Layer 2 looping in network

prince.p
Level 1

Hi friends 

We are using a SonicWall NSA 2400 series firewall with a 46 Mbps leased-line connection. Most of the time my firewall CPU utilization gets to nearly 98 percent; due to this my network is getting stuck. We are using two Cisco 2960 series switches. On one of the switches we connected the VLAN1 interface to gi0/2, VLAN2 to gi0/4 and the DMZ to gi0/29. When we contacted firewall support, they informed us that there is a loop in the network, and they are suggesting that we use a layer 3 switch for the DMZ zone or connect the DMZ to a separate layer 2 switch. I need your support: will a layer 2 loop occur due to the DMZ interface being connected to the switch, or is it anything else? Below I attached our network diagram.

 

 

 

 

 

 

6 Replies

Hello Prince,

Is that Gi 0/29 switch port in a separate VLAN? If true, there's no possibility you face looping on the switch.

I read this recommendation elsewhere:

"For example, on a Cisco Catalyst-series switch, it is necessary to activate spanning tree port fast for each port connecting to the SonicWALL security appliance's interfaces."

"When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds the port does not pass any traffic – this feature is well-known to cause problems with SonicPoints. If you do not need spanning-tree, disable it globally on the switch, or disable it on each port connected to a SonicPoint device."

 

Maybe you could try that.

 

-If I helped you somehow, please, rate it as useful.-

Hi,

below is my switch configuration

 

crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Cer
revocation-check none
rsakeypair TP-self-signed-193394803
!
!
crypto pki certificate chain TP-self
certificate self-signed 01
30820240 308201A9 A0030201 0202010
31312F30 2D060355 04031326 494F532
69666963 6174652D 31393333 3934383
33365A17 0D323030 31303130 3030303
4F532D53 656C662D 5369676E 65642D4
34383033 3230819F 300D0609 2A86488
81009E35 C478D1ED 3D904811 C8D09D1
E1709102 9D15269F 18E6E5D8 9A78D8D
57949035 2F99F4A5 200DAC2E 87687EF
C19AF909 A36C583F 405C659D 560DC6A
D4A50203 010001A3 68306630 0F06035
551D1104 0C300A82 08547269 2D53773
9267DE0F 093E3F73 E28307EC CBE60BF
67DE0F09 3E3F73E2 8307ECCB E60BFCA
03818100 5EFF39D3 9CCCA744 C0FDDBA
2C839CE0 36F093CD 060EA577 CDB345A
CC655198 63597A93 2A32E5F8 5692591
7E8F3E70 6252B00F A9C566F4 0A9A827
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy asce
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet0/1
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet0/2
switchport mode access
!
interface GigabitEthernet0/3
switchport mode access
!
interface GigabitEthernet0/4
switchport mode access
!
interface GigabitEthernet0/5
switchport mode access
!
interface GigabitEthernet0/6
switchport mode access
!
interface GigabitEthernet0/7
switchport mode access
!
interface GigabitEthernet0/8
switchport mode access
!
interface GigabitEthernet0/9
switchport mode access
!
interface GigabitEthernet0/10
switchport mode access
!
interface GigabitEthernet0/11
switchport mode access
!
interface GigabitEthernet0/12
switchport mode access
!
interface GigabitEthernet0/13
switchport mode access
!
interface GigabitEthernet0/14
switchport mode access
!
interface GigabitEthernet0/15
switchport mode access
!
interface GigabitEthernet0/16
switchport mode access
!
interface GigabitEthernet0/17
switchport trunk allowed vlan 1-5
switchport mode trunk
!
interface GigabitEthernet0/18
switchport mode access
!
interface GigabitEthernet0/19
switchport mode access
!
interface GigabitEthernet0/20
switchport mode access
!
interface GigabitEthernet0/21
switchport trunk allowed vlan 1-5
switchport mode trunk
!
interface GigabitEthernet0/22
switchport mode access
!
interface GigabitEthernet0/23
switchport trunk allowed vlan 1-5
switchport mode trunk
!
interface GigabitEthernet0/24
switchport mode access
!
interface GigabitEthernet0/25
switchport mode access
!
interface GigabitEthernet0/26
switchport mode access
!
interface GigabitEthernet0/27
switchport mode access
!
interface GigabitEthernet0/28
switchport mode access
!
interface GigabitEthernet0/29
switchport mode access
!
interface GigabitEthernet0/30
switchport mode access
!
interface GigabitEthernet0/31
switchport mode access
!
interface GigabitEthernet0/32
switchport mode access
!
interface GigabitEthernet0/33
switchport mode access
!
interface GigabitEthernet0/34
switchport mode access
!
interface GigabitEthernet0/35
switchport mode access
!
interface GigabitEthernet0/36
switchport mode access
!
interface GigabitEthernet0/37
switchport mode access
!
interface GigabitEthernet0/38
switchport mode access
!
interface GigabitEthernet0/39
switchport mode access
!
interface GigabitEthernet0/40
switchport mode access
!
interface GigabitEthernet0/41
switchport mode access
!
interface GigabitEthernet0/42
switchport mode access
!
interface GigabitEthernet0/43
switchport mode access
!
interface GigabitEthernet0/44
switchport mode access
!
interface GigabitEthernet0/45
switchport mode access
!
interface GigabitEthernet0/46
switchport mode access
!
interface GigabitEthernet0/47
switchport mode access
!
interface GigabitEthernet0/48
switchport trunk allowed vlan 1-5
switchport mode trunk
!
interface GigabitEthernet0/49
switchport trunk allowed vlan 2,3
switchport mode access
!
interface GigabitEthernet0/50
switchport trunk allowed vlan 2,3
switchport mode access
!
interface Vlan1
ip address 10.1.0.7 255.255.255.0
!
ip default-gateway 10.1.0.10
ip http server
ip http secure-server
!
line con 0
line vty 0 4
password cisco
login
line vty 5
password cisco
login
line vty 6 15
login
!
end

Hi, do you mean a layer 2 spanning-tree loop is occurring? You could rule that out pretty quickly with this command; it will show you if changes are constantly occurring and from which port. Post the output if you're not sure.

show spanning-tree detail | inc ieee|occurr|from|is exec
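To make the reply above concrete, here is an added example (not code from the thread, from Cisco or from SonicWall) that parses the output of that filtered show command and separates a topology-change counter that is merely large from one that is still climbing, which is the pattern the reply suggests looking for. The sample output is constructed for this example; the instance names, counter values and port are illustrative, not from the poster's switch.

```python
"""Parse the output of

    show spanning-tree detail | inc ieee|occurr|from|is exec

from a Cisco IOS switch and flag STP instances whose topology-change counter
is high and still moving. The sample output below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample output: VLAN0001 is churning, the changes arrive via Gi0/29.
SAMPLE_OUTPUT = """\
 VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 4821 last change occurred 00:00:07 ago
          from GigabitEthernet0/29
 VLAN0002 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 3 last change occurred 2d04h ago
          from GigabitEthernet0/17
 VLAN0003 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 0 last change occurred 00:00:00 ago
"""

INSTANCE_RE = re.compile(r"^\s*(\S+) is executing the \S+ compatible Spanning Tree protocol")
CHANGES_RE = re.compile(r"Number of topology changes (\d+) last change occurred (\S+) ago")
FROM_RE = re.compile(r"^\s*from (\S+)$")


@dataclass
class StpInstance:
    name: str               # spanning-tree instance, e.g. VLAN0001
    changes: int = 0        # cumulative topology-change counter
    last_change: str = ""   # IOS age string: 00:00:07, 2d04h, 3w2d, ...
    source_port: str = ""   # port the last topology change notification came from


def parse_stp_detail(text: str) -> list:
    """Group the three filtered line types back into one record per instance."""
    instances, current = [], None
    for line in text.splitlines():
        if m := INSTANCE_RE.match(line):
            current = StpInstance(name=m.group(1))
            instances.append(current)
        elif current is None:
            continue
        elif m := CHANGES_RE.search(line):
            current.changes = int(m.group(1))
            current.last_change = m.group(2)
        elif m := FROM_RE.match(line):
            current.source_port = m.group(1)
    return instances


def age_to_seconds(age: str) -> int:
    """Convert an IOS age ('00:00:07', '2d04h', '3w2d', '1y5w') to seconds."""
    if ":" in age:
        h, m, s = (int(x) for x in age.split(":"))
        return h * 3600 + m * 60 + s
    units = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([ywdhm])", age))


def flag_churning(instances, min_changes: int = 100, max_age_seconds: int = 60) -> list:
    """Suspect instances: a large counter AND a change within the last minute.
    A large counter alone is history; a recent change alone is normal."""
    return [i for i in instances
            if i.changes >= min_changes and age_to_seconds(i.last_change) <= max_age_seconds]


if __name__ == "__main__":
    parsed = parse_stp_detail(SAMPLE_OUTPUT)
    for inst in parsed:
        print(f"{inst.name}: {inst.changes} changes, last {inst.last_change} ago, "
              f"via {inst.source_port or 'n/a'}")
    for inst in flag_churning(parsed):
        print(f"CHECK {inst.source_port}: {inst.name} topology is still changing")
```

A counter that keeps incrementing tells you where topology change notifications arrive, not why. On a port facing an end device such as the firewall, a link flap on a port without portfast also counts as a change, which is why the first reply recommends portfast there. A counter that climbs every few seconds via a port toward another switch, together with MAC-address flapping and the CPU load described in the question, is the loop signature worth chasing.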

For the WAN interface and the DMZ interface, do I need to configure separate VLANs in the Cisco 2960 series switch?

Do I need to configure a separate VLAN for the WAN interface and the DMZ zone?

I may be missing something here, but there is an obvious issue with the current configuration. I assume the VLANs have been defined in the SonicWall, but the switch has all ports (2, 4 and 29) in VLAN 1. That would cause the looping and problems you are experiencing. In the simplest terms, port 2 should be in VLAN 1, port 4 in VLAN 2 and port 29 in another VLAN specific to the DMZ. In addition, any ports that are associated with the networks belonging to VLAN 1, VLAN 2 and the DMZ should be put in those VLANs too.

Also, it is not unusual, and a networking best practice, to have a switch dedicated to the DMZ, but logical separation with VLANs in a single switch would also work.

 

Hope this helps.
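The check below is an added example written for this page (not code from the thread, from Cisco or from SonicWall). It parses the switch configuration posted earlier and reports what the reply above points out: with no `switchport access vlan` statement, Gi0/2, Gi0/4 and Gi0/29 all default to VLAN 1, so the firewall's LAN, VLAN2 and DMZ interfaces share one broadcast domain inside the switch. It also flags `switchport trunk allowed vlan` lines on access-mode ports, which IOS ignores, and flags firewall-facing ports without portfast, the setting the first reply quotes. The port-to-zone mapping is taken from the question; VLAN 3 for the DMZ and the `spanning-tree bpduguard enable` line in the proposed fix are assumptions added here, not something the thread states.

```python
"""Audit the posted switch config for firewall-facing ports that all land in
VLAN 1 by default, and emit IOS lines that give each zone its own VLAN.
Config excerpt: copied from the running-config posted in this thread.
Zone mapping and fix VLAN numbers (VLAN 3 for the DMZ): assumptions."""
import re

# Excerpt of the posted running-config (only the ports discussed in the thread).
CONFIG_EXCERPT = """\
spanning-tree mode pvst
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/17
 switchport trunk allowed vlan 1-5
 switchport mode trunk
!
interface GigabitEthernet0/29
 switchport mode access
!
interface GigabitEthernet0/49
 switchport trunk allowed vlan 2,3
 switchport mode access
!
"""

# Assumed: firewall zone behind each port (from the question) and the VLAN each
# zone should be isolated in. VLAN 3 for the DMZ is an assumption of this example.
FIREWALL_PORTS = {
    "GigabitEthernet0/2": ("LAN VLAN1", 1),
    "GigabitEthernet0/4": ("LAN VLAN2", 2),
    "GigabitEthernet0/29": ("DMZ", 3),
}


def parse_interfaces(config: str) -> dict:
    """Per-interface switchport settings with the IOS default applied:
    a port with no 'switchport access vlan' line is in VLAN 1."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif m := re.match(r"^interface (\S+)$", line):
            current = {"mode": None, "access_vlan": 1, "trunk_allowed": None, "portfast": False}
            interfaces[m.group(1)] = current
        elif current is None:
            continue
        elif m := re.match(r"^switchport mode (access|trunk)$", line):
            current["mode"] = m.group(1)
        elif m := re.match(r"^switchport access vlan (\d+)$", line):
            current["access_vlan"] = int(m.group(1))
        elif m := re.match(r"^switchport trunk allowed vlan (\S+)$", line):
            current["trunk_allowed"] = m.group(1)
        elif line.startswith("spanning-tree portfast"):
            current["portfast"] = True
    return interfaces


def audit(interfaces: dict, firewall_ports: dict = FIREWALL_PORTS) -> list:
    """Findings (plain strings) for the firewall-facing ports and for config IOS ignores."""
    findings, by_vlan = [], {}
    for port, (zone, _) in firewall_ports.items():
        cfg = interfaces.get(port)
        if cfg is None:
            findings.append(f"{port} ({zone}): not present in config")
            continue
        if cfg["mode"] == "trunk":
            findings.append(f"{port} ({zone}): configured as trunk; a firewall zone port should be an access port")
            continue
        by_vlan.setdefault(cfg["access_vlan"], []).append(f"{port} ({zone})")
        if not cfg["portfast"]:
            findings.append(f"{port} ({zone}): no spanning-tree portfast; link-up waits through STP listening/learning")
    for vlan, ports in sorted(by_vlan.items()):
        if len(ports) > 1:   # several firewall zones in one VLAN = one broadcast domain
            findings.append(f"VLAN {vlan} carries {', '.join(ports)}: these firewall zones share one broadcast domain")
    for name, cfg in interfaces.items():
        if cfg["mode"] == "access" and cfg["trunk_allowed"]:
            findings.append(f"{name}: 'switchport trunk allowed vlan {cfg['trunk_allowed']}' has no effect in access mode")
    return findings


def remediation(firewall_ports: dict = FIREWALL_PORTS) -> list:
    """IOS lines giving each firewall zone its own access VLAN. portfast follows the
    thread's first reply; bpduguard is an addition: an edge port that receives a
    BPDU (another switch, or a loop behind the port) is err-disabled."""
    lines = []
    for vlan in sorted({vlan for _, vlan in firewall_ports.values()}):
        if vlan != 1:                      # VLAN 1 always exists
            lines += [f"vlan {vlan}", "!"]
    for port, (zone, vlan) in firewall_ports.items():
        lines += [f"interface {port}",
                  f" description Firewall {zone}",
                  " switchport mode access",
                  f" switchport access vlan {vlan}",
                  " spanning-tree portfast",
                  " spanning-tree bpduguard enable",
                  "!"]
    return lines


if __name__ == "__main__":
    print("\n".join(audit(parse_interfaces(CONFIG_EXCERPT))))
    print("\nProposed changes:")
    print("\n".join(remediation()))
```

Run against the posted config, the audit reports the three firewall ports together in VLAN 1, no portfast on any of them, and the `switchport trunk allowed vlan 2,3` lines on Gi0/49 and Gi0/50 being ignored because those ports are in access mode. The remediation output is the access-VLAN assignment the reply describes; whichever VLAN number the DMZ actually uses has to match what is defined on the SonicWall side.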
