STP Loop Guard is a spanning tree loop prevention mechanism that stops alternate or root ports from becoming designated ports when BPDUs are no longer received. In this lesson, we will learn what Loop Guard is and how to configure it on Cisco switches. This STP lesson is an updated CCNA 200-301 v1.1 topic.
STP Loop Guard is basically a mechanism that prevents layer 2 STP loops in a switching domain. So, when do we need it? Sometimes, because of lost BPDUs (Bridge Protocol Data Units), a port's state changes and this causes an STP loop. To prevent this layer 2 loop, Loop Guard is configured on the switch so that alternate and root ports cannot change their role to designated.
What if no BPDUs (Bridge Protocol Data Units) arrive on an interface where Loop Guard is configured? In that case, the port is placed in the ErrDisabled state.
Suppose you have an STP topology with three switches. The root bridge and port roles are determined and everything is working well. Suddenly, a port stops receiving BPDUs. When you check the cable, you see that it is damaged. At this point, a port that was previously blocking can move to the forwarding state, and this causes a layer 2 loop.
To prevent such layer 2 loops, we use Spanning Tree Loop Guard.
Loop Guard and Root Guard are both layer 2 spanning tree security mechanisms, but there is one main difference between them. Root Guard prevents any new switch from becoming the root bridge in the spanning tree domain, while Loop Guard prevents port state changes caused by BPDU loss on the ports.
On Cisco switches, we can configure STP Loop Guard in two ways. The first one is global configuration and the other one is interface-based configuration.
For global STP Loop Guard configuration on Cisco switches, we use the “spanning-tree loopguard default” command in global configuration mode.
Switch# configure terminal
Switch(config)# spanning-tree loopguard default
To configure STP Loop Guard on a switch interface, we use the “spanning-tree guard loop” command under the interface.
Switch# configure terminal
Switch(config)# interface Gi1/1/7
Switch(config-if)# spanning-tree guard loop
! Placing BPDU filter on Switch’s RP (Gi1/1/7) bridge) triggers loop guard.
There is an important point here. You should not enable STP Loop Guard on ports where PortFast is enabled, because it directly conflicts with the port states.
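As an added example (not part of the original lesson and not Cisco's own tooling), the Python script below audits a saved running-config for the PortFast and Loop Guard combination described above, and lists ports that have neither feature when the global “spanning-tree loopguard default” command is absent. The sample config is constructed, the interface-level “spanning-tree portfast” command is what the script assumes marks a PortFast port, and the “unprotected” heuristic is an assumption meant only to flag ports for review.

```python
import re

# Constructed running-config excerpt for illustration (not from the lesson).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/1/5
 spanning-tree guard loop
!
interface GigabitEthernet1/1/6
 spanning-tree portfast
 spanning-tree guard loop
!
interface GigabitEthernet1/1/7
 switchport mode trunk
!
interface GigabitEthernet1/1/8
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface stanza
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit_loop_guard(config):
    """Flag PortFast/Loop Guard conflicts and ports with no Loop Guard at all."""
    global_lines, interfaces = parse_interfaces(config)
    global_lg = "spanning-tree loopguard default" in global_lines
    report = {"global_loopguard": global_lg, "conflict": [], "unprotected": []}
    for name, cmds in interfaces.items():
        # Assumption: any "spanning-tree portfast ..." line except "disable" enables PortFast.
        portfast = any(re.match(r"spanning-tree portfast(?! disable)", c) for c in cmds)
        loop_guard = "spanning-tree guard loop" in cmds
        if portfast and loop_guard:
            report["conflict"].append(name)      # the combination the text warns against
        elif not portfast and not loop_guard and not global_lg:
            report["unprotected"].append(name)   # non-edge port without Loop Guard: review
    return report
```

Calling `audit_loop_guard(SAMPLE_CONFIG)` returns a dictionary whose `conflict` list holds the interfaces to fix first.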
When a port configured with STP Loop Guard stops receiving BPDUs, it goes into the inconsistent state and does not forward traffic. To see the status of the ports and find the port that is in the loop inconsistent state, we use the “show spanning-tree vlan 1” command.
Switch# show spanning-tree vlan 1 | b Interface
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------
Gi1/1/5             Root FWD 4         128.3    P2p
Gi1/1/6             Desg FWD 4         128.4    P2
Gi1/1/7             Root BKN*4         128.1    P2p *LOOP_Inc
As you can see above, Gi1/1/7 is in the loop inconsistent state. To list the ports in this inconsistent state, we use the “show spanning-tree inconsistentports” command on Cisco switches.
Switch# show spanning-tree inconsistentports
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet1/1/7     Loop Inconsistent
Number of inconsistent ports (segments) in the system : 1
In this lesson, we have learned what Loop Guard is and how to use this STP mechanism to prevent layer 2 loops in an STP domain. There are also other spanning tree mechanisms that we have covered in different STP lessons. To learn more about STP features and to make your switches more secure, you can also view those lessons. STP Loop Guard and the other STP security features are among the topics of the updated CCNA 200-301 v1.1 exam.