Switch port Loop causing high CPU and outage

Unanswered Question
Aug 12th, 2010

Our office experienced an outage the other day, and another network tech said it was caused by someone in the office connecting a hub into one of our access switch ports.  He said this caused a loop and both of our distribution switches, which are Cisco 6509s, went unreachable due to high CPU (100%).  He said the issue did not clear up until the hub was taken off the network.  The office is set up with multiple access switches, then two Cisco 6509s as distribution switches, and then 2 Cisco routers.  Is it possible that someone could plug in a hub and take down the entire network and office, putting both distribution switches at 100% CPU?

Jon Marshall Thu, 08/12/2010 - 17:22

Yes, it is absolutely possible. If the hub is connected to 2 switch ports it forms a L2 loop in your network, which can create havoc with your network. STP loops can quite easily bring any switch to its knees in a very short time.

BPDUGuard can be of help in these situations.

Jon

itninja2010 Thu, 08/12/2010 - 18:32

So it is possible for this loop to cause not only the access layer switch to become unreachable, but also the distribution layer switches to become unreachable?  Is enabling BPDUGuard on all the access layer switchports a way to prevent this from happening again?  What else could be configured to prevent this from sending the distribution switches to 100% CPU? Thanks.

Leo Laohoo Thu, 08/12/2010 - 19:06

Enable BPDU Guard on all access ports but NOT on your uplink/trunk ports.  You would also want to enable port security, particularly "switchport port-security maximum 1", to allow only one MAC address on the port.

FUNNY STORY:

So we had an entire building go down because some "brainiac" of a contractor plugged his home-grown hub into two active ports and caused a loop.  We tracked it down to his desk, so we sent three of my colleagues: one guy is small-built, but the other two are large 6-foot monsters.  The small guy, flanked by the two large people, walked up to the cubicle and said, "Soooo ... we tracked down that you have a hub or a switch.  Do you know that this is what is causing the network issue?"  We didn't know whether the poor bloke was paying attention to the small guy or the two others.  Needless to say, he got wiser.

Jon Marshall Fri, 08/13/2010 - 01:07

So it is possible for this loop to cause not only the access layer switch to become unreachable, but also the distribution layer switches to become unreachable?

Yes, it's possible. If your access-layer switches are connected to your distribution with L2 links, then it can very easily bring down the distribution switches as well. L2 loops in the network can send all switches up to 100% CPU. If your access-layer switches are connected via L3 uplinks, i.e. a routed access layer, then the L2 loop would be confined to the access layer.

As Leo says, BPDUGuard on the access switches and possibly port security as well.

Jon
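As an added example (not from any poster in this thread), here is a small Python audit that checks a Cisco IOS running-config for the two controls Leo and Jon recommend: BPDU Guard on access ports but not on uplinks/trunks, and port-security with a maximum of one MAC address. The interface names and the sample configuration are constructed for illustration; the IOS commands themselves (`spanning-tree bpduguard enable`, the global `spanning-tree portfast bpduguard default`, `switchport port-security maximum 1`) are real. It goes one step beyond the thread by also honouring the global `bpduguard default`, which only protects ports that have PortFast configured, so an access port without PortFast is still reported as unguarded.

```python
"""Audit an IOS-style config for loop protection on access ports.

Added example, not code from the thread. Interface names and the
sample configuration below are constructed; the commands are real IOS.
"""
import re
from typing import Dict, List

GLOBAL_BPDUGUARD_DEFAULT = "spanning-tree portfast bpduguard default"

# Constructed sample: one hardened access port, one unprotected access
# port, one access port relying on the global default, and a trunk that
# wrongly carries BPDU Guard.
SAMPLE_CONFIG = """
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 description user port - hardened
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user port - unprotected
 switchport mode access
!
interface GigabitEthernet1/0/3
 description user port - guarded via global default, loose port-security
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description uplink to distribution 6509
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [indented sub-commands]}.

    A line that is not indented ('!' or a global command) ends the
    current interface block.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def has_global_bpduguard_default(config: str) -> bool:
    """True if the global 'portfast bpduguard default' is configured."""
    return any(line.strip() == GLOBAL_BPDUGUARD_DEFAULT
               for line in config.splitlines())


def audit_interface(cmds: List[str], global_default: bool) -> List[str]:
    """Return a list of findings for one interface (empty = compliant)."""
    findings: List[str] = []
    is_trunk = "switchport mode trunk" in cmds
    explicit_guard = "spanning-tree bpduguard enable" in cmds
    # Global bpduguard default only applies to PortFast-enabled ports.
    portfast = any(c.startswith("spanning-tree portfast") and "disable" not in c
                   for c in cmds)
    guarded = explicit_guard or (global_default and portfast)

    if is_trunk:
        if guarded:
            findings.append("BPDU Guard on a trunk/uplink: the port will be "
                            "err-disabled when the neighbour switch sends a BPDU")
        return findings

    if not guarded:
        findings.append("access port without BPDU Guard")
    if "switchport port-security" not in cmds:
        findings.append("access port without port-security")
    for cmd in cmds:
        m = re.match(r"switchport port-security maximum (\d+)$", cmd)
        if m and int(m.group(1)) != 1:
            findings.append(f"port-security maximum {m.group(1)} "
                            "(one MAC address recommended)")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface in the config; returns {name: findings}."""
    global_default = has_global_bpduguard_default(config)
    return {name: audit_interface(cmds, global_default)
            for name, cmds in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run against the sample, the hardened port passes, the unprotected access port gets two findings, the port relying on the global default is reported only for its loose port-security maximum, and the trunk is flagged because BPDU Guard there would err-disable the uplink to the 6509s the first time they send a BPDU. Feed it the output of `show running-config` from a real access switch to get the same report for your own ports.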
