Loop Guard - Cisco Nexus 9000 Series Configuration Manual

Loop Guard

Loop Guard
Loop Guard helps prevent bridging loops that could occur because of a unidirectional link failure on a
point-to-point link.
An STP loop occurs when a blocking port in a redundant topology erroneously transitions to the forwarding
state. Transitions are usually caused by a port in a physically redundant topology (not necessarily the blocking
port) that stops receiving BPDUs.
When you enable Loop Guard globally, it is useful only in switched networks where devices are connected
by point-to-point links. On a point-to-point link, a designated bridge cannot disappear unless it sends an
inferior BPDU or brings the link down. However, you can enable Loop Guard on shared links per interface,
You can use Loop Guard to determine if a root port or an alternate/backup root port receives BPDUs. If the
port that was previously receiving BPDUs is no longer receiving BPDUs, Loop Guard puts the port into an
inconsistent state (blocking) until the port starts to receive BPDUs again. If such a port receives BPDUs again,
the port—and link—is deemed viable again. The protocol removes the loop-inconsistent condition from the
port, and the STP determines the port state because the recovery is automatic.
Loop Guard isolates the failure and allows STP to converge to a stable topology without the failed link or
bridge. Disabling Loop Guard moves all loop-inconsistent ports to the listening state.
You can enable Loop Guard on a per-port basis. When you enable Loop Guard on a port, it is automatically
applied to all of the active instances or VLANs to which that port belongs. When you disable Loop Guard, it
is disabled for the specified ports.
Enabling Loop Guard on a root device has no effect but provides protection when a root device becomes a
nonroot device.
Root Guard
When you enable Root Guard on a port, Root Guard does not allow that port to become a root port. If a
received BPDU triggers an STP convergence that makes that designated port become a root port, that port is
put into a root-inconsistent (blocked) state. After the port stops receiving superior BPDUs, the port is unblocked
again. Through STP, the port moves to the forwarding state. Recovery is automatic.
When you enable Root Guard on an interface, this functionality applies to all VLANs to which that interface
belongs.
You can use Root Guard to enforce the root bridge placement in the network. Root Guard ensures that the
port on which Root Guard is enabled is the designated port. Normally, root bridge ports are all designated
ports, unless two or more of the ports of the root bridge are connected. If the bridge receives superior BPDUs
on a Root Guard-enabled port, the bridge moves this port to a root-inconsistent STP state. In this way, Root
Guard enforces the position of the root bridge.
You cannot configure Root Guard globally.
Applying STP Extension Features
We recommend that you configure the various STP extension features through your network as shown in this
figure. Bridge Assurance is enabled on the entire network. You should enable either BPDU Guard or BPDU
Filtering on the host interface.
Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide, Release 7.x
156
Configuring STP Extensions Using Cisco NX-OS