Broadcast storm prevention

cuellar52
Level 1

Hi,

I just wanted some advice. Last week, while our company was doing some refurbishment, a hired contractor came in and plugged one ethernet cable from one wall port directly into another wall port. This caused the end of the world till I managed to trace the issue. I just wanted to ask if anyone knew good prevention methods for storm control incidents.

The current setup was

4x 3750E poe switch stack for users workstations

That runs 2x dot1q trunks to the

2x distribution 3750G switches

then that runs to the

2x 6500 cores

Once the port was plugged into itself, this created a storm that, starting from the first 3750E PoE switch, bled up the uplinks to finally affect the 6500 cores, causing a halt to the entire system.

Standard configuration of a workstation port

interface GigabitEthernet1/0/1
 description *** WORKSTATION PORT ***
 switchport access vlan 40
 switchport mode access
 no logging event link-status
 mls qos cos override
 no snmp trap link-status
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
end

and configuration on all switches

spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id

Isn't 802.1w rapid spanning tree meant to prevent this issue? Or is portfast stuffing this up? My current solution would be to enable storm-control on all workstation interfaces:

storm-control broadcast level 20
storm-control action shutdown

Any other ideas on how this can be prevented?

any help would be great cheers

Eddy


6 Replies

Mohit Chauhan
Level 1

Hi Eddy,

"spanning-tree portfast bpduguard default" should ideally make all ports enabled with bpduguard, which basically means that if there is any BPDU detected on that port, it is shut down into "err-disable" status.

Those wall ports should be going to the access switches and I would double check those ports having bpdu guard enabled.

Also, it is good practice to keep unused ports in a bogus VLAN, and make sure this VLAN is shut down. I usually use VLAN999 for the same.

Hope the above helps.

Regards,

Mohit

cadet alain
VIP Alumni

Hi,

when BPDU filter  and BPDU guard are configured at the same time on a port then the BPDU filter takes precedence and so BPDU guard has no effect. You should only use BPDU guard by configuring it globally so it will be enabled on access ports and get rid of the BPDU filter.

Regards.

Alain

Don't forget to rate helpful posts.

cuellar52
Level 1

Hi Cadet Alain,

Thank you very much for the advice you have provided. I tried the setup you suggested in a lab and SUCCESS!

What I have done is

switch running-config is like this

spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id

and Interface is

interface GigabitEthernet1/0/1
 description *** WORKSTATION PORT ***
 switchport access vlan 40
 switchport mode access
 no logging event link-status
 mls qos cos override
 no snmp trap link-status
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root
end

I have removed the command spanning-tree bpduguard from the interface and have just left this feature enabled at a global scale. But I left spanning-tree bpdufilter on the interface. This worked in the test lab.

Would this setup be the ideal setup you were suggesting Cadet Alain?

Hi,

I would completely get rid of the BPDU filter feature and let the BPDU guard do the trick on access ports.

Regards.

Alain

Don't forget to rate helpful posts.

Eduardo

I agree with Alain, you need to be very careful with BPDUfilter as it will completely discard BPDUs and you will be vulnerable to a loop between two ports on a switch. I think that this is the fault condition that you described. Please see this post that discusses the same issue:

https://learningnetwork.cisco.com/thread/6604

I think that storm control at 20% and shutdown action could also be very useful. Perhaps make sure that you receive an alert if a port goes into errdisable.

Daniel
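As an added example (not code from the thread or from Cisco), here is a small Python audit that parses an IOS-style running-config and flags the two things the replies above point at: portfast access ports where "spanning-tree bpdufilter enable" silently defeats BPDU guard (per-port or via the global "portfast bpduguard default"), and ports with no broadcast storm-control. The sample config is constructed and contains the original port from the question next to a cleaned-up one.

```python
# Constructed sample running-config: Gi1/0/1 is the original port from the
# thread (bpdufilter + bpduguard), Gi1/0/2 is the cleaned-up version.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 storm-control broadcast level 20
 storm-control action shutdown
!
"""

def parse_config(text):
    """Split an IOS config into global lines and {interface: [lines]}."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None          # end of an interface block
        elif current is not None:
            interfaces[current].append(line)
        else:
            globals_.append(line)
    return globals_, interfaces

def audit_access_ports(text):
    """Return {interface: [findings]} for every portfast access port."""
    globals_, interfaces = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in globals_
    findings = {}
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines or "spanning-tree portfast" not in lines:
            continue
        issues = []
        has_filter = "spanning-tree bpdufilter enable" in lines
        has_guard = "spanning-tree bpduguard enable" in lines or guard_default
        if has_filter:   # filter wins over guard, so guard can never err-disable the port
            issues.append("bpdufilter enabled: BPDUs dropped, bpduguard cannot trigger")
        elif not has_guard:
            issues.append("no bpduguard (neither per-port nor global default)")
        if not any(l.startswith("storm-control broadcast level") for l in lines):
            issues.append("no broadcast storm-control")
        findings[name] = issues
    return findings
```

Run it against a real "show running-config" dump to list every workstation port that still carries the BPDU filter after the cleanup.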

cuellar52
Level 1

Brilliant!! Thanks for all your help everyone!

I will be disabling all BPDU filtering features on all my workstation access switches and I will be enabling BPDU guard globally, as this has worked fantastically in a lab.

If anyone is keen to tackle one last question, please help.

I noticed in my config that each workstation port has root guard enabled.

Standard configuration of a workstation port

interface GigabitEthernet1/0/1
 description *** WORKSTATION PORT ***
 switchport access vlan 40
 switchport mode access
 no logging event link-status
 mls qos cos override
 no snmp trap link-status
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
end

This is to prevent a switch with a higher priority coming into the network and taking the root bridge position. I wouldn't think this feature needs to be enabled on all workstation ports? After all, BPDU guard will err-disable any interface that gets any type of BPDU.

Wouldn't this feature be better suited to being enabled on the trunk port going up to the distribution switch from the access switch? Hence, just in case something did get past it, it would never get to the core root bridge?

Is this correct?
