Switch port Loop causing high CPU and outage

itninja2010
Level 1

Our office experienced an outage the other day and another network tech said it was caused by someone in the office connecting a hub into one of our access switch ports. He said this caused a loop and both of our distribution switches, which are Cisco 6509s, went unreachable due to high CPU (100%). He said the issue did not clear up until the hub was taken off the network. The office is set up with multiple access switches, then two Cisco 6509s as distribution switches, and then two Cisco routers. Is it possible that someone could plug in a hub and take down the entire network and office, putting both distribution switches at 100% CPU?

4 Replies

Jon Marshall
Hall of Fame

Yes, it is absolutely possible. If the hub is connected to two switch ports it forms an L2 loop in your network, which can create havoc with your network. STP loops can quite easily bring any switch to its knees in a very short time.

BPDUGuard can be of help in these situations.

Jon

So it is possible for this loop to cause not only the access layer switch to become unreachable, but also the distribution layer switches to become unreachable? Is enabling BPDUGuard on all the access layer switchports a way to prevent this from happening again? What else could be configured to prevent this from sending the distribution switches to 100% CPU? Thanks.

Enable BPDU Guard on all access ports but NOT on your uplink/trunk ports. You would also like to enable port security, particularly "switchport port-security maximum 1", to allow only one MAC address on the port.

FUNNY STORY:

So we had an entire building go down because some "brainiac" of a contractor plugged his home-grown hub into two active ports and caused a loop. We tracked it down to his desk, so we sent three of my colleagues: one guy is small-built but the other two are large 6-foot monsters. The small guy, flanked by the two large people, walks up to the cubicle and says, "Soooo ... we tracked down that you have a hub or a switch. Do you know that this is what is causing the network issue?" We didn't know whether the poor bloke was paying attention to the small guy or the two others. Needless to say, he got wiser.

So it is possible for this loop to cause not only the access layer switch to become unreachable, but also the distribution layer switches to become unreachable?

Yes, it's possible. If your access-layer switches are connected to your distribution with L2 links then it can very easily bring down the distribution switches as well. L2 loops in the network can send all switches up to 100% CPU. If your access-layer switches are connected via L3 uplinks, i.e. a routed access layer, then the L2 loop would be confined to the access layer.

As Leo says, BPDUGuard on the access switches and possibly port security as well.

Jon
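The two controls the replies above recommend (BPDU Guard on access ports but not on uplinks, and port security with a maximum of one MAC) are easy to state and easy to miss on one port out of hundreds. The script below is an added example, not code from this thread or from Cisco: it parses interface stanzas out of a Cisco IOS running-config and flags access ports that lack either control, as well as trunk ports where BPDU Guard is active (which would err-disable the uplink the moment the distribution switch sends a BPDU). The two configs embedded in it are constructed samples; interface names, descriptions and VLAN numbers are made up for illustration. It also treats the global `spanning-tree portfast bpduguard default` as satisfying the check on ports that have PortFast enabled, since that is how IOS applies the global form.

```python
"""Audit a Cisco IOS running-config for loop protection on access ports.

Added example: checks each switchport for the controls discussed in the
thread (BPDU Guard on access ports, not on trunks; port security max 1).
"""
import re

BPDUGUARD_IF = "spanning-tree bpduguard enable"
BPDUGUARD_GLOBAL = "spanning-tree portfast bpduguard default"
PORTFAST_IF = ("spanning-tree portfast", "spanning-tree portfast trunk")
PORTSEC = "switchport port-security"
PORTSEC_MAX = re.compile(r"^switchport port-security maximum (\d+)$")

# Constructed sample: a user port with no protection and an uplink that
# wrongly has BPDU Guard enabled. Names/VLANs are made up.
WEAK_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/5
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 description uplink to dist-6509
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""

# Constructed sample: the same two ports with the recommended settings.
HARDENED_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/5
 description user port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description uplink to dist-6509
 switchport mode trunk
!
"""


def parse_config(config):
    """Return (global_commands, {interface: [commands]}).

    Indented lines belong to the most recent 'interface' stanza; a '!'
    separator or any non-indented line closes the stanza.
    """
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_cmds.add(raw.strip())
    return global_cmds, interfaces


def audit_interface(cmds, global_cmds):
    """Return a list of findings for one interface (empty if compliant)."""
    cmdset = set(cmds)
    findings = []
    is_trunk = "switchport mode trunk" in cmdset
    is_access = "switchport mode access" in cmdset
    portfast = any(p in cmdset for p in PORTFAST_IF)
    # BPDU Guard is in effect if set on the interface, or if the global
    # PortFast default is on and this is a PortFast port.
    guarded = BPDUGUARD_IF in cmdset or (BPDUGUARD_GLOBAL in global_cmds and portfast)
    if is_trunk and guarded:
        findings.append("BPDU Guard active on trunk/uplink: a BPDU from the "
                        "peer switch would err-disable this uplink")
    if is_access:
        if not guarded:
            findings.append(f"no BPDU Guard ('{BPDUGUARD_IF}'): a hub looped "
                            "back into this port is not blocked")
        if PORTSEC not in cmdset:
            findings.append(f"port security not enabled ('{PORTSEC}')")
        else:
            # IOS defaults the maximum to 1 and omits it from the config,
            # so only an explicit value other than 1 is a finding.
            for cmd in cmds:
                m = PORTSEC_MAX.match(cmd)
                if m and int(m.group(1)) != 1:
                    findings.append(f"port-security maximum is {m.group(1)}, expected 1")
    return findings


def audit(config):
    """Map interface name -> findings, for interfaces that have any."""
    global_cmds, interfaces = parse_config(config)
    return {name: f for name, cmds in interfaces.items()
            if (f := audit_interface(cmds, global_cmds))}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for name, findings in audit(cfg).items():
            for f in findings:
                print(f"{name}: {f}")
```

Run it against `show running-config` output saved to a file and feed the text to `audit()`; the weak sample produces two findings on the user port and one on the uplink, the hardened sample produces none. The trunk check is the caveat Leo's reply makes explicit: BPDU Guard belongs on edge ports only, because an uplink that receives BPDUs is behaving correctly.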
