UDLD and Loopguard

chrisayres
Level 1

We have been having problems with Spanning Tree; it has been recommended that we implement UDLD and Loopguard.

My understanding is that both of these can be applied globally or per interface.

It is obviously easier to do this globally.

Will this cause problems on links that connect to end devices that will not be participating in either UDLD or Loopguard?


glen.grant
VIP Alumni

I believe you will only set this up on links between Cisco devices and thus it should not affect end users. Someone can chime in if my interpretation is incorrect.

Francois Tallet
Level 7

For loopguard at least, there will be no problem (I think it will be fine for UDLD also, btw). The feature can work with third-party devices; however, it should only be configured on point-to-point links. P2p from the STP perspective means that there are only 2 STP devices on the physical segment.

By default, if you enable loopguard globally, it will be effective on all interfaces that are full-duplex (assumed to be p2p). If for some reason you have a full-duplex link leading to several STP peers (if you are running STP over a provider network, for instance), you should explicitly disable loopguard on this interface. This is not common...

The IEEE introduces a mechanism (the dispute mechanism) that performs the duty of loopguard in a much better way. If you are running the latest IEEE standard version of MST, you will not need loopguard (this feature will be implemented in Rapid-PVST soon).

Regards,

Francois

bhedlund
Level 4

Hi,

UDLD needs to be enabled globally and will take effect on all full-duplex fiber interfaces. You need not worry about this affecting a neighbor switch without UDLD because until a UDLD neighbor is first formed there is no impact on the interface.

Loop-Guard does NOT need to be enabled globally and can be turned on per-interface. In fact, this is the safest way to do it. Only enable loop-guard on Root and Alternate ports. Do not enable loop-guard on Designated ports. Loop-guard is a local setting and does not require interaction with a neighbor for its operation. Loop-guard simply says, 'If I stop receiving BPDUs on this port, put this port in loop-inconsistent state, do not transition to forwarding.'

If you are having Spanning-Tree problems, in addition to UDLD and Loop-Guard, you should make sure you have PortFast BPDU-Guard enabled globally on all switches with portfast ports.

Most Spanning-Tree loops are created in the access layer when a well-intentioned user patches two switches together on portfast ports, or patches a hub to the network with two ports. Portfast and BPDU-Guard will protect you from this.

Also, consider Root-Guard. This will protect the integrity of your Spanning-Tree Root Bridge. If a new switch is mistakenly added to the network with a lower priority, Root-Guard will prevent it from becoming a root bridge. Root-Guard simply says, 'If I receive a superior BPDU on this interface, put it in root-inconsistent state rather than treating it as a new Root port.' Only enable Root-Guard on Designated ports at the Root bridge.

You should also double-check that all VLANs show the Root bridge to be what you expect it to be. Sometimes people add new VLANs to their LAN and forget to assign root priorities.

Please rate all helpful posts.

Regards,

Brad
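
The placement advice in the replies above can be checked against a saved switch configuration. The following is an added example, not part of the original thread: a small Python audit over an IOS-style config. The sample config, the function names `parse` and `audit`, and the rule that a trunk port is a switch-to-switch link are assumptions; it matches only the exact command spellings in the sample, and real port roles should still be confirmed with `show spanning-tree`.

```python
# Constructed IOS-style running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
udld enable
spanning-tree portfast bpduguard default
interface GigabitEthernet1/0/1
 spanning-tree portfast
interface GigabitEthernet1/0/2
 spanning-tree portfast
 spanning-tree guard loop
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 spanning-tree guard loop
interface TenGigabitEthernet1/1/2
 switchport mode trunk
"""

def parse(config):
    """Split a config into global lines and {interface: [sub-commands]}."""
    g, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], [])
        elif raw.startswith(" ") and line and current is not None:
            current.append(line)          # indented line belongs to the interface
        elif line and line != "!":
            current = None                # back at global configuration level
            g.append(line)
    return g, ifaces

def audit(config):
    """Return (scope, finding) tuples. Assumption: trunk = switch-to-switch link."""
    g, ifaces = parse(config)
    out = []
    if not {"udld enable", "udld aggressive"} & set(g):
        out.append(("global", "UDLD not enabled globally"))
    for name, cmds in ifaces.items():
        edge = "spanning-tree portfast" in cmds
        loop = "spanning-tree guard loop" in cmds
        guarded = (loop or "spanning-tree guard root" in cmds
                   or "spanning-tree loopguard default" in g)
        bpdu = ("spanning-tree bpduguard enable" in cmds
                or "spanning-tree portfast bpduguard default" in g)
        if edge and not bpdu:
            out.append((name, "portfast port without BPDU guard"))
        if edge and loop:
            out.append((name, "loop guard set on an edge (designated) port"))
        if "switchport mode trunk" in cmds and not edge and not guarded:
            out.append((name, "trunk with neither loop guard nor root guard"))
    return out
```

Running `audit(SAMPLE_CONFIG)` flags the access port that carries per-interface loop guard and the uplink that has no guard at all.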
