CCIE 400-101: Layer 2 Technologies - Loop Guard, Root Guard

Brief Summary of Port Roles

  • Internally, STP assigns to each switch port a role that is based on configuration, topology, relative position of the port in the topology, and other considerations. The port role defines the behavior of the port from the STP point of view. 
  • Based on the port role, the port either sends or receives STP BPDUs and forwards or blocks the data traffic. 
  • This list provides a brief summary of each STP port role:
    • Designated—One designated port is elected per link (segment). The designated port is the port closest to the root bridge. This port sends BPDUs on the link (segment) and forwards traffic towards the root bridge. In an STP converged network, each designated port is in the STP forwarding state.
    • Root—The switch can have only one root port. The root port is the port that leads to the root bridge. In an STP converged network, the root port is in the STP forwarding state.
    • Alternate—Alternate ports lead to the root bridge, but are not root ports. The alternate ports maintain the STP blocking state.
    • Backup—This is a special case when two or more ports of the same switch are connected together, directly or through shared media. In this case, one port is designated, and the remaining ports block. The role for this port is backup.

Loop Guard

  • When a redundant (blocking) port no longer receives BPDUs, STP assumes that the topology is loop free. Eventually, the blocking port (alternate or backup port) becomes designated and moves to a forwarding state. This situation creates a loop.
  • The loop guard feature makes additional checks. 
  • If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. 
  • Once a BPDU is received again on a port in the loop-inconsistent STP state, the port transitions back into the STP forwarding state, as determined by the received BPDU. Recovery is therefore automatic and no intervention is necessary.
  • Loop guard must be enabled on the non-designated ports (more precisely, on root and alternate ports) for all possible combinations of active topologies.
  • Loop guard can only be enabled on point-to-point links.
  • Loop guard does not work with PortFast or root guard.
  • Loop guard and UDLD functionality overlap.
  • Both protect against STP failures caused by unidirectional links.
  • The highest level of protection is provided when both UDLD and loop guard are enabled.
  • The loop guard feature is enabled on a per-port basis. However, because it blocks at the STP level, loop guard marks inconsistent ports on a per-VLAN basis (a consequence of per-VLAN STP). That is, if BPDUs are not received on the trunk port for one particular VLAN, only that VLAN is blocked (moved to a loop-inconsistent STP state).
  • For the same reason, if enabled on an EtherChannel interface, the entire channel is blocked for a particular VLAN, not just one link (because EtherChannel is regarded as one logical port from the STP point of view).
  • By default, loop guard is disabled. You can configure loop guard globally (global config mode: spanning-tree loopguard default) or on a per-port basis (interface config mode: spanning-tree guard loop).
  • If you enable loop guard globally, then it is effectively enabled on all point-to-point links. A point-to-point link is detected by the duplex status of the link. If duplex is full, the link is considered point-to-point. It is possible to configure, or override, global settings on a per-port basis.

spanning-tree loopguard default
interface FastEthernet0/22
 spanning-tree guard loop

Switch#show spanning-tree interface Fa0/22 detail
 Port 22 (FastEthernet0/22) of VLAN0001 is alternate blocking
   Port path cost 19, Port priority 128, Port Identifier 128.22.
   Designated root has priority 24577, address 0018.1820.2700
   Designated bridge has priority 28673, address 000d.bc91.7900
   Designated port id is 128.22, designated path cost 19
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   Loop guard is enabled on the port
   BPDU: sent 2, received 796
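The show output above is what an operator reads by hand; the following is an added example (not from the original notes or from Cisco) that parses `show spanning-tree interface ... detail` output for several ports and audits it against the placement rules listed in this section: loop guard belongs on root and alternate ports, and only on point-to-point links. The sample output is constructed; its first block mirrors the Fa0/22 output shown above, while the Fa0/23 and Fa0/24 blocks are invented to trigger the two findings.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of 'show spanning-tree interface <if> detail'.
# The Fa0/22 block is the one from the notes; Fa0/23 and Fa0/24 are made up
# so that each audit rule fires once.
SAMPLE_OUTPUT = """\
 Port 22 (FastEthernet0/22) of VLAN0001 is alternate blocking
   Port path cost 19, Port priority 128, Port Identifier 128.22.
   Designated root has priority 24577, address 0018.1820.2700
   Designated bridge has priority 28673, address 000d.bc91.7900
   Designated port id is 128.22, designated path cost 19
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   Loop guard is enabled on the port
   BPDU: sent 2, received 796
 Port 23 (FastEthernet0/23) of VLAN0001 is root forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.23.
   Link type is point-to-point by default
   BPDU: sent 1, received 801
 Port 24 (FastEthernet0/24) of VLAN0001 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.24.
   Link type is shared by default
   Loop guard is enabled on the port
   BPDU: sent 802, received 0
"""


@dataclass
class PortDetail:
    name: str
    vlan: str
    role: str            # designated / root / alternate / backup
    state: str           # forwarding / blocking / listening / learning
    point_to_point: bool
    loop_guard: bool
    bpdu_sent: int
    bpdu_received: int


# First line of every per-port block: "Port N (Name) of VLANxxxx is <role> <state>"
HEADER = re.compile(
    r"^\s*Port \d+ \((?P<name>\S+)\) of (?P<vlan>VLAN\d+) is (?P<role>\w+) (?P<state>\w+)"
)
BPDU = re.compile(r"BPDU: sent (?P<sent>\d+), received (?P<recv>\d+)")


def parse_detail(text):
    """Split the output into one PortDetail per 'Port ...' block."""
    ports = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = PortDetail(m["name"], m["vlan"], m["role"], m["state"],
                                 False, False, 0, 0)
            ports.append(current)
            continue
        if current is None:
            continue  # text before the first port block
        if "Link type is point-to-point" in line:
            current.point_to_point = True
        elif "Loop guard is enabled" in line:
            current.loop_guard = True
        else:
            b = BPDU.search(line)
            if b:
                current.bpdu_sent = int(b["sent"])
                current.bpdu_received = int(b["recv"])
    return ports


def audit(ports):
    """Apply the loop guard placement rules from the notes; returns (port, finding) pairs."""
    findings = []
    for p in ports:
        tag = f"{p.name}/{p.vlan}"
        # Rule: loop guard must be enabled on root and alternate (non-designated) ports.
        if p.role in ("root", "alternate") and not p.loop_guard:
            findings.append((tag, "non-designated port without loop guard"))
        # Rule: loop guard can only be enabled on point-to-point links.
        if p.loop_guard and not p.point_to_point:
            findings.append((tag, "loop guard on a link that is not point-to-point"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_detail(SAMPLE_OUTPUT)):
        print(f"{port}: {finding}")
```

Feed it the concatenated output of `show spanning-tree interface <if> detail` for every uplink of a switch and the audit lists the ports that still need `spanning-tree guard loop` before a unidirectional-link failure can turn a blocking port into a forwarding one.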

Root Guard

  • The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position. But there is no guarantee against a switch with a priority of 0 and a lower MAC address.
  • The root guard feature provides a way to enforce the root bridge placement in the network.
  • The root guard ensures that the port on which root guard is enabled is the designated port.
  • If the bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state, which is effectively equal to a listening state. No traffic is forwarded across this port.
  • Root guard is mutually exclusive with loop guard.
  • Root guard is used on designated ports, and it does not allow the port to become non-designated. Loop guard works on non-designated ports and does not allow the port to become designated through the expiration of MaxAge.
  • When loop guard is configured on the port, it disables root guard configured on the same port.
  • You must enable root guard (spanning-tree guard root) on all ports where the root bridge should not appear.

DSW1(config)# interface Ethernet0/0
DSW1(config-if)# spanning-tree guard root

%SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/0

  • If superior BPDUs are detected, the port is put in the root inconsistent state.

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/0 on VLAN0001.

  • The show spanning-tree inconsistentports command verifies that the Ethernet0/0 interface is in the root inconsistent state.

DSW2# show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             Ethernet0/0              Root Inconsistent

Number of inconsistent ports (segments) in the system : 1

  • The port will recover from the root inconsistent state when it stops receiving superior BPDUs.

%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet0/0 on VLAN0001.
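The BLOCK and UNBLOCK syslog messages above are the signal a monitoring system should track, since a port sitting in the root-inconsistent state means another switch is advertising itself as root on a port where that is not allowed. The following is an added example, not code from the original notes or from Cisco, that keeps a per-VLAN, per-port table of inconsistent ports from those messages and reconciles it against the `show spanning-tree inconsistentports` table shown above. The ROOTGUARD messages are the ones on the page; the LOOPGUARD messages in the sample are assumed to follow the same format, and all sample lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Messages of the shape shown in the notes, e.g.
#   %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/0 on VLAN0001.
#   %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet0/0 on VLAN0001.
# Assumption: LOOPGUARD_BLOCK / LOOPGUARD_UNBLOCK use the same layout.
GUARD_EVENT = re.compile(
    r"%SPANTREE-2-(?P<guard>ROOT|LOOP)GUARD_(?P<action>BLOCK|UNBLOCK):"
    r".*?port (?P<port>\S+) on (?P<vlan>VLAN\d+)\."
)

# Rows of 'show spanning-tree inconsistentports', e.g.
#   VLAN0001             Ethernet0/0              Root Inconsistent
INCONSISTENT_ROW = re.compile(
    r"^(?P<vlan>VLAN\d+)\s+(?P<port>\S+)\s+(?P<kind>Root|Loop) Inconsistent\s*$"
)

# Constructed sample syslog stream (CONFIG_CHANGE is not a block/unblock event).
SAMPLE_SYSLOG = [
    "%SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port Ethernet0/0",
    "%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/0 on VLAN0001.",
    "%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Ethernet0/0 on VLAN0010.",
    "%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port Ethernet0/0 on VLAN0010.",
    "%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet0/1 on VLAN0001.",
]

# Constructed 'show spanning-tree inconsistentports' output matching the stream above.
SAMPLE_SHOW = """\
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             Ethernet0/0              Root Inconsistent
VLAN0001             Ethernet0/1              Loop Inconsistent

Number of inconsistent ports (segments) in the system : 2
"""


@dataclass
class GuardState:
    # (vlan, port) -> "root" or "loop"
    blocked: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

    def apply_syslog(self, line):
        """Update the table from one syslog line; returns the event or None."""
        m = GUARD_EVENT.search(line)
        if not m:
            return None
        key = (m["vlan"], m["port"])
        guard = m["guard"].lower()
        if m["action"] == "BLOCK":
            self.blocked[key] = guard
        else:
            self.blocked.pop(key, None)
        event = (key, guard, m["action"])
        self.history.append(event)
        return event

    def load_show_output(self, text):
        """Replace the table with the switch's own view from 'show spanning-tree inconsistentports'."""
        self.blocked = {}
        for line in text.splitlines():
            m = INCONSISTENT_ROW.match(line.strip())
            if m:
                self.blocked[(m["vlan"], m["port"])] = m["kind"].lower()
        return dict(self.blocked)

    def reconcile(self, show_text):
        """Ports present in one view but not the other point to a missed or late syslog message."""
        seen = GuardState().load_show_output(show_text)
        return {
            "only_in_syslog": sorted(set(self.blocked) - set(seen)),
            "only_in_show": sorted(set(seen) - set(self.blocked)),
        }


def demo():
    state = GuardState()
    for line in SAMPLE_SYSLOG:
        state.apply_syslog(line)
    return state


if __name__ == "__main__":
    s = demo()
    print("blocked:", s.blocked)
    print("reconcile:", s.reconcile(SAMPLE_SHOW))
```

The syslog-derived table is the live alert source; the periodic reconcile against the switch's own `show spanning-tree inconsistentports` output catches dropped messages, so an Ethernet0/0 that is still root-inconsistent is not silently forgotten after a missed UNBLOCK.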


References

  • STP Enhancements Using Loop Guard and BPDU Skew Detection Features
  • STP Root Guard Enhancement