Spanning-Tree Bridge Assurance

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(Ray J) #2

Hello Rene,

If I understand Rapid-PVST+ correctly, with rapid-pvst+ configured, it syncs with its neighbors by sending BPDU every hello time interval as a keep alive. Does Bridge assurance play a role with rapid-pvst+? Or by natural it’s not supported in rapid-pvst+ as it’s not needed?


(Lazaros Agapides) #3

Hello Ray

As mentioned by Rene, bridge assurance is only supported by PVRST+ and MST. PVRST+ is the same as Rapid PVST+. So to answer your question, bridge assurance does indeed play a role and it is supported. Note in the following Cisco documentation of the bridge assurance command that it states that it is compatible with Rapid PVST+ and MST.

I hope this has been helpful!


(Ray J) #4

Thanks Laz!

Isn’t BA built-in in PVRST+ ? By defualt, it syncs with its neighbors by sending BPDU every hello time interval as a keep alive. Why do we need a separate command to enable it ?

(Lazaros Agapides) #5

Hello Ray

Depending on the platform, the default state of bridge assurance may differ. On the 6500 series for example, bridge assurance is enabled globally by default and is enabled only on spanning tree network ports that are point to point links. On Nexus switches, it is enabled globally but disabled on individual ports and must be manually enabled.

The feature is specifically used to protect against a unidirectional link failure or other software failure and against a device that may continue to forward data traffic when it is no longer running the spanning tree algorithm.

Now there are times when you may want to disable this feature (or enable it on a port where it is disabled by default). Such instances are if you have a device on the other side of the point to point link that may not support it. If it is enabled only on one side of a link, the port will go into the blocking state.

You can find out more about how it works (at least for the 6500 catalyst platform) at this Cisco Documentation.

I hope this has been helpful!


1 Like
(Lukas E) #6

Hello Rene,

whats the difference between loopguard and bridge assurance?

Thanks a lot.

(Lazaros Agapides) #7

Hello Lukas

In its operation, STP relies on a continuous reception and transmission of BPDUs to determine the port role. Typically, a designated port transmits BPDUs and a non-designated port receives BPDUs.

Now when one of the ports in a redundant topology no longer receives BPDUs, STP believes that the topology is loop free. A blocked port in such a situation would become a designated port and move into ta forwarding state and this creates a loop. Now a topology is especially vulnerable to this when there is a unidirectional failure, that is, that traffic begins to flow only in one direction on a link.

Now loopguard makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into an STP loop-inconsistent blocking state, thus maintaining the loop free topology.

Bridge Assurance adds additional check to this procedure. Specifically, unlike loopguard, BPDUs are sent out of ALL operational network ports wherever it is enabled including alternate and backup ports. Similarly to loopguard, if a port does not receive a BPDU for a specified period, the port moves into an inconsistent state.

This fact allows bridge assurance to perceive situations that loopguard cannot such as:

  1. the fact that loopguard can only be enabled on root and alternate ports and not on designated ports
  2. loopguard is ineffective at detecting a port that has been unidirectional since link-up.

Bridge Assurance causes BPDUs to travel in both directions on all ports verifying health and awareness of switches. In other words, in the worst case scenario, if STP fails for whatever reason, it will fail by blocking rather than by unblocking an port, thus ensuring that a loop is not inadvertently created.

I hope this has been helpful!


(Lukas E) #8

Thanks a lot :slight_smile: this was really helpful

1 Like
(Ignacio R) #9

Hello Lazaros,
your post has been very helpful for me, but I still can come up with a (“2.loopguard is ineffective at detecting a port that has been unidirectional since link-up.”) situation. If you can give an example.
The loop problem come when a block port decide to change to forwarding when it shouldn’t.
The thing is if I have loopguard enable in all my blocked ports ( and root port (non-designated)), whenever they stop receiving bdpu they will go to an inconsistent state.
From my understanding only root or alternate ports are the ones who can change the state, for the same reason they are the ones that not send but receive bdpu, and its where you should have loop guard enable.
Thanks in advance.

(Lazaros Agapides) #10

Hello Ignacio

Such a situation would occur if a fibre optic port is initially connected with only one of the two fibres resulting in unidirectional link from the moment the link goes up. Loopguard will not “kick in” unless both fibres were initially connected and then one of them subsequently failed.

Let’s think about ports that rely on timely arrival of BPDUs to maintain their current role and state. These are root ports, alternate ports and backup ports. Loopguard is especially useful for the alternate and backup ports because these ports are in a discarding state. If they cease to receive BPDUs, they will move into the forwarding state possibly creating a loop.

So, Loopguard should be applied at least to alternate ports. However, because in a per-VLAN environment each trunk port can have various diverse roles or states for individual VLANs, it is good practice to simply configure loopguard on all ports using the global configuration level command spanning-tree loopguard default.

I hope this has been helpful!


1 Like