Method for detecting loops in environment with STP implemented

itconsultant9
Level 1

Good Day,

We have had some issues in the last couple of months with people plugging devices into the network that caused network loops in the environment that STP did not seem to resolve: people plugging VoIP phones into the wrong ports and hubs into the environment.

Just wondering if people could provide feedback on how they deal with detecting network routing loops in their environment, and the best ways to discover them quickly so we can remove the problematic device from the environment in an expedient manner. Also, any suggestions for preventing this scenario from occurring in the first place would be appreciated as well.

Thanks in advance for reading the post, look forward to your feedback.

Regards,

itconsultant9

Accepted Solution

Jon Marshall
Hall of Fame

If you get an STP loop with a lot of traffic you will detect it very quickly because your network won't work :-)

If you do end up with a loop and it does not bring your network grinding to a halt, a sure sign of it is messages in the logs about MAC addresses flapping between ports, although those messages do not always mean that.

In terms of preventative measures, you should run BPDU Guard on your end-user ports, which should have PortFast enabled. This means that if a hub is connected to two switchports, the switch will see BPDUs, because the hub simply relays them, and will then error-disable the port.

You can use port security to allow only a certain number of MAC addresses per port, which also means users would realise that attaching a hub did not work.

In the end there is only so much you can do technically. Sometimes it comes down to user education and being able to meet their demands.

For example, users generally don't connect up hubs unless they need extra ports. In one of the larger companies I worked for, we had a very strict policy that no users were allowed to connect anything to the network unless authorised, and it was a disciplinary matter if they did.

However, we also recognised that they don't generally do it for fun, so we always made sure we had spare switches in stock in case they did have a genuine need for extra ports.

I appreciate that not all companies can do this, but if you don't provide what they need for their work, they generally will try and find a way around it.

Edit - also have a look at this link, which contains some useful information on STP troubleshooting:

https://supportforums.cisco.com/document/54376/spanning-tree-loop-troubleshooting-and-safeguards

Jon
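As an added example, not part of Jon's post and not Cisco's own tooling: the detection heuristic Jon describes (MAC addresses flapping between ports) run over a few constructed IOS-style syslog lines. The message layouts of `%SW_MATM-4-MACFLAP_NOTIF` and `%PM-4-ERR_DISABLE` are modelled on Cisco IOS output but the sample lines, hostnames, ports, MAC addresses and thresholds below are all made up for this example. It separates a probable loop (several different MACs, or the same MAC repeatedly, flapping between one pair of ports within a short window) from a single host being moved to another port, which is the benign case behind Jon's caveat that flap messages do not always mean a loop, and it cross-references any port that BPDU Guard has already err-disabled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the IOS MACFLAP_NOTIF and BPDU Guard
# err-disable messages. Not captured from a real switch.
SAMPLE_LOG = """\
Feb 3 10:00:01 sw1 101: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/7
Feb 3 10:00:02 sw1 102: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4456 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/5
Feb 3 10:00:03 sw1 103: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4457 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/7
Feb 3 10:00:04 sw1 104: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/7
Feb 3 10:00:05 sw1 105: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4458 in vlan 10 is flapping between port Gi1/0/7 and port Gi1/0/5
Feb 3 10:00:09 sw1 106: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Feb 3 10:45:30 sw1 107: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 20 is flapping between port Gi1/0/12 and port Gi1/0/20
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)")
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)
BPDUGUARD_RE = re.compile(r"%PM-4-ERR_DISABLE: bpduguard error detected on (?P<port>[^\s,]+)")


def parse_ts(line, year):
    """IOS syslog timestamps carry no year, so the caller supplies one."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def busiest_window(events, window):
    """Max (distinct MACs, flap count) seen in any span of length `window`."""
    events = sorted(events)
    best_macs = best_flaps = 0
    for i, (t0, _) in enumerate(events):
        in_span = [mac for t, mac in events[i:] if t - t0 <= window]
        best_macs = max(best_macs, len(set(in_span)))
        best_flaps = max(best_flaps, len(in_span))
    return best_macs, best_flaps


def analyse(log_text, year=2024, window=timedelta(seconds=30), min_macs=3, min_flaps=10):
    """Rank port pairs by how loop-like their MAC flapping is.

    Thresholds are assumptions for this example: a real loop typically makes
    many different hosts flap between the same two ports within seconds,
    whereas a moved or roaming host produces one MAC flapping once.
    """
    flap_events = defaultdict(list)  # (portA, portB) -> [(ts, mac), ...]
    errdisabled = {}                 # port -> first BPDU Guard err-disable time
    for line in log_text.splitlines():
        ts = parse_ts(line, year)
        if ts is None:
            continue
        m = MACFLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))  # direction is irrelevant
            flap_events[pair].append((ts, m["mac"]))
            continue
        m = BPDUGUARD_RE.search(line)
        if m:
            errdisabled.setdefault(m["port"], ts)

    findings = []
    for pair, events in flap_events.items():
        macs, flaps = busiest_window(events, window)
        loop = macs >= min_macs or flaps >= min_flaps
        findings.append({
            "ports": pair,
            "distinct_macs": macs,
            "flaps_in_window": flaps,
            "verdict": "probable loop" if loop else "single host move, probably benign",
            "bpduguard_errdisabled": [p for p in pair if p in errdisabled],
        })
    # Probable loops first, then by how busy the pair was.
    findings.sort(key=lambda f: (f["verdict"] != "probable loop", -f["flaps_in_window"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Feed it the output of `show logging` or a syslog server export for the switch in question; the first finding names the two ports to go and inspect. If one of them is already listed under `bpduguard_errdisabled`, BPDU Guard has done the containment for you and what remains is finding the hub or mis-cabled phone on that port.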

2 Replies


Thanks for the feedback, Jon. I appreciate the suggestions, as they give me some options to look into for our environment.