Switching loop has massive impact on rest of network

the_kirschi
Level 1

Hi all,

 

In our network we have a lot of switches (at the moment about 150 online). We are running rapid-pvst, but there is no router itself on the network, only a 4500X that is routing between VLANs (we have 76 VLANs). From time to time we have someone here and there who creates a network loop, but instead of STP turning just the directly affected link down, lots of uplink interfaces on mostly edge switches go into err-disabled state. I also experienced this weekend that on at least some port-channels, single interfaces that are part thereof are set to err-disabled while the remaining ones are not, leaving the port-channel itself up and running. My question is: how can I restrict the impact of such a loop so that it does not affect almost the whole network? Any help is greatly appreciated.

 

Thanks
Daniel

2 Replies

Mark Malone
VIP Alumni

It's not STP's fault, it's the user who's causing it. They shouldn't be causing loops here and there; that's a sign of bad planning in configuration. Nothing should be added to or removed from the network without checking the consequences first. We all make mistakes, but if it's constantly happening you have another issue to deal with. Even if you use err-disable recovery to come back from the loop, it could bring it back online and the issue could still be there and take it back down anyway.

 

You have a large STP domain, 150 switches. You should try to break it down and segment it, or else lock down the network with port-security so people can't be causing outages like that. Make sure portfast is in place where it should be and the likes of bpduguard is on. The more protection in place, the less the convergence will be, but the larger your network is, the worse the layer 2 convergence will be too when the outage occurs.

 

Take the automated control back from STP by manually setting link costs etc., so you know, even when the outage occurs, which links will become active when the primary paths fail. Basically, take control back off STP; it can be manipulated to an extent, even though it's automatic, so that you're really controlling it.

 

 

"STP turning just the directly affected link down lots of uplink interface on mostly edge switches go into err-disabled state"

 

Are these dual-linked access switches, as it shouldn't be shutting down the only active link? STP is to prevent a loop, not break the access layer.

Hi

First, you must be aligned to a network model; in this case you could use the two-layer model or collapsed model, where the 4500X will have the role of Core and Distribution (primary and secondary).

Regarding your infrastructure, I don't recommend cascading the switches. You can have direct uplinks from the access switches to the 4500X, or create stacks and then connect one link to the primary 4500 and the other link to the secondary.

 

All the access switches must be configured with the following commands under the interface used to connect end users (access mode only).

 

spanning-tree portfast 

spanning-tree bpduguard enable

 

On the 4500X (primary and secondary) I suggest setting up the STP primary root and secondary root respectively.

Primary 

spanning-tree mode rapid-pvst

spanning-tree VLAN A,B,C,D,..Z (your VLANs) priority  <lowest for primary root / then higher for secondary>

 

example:

primary

spanning-tree vlan 10,11,15 priority 4096

secondary

spanning-tree vlan 10,11,15 priority 8192

 

Then, under the interfaces facing the access switches, you can set up spanning-tree guard root. It will protect the root devices. Note: it must be configured on the designated ports (facing the access switches only).

 

Also remember to use the same spanning-tree mode, rapid-pvst, on all the switches in your infrastructure.

 

Hope it is useful

:-)

 




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<
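
With around 150 switches, the per-port advice in the replies above (portfast plus bpduguard on every end-user access port) is easiest to verify against saved configs. The following Python audit is an added example, not part of the original thread; the sample config and the function names are constructed, and it also honours the global `spanning-tree portfast default` and `spanning-tree portfast bpduguard default` forms.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/3
 switchport mode access
interface TenGigabitEthernet1/1/1
 switchport mode trunk
"""

def parse_config(config):  # -> (global lines, {interface: [sub-commands]})
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def audit_access_ports(config):
    """Return {access port: [missing protections]} for the given config."""
    global_lines, interfaces = parse_config(config)
    # Global defaults: PortFast on access ports, BPDU guard on PortFast ports.
    pf_default = any(re.fullmatch(r"spanning-tree portfast (edge )?default", g) for g in global_lines)
    bg_default = any(re.fullmatch(r"spanning-tree portfast (edge )?bpduguard default", g) for g in global_lines)
    findings = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # the advice applies to end-user access ports only
        has_pf = pf_default or any(re.fullmatch(r"spanning-tree portfast( edge)?", c) for c in cmds)
        has_bg = "spanning-tree bpduguard enable" in cmds or (bg_default and has_pf)
        missing = [n for n, ok in (("portfast", has_pf), ("bpduguard", has_bg)) if not ok]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(audit_access_ports(SAMPLE_CONFIG))
```

Ports without an explicit `switchport mode access` line are skipped, so dynamically negotiated ports need a separate review.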