Where to apply loop-guard

Hello community,

After a layer 2 loop in our LAN environment I decided to configure UDLD and loop-guard, but I got a bit mixed up as to where loop guard should be configured.

We have 2x 65xx acting as VTP servers (layer 2 connection between them). Each one is root for a number of VLANs. The UDLD part is easy. I have configured it on all optical connections.

For switches forming triangles with the 65xx I have enabled "spanning-tree guard loop" on the uplinks.

What about switches forming a square topology with the 65xx? Is it sufficient to enable loop-guard on only the uplinks, or should it also be enabled on the link between the two access switches?

I have read a number of Cisco documents and in some it is stated to enable loop-guard on all non-designated ports and in others it says enable it everywhere. In practice, do I enable it everywhere or is it enough to just go with the uplinks? Ports will be designated for one VLAN and non-designated for the other, so there is no point in figuring out the exact role of the ports.

Thank you in advance,

Katerina

1 Accepted Solution


Peter Paluch
Cisco Employee

Hello Katerina,

The BPDU Loop Guard is a prevention mechanism that tries to avoid switching loops caused by a sudden stop of BPDU arrival on a port, and subsequent transition of this port to the Designated Forwarding role/state. Now, if you think about ports that rely on timely arrival of BPDUs to maintain their current role/state, these are Root port, Alternate port, and Backup port. Especially the Alternate and Backup ports are meant to be Discarding, and should they cease to receive BPDUs, they will move into Designated Forwarding, possibly creating a loop.

Therefore, the BPDU Loop Guard should be applied at least to ports that are Alternate (a Backup port is on a shared-type link, and Loop Guard runs only on point-to-point links). However, because in a per-VLAN environment each trunk port can be in diverse roles/states for individual VLANs, I suggest simply configuring the Loop Guard on all ports using the global configuration level command spanning-tree loopguard default.

Perhaps you know this document - it discusses the Loop Guard feature in closer detail.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml

Best regards,

Peter
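The point about per-VLAN roles, worked through for the square topology in the question (an added example, not part of the original posts). It runs a simplified spanning-tree role election per VLAN and lists the ports that are Root or Alternate in at least one VLAN; the switch names, priorities and equal link cost are assumptions.

```python
# Constructed square: cores C1/C2, access switches A1/A2 (names are assumptions).
LINKS = [("C1", "C2"), ("C1", "A1"), ("C2", "A2"), ("A1", "A2")]
# Per-VLAN bridge priority: C1 is root for VLAN 10, C2 for VLAN 20.
PRIORITY = {
    10: {"C1": 4096, "C2": 8192, "A1": 32768, "A2": 32768},
    20: {"C1": 8192, "C2": 4096, "A1": 32768, "A2": 32768},
}
COST = 4  # same path cost on every link (assumption)

def neighbors(sw):
    return [b if a == sw else a for a, b in LINKS if sw in (a, b)]

def port_roles(vlan):
    """Return {(switch, neighbor): role} for one VLAN's spanning tree."""
    def bid(sw):  # bridge ID; the switch name stands in for the MAC
        return (PRIORITY[vlan][sw], sw)

    switches = sorted({s for link in LINKS for s in link}, key=bid)
    root = switches[0]
    # Root path cost by repeated relaxation (the graph is tiny).
    dist = {s: 0 if s == root else float("inf") for s in switches}
    for _ in switches:
        for s in switches:
            for n in neighbors(s):
                dist[s] = min(dist[s], dist[n] + COST)
    roles = {}
    for s in switches:
        # Root port: lowest (cost through neighbor, neighbor bridge ID).
        rp = None if s == root else min(
            neighbors(s), key=lambda n: (dist[n] + COST, bid(n)))
        for n in neighbors(s):
            if n == rp:
                roles[(s, n)] = "root"
            elif (dist[s], bid(s)) < (dist[n], bid(n)):
                roles[(s, n)] = "designated"  # sends BPDUs on this link
            else:
                roles[(s, n)] = "alternate"   # discarding, relies on BPDUs
    return roles

def ports_needing_loop_guard():
    """Ports that are Root or Alternate in at least one VLAN."""
    need = set()
    for vlan in PRIORITY:
        need |= {p for p, r in port_roles(vlan).items() if r != "designated"}
    return sorted(need)

if __name__ == "__main__":
    for sw, peer in ports_needing_loop_guard():
        print(f"{sw}: port toward {peer}")
```

In this model both ends of the access-to-access link and of the core-to-core link are non-designated for one VLAN, while the core ports facing the access switches stay Designated in both.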

Peter,

thank you for your answer. I have already read this document, but it always helps to get an individual's opinion. For the time being I will enable loop-guard on the inter-connections between the access switches and also on the uplinks, since these are the Alt ports and Root ports. To be frank, I do not want to create a loop myself (by enabling the loop guard globally), so I prefer to do it in a controlled manner.

On any new deployment, I will make sure to enable loopguard globally!

Best Regards,

Katerina

Hello!

I am preparing for the CCNP switch exam and I don't understand this explanation:

"Configuring access mode on the port can filter BPDU from other vlans from coming to the port and force loopguard feature to set this port into loop inconsistent state."

If a port is in access mode, why does loopguard care about other VLANs on that port?

Thank you in advance!

Zsolt

On some switches I enabled loopguard globally (those where I wasn't really sure where I should apply it). My LMS (Cisco Prime 4.1) reported (through discrepancy reports) that loopguard is enabled on ports with "spanning-tree portfast".

Theory states:

Loop guard cannot be enabled for ports on which portfast is enabled. Since BPDU guard works on portfast-enabled ports, some restrictions apply to BPDU guard. Loop guard cannot be enabled on dynamic VLAN ports since these ports have portfast enabled.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard_vs_uld

So even if loopguard is enabled globally, it will not take effect on ports with "spanning-tree portfast". So I should ignore the discrepancy report.

Correct?

Thank you in advance,

Katerina

Hello Katerina,

Personally, I would ignore those messages from your LMS. The assessment of the co-existence (or lack of it) between LoopGuard and PortFast is correct - they mutually exclude themselves because a LoopGuard-protected port has to receive BPDUs while a PortFast port loses its PortFast operational status after receiving just a single BPDU.

Best regards,

Peter
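A way to reproduce the kind of overlap the LMS discrepancy report flagged, as an added example that is not part of the original posts: it reads a running-config, works out where loop guard is configured (global default or interface-level `spanning-tree guard`), and marks ports that also carry PortFast. The sample config is constructed, and the script assumes every port is a point-to-point link.

```python
import re

# Constructed running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
spanning-tree loopguard default
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree guard none
!
interface GigabitEthernet1/0/49
 description uplink
 switchport mode trunk
!
interface GigabitEthernet1/0/50
 switchport mode trunk
 spanning-tree guard root
"""

def audit(config):
    """Return {interface: finding} for every interface in the config."""
    global_lg = bool(
        re.search(r"^spanning-tree loopguard default\s*$", config, re.M))
    findings = {}
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        guard = re.search(
            r"^[ \t]+spanning-tree guard (loop|root|none)\s*$", body, re.M)
        portfast = bool(
            re.search(r"^[ \t]+spanning-tree portfast(?! disable)", body, re.M))
        # An interface-level guard setting overrides the global default.
        loop_guard = guard.group(1) == "loop" if guard else global_lg
        if loop_guard and portfast:
            findings[name] = "loop guard + portfast configured"
        elif loop_guard:
            findings[name] = "loop guard"
        else:
            findings[name] = "no loop guard"
    return findings

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```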

Final question Peter

"Spanning-tree portfast" and "spanning-tree guard loop" mutually exclude one another. But how will the access-port function if both are configured? Which of the commands takes precedence or does it depend?

Will the "no spanning-tree guard loop" command have any effect on a portfast enabled port?

We do not have bpduguard enabled, which I understand is the case for portfast to lose its operational status if it receives a BPDU.

Best Regards,

Katerina

Hello Katerina,

I apologize for answering late - your last post got somehow buried among more recent posts - sorry for that. I guess a function should be implemented at CSC that would allow me to see if a thread I've responded to was changed since the last time I've responded - without e-mailing me (I would soon be flooded by e-mails I'm afraid).

Nevertheless, to your question.

"But how will the access-port function if both are configured? Which of the commands take precedence or does it depend?"

I've just tested that in our lab. You can configure both LoopGuard and PortFast on the same port. As long as the port is connected to an end device that does not send BPDUs, the PortFast is active and the LoopGuard apparently does nothing. There is, sadly, no command for me to know if the LoopGuard is actually active (or I don't know about such a command).

As soon as a device sending BPDUs is connected to such a port, the PortFast is deactivated (it remains configured but is not effective until the port is disconnected and connected again). So the LoopGuard remains the only feature active on this port, and it behaves in a completely usual way.

So their mutual configuration actually does not appear to be in any way influencing each other. Probably even when PortFast is configured and active on the port, the LoopGuard is active as well - but there is no way of knowing that because it is basically impossible to have a port receiving and processing BPDUs and yet being PortFast-enabled, and so it's not possible to trip the LoopGuard protection while having a PortFast-enabled port.

I am not sure if I expressed myself clearly here - please feel welcome to ask further!

Best regards,

Peter

Hello Peter,

thank you so much for taking the time to also test and answer my question. I really appreciate it!

Your answer is very clear and it helps me to get a better understanding of how things will actually work in real life.

Best regards,

Katerina

manish arora
Level 6

UDLD & Loopguard serve the same purpose:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard_vs_uld

Where should I enable LoopGuard? Cisco says to do it on all the non-designated ports to avoid unintentional forwarding when BPDUs go missing:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard

Personally, what do I use? It depends upon the switch fabric and complexity.

Manish

Tharak Abraham
Level 3

STP Loopguard is used to prevent STP loops occurring due to unidirectional links.

This feature is similar to UDLD, but it uses STP BPDU keepalives if there is a unidirectional link.

Ideally loopguard should be enabled on all the interswitch links.
