Spanning-tree portfast help.

Jul 6th, 2010

I have spanning-tree portfast enabled across all (non-trunk) ports in our enterprise. In fact, using the auxiliary VLAN on ports (switchport voice vlan X) enables spanning-tree portfast on the port. I have also globally enabled spanning-tree portfast bpduguard default to mitigate the possibility of anyone plugging a smart switch into these ports and creating a loop.

Last Friday, someone in the conference rooms looped 2 ports by plugging a dumb switch (non-manageable) into 2 ports on the wall configured as edge ports (spanning-tree portfast), which created a loop, and the network almost dropped. Eventually one of the ports got disabled by spanning-tree portfast bpduguard, but for 2 to 3 minutes the network was in disarray.


How can I mitigate this from ever happening again? I thought portfast bpduguard default would do the trick, but it did not, or at least not rapidly enough to avoid network problems and user complaints. Do I have to disable spanning-tree portfast on all edge ports? I have VoIP phones on many of these ports. I've opened a case with Cisco, and basically what they told me is to disable spanning-tree portfast if I can, or they advised me to enable port-security, but that is another topic I don't want to pursue just yet.


Any help or solutions would be welcomed and very much appreciated.

Edison Ortiz Tue, 07/06/2010 - 13:26
Dumb switches do not send BPDUs, so BPDU Guard won't be useful. What we usually recommend is implementing port-security in addition to BPDU Guard. If you know the port limit is 2 MAC addresses, implement port-security with that limit. As soon as a 3rd device is learned via that switchport, it will go into err-disabled.

Regards,

Edison

amyskitchen Tue, 07/06/2010 - 14:00

Thanks for replying Edison,


Yes, dumb switches don't send BPDUs, but since the port is connected back to a second port on the manageable switch, wouldn't that send BPDUs?


port1:switcha<-----(dumb-switch)------>port2:switcha  where switch a is a 3750 with bpdu guard-default and portfast on both ports.



Imagine a situation where someone with a bit of knowledge maliciously takes a patch cord and plugs it from porta to portb (the patch cord might need to be a crossover). If there is no other solution but port-security, I will use it, or ultimately disable spanning-tree portfast across the enterprise.

Edison Ortiz Wed, 07/07/2010 - 13:35

I understand your concern but there isn't any other solution to this dilemma.


Another common practice is to disable unused ports.

Regards,

Edison
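As an added example, not configuration from the original thread, from Edison, or from Cisco: the measures the two replies above recommend (BPDU Guard plus port-security on edge ports, and unused ports shut down) combined on a Catalyst 3750, with the voice VLAN setup the original poster describes. The interface ranges, VLAN numbers, the recovery interval and the storm-control threshold are assumptions for illustration; the MAC limit of 2 (one phone plus one PC) follows the reply. The storm-control lines go beyond what the thread says: they bound the broadcast flood while a loop exists, which is what made the 2 to 3 minutes of "disarray" hurt.

```cisco
! ---- Global: applies to every port that is in PortFast ----
! Err-disable any PortFast port that receives a BPDU. This catches a managed
! switch, and also a loop through a dumb switch, because the switch's own
! BPDUs from port A come back in on port B.
spanning-tree portfast bpduguard default
!
! Let err-disabled ports recover on their own so each incident does not need
! a manual "shutdown / no shutdown". 300 seconds is an assumed value.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! ---- Edge ports: IP phone with a PC behind it (assumed range and VLANs) ----
interface range FastEthernet1/0/1 - 44
 description Edge port: IP phone + PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 ! PortFast and BPDU Guard set per port as well, so the port does not depend
 ! on the global default alone. Never add "spanning-tree bpdufilter enable"
 ! on these ports: it stops the port sending BPDUs, and BPDU Guard can then
 ! no longer see a loop through a dumb switch.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port-security: a dumb switch sends no BPDUs, but every host behind it is
 ! a MAC address. Two allows the phone plus one PC; a third MAC err-disables
 ! the port. If "show port-security address" shows the phone's MAC on the
 ! data VLAN as well as the voice VLAN, raise the maximum to 3.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ! Storm control limits broadcast traffic to 1% of port bandwidth (assumed
 ! threshold) and err-disables the port if it is exceeded, so the rest of
 ! the network stays usable until BPDU Guard or port-security acts.
 storm-control broadcast level 1.00
 storm-control action shutdown
!
! ---- Unused ports: shut down and parked in an unused VLAN (assumed 999) ----
interface range FastEthernet1/0/45 - 48
 description Unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown
```

To confirm the port is actually in the state this expects, check `show spanning-tree interface FastEthernet1/0/1 portfast` (it must say enabled, or BPDU Guard will not apply), `show spanning-tree summary` (the "Portfast BPDU Filter Default" line must be disabled), `show port-security interface FastEthernet1/0/1` and `show errdisable recovery`. After an incident, `show interfaces status err-disabled` lists which cause tripped, and the log carries `%SPANTREE-2-BLOCK_BPDUGUARD`, `%PORT_SECURITY-2-PSECURE_VIOLATION` or `%PM-4-ERR_DISABLE` with the port and the cause, which is the first thing to look at when one building reacts in seconds and another takes minutes.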

amyskitchen Thu, 07/08/2010 - 16:37

For the record:

I intentionally created a loop using a dumb switch, and also a direct connection from Fast 0/z to Fast 0/x, and BPDU Guard seems to have mitigated the issue right away. One of the ports gets err-disabled right away. I tried several times, all with the same results.

Now I wonder why, in our other building, it took at least 5 minutes before detecting the anomaly???

Does anyone have further ideas?
