cisco support community - what is loopguard bpduguard rootguard - 2010-10-04

8/16/2019 Cisco Support Community - What is Loopguard Bpduguard Rootguard - 2010-10-04

1/11

Cisco Support Community

Home

what is loopguard , BPDUguard , Rootguard ?Answered Question

vinodjad1234 Oct 4th, 2010

Hi,

I am always confused about these three concepts.

I just want to know the basic understanding of this three features of STP.

where should i use and which mode i can configure this ?

I referred cisco website for the same but still not cleared about it ............

Please share the knowledge . It would be great help for getting cleared this concepts

....................

I have this problem too

0 votes

1

2

3

4

5

Overall Rating: 4.7 (8 ratings)

Replies

Collapse all

https://supportforums.cisco.com/https://supportforums.cisco.com/users/vinodjad1234https://supportforums.cisco.com/flag/flag/cisco_problem_node/11008016?destination=printpdf/11008016&token=obecCepz6zS96rJg5pSODlX1WW4CrNJWyg4G7qUSWIwhttps://supportforums.cisco.com/#https://supportforums.cisco.com/#https://supportforums.cisco.com/flag/flag/cisco_problem_node/11008016?destination=printpdf/11008016&token=obecCepz6zS96rJg5pSODlX1WW4CrNJWyg4G7qUSWIwhttps://supportforums.cisco.com/users/vinodjad1234https://supportforums.cisco.com/


2/11

Recent replies last

anasather_147 Fri, 12/25/2015 - 08:44

Does he mean to say "...If the port is NOT receiving BPDUs, the loop guard feature puts the

port into an inconsistent state until it starts receiving BPDUs again...."

Thanks

See More

1

23

4

5

Overall Rating: 0 (0 ratings)

https://supportforums.cisco.com/discussion/11008016/what-loopguard-bpduguard-rootguard?recent=0https://supportforums.cisco.com/users/anasather147http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/printpdf/11008016?rate=WHLdC-PlIGPojXfgABycnarXAIN1y6dog4VRTdwTdbIhttps://supportforums.cisco.com/printpdf/11008016?rate=2fuq_z2ONjQYHq0U28BA2co4oZ1AOqqUGYfDYF_qtrEhttps://supportforums.cisco.com/printpdf/11008016?rate=4AAMh2uKikaIk0a0TESItrOgnEhQ7WUexnUInSoRNTUhttps://supportforums.cisco.com/printpdf/11008016?rate=B6gbN1GPW4KBOkD_hYidhQuWVWStuIBpDUhvmVQxYjkhttps://supportforums.cisco.com/printpdf/11008016?rate=GcC-xBFkXKQetkFm77GkdMHURVnvBJ1z6a5cL7FvzE8https://supportforums.cisco.com/printpdf/11008016?rate=GcC-xBFkXKQetkFm77GkdMHURVnvBJ1z6a5cL7FvzE8https://supportforums.cisco.com/printpdf/11008016?rate=B6gbN1GPW4KBOkD_hYidhQuWVWStuIBpDUhvmVQxYjkhttps://supportforums.cisco.com/printpdf/11008016?rate=4AAMh2uKikaIk0a0TESItrOgnEhQ7WUexnUInSoRNTUhttps://supportforums.cisco.com/printpdf/11008016?rate=2fuq_z2ONjQYHq0U28BA2co4oZ1AOqqUGYfDYF_qtrEhttps://supportforums.cisco.com/printpdf/11008016?rate=WHLdC-PlIGPojXfgABycnarXAIN1y6dog4VRTdwTdbIhttp://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/users/anasather147https://supportforums.cisco.com/discussion/11008016/what-loopguard-bpduguard-rootguard?recent=0


3/11

rajasha.cisco Fri, 06/07/2013 - 02:58

Hi Vinod

is it possible to list the commands for the Loop,BPDU,Root guard ? It is will be helpful if we

summarize it here.

