{"id":578,"date":"2017-07-01T17:24:00","date_gmt":"2017-07-01T17:24:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=578"},"modified":"2024-11-17T17:27:55","modified_gmt":"2024-11-17T17:27:55","slug":"loop-guard-concept-and-implementation","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/loop-guard-concept-and-implementation\/","title":{"rendered":"Loop Guard Concept and Implementation"},"content":{"rendered":"

Loop Guard and UDLD (Uni-directional Link Detection) are two ways to protect networks against loops. Loop guard is a spanning-tree optimisation protocol and can work with both Fibre and UTP cables while UDLD only works with fibre and is a layer 1\/2 protocol (unrelated to spanning-tree) that protects the upper layer protocols from causing loops.<\/p>\n

Loop Guard is generally used to protect against a mal-functioned switch. For example, in a normal STP state \u2013 the Root would send BPDU\u2019s into the network every two seconds to discover loops. If a loop is discovered the switch with the highest\u00a0\u201cBridge-ID\u201d\u00a0would block one if its links to prevent the loop, however it will continue to send and receive for BPDUs on that port.<\/p>\n

If for any reason BPDU\u2019s stop coming in on that blocked port from the neighbour device the switch will assume there is no longer a switch attached to that port and transitions the port into a forwarding (Designated) state. This has now caused a loop on the network.<\/p>\n

In reality the switch is still connected on the port and it is due to an issue with the switch itself that it has stopped sending BPDU\u2019s. If a switch malfunctions or the IOS crashes, the switch can continue to forward traffic but it can stop sending and receiving BPDU\u2019s.<\/p>\n

<\/p>\n

How can we protect against this?<\/strong><\/p>\n

We can use Loop Guard to protect the blocked port from transitioning into a forwarding state should the port stop receiving BPDU\u2019s from its neighbour switch.<\/p>\n

Loop Guard says, if I stop receiving BPDU\u2019s on my blocked port \u2013 this means something is wrong therefore I will keep it blocked by placing the port into an\u00a0\u201cLoop Inconsistent\u201d\u00a0mode. Once the issue is resolved I will transition the port back to blocking state automatically.<\/p>\n

Cisco recommends for the configuration to be applied on an interfaces by interfaces basis. Also a point to note would be that you cannot enable both loop guard and root guard at the same time.<\/p>\n

Configuration Example<\/strong><\/p>\n

In the example below we will emulate a malfunction with a switch using\u00a0\u201cBPDU filter\u201d\u00a0and see how the blocked port behaves as it stops receiving BPDUs. We will then configure Loop Guard on an interface basis and again observe the behaviour to ensure it places the blocked into an\u00a0\u201cLoop Consistence\u201d\u00a0state.<\/p>\n

The topology has been setup using GNS 3<\/p>\n

<\/p>\n

Step 1:<\/strong>\u00a0lets have a look at the spanning-tree topology and verify the state of each switch.<\/p>\n

SW-1<\/strong><\/p>\n

#show spanning-tree<\/p>\n

We can see that\u00a0\u201cSW-1\u201d\u00a0is running RSTP and it is the\u00a0\u201cRoot-Bridge\u201d\u00a0with the lowest\u00a0\u201cBridge-ID\u201d. All ports on the\u00a0\u201cRoot\u201d\u00a0are in a forwarding state.<\/p>\n

<\/p>\n

SW-2<\/strong><\/p>\n

#show spanning-tree<\/p>\n

\u201cSW-2\u201d\u00a0is running\u00a0\u201cRSTP\u201d\u00a0and it has identified\u00a0\u201cSW-1\u201d\u00a0as the\u00a0\u201cRoot-Bridge\u201d\u00a0E1\/0 is its\u00a0\u201cRoot Port\u201d\u00a0with the best path to the\u00a0\u201cRoot-Bridge\u201d<\/p>\n

<\/p>\n

SW-3<\/strong><\/p>\n

#show spanning-tree<\/p>\n

\u201cSW-3\u201d\u00a0is also running\u00a0\u201cRSTP\u201d, it has identified\u00a0\u201cSW-1\u201d\u00a0as the\u00a0\u201cRoot-Bridge\u201d, E1\/1 has been elected as the\u00a0\u201cRoot Port\u201d\u00a0and the redundant link on\u00a0\u201cE2\/2\u201d\u00a0is being blocked.<\/p>\n

<\/p>\n

Step 2:<\/strong>\u00a0on\u00a0\u201cSW-3\u201d\u00a0lets enable debugging to have a look at the BPDU\u2019s that are coming in on the blocked port.<\/p>\n

