Description | This article describes how to configure loop protection under FortiSwitch to prevent loops from transitioning to the forwarding state. |
Scope | FortiSwitch. |
Solution |
Loop protection prevents loops caused by blocked ports transitioning to the forwarding state when they connect to network segments where a loop may still be present. When STP converges, only designated ports forward BPDUs down the spanning tree; only non-designated ports (root and blocked ports) process incoming BPDUs. If a blocked port stops receiving BPDUs for longer than the max-age time (20 seconds by default), the port transitions to the forwarding state. Keep in mind that with RSTP and MSTP the ageing time is three times the hello time (6 seconds with the default hello time), and the blocked port is classified as an alternate or backup port.

Now imagine a unidirectional link failure (if either the transmit or the receive pair of a cable fails, the link becomes unidirectional, which can cause spanning tree loops) that affects the BPDUs sent by a designated port to a blocked port while the opposite direction of the link still works. After the blocked port transitions to the forwarding state, it starts forwarding traffic in the working direction, which results in a broadcast storm because of the loop in that direction.

One example is the following image, which shows two switches interconnected through two links. The link from FortiSwitch1 Port1 to FortiSwitch2 Port1 is an alternate link and is therefore blocked by STP. If a unidirectional failure on the alternate link affects the downstream BPDUs, the blocked port on the alternate link eventually transitions to the forwarding state, and broadcasts sent by the PC loop in the network.

Once loop protection is enabled on a port, a blocked port is forced to remain in the blocking state even if it stops receiving BPDUs. The port neither transitions to the forwarding state nor forwards user traffic.
Here is a small example in this topology:
FortiSwitch S248EPTF19-----0 is accessed through the CLI; port 45 is in the Alternative role and Discarding state.
S248EPTF19-----0 # diagnose stp instance list
Port             Speed  Cost       Priority  Role         State       HelloTime  Flags
________________ ______ _________  _________ ___________  __________  _________  _______________
port51           -      200000000  128       DISABLED     DISCARDING  2          ED
port52           -      200000000  128       DISABLED     DISCARDING  2          ED
internal         1G     20000      128       DESIGNATED   FORWARDING  2          ED
4EPTF18004511-0  1G     1          128       ROOT         FORWARDING  2          EN
8EPTF19002841-0  1G     1          128       ALTERNATIVE  DISCARDING  2          EN
Let's configure loop protection on the port:
S248EPTF19-----0 # config switch interface
S248EPTF19-----0 (interface) # edit 8EPTF19002841-0
S248EPTF19-----0 (8EPTF19002841-0) # show full-configuration    <----- Some information is omitted here; only the line confirming that the feature is disabled is shown.
    set stp-loop-protection disabled
S248EPTF19-----0 (8EPTF19002841-0) # set stp-loop-protection enabled
S248EPTF19-----0 (8EPTF19002841-0) # next
S248EPTF19-----0 (interface) # end
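The article recommends enabling loop protection on every root, alternate and backup port rather than on one port at a time. The following helper is an added example (not code from the Fortinet article or from FortiSwitch) that parses the text of diagnose stp instance list, selects the ports in those roles, and generates the CLI block shown above for each of them. The sample output embedded in it is constructed to mirror the table earlier on this page.

```python
# Added example, not part of the Fortinet article: select root, alternate and
# backup ports from "diagnose stp instance list" output and emit the FortiSwitch
# CLI that enables stp-loop-protection on each of them.

# Constructed sample that mirrors the table shown in the article.
SAMPLE_STP_LIST = """\
Port             Speed  Cost       Priority  Role         State       HelloTime  Flags
________________ ______ _________  _________ ___________  __________  _________  _______________
port51           -      200000000  128       DISABLED     DISCARDING  2          ED
port52           -      200000000  128       DISABLED     DISCARDING  2          ED
internal         1G     20000      128       DESIGNATED   FORWARDING  2          ED
4EPTF18004511-0  1G     1          128       ROOT         FORWARDING  2          EN
8EPTF19002841-0  1G     1          128       ALTERNATIVE  DISCARDING  2          EN
"""

# STP roles on which the article recommends enabling loop protection.
PROTECT_ROLES = {"ROOT", "ALTERNATIVE", "BACKUP"}


def parse_stp_list(text):
    """Return (port, role, state) tuples from the diagnose output, skipping headers."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the column header row and the underline row.
        if len(fields) < 8 or fields[0] == "Port" or fields[0].startswith("_"):
            continue
        rows.append((fields[0], fields[4], fields[5]))
    return rows


def ports_needing_loop_protection(text):
    """Ports that are root, alternate or backup in any listed instance (no duplicates).

    With MSTP the same port may appear under several instances with different roles;
    it is selected if it holds one of the protected roles in at least one of them.
    """
    selected = [port for port, role, _ in parse_stp_list(text) if role in PROTECT_ROLES]
    return list(dict.fromkeys(selected))


def loop_protection_commands(ports):
    """Build the CLI block that enables loop protection on each given port."""
    lines = ["config switch interface"]
    for port in ports:
        lines += [f"    edit {port}", "        set stp-loop-protection enabled", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(loop_protection_commands(ports_needing_loop_protection(SAMPLE_STP_LIST)))
```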
The loop protection feature is different from loop guard. Both prevent loops, but they use different methods.
To use loop protection, it is recommended to enable the feature on all root, alternate, and backup ports, because it is necessary to consider the different topologies that MSTP can calculate when there are multiple instances. For example, in one instance a port can be a root port, but in another it can be an alternate or backup port. Loop protection will then be applied on the alternate or backup port on a per-instance basis. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.