Thanks,

Sha

See More

1

2

3

4

5


https://supportforums.cisco.com/printpdf/11008016?rate=20lXUR4KVUA7VpLgYwvr67RhcdyeD_79R0qq1XcF3Bwhttps://supportforums.cisco.com/printpdf/11008016?rate=R9pM9IfkggZk1KOyQ0_lsQPyi0y4yaZB2Tfy6nQA3Hohttps://supportforums.cisco.com/printpdf/11008016?rate=FjJM2aXVBFPqilfdkgcqsTLsBBXWUckaFYG_q1IQM2Yhttps://supportforums.cisco.com/printpdf/11008016?rate=2sJLTdm3GeTsKdoc_N8lYlGyquAmQsW6NVaxVRcPB38https://supportforums.cisco.com/printpdf/11008016?rate=C3_r-YMuaQZR5PQooCKajwX1DKXVKHY-DmPhTIy_PK4http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/users/rajashacisco


4/11

InayathUlla Sharieff Fri, 06/07/2013 - 04:43

Hi Raja,

Here is the configuration:

Loopguard:

SW1----G1/1---------------G1/1 SW2

go to the respective switches and configure the cmd under the interface.

spanning-tree guard loop

Sw1(config)#interface gigabitEthernet 1/1

Sw1(config-if)#spanning-tree guard loop

2)

Root Guard:

Cat-IOS# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Cat-IOS#(config)# interface fastethernet 3/1

Cat-IOS#(config-if)# spanning-tree guard root

Example of this:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml

3)

BPDU Guard: We suggest you to enable bpduguard at the global level so that it gets

automatically inherited to the port-fast/access port configuation.

conf t

spanning-tree portfast bpduguard

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtmlhttp://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtmlhttps://supportforums.cisco.com/users/insharie


5/11

HTH

Regards

Inayath

*PLz rate all usefull posts.

See More

1

2

3

4

5


rajasha.cisco Fri, 06/07/2013 - 04:51

Got it. Thank you Sharieff !

See More

1

2

3

45


Calin Chiorean Mon, 10/04/2010 - 04:49

http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/printpdf/11008016?rate=5gP9hl5d0W9dOpNQJpYrnzgJkO0yDxLTmdikWqRHLs0https://supportforums.cisco.com/printpdf/11008016?rate=Vowt7ZOzY8iblSxYgWvdkna7O-LLn5MW4MQzzdYtYFQhttps://supportforums.cisco.com/printpdf/11008016?rate=Azq5-ZaH687rGAcmJKaRoDK_o4-1Fj-fommXs7eSAQYhttps://supportforums.cisco.com/printpdf/11008016?rate=sHDQnf5z-xUqpXUWIp4-gqbqnQDW79GhDNA8LI8AZkEhttps://supportforums.cisco.com/printpdf/11008016?rate=pCHkuwRvuweHutpN64COXtDcFHrWv-3jYsuT_PR_KIUhttps://supportforums.cisco.com/users/rajashaciscohttp://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/printpdf/11008016?rate=wLBRCJze5PcxYT74WyvO1kKpISMNSF3_ScLcBDZZQ7ghttps://supportforums.cisco.com/printpdf/11008016?rate=HzIWdh20-06fsSbaWZtPwfjYGJMlVZfmx5Idboc-t7ghttps://supportforums.cisco.com/printpdf/11008016?rate=blV5QJoo_-X6BHvIJV5KoqSfm55yNje7D_ZhfIadzDYhttps://supportforums.cisco.com/printpdf/11008016?rate=TQ-ja15TPQqsH6YMoVZCxZmphamPZM3BES_cRVGgSb8https://supportforums.cisco.com/printpdf/11008016?rate=urc-e_W5saRUWNmnr7n0pfpD2vDOicb6V-707mMBspEhttps://supportforums.cisco.com/users/chioreancalinhttps://supportforums.cisco.com/users/chioreancalinhttps://supportforums.cisco.com/printpdf/11008016?rate=urc-e_W5saRUWNmnr7n0pfpD2vDOicb6V-707mMBspEhttps://supportforums.cisco.com/printpdf/11008016?rate=TQ-ja15TPQqsH6YMoVZCxZmphamPZM3BES_cRVGgSb8https://supportforums.cisco.com/printpdf/11008016?rate=blV5QJoo_-X6BHvIJV5KoqSfm55yNje7D_ZhfIadzDYhttps://supportforums.cisco.com/printpdf/11008016?rate=HzIWdh20-06fsSbaWZtPwfjYGJMlVZfmx5Idboc-t7ghttps://supportforums.cisco.com/printpdf/11008016?rate=wLBRCJze5PcxYT74WyvO1kKpISMNSF3_ScLcBDZZQ7ghttp://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/users/rajashaciscohttps://supportforums.cisco.com/printpdf/11008016?rate=pCHkuwRvuweHutpN64COXtDcFHrWv-3jYsuT_PR_KIUhttps://supportforums.cisco.com/printpdf/11008016?rate=sHDQnf5z-xUqpXUWIp4-gqbqnQDW79GhDNA8LI8AZkEhttps://supportforums.cisco.com/printpdf/11008016?rate=Azq5-ZaH687rGAcmJKaRoDK_o4-1Fj-fommXs7eSAQYhttps://supportforums.cisco.com/printpdf/11008016?rate=Vowt7ZOzY8iblSxYgWvdkna7O-LLn5MW4MQzzdYtYFQhttps://supportforums.cisco.com/printpdf/11008016?rate=5gP9hl5d0W9dOpNQJpYrnzgJkO0yDxLTmdikWqRHLs0http://supportforums.cisco.com/printpdf/11008016#


