between distribution switches and on the uplink ports from access to the distribution switches. It is also most effective when configured with UDLD.

You cannot enable both loop guard and root guard at the same time.

You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.

When the loop guard blocks an inconsistent port, this message is logged:

%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/24 on VLAN0050.

Once a BPDU is received on a port in the loop-inconsistent STP state, the port transitions into another STP state according to the received BPDU. This means that recovery is automatic and intervention is not necessary. After recovery, this message is logged:

%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/24 on VLAN0050.
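
Added example, not from the original post: a Python script that replays the two loop guard syslog messages quoted above, in order, and lists the port/VLAN pairs that were blocked and never unblocked. The hostname, timestamps and the extra ports and VLANs in the sample log are constructed for illustration.

```python
import re

# Matches the two loop guard syslog messages quoted above.
LOOPGUARD_RE = re.compile(
    r"%SPANTREE-2-LOOPGUARD_(?P<event>BLOCK|UNBLOCK): "
    r"Loop guard (?:un)?blocking port (?P<port>\S+) on (?P<vlan>\S+?)\.?\s*$"
)

# Constructed sample input: hostname, timestamps and the extra ports/VLANs
# are invented for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01 dsw1 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/24 on VLAN0050.
Mar  1 10:00:01 dsw1 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/24 on VLAN0060.
Mar  1 10:00:05 dsw1 %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
Mar  1 10:02:40 dsw1 %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/24 on VLAN0050.
Mar  1 10:05:12 dsw1 %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/23 on VLAN0050.
"""


def parse_event(line):
    """Return (event, port, vlan) for a loop guard message, else None."""
    m = LOOPGUARD_RE.search(line)
    return (m["event"], m["port"], m["vlan"]) if m else None


def replay(lines):
    """Replay messages in order.

    Returns (still_blocked, block_counts): the sorted (port, vlan) pairs whose
    last event was BLOCK, and how many BLOCK events each pair logged.
    """
    blocked, block_counts = set(), {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # unrelated syslog line
        event, port, vlan = parsed
        key = (port, vlan)
        if event == "BLOCK":
            blocked.add(key)
            block_counts[key] = block_counts.get(key, 0) + 1
        else:
            # UNBLOCK with no earlier BLOCK (capture started late) is ignored.
            blocked.discard(key)
    return sorted(blocked), block_counts


if __name__ == "__main__":
    still_blocked, counts = replay(SAMPLE_LOG.splitlines())
    for port, vlan in still_blocked:
        print(f"{port} {vlan}: still loop-inconsistent, {counts[(port, vlan)]} block event(s)")
```

A pair that stays in the output has not yet received a BPDU again, so the link or the neighbour is the place to look.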


(config)# spanning-tree loopguard default   !# enable on all point-to-point links on the switch
(config-if)# spanning-tree guard loop   !# enable on a specific port

Router#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is disabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
Total                        0         0        0          0          0

Lab Example

