Layer 2 loop protection enhancement?

parisdooz12
Level 1

Hi,

We recently had a simple layer 2 loop problem on our network, with big effects.

Here is the situation: we have a C3750 switch, with STP activated on all ports.

We don't have total control over this switch, and for some reasons, it is possible that people connect a 2nd switch to it (Cisco or non-Cisco).

What happened several times is a classic case: a person interconnects 2 ports of this 2nd switch, creating a loop.

As the loop is created on the 2nd switch only, the 1st switch detects no loop, so the uplink port stays up.

After this loop is created, a broadcast storm occurs through the link between the 1st & 2nd switch, and the storm propagates all over the LAN.

I am trying to find some solutions to avoid that. One thing I would like to do is to find a mechanism on the first switch which can block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions.

Note that storm control, even configured to a quite low value (i.e. 2 Mbps), is not efficient enough to protect equipment (we have had big CPU impact on LAN equipment).

Has anyone any idea?

Thanks.

P.

3 Replies

Peter Paluch
Cisco Employee

Hi,

It is generally difficult to protect a network from broadcast storms if a section of this network is not capable of protecting itself against switching loops.

I am not aware of any mechanism that would block a port just because a frame has both exited and entered the switch with the same source MAC address.

I would personally recommend configuring the BPDU Guard on these unprotected ports. If another switch is connected to such an unprotected port and emits a BPDU, either on its own or because this BPDU was received from your own switch, got caught in a loop and sent back, the port will be err-disabled. It is not a perfect protection but I believe it can help.

Best regards,

Peter
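The BPDU Guard configuration Peter recommends, written out as an added example for a Catalyst 3750 (this is not configuration posted in the thread; interface numbers and the recovery interval are placeholders to adapt):

```cisco
! Added example (not from the thread): BPDU Guard on the ports where
! unmanaged switches may appear, plus automatic err-disable recovery.
! Assumes a Catalyst 3750 running IOS; port range and timers are placeholders.
!
! Option A: enable BPDU Guard globally on every PortFast-enabled port.
spanning-tree portfast bpduguard default
!
! Option B: enable it explicitly per interface, independent of PortFast.
interface range GigabitEthernet1/0/1 - 24
 description Edge port - foreign switches may be attached here
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Bring the port back after 5 minutes instead of leaving it err-disabled
! until an administrator issues shutdown / no shutdown on it.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification:
! show spanning-tree summary           (Portfast BPDU Guard Default is enabled)
! show interfaces status err-disabled
! show errdisable recovery
```

Two points worth knowing before turning this on. First, the guard fires on any BPDU, so a managed second switch that runs STP will be cut off as soon as it is plugged in, not only when it loops; that is the trade-off Peter mentions. Second, a cheap unmanaged switch sends no BPDUs of its own, but a loop inside it reflects the 3750's BPDUs back to the uplink, which is exactly the case the guard catches; without err-disable recovery the port then stays down until someone clears it, so decide deliberately whether automatic recovery is wanted.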

lgijssel
Level 9

The most obvious solution is to use BPDU Guard:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html#wp1019943

This feature will err-disable ports when they receive BPDUs.

regards,

Leo

Unfortunately, BPDU Guard is not an option, for the moment (I know it is heretical, but for some reasons, it is left to some people to add their own switches to our switch; we need at least to find a way to control this adding).

Regarding the storm-control level, I know it is a tricky question (I didn't find an answer on the forums): what level to use? I think there are no specific applications generating broadcast, so I just asked myself, in a classic network (normal network signalling, PCs with Windows, etc.), what are the cases of significant broadcast? What I would like to do is to apply a "packets per second" limit, quite low (for example: 100 pps). What's your opinion (if you have already tried to determine a limit on your own network)?

Regards,

P.
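As an added example (not configuration from the thread), here is how the packets-per-second storm-control idea from the last post looks on a Catalyst 3750. It assumes an IOS release that accepts `level pps` (an assumption; older releases only take a bandwidth percentage or bps), and the 100 pps figure is simply the value floated above, not a recommended threshold:

```cisco
! Added example (not from the thread): per-port broadcast/multicast
! storm control expressed in packets per second.
! Assumes a Catalyst 3750 on an IOS release that accepts "level pps"
! (assumption). Interface range and thresholds are placeholders.
interface range GigabitEthernet1/0/1 - 24
 ! rising threshold 100 pps, falling threshold 50 pps
 storm-control broadcast level pps 100 50
 storm-control multicast level pps 100 50
 ! err-disable the port instead of only dropping the excess,
 ! and raise an SNMP trap / syslog message so the event is seen
 storm-control action shutdown
 storm-control action trap
!
! Optional: recover the port automatically after 5 minutes.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Verification:
! show storm-control
! show storm-control GigabitEthernet1/0/1 broadcast
```

To pick a sane threshold rather than guessing, leave the ports at a deliberately high level for a while and watch the Current column of `show storm-control` during normal business hours; that gives the real per-port broadcast baseline, and the limit can then be set a safe margin above it. Note that, as the original post already observed, rate limiting alone only caps how much of the storm leaks onto the uplink; the `shutdown` action is what actually isolates the looped segment.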
