Cisco Support Community

Home

what is loopguard , BPDUguard , Rootguard ?

Answered Question

vinodjad1234 Oct 4th, 2010

Hi,
I am always confused about these three concepts.
I just want to know the basic understanding of this three features of STP.
where should i use and which mode i can configure this ?
I referred cisco website for the same but still not cleared about it ............
Please share the knowledge . It would be great help for getting cleared this concepts
....................
I have this problem too
0 votes
1
2
3
4
5
Overall Rating: 4.7 (8 ratings)

Replies

Collapse all

Recent replies last

anasather_147 Fri, 12/25/2015 - 08:44

Does he mean to say "...If the port is NOT receiving BPDUs, the loop guard feature puts the
port into an inconsistent state until it starts receiving BPDUs again...."
Thanks

See More
1
2
3
4
5
Overall Rating: 0 (0 ratings)

rajasha.cisco Fri, 06/07/2013 - 02:58

Hi Vinod
is it possible to list the commands for the Loop,BPDU,Root guard ? It is will be helpful if we
summarize it here.
Thanks,
Sha

See More
1
2
3
4
5
Overall Rating: 0 (0 ratings)

InayathUlla Sharieff Fri, 06/07/2013 - 04:43

Hi Raja,
Here is the configuration:
Loopguard:
SW1----G1/1---------------G1/1 SW2

go to the respective switches and configure the cmd under the interface.
spanning-tree guard loop

Sw1(config)#interface gigabitEthernet 1/1

Sw1(config-if)#spanning-tree guard loop

2)
Root Guard:
Cat-IOS# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Cat-IOS#(config)# interface fastethernet 3/1

Cat-IOS#(config-if)# spanning-tree guard root
Example of this:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

3)
BPDU Guard: We suggest you to enable bpduguard at the global level so that it gets
automatically inherited to the port-fast/access port configuation.
conf t
spanning-tree portfast bpduguard

HTH
Regards
Inayath
*PLz rate all usefull posts.

See More
1
2
3
4
5
Overall Rating: 4 (2 ratings)

rajasha.cisco Fri, 06/07/2013 - 04:51

Got it. Thank you Sharieff !

See More
1
2
3
4
5
Overall Rating: 0 (0 ratings)

Calin Chiorean Mon, 10/04/2010 - 04:49

Hello
Loopguard, BPDUguard and Rootguard are Spanning-Tree enhancements. Since STP is more a
LAN topic than a WAN one, this thread should be opened there. Just to know for future
questions related to STP
To explain here how each of this features work, would mean to either copy / paste from
Cisco.com or to write about 5-10 pages to really capture of all aspects, which is a high effort
for this topic which is explained very well at Cisco.com
Maybe you didn't found the right documentation, so here are some links that explain clear and
straightforward how this features work:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
<- Loopguard
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
<- BPDUguard
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
<- Root Guard
These explanations comes with example. Please study them and then if you have something
which is unclear you can ask here.
Good luck!
Calin

See More
1
2
3
4
5
Overall Rating: 0 (0 ratings)

vinodjad1234 Mon, 10/04/2010 - 05:01

Hi Calin,

As you said , this should be queried in LAN switching topic but i did not get any reply from
that forum , i have sent from want routing forum .....

you have sent proper link for my understanding ... thanks for that
But i was looking for a real scenario where somebody has configured the same.
I want to know ... where which STP enhacement feature to be enabled ?
this is somewhat confusing for me ................
I will just go through it and raise the query in case i have any doubt about it.
Thanks for your rapid response.

See More
1
2
3
4
5
Overall Rating: 0 (0 ratings)

InayathUlla Sharieff Fri, 06/07/2013 - 04:37

HI Vinod,
Okay,

Let me give it a try:

1)LoopGuard: Spanning Tree Loop Guard helps to prevent loops when you use fibre links. Fibre links
have a transmit and receive connector. If one of these links fails it's possible that interfaces that are
currently in "blocking" mode go to forwarding. This might cause a loop. Loop guard will ensure that if a
blocked interface no longer receives BPDUs from the other side that it will be shut down to prevent a
layer 2 loop.

