Spanning Tree Loop Guard

Modern implementations of Spanning Tree such as RSTP and MST include several loop prevention mechanisms to stop misbehaving hardware from forming switching loops. Loop Guard is one of those STP enhancements, designed specifically to protect against, you guessed it, loops. More specifically, loops caused by links that unexpectedly become unidirectional while the interface stays up.

Unidirectional Loop Basics

Let’s first walk through how legacy STP would respond to a unidirectional link without Loop Guard protections. In the diagram below, all three switches are working as expected. The Root Bridge is sending BPDUs to SW2 and SW3. SW3 is receiving BPDUs directly from the Root Bridge and forwarded BPDUs from SW2. All is well.

Normal STP Operation


Loop Phase 1: Sudden BPDU Loss

What happens if the link between SW2 and SW3 becomes unidirectional? In this example, let’s assume the transmit pair on SW2 fails or is cut, so that SW3 is suddenly unable to receive BPDUs from SW2 even though the interface remains up.

Loop Phase 1: BPDUs Stop

Loop Phase 2: All-Forwarding Loop

At this point SW3 has stopped receiving BPDUs on its blocking port, but the link is still up, so it keeps using the last BPDU it stored until the MaxAge timer expires (20 seconds by default). When that BPDU ages out, SW3 assumes it is now the designated switch for the segment and moves the port through listening and learning into forwarding. All switch trunks are now in forwarding state, and a switching loop has formed.


Loop Phase 2: Spanning Tree All-Forwarding Loop Forms

Spanning Tree Loop Guard Protection

When a Root or Alternate port stops receiving BPDUs while its link stays up, Loop Guard steps in at the point where the stored BPDU would otherwise age out: instead of letting the port become Designated and move to forwarding, it places the port (for that VLAN) into the loop-inconsistent blocking state. Loop Guard’s logic is that a point-to-point port which stops receiving BPDUs without the interface going down is evidence of a unidirectional link, and a port in that condition must not be allowed to forward. By preventing the transition to Designated, the loop scenario is averted.

A port in loop-inconsistent state recovers automatically: as soon as a BPDU is received on it again, Loop Guard takes the port out of loop-inconsistent state and normal STP processing resumes. No manual intervention is required.

Loop Guard Configuration

Loop Guard is disabled by default and can be enabled globally or on a per-port basis. Keep in mind that Loop Guard’s behavior only affects the local switch; no other switch in the environment needs to be configured for Loop Guard for it to work properly. Two caveats: the interface-level spanning-tree guard command takes a single keyword, so Loop Guard and Root Guard are mutually exclusive on the same port, and Loop Guard is not supported on PortFast-enabled ports.

Global Configuration

Loop Guard is applied globally using the spanning-tree loopguard default command from global configuration mode. Doing so applies Loop Guard protection to all Root and Alternate ports on point-to-point STP links.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#spanning-tree loopguard default

Interface Configuration

Loop Guard can be configured at the interface level using the spanning-tree guard loop command. This enables Loop Guard on the port regardless of whether it is a shared or point-to-point link, and overrides the global default for that port (spanning-tree guard none turns it back off).

SW1(config)#int gig1/0/10
SW1(config-if)#spanning-tree guard loop

When enabled on a trunk, Loop Guard operates per VLAN rather than per physical port (per spanning-tree instance in PVST+ and Rapid PVST+, per MST instance under MST). For example, if a trunk is configured to pass traffic for VLANs 100-109 and BPDUs stop being received only on VLAN 109, the port transitions to loop-inconsistent state only for VLAN 109. The port remains operationally active for all other VLANs.
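The following session ties the configuration above to the unidirectional failure in the diagrams and to the checks a practitioner runs afterwards. It is an added illustration, not a capture from the original post: the switch name SW3, interface GigabitEthernet1/0/10, VLAN range 100-109, timing and every line of command and syslog output are constructed for the example. The output layouts follow what IOS prints for these commands, but the specific values are assumptions.

```cisco
! --- Enable Loop Guard on every non-designated point-to-point port (assumed switch SW3)
SW3#configure terminal
SW3(config)#spanning-tree loopguard default
! Explicit per-interface setting on the uplink toward SW2 (assumed interface).
! "spanning-tree guard" takes one keyword, so this also rules out Root Guard on the port.
SW3(config)#interface GigabitEthernet1/0/10
SW3(config-if)#spanning-tree guard loop
SW3(config-if)#end

! --- Check that the global default took effect
SW3#show spanning-tree summary | include Loopguard
Loopguard Default            is enabled

! --- Constructed syslog when BPDUs stop arriving on VLAN 109 only (SW2 transmit pair fails).
! Loop Guard acts when the stored BPDU ages out, not the instant the first BPDU is missed.
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet1/0/10 on VLAN0109.

! --- Only VLAN 109 is loop-inconsistent; VLANs 100-108 keep forwarding on the same trunk
SW3#show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0109             GigabitEthernet1/0/10    Loop Inconsistent

Number of inconsistent ports (segments) in the system : 1

! BKN* with *LOOP_Inc marks a port that Loop Guard is holding in blocking for this VLAN
SW3#show spanning-tree vlan 109 interface GigabitEthernet1/0/10
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0109         Altn BKN*4         128.10   P2p *LOOP_Inc

! --- Recovery is automatic once a BPDU is received again on VLAN 109 (constructed syslog)
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet1/0/10 on VLAN0109.
```

If the LOOPGUARD_BLOCK message appears and never pairs with a matching LOOPGUARD_UNBLOCK, the link is genuinely unidirectional and the physical path (transceiver, fiber pair, patch panel) needs attention; Loop Guard has contained the problem to one VLAN on one port, but it has not fixed it.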

Author Aaron

Aaron knows networks. He's been involved in building and supporting world-class data networks for the past 10 years - from international cloud service providers to Fortune 50 data centers. Aaron consults independently and is focused on building the best training platform available.
