Access layer - Loop prevention

fescribanoc
Level 1

Looking for some advice on what would be the best approach to prevent physical loops at the access layer.

Our existing design is quite simple: it consists of several switches acting as layer 2 (around 6-7), all of them connected to one switch through single-interface trunk ports. This switch is connected to a firewall, which is the gateway for all the VLANs defined, and these VLANs are extended to all the switches. From a physical point of view we do not have loops.

We are running per-VLAN RSTP, and access ports are configured as portfast with storm-control protection. No BPDU guard is enabled.

   storm-control broadcast level bps 10m
   storm-control multicast level bps 10m

From time to time we have situations where physical loops are created on access ports because users physically connect two of them through the wall ports, or physically connect two access ports in the rack.

This normally does not generate enough broadcast traffic on the access ports to trigger storm-control, so we are thinking about decreasing the threshold level, but we are also trying to figure out whether there is a better approach. Another option, for example, would be to limit the number of MAC addresses allowed on the access ports through port security.

Any suggestions will be welcome.

Thanks

Accepted Solution
Hello,

So spanning tree does a pretty good job of preventing loops by blocking ports that create the loop and unblocking when the loop is removed. You're running RSTP, so the transition between port states should be faster.

Something you could do is apply the 'spanning-tree portfast' command on all access switch ports (those connecting to end devices such as PCs, printers, etc.) and then enable BPDU guard globally:

spanning-tree portfast edge bpduguard default

This enables BPDU guard on all portfast ports, and if one of them receives a BPDU from a switch it shuts down.

Use that along with Root Guard on every port of your root bridge to keep another switch from taking over as root:

Switch(config-if)#spanning-tree guard root

Hope that helps

-David


8 Replies

Are you configuring any BPDU filter on the switch in global mode?

BPDU filter will prevent the portfast port from sending BPDUs, and the other port in the same switch won't detect the loop, since it does not receive any BPDU, and that is where the loop starts.
Disable BPDU filter and see the result.
No need to change the storm-control config.


Hello

@fescribanoc wrote:

we have situations where physical loops are created on access ports due to users physically connecting two of them through the wallports or by physically connecting the two access ports in the rack.

On all access ports apply port security and tie them down to a minimum of two entries per port; I would also suggest applying portfast/bpduguard at the interface level.
Example:

spanning-tree loopguard default
interface x/x
switchport host
switchport mode access                          <-- puts the port into an administrative mode of access
switchport access vlan x
switchport voice vlan xx                        <-- if applicable
switchport nonegotiate                          <-- disables DTP (dynamic trunking)
switchport port-security                        <-- port security enabled
switchport port-security maximum 2              <-- allows a maximum of two static/dynamically learned MAC addresses
switchport port-security aging time 10          <-- aging period of 10 minutes of port inactivity
switchport port-security aging type inactivity  <-- when the aging period is reached, learned MAC addresses are flushed from the port
no logging event link-status                    <-- stops the logging buffer/syslog from reporting link status up/down
udld port aggressive                            <-- enables aggressive UDLD (unidirectional link detection) on copper
no snmp trap link-status                        <-- disables SNMP link status up/down traps to SNMP managers
no mdix auto                                    <-- optional: disables auto-MDIX for inserted cross-over cabling
storm-control broadcast level xx.00             <-- storm control for broadcast traffic as a % of link bandwidth
storm-control multicast level xx.00             <-- storm control for multicast traffic as a % of link bandwidth
spanning-tree portfast                          <-- does not go through the STP listening/learning states; transitions straight to forwarding
spanning-tree bpduguard enable                  <-- protects the edge port from receiving switch BPDUs; portfast is not required when applied at the interface

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
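To turn the two recommendations above (BPDU guard armed globally with `spanning-tree portfast edge bpduguard default`, and the per-interface template with port security and storm control) into something you can check across a fleet, here is an added audit script of my own; it is not from the thread or from Cisco. It parses an IOS-style running-config and reports, for every access port, which of the loop-prevention controls is missing or, in the case of BPDU filter, actively harmful. The config text is constructed for the example, and the interface names and the finding codes are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config for the example (not from the thread).
# Gi1/0/1 follows the hardened template, Gi1/0/2 relies only on the global
# BPDU guard default, and Gi1/0/3 has BPDU filter, which hides loops from STP.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge bpduguard default
!
interface GigabitEthernet1/0/1
 description user wallport
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description user wallport
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description printer
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
!
"""

# Global command that arms BPDU guard on every operationally portfast port
# ('portfast edge' is the form used on newer IOS-XE, 'portfast' on older IOS).
GLOBAL_BPDUGUARD = re.compile(r"spanning-tree portfast( edge)? bpduguard default")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global commands and per-interface commands."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' closes the current section
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_access_ports(text: str) -> Dict[str, List[str]]:
    """Return, per access port, the loop-prevention controls that are missing."""
    global_lines, interfaces = parse_config(text)
    global_guard = any(GLOBAL_BPDUGUARD.fullmatch(g) for g in global_lines)
    report: Dict[str, List[str]] = {}
    for name, cmds in interfaces.items():
        if not ("switchport mode access" in cmds or "switchport host" in cmds):
            continue                # trunks/uplinks are not edge ports
        findings: List[str] = []
        portfast = "switchport host" in cmds or any(
            c.startswith("spanning-tree portfast") and not c.endswith("disable")
            for c in cmds)
        if not portfast:
            findings.append("no-portfast")
        guarded = "spanning-tree bpduguard enable" in cmds or (
            global_guard and portfast and "spanning-tree bpduguard disable" not in cmds)
        if not guarded:
            findings.append("no-bpduguard")
        if "spanning-tree bpdufilter enable" in cmds:
            # The port neither sends nor acts on BPDUs, so a cable between two
            # such ports is invisible to STP and BPDU guard can never fire.
            findings.append("bpdufilter")
        if "switchport port-security" not in cmds:
            findings.append("no-port-security")
        if not any(c.startswith("storm-control broadcast") for c in cmds):
            findings.append("no-storm-control")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, gaps in audit_access_ports(SAMPLE_CONFIG).items():
        print(f"{port}: {'OK' if not gaps else ', '.join(gaps)}")
```

Run against a `show running-config` capture, the script flags Gi1/0/2 for missing port security and storm control (its BPDU guard is satisfied by the global default), and flags Gi1/0/3 for BPDU filter on top of those two. The trunk uplink is skipped on purpose: edge-port hardening such as BPDU guard must not be applied to inter-switch links.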

fescribanoc
Level 1

Thank you all for your feedback, really appreciated.

@MHM Cisco World no, we are not applying BPDU filter.

@David Ruess the problem normally happens on access ports configured with portfast, so no BPDUs are received when both ports are interconnected; hence we think BPDU guard won't make any difference. Am I right?

@paul driver port security and limiting the number of MAC addresses learned is our main alternative now; there is another challenge here related to some scenarios where the number of MAC addresses to be allowed is difficult to estimate.

Hello

@fescribanoc wrote:

, there is another challenge here related with some scenarios where the number of MAC addresses to be allowed is difficult to estimate

What devices do you have that require multiple MAC addresses to be assigned to an access port?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

Great question @fescribanoc.

Portfast just means the port will start forwarding traffic immediately when a device is plugged in. However, it still participates in STP. So when a BPDU is received it will go through the normal STP modes of listening/learning and finally forwarding, possibly causing a loop and/or blocking.

BPDU Guard protects against that and err-disables the port, requiring admin intervention (or you could configure the err-disable recovery feature to re-enable it by itself after a period of time).

That being said, if you leave it to admin intervention it would give you (or the network admin) a chance to educate the user on why that's bad practice. I'm sure you already have, but users always need constant updates and reminders (don't we all).

Hope that helps

-David
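David's point above (a portfast port still participates in STP and sends BPDUs, and BPDU guard err-disables it when one comes back) and MHM's earlier point (BPDU filter is what actually hides a loop) can be put side by side in a small model. The following Python is an added example of mine, not code from the thread or from Cisco: a simplified model of two edge ports on the same switch being patched together under three policies, assuming the first hellos from both ports cross before either side reacts. The port names, port IDs and policy labels are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class EdgePort:
    """Simplified model of one edge (portfast) port on a switch."""
    name: str
    port_id: int                 # STP port identifier; the higher one loses a tie
    bpduguard: bool = False
    bpdufilter: bool = False
    state: str = "forwarding"    # portfast: forwarding as soon as the link is up

    def transmits_bpdus(self) -> bool:
        # Portfast skips listening/learning but does not stop hello BPDUs;
        # only BPDU filter (or an err-disabled port) silences the port.
        return not self.bpdufilter and self.state != "err-disabled"

    def processes_bpdus(self) -> bool:
        # Interface-level BPDU filter also discards received BPDUs.
        return not self.bpdufilter and self.state != "err-disabled"


def patch_together(a: EdgePort, b: EdgePort) -> Tuple[str, str, bool]:
    """Model a user cable joining two edge ports of the same switch.

    Model assumption: both ports emit their first hello before either has
    acted on the other's. Returns (state of a, state of b, loop survives).
    """
    senders = [p for p in (a, b) if p.transmits_bpdus()]
    saw_own_bpdu: List[EdgePort] = []
    for sender, receiver in ((a, b), (b, a)):
        if sender not in senders or not receiver.processes_bpdus():
            continue
        if receiver.bpduguard:
            receiver.state = "err-disabled"   # BPDU guard shuts the port
        else:
            saw_own_bpdu.append(receiver)     # STP sees its own bridge ID
    if len(saw_own_bpdu) == 2:
        # No guard: STP drops the portfast status, runs the normal state
        # machine, and because both BPDUs carry the same bridge ID the port
        # with the higher port ID ends up blocking.
        loser = max(saw_own_bpdu, key=lambda p: p.port_id)
        loser.state = "blocking"
    loop = a.state == "forwarding" and b.state == "forwarding"
    return a.state, b.state, loop


# Policy labels are constructed for the example.
POLICIES = {
    "portfast-only": {},
    "bpduguard": {"bpduguard": True},
    "bpdufilter": {"bpdufilter": True},
}


def run_scenario(policy: str) -> Tuple[str, str, bool]:
    """Patch two identically configured edge ports together under one policy."""
    flags = POLICIES[policy]
    a = EdgePort("Gi1/0/5", port_id=5, **flags)   # constructed names and IDs
    b = EdgePort("Gi1/0/6", port_id=6, **flags)
    return patch_together(a, b)


if __name__ == "__main__":
    for policy in POLICIES:
        state_a, state_b, loop = run_scenario(policy)
        print(f"{policy:14} {state_a:13} {state_b:13} loop survives: {loop}")
```

The three outcomes line up with the thread: with portfast alone STP still hears its own BPDU and blocks one side (after the listening/learning delay David describes), with BPDU guard both ports go err-disabled and stay that way until an admin or err-disable recovery clears them, and with BPDU filter nothing is ever heard, so the loop survives and storm control becomes the only remaining backstop, which is why MHM asked to have the filter removed.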

fescribanoc
Level 1

@David Ruess thanks for your input again. I was under the wrong assumption that the portfast configuration was preventing the ports from sending out BPDUs; we will have that tested in our lab, hopefully that will do the trick.

@fescribanoc there are two kinds of loop:
temporary and permanent.
The permanent one is what destroys your network.
You mention connecting a rack to two ports? Do you mean a rack of servers connected to two ports in the switch?
Are the server ports configured with a port channel?
