Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
909
Views
5
Helpful
5
Replies

Nexus 5000 and network loops

JACQUES DU PLESSIS
Level 1
Level 1

‎08-26-2015 11:31 AM - edited ‎03-01-2019 08:00 AM

Hi Guys, we recently had a contractor installing a VM (on vmware) with ESXi connected to redundant 5000/2000 pairs. They configured multiple NICs and the software they installed bridged the NICs. This caused absolute havoc on the 5000s. It did log messages about loops detected and that MAC learning is being disabled for I think 180 seconds. I have rarely seen loops causing this much chaos. Our 4500s for example does slow down with loops, but not to the point of nothing working.

So my question is if there is any way of making the 5000s react better when something like this happens? I know that they should not have been able to configure the VM like that in the first place, but unfortunately that is just the way things end up sometimes.

Jacques

 

 

 

Labels:
0 Helpful
5 Replies 5

aukhadiev
Level 1
Level 1

‎08-27-2015 07:00 AM

Hi, 

after a similar case we decided to disable bpdufilter on fex interfaces...

(http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/operations/interfaces/602_n1_1/N5K_Interfaces_Ops_Guide/n5k_ops_gde_fabricextenders.html)

...even despite the fact that this solution has its disadvantages

(http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2017193)

0 Helpful

Steve Fuller
Level 9
Level 9
In response to aukhadiev

‎08-27-2015 07:38 AM

We saw a similar issue which took down a whole vSphere cluster. When the VM sent the BPDU and the physical switch port was disabled by BPDU guard, the VM obviously went off air. VMware Fault Tolerance then very kindly moved the VM to another node of the cluster, and the process repeated again until we lost all the nodes in the cluster.

Note now though that VMware have added a feature to block BPDU from guests. See the VMware KB Understanding the BPDU Filter feature in vSphere 5.1 (2047822) for details.

Regards

0 Helpful

aukhadiev
Level 1
Level 1
In response to Steve Fuller

‎08-27-2015 08:03 AM

Hi, steve-fuller

Bpdufilter feature is prevent BPDU-based denial-of-service attack, but it's not prevent bridging-induced forwarding loops, in my opinion...

Please look article "DEAR VMWARE, BPDU FILTER != BPDU GUARD" by Ivan Pepelnjak:

http://blog.ipspace.net/2012/09/dear-vmware-bpdu-filter-bpdu-guard.html

p.s. sorry my English level does not allow me to enter into a detailed discussion...

Steve Fuller
Level 9
Level 9
In response to aukhadiev

‎08-27-2015 08:42 AM

Hi aukhadiev,

Your English is perfectly fine : )

I agree that the BPDU filter “fix” implemented by VMware doesn’t prevent forwarding loops in the scenario that Ivan describes, and that BPDU guard on the VM facing ports of the vSwitch would be the best approach.

Thanks for the link.

Regards

0 Helpful

aukhadiev
Level 1
Level 1
In response to Steve Fuller

‎08-27-2015 08:57 AM

> Your English is perfectly fine : )

...to my great regret, not my English is fine... Google Translator is fine :)

...btw, thanks for rating...

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card