Loop Guard

1. Introduction to Loop Guard

Loop Guard in STP is a feature designed to mitigate the risks posed by unidirectional links in a Spanning Tree Topology.

You might be asking yourself: “What exactly is a unidirectional link?”
Great question! Let me break it down for you.

What is a unidirectional link?

Figure 1 – Fiber optic links use two fibers for full-duplex communication

Imagine you have a fiber optic link between two switches. Fiber optic cables typically consist of two fibers:

  • One for reception (Rx), which lets you receive traffic on the fiber optic cable
  • One for transmission (Tx), which lets you send your traffic on the fiber optic cable

These two fibers work together to enable two-way communication. However, fiber optic cables can be fragile. If one fiber is broken, you end up with a unidirectional link.

Figure 2 – A unidirectional link occurs when one fiber is broken but interfaces stay up

This means data can flow in only one direction. The real problem?

Your switches might not detect the physical issue. The link will still appear as up/up, even though it’s not functioning properly. Now that you understand how a unidirectional link can occur, let’s move on to why this is a problem for spanning tree protocols (STP).

2. Understanding the Problem

In a typical STP topology:

  • BPDUs are sent from the Root Bridge to other switches via Designated Ports.
  • Non-designated ports receive these BPDUs to determine their role in the topology.

Figure 3 – Normal STP operation with BPDUs received on all ports

What Happens Without Loop Guard?

Now, let’s say the link between SW2 and SW3 is a fiber optic link and one of the fibers is damaged. This unidirectional link will prevent SW3 from sending BPDUs back to SW2.

Figure 4 – A broken fiber causes BPDU loss on the unidirectional link

Without Loop Guard:

  1. SW2’s blocking port G0/1 stops receiving BPDUs.
  2. After the Max Age timer expires (20 seconds), SW2 assumes the designated port on SW3 is dead.
  3. SW2 transitions its blocking port G0/1 into a Designated Port.

Figure 5 – Without Loop Guard, both ports become Designated

If you look at the spanning tree topology, you’ll notice that there are no longer any blocking ports, which could potentially create a loop!

Example of a Spanning Tree Loop

Let me show you how a spanning tree loop can occur:

  1. PC1 sends a broadcast frame to SW1.
  2. SW1 forwards the frame to SW2 and SW3.
  3. Due to the unidirectional link, SW3 cannot send the broadcast frame back to SW2.

Figure 6 – Broadcast traffic is sent from PC1 and propagated by switches

  4. However, SW2 forwards the frame to SW3, which then sends it back to SW1. The frame returns to SW2 and the process repeats, creating a loop.

Figure 7 – Unidirectional link causes a broadcast loop between switches

This loop will severely disrupt your network by causing broadcast storms.

3. How Loop Guard Solves the Problem

To avoid scenarios like unidirectional links causing spanning tree loops, we have a tool in the Spanning Tree Protocol toolkit called Loop Guard.

The Role of Loop Guard

As its name suggests, Loop Guard helps protect your STP topology by preventing loops. It ensures that ports do not transition to the Designated Port role when BPDUs stop being received.

Specifically, a port with Loop Guard enabled is prevented from becoming a designated port after the Max Age timer expires.

Figure 8 – Loop Guard blocks the port and prevents the loop formation

Example with Loop Guard Enabled

Let’s revisit our earlier example to see how Loop Guard works in practice:

  1. Loop Guard is enabled on SW2’s G0/1 port.
  2. If BPDUs stop arriving on this port (due to a unidirectional link for example), the Max Age timer expires.
  3. The port now transitions to the Broken (Loop-Inconsistent) state instead of becoming a designated port.

Figure 9 – Loop Guard blocks the port by putting it in Loop Inconsistent state

In the Broken (Loop-Inconsistent) state:

  • The port is blocked and cannot forward traffic.
  • This effectively prevents a spanning tree loop.

This behavior ensures that no traffic flows through the problematic port, maintaining the stability of the STP topology.

4. Configuring Loop Guard

Let’s configure Loop Guard to protect our STP topology. There are two ways to configure Loop Guard:

  1. Per-Port Configuration
  2. Global Configuration

Loop Guard Per-Port Configuration

We’ll start by enabling Loop Guard on an individual port:

SW2(config)# int g0/1
SW2(config-if)# spanning-tree guard loop

Figure 10 – Enabling Loop Guard on SW2’s G0/1 interface

Verifying the Configuration

To ensure that Loop Guard is correctly configured, use the following command:

SW2# show spanning-tree interface g0/1 detail 
 Port 2 (GigabitEthernet0/1) of VLAN0001 is alternate blocking 
   Port path cost 4, Port priority 128, Port Identifier 128.2.
   Designated root has priority 1, address 505a.4004.6e00
   Designated bridge has priority 28673, address 50d4.8304.7000
   Designated port id is 128.2, designated path cost 4
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   Loop guard is enabled on the port
   BPDU: sent 246, received 59

Now, if the port stops receiving BPDUs and the Max Age timer expires, it transitions to the Loop-Inconsistent state and blocks traffic to prevent a loop.

Figure 11 – Verification of Loop Guard blocking a port in Loop Inconsistent state

We can verify this with the following command:

SW2# show spanning-tree
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------
Gi0/1               Desg BKN*4         128.2    P2p *LOOP_Inc

The port is in the Loop-Inconsistent state.
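A monitoring check for this state, as an added example that is not part of the original tutorial: it parses the interface table printed by show spanning-tree and lists the ports Loop Guard is holding in BKN* / *LOOP_Inc. The Gi0/2 and Gi0/3 rows and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the interface table shown above;
# the Gi0/2 and Gi0/3 rows are invented for contrast.
SAMPLE = """\
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------
Gi0/1               Desg BKN*4         128.2    P2p *LOOP_Inc
Gi0/2               Root FWD 4         128.3    P2p
Gi0/3               Altn BLK 4         128.4    P2p
"""

# Interface, role, three-letter state with optional '*', cost, prio.nbr, type.
# The header and ruler lines fail the [A-Z]{3} state test and are skipped.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>\S+)\s+"
    r"(?P<sts>[A-Z]{3})(?P<flag>\*?)\s*(?P<cost>\d+)\s+"
    r"(?P<prio>\d+\.\d+)\s+(?P<type>.*)$"
)

def parse_rows(text):
    """Return one dict per interface row of the table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            rows.append(m.groupdict())
    return rows

def loop_inconsistent(text):
    """Interfaces currently blocked by Loop Guard (BKN with *LOOP_Inc)."""
    return [r["intf"] for r in parse_rows(text)
            if r["sts"] == "BKN" and "*LOOP_Inc" in r["type"]]

if __name__ == "__main__":
    for intf in loop_inconsistent(SAMPLE):
        print(f"{intf}: Loop-Inconsistent, check the link for a one-way fault")
```

A non-empty result is worth alerting on, since it means a port has stopped receiving BPDUs on a link that still shows as up.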

Disabling Loop Guard on an Interface

To disable Loop Guard on a specific interface, we can use the following command:

SW2(config)# int g0/1
SW2(config-if)# spanning-tree guard none

Loop Guard Global Configuration

To enable Loop Guard globally across all interfaces on the switch:

SW2(config)# spanning-tree loopguard default

5. Automatic Recovery with Loop Guard

One of the great advantages of Loop Guard is its automatic recovery mechanism.

When the issue causing the port to enter the Loop-Inconsistent state is resolved (for example, the unidirectional link is fixed) and the port starts receiving BPDUs again, it will automatically unblock and transition back to its normal STP states without requiring any manual intervention.

Figure 12 – Loop Guard automatically restores the port once BPDUs are received again

This recovery process ensures that once the network issue is resolved, your spanning tree topology can quickly return to a stable state without further configuration.
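The behaviour described in sections 2, 3 and 5, as an added toy model (not code from the original tutorial or from any switch software): one blocking port is replayed second by second, with and without Loop Guard, through a BPDU outage and its repair. The class, function names and timeline are assumptions, and the listening/learning delays are left out.

```python
MAX_AGE = 20  # seconds; the Max Age value quoted on this page

class BlockingPort:
    """Toy model of one non-designated (alternate) port. Listening and
    learning are skipped, so a new designated port forwards at once."""

    def __init__(self, loop_guard):
        self.loop_guard = loop_guard
        self.role, self.state = "Altn", "BLK"
        self.silent_for = 0          # seconds since the last BPDU arrived

    def second(self, bpdu_received):
        """Advance one second and return the resulting (role, state)."""
        if bpdu_received:
            # BPDUs are back: the port returns to its normal blocking
            # role with no operator action (automatic recovery).
            self.silent_for = 0
            self.role, self.state = "Altn", "BLK"
        else:
            self.silent_for += 1
            if self.silent_for >= MAX_AGE:
                if self.loop_guard:
                    # Loop-Inconsistent: still blocked. The role is kept as
                    # the text describes it; IOS prints this as Desg BKN*.
                    self.state = "BKN"
                else:
                    self.role, self.state = "Desg", "FWD"   # loop risk
        return self.role, self.state

def replay(loop_guard, bpdu_timeline):
    """Feed a per-second BPDU timeline; return (second, role, state) changes."""
    port, changes, last = BlockingPort(loop_guard), [], ("Altn", "BLK")
    for t, bpdu in enumerate(bpdu_timeline, start=1):
        now = port.second(bpdu)
        if now != last:
            changes.append((t, *now))
            last = now
    return changes

# Constructed timeline: 5 s of BPDUs, 25 s of silence (fiber broken), repair.
TIMELINE = [True] * 5 + [False] * 25 + [True] * 3

if __name__ == "__main__":
    print("without Loop Guard:", replay(False, TIMELINE))
    print("with Loop Guard:   ", replay(True, TIMELINE))
```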

6. Loop Guard and Root Guard Placement

Now that we’ve covered Loop Guard, let’s recap both Root Guard and Loop Guard to clarify their differences and ensure you know how to apply them correctly in your topology.

Figure 13 – Loop Guard and Root Guard protect the STP topology from loops and rogue root bridges

  • Root Guard: This feature is applied to designated ports to prevent them from becoming root ports, ensuring the Root Bridge remains in its intended location.
  • Loop Guard: This feature is applied to non-designated ports (root ports or alternate ports) to prevent them from transitioning into designated ports when BPDUs are no longer received.

Keep in mind that Root Guard and Loop Guard in STP cannot be enabled on the same port. Each serves a unique purpose and applying both would create a conflict.

7. Conclusion

Loop Guard in STP is an essential tool for preventing spanning tree loops caused by unidirectional links.

By strategically enabling Loop Guard, you can protect your network from broadcast storms and maintain optimal performance. Remember, it’s always better to prevent issues before they occur.