12-16-2010 12:26 PM - edited 03-06-2019 02:34 PM
Hi experts,
I recently ran into an issue where somebody mistakenly interconnected two devices which are connected on two separate ports on the same switch. The devices are a VOIP phone and an IPTV STB. They both have a 2nd port, and somebody had the ports connected together and formed a loop.
I think the reason for the loop is that either the phone or the STB discarded the BPDU packets received from one port, so they can't be forwarded and received by another switch port to prevent the loop. The config on the switches only had spanning-tree portfast enabled but not bpdufilter or bpduguard. The port for the STB is configured to access the same VLAN as the Voice VLAN (however, the access VLAN set on the port for the phone is a different VLAN). The STP is MST.
Anyway, I can't control the behavior of either the phone or the STB. I was trying to find a way to prevent this from happening again. I found loopguard. However, I don't think it can help me in my case since it's for preventing loops caused by unidirectional links and should only be enabled on non-designated ports (while the two ports in my case are both designated ports for end devices).
However, we do sometimes sell HP switches and they have a similar thing called loop protection. It simply sends out a packet, and if the packet is received on another port on the same switch then it shuts down the port...
"Loop Protection serves by transmitting loop protocol packets outward from the ports on which it is enabled. Should a switch receive a loop-protocol packet back on a port for which you have set the action to “send-disable”, then the port will be shut down."
Does Cisco have a similar feature??
Thanks!
12-16-2010 01:00 PM
Hi,
Does Cisco have a similar feature??
Yes, it is called keepalive (loopback frames), but I read it is disabled by default on uplink ports and trunk ports,
and I don't know if it's available for interface speed > 100Mbps.
Regards.
Alain.
12-16-2010 02:14 PM
No, I think it's for testing the physical connectivity. I think it's turned on by default and it sends one every 10 seconds. I saw it through Wireshark..
thanks for the response!
12-16-2010 01:01 PM
why can't you put bpduguard on the switch?
12-16-2010 02:16 PM
I'm doing it now; however, in my case it won't help, because BPDUs are all filtered by the phone or the STB, so no BPDU will be received and the two ports will stay up. Even without bpduguard, and even with portfast enabled, the port will still be able to block itself if it sees BPDU packets.
Thanks,
12-16-2010 01:51 PM
I don't think Cisco has a feature to send out a frame and shutdown an interface it receives that frame above and beyond bpduguard, but if your device that is causing a loop discards BPDUs, which I have seen, then the remaining option is to use port security.
You set up port security to put a port in an error-disable state if it learns more than a few MAC addresses. In the case of a loop, many MACs will show up on a single port and it will shut down that port.
So normally you set the port security to allow somewhere between 3 - 10 MACs, depending on your policy (if you allow phones, mini-switches, etc) and dynamically age out the MACs after a few minutes. There are some caveats about moving a host from one port to another so you need to understand all that stuff.
Hope this helps,
Joe
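As an added illustration of Joe's port-security suggestion (example configuration written for this edit, not posted by anyone in the thread): the interface names, the VLAN numbers, the MAC limit of 5 and the 5-minute inactivity aging are assumptions to be adjusted to local policy. The first block is the "portfast only" state the original poster described; the second adds bpduguard plus port security.

```text
! Added example, not from any post in this thread.
! Assumed: Gi1/0/10 hosts the phone (data VLAN 10, voice VLAN 100),
! Gi1/0/11 hosts the STB on the same VLAN as voice (100).
!
! --- Before: portfast only. A loop through a device that drops BPDUs is
! --- never detected, because the switch never receives a BPDU on the port.
interface GigabitEthernet1/0/10
 description VoIP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
!
! --- After: keep portfast, add bpduguard (catches looped devices that DO
! --- forward BPDUs) and port security (catches the ones that do not: in a
! --- loop, source MACs of every host in the VLAN are learned on the looped
! --- port, the limit is exceeded and the port is err-disabled).
interface GigabitEthernet1/0/10
 description VoIP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security aging time 5
!
interface GigabitEthernet1/0/11
 description IPTV STB
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security aging time 5
!
! Let err-disabled ports come back by themselves once the loop is removed;
! otherwise someone has to do shutdown / no shutdown on the port by hand.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

The maximum of 5 leaves room for the phone plus a PC behind it (two MACs on one port) with a margin, while a loop pulls in far more than that within seconds. Inactivity aging is what keeps the caveat Joe mentions manageable: a host moved from one port to another stops counting against the old port after 5 minutes instead of staying pinned there. Check the result with `show port-security interface GigabitEthernet1/0/11` (the SecureAddress count and the violation counter) and `show errdisable recovery`.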
12-16-2010 02:17 PM
This makes sense to me. I will do more research on it. Thanks!
12-16-2010 04:10 PM
First, I try not to use spanning-tree portfast in my environment. Seems to work fine with phones. Even with spanning tree and bpdu guard we get loops when devices that don't have spanning tree or bpdu get looped. There doesn't appear to be a good solution except port security or a NAC, but they can cause more management headaches.
12-16-2010 04:19 PM
Without portfast it takes too long to bring up a port and phones (Telematrix 9600, cheap ones full of bugs, no fancy Cisco IP phones) sometimes can't get IP address and will not work...
I do have a RADIUS server onsite and it authenticates MAC addresses of the phones so rogue phones can't get on the Voice VLAN, but I guess the problem is not about security...
Yes I think Cisco should develop a feature similar to what HP has. I like their logic very much, simple and clear:
Sends out a packet. If received on another port, then there is a loop so shut down the port!!!
I will bring this up with our Cisco Sales Engineer and see if he can request this feature in a future IOS release.
Thanks!