New Member

rate-limit BPDU

hi all,

is there a possibility on 2960 or 3560 to limit the number of BPDUs? for example to 100/s. Because when a network loop occurs the switch is bombarded with BPDUs and the switch has to process all of them by CPU.

thanks a lot

1 ACCEPTED SOLUTION

Accepted Solutions

Re: rate-limit BPDU

To go back to your original question, you say that "when network loop occur the switch is bombarded with BPDUs". As far as I know, that does not happen. Even if the fake switch forwards the BPDUs, the Cisco switch does not. The BPDUs are strictly switchport to switchport (or more correctly bridgeport to bridgeport), and therefore cannot loop in the way you might think.

I find it much more likely that what is hitting your switch is looping broadcast frames. But you say that you have bpduguard, so that should have protected you. OK, you may get a storm for a couple of seconds, but the first BPDU that hits the access port should shut down that access port and cut the loop. So what is actually going on?

Well, I can think of two possible explanations. One is that bpduguard is not actually configured on the access port. The other is that bpdufilter is. If you want the protection that bpduguard gives you, you should never, never enable bpdufilter. In fact, you should never configure bpdufilter except in very rare corner cases; enabling bpdufilter is just not safe networking.

I have just one small doubt, and perhaps a switching expert can help me out on this one. If you configure storm control, can the storm control drop BPDUs as well? IMHO it shouldn't, but can someone confirm that?

There is one other corner case to consider. On these ports where they connected the fake switch, did you have port security configured? That can lead to unexpected trouble too, like blackholing MAC addresses that have nothing to do with this switch.

Kevin Dorrell

Luxembourg

6 REPLIES
Gold

Re: rate-limit BPDU

Hello,

greetings, almost a fellow countryman

I am not sure if BPDUs can be limited, but if you are facing loop issues you can turn on some features like

BPDU guard (BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops)

http://cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swstpopt.html#wp1095752

Loop guard

http://cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swstpopt.html#wp1059167

Storm control can be helpful as well

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1085982

M.

New Member

Re: rate-limit BPDU

Hello,

hi, almost a fellow countryman :)

i have bpduguard, storm-control, udld turned on..

but... if someone plugs another dumb switch into my cisco switch and makes a loop in that dumb switch... cisco is bombarded with BPDUs, UDLDs and so on. i have tried storm-control for both multicast and broadcast, i even tried to use a mac access list to block BPDU and UDLD ethernet frames, but it does not work. when the loop occurs the switch is not responding, i guess it is due to processing of every single BPDU in the CPU :(

Gold

Re: rate-limit BPDU

To prevent plugging a fake switch into your network you can enable port security

switchport port-security maximum 1

so only one host can be connected to the port of your switch

Or to be more complex deploy 802.1x or NAC solution

M.

Re: rate-limit BPDU

Hi,

I'm not aware if it can be done. However, you can prevent the loop by configuring the primary and secondary/backup root bridge; there are other features also that can protect your setup. Check this link http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml

Regards,

Dandy


New Member

Re: rate-limit BPDU

Yes, your answer solved my problem. Thank you very much. Enabling bpduguard and disabling bpdufilter works fine even if someone connects a dumb switch to that port and connects one cable with both ends to that dumb switch. BPDUguard will shut down the port within 10 seconds, while the switch is still responding.

my problem was that i had bpdufilter and UDLD enabled. I hoped that UDLD would shut down the port.. (yes, UDLD will shut down the port, but it takes a lot of time and makes the switch not responding)

thank you very much... Matus
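The thread's outcome is a configuration-review rule: an edge port with `spanning-tree bpdufilter enable` never acts on incoming BPDUs, so bpduguard on that same port can never err-disable it when a dumb switch loops, and the fix is bpduguard on (explicitly or via the global `spanning-tree portfast bpduguard default`) with bpdufilter off. The audit script below is an added example, not code from the thread or from Cisco; it parses an IOS-style running config (the sample config, interface names and finding codes are constructed for this example) and flags edge ports that have bpdufilter enabled, lack effective bpduguard, or lack storm-control, which is the check Kevin's answer suggests running against the access ports before a loop happens.

```python
"""Audit a Cisco IOS-style running config for edge-port loop protection.

Constructed example: the config text, interface names and finding codes are
made up for this illustration and are not from the thread or from Cisco.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample config. Gi0/1 is the configuration the thread ended up
# with; Gi0/2 reproduces the original poster's mistake (bpdufilter enabled
# alongside UDLD); Gi0/3 has bpduguard explicitly disabled; Gi0/24 is a trunk.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 udld port aggressive
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

DESCRIPTIONS = {
    "BPDUFILTER": "bpdufilter enabled: port ignores BPDUs, so bpduguard can never fire",
    "NO_BPDUGUARD": "no effective bpduguard on an edge port",
    "NO_STORM_CONTROL": "no storm-control on an edge port",
}


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any command in this stanza starts with the given text."""
        return any(line.startswith(prefix) for line in self.lines)


def parse_config(text: str) -> tuple[list[str], dict[str, Interface]]:
    """Split an IOS config into global commands and per-interface stanzas.

    Interface sub-commands are indented by one space; a line containing only
    '!' or a blank line ends the current stanza.
    """
    globals_: list[str] = []
    interfaces: dict[str, Interface] = {}
    current: Interface | None = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current.lines.append(stripped)
            continue
        match = re.match(r"interface\s+(\S+)", stripped)
        if match:
            current = Interface(match.group(1))
            interfaces[current.name] = current
        else:
            current = None
            globals_.append(stripped)
    return globals_, interfaces


def audit(text: str) -> dict[str, list[str]]:
    """Return finding codes per edge port (access ports or ports with portfast)."""
    globals_, interfaces = parse_config(text)
    # The global default enables bpduguard on every PortFast port unless the
    # port overrides it with 'spanning-tree bpduguard disable'.
    guard_by_default = "spanning-tree portfast bpduguard default" in globals_
    report: dict[str, list[str]] = {}
    for intf in interfaces.values():
        if not (intf.has("switchport mode access") or intf.has("spanning-tree portfast")):
            continue  # trunks and routed ports are out of scope for this check
        findings: list[str] = []
        if intf.has("spanning-tree bpdufilter enable"):
            findings.append("BPDUFILTER")
        guard = intf.has("spanning-tree bpduguard enable") or (
            guard_by_default
            and intf.has("spanning-tree portfast")
            and not intf.has("spanning-tree bpduguard disable")
        )
        if not guard:
            findings.append("NO_BPDUGUARD")
        if not intf.has("storm-control"):
            findings.append("NO_STORM_CONTROL")
        report[intf.name] = findings
    return report


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_CONFIG).items():
        status = "ok" if not codes else "; ".join(DESCRIPTIONS[c] for c in codes)
        print(f"{name}: {status}")
```

Run it against the output of `show running-config` saved to a file instead of `SAMPLE_CONFIG` to review a real switch. The check deliberately treats the global `spanning-tree portfast bpduguard default` as satisfying the bpduguard requirement only for ports that actually have portfast, since the global default applies to PortFast-enabled ports.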
