Cisco Support Community
Community Member

Bridging loops - STP protection

Hello Everybody.

I have a question, maybe a simple "classical" case study, I'm sorry, but I cannot figure out how to come out of this.


I have a network where, if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches, and then plugs the two ends of the same cable into two ports of that mini-switch, the whole network goes down.


Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.

I know I could discourage the use of those mini-switches using port security.

I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by the management.

In those cases, it is not possible to know exactly which hosts (MAC addresses), or even how many of them, will attach to the network concurrently.
As far as I know, they could even chain many mini-switches one to another.


Of course, when even a single mini-switch is allowed on the network, it becomes a security hole.

Is there a way to allow the use of those devices without the risk of network outages?
Some STP protection method?


The best would be for the Cisco access switch to become aware of the loop on its affected switchport (where the mini-switch is attached), immediately shut down that port (to avoid loops on the network) and maybe send an SNMP trap or a syslog message.

We are using Cisco Catalyst 2950 and 2960 for our access layer.


Any help is very appreciated.
Really, thank you for your help.


Giovanni

2 ACCEPTED SOLUTIONS

Accepted Solutions

Bridging loops - STP protection

Hello,

Try enabling 'spanning-tree portfast bpdu-guard' feature on the switch (global/interface). it should help.

Check the below link for more info...

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

hth

MS

Cisco Employee

Bridging loops - STP protection

Ciao Giovanni,

I backup MS suggestion to enable BPDU guard; in your scenario it is the only feature which might help you. If a user connects such mini-switches and then PCs or other devices to them the only BPDUs you are supposed to see on your switch are the ones looped back which indicate a loop.

But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?

well, a L2 loop after all is a neverending flow of legitimate duplicated traffic. So it does not have any particular pattern or stamp which can be used as a marker. It is just your traffic flowing for ever. There is no feature able to distinguish such duplicate traffic from legitimate one.

Riccardo

5 REPLIES

Bridging loops - STP protection

Hello,

Try enabling the 'spanning-tree portfast bpdu-guard' feature on the switch (global/interface). It should help.

Check the below link for more info...

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

hth

MS
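What MS's advice looks like as a concrete Catalyst 2960 configuration, written as an added example for this thread and not taken from the original post or from Cisco's documentation; the interface ranges, the 192.0.2.10 management host, the community string and the `snmp-server enable traps errdisable` command are assumptions to verify against the IOS version actually running (check with `snmp-server enable traps ?`):

```cisco
! --- Global: BPDU guard on every PortFast (edge) port by default ---
spanning-tree portfast bpduguard default
!
! --- Edge ports where users (and their mini-switches) plug in ---
! Interface range is an assumption; adjust to the real access ports.
interface range FastEthernet0/1 - 24
 description USER EDGE PORT
 switchport mode access
 ! PortFast marks the port as an edge port (never on uplinks)
 spanning-tree portfast
 ! Explicit per-port BPDU guard, in case the global default is removed
 spanning-tree bpduguard enable
!
! --- Uplinks to other switches must keep normal STP behaviour ---
interface GigabitEthernet0/1
 description UPLINK TO DISTRIBUTION
 spanning-tree portfast disable
 spanning-tree bpduguard disable
!
! --- Optional: auto-recover the err-disabled port after 5 minutes ---
! Without this, the port stays down until "shutdown" / "no shutdown".
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Notifications: syslog and SNMP trap when a port is err-disabled ---
! 192.0.2.10 and the community string are placeholders.
logging trap informational
logging host 192.0.2.10
snmp-server host 192.0.2.10 version 2c COMMUNITY-PLACEHOLDER
snmp-server enable traps errdisable
!
! --- Verification (exec mode) ---
! show spanning-tree summary          -> "Portfast BPDU Guard Default is enabled"
! show interfaces status err-disabled -> lists ports disabled with reason "bpduguard"
! show errdisable recovery            -> confirms the recovery cause and timer
!
! When a looped BPDU comes back on an edge port, syslog shows messages like:
!   %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/5 with BPDU Guard enabled. Disabling port.
!   %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/5, putting Fa0/5 in err-disable state
```

Only the looped-back port goes down, so the uplinks and the rest of the access switch keep forwarding; the loop on the mini-switch still exists but is now isolated from the network.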

Community Member

Bridging loops - STP protection

Above all thank you for your reply.


I was thinking about bpdu-guard, of course, among the "STP protection methods", but I had some doubts and felt unsure about it.

To enable bpduguard, I have to enable portfast on all the interfaces... but this could also be a good thing in itself.


In this particular case, nothing advertised itself, and the only BPDUs from that interface I can think of are the "legitimate" BPDU messages that are looped back.
I will give it a try on a test network.

But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?


Let's say, on a stand-alone, single switch.

Really thank you for your precious help.

Giovanni

Cisco Employee

Bridging loops - STP protection

Ciao Giovanni,

I back up MS's suggestion to enable BPDU guard; in your scenario it is the only feature which might help you. If a user connects such mini-switches and then PCs or other devices to them, the only BPDUs you are supposed to see on your switch are the ones looped back, which indicate a loop.

>>But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?

Well, a L2 loop after all is a never-ending flow of legitimate duplicated traffic. So it does not have any particular pattern or stamp which can be used as a marker. It is just your traffic flowing forever. There is no feature able to distinguish such duplicate traffic from legitimate traffic.

Riccardo

Bridging loops - STP protection

>>But, isn't there a way to simply detect a loop on an interface regardless of STP? Keepalives?

Port utilization/throughput will go through the roof on the port that has the loops attached to it.

Community Member

Bridging loops - STP protection

Ciao Riccardo,

I thought there was no way other than bpduguard, but I was unsure, and felt unsafe.

So your support is very precious to me.

Many Many thanks (you and MS, of course)

Regarding loop detection, I just remembered that I had to disable "keepalives" on an interface going into err-disable state.

A quick refresh tells me you are right again. The keepalive is for checking the Ethernet link...

Thank you all for your very kind and helpful support.

Giovanni
