
HOW TO AVOID LAYER 2 SWITCHES GOING DOWN WHEN TWO PORTS ARE TIED TOGETHER

We have a platform of Layer 2 switches, and frequently some user makes a wrong connection and ties together two ports of the same switch, which produces a loop, and the whole platform goes down.

All the ports are configured as access and we do not know what command to apply to avoid this problem.

What command do you recommend?

  1. spanning-tree guard
  2. spanning-tree bpduguard enable
  3. spanning-tree bpdufilter enable
  4. or what others?

Awaiting your prompt answer.

Attn.

Roger Majo


I would use bpduguard (it will place the port in err-disabled state if another switch is connected to it).

There are two ways of doing this. One way is, as you have mentioned, to issue the spanning-tree bpduguard enable interface command. The second way is to configure all access ports with spanning-tree portfast and then, in global configuration mode, issue the spanning-tree portfast bpduguard default command (this will enable bpduguard globally for all access ports).

Also, I would configure all ports that are not to connect to other switches as access ports (as it seems you have already done), and also shut down all unused ports and place them in an unused VLAN.

--
Please remember to select a correct answer and rate helpful posts

Hi,

The second option is enough to solve this problem. As Marius explained, if any BPDU is received with BPDU guard enabled, the port will go to the err-disabled state. You can also configure port security to restrict maximum MAC learning on each port, and you can configure the automatic err-disable recovery option as well.

Please rate if helpful.

BR,

shehin

Dear Shehin,

I want to explain a real problem that caused all the switches in a company to go down:

A user connected (by mistake) an IP phone (Nortel) to different ports of the same switch, generating a loop.

An IP phone is a small switch with three ports.

Using the commands spanning-tree bpduguard, bpdufilter or guard, are we sure that in case this problem occurs again the port of the switch will be error-disabled?

Thanking you for your prompt answer.

Attn.

Roger Majo

Hi Roger,

I know this issue; I have faced it a couple of times at my last client. With Nortel phones, ports get err-disabled because of a BPDU received on that port, but it was only a rare case. Keep the config under the ports. But moving the phone within the same switch, I don't think it will create a loop; it might be that it will take time to flush out the MAC in the CAM table.

BR,

shehin.pm

Hi Shehin,

The Nortel IP phone has two LAN ports: one for a PC (connected to the IP phone) and the second for the network connection.

The user by mistake connected both LAN ports to the same switch using different ports.

This creates a problem of MAC address flapping, and the whole Layer 2 platform of switches goes down.

All the ports of the switch are configured in access mode, and the user can connect either a workstation (PC) or an IP phone (Nortel) with a workstation connected to the IP phone.

Suppose we connect a Cisco IP phone to a LAN port of a switch and we configure on that port the option spanning-tree bpduguard enable. What will be the result: will the port detect the BPDU message sent by the Cisco IP phone and block the port, or ignore it?

Does the Cisco IP phone (which is a switch with two LAN ports) send BPDU messages through its LAN port?

Thanking you in advance for your answer.

Attn.

Roger Majo

Dear Marius,

I want to explain a real problem that caused all the switches in a company to go down:

A user connected (by mistake) an IP phone (Nortel) to different ports of the same switch, generating a loop.

An IP phone is a small switch with three ports.

Using the commands spanning-tree bpduguard, bpdufilter or guard, are we sure that in case this problem occurs again the port of the switch will be error-disabled?

Thanking you for your prompt answer.

Attn.

Roger Majo

If the three ports on the IP phone act as a normal switch, then yes, the port should be placed in err-disabled state. However, as I have never dealt with phones that also function as a switch, I am a little uncertain about this. I don't suppose you have the possibility of testing this before implementing it in a live environment?

Also, bpdufilter will not place the port in err-disabled state; this command is quite dangerous, as it just ignores any BPDU received on that interface. Root Guard, or guard as you say, only protects the location of the root bridge; it will not help in preventing loops.

I suggest using bpduguard.

However, it is still a best practice to configure all unused ports as access ports, issue the shutdown command on the ports, and place them in an unused VLAN.

--
Please remember to select a correct answer and rate helpful posts
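
An added example, not written by any poster in this thread: a small Python audit that reads a saved running-config and lists active access ports that have no BPDU guard (neither the interface command nor portfast combined with the global default) or that have bpdufilter enabled. The sample config is constructed, and the script assumes the exact command spellings quoted in the replies above.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport mode access
 spanning-tree bpduguard enable
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
interface FastEthernet0/5
 switchport mode access
 shutdown
"""

def audit_access_ports(config):
    """Return {interface: [findings]} for active access ports at risk of loops."""
    lines = [l.rstrip() for l in config.splitlines()]
    global_guard = "spanning-tree portfast bpduguard default" in lines
    blocks, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:                                   # start of an interface block
            current = blocks.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())           # indented sub-command
        else:
            current = None                      # back at global level
    findings = {}
    for name, cfg in blocks.items():
        if "switchport mode access" not in cfg or "shutdown" in cfg:
            continue                            # only active access ports
        issues = []
        # The global default only applies to ports that have portfast.
        if not ("spanning-tree bpduguard enable" in cfg
                or (global_guard and "spanning-tree portfast" in cfg)):
            issues.append("no bpduguard")
        if "spanning-tree bpdufilter enable" in cfg:
            issues.append("bpdufilter enabled")  # received BPDUs are ignored
        if issues:
            findings[name] = issues
    return findings
```

On the constructed sample, FastEthernet0/2 is reported because it has neither form of BPDU guard, and FastEthernet0/4 because bpdufilter is enabled on it.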