Tuesday, October 21, 2008

spanning-tree guard loop





In this post I look at the 'spanning-tree guard loop' command, not to be confused with the similar 'spanning-tree guard root' command, which performs a very different function.


Consider the above topology, where two switches are directly connected via two trunk links. Switch 3 is elected as the root bridge, and as such both trunk links fa0/13 and fa0/15 are Designated Ports. VLAN 258 is running across both trunks.

SW3#s span vlan 258

VLAN0258
Spanning tree enabled protocol ieee
Root ID Priority 33026
Address 0013.80de.b880
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33026 (priority 32768 sys-id-ext 258)
Address 0013.80de.b880
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ---------------
Fa0/13 Desg FWD 19 128.13 P2p
Fa0/14 Desg FWD 19 16.14 P2p




On Switch 2, port fa0/14 is elected as the root port and port fa0/13 is blocked, ensuring a loop-free path at L2.

SW2#s span vlan 258

VLAN0258
Spanning tree enabled protocol ieee
Root ID Priority 33026
Address 0013.80de.b880
Cost 19
Port 14 (FastEthernet0/14)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33026 (priority 32768 sys-id-ext 258)
Address 0013.c34f.5000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- -------------
Fa0/13 Altn BLK 19 128.13 P2p
Fa0/14 Root FWD 19 128.14 P2p




Now consider the scenario where port fa0/13 on Switch 2 stops receiving BPDUs. In this instance spanning tree would re-evaluate the port's role and, as a result, would make the port a designated port! In the above topology this creates an L2 loop!

To put this to the test I applied the command 'spanning-tree bpdufilter enable' on port fa0/13 on Switch 3. This confirmed the expected behaviour, and the ports on my switches lit up like machine-gun fire!! I had created an entertaining L2 loop.

This is precisely the scenario which the command 'spanning-tree guard loop' can prevent. I applied this command on port fa0/13 of Switch 2 and repeated the above test. The resulting port state was then as below:



SW2#s span vlan 258

VLAN0258
Spanning tree enabled protocol ieee
Root ID Priority 33026
Address 0013.80de.b880
Cost 19
Port 14 (FastEthernet0/14)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 33026 (priority 32768 sys-id-ext 258)
Address 0013.c34f.5000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ---------------
Fa0/13 Desg BKN*19 128.13 P2p *LOOP_Inc
Fa0/14 Root FWD 19 128.14 P2p

Instead of moving port fa0/13 to a Designated role, it is moved to the LOOP Inconsistent state. Once I re-enabled BPDUs from Switch 3, the port returned to its normal operation as an Altn BLK port.
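For monitoring, the outputs above can be checked by script. The following Python is an added example, not part of the original post: it parses the interface rows of 'show spanning-tree' output and reports ports held in a broken state such as LOOP_Inc, plus any role or state change between two snapshots. The function names are hypothetical, and the row layout is assumed to match the outputs shown in this post.

```python
import re

# One interface row of 'show spanning-tree' output, e.g.
#   Fa0/13 Desg BKN*19 128.13 P2p *LOOP_Inc
# IOS prints the '*' of a broken port directly against the cost column.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>[A-Z][a-z]+)\s+(?P<sts>[A-Z]{3})\*?"
    r"\s*(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>.+)$"
)

def parse_ports(output):
    """Map (vlan, interface) -> parsed row for every port line in the output."""
    ports, vlan = {}, None
    for line in map(str.strip, output.splitlines()):
        if m := re.fullmatch(r"VLAN(\d+)", line):
            vlan = int(m.group(1))
        elif m := ROW.match(line):
            row = m.groupdict()
            inc = re.search(r"\*(\w+)", row["type"])  # trailing '*NAME' reason
            row["inconsistency"] = inc.group(1) if inc else None
            ports[(vlan, row["intf"])] = row
    return ports

def inconsistent_ports(output):
    """Ports STP is holding in a broken (BKN) state, with the stated reason."""
    return [(vlan, intf, row["inconsistency"])
            for (vlan, intf), row in parse_ports(output).items()
            if row["sts"] == "BKN" or row["inconsistency"]]

def role_changes(before, after):
    """Ports whose (role, state) differs between two snapshots of one switch."""
    old, new = parse_ports(before), parse_ports(after)
    pair = lambda row: (row["role"], row["sts"])
    return {k: (pair(old[k]), pair(new[k]))
            for k in old.keys() & new.keys() if pair(old[k]) != pair(new[k])}

# Sample input: VLAN line and interface table trimmed from the SW2 outputs above.
SW2_NORMAL = """VLAN0258
Interface Role Sts Cost Prio.Nbr Type
Fa0/13 Altn BLK 19 128.13 P2p
Fa0/14 Root FWD 19 128.14 P2p
"""
SW2_GUARDED = """VLAN0258
Interface Role Sts Cost Prio.Nbr Type
Fa0/13 Desg BKN*19 128.13 P2p *LOOP_Inc
Fa0/14 Root FWD 19 128.14 P2p
"""
```

Calling inconsistent_ports(SW2_GUARDED) reports Fa0/13 in VLAN 258 with reason LOOP_Inc, and role_changes(SW2_NORMAL, SW2_GUARDED) shows the same port going from Altn/BLK to Desg/BKN.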
