How to prevent loop in this scenario

Difan Zhao
Level 5

Hi experts,

I recently ran into an issue where somebody mistakenly interconnected two devices which are connected to two separate ports on the same switch. The devices are a VOIP phone and an IPTV STB. They both have a 2nd port, and somebody had the ports connected together and formed a loop.

I think the reason for the loop is that either the phone or the STB discarded the BPDU packets received on one port, so they couldn't be forwarded and received by the other switch port to prevent the loop. The config on the switches only had spanning-tree portfast enabled but not bpdufilter or bpduguard. The port for the STB is configured to access the same VLAN as the Voice VLAN (however, the access VLAN set on the port for the phone is a different VLAN). The STP mode is MST.


Anyway, I can't control the behavior of either the phone or the STB. I was trying to find a way to prevent this from happening again. I found loopguard. However, I don't think it can help me in my case, since it's for preventing loops caused by unidirectional links and should only be enabled on non-designated ports (while the two ports in my case are both designated ports for end devices).

However, we do sometimes sell HP switches and they have a similar thing called loop protection. It simply sends out a packet, and if the packet is received on another port on the same switch then it shuts down the port...

"Loop Protection serves by transmitting loop protocol packets outward from the ports on which it is enabled. Should a switch receive a loop-protocol packet back on a port for which you have set the action to “send-disable”, then the port will be shut down."

Does Cisco have a similar feature??

Thanks!

8 Replies

cadet alain
VIP Alumni

Hi,

Does Cisco have a similar feature??

Yes, it is called keepalive (loopback frames), but I read it is disabled by default on uplink ports and trunk ports,

and I don't know if it's available for interface speeds > 100Mbps.

Regards.

Alain.

Don't forget to rate helpful posts.

No, I think it's for testing the physical connectivity. I think it's turned on by default and it sends one every 10 seconds. I saw it through Wireshark..

Thanks for the response!

AJ Cruz
Level 3

Why can't you put bpduguard on the switch?

I'm doing it now; however, in my case it won't help, because BPDUs are all filtered by the phone or the STB, so no BPDU will be received and the two ports will stay up. Even without bpduguard and even with portfast enabled, the port will still be able to block itself if it sees BPDU packets.

Thanks,

JoeKeegan3
Level 1

I don't think Cisco has a feature to send out a frame and shut down an interface when it receives that frame, above and beyond bpduguard, but if your device that is causing a loop discards BPDUs, which I have seen, then the remaining option is to use port security.

You set up port security to put a port in an error-disable state if it learns more than a few MAC addresses. In the case of a loop, many MACs will show up on a single port and it will shut down that port.

So normally you set the port security to allow somewhere between 3 - 10 MACs, depending on your policy (if you allow phones, mini-switches, etc.), and dynamically age out the MACs after a few minutes. There are some caveats about moving a host from one port to another, so you need to understand all that stuff.

Hope this helps,

Joe
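What Joe describes, as an added IOS configuration example that is not from this thread or from Cisco documentation; the interface name, VLAN numbers, MAC limit and timers are assumptions you would adjust to your own policy:

```cisco
! Assumed access port carrying an IPTV STB on the data VLAN and a phone on the voice VLAN.
interface GigabitEthernet1/0/10
 description STB on data VLAN, phone on voice VLAN (assumed port)
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 ! Port security: an accidental loop floods this port with MACs from the
 ! whole VLAN, so the learned count quickly exceeds the limit and the port
 ! is err-disabled even though the STB/phone never forwarded a BPDU.
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation shutdown
 ! Age dynamically learned MACs after 5 minutes of inactivity so that a
 ! host moved to another port does not stay counted here.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! Keep portfast for fast phone/STB bring-up; bpduguard still protects
 ! against devices that do forward BPDUs.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Recover the port automatically after 5 minutes instead of leaving it
! err-disabled until someone runs "shutdown" / "no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify with `show port-security interface GigabitEthernet1/0/10` (current and maximum MAC count, last violation source) and `show errdisable recovery`; a looped port shows a MAC count at the limit and a SecurityViolation counter that increments.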

This makes sense to me. I will do more research on it. Thanks!

First, I try not to use spanning-tree portfast in my environment. Seems to work fine with phones. Even with spanning tree and bpdu guard we get loops when devices that don't have spanning tree or bpdu get looped. There doesn't appear to be a good solution except port security or a NAC, but they can cause more management headaches.

Without portfast it takes too long to bring up a port, and phones (Telematrix 9600, cheap ones full of bugs, no fancy Cisco IP phones) sometimes can't get an IP address and will not work...

I do have a RADIUS server onsite and it authenticates the MAC addresses of the phones, so rogue phones can't get on the Voice VLAN, but I guess the problem is not about security...

Yes I think Cisco should develop a feature similar to what HP has. I like their logic very much, simple and clear:

Send out a packet. If it is received on another port, then there is a loop, so shut down the port!!!

I will bring this up with our Cisco Sales Engineer and see if he can request this feature in a future IOS release.

Thanks!