STP - Loop Guard
Spanning tree is the L2 control plane protocol we have to ensure a loop-free network. It does so by blocking redundant links.
Topology
Here, SW1 is the root switch with a priority of 4096. SW2 has been configured for root secondary. SW3 is default. Ultimately these configurations result in the above converged STP topology.
Initial configurations
SW1
SW1#sh run | sec span
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
SW1#
SW2
SW2#sh run | sec span
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 28672
SW2#
SW3
SW3#sh run | sec span
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
SW3#
Loop Guard
Loop guard is an STP enhancement. It adds an extra check before a blocking port is allowed to transition into the forwarding state: if no BPDUs are received on the non-designated port, the port is moved into a loop inconsistent state instead of forwarding.
Configuration
Loop guard can be enabled on a per-port basis, but also globally. I recommend enabling it globally on all switches.
! SW3
int e0/0
spanning-tree guard loop
or globally:
! SW3
spanning-tree loopguard default
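To make the decision loop guard adds concrete, here is a small added Python model (not part of this post, and not Cisco's implementation) of a single non-designated port: it replays the scenarios below, where an upstream switch filters BPDUs for a full max age and then restores them, with and without loop guard. The port names, state strings and 20 second max age are assumptions taken from the outputs in this post.

```python
from dataclasses import dataclass

MAX_AGE = 20  # seconds; matches the "Max Age 20 sec" in the sh span output in this post


@dataclass
class StpPort:
    """Minimal model of one non-designated STP port (hypothetical, for illustration)."""
    name: str
    role: str          # "root" or "alternate"
    state: str         # "forwarding", "blocking" or "loop_inconsistent"
    loop_guard: bool
    age: int = 0       # seconds since the last BPDU was received on this port

    def normal_state(self) -> str:
        return "forwarding" if self.role == "root" else "blocking"

    def receive_bpdu(self) -> str:
        """A BPDU arrives: refresh the age timer and return the port to its normal state.
        For a loop-inconsistent port this is the %SPANTREE-2-LOOPGUARD_UNBLOCK event."""
        self.age = 0
        self.state = self.normal_state()
        return self.state

    def tick(self, seconds: int) -> str:
        """Advance time with no BPDUs and decide what happens once max age expires."""
        self.age += seconds
        if self.age < MAX_AGE or self.state == "loop_inconsistent":
            return self.state
        if self.loop_guard:
            # %SPANTREE-2-LOOPGUARD_BLOCK: refuse to assume the segment is now loop-free
            self.state = "loop_inconsistent"
        else:
            # Without loop guard the stored BPDU ages out, the switch assumes the port is
            # designated and it is (or stays) forwarding: the unidirectional-link loop.
            self.state = "forwarding"
        return self.state


def simulate(loop_guard: bool, role: str = "alternate") -> dict:
    """Replay the post's scenario: BPDUs are filtered for a full max age, then restored."""
    name = "Et0/0" if role == "root" else "Et0/1"
    port = StpPort(name, role, "forwarding" if role == "root" else "blocking", loop_guard)
    after_loss = port.tick(MAX_AGE)        # upstream bpdufilter enabled for 20 s
    after_recovery = port.receive_bpdu()   # bpdufilter removed, BPDUs flow again
    return {"after_loss": after_loss, "after_recovery": after_recovery}
```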
Verification
Notice that Loop guard is enabled on the port:
! SW3
SW3#sh span int e0/0 detail
Port 1 (Ethernet0/0) of VLAN0001 is root forwarding
Port path cost 100, Port priority 128, Port Identifier 128.1.
Designated root has priority 4097, address aabb.cc00.0100
Designated bridge has priority 4097, address aabb.cc00.0100
Designated port id is 128.2, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Loop guard is enabled on the port
BPDU: sent 4, received 3734
SW3#
And when enabled globally, the output instead reads Loop guard is enabled by default on the port:
! SW3
SW3#sh span int e0/1 deta
Port 2 (Ethernet0/1) of VLAN0001 is broken (Loop Inconsistent)
Port path cost 100, Port priority 128, Port Identifier 128.2.
Designated root has priority 4097, address aabb.cc00.0100
Designated bridge has priority 32769, address aabb.cc00.0300
Designated port id is 128.2, designated path cost 100
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 0
Link type is point-to-point by default
Loop guard is enabled by default on the port
BPDU: sent 2, received 267
SW3#
A simple show spanning-tree summary will also reveal if the feature is globally enabled (as default):
! SW3
SW3#sh span summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
Portfast Edge BPDU Guard Default is disabled
Portfast Edge BPDU Filter Default is disabled
Loopguard Default is enabled
PVST Simulation Default is enabled but inactive in pvst mode
Bridge Assurance is enabled but inactive in pvst mode
EtherChannel misconfig guard is enabled
Configured Pathcost method used is short
UplinkFast is disabled
BackboneFast is disabled
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 1 0 0 1 2
---------------------- -------- --------- -------- ---------- ----------
1 vlan 1 0 0 1 2
SW3#
Filter BPDUs on SW2 towards SW3
Let’s see what happens on SW3 if we no longer receive BPDUs sent by SW2:
Filter BPDUs sent by SW2 on port Eth0/1 towards SW3:
! SW2
int e0/1
spanning-tree bpdufilter enable
On SW3 a log is displayed:
*Jan 10 13:49:43.760: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet0/1 on VLAN0001.
Verification
! SW3
SW3#sh span
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address aabb.cc00.0100
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Desg BKN*100 128.2 P2p *LOOP_Inc
SW3#
SW3#sh span inconsistentports
Name Interface Inconsistency
-------------------- ------------------------ ------------------
VLAN0001 Ethernet0/1 Loop Inconsistent
Number of inconsistent ports (segments) in the system : 1
SW3#
When BPDUs start being received again on SW3 Eth0/1, the port recovers:
! SW2
int e0/1
no spanning-tree bpdufilter enable
A log is again generated by SW3:
! SW3
*Jan 10 14:00:22.760: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Ethernet0/1 on VLAN0001.
Eth0/1 is back to its original state of Alternate Blocking:
! SW3
SW3#sh span
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address aabb.cc00.0100
Cost 100
Port 1 (Ethernet0/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Root FWD 100 128.1 P2p
Et0/1 Altn BLK 100 128.2 P2p
SW3#
Filter BPDUs on SW1 towards SW3
And if we filter BPDUs on SW1 towards SW3’s RP:
! SW1
int e0/0
spanning-tree bpdufilter enable
Verification
Now, on SW3 the RP will be put into a loop inconsistency state and the alternate port should transition to forwarding:
SW3#
*Jan 10 14:06:28.760: STP[1]: Generating TC trap for port Ethernet0/0
*Jan 10 14:06:28.760: STP: VLAN0001 Et0/0 -> forwarding
SW3#
*Jan 10 14:06:42.760: STP: VLAN0001 sent Topology Change Notice on Et0/0
*Jan 10 14:06:42.760: STP[1]: Generating TC trap for port Ethernet0/0
*Jan 10 14:06:42.760: STP: VLAN0001 Et0/0 -> blocking
*Jan 10 14:06:42.760: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet0/0 on VLAN0001.
SW3#
*Jan 10 14:06:42.760: STP: VLAN0001 new root port Et0/1, cost 200
*Jan 10 14:06:42.760: STP: VLAN0001 Et0/1 -> listening
SW3#
*Jan 10 14:06:44.760: STP: VLAN0001 sent Topology Change Notice on Et0/1
SW3#
*Jan 10 14:06:57.760: STP: VLAN0001 Et0/1 -> learning
SW3#
*Jan 10 14:07:12.760: STP[1]: Generating TC trap for port Ethernet0/1
*Jan 10 14:07:12.760: STP: VLAN0001 sent Topology Change Notice on Et0/1
*Jan 10 14:07:12.760: STP: VLAN0001 Et0/1 -> forwarding
SW3#
SW3#sh span
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address aabb.cc00.0100
Cost 200
Port 2 (Ethernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address aabb.cc00.0300
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0 Desg BKN*100 128.1 P2p *LOOP_Inc
Et0/1 Root FWD 100 128.2 P2p
SW3#
As can be seen, loop guard also works on the root port, not just on blocking ports. It protects the network from loops caused by unidirectional links. In fact, this feature can be configured alongside UDLD, which is recommended.
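From an operations standpoint the %SPANTREE-2-LOOPGUARD_BLOCK and _UNBLOCK messages shown above are what you want to alert on, since a port sitting in Loop Inconsistent state means BPDUs stopped arriving somewhere. The following added Python snippet (not part of this post) parses those syslog lines and replays them to report which ports are still inconsistent; the sample log is constructed from the messages in this post plus one unrelated line.

```python
import re

# Constructed sample, modelled on the %SPANTREE-2-LOOPGUARD_* lines shown in this post
SAMPLE_LOG = """\
*Jan 10 13:49:43.760: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet0/1 on VLAN0001.
*Jan 10 14:00:22.760: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Ethernet0/1 on VLAN0001.
*Jan 10 14:06:42.760: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet0/0 on VLAN0001.
*Jan 10 14:06:43.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Matches both the BLOCK and UNBLOCK variants and captures port and VLAN
LOOPGUARD_RE = re.compile(
    r"%SPANTREE-2-LOOPGUARD_(?P<action>BLOCK|UNBLOCK): Loop guard (?:un)?blocking port "
    r"(?P<port>\S+) on (?P<vlan>VLAN\d+)\."
)


def parse_loopguard_events(log_text: str) -> list:
    """Return (action, port, vlan) tuples for every loop guard syslog line, in order."""
    events = []
    for line in log_text.splitlines():
        m = LOOPGUARD_RE.search(line)
        if m:
            events.append((m.group("action"), m.group("port"), m.group("vlan")))
    return events


def inconsistent_ports(log_text: str) -> set:
    """Replay the events to find (vlan, port) pairs still Loop Inconsistent at the end."""
    blocked = set()
    for action, port, vlan in parse_loopguard_events(log_text):
        key = (vlan, port)
        if action == "BLOCK":
            blocked.add(key)
        else:
            blocked.discard(key)   # UNBLOCK clears the earlier BLOCK for that port
    return blocked


if __name__ == "__main__":
    for vlan, port in sorted(inconsistent_ports(SAMPLE_LOG)):
        print(f"ALERT: {port} on {vlan} is loop inconsistent (check BPDU path / UDLD)")
```

The same replay works on a live syslog feed, with the remaining set compared against sh span inconsistentports on the switch.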
Conclusion
STP loop guard is an enhancement that provides protection against the creation of a loop at layer 2. It relies on the receipt of BPDUs. If no BPDUs are received on a blocked port, it is not allowed to transition to the forwarding state. This prevents a loop from occurring. Also, the root port will be put into an inconsistency state when BPDUs are no longer received. This also prevents a loop, because now another port will move to the forwarding state. When BPDUs are received again, the port is unblocked by loop guard and converges as usual.
I hope you found this little walkthrough of STP loop guard useful.