Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2440
Views
3
Helpful
8
Replies

How to prevent loop in this scenario

Difan Zhao
Level 5
Level 5

‎12-16-2010 12:26 PM - edited ‎03-06-2019 02:34 PM

Hi experts,

I recently run into an issue that somebody mistakenly interconnected two devices which are connected on two separate ports on the same switch. The devices are a  VOIP phone and an IPTV STB. They all have the 2nd port and sombody had the ports connected together and formed a loop.

I think the reason for the loop is that the either the phone or the STB discarded the BPDU packets received from one port so it can't be forwarded and received by another switch port to prevent the loop. The config on the switches only had spanning-tree portfast enabled but not bpdufilter or bpduguard. The port for the STB is configured to access the same VLAN as the Voice VLAN (however the access vlan set on the port for the phone is a different VLAN). The SPT is MST.


Anyway I can't control the behavior of either the phone or the STB. I was trying to find a way to prevent this from happening again. I found loopguard. However I don't think it can help me in my case since it's for preventing loops caused by unidirectional links and should only be enabled on non-desinated ports (while the two ports in my case are both designated ports for end devices).

However we do sometimes sell HP switches and they have similar thing called loop protection. It simply sends out a packet and if the packet is received on another port on the same switch then it shuts down the port...

"Loop Protection serves by transmitting loop protocol packets outward  from the ports on which it is enabled. Should a switch receive a  loop-protocol packet back on a port for which you have set the action to  “send-disable, then the port will be shut down."

Does Cisco has a similar feature??

Thanks!

Labels:
0 Helpful
8 Replies 8

cadet alain
VIP Alumni
VIP Alumni

‎12-16-2010 01:00 PM

Hi,

Does Cisco has a similar feature??

yes it is called keepalive (loopback frames) but  I read it is disabled by default on uplink ports and trunk ports

and I don't know if it's available for interface speed > 100Mbps.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Difan Zhao
Level 5
Level 5
In response to cadet alain

‎12-16-2010 02:14 PM

no I think it's for testing the physical connectivity. I think it's by default turned on and it sends it every 10 seconds. I saw it through Wireshark..

thanks for the response!

0 Helpful

AJ Cruz
Level 3
Level 3

‎12-16-2010 01:01 PM

why can't you put bpduguard on the switch?

0 Helpful

Difan Zhao
Level 5
Level 5
In response to AJ Cruz

‎12-16-2010 02:16 PM

I'm doing it now however in my case it won't help because BPDUs are all filtered by the phone or the STB so there won't be BPDU received so the two ports will stay up. Even without a bpduguard and even with portfast enabled the port will still be able to block itself if it sees BPDU packets.

Thanks,

0 Helpful

JoeKeegan3
Level 1
Level 1

‎12-16-2010 01:51 PM

I don't think Cisco has a feature to send out a frame and shutdown an interface it receives that frame above and beyond bpduguard, but if your device that is causing a loop discards BPDUs, which I have seen, then the remaining option is to use port security.

You setup port security to put a port in an error-disable state if it learns more then a few MAC addresses. In the case of a loop, many MACs will show up on a single port and it will shutdown that port.

So normally you set the port security to allow somewhere between 3 - 10 MACs, depending on your policy (if you allow phones, mini-switches, etc) and dynamically age out the MACs after a few minutes. There are some caveats about moving a host from one port to another so you need to understand all that stuff.

Hope this helps,

Joe

Difan Zhao
Level 5
Level 5
In response to JoeKeegan3

‎12-16-2010 02:17 PM

This makes sense to me. I will do more research on it. Thanks!

0 Helpful

sljwampa
Level 1
Level 1
In response to Difan Zhao

‎12-16-2010 04:10 PM

First I try not to use spanning-tree portfast in my enviroment.  Seems to work fine with phones.  Even with spanning tree and bpdu guard we get loops when devices that don't have spanning tree or bpdu get looped.  There doesn't appear to be a good solution expect port security or a NAC but they can cause more management headaches.

0 Helpful

Difan Zhao
Level 5
Level 5
In response to sljwampa

‎12-16-2010 04:19 PM

Without portfast it takes too long to bring up a port and phones (Telematrix 9600, cheap ones full of bugs, no fancy Cisco IP phones) sometimes can't get IP address and will not work...

I do have radius server onsite and it authenticates MAC addresses of the phones so rogue phones can't get on the Voice VLAN but I guess the problem is not about security...

Yes I think Cisco should develop a feature similar to what HP has. I like their logic very much, simple and clear:

Sends out a packet. If received on another port, then there is a loop so shut down the port!!!

I will bring this up with our Cisco Sale Engineer and see if he can request this feature in future IOS release.

Thanks!

0 Helpful
Customers Also Viewed These Support Documents