Loop Guard
📖 This is our second story about Ahmed!
If you missed the first one, catch up here 👉
🔗 https://www.itwithhossam.com/bpdu-guard-vs-bpdu-filter
👨‍💻 Today's story:
Ahmed is a network engineer trying to protect the company’s network from any rogue switch attacks.
His plan? Use the BPDU Filter on an edge port to block any unwanted BPDUs. But… something went wrong.
🔌 Ahmed intended to configure port Gig0/1 (which is connected to a user device),
but instead, he typed the command on the wrong port:
SW(config)# int gig0/11
SW(config-if)# spanning-tree bpdufilter enable
⚠️ The issue?
Gig0/11 is not an edge port — it’s a trunk port connected
to another switch’s blocked port.
🌀 Now here’s the danger:
The blocked port relies on receiving BPDUs regularly to stay
in the blocking state. If no BPDUs are received,
it assumes the path is clear and transitions to forwarding,
💥 causing a loop in the network!
💡 So when Ahmed mistakenly enabled BPDU Filter on the
trunk port, it stopped sending BPDUs…
And guess what? The blocked port on the other switch moved
to forwarding, creating a network loop 😱
🔧 The Solution?
Use Loop Guard on any blocked port to prevent this behavior:
SW(config)# int gig0/11
SW(config-if)# spanning-tree guard loop
✅ Loop Guard ensures that a port which stops receiving BPDUs stays blocked instead of moving to forwarding, effectively preventing loops in this kind of scenario.
🔁 Lesson of the day:
Always double-check the interface before applying BPDU Filter,
and consider enabling Loop Guard on your blocked ports for extra protection!

