Modern implementations of Spanning Tree like RSTP+ and MST include several different loop prevention mechanisms to stop misbehaving hardware from forming switching loops. Loop Guard is one of those STP enhancements designed specifically to protect against, you guessed it, loops. More specifically, loops from ports that unintentionally go unidirectional.
Unidirectional Loop Basics
Let’s first walk through how legacy STP would respond to a unidirectional link without Loop Guard protections. In the diagram below, all three switches are working as expected. The Root Bridge is sending BPDUs to SW2 and SW3. SW3 is receiving BPDUs directly from the Root Bridge and forwarded BPDUs from SW2. All is well.
Loop Phase 1: Sudden BPDU Loss
What happens if the link between SW2 and SW3 becomes unidirectional? In this example, let’s assume the transmit pair on SW2 fails or is cut, leaving SW3 suddenly unable to receive BPDUs from SW2.
Loop Phase 2: All-Forwarding Loop
SW3 will now wait for the MaxAge timer to expire (20 seconds by default) before transitioning its blocking interface to forwarding. All switch trunks are then in the forwarding state, and a switching loop has formed.
Spanning Tree Loop Guard Protection
When a Root or Alternate port experiences a sudden loss of BPDUs, Loop Guard immediately transitions the port to loop-inconsistent blocking state. Loop Guard’s logic assumes that any trunk port that stops receiving BPDUs without the interface going down is evidence of a unidirectional link condition. By preventing the port from transitioning to Designated, the loop scenario is averted.
Once a port is placed into loop-inconsistent state, Loop Guard will bring the port out of the state automatically after BPDUs are received on the port again.
Loop Guard Configuration
Loop Guard is disabled by default and can be enabled globally or on a per-port basis. Keep in mind that Loop Guard’s policies and behavior only affect the local switch. Loop Guard doesn’t require any other switches in the environment to be configured for Loop Guard to work properly.
Loop Guard is applied globally using the spanning-tree loopguard default command from global configuration mode. Doing so applies Loop Guard protection to all Root and Alternate ports on point-to-point STP links.
Loop Guard can be configured at the interface level using the spanning-tree guard loop command. This enables Loop Guard on the port regardless of whether it is a shared or point-to-point link.
When enabled, Loop Guard protects trunk links on a per-VLAN basis. For example, if a trunk is configured to pass traffic for VLANs 100-109 and BPDUs stop being received only on VLAN 109, the port would transition to loop-inconsistent state only for VLAN 109. The port would remain operationally active for all other VLANs.
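The behavior described above can be traced with a small model. This is an added example, not Cisco's implementation: the TrunkPort class, the simulate and loop_seconds helpers, and the BPDU-loss timeline are constructed for illustration, and the model ignores listening/learning states and assumes a BPDU arrives every second on a healthy VLAN.

```python
# Simplified per-VLAN model of one Alternate (blocking) trunk port.
# Added example with constructed timings; not a full STP state machine.
MAX_AGE = 20  # seconds, the default quoted in the article


class TrunkPort:
    def __init__(self, vlans, loop_guard):
        self.loop_guard = loop_guard
        self.state = {v: "blocking" for v in vlans}
        self.last_bpdu = {v: 0 for v in vlans}

    def receive_bpdu(self, vlan, now):
        self.last_bpdu[vlan] = now
        # A superior BPDU restores the Alternate role. With Loop Guard this
        # is the automatic recovery from loop-inconsistent state.
        self.state[vlan] = "blocking"

    def tick(self, now):
        """Age out stored BPDU information; the link itself stays up."""
        for vlan, seen in self.last_bpdu.items():
            if now - seen < MAX_AGE or self.state[vlan] != "blocking":
                continue
            # Without Loop Guard the port becomes Designated and forwards.
            self.state[vlan] = (
                "loop-inconsistent" if self.loop_guard else "forwarding")


def simulate(loop_guard):
    """Constructed scenario: VLAN 109 loses BPDUs from t=6 through t=34."""
    vlans = range(100, 110)
    port = TrunkPort(vlans, loop_guard)
    history = {}
    for now in range(1, 41):
        for vlan in vlans:
            if vlan != 109 or now <= 5 or now >= 35:
                port.receive_bpdu(vlan, now)
        port.tick(now)
        history[now] = dict(port.state)
    return history


def loop_seconds(history):
    """Seconds during which any VLAN on the blocked port was forwarding."""
    return sum(1 for s in history.values() if "forwarding" in s.values())


if __name__ == "__main__":
    for guard in (False, True):
        h = simulate(guard)
        print(guard, h[24][109], h[25][109], h[40][109], loop_seconds(h))
```

With Loop Guard off, VLAN 109 forwards from MaxAge expiry until BPDUs return; with it on, only VLAN 109 goes loop-inconsistent while VLANs 100-108 are unaffected.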