02-04-2008 05:06 AM - edited 03-05-2019 08:55 PM
hi all,
Is there a possibility on a 2960 or 3560 to limit the number of BPDUs, for example to 100/s? Because when a network loop occurs the switch is bombarded with BPDUs and the switch has to process all of them in the CPU.
thanks a lot
Solved! Go to Solution.
02-04-2008 07:56 AM
To go back to your original question, you say that "when network loop occur the switch is bombarded with BPDUs". As far as I know, that does not happen. Even if the fake switch forwards the BPDUs, the Cisco switch does not. The BPDUs are strictly switchport to switchport (or more correctly bridgeport to bridgeport), and therefore cannot loop in the way you might think.
I find it much more likely that what is hitting your switch is looping broadcast frames. But you say that you have bpduguard, so that should have protected you. OK, you may get a storm for a couple of seconds, but the first BPDU that hits the access port should shut down that access port and cut the loop. So what is actually going on?
Well, I can think of two possible explanations. One is that bpduguard is not actually configured on the access port. The other is that bpdufilter is. If you want the protection that bpduguard gives you, you should never, never enable bpdufilter. In fact, you should never configure bpdufilter except in very rare corner cases; enabling bpdufilter is just not safe networking.
I have just one small doubt, and perhaps a switching expert can help me out on this one. If you configure storm control, can the storm control drop BPDUs as well? IMHO it shouldn't, but can someone confirm that?
There is one other corner case to consider. On these ports where they connected the fake switch, did you have port security configured? That can lead to unexpected trouble too, like blackholing MAC addresses that have nothing to do with this switch.
Kevin Dorrell
Luxembourg
02-04-2008 05:40 AM
Hello,
Greetings, almost-compatriot.
I am not sure if BPDUs can be limited, but if you are facing loop issues you can turn on some features like:
BPDU guard (BPDU Guard shuts down Spanning Tree Protocol PortFast-enabled interfaces when BPDUs are received to avoid accidental topology loops)
Loop guard
Storm control can be helpful as well
M.
02-04-2008 06:26 AM
Hello,
Hi, almost-compatriot :)
I have bpduguard, storm-control and UDLD turned on...
but... if someone plugs another dumb switch into my Cisco switch and makes a loop in that dumb switch, the Cisco is bombarded with BPDUs, UDLD frames and so on. I have tried storm-control for both multicast and broadcast, I even tried to use a MAC access list to block BPDU and UDLD Ethernet frames, but it does not work. When the loop occurs the switch is not responding; I guess it is due to the processing of every single BPDU in the CPU :(
02-04-2008 07:08 AM
To prevent plugging a fake switch into your network you can enable port security:
switchport port-security maximum 1
so only one host can be connected to the port of your switch.
Or, to be more complex, deploy an 802.1x or NAC solution.
M.
02-04-2008 05:45 AM
Hi,
I'm not aware if it can be done. However, you can prevent the loop by configuring the primary and secondary/backup root bridge; there are other features also that can protect your setup. Check this link: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml
Regards,
Dandy
02-04-2008 01:36 PM
Yes, your answer solved my problem. Thank you very much. Enabling bpduguard and disabling bpdufilter works fine even if someone connects a dumb switch to that port and connects one cable with both ends to that dumb switch. BPDU guard will shut down the port within 10 seconds, while the switch is still responding.
My problem was that I had bpdufilter and UDLD enabled. I hoped that UDLD would shut down the port (yes, UDLD will shut down the port, but it takes a lot of time and makes the switch unresponsive).
Thank you very much... Matus
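The configuration the thread converges on (Kevin Dorrell's bpduguard-without-bpdufilter advice, M.'s port-security suggestion, and Matus's confirmation), written out as an added IOS example for a 2960/3560 access switch. This is not configuration posted by any participant. The interface range, VLAN number, storm-control threshold and recovery interval are assumptions for illustration; the first block reproduces the weak combination the original poster described, the second is the hardened form.

```cisco
! Added example, not from the original thread. "FastEthernet0/1 - 24",
! VLAN 10, the 1.00% storm threshold and the 300 s recovery interval are
! assumptions for a typical 2960/3560 edge; adapt them to your port map.
!
! --- Weak edge port (what the original poster had) ---
! bpdufilter stops the port from processing incoming BPDUs, so bpduguard
! never sees the BPDU that would have err-disabled the port. The loop
! behind the dumb switch then runs until storm control or UDLD reacts.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
! --- Hardened edge port ---
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Explicitly clear the filter so a global bpdufilter default cannot
 ! silently undo the guard on this port.
 no spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ! One MAC per access port: a second address (hub, unmanaged switch) is
 ! dropped and counted rather than err-disabling the port, which keeps
 ! the black-holing side effect Kevin mentions easy to spot in the logs.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Broadcast storm control as a backstop for a loop that does not
 ! return a BPDU to this port (e.g. a device that eats BPDUs).
 storm-control broadcast level 1.00
 storm-control action shutdown
!
! --- Global defaults and recovery ---
! Any PortFast port that someone forgets to configure still gets the
! guard; the filter default stays off. Auto-recovery re-enables an
! err-disabled port after 300 s so an accidental loop is not a site visit.
spanning-tree portfast bpduguard default
no spanning-tree portfast bpdufilter default
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! --- Verification (show commands to run afterwards) ---
! show spanning-tree interface FastEthernet0/1 detail
!   expect a "Bpdu guard is enabled" line and NO "Bpdu filter is enabled"
! show spanning-tree summary
!   expect "Portfast BPDU Guard Default is enabled" and
!          "Portfast BPDU Filter Default is disabled"
! show interfaces status err-disabled
! show errdisable recovery
!   after someone loops a dumb switch into a port, the port should be
!   listed as err-disabled by bpduguard and scheduled for recovery
```

The ordering matters on the interface: `no spanning-tree bpdufilter enable` is stated even though the filter is off by default, because a later `spanning-tree portfast bpdufilter default` at the global level would otherwise quietly re-create the original poster's problem. Port security is set to `restrict` rather than the default `shutdown` so that a second MAC address generates a violation counter and syslog entry without err-disabling the port; if you prefer the port to go down on a violation, add `errdisable recovery cause psecure-violation` alongside the other recovery causes.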