#debug spanning-tree bpdu receive<\/p>\n

We can see that BPDU\u2019s are being received from\u00a0\u201cSW-1\u201d\u00a0on\u00a0\u201cE1\/1\u201d\u00a0and\u00a0\u201cSW-2\u201d\u00a0on\u00a0\u201cE2\/2\u201d\u00a0every 2 seconds. These are being sent by the\u00a0\u201cRoot-Bridge\u201d<\/p>\n

<\/p>\n

Step 3:<\/strong>\u00a0Configure\u00a0\u201cBPDU Filter\u201d\u00a0on\u00a0\u201cSW-2\u201d\u00a0to emulate a malfunction with the device, as BPDU filter is enabled on interface\u00a0\u201cE2\/0\u201d\u00a0the interface will not receive or send BPDU frames, essentially not participating in STP<\/p>\n

#conf t<\/p>\n

#Int e2\/0<\/p>\n

#spanning-tree bpdu filter enable<\/p>\n

<\/p>\n

Step 4:<\/strong>\u00a0lets verify on\u00a0\u201cSW-3\u201d\u00a0that it can no longer see BPDU\u2019s on Interface\u00a0\u201cE2\/2\u201d\u00a0by looking at the debug messages.<\/p>\n

We can only see BPDU\u2019s coming in from\u00a0\u201cSW-1\u201d\u00a0on int\u00a0\u201cE1\/1\u201d\u00a0this is indicating that\u00a0\u201cSW-2\u201d\u00a0has a problem.<\/p>\n

<\/p>\n

Step 5:<\/strong>\u00a0On\u00a0\u201cSW-3\u201d\u00a0Lets take a look at the state of interface\u00a0\u201cE2\/2\u201d\u00a0which was previously blocking.<\/p>\n

#show spanning-tree<\/p>\n

As suspected interface\u00a0\u201cE2\/2\u201d\u00a0should now be forwarding, STP assumes that there is no longer a switch plugged into this port so it transitions it to a forwarding state. This has now caused a loop.<\/p>\n

<\/p>\n

Step 6:<\/strong>\u00a0Remove the BPDU filter configuration from interface\u00a0\u201cE2\/0\u201d\u00a0on\u00a0\u201cSW-2\u201d\u00a0so that the port is blocked by spanning-tree again<\/p>\n

#no spanning-tree bpdufilter enable<\/p>\n

<\/p>\n

Step 7:<\/strong>\u00a0lets configure\u00a0\u201cLoop Guard\u201d\u00a0on\u00a0\u201cSW-3\u201d\u00a0and protect against the failure<\/p>\n

#conf t<\/p>\n

#int e2\/2<\/p>\n

#spanning-tree guard loop<\/p>\n

<\/p>\n

Step 8:<\/strong>\u00a0re-enable BPDU Filter on interface\u00a0\u201cE2\/0\u201d\u00a0on\u00a0\u201cSW-2\u201d\u00a0to replicate a switch malfunction once again.<\/p>\n

#spanning-tree bpdufilter enable<\/p>\n

<\/p>\n

On\u00a0\u201cSW-3\u201d\u00a0we can see that interface\u00a0\u201cE2\/2\u201d\u00a0has realised its not receiving any BPDU\u2019s on a port that was previously blocked by STP therefore it has placed the port into a loop in-consistence state to prevent a loop.<\/p>\n

<\/p>\n

If we take a look at the spanning-tree topology, we can see the port has been placed into a\u00a0\u201cLoop In-consistence\u201d\u00a0state<\/p>\n

#show spanning-tree<\/p>\n

<\/p>\n

Step 9:<\/strong>\u00a0lets now remove BPDU filter on int\u00a0\u201c2\/0\u201d\u00a0on\u00a0\u201cSW-2\u201d\u00a0to emulate the issue has been resolved with the malfunctioned switch<\/p>\n

#no spanning-tree bpdufilter enable<\/p>\n

<\/p>\n

We can see on\u00a0\u201cSW-3\u201d\u00a0that Loop Guard has started receiving BPDU\u2019s on int\u00a0\u201cE2\/2\u201d\u00a0and has now restored the port back to a STP blocking state.<\/p>\n

<\/p>\n

<\/p>\n

Global configuration<\/strong><\/p>\n

To configure Loop Guard globally enter the following:<\/p>\n

#conf t<\/p>\n

#spanning-tree loopguard default<\/p>\n

<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Loop Guard and UDLD (Uni-directional Link Detection) are two ways to protect networks against loops. Loop guard is a spanning-tree optimisation protocol and can work<\/p>\n","protected":false},"author":1,"featured_media":598,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,9],"tags":[14,66,65,23],"class_list":["post-578","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-switching","tag-bpdu","tag-loop-guard","tag-spanning-tree-2","tag-stp"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=578"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/578\/revisions"}],"predecessor-version":[{"id":599,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/578\/revisions\/599"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/598"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}