
UDLD and Loopguard

chrisayres
Level 1

We have been having problems with Spanning Tree. It has been recommended that we implement UDLD and Loopguard.

My understanding is that both of these can be applied globally or per interface.

It is obviously easier to do this globally.

Will this cause problems on links that connect to end devices that will not be participating in either UDLD or Loopguard?


bhedlund
Level 4

Hi,

UDLD needs to be enabled globally and will take effect on all full-duplex fiber interfaces. You need not worry about this affecting a neighbor switch without UDLD because until a UDLD neighbor is first formed there is no impact on the interface.

Loop-Guard does NOT need to be enabled globally and can be turned on per-interface. In fact, this is the safest way to do it. Only enable loop-guard on Root and Alternate ports. Do not enable loop-guard on Designated ports. Loop-guard is a local setting and does not require interaction with a neighbor for its operation. Loop-guard simply says, 'If I stop receiving BPDUs on this port, put this port in loop-inconsistent state, do not transition to forwarding.'

If you are having Spanning-Tree problems, in addition to UDLD and Loop-Guard, you should make sure you have PortFast BPDU-Guard enabled globally on all switches with portfast ports.

Most Spanning-Tree loops are created in the access layer when a well-intentioned user patches two switches together on portfast ports, or patches a hub to the network with two ports. Portfast and BPDU-Guard will protect you from this.

Also, consider Root-Guard. This will protect the integrity of your Spanning-Tree Root Bridge. If a new switch is mistakenly added to the network with a lower priority, Root-Guard will prevent it from becoming a root bridge. Root-Guard simply says, 'If I receive a superior BPDU on this interface, put it in root-inconsistent state rather than treating it as a new Root port.' Only enable Root-Guard on Designated ports at the Root bridge.

You should also double-check that all VLANs show the Root bridge to be what you expect it to be. Sometimes people add new VLANs to their LAN and forget to assign root priorities.

Please rate all helpful posts.

Regards,

Brad
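
The placement described in the reply above, written out as an added configuration example that is not part of the original posts. It assumes classic Cisco IOS syntax, one access switch and one root bridge, and interface names chosen only for illustration.

```cisco
! ===== Access switch (interface names are assumptions) =====
! UDLD globally: takes effect on fiber interfaces, and only acts
! once a UDLD neighbor has been formed on the link.
udld enable
!
! BPDU guard on every port that has PortFast configured.
spanning-tree portfast bpduguard default
!
! End-device port: PortFast, so the global BPDU guard applies.
! No loop guard here; this is a Designated port.
interface GigabitEthernet0/10
 description end device
 switchport mode access
 spanning-tree portfast
!
! Uplinks toward the root bridge (Root port and Alternate port):
! loop guard per interface, not globally.
interface GigabitEthernet0/1
 description uplink - expected Root port
 spanning-tree guard loop
!
interface GigabitEthernet0/2
 description uplink - expected Alternate port
 spanning-tree guard loop
!
! ===== Root bridge (interface names are assumptions) =====
udld enable
!
! Downlinks on the root bridge are Designated ports: root guard,
! so a superior BPDU puts the port in root-inconsistent state.
interface GigabitEthernet1/1
 description downlink to access switch
 spanning-tree guard root
!
end
!
! ===== Checks after the change =====
! Confirm each VLAN reports the root bridge you expect.
show spanning-tree root
! Confirm which global STP features are active.
show spanning-tree summary
! List ports held in loop-inconsistent or root-inconsistent state.
show spanning-tree inconsistentports
! Confirm UDLD state per interface.
show udld
```

Confirm the actual port roles with `show spanning-tree` before applying the per-interface guards, since the roles above are the expected ones for this assumed topology.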
