
Commands for loop avoidance

k_bhavsar
Level 1

Hi All,

I have a little confusion about loop avoidance in the network.

I want to know which commands I should configure on switch ports for:

1. Core to distribution switch port - Fibre Uplink

2. Distribution to Access switch port - Fibre Uplink

3. Access to Access switch port - UTP Uplink

4. Access switch to Unmanaged switch port - UTP uplink

Please suggest which commands are suitable to configure for loop avoidance.

Thanks.


JohnTylerPearce
Level 7

This really depends on how the topology is laid out, and at what point L3 comes into play. Remember that Spanning Tree will create a loop-free path for frames to follow.

On ports connected to end users, I would configure portfast and bpduguard. This will err-disable a port that receives a BPDU.

I would manually configure the switch in your network that you want to be the root switch, by changing the priority.

On Fiber and Copper links, you can implement UDLD, which will send out an echo and expect a message in return, to verify bidirectional communication. You can configure this in one of two modes: Loose and Strict Mode. With Loose Mode, a syslog event is created (I recommend this to start out with), and with Strict Mode, the port will be shut down.

I would also configure RPVST+, also known as Rapid Spanning Tree. This includes built-in functionality for technologies such as uplinkfast, backbonefast, etc.

Hello John,

Nicely put down! Please allow me to make a couple of additional suggestions.

After extensive discussions with Leo Laohoo, running UDLD on copper ports is not useful, and if something goes wrong, it may actually be an unpleasant thing to debug and troubleshoot. Therefore, fully following Leo's professional opinion, I suggest running UDLD only on fiber ports. The only exception to this could be interconnections using TP ports on switches and TP/fiber converters along the line. Just to keep the proper terminology, the official names for UDLD modes are normal and aggressive mode.

Running Rapid STP is absolutely a must, and if mixed vendor environment is to be used, then MSTP would be my preferred choice. With RSTP, it is absolutely crucial to define ports towards end stations as edge ports, either directly on the ports using the spanning-tree portfast command, or in the global configuration using the spanning-tree portfast default command (for this global command to have effect, all ports towards end stations must be configured as access ports).

Protecting the edge ports with BPDU Guard is another sensible precaution. I personally recommend using global configuration:

spanning-tree portfast default

spanning-tree portfast bpduguard default

that will make sure that all ports that operate as edge ports (and those will be the access ports thanks to the first command) are also protected by BPDU Guard.

Additionally, I suggest running LoopGuard in global configuration mode:

spanning-tree loopguard default

If Layer2 EtherChannels are being used, avoid the static "on" mode at all costs, and instead, use LACP or PAgP to negotiate their establishment, i.e. either channel-group n mode active for LACP, or channel-group n mode desirable for PAgP.

My two cents...

Best regards,

Peter
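
The settings suggested in the reply above can be checked mechanically. The following Python audit is an added example, not part of the original thread or any Cisco tool; the sample configuration is constructed, and the function names `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample configuration for illustration (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast default
interface GigabitEthernet0/2
 description user port, switchport mode left at default
interface GigabitEthernet0/23
 switchport mode trunk
 channel-group 1 mode on
interface GigabitEthernet0/24
 switchport mode trunk
 channel-group 1 mode active
"""

REQUIRED_GLOBALS = ("spanning-tree portfast default",
                    "spanning-tree portfast bpduguard default",
                    "spanning-tree loopguard default")

def parse(config):
    """Return (global_lines, {interface_name: [sub-command lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif raw[0].isspace() and current is not None:
            current.append(line)          # indented line belongs to the interface
        else:
            current = None                # back at global configuration level
            global_lines.append(line)
    return global_lines, interfaces

def audit(config):
    """List deviations from the settings recommended in the reply above."""
    global_lines, interfaces = parse(config)
    findings = []
    if not any(re.fullmatch(r"spanning-tree mode (rapid-pvst|mst)", g) for g in global_lines):
        findings.append("global: STP mode is not rapid-pvst or mst")
    findings += [f"global: missing '{c}'" for c in REQUIRED_GLOBALS if c not in global_lines]
    for name, lines in interfaces.items():
        if any(re.fullmatch(r"channel-group \d+ mode on", l) for l in lines):
            findings.append(f"{name}: static EtherChannel 'on' mode, use LACP or PAgP")
        if not any(l.startswith("switchport mode ") for l in lines):
            findings.append(f"{name}: no explicit switchport mode, global PortFast needs access mode")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the PVST mode, the two missing global guards, the port without an explicit mode, and the static EtherChannel member.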

I do know that third-party vendors support RSTP, but if it were me, I would implement MST.

Hi Peter

Thanks for your valuable suggestion.

We have a few non-Cisco unmanaged switches connected to our network. On Cisco switches, which commands are preferable for loop avoidance?

Thanks

Krunal

Hello Krunal,

On Cisco switches, which commands are preferable for loop avoidance?

Most of the commands mentioned above.

spanning-tree mode rapid-pvst

spanning-tree portfast default

spanning-tree portfast bpduguard default

spanning-tree loopguard default

Best regards,

Peter

Hi Peter

My Cisco switch gi0/4 is connected to a non-Cisco unmanaged switch. On port gi0/4, which command do I have to configure to avoid flapping/loop?

Krunal, just make sure if you run the 'spanning-tree portfast default' command, that no ports to other switches have portfast. You don't want to configure ports going to other switches as portfast, unless you want L2 loops to form.

'spanning-tree portfast bpduguard default' will put bpduguard on all ports configured with portfast.

John,

Umm, a good observation. While the spanning-tree portfast default command applies only to access ports, Krunal has mentioned that he has a bunch of unmanaged switches. That changes the situation dramatically - using RSTP is not recommended because he would have to configure all links towards unmanaged switches as shared, and because the unmanaged switches do not support VLANs, ports towards them will be configured as access ports and the global PortFast will apply to them - again something that is not recommended.

So I take my original recommendation back. The recommended configuration in this setup is to run PVST with no additional protections, so to put the configuration back:

spanning-tree mode pvst

no spanning-tree portfast default

no spanning-tree portfast bpduguard default

no spanning-tree loopguard default

The BPDU Guard and Loop Guard in this network are not particularly usable because of the shared segments formed by the unmanaged switches.

Best regards,

Peter

Peter, I've seen all kinds of weird situations pop up, where there is a switch connected to another switch that no one knows about. It ends up being some old 1900 that was put in an office to just connect two users way back in the day, and no one bothered to take it out once network jacks were installed.

Thanks Peter and John for your comments.
