01-21-2012 09:00 PM - edited 03-07-2019 04:29 AM
Hello Everybody.
I have a question, maybe a simple "classical" case study. I'm sorry, but I cannot figure out how to get out of this.
I have a network where, if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches, and then plugs the two ends of the same cable into two ports of that mini-switch, the whole network goes down.
Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.
I know I could discourage the use of those mini-switches using port security.
I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by the management.
In those cases, it is not possible to know exactly which hosts (MAC addresses), or even how many of them, will attach to the network concurrently.
As far as I know, they could even chain many mini-switches one to another.
Of course, when even a single mini-switch is allowed on the network, it opens a security hole.
Is there a way to allow the use of those devices without the risk of network outages?
Some STP protection method?
The best would be to have the Cisco access switch become aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
We are using Cisco Catalyst 2950 and 2960 for our access layer.
Any help is very appreciated.
Really thank you for your help.
Giovanni
01-21-2012 10:02 PM
Hello,
Try enabling the 'spanning-tree portfast bpdu-guard' feature on the switch (global/interface). It should help.
Check the below link for more info...
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
hth
MS
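A worked configuration for the approach MS describes, added here as an example and not taken from the thread or from Cisco documentation. The management-station address 192.0.2.10, the community string and the FastEthernet0/1 - 24 interface range are assumed placeholders.

```text
! Global defaults: every access port gets PortFast and, with it, BPDU guard.
! A BPDU arriving on such a port (for example the switch's own BPDU looped
! back through a mini-switch) puts the port into err-disabled state.
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Optional: re-enable the port automatically after 5 minutes, so a
! transient loop does not need a manual "shutdown / no shutdown".
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Explicit per-interface form for the user-facing range (assumed ports).
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Make the event visible: the err-disable produces a syslog message
! (%SPANTREE-2-BLOCK_BPDUGUARD) and the port going down raises a linkDown trap.
logging host 192.0.2.10
logging trap informational
snmp-server host 192.0.2.10 version 2c PLACEHOLDER-COMMUNITY
snmp-server enable traps snmp linkdown linkup
!
! Verification after a loop has been plugged in:
! show interfaces status err-disabled
! show errdisable recovery
! show spanning-tree summary
```

With the global defaults in place the per-interface lines are redundant; they are shown for the case where you want the feature only on a specific range.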
01-22-2012 01:48 AM
Ciao Giovanni,
I back up MS's suggestion to enable BPDU guard; in your scenario it is the only feature which might help you. If a user connects such mini-switches and then PCs or other devices to them, the only BPDUs you are supposed to see on your switch are the ones looped back, which indicate a loop.
>>But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?
Well, an L2 loop, after all, is a never-ending flow of legitimate duplicated traffic. So it does not have any particular pattern or stamp which can be used as a marker. It is just your traffic flowing forever. There is no feature able to distinguish such duplicate traffic from legitimate traffic.
Riccardo
01-21-2012 11:55 PM
Above all thank you for your reply.
I was thinking about bpdu-guard of course, among the "STP protection methods", but I had some doubts and felt unsure about it.
To enable bpduguard, I have to enable portfast on all the interfaces... but this could also be a good thing in itself.
In this particular case, nothing advertises itself, and the only BPDUs from that interface I can think of are the "legitimate" BPDU messages that are looped back.
I will give it a try on a test network.
But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?
Let's say, on a stand alone, single switch.
Really thank you for your precious help.
Giovanni
01-22-2012 07:15 AM
>>But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?
Port utilization/throughput will go through the roof on the port that has the loops attached to it.
01-22-2012 05:08 AM
Ciao Riccardo,
I thought there was no way other than bpduguard, but I was unsure, and felt unsafe.
So your support is very precious to me.
Many, many thanks (to you and MS, of course).
Regarding loop detection, I just remembered that I had to disable "keepalives" on an interface going into err-disable state.
A quick refresh tells me you are right again. The keepalive is for checking the ethernet link...
Thank you all for your very kind and helpful support.
Giovanni