07-06-2010 01:18 PM - edited 03-06-2019 11:55 AM
I have spanning-tree portfast enabled on all non-trunk ports in our enterprise. In fact, using the auxiliary VLAN on ports (switchport voice vlan X) enables spanning-tree on the port. I have also enabled spanning-tree portfast bpduguard default globally to mitigate the possibility of anyone plugging a smart switch into these ports and creating a loop.
Last Friday, someone in the conference rooms looped two ports by plugging a dumb switch (non-manageable) into two ports on the wall configured as edge ports (spanning-tree portfast), creating a loop, and the network almost dropped. Eventually one of the ports got disabled by spanning-tree portfast bpduguard, but for 2 to 3 minutes the network was in disarray.
How can I mitigate this from ever happening again? I thought portfast bpduguard default would do the trick, but it did not, or at least not rapidly enough to avoid network problems and user complaints. Do I have to disable spanning-tree portfast on all edge ports? I have VoIP phones on many of these ports. I've opened a case with Cisco, and basically what they told me is to disable spanning-tree portfast if I can, or they advised me to enable port-security, but that's another topic I don't want to pursue just yet.
Any help or solutions would be welcome and very much appreciated.
07-06-2010 01:26 PM
Dumb switches do not send BPDUs, so BPDU Guard won't be useful. What we usually recommend is implementing port-security in addition to BPDU Guard. If you know the port limit is 2 MAC addresses, implement port-security with that limit. As soon as a 3rd device is learned via that switchport, it will go into err-disabled.
Regards,
Edison
07-06-2010 02:00 PM
Thanks for replying Edison,
Yes, dumb switches don't send BPDUs, but since the port is connected back to a second port on the manageable switch, wouldn't that send BPDUs?
port1:switcha<-----(dumb-switch)------>port2:switcha, where switcha is a 3750 with bpduguard default and portfast on both ports.
Imagine a situation where someone with a bit of knowledge maliciously takes a patch cord and plugs it from port A to port B (the patch cord might need to be a crossover). If there is no other solution but port-security, I will do that, or ultimately disable spanning-tree portfast across the enterprise.
07-07-2010 01:35 PM
I understand your concern but there isn't any other solution to this dilemma.
Another common practice is to disable unused ports.
Regards,
Edison
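The two recommendations in this thread (port-security with a MAC limit on every portfast access port, and shutting down unused ports) are easy to state and easy to drift from across a fleet of 3750s. Below is an added example, not code from the original posts or from Cisco, that audits an IOS-style running-config for exactly those gaps. The sample configuration is constructed for the example; the rule that a port with a voice VLAN counts as an edge port follows the first post, and the heuristic that a non-trunk port with neither portfast nor a voice VLAN is "unused" is an assumption of this script. It also flags interface-level `spanning-tree bpdufilter enable`, because a port that filters BPDUs in both directions can never trip BPDU Guard.

```python
"""Audit a Cisco IOS running-config for access-port hardening gaps.

Added example for this thread (not from the original posts or Cisco).
Assumes 'show running-config' text; the sample below is constructed.
"""
import re

# Constructed sample: one hardened port, one portfast port without
# port-security, one unused port left up, one unused port shut,
# one port with bpdufilter, and a trunk (out of scope).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 description Conference room A - hardened
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 spanning-tree portfast
!
interface FastEthernet0/2
 description Conference room B - portfast, no port-security
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
!
interface FastEthernet0/3
 description Unused, still up
 switchport mode access
 switchport access vlan 999
!
interface FastEthernet0/4
 description Unused, shut
 switchport mode access
 shutdown
!
interface FastEthernet0/5
 description bpdufilter hides BPDUs from BPDU guard
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 description Uplink
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} per stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return interfaces


def has_global_bpduguard_default(config):
    """True if 'spanning-tree portfast bpduguard default' is configured."""
    return any(l.strip() == "spanning-tree portfast bpduguard default"
               for l in config.splitlines())


def audit(config, expected_max_macs=2):
    """Return {interface: [problems]} for non-trunk, non-shut ports.

    expected_max_macs=2 matches the thread's phone-plus-PC case.
    """
    findings = {}
    bpdu_default = has_global_bpduguard_default(config)
    for name, lines in parse_interfaces(config).items():
        s = set(lines)
        if "switchport mode trunk" in s or "shutdown" in s:
            continue  # trunks are out of scope; shut ports are safe
        problems = []
        # Assumption: a voice VLAN makes the port an edge port (per OP).
        is_edge = ("spanning-tree portfast" in s
                   or any(l.startswith("switchport voice vlan") for l in lines))
        if not is_edge:
            # Assumption: no portfast/voice VLAN means the port is unused.
            problems.append("not an edge port and not shut down (unused?)")
        else:
            if not bpdu_default and "spanning-tree bpduguard enable" not in s:
                problems.append("portfast without BPDU guard")
            if "spanning-tree bpdufilter enable" in s:
                problems.append("bpdufilter enable defeats BPDU guard")
            if "switchport port-security" not in s:
                problems.append("no port-security")
            else:
                maxes = [l for l in lines
                         if l.startswith("switchport port-security maximum ")]
                if not maxes:
                    problems.append("port-security maximum not set (default 1)")
                elif int(maxes[-1].split()[-1]) > expected_max_macs:
                    problems.append("port-security maximum exceeds %d"
                                    % expected_max_macs)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for intf, probs in sorted(audit(SAMPLE_CONFIG).items()):
        print(intf, "->", "; ".join(probs))
```

Run it against a real `show running-config` by reading the file into `audit()` instead of `SAMPLE_CONFIG`; on the constructed sample it reports FastEthernet0/2 (no port-security), FastEthernet0/3 (unused but not shut) and FastEthernet0/5 (bpdufilter), and is silent on the hardened and shut ports.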
07-08-2010 04:37 PM
For the record:
I intentionally created a loop using a dumb switch, and also a direct connection from fast 0/z to fast 0/x, and bpduguard seems to have mitigated the issue right away. One of the ports gets err-disabled right away. I tried several times, all with the same results.
Now I wonder why in our other building it took at least 5 minutes before detecting the anomaly. ???
Does anyone have further ideas?
07-08-2010 10:47 PM
Hi,
Did you try bpdu filter?
Regards,
V Dinesh Kumar