Layer 2 Loop Concern in Network Topology

elkabeermg · ‎12-20-2024

Hello Cisco Community,

I am seeking your expertise regarding a potential Layer 2 loop in my network. Below is a summary of the situation:

Topology Overview:

As described in the image, i have 3 switches UPS one connected to SW177 ,SW180 with access ports [vlan 177, vlan 180], and i enable bpdufilter on both SW177 and SW180 to isolate STP calculations between 2 networks
some times i face mac address flapping on UPS switch, i don't have access to SW177 and SW180

Questions:

Based on the provided topology, is it possible for a loop to occur?
If yes, how can I effectively mitigate this using best practices like Spanning Tree Protocol (STP) or any other relevant technology?
Are there specific configurations you would recommend for Cisco switches to prevent or resolve this issue?

Additional Info:

I am using Cisco switches with the following details:
- UPS SW cat9200 - ios 17
- SW177 and SW180 cat2960 ios 12.3

MHM Cisco World · ‎12-20-2024

What is STP mode in each SW

And sure you will face issue since you enable bpdufilter

MHM

elkabeermg · ‎12-20-2024

UPS --> Rapid STP
SW177 and SW180 --> i don't have access
you can say that we have 2 networks network 1 edge UPS SW and network 2 edge SW177 and SW188

MHM Cisco World · ‎12-20-2024

How you isolate two network??

since you connect UPS to two SW that also interconnect then sure there is loop.

Indeed we use bpdufilter to isolate two STP domain but that Work only if there is one link connect two domain' here as I mention it two so idea of isolated doamin can not apply.

Remove bpdufilter and share show spanning tree of UPS

MHM

elkabeermg · ‎12-20-2024

we think the if we connect UPS sw to the other 2 switches with different access port [vlan177,vlan180] it may avoid loop
what is you opinion to connect UPS SW to one if the 2 other switches with trunk port and use trunk allow vlan 177 and 180 and enable stp and configure root bridge for vlan 177 and 180 in the network that contain 2 switches

MHM Cisco World · ‎12-20-2024

Access port not solution.

You can connect UPS to one SW via trunk and allow both vlan

Here you will get one link and yoh can use bdpufilter.

MHM

elkabeermg · ‎12-20-2024

ok i will apply and feedback you

balaji.bandi · ‎12-20-2024

If the requirement is Layer 2, you are expected to see the STP Loop that is expected according to your diagram.

in that case, the suggestion is as follows:

1. UPS_SW is your main switch then make sure that acts as always root bridge for all the VLAN

2. To avoid confusion, Only allow the required VLAN in the trunk rather than all 4K VLANs.

3. where is your Layer 3 SVI for that VLAN (I hope it's all in UPS_SW?) - then the root is the best place.

I've included the document below to help you understand how that works and what remediation is available for you to take action.

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol-stp-8021d/218321-configure-stp-with-loop-guard-and-bpdu-s.html

suggest Peter good explanation :

https://community.cisco.com/t5/switching/layer-2-loop-portfast-enabled-with-spanning-tree-portfast-edge/td-p/1708340

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

elkabeermg · ‎12-20-2024

SVI for VLAN 177 and VLAN 180 at sw 177 so i want to make him as root bridge for that network and connect ups switch with sw177 only with trunk port just allow vlan 177 , 180

balaji.bandi · ‎12-21-2024

SW 177 - as root for STP and allow only VLAN required for the respected Trunk will not cause any Loops.

SW177 and SW180 --> i don't have access

challenge you need to ask owner to make changes what needed on the respective switches.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver · ‎12-21-2024

Hello
As those ports on the UPS sw to either 177 &180 sws-are currently in administrative mode of access and the fact you don’t have access to them I envisage in initially setting this up was done with the cooperation of the administrator of those switches for their ports to be access ports also?

Currently these access ports to either sw177-188 from UPS is fine, you should not see any stp loop between the 3 switches providing as I have said the other side of the ports connections are also in access mode , just remove the bpdu filtering from the UPS sw you will be okay.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

elkabeermg · ‎12-21-2024

i am trying to investigate configuration of SW177 and SW180 and there are 2 SVIs there and routing is done between to switches
BPDU filter is done on SW177 and SW180 not UPS SW

paul driver · ‎12-21-2024

Hello
now i’m confused you say you have no access to those switchs and ONLY the ups sw?

what investigation are you querying?
and what is it you want to do with that information?
Also note - BPDU-FILTER can be a dangerous feature to implement depending how it’s applied -globally or at interface level

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

elkabeermg · ‎12-21-2024

I contact admin for SW177 and SW180 and know that there routing between 2 SVIs 177 and 180. I want to know full conf to decide that this topology that I mentioned above may lead to loop or not