6/11

Hello

Loopguard, BPDUguard and Rootguard are Spanning-Tree enhancements. Since STP is more a

LAN topic than a WAN one, this thread should be opened there. Just to know for future

questions related to STP

To explain here how each of this features work, would mean to either copy / paste from

Cisco.com or to write about 5-10 pages to really capture of all aspects, which is a high effort

for this topic which is explained very well at Cisco.com

Maybe you didn't found the right documentation, so here are some links that explain clear and

straightforward how this features work:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml


7/11

vinodjad1234 Mon, 10/04/2010 - 05:01

Hi Calin,

As you said , this should be queried in LAN switching topic but i did not get any reply from

that forum , i have sent from want routing forum .....

you have sent proper link for my understanding ... thanks for that

But i was looking for a real scenario where somebody has configured the same.

I want to know ... where which STP enhacement feature to be enabled ?

this is somewhat confusing for me ................

I will just go through it and raise the query in case i have any doubt about it.

Thanks for your rapid response.

See More

1

2

3

4

5


InayathUlla Sharieff Fri, 06/07/2013 - 04:37

HI Vinod,

Okay,

https://supportforums.cisco.com/users/vinodjad1234http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/printpdf/11008016?rate=oZ7q-btTzdUS1xtRgHnk6WO9Wbs0lvCzbLhpoedaqf4https://supportforums.cisco.com/printpdf/11008016?rate=Yhtw4yS1zpsojPm0g74GtuucTiMBozZhrhO0_u1gf9Yhttps://supportforums.cisco.com/printpdf/11008016?rate=sGKBIPsJionrM-lZmDd3O6jBwqc0wsqMBSgpekTDb3khttps://supportforums.cisco.com/printpdf/11008016?rate=LtJtu4m-PHisY2J7ZtsJbUkB5KCwsfEzOJmAs4A8WRUhttps://supportforums.cisco.com/users/inshariehttps://supportforums.cisco.com/users/inshariehttps://supportforums.cisco.com/printpdf/11008016?rate=Iaj6-pQOhAI33bMnF1sAT8byjNO2u-7ljOslWarUKmwhttps://supportforums.cisco.com/printpdf/11008016?rate=LtJtu4m-PHisY2J7ZtsJbUkB5KCwsfEzOJmAs4A8WRUhttps://supportforums.cisco.com/printpdf/11008016?rate=sGKBIPsJionrM-lZmDd3O6jBwqc0wsqMBSgpekTDb3khttps://supportforums.cisco.com/printpdf/11008016?rate=Yhtw4yS1zpsojPm0g74GtuucTiMBozZhrhO0_u1gf9Yhttps://supportforums.cisco.com/printpdf/11008016?rate=oZ7q-btTzdUS1xtRgHnk6WO9Wbs0lvCzbLhpoedaqf4http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/users/vinodjad1234


8/11

Let me give it a try:

1)LoopGuard: Spanning Tree Loop Guard helps to prevent loops when you use fibre links. Fibre links

have a transmit and receive connector. If one of these links fails it's possible that interfaces that are

currently in "blocking" mode go to forwarding. This might cause a loop. Loop guard will ensure that if a

blocked interface no longer receives BPDUs from the other side that it will be shut down to prevent a

layer 2 loop.

