Solved: rate-limit BPDU

matus.petrulak · ‎02-04-2008

hi all,

is there a posibility on 2960 or 3560 to limit number od BPDUs? for example to 100/s. Because when network loop occur the switch is bombarded with BPDUs and the swich has to process all of them by CPU.

thanks a lot

Kevin Dorrell · ‎02-04-2008

To go back to your original question, you say that "when network loop occur the switch is bombarded with BPDUs". As far as I know, that does not happen. Even if the fake switch forwards the BPDUs, the Cisco switch does not. The BPDUs are strictly switchport to switchport (or more correctly bridgeport to bridgeport), and therefore cannot loop in the way you might think.

I find it much more likely that what is hitting your switch is looping broadcast frames. But you say that you have bpduguard, so that should have protected you. OK, you may gat a storm for a couple of seconds, but the first BPDU that hits the access port should shut down that access port and cut the loop. So what is actually going on?

Well, I can think of two possible explanations. One is that bdpuguard is not actually configured on the access port. The other is that bpdufilter is. If you want the protection that bpduguard gives you, you should never never enable bdpufilter. In fact, you should never configure bpdufilter except in very rare corner cases; enabling bpdufilter is just not safe networking.

I have just one small doubt, and perhaps a switching expert can help me out on this one. If you configure storm control, can the storm control drop BPDUs as well. IMHO it shouldn't, but can someone confirm that?

There is one other corner case to consider. On these ports where they connected the fake switch, did you have port security configured? That can lead to unexpected trouble too, like blackholing MAC addresses that have nothing to do with this switch.

Kevin Dorrell

Luxembourg

View solution in original post

m.sir · ‎02-04-2008

Hello,

zdravim skoro krajana

Iam not sure if BPDUs can be limited , but if you are facing loop issues you can turn on some features like

BPDU guard (BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops)

http://cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swstpopt.html#wp1095752

Loop guard

http://cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swstpopt.html#wp1059167

Storm control can be helpful as well

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1085982

M.

matus.petrulak · ‎02-04-2008

Hello,

ahoj skoro krajan :)

i have bdpduguard, storm-control, udld, turned on..

but... if someone plug in my cisco switch another dumb switch and makes a loop in that dumb switch... cisco is bombarded with BPDU's, UDLD's and so on. i have tried storm-control for both multicast and broadcast, i even tried to use mac access list and to block BPDU and UDLD ethernet frames, but it does not work. when loop occurs the switch is not responding, i guess it is due to processing of every single BPDU in CPU :(

m.sir · ‎02-04-2008

To prevent pluging fake switch into your network you can enable port security

switchport port-security maximum 1

so only one host can be connected to the port of your switch

Or to be more complex deploy 802.1x or NAC solution

M.

Danilo Dy · ‎02-04-2008

Hi,

I'm not aware if it can be done. However, you can prevent the loop by configuring the primary and secondary/backup root bridge, there are other feature also that can protect your setup. Check this link http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml

Regards,

Dandy

Kevin Dorrell · ‎02-04-2008

To go back to your original question, you say that "when network loop occur the switch is bombarded with BPDUs". As far as I know, that does not happen. Even if the fake switch forwards the BPDUs, the Cisco switch does not. The BPDUs are strictly switchport to switchport (or more correctly bridgeport to bridgeport), and therefore cannot loop in the way you might think.

I find it much more likely that what is hitting your switch is looping broadcast frames. But you say that you have bpduguard, so that should have protected you. OK, you may gat a storm for a couple of seconds, but the first BPDU that hits the access port should shut down that access port and cut the loop. So what is actually going on?

Well, I can think of two possible explanations. One is that bdpuguard is not actually configured on the access port. The other is that bpdufilter is. If you want the protection that bpduguard gives you, you should never never enable bdpufilter. In fact, you should never configure bpdufilter except in very rare corner cases; enabling bpdufilter is just not safe networking.

I have just one small doubt, and perhaps a switching expert can help me out on this one. If you configure storm control, can the storm control drop BPDUs as well. IMHO it shouldn't, but can someone confirm that?

There is one other corner case to consider. On these ports where they connected the fake switch, did you have port security configured? That can lead to unexpected trouble too, like blackholing MAC addresses that have nothing to do with this switch.

Kevin Dorrell

Luxembourg

matus.petrulak · ‎02-04-2008

Yes, your answer solved my problem. Thank you very much. Enabling bgpduguard and disabling bpdufilter works fine even if someone connects dumb switch to that port and connect one cable with both ends to that dumb switch. BPDUguard will shutdown the port within 10 seconds, while the switch is still responding.

my problem was, that i had bpdufilter and UDLD enabled. I hoped that UDLD would shutdown the port..(yes, UDLD will shutdown the port, but it takes a lot of time and makes the switch not responding)

thank you very much... Matus