Where to apply loop-guard

Answered Question
Jul 9th, 2012

Hello community,


after a layer2 loop in our LAN environment I decided to configure udld and loop-guard, but I got a bit mixed up as to where loop guard should be configured.


We have 2x 65xx acting as VTP servers (layer2 connection between them). Each one is root for a number of VLANS. The udld part is easy. I have configured it on all optical connections.

For switches forming triangles with the 65xx I have enabled "spanning-tree guard loop" on the uplinks.

What about switches forming a square topology with the 65xx? Is it sufficient to enable loop-guard on only the uplinks, or should it also be enabled on the link between the two access switches?


I have read a number of Cisco documents and in some it is stated to enable loop-guard on all non-designated ports and in others it says enable it everywhere. In practice, do I enable it everywhere or is it enough to just go with the uplinks? Ports will be designated for one VLAN and non-designated for the other, so there is no point in figuring out the exact role of the ports.



Thank you in advance,


Katerina

Overall Rating: 5 (2 ratings)
Correct Answer
Peter Paluch Mon, 07/09/2012 - 23:29
User Badges:
  • Cisco Employee,

Hello Katerina,


The BPDU Loop Guard is a prevention mechanism that tries to avoid switching loops caused by a sudden stop of BPDU arrival on a port, and subsequent transition of this port to the Designated Forwarding role/state. Now, if you think about ports that rely on timely arrival of BPDUs to maintain their current role/state, these are Root port, Alternate port, and Backup port. Especially the Alternate and Backup ports are meant to be Discarding, and should they cease to receive BPDUs, they will move into Designated Forwarding, possibly creating a loop.


Therefore, the BPDU Loop Guard should be applied at least to ports that are Alternate (a Backup port is on a shared-type link, and Loop Guard runs only on point-to-point links). However, because in a per-VLAN environment each trunk port can be in diverse roles/states for individual VLANs, I suggest simply configuring the Loop Guard on all ports using the global configuration level command spanning-tree loopguard default.


Perhaps you know this document - it discusses the Loop Guard feature in closer detail.


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml


Best regards,

Peter
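
The reasoning in the answer above, worked through as a small model (an added example, not part of the original thread and not Cisco code). It is a simplified per-VLAN state model; the `PortVlan` class, the function names and the VLAN numbers are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Roles that depend on BPDUs continuing to arrive, as listed in the answer above.
BPDU_DEPENDENT = {"root", "alternate", "backup"}

@dataclass(frozen=True)
class PortVlan:
    """One port's role/state for one VLAN (hypothetical model type)."""
    role: str                 # "root", "alternate", "backup" or "designated"
    state: str                # "forwarding", "discarding" or "loop-inconsistent"
    loop_guard: bool = False
    p2p: bool = True          # Loop Guard runs only on point-to-point links

def bpdus_stopped(pv):
    """Result for this port/VLAN once BPDUs stop arriving (simplified)."""
    if pv.role not in BPDU_DEPENDENT:
        return pv             # a Designated port sends BPDUs, it does not wait for them
    if pv.loop_guard and pv.p2p:
        return replace(pv, state="loop-inconsistent")   # stays blocked
    return replace(pv, role="designated", state="forwarding")

# Constructed example: one trunk uplink whose role differs per VLAN.
UPLINK = {
    10: ("root", "forwarding"),
    20: ("alternate", "discarding"),
    30: ("designated", "forwarding"),
}

def silent_neighbour(trunk, loop_guard):
    """Return {vlan: PortVlan} after BPDUs stop on every VLAN of the trunk."""
    return {vlan: bpdus_stopped(PortVlan(role, state, loop_guard))
            for vlan, (role, state) in trunk.items()}

def loop_risk(trunk, loop_guard):
    """VLANs where a previously discarding port ends up forwarding."""
    after = silent_neighbour(trunk, loop_guard)
    return sorted(vlan for vlan, (_, state) in trunk.items()
                  if state == "discarding" and after[vlan].state == "forwarding")

if __name__ == "__main__":
    print("without loop guard:", loop_risk(UPLINK, False))
    print("with loop guard:   ", loop_risk(UPLINK, True))
```

The same trunk is Root, Alternate and Designated depending on the VLAN, which is why the per-port role cannot be used to decide where the feature belongs.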

katerina.dardoufa Mon, 07/09/2012 - 23:50

Peter,


thank you for your answer. I have already read this document, but it always helps to get an individual's opinion. For the time being I will enable loop-guard on the inter-connections between the access switches and also on the uplinks, since these are the Alt ports and Root ports. To be frank, I do not want to create a loop myself (by enabling the loop guard globally), so I prefer to do it in a controlled manner.


On any new deployment, I will make sure to enable loopguard globally!


Best Regards,


Katerina

pauloz1977 Fri, 10/24/2014 - 02:12

Hello!

I am preparing for the CCNP switch exam and I don't understand this explanation:

"Configuring access mode on the port can filter BPDU from other vlans from coming to the port and force loopguard feature to set this port into loop inconsistent state."

If a port is in access mode, why does loopguard care about other VLANs on that port?

Thank you in advance!

Zsolt

katerina.dardoufa Tue, 07/10/2012 - 03:38

On some switches I enabled loopguard globally (those where I wasn't really sure where I should apply it). My LMS (cisco prime 4.1) reported (through discrepancy reports) that loopguard is enabled on ports with "spanning-tree portfast".


Theory states:



Loop guard cannot be enabled for ports on which portfast is enabled. Since BPDU guard works on portfast-enabled ports, some restrictions apply to BPDU guard. Loop guard cannot be enabled on dynamic VLAN ports since these ports have portfast enabled.


http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard_vs_uld


So even if loopguard is enabled globally, it will not take effect on ports with "spanning-tree portfast". So I should ignore the discrepancy report.


Correct?


Thank you in advance,

Katerina

Peter Paluch Tue, 07/10/2012 - 07:16
User Badges:
  • Cisco Employee,

Hello Katerina,


Personally, I would ignore those messages from your LMS. The assessment of the co-existence (or lack of it) between LoopGuard and PortFast is correct - they mutually exclude themselves because a LoopGuard-protected port has to receive BPDUs while a PortFast port loses its PortFast operational status after receiving just a single BPDU.


Best regards,

Peter

katerina.dardoufa Tue, 07/10/2012 - 07:41

Final question Peter


"Spanning-tree portfast" and "spanning-tree guard loop" mutually exclude one another. But how will the access-port function if both are configured? Which of the commands takes precedence or does it depend?

Will the "no spanning-tree guard loop" command have any effect on a portfast enabled port?


We do not have bpduguard enabled, which I understand is the case for portfast to lose its operational status if it receives a BPDU.



Best Regards,

Katerina

Peter Paluch Wed, 07/11/2012 - 10:12
User Badges:
  • Cisco Employee,

Hello Katerina,


I apologize for answering late - your last post got somehow buried among more recent posts - sorry for that. I guess a function should be implemented at CSC that would allow me to see if a thread I've responded to was changed since the last time I've responded - without e-mailing me (I would soon be flooded by e-mails I'm afraid).


Nevertheless, to your question.


"But how will the access-port function if both are configured? Which of the commands takes precedence or does it depend?"


I've just tested that in our lab. You can configure both LoopGuard and PortFast on the same port. As long as the port is connected to an end device that does not send BPDUs, the PortFast is active and the LoopGuard apparently does nothing. There is, sadly, no command for me to know if the LoopGuard is actually active (or I don't know about such command).


As soon as a device sending BPDUs is connected to such a port, the PortFast is deactivated (it remains configured but is not effective until the port is disconnected and connected again). So the LoopGuard remains the only feature active on this port, and it behaves in a completely usual way.


So their mutual configuration actually does not appear to be in any way influencing each other. Probably even when PortFast is configured and active on the port, the LoopGuard is active as well - but there is no way of knowing that because it is basically impossible to have a port receiving and processing BPDUs and yet being PortFast-enabled, and so it's not possible to trip the LoopGuard protection while having a PortFast-enabled port.


I am not sure if I expressed myself clearly here - please feel welcome to ask further!


Best regards,

Peter
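
A configuration check for the two situations discussed in this part of the thread, as an added example (not part of the original posts and not a Cisco tool). The running-config excerpt and interface names are constructed, and treating every `switchport mode trunk` port as an inter-switch link is an assumption of this sketch.

```python
import re

# Constructed running-config excerpt; interface names are made up for the example.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree loopguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/49
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet1/0/50
 description link to neighbouring access switch
 switchport mode trunk
 spanning-tree guard none
"""

def parse(config):
    """Return (global_loopguard, {interface: [its config lines]})."""
    global_lg, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # a top-level line ends any interface block
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = ports.setdefault(m.group(1), [])
            elif line == "spanning-tree loopguard default":
                global_lg = True
        elif current is not None:
            current.append(line)
    return global_lg, ports

def audit(config):
    """Return sorted (interface, finding) pairs."""
    global_lg, ports = parse(config)
    findings = []
    for name, lines in ports.items():
        guard = next((l.split()[-1] for l in lines
                      if l.startswith("spanning-tree guard ")), None)
        loop_guard = (guard == "loop") if guard else global_lg  # interface overrides global
        portfast = any(l.startswith("spanning-tree portfast")
                       and not l.endswith("disable") for l in lines)
        if loop_guard and portfast:        # the combination the LMS report flagged
            findings.append((name, "loop guard and portfast both configured"))
        if "switchport mode trunk" in lines and not loop_guard:
            findings.append((name, "trunk without loop guard"))
    return sorted(findings)
```

The first finding is informational, in line with the lab result described above; the second is the case the thread is concerned with.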

katerina.dardoufa Wed, 07/11/2012 - 21:49

Hello Peter,


thank you so much for taking the time to also test and answer my question. I really appreciate it!


Your answer is very clear and it helps me to get a better understanding of how things will actually work in real life.



Best regards,

Katerina

manish arora Mon, 07/09/2012 - 23:30
User Badges:
  • Silver, 250 points or more

UDLD & Loopguard serve the same purpose :-

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard_vs_uld


Where should I enable LoopGuard? Cisco says to do it on all the non-designated ports to avoid unintentional forwarding when BPDUs go missing :-

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard


Personally, what I use depends upon the switch fabric and complexity.


Manish

Tharak Abraham Mon, 07/09/2012 - 23:46
User Badges:
  • Bronze, 100 points or more

STP Loopguard is used to prevent STP loops occurring due to unidirectional links.

This feature is similar to UDLD, but it uses STP BPDU keepalives if there is a unidirectional link.


Ideally loopguard should be enabled on all the interswitch links.