Taking 3 switchs as a example: connecting in a triangle.

SW1

___|________

| |

Sw2 T0/1---T0/2 SW3

Hence consider the above topology one of the link will be block.

think SW1 is the Root bridge hence the port T0/2 will be in blocking state.( To have the

loopfree topology)

It works similar to UDLD feature. The Sw2 and Sw3 is connected through fiber cable, One end

would be tx and other end would be rx.

As you know that blocked port would be recieving the BPDU's. what happens when it stopped

reciving the BPDU's? (Considering the example that there is some issue with the fiber cable

and Tx is haiving issue hence port T0/2 is not reciving it hence it waits for the max age timer

to expire after which the port transition from Blocking to forwarding mode which is not

supposed to hence there would be loop. Hence when you confiugre the loopguard/udld then

the port would go blocked.

Hence it is layer 1 cable issue STP would not be able to detect it automatically, hence you

would use the loopguard feature.

2) ROOT-GUARD

Root guard for spanning tree can be used to prevent a certain switch from becoming the root

bridge. Even if you receive a superior BPDU from another switch, root guard will prevent thatswitch from becoming the root bridge.


9/11

SW1

___|_f01___

| |

Sw2 SW3

In the above topology SW2 is root bridge for VLan 10 and you dont want any other switch in

the network to become the root bridge for this vlan 10 other than SW2.

What you need to do is configure root guard feature on F0/1 of SW1. What happens in this

case if if by mistake or intentionally someone configure SW3 to be root bridge for vlan 10 (by

lowering the priority) SW1 will put the ports into root-inconsistent port hence this BPDU will not

have any affect. It will through you the error in the log.

3) BPDU-GUARD

Spanning Tree BPDU guard ensures that an interface will be error disabled as soon as you

receive a BPDU on it. This is useful on access ports where you shouldn't expect any BPDUs and

will protect your switched network.

Access-Port-------------------F0/1 Switch

\BPDU guard goes hand in hand with Port-FAst.

Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is

received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs.

Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the

connection of an unauthorized device, and the BPDU guard feature puts the port in the error-

disabled state. When this happens, the switch shuts down the entire port on which the

violation occurred.

EG: If in case someone connect the bridge or switch to the ACcess port which has port-fast

configured then there are chances that the bpdu get leaked in to the network, hence to

prevent that you confiugre the BDPU guard.

When you configure the BPDU Guard the port when it sees the BPDU it put that respective port

into error-disabled .


10/11

Hope this helps. We always recommend customer to have this configuration on there devices

to prevent any type of STP issues and it works quite well which would prevent your network

from behaving abnormally and makes your life bit easier.

Regards

Inayath

*Plz rate if this information is helpfull.

