Beginner

STP - not protecting from a loop

I have a switch WS-C2960G-24TC-L with an 12.2(55)SE1 IOS version.

Port G0/1 and G0/2 were configured this way:

interface GigabitEthernet0/1
 description ViosAlicorp-AM38 RU 9-12
 switchport trunk native vlan 999
 switchport trunk allowed vlan 852,857
 switchport mode trunk
 switchport nonegotiate
 no keepalive
 speed 1000
 duplex full
end
!
interface GigabitEthernet0/2
 description ViosAlicorp-AM38 RU 9-12
 switchport trunk native vlan 999
 switchport trunk allowed vlan 852,857
 switchport mode trunk
 switchport nonegotiate
 no keepalive
 speed 1000
 duplex full
end

An IBM Power 7 server was connected on two of its network interfaces and created a loop. I noticed that because I saw the same switch in the output of the show cdp neighbors command:

plm-sw-t4-gsni-38#show cdp neighbors gigabitEthernet 0/1 detail
-------------------------
Device ID: plm-sw-t4-gsni-38.sni.peru.ibm.com
Entry address(es):
  IP address: 129.39.162.179
Platform: cisco WS-C2960G-24TC-L, Capabilities: Switch IGMP
Interface: GigabitEthernet0/1, Port ID (outgoing port): GigabitEthernet0/2
Holdtime : 124 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 02-Dec-10 08:16 by prod_rel_team

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF000000000000D0574CA3BF80FF0000
VTP Management Domain: 'plm'
Native VLAN: 999
Duplex: full
Management address(es):
  IP address: 129.39.162.179

MAC flapping logs appeared on many network devices; these were the ones on the plm-sw-t4-gsni-38 switch (the 2960 I mentioned):

Oct  8 23:58:02.241 GMT-5: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.561e.50f7 in vlan 857 is flapping between port Gi0/22 and port Gi0/1
Oct  8 23:58:02.250 GMT-5: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5644.6d13 in vlan 852 is flapping between port Gi0/1 and port Gi0/22
Oct  8 23:58:02.258 GMT-5: %SW_MATM-4-MACFLAP_NOTIF: Host 001e.1393.4cc0 in vlan 857 is flapping between port Gi0/1 and port Gi0/22
Oct  8 23:58:02.266 GMT-5: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5694.105b in vlan 857 is flapping between port Gi0/22 and port Gi0/1
Oct  8 23:58:02.266 GMT-5: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5681.5724 in vlan 857 is flapping between port Gi0/22 and port Gi0/1

My question is, should the STP block one of these 2 ports to prevent the loop?

I have this STP detail on one of the affected VLANs:

VLAN0857
  Spanning tree enabled protocol rstp
  Root ID    Priority    4953
             Address     001e.7aca.4d80
             Cost        12
             Port        22 (GigabitEthernet0/22)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33625  (priority 32768 sys-id-ext 857)
             Address     d057.4ca3.bf80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/22              Root FWD 4         128.22   P2p
Gi0/24              Desg FWD 4         128.24   P2p

This was captured after the incident.

VIP Advisor

STP - not protecting from a loop

Just put ports 0/1 and 0/2 in a port channel!

=============================
Please remember to rate useful posts, by clicking on the stars below.

Participant

Re: STP - not protecting from a loop

Hello slizarraga.

My question is, should the STP block one of these 2 ports to prevent the loop?

STP works based on BPDUs to calculate a bridge topology. If the switch sends a BPDU through interface 0/1, that BPDU will not be forwarded by the IBM server across 0/2 (because the server is not a bridge), so the switch itself has no way of knowing that it is a looped connection.

The scenario that you described is completely expected; actually, it would be weird if spanning-tree blocked an edge port like in your case.

By the way, the solution is to configure a port-channel between the two interfaces; since 0/1 and 0/2 will be bundled into a logical interface, STP is going to be bypassed and you will be able to use both NICs of the server in an active/active role.

Regards.

Wilson B.

Beginner

STP - not protecting from a loop

Wilson,

First, thanks for your advice. We configured the switch ports independently because this server was supposed to have 2 separate logical instances, each one using one switch port, having no internal connection.

Because of that, I think that the port configuration should stay the same. But I want to know what security mechanism would prevent this loop from making a mess in the rest of the network (VLAN).

