Solved: Re: Port Security on Truck

rakeshbiradar · ‎07-21-2021

Hey,

On interface truck can we give additional port security with the command "spanning-tree guard loop".

is that recommended STP on the trunk interface?

Regrads

paul driver · ‎07-21-2021

Hello

Spanning-tree isnt port-security , however it is highy recommended to have stp enabled especially when you have trunks

As for loopguard this protect against loops caused by unidirectional links and again is recommended to have this applied at a port or global level, but one caevat to it is it cannot applied to the same port as rootguard as when it is, then rootguard is disabled

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

paul driver · ‎07-21-2021

Hello

Yes it is.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

chesterr · ‎07-21-2021

Make sense when you use fibre-optic uplink. STP loop guard prevents any ATL or root ports from becoming "designated ports". If you use fibre-optic uplink you can consider UDLD too.

View solution in original post

rakeshbiradar · ‎07-21-2021

Kindly solve my confusion

paul driver · ‎07-21-2021

Hello

Spanning-tree isnt port-security , however it is highy recommended to have stp enabled especially when you have trunks

As for loopguard this protect against loops caused by unidirectional links and again is recommended to have this applied at a port or global level, but one caevat to it is it cannot applied to the same port as rootguard as when it is, then rootguard is disabled

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

pieterh · ‎07-21-2021

spanning-tree itself is a mechanism to prevent loops

there is an option you may refer to
Loopguard:- Unidirectional link failures may cause a root port or alternate port to become designated as root if BPDUs are absent. Some software failures may introduce temporary loops in the network. The loop guard feature checks if a root port or an alternate root port receives BPDUs. If the port is receiving BPDUs, the loop guard feature puts the port into an inconsistent state until it starts receiving BPDUs again.

-> it is not meant for port-security

rakeshbiradar · ‎07-21-2021

My simple question is - "spanning-tree guard loop" command recommended on trunk interface where my uplinks are connected.

SWITCH91#sh run int Te1/1/1
Building configuration...

Current configuration : 150 bytes
!
interface TenGigabitEthernet1/1/1
description UPlink_From_CoreSwitch
switchport mode trunk
spanning-tree guard loop
ip dhcp snooping trust
end

paul driver · ‎07-21-2021

Hello

Yes it is.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

chesterr · ‎07-21-2021

Make sense when you use fibre-optic uplink. STP loop guard prevents any ATL or root ports from becoming "designated ports". If you use fibre-optic uplink you can consider UDLD too.

MHM Cisco World · ‎07-21-2021

additional info.

Loop Guard is config in trunk and access port but which one??
the Admin must be know the topology and know that this port is BLK STP status to prevent loop if in some case the BPDU from the connect SW is not receive, so not config under trunk or not but where config it in topology.