CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs -
LAN Switching
STP Loop Guard
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named LAN Switching Initial
Spanning Tree, which can be found in
. Reference the Virtual Routers &
Physical Switches Diagram to complete this task.
Task
Configure Spanning-Tree Loop Guard to prevent unidirectional links from forming on
any of the inter-switch links in the Layer 2 network.
Do not use any interface level commands on SW1 and SW2.
Configuration
SW1 - SW2:
spanning-tree loopguard default
SW3 - SW4:
interface range FastEthernet0/19 - 20
spanning-tree guard loop
!
interface range FastEthernet0/23 - 24
spanning-tree guard loop
Verification
STP Loop Guard is used to prevent STP loops from occurring because of
unidirectional links. This feature is similar to Unidirectional Link Detection (UDLD),
but it uses STP BPDUs to determine whether there is a unidirectional link. Loop
Guard can be enabled globally at the switch level or individually at the port level.
Loop Guard prevents a Non-Designated port from becoming Designated, which makes
it the opposite of Root Guard; for this reason Root Guard and Loop Guard cannot be
active at the same time on the same ports, and enabling both would not make sense.
When Loop Guard is configured globally, the output shows it as enabled on all ports
in the UP state, but it actually monitors only Non-Designated ports.
In normal STP operation in a redundant topology, some links will be designated
forwarding on one end while the other end will be alternate blocking or root
forwarding. If one of these blocking ports erroneously transitions to the forwarding
state, a loop can occur. Specifically, this can happen if there is a unidirectional link
and the blocking port stops receiving the BPDUs that the designated port is sending
(on any given segment BPDUs are sent only by the designated port, unless bridge
assurance is configured, in which case all ports generate BPDUs regardless of state
and role). Loop Guard prevents this by transitioning blocking ports into Loop
Inconsistent state instead of forwarding if BPDUs stop being received from the
designated port.
Just like Root Guard, Loop Guard is enabled per port but takes action on a
per-VLAN level; for example, if a trunk port is in blocking state and stops receiving
BPDUs for VLAN 2 from the designated port on the segment, the switch transitions
the port into Loop Inconsistent only for VLAN 2. The switch automatically recovers
the port from Loop Inconsistent state when it starts receiving BPDUs again and the
STP port state is re-negotiated. Loop Inconsistent is also similar to blocking state, as
no BPDUs are sent outbound, BPDUs are accepted inbound and all received inbound
data frames are dropped.
Verify that Loop Guard is enabled at the global level on SW1 and SW2, but not on
SW3 and SW4:
SW2#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is enabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
<output omitted>
!
!
SW3#show spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short
Verify that Loop Guard is enabled on all ports of SW1, because it was globally
configured:
SW1#show spanning-tree interface fastEthernet0/1 detail
Port 3 (FastEthernet0/1) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 4097, address 0013.605f.f000
Designated bridge has priority 4097, address 0013.605f.f000
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Loop guard is enabled by default on the port
BPDU: sent 1142, received 0
!
!
SW1#show spanning-tree interface fastEthernet0/19 detail | i Port|Loop
Port 21 (FastEthernet0/19) of VLAN0001 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0002 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0005 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0007 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0008 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0009 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0010 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0022 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0043 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0058 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0067 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0079 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Port 21 (FastEthernet0/19) of VLAN0146 is designated forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled by default on the port
Verify that on SW3 and SW4, Loop Guard is enabled at the port level:
SW3#show spanning-tree interface fastEthernet0/19 detail | i Port|Loop
Port 21 (FastEthernet0/19) of VLAN0001 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0002 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0005 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0007 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0008 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0009 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0010 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0022 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0043 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0058 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0067 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0079 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Port 21 (FastEthernet0/19) of VLAN0146 is root forwarding
Port path cost 19, Port priority 128, Port Identifier 128.21.
Loop guard is enabled on the port
Configure BPDU Filter on SW3’s FastEthernet0/19 port, at the port level, which
means SW3 will no longer send outbound BPDUs and will filter all inbound BPDUs.
Although, as seen in the output above, SW1 appears to have Loop Guard enabled on
its FastEthernet0/19 port, this will not cause SW1 to transition the port into Loop
Inconsistent: Loop Guard only monitors Non-Designated ports for the failure to
receive BPDUs, and SW1, being the root bridge, has all ports as Designated
forwarding. It will, however, cause SW3 itself to transition FastEthernet0/19 into
Loop Inconsistent. Initially, SW3’s Root Port was FastEthernet0/19, so the port
was Non-Designated. After BPDU Filter is enabled on the port, inbound BPDUs are
filtered and the port should transition to Designated once max_age expires;
Loop Guard prevents this from happening, and FastEthernet0/20 is elected as
the new Root Port:
SW3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#interface fastEthernet0/19
SW3(config-if)#spanning-tree bpdufilter enable
!
!
SW3#show spanning-tree interface fastEthernet0/19
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0002            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0005            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0007            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0008            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0009            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0010            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0022            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0043            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0058            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0067            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0079            Desg BKN*19        128.21   P2p *LOOP_Inc
VLAN0146            Desg BKN*19        128.21   P2p *LOOP_Inc
!
!
SW3#show spanning-tree interface fastEthernet0/20
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Root FWD 19        128.22   P2p
VLAN0002            Root FWD 19        128.22   P2p
VLAN0005            Root FWD 19        128.22   P2p
VLAN0007            Root FWD 19        128.22   P2p
VLAN0008            Root FWD 19        128.22   P2p
VLAN0009            Root FWD 19        128.22   P2p
VLAN0010            Root FWD 19        128.22   P2p
VLAN0022            Root FWD 19        128.22   P2p
VLAN0043            Root FWD 19        128.22   P2p
VLAN0058            Root FWD 19        128.22   P2p
VLAN0067            Root FWD 19        128.22   P2p
VLAN0079            Root FWD 19        128.22   P2p
VLAN0146            Root FWD 19        128.22   P2p
SW3 will also log messages similar to the following, notifying of the problem:
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/19 on VLAN0001.
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/19 on VLAN0002.
Upon removing BPDU Filter from Fa0/19 of SW3, inbound BPDUs are accepted again,
so SW3 removes the port from Loop Inconsistent state and negotiates the STP port
state and role. Fa0/19 is re-elected as the Root Port:
SW3#show spanning-tree interface fastEthernet0/19
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Root FWD 19        128.21   P2p
VLAN0002            Root FWD 19        128.21   P2p
VLAN0005            Root FWD 19        128.21   P2p
VLAN0007            Root FWD 19        128.21   P2p
VLAN0008            Root FWD 19        128.21   P2p
VLAN0009            Root FWD 19        128.21   P2p
VLAN0010            Root FWD 19        128.21   P2p
VLAN0022            Root FWD 19        128.21   P2p
VLAN0043            Root FWD 19        128.21   P2p
VLAN0058            Root FWD 19        128.21   P2p
VLAN0067            Root FWD 19        128.21   P2p
VLAN0079            Root FWD 19        128.21   P2p
VLAN0146            Root FWD 19        128.21   P2p
SW3 will also log messages similar to the following, notifying that the port was
recovered:
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/19 on VLAN0001.
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/19 on VLAN0002.
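Because Loop Guard blocks and recovers per VLAN, the BLOCK and UNBLOCK messages above can be replayed to find which port/VLAN pairs are still Loop Inconsistent and which ones block repeatedly. The following Python sketch is an added example, not part of the workbook; the sample log is constructed, and the timestamp prefix and %LINK-3-UPDOWN line in it are assumptions used only to show that unrelated text is skipped.

```python
import re
from collections import Counter

# Message text as shown above; anything before '%' (timestamp, host) is ignored.
LOOPGUARD_RE = re.compile(
    r"%SPANTREE-2-LOOPGUARD_(BLOCK|UNBLOCK): "
    r"Loop guard (?:un)?blocking port (\S+) on (VLAN\d+)\."
)

# Constructed sample log (not captured from a device). The timestamp prefix and
# the %LINK-3-UPDOWN line are assumptions added to show that noise is skipped.
SAMPLE_LOG = """\
Mar  1 00:12:01.003: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/19 on VLAN0001.
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/19 on VLAN0002.
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/19 on VLAN0005.
%LINK-3-UPDOWN: Interface FastEthernet0/21, changed state to up
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/19 on VLAN0001.
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/19 on VLAN0002.
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/19 on VLAN0001.
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/19 on VLAN0001.
"""


def replay(lines):
    """Replay log lines in order and return (still_blocked, block_counts).

    still_blocked: {port: sorted VLANs} with a BLOCK and no later UNBLOCK.
    block_counts:  Counter of BLOCK events per (port, VLAN).
    """
    blocked = {}
    block_counts = Counter()
    for line in lines:
        match = LOOPGUARD_RE.search(line)
        if match is None:
            continue  # not a Loop Guard message
        action, port, vlan = match.groups()
        vlans = blocked.setdefault(port, set())
        if action == "BLOCK":
            vlans.add(vlan)
            block_counts[(port, vlan)] += 1
        else:
            # UNBLOCK: BPDUs are being received again for this VLAN
            vlans.discard(vlan)
    still_blocked = {p: sorted(v) for p, v in blocked.items() if v}
    return still_blocked, block_counts


if __name__ == "__main__":
    still_blocked, block_counts = replay(SAMPLE_LOG.splitlines())
    print("Still loop-inconsistent:", still_blocked)
    print("Repeated blocks:", {k: n for k, n in block_counts.items() if n > 1})
```

A port/VLAN pair that stays in the first result has stopped receiving BPDUs and not recovered; a pair with a high block count points to a link that is intermittently unidirectional.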