Would the BPDU guard command protect me from this?

Thanks!

Contributor

STP - not protecting from a loop

I'm not sure I understand your topology well enough to give any suggestions..

BPDU Guard should work, because as soon as a port with BPDU Guard enabled receives a BPDU it will block the port. Depending on your recovery config, the port stays err-disabled until you "shut" / "unshut" the port..

Sebastian

Participant

Re: STP - not protecting from a loop

Hello Slizarraga.

By definition, BPDU guard shuts down a port that receives BPDUs. I mentioned that when you connect a server to two different switches, the server doesn't work as a bridge between them (the server is not a bridge); BPDUs sent from one interface don't reach the remote switchport, therefore configuring BPDU Guard may not take effect in this specific scenario.

The problem is caused by MAC flapping; MAC flapping corrupts the MAC address table, and a high number of topology change notifications is generated by the affected switches, impacting other switches' CPU utilization, since BPDU TCNs are processed at CPU level.

I want to share the following document; it talks about securing your network against L2 loops from different perspectives. I hope it's useful.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml#secure_loops

Regards.

Wilson B

Hall of Fame Community Legend

STP - not protecting from a loop

%SW_MATM-4-MACFLAP_NOTIF: Host  in vlan XXX is flapping between port  and port 

This kind of message does NOT have anything to do with STP.

This is a sign that your switchports are NOT configured properly for Etherchannel. It doesn't matter what the "server guys" say, configure your ports for Etherchannel. At the same time, you may want to check with the server guys, because there's a chance that the said server is operating at 50% due to the MAC address flapping between the two ports.

STP - not protecting from a loop

Hi slizarraga,

From my understanding:

      "Gi0/1 & Gi0/2 (trunk ports) of your Switch are connected to 2 different NICs of the same server"

     Configured Native VLAN is 999

From the CDP neighborship details, it is clearly evident that there is some sort of bridging presently available in the NIC cards of your server, because CDP frames are transmitted as L2 frames with a multicast destination MAC address.

The CDP frames sent out via Gi0/2 must have hit one of the NICs of your server.

The same CDP frame was also received and processed by Gi0/1 of the switch which is connected to another NIC.

Few more queries / clarification required:

Are these NIC cards treated as separate Interfaces by OS?

Are these NIC cards assigned different IP addresses?

Is there any NIC teaming / bonding configured in the server? If configured what is the mode of NIC teaming?

NIC teaming mode best suited for your scenario is Active / Passive. (NICs connected to two different Switch Ports)

Both NICs share the same MAC address. However, at any point in time one NIC assumes the role of active NIC and the other one is in passive mode. On failure of the active NIC, the passive NIC takes on the role of active NIC.

If the NIC teaming configured is SLB (Smart Load Balancing), then as suggested in the previous posts, those two switchports need to be bundled as a single Etherchannel so that they are considered a single link by the switch. Packets to/from the server will be load balanced across the member links of the etherchannel.

MAC Flapping logs:

Oct  8 23:58:02.266 GMT-5: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5681.5724  in vlan 857 is flapping between port Gi0/22 and port Gi0/1

From the STP details for the vlan 857, you have two possible uplinks (Gi0/22 & Gi0/24)

Gi0/22 being the root port for this VLAN, leads the shortest path to the Root bridge for this VLAN.

Gi0/24 (Designated role /Forwarding state), is the port pointing downstream to another switch away from the root.

A frame (broadcast/multicast frame) generated from the server with MAC 0050.5681.5724 first hits port Gi0/1, and the MAC address is learnt on this port.

The frame is then forwarded out both Gi0/22 & Gi0/24 (B'cast & M'cast Frame are forwarded out all ports with the appropriate VLANs allowed).

The frame forwarded via Gi0/24 had somehow reached the Root Bridge for VLAN 857 (Root Bridge MAC: 001e.7aca.4d80).

From the Root Bridge, the same frame had reached this Switch via port Gi0/22. Hence the same MAC address is again learnt on Gi0/22. Hence the MAC flap notification event log is generated by this Switch.

There are some STP configuration issues in the downstream switch(es) cascaded with this switch.

The frames forwarded via Gi0/24 should not reach the root Bridge via another path.

Rajmohan R