See More

1

2

3

45


http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/printpdf/11008016?rate=y1GeEQD_cPYRF5qUT5z7SwHbGRDZba4pnORfLqlNdgwhttps://supportforums.cisco.com/printpdf/11008016?rate=pME6u0o3-M_ihhzH_kmatjBzsf2YhDpt60RIHwhH8a8https://supportforums.cisco.com/printpdf/11008016?rate=nJzKRaWfAXzUVutxKt_uPalF1Sf9oJIx9b5yK40EdA8https://supportforums.cisco.com/printpdf/11008016?rate=oKm9fUnvHH_G2z9YCFBvT3xmrr-UX6id11hOJHQUQ1Uhttps://supportforums.cisco.com/printpdf/11008016?rate=iROzA8GzjFWJwSmsQNOJbvVvFWN-msPfOTthdGEQSrwhttps://supportforums.cisco.com/printpdf/11008016?rate=iROzA8GzjFWJwSmsQNOJbvVvFWN-msPfOTthdGEQSrwhttps://supportforums.cisco.com/printpdf/11008016?rate=oKm9fUnvHH_G2z9YCFBvT3xmrr-UX6id11hOJHQUQ1Uhttps://supportforums.cisco.com/printpdf/11008016?rate=nJzKRaWfAXzUVutxKt_uPalF1Sf9oJIx9b5yK40EdA8https://supportforums.cisco.com/printpdf/11008016?rate=pME6u0o3-M_ihhzH_kmatjBzsf2YhDpt60RIHwhH8a8https://supportforums.cisco.com/printpdf/11008016?rate=y1GeEQD_cPYRF5qUT5z7SwHbGRDZba4pnORfLqlNdgwhttp://supportforums.cisco.com/printpdf/11008016#


11/11

Correct Answer

shivlu jain Mon, 10/04/2010 - 04:25

Loopguard:- Unidirectional link failures may cause a root port or alternate port to becomedesignated as root if BPDUs are absent. Some software failures may introduce temporary loops

in the network. The loop guard feature checks if a root port or an alternate root port receives

BPDUs. If the port is receiving BPDUs, the loop guard feature puts the port into an inconsistent

state until it starts receiving BPDUs again.

BPDU Guard:-BPDUGuard enables on access port which helps the switches to put the port in

shut down mode once it receives the superior BPDU. e.g. In case of metro ethernet, SP puts

switches at customer building and make that switch ar root bridge. Now imagine if some other

customer switch sends a superior BPDU then the STP need to be converged again and lead of

serious issues.

Rootguard:- It is enabled on the designated ports of root switch, so that if those ports listen to

the superior BPDU then put that port in inconsistent state.

regards

Shivlu Jain

http://www.mplsvpn.info

See More

1

2

3

4

5


https://supportforums.cisco.com/discussion/11008016/what-loopguard-bpduguard-rootguard
http://supportforums.cisco.com/printpdf/11008016#https://supportforums.cisco.com/printpdf/11008016?rate=XP_nvaVwAau2qZtrWuY2p1EKTKPTfzSg8QNXfDTYDgkhttps://supportforums.cisco.com/printpdf/11008016?rate=k4FEC8Wy7qmqpd8lm94pUzk_mcM91iU3qRnMqfS8Pfwhttps://supportforums.cisco.com/printpdf/11008016?rate=KdTv6EeVU4axuhoxQytZ-65Q0e_BVnsBT8clmcbAt6ghttps://supportforums.cisco.com/printpdf/11008016?rate=sTVajVZej4EIlpMen6jpK7_g7wValsxwO4-8ci9DILshttps://supportforums.cisco.com/printpdf/11008016?rate=gmaf3MktKS_NB9FaJa4QADzvud_zfpRptT6XfXyXBSwhttps://supportforums.cisco.com/users/shivluhttps://supportforums.cisco.com/printpdf/11008016?rate=gmaf3MktKS_NB9FaJa4QADzvud_zfpRptT6XfXyXBSwhttps://supportforums.cisco.com/printpdf/11008016?rate=sTVajVZej4EIlpMen6jpK7_g7wValsxwO4-8ci9DILshttps://supportforums.cisco.com/printpdf/11008016?rate=KdTv6EeVU4axuhoxQytZ-65Q0e_BVnsBT8clmcbAt6ghttps://supportforums.cisco.com/printpdf/11008016?rate=k4FEC8Wy7qmqpd8lm94pUzk_mcM91iU3qRnMqfS8Pfwhttps://supportforums.cisco.com/printpdf/11008016?rate=XP_nvaVwAau2qZtrWuY2p1EKTKPTfzSg8QNXfDTYDgkhttp://supportforums.cisco.com/printpdf/11008016#http://www.mplsvpn.info/https://supportforums.cisco.com/users/shivlu

cisco support community - what is loopguard bpduguard rootguard - 2010-10-04

Documents