
Administration Guide


Loop guard

NOTE: This feature is different from STP loop protection.

A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops.

The loop guard feature is designed to work in concert with STP rather than as a replacement for STP. Each port that has loop guard enabled periodically broadcasts loop guard data packets (LGDP) to its network. If such a broadcast packet is subsequently received by the sending port, a loop exists downstream.

You can also have the port check for a high rate of MAC address moves per second, which indicates a physical loop only when the rate exceeds the threshold for 6 consecutive seconds.

NOTE: If a port detects a loop, the system takes the port out of service to protect the overall network. The port returns to service after a configured timeout duration. If the timeout value is zero, you must manually reset the port.

By default, loop guard is disabled on all ports. When loop guard is enabled, the default loop-guard-timeout is 45 minutes, and the default loop-guard-mac-move-threshold is 0, which means that the traditional loop guard is used instead of the MAC-move loop guard.

Configuring loop guard

Using the GUI:
  1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
  2. Select one or more interfaces to update and then select Edit.
    If you selected more than one port, the port names are displayed in the name field, separated by commas.
  3. Select Enable Loop Guard.
  4. Select OK to save your changes.
Using the CLI:

config switch interface
    edit port <number>
        set loop-guard <enabled | disabled>
        set loop-guard-timeout <0-120 minutes>
        set loop-guard-mac-move-threshold <0-100 MAC address moves per second>

When loop guard takes a port out of service, the system creates the following log message:

Loop Guard: loop detected on <port_name>. Shutting down <port_name>

Use the following command to reset a port that detected a loop:

execute loop-guard reset <port>
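The MAC-move detection rule, the timeout behaviour and the manual reset described above, as an added simulation (example code, not FortiSwitch firmware): it assumes one MAC-move count per second, a strictly-greater-than comparison against the configured threshold, and does not model the LGDP probe itself.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# From the page: the MAC-move rate must exceed the threshold for 6 consecutive seconds.
CONSECUTIVE_SECONDS = 6


@dataclass
class LoopGuardPort:
    """Model of one switch port with loop guard enabled (added example, not FortiSwitch code)."""
    name: str
    mac_move_threshold: int = 0       # default 0: traditional LGDP loop guard, MAC-move check off
    timeout_minutes: int = 45         # default 45; 0 means the port needs a manual reset
    streak: int = 0                   # consecutive seconds above the threshold (assumed counter)
    down: bool = False
    down_since: Optional[int] = None  # second at which the port was taken out of service
    log: List[str] = field(default_factory=list)

    def observe(self, second: int, mac_moves: int) -> bool:
        """Feed one second's MAC-move count; return True if the port is out of service."""
        if self.down:
            elapsed = second - self.down_since
            if self.timeout_minutes == 0 or elapsed < self.timeout_minutes * 60:
                return True           # still out of service (timeout 0 waits for reset())
            self.reset()              # timeout expired: back in service, keep evaluating
        if self.mac_move_threshold == 0:
            return False              # MAC-move detection disabled; LGDP probing not modelled
        # Assumed comparison: strictly greater than the configured threshold.
        self.streak = self.streak + 1 if mac_moves > self.mac_move_threshold else 0
        if self.streak >= CONSECUTIVE_SECONDS:
            self.down, self.down_since = True, second
            self.log.append(f"Loop Guard: loop detected on {self.name}. Shutting down {self.name}")
        return self.down

    def reset(self) -> None:
        """Equivalent of 'execute loop-guard reset <port>': return the port to service."""
        self.down, self.down_since, self.streak = False, None, 0


def run(port: LoopGuardPort, samples: List[int]) -> Optional[int]:
    """Replay constructed per-second MAC-move counts; return the second the port went down, else None."""
    for second, moves in enumerate(samples):
        port.observe(second, moves)
        if port.down_since == second:
            return second
    return None
```

A single quiet second resets the streak, so a short burst of MAC moves never trips the port; only a sustained excess does.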

Viewing the loop guard configuration

Using the GUI:

Go to Switch > Interface > Physical and check the Loop Guard column.

Using the CLI:

diagnose loop-guard status
