Bridging loops - STP protection

Netnux
Level 1

Hello Everybody.

I have a question, maybe a simple "classical" case study, I'm sorry, but I cannot figure out how to come out of this.


I have a network where, if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches, and then plugs the two ends of the same cable into two ports of that mini-switch, the whole network goes down.


Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.

I know I could discourage the use of those mini-switches using port security.

I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by the management.

In those cases, it is not possible to know exactly which hosts (MAC addresses), or even how many of them, will attach to the network concurrently.
As far as I know, they could even chain many mini-switches one to another.


Of course, even when a single mini-switch is allowed on the network, it becomes a security hole.

Is there a way to allow the use of those devices without the risk of network outages?
Some STP protection method?


The best would be to have the Cisco access switch become aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.

We are using Cisco Catalyst 2950 and 2960 for our access layer.


Any help is very much appreciated.
Really, thank you for your help.


Giovanni

5 Replies

mvsheik123
Level 7

Hello,

Try enabling the 'spanning-tree portfast bpdu-guard' feature on the switch (global/interface). It should help.

Check the below link for more info...

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

hth

MS
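The configuration below is an added example and not part of MS's reply or Cisco's own documentation: it shows BPDU guard enabled globally on a Catalyst 2950/2960, with err-disable auto-recovery and syslog forwarding so the shutdown is visible to operators. The interface range, the syslog collector address and the recovery interval are assumptions; the feature is only applied to PortFast ports, so STP-speaking uplinks (which carry legitimate BPDUs) are not affected.

```cisco
! Added example (not from the thread): BPDU guard for access ports facing
! unmanaged mini-switches. Interface range, syslog host and timers are assumed.
!
! Global defaults: every access port becomes an edge (PortFast) port and
! BPDU guard is armed on it. A looped-back BPDU err-disables that port only.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: bring the port back automatically after 5 minutes instead of
! leaving it down until an operator does "shutdown" / "no shutdown".
! "loopback" is the keepalive-based cause mentioned for the uplinks.
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery interval 300
!
! Ship the %SPANTREE-2-BLOCK_BPDUGUARD / %PM-4-ERR_DISABLE messages to a
! syslog collector (placeholder address) so the event is not only local.
logging host 192.0.2.10
logging trap notifications
!
! Explicit per-port setting on the user-facing ports (overrides the global
! default; do NOT apply PortFast/BPDU guard to uplinks toward other switches).
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification commands:
!   show spanning-tree summary           (confirms BPDU Guard default state)
!   show interfaces status err-disabled  (lists disabled ports and the cause)
!   show errdisable recovery             (shows recovery causes and timer)
```

Note that BPDU guard only fires when the mini-switch actually returns a BPDU to the port; a plain traffic loop without a BPDU is still only visible indirectly (port utilisation, the loopback keepalive cause).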

Above all thank you for your reply.


I was thinking about bpdu-guard of course, among the "STP protection methods", but I had some doubts and felt unsure about it.

To enable bpduguard, I have to enable portfast on all the interfaces... but this could be also a good thing itself.


In this particular case, nothing advertises itself, and the only BPDUs from that interface I can think of are the "legitimate" BPDU messages that are looped back.
I will give it a try on a test network.

But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?


Let's say, on a stand alone, single switch.

Really thank you for your precious help.

Giovanni

Ciao Giovanni,

I back up MS's suggestion to enable BPDU guard; in your scenario it is the only feature which might help you. If a user connects such mini-switches and then PCs or other devices to them, the only BPDUs you are supposed to see on your switch are the ones looped back, which indicate a loop.

>>But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?

Well, an L2 loop after all is a never-ending flow of legitimate duplicated traffic. So it does not have any particular pattern or stamp which can be used as a marker. It is just your traffic flowing forever. There is no feature able to distinguish such duplicate traffic from legitimate traffic.

Riccardo

>>But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?

Port utilization/throughput will go through the roof on the port that has the loops attached to it.

Ciao Riccardo,

I thought there was no way other than bpduguard, but I was unsure, and felt unsafe.

So your support is very precious to me.

Many Many thanks (you and MS, of course)

Regarding loop detection, I just remembered that I had to disable "keepalives" on an interface going into err-disable state.

A quick refresh tells me you are right again. The keepalive is for checking the ethernet link...

Thank you all for your very kind and helpful support.

Giovanni
