vasil.nikolov1
Beginner

Question: Network storm prevention solution

Hey everyone.

I have around 70-100 users on our internal network and I am short on budget, so what I did is a tree topology with many dumb switches because of the building and office design. But now we have had the network storm problem twice and that was not an option for the business, so now I got the budget to afford professional Cisco equipment. I have read a lot of discussions and posts for the past few days but could not really find the best solution in there, so I decided to make a post about it.

The Problem:
I could not find the problem easily; I shut down all the main switches and plugged them in one by one. I was lucky that the loop stopped, but later on I noticed that someone had plugged a cable from a port on a switch to another one, and I assume there was some broadcast during that time so the storm appeared - I might be wrong on that, but that's how I explain it to myself.

So I have 2 ideas that I would like to discuss, and if someone has a better solution I am totally up for it.

What we have:
40+ VoIP phones - running in a physically separate network; cables and switches are next to each other but separated by different backbone cables.
70+ users + 3 servers running on the same network - physically separate from the VoIP.
1 pfSense "gateway" used as a router, DHCP, TFTP.

1st idea:
Replacing the dumb "backbone" switch we are using with a manageable Cisco switch and connecting the other floor trunks there, then using BPDU guard to shut down a trunk line where the loop is coming from.

2nd idea:
Get 2 manageable Cisco switches and run the 2 lines together for a reliable connection, and separate the networks with VLANs. Then run STP between the switches so whenever a loop occurs, STP stops it - is that possible?

Questions:
Which switch/es would suit the situation best?
How far should I go with the solutions?
Is that the best way to deal with the problem?

Network Diagram: Coming up.

Accepted Solution
Mark Malone
VIP Mentor

If you're going to use a purely layer 2 network, set up storm control on the ports, use PVST+ and use STP portfast and BPDU guard on the access ports, and use port security as well to prevent anyone just connecting any devices and causing loops or generating storms with faulty devices (bad NICs).

Loops can be prevented with a correct STP implementation, but storms can still occur, especially in large layer 2 networks.

Basic 2960 switches should do the job and give you enough control to implement the necessary features.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_22ea/SCG/scg/swtrafc.html

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html

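As an added example (not from this thread, Cisco's documentation or the poster), here is how the features recommended above fit together in IOS on a 2960 access switch: BPDU guard plus portfast on user ports, storm control with shutdown, sticky port security, and a trunk uplink where STP keeps running. Interface numbers, VLAN ids, the 1k pps threshold and the recovery interval are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Catalyst 2960 / LAN Base; names and numbers are assumptions.
spanning-tree mode pvst
! Any portfast port that receives a BPDU (someone plugged in a switch) is put into err-disabled.
spanning-tree portfast bpduguard default
!
! Bring err-disabled ports back after 5 minutes instead of a manual shut / no shut.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface range GigabitEthernet0/1 - 44
 description USER ACCESS PORT
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Edge port: skips listening/learning; BPDU guard shuts it if a switch appears here.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Shut the port when broadcast exceeds 1000 pps (assumed threshold); resume below 500 pps.
 storm-control broadcast level pps 1k 500
 storm-control multicast level pps 2k 1k
 storm-control action shutdown
 ! Port security: one learned MAC, saved to the running config.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet0/48
 description UPLINK TO BACKBONE SWITCH
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ! No portfast or BPDU guard on inter-switch links: STP must run here to block loops.
 ! Root guard keeps a downstream switch from taking over as root bridge.
 spanning-tree guard root
 ! On the uplink, alert instead of shutting down so one noisy port does not isolate a floor.
 storm-control broadcast level 20.00
 storm-control action trap
```

Check the result with `show spanning-tree interface GigabitEthernet0/1 detail`, `show storm-control` and `show port-security`; a port err-disabled by any of these shows up in `show interfaces status err-disabled` with its cause.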


Great reply, I will look deeper into these now and test in an emulator.
Do you think I can start with 1 switch as the backbone switch and implement most of the features, and if it's not good enough, go for 2 switches so I can implement STP and start with VLANs? I am not sure if I am able to route them with the pfSense or if I need to go for a Cisco router as well.

If a loop occurs and STP stops it, does it remain on the edge switches?

I have checked on the switch you suggested; I see the price goes from 100$-4000$ and they all say 2960. Does that mean all of them have the same software features and the hardware makes the difference? Like more ports, gigabit instead of 100Mb?

For what you would be doing, a 2960-S running the LAN Base image will support what you need. I would go with a gig switch rather than FastEthernet, around 800$, maybe 600-700 euro, probably cheaper if you are getting a few, depending on your vendor. It's the lowest-end switch you can get without going into small business types, which may not have all the features, and some people have run into issues with these (SG-300s). The 2960s are stable; we have them in multiple networks without issue, that's why I recommend them from experience.

2960s only run LAN Base software as they're pure layer 2 switches. The variations in price would be the amount of ports, hot-swappable parts, stackable etc., but the software will generally be the same for each 2960 platform. There is universal, LAN Base and LAN Lite; I think some of the universal images can support static routing as well. LAN Lite is very basic, I would avoid that.

You would not need any high-end image for layer 2 anyway; the security features are part of the LAN Base image. Here is a doc showing some of what you would get in terms of features and the different types of hardware available.

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/product_data_sheet0900aecd80322c0c.html

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960.html

Here is the small business one anyway, to review for yourself.

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/product_data_sheet0900aecd80322c0c.html