• Loop Guard
The Loop Guard feature provides an additional layer of protection against the Layer 2 forwarding loops (STP loops) by preventing alternative or root ports from becoming designated ports because of a failure resulting in a unidirectional link. This feature works best when enabled on all switches across a network. By default, the spanning tree does not send BPDUs on root or alternative ports.
The Loop Guard feature can be enabled by using the spanning-tree loopguard default global configuration command.
---
interface Port-channel1
switchport
switchport access vlan 112
switchport mode access
load-interval 30
spanning-tree guard loop
end
show spanning-tree int po 1 detail
Port 641 (Port-channel1) of MST00 is root forwarding
Port path cost 10000, Port priority 128, Port Identifier 128.641.
Designated root has priority 24576, address 001e.4961.4000
Designated bridge has priority 24576, address 001e.4961.4000
Designated port id is 128.1667, designated path cost 0
Timers: message age 4, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default, Internal
Loop guard is enabled on the port
BPDU: sent 3, received 5163410
Port 641 (Port-channel1) of MST01 is root forwarding
Port path cost 10000, Port priority 128, Port Identifier 128.641.
Designated root has priority 24577, address 001e.4961.4000
Designated bridge has priority 24577, address 001e.4961.4000
Designated port id is 128.1667, designated path cost 0
Timers: message age 4, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default, Internal
Loop guard is enabled on the port
BPDU: sent 3, received 5163410
---
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml#loop_guard
• STP Loop Guard
▶ Feature Description
The STP loop guard feature provides additional protection against Layer 2 forwarding loops (STP loops). An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs.When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop.
The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.
When the loop guard blocks an inconsistent port, this message is logged:
- CatOS
%SPANTREE-2-LOOPGUARDBLOCK: No BPDUs were received on port 3/2 in vlan 3. Moved to loop-inconsistent state.
- Cisco IOS
%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port FastEthernet0/24 on VLAN0050.
- CatOS
%SPANTREE-2-LOOPGUARDUNBLOCK: port 3/2 restored in vlan 3.
- Cisco IOS
%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port FastEthernet0/24 on VLAN0050.
Switch A is the root switch. Switch C does not receive BPDUs from switch B due to unidirectional link failure on the link between switch B and switch C.
Without loop guard, the STP blocking port on switch C transitions to the STP listening state when the max_age timer expires, and then it transitions to the forwarding state in two times the forward_delay time. This situation creates a loop.
With loop guard enabled, the blocking port on switch C transitions into STP loop-inconsistent state when the max_age timer expires. A port in STP loop-inconsistent state does not pass user traffic, so a loop is not created. (The loop-inconsistent state is effectively equal to blocking state.)
▶ Configuration Considerations
The loop guard feature is enabled on a per-port basis. However, as long as it blocks the port on the STP level, loop guard blocks inconsistent ports on a per-VLAN basis (because of per-VLAN STP). That is, if BPDUs are not received on the trunk port for only one particular VLAN, only that VLAN is blocked (moved to loop-inconsistent STP state). For the same reason, if enabled on an EtherChannel interface, the entire channel is blocked for a particular VLAN, not just one link (because EtherChannel is regarded as one logical port from the STP point of view).On which ports should the loop guard be enabled? The most obvious answer is on the blocking ports. However, this is not totally correct. Loop guard must be enabled on the non-designated ports (more precisely, on root and alternate ports) for all possible combinations of active topologies. As long as the loop guard is not a per-VLAN feature, the same (trunk) port might be designated for one VLAN and non-designated for the other. The possible failover scenarios should also be taken into account.
Consider this example:
By default, loop guard is disabled. This command is used to enable loop guard:
- CatOS
set spantree guard loop
Console> (enable) set spantree guard loop 3/13 Enable loopguard will disable rootguard if it's currently enabled on the port(s). Do you want to continue (y/n) [n]? y Loopguard on port 3/13 is enabled. - Cisco IOS
spanning-tree guard loop Router(config)#interface gigabitEthernet 1/1 Router(config-if)#spanning-tree guard loop
Issue this command in order to enable loop guard globally:
- CatOS
Console> (enable) set spantree global-default loopguard enable - Cisco IOS
Router(config)#spanning-tree loopguard default
- CatOS
Console> (enable) set spantree guard none
- Cisco IOS
Router(config-if)#no spanning-tree guard loop
- CatOS
Console> (enable) set spantree global-default loopguard disable - Cisco IOS
Router(config)#no spanning-tree loopguard default
- CatOS
show spantree guard
Console> (enable) show spantree guard 3/13 Port VLAN Port-State Guard Type ------------------------ ---- ------------- ---------- 3/13 2 forwarding loop Console> (enable) - Cisco IOS
show spanning-tree Router#show spanning-tree summary Switch is in pvst mode Root bridge for: none EtherChannel misconfig guard is enabled Extended system ID is disabled Portfast Default is disabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is enabled UplinkFast is disabled BackboneFast is disabled Pathcost method used is short Name Blocking Listening Learning Forwarding STP Active ---------------------- -------- --------- -------- ---------- ---------- Total 0 0 0 0 0
▶ Loop Guard versus UDLD
Loop guard and Unidirectional Link Detection (UDLD) functionality overlap, partly in the sense that both protect against STP failures caused by unidirectional links. However, these two features differ in functionality and how they approach the problem. This table describes loop guard and UDLD functionality:| Functionality | Loop Guard | UDLD |
|---|---|---|
| Configuration | Per-port | Per-port |
| Action granularity | Per-VLAN | Per-port |
| Autorecover | Yes | Yes, with err-disable timeout feature |
| Protection against STP failures caused by unidirectional links | Yes, when enabled on all root and alternate ports in redundant topology | Yes, when enabled on all links in redundant topology |
| Protection against STP failures caused by problems in the software (designated switch does not send BPDU) | Yes | No |
| Protection against miswiring. | No | Yes |
Based on the various design considerations, you can choose either UDLD or the loop guard feature. In regards to STP, the most noticeable difference between the two features is the absence of protection in UDLD against STP failures caused by problems in software. As a result, the designated switch does not send BPDUs. However, this type of failure is (by an order of magnitude) more rare than failures caused by unidirectional links. In return, UDLD might be more flexible in the case of unidirectional links on EtherChannel. In this case, UDLD disables only failed links, and the channel should remain functional with the links that remain. In such a failure, the loop guard puts it into loop-inconsistent state in order to block the whole channel.
Additionally, loop guard does not work on shared links or in situations where the link has been unidirectional since the link-up. In the last case, the port never receives BPDU and becomes designated. Because this behaviour could be normal, this particular case is not covered by loop guard. UDLD provides protection against such a scenario.
As described, the highest level of protection is provided when you enable UDLD and loop guard.
No comments:
Post a Comment