Taking 3 switchs as a example: connecting in a triangle.

SW1
___|________
|

Sw2 T0/1---T0/2 SW3

Hence consider the above topology one of the link will be block.
think SW1 is the Root bridge hence the port T0/2 will be in blocking state.( To have the
loopfree topology)

It works similar to UDLD feature. The Sw2 and Sw3 is connected through fiber cable, One end
would be tx and other end would be rx.
As you know that blocked port would be recieving the BPDU's. what happens when it stopped
reciving the BPDU's? (Considering the example that there is some issue with the fiber cable
and Tx is haiving issue hence port T0/2 is not reciving it hence it waits for the max age timer
to expire after which the port transition from Blocking to forwarding mode which is not
supposed to hence there would be loop. Hence when you confiugre the loopguard/udld then
the port would go blocked.
Hence it is layer 1 cable issue STP would not be able to detect it automatically, hence you
would use the loopguard feature.

2) ROOT-GUARD

Root guard for spanning tree can be used to prevent a certain switch from becoming the root
bridge. Even if you receive a superior BPDU from another switch, root guard will prevent that
switch from becoming the root bridge.

SW1
___|_f01___
|
Sw2

|
SW3

In the above topology SW2 is root bridge for VLan 10 and you dont want any other switch in
the network to become the root bridge for this vlan 10 other than SW2.

What you need to do is configure root guard feature on F0/1 of SW1. What happens in this
case if if by mistake or intentionally someone configure SW3 to be root bridge for vlan 10 (by
lowering the priority) SW1 will put the ports into root-inconsistent port hence this BPDU will not
have any affect. It will through you the error in the log.

3) BPDU-GUARD
Spanning Tree BPDU guard ensures that an interface will be error disabled as soon as you
receive a BPDU on it. This is useful on access ports where you shouldn't expect any BPDUs and
will protect your switched network.

Access-Port-------------------F0/1 Switch

\BPDU guard goes hand in hand with Port-FAst.

Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is
received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs.
Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the
connection of an unauthorized device, and the BPDU guard feature puts the port in the errordisabled state. When this happens, the switch shuts down the entire port on which the
violation occurred.

EG: If in case someone connect the bridge or switch to the ACcess port which has port-fast
configured then there are chances that the bpdu get leaked in to the network, hence to
prevent that you confiugre the BDPU guard.
When you configure the BPDU Guard the port when it sees the BPDU it put that respective port
into error-disabled .

Hope this helps. We always recommend customer to have this configuration on there devices
to prevent any type of STP issues and it works quite well which would prevent your network
from behaving abnormally and makes your life bit easier.
Regards
Inayath
*Plz rate if this information is helpfull.

See More
1
2
3
4
5
Overall Rating: 5 (3 ratings)

Correct Answer

shivlu jain Mon, 10/04/2010 - 04:25

Loopguard:- Unidirectional link failures may cause a root port or alternate port to become
designated as root if BPDUs are absent. Some software failures may introduce temporary loops
in the network. The loop guard feature checks if a root port or an alternate root port receives
BPDUs. If the port is receiving BPDUs, the loop guard feature puts the port into an inconsistent
state until it starts receiving BPDUs again.

BPDU Guard:-BPDUGuard enables on access port which helps the switches to put the port in
shut down mode once it receives the superior BPDU. e.g. In case of metro ethernet, SP puts
switches at customer building and make that switch ar root bridge. Now imagine if some other
customer switch sends a superior BPDU then the STP need to be converged again and lead of
serious issues.
Rootguard:- It is enabled on the designated ports of root switch, so that if those ports listen to
the superior BPDU then put that port in inconsistent state.
regards
Shivlu Jain
http://www.mplsvpn.info

See More
1
2
3
4
5
Overall Rating: 5 (3 ratings)

https://supportforums.cisco.com/discussion/11008016/what-loopguard-bpduguard-rootguard