Loop Guard is an additional STP protection mechanism that prevents Layer 2 loops by disabling a port if it unexpectedly stops receiving BPDUs, rather than allowing it to transition to the Forwarding state.
Unidirectional links are network links where data transmission occurs in only one direction, typically caused by Layer 1 physical issues, and are more common with fiber-optic cables than copper UTP cables.
Fiber-optic connections use two separate fibers (Tx and Rx), and if one fiber is damaged, it can disrupt data flow in one direction while the other remains functional, potentially creating a unidirectional link.
When a port stops receiving BPDUs without Loop Guard, its max age timer expires, and it assumes there's no longer a loop, causing it to become a Designated port and transition to Forwarding—potentially creating a Layer 2 loop.
Loop Guard and Root Guard are mutually exclusive—they cannot be enabled on the same port simultaneously because they serve opposite purposes.
Loop Guard protects Root ports and Non-Designated ports (ports that should receive BPDUs)
Root Guard protects Designated ports (ports that should send BPDUs)
When Loop Guard triggers, the port enters the broken (loop inconsistent) state
The port remains up/up but is blocked by STP (not physically shut down)
Recovery is automatic—when BPDUs resume, the port is re-enabled
More specific configurations (interface-level) override less specific ones (global)
| Term | Definition |
| --- | --- |
| Loop Guard | STP feature that blocks a port if it stops receiving BPDUs unexpectedly |
| Unidirectional Link | A network link where data transmission occurs in only one direction |
| Broken State (Loop Inconsistent) | Port state when Loop Guard is triggered; port is blocked but remains up/up |
| Bidirectional Link | Normal link allowing data transmission in both directions |
| SFP (Small Form-factor Pluggable) | Transceivers used for fiber-optic connections |
| Tx (Transmission) | The sending side of a fiber connection |
| Rx (Reception) | The receiving side of a fiber connection |
Max Age Timer: 20 seconds (default) - time before a port assumes BPDUs are lost
BPDU Hello Interval: 2 seconds
| Purpose | Command | Mode |
| --- | --- | --- |
| Enable Loop Guard per-port | spanning-tree guard loop | Interface config |
| Enable Loop Guard globally | spanning-tree loopguard default | Global config |
| Disable guard on specific port | spanning-tree guard none | Interface config |
| Verify Loop Guard | show spanning-tree interface [int] detail | Privileged EXEC |
| Check port status | show spanning-tree | Privileged EXEC |
Confusing Loop Guard and Root Guard purposes: Loop Guard = Non-Designated/Root ports (receivers); Root Guard = Designated ports (senders)
Thinking Loop Guard prevents unidirectional links: It does NOT prevent them; it only detects and protects against their effects
Forgetting they're mutually exclusive: You cannot have both Loop Guard and Root Guard on the same port
Confusing "broken" states: Loop Guard → "loop inconsistent"; Root Guard → "root inconsistent"
Assuming the port goes down: The port stays up/up; only STP blocks it
"Loop Guard Loves Listeners": Loop Guard goes on ports that LISTEN for BPDUs (Root and Non-Designated ports)
"Root Guard Rules Roots": Root Guard prevents ports from BECOMING Root ports (goes on Designated ports)
"BKN = Broken, LOOP_Inc = Loop Inconsistent": Show command output indicators
"Fiber = Two Fibers, One Problem = Unidirectional": Remember fiber's vulnerability to unidirectional issues
"Specific Beats General": Interface commands override global commands in IOS
        SW1 (Root Bridge)
        /             \
     SW2 ----------- SW3
SW3's port toward SW2 is Non-Designated (Blocking)
If SW2→SW3 fiber breaks (unidirectional), SW3 stops receiving BPDUs
Without Loop Guard: SW3 port becomes Designated → LOOP!
With Loop Guard: SW3 port enters Broken state → No loop
SW3 ports to SW1 and SW2: Loop Guard (receiving BPDUs)
SW3 port to untrusted switch: Root Guard (sending BPDUs)
What is the purpose of Loop Guard?
To protect the network by blocking a port if it unexpectedly stops receiving BPDUs, preventing it from becoming a Designated port and causing a Layer 2 loop.
What is a unidirectional link?
A network link where data transmission occurs in only one direction, typically caused by Layer 1 issues on fiber-optic cables.
Why are unidirectional links more common with fiber-optic than copper cables?
Fiber connections use two separate fibers (Tx and Rx). If one fiber is damaged, it disrupts data flow in one direction while the other remains functional. Fiber is also more vulnerable to physical damage.
What state does a port enter when Loop Guard is triggered?
Broken (loop inconsistent) state - the port is blocked but remains up/up.
What is the command to enable Loop Guard on a specific interface?
spanning-tree guard loop (in interface configuration mode)
What is the command to enable Loop Guard on all ports by default?
spanning-tree loopguard default (in global configuration mode)
Is Loop Guard recovery automatic or manual?
Automatic - when the port starts receiving BPDUs again, it's automatically re-enabled.
On which types of STP ports should Loop Guard be enabled?
Root ports and Non-Designated ports (ports that receive BPDUs from Designated ports).
On which types of STP ports should Root Guard be enabled?
Designated ports (ports that send BPDUs).
Can Loop Guard and Root Guard be enabled on the same port simultaneously?
No, they are mutually exclusive. Configuring one will disable the other.
What happens if Loop Guard is enabled by default and you configure Root Guard on a specific port?
Root Guard takes effect on that port (interface command overrides global command), and Loop Guard is disabled on that specific port.
What do "BKN" and "LOOP_Inc" indicate in show spanning-tree output?
BKN = Broken state; LOOP_Inc = Loop Inconsistent (Loop Guard has blocked the port)
What command verifies Loop Guard is enabled on an interface?
show spanning-tree interface [interface-id] detail
What causes a Layer 2 loop when a unidirectional link exists without Loop Guard?
The switch stops receiving BPDUs, the max age timer expires, the port becomes Designated and starts forwarding, creating a loop.
What is the default max age timer value in STP?
20 seconds
How often are BPDUs sent by default?
Every 2 seconds (Hello timer)
Does a Loop Guard-blocked port go to down/down state?
No, the port remains up/up; only STP blocks it.
What are two possible causes for a port to stop receiving BPDUs?
1) Software bug preventing a switch from sending BPDUs, 2) Hardware issue causing a unidirectional link
In IOS, when global and interface configurations conflict, which takes precedence?
The more specific configuration (interface-level) takes precedence over the less specific (global) configuration.