08-18-2013 06:40 AM - edited 03-07-2019 02:59 PM
Last week we had a network outage because someone looped an unmanaged switch port to port.
I have read about some solutions that may help stop this from happening again.
(At this stage we cannot remove the unmanaged switches.)
1. broadcast storm control
2. loopback err_disable (the port gets its own keepalive and err_disables the port)
3. port security
Are there any other options?
I understand that BPDU guard didn't help because the switch with the loop was unmanaged.
I have just one question about BPDU guard.
Our switches are configured:
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
On ports:
interface GigabitEthernet1/0/3
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
Someone said that settings on specific ports override the global ones,
and so the global BPDU guard setting won't work because spanning-tree portfast on the ports overrides it.
Is this right? And must the setting be changed?
Thanks
08-18-2013 02:42 PM
I understand that BPDU guard didn't help because the switch with the loop was unmanaged.
BPDU Guard should've kicked in because the BPDU is sent from one of the ports of the managed switch into the un-managed switch. The un-managed switch doesn't understand BPDUs, so the un-managed switch floods all ports with it and should send the BPDU down the other interface and back to the managed switch.
Check to see if there's a global setting to disable the BPDU Guard error-disable state. I've seen this happen on my network before.
08-18-2013 07:15 AM
Hi Jacob,
someone said that settings on specific ports override the global
That's right.
the global BPDUguard setting wont work because spanning-tree portfast on the ports overrides it.
Portfast and BPDU guard are two different things. In your configuration you enable portfast on a per-port basis (as far as I see you don't have it enabled globally), and when you do this, BPDU guard is activated automatically for this port because the global configuration is conditional (only for portfast-enabled ports).
i understand that BPDUguard didnt help becuse the switch with the loop was unmanaged.
This is unlikely. BPDUs are Layer-2 multicasts and an unmanaged switch normally floods them over all ports with the exception of the port where the original frame was received. So the BPDU should also be looped back to your switch and BPDU guard can break the loop.
The most efficient enhancement for bridging loop prevention is BPDU guard; of course you can combine it with storm control and port security (they do not prevent the loop but can lessen the impact).
Hope that helps
Rolf
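To make Rolf's point about the conditional global default concrete, here is an added Python example (not code from Cisco or from any poster in this thread) that reads a running-config snippet and reports, per interface, whether BPDU guard is actually in effect. The rule it encodes is the one described above: `spanning-tree portfast bpduguard default` only applies to interfaces where PortFast is enabled, and an explicit interface-level `spanning-tree bpduguard enable` or `disable` takes precedence over the global default. The config text is a constructed sample modelled on the snippet in the question, with extra interfaces added to show each case; the global `spanning-tree portfast default` command is deliberately not modelled.

```python
"""Per-interface BPDU guard effectiveness from a Cisco IOS running-config.

Added example for this thread, not vendor code. Assumption: the only ways
BPDU guard becomes active on an access port are the conditional global
'spanning-tree portfast bpduguard default' (requires PortFast on the port)
or an explicit interface-level 'spanning-tree bpduguard enable'.
"""
import re

# Constructed sample config, modelled on the one in the question.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/3
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
!
interface GigabitEthernet1/0/6
 switchport mode access
 spanning-tree bpduguard enable
!
"""

PORTFAST_LINES = ("spanning-tree portfast", "spanning-tree portfast trunk")


def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' or blank line ends an interface block
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # unindented line: back at global level
            global_lines.append(line)
    return global_lines, interfaces


def bpduguard_status(text):
    """Return {interface: (effective: bool, reason: str)}."""
    global_lines, interfaces = parse_config(text)
    global_default = "spanning-tree portfast bpduguard default" in global_lines
    result = {}
    for name, lines in interfaces.items():
        portfast = any(l in PORTFAST_LINES for l in lines)
        if "spanning-tree bpduguard enable" in lines:
            result[name] = (True, "explicit 'spanning-tree bpduguard enable' on the interface")
        elif "spanning-tree bpduguard disable" in lines:
            result[name] = (False, "explicit 'spanning-tree bpduguard disable' on the interface")
        elif global_default and portfast:
            result[name] = (True, "global 'bpduguard default' applies because PortFast is enabled")
        elif global_default:
            result[name] = (False, "global 'bpduguard default' present, but no PortFast on this port")
        else:
            result[name] = (False, "no global default and no interface-level setting")
    return result


if __name__ == "__main__":
    for intf, (effective, why) in bpduguard_status(SAMPLE_CONFIG).items():
        print(f"{intf:24} bpduguard={'yes' if effective else 'no ':3}  {why}")
```

For the question's own port (Gi1/0/3, PortFast enabled, global default present) the result is "yes": the per-port `spanning-tree portfast` line is what makes the global default apply, not something that overrides it. The same function shows the case that does bite in practice, an access port without PortFast, where the global default silently does nothing.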
08-18-2013 07:26 AM
Thanks
So if I understand correctly,
my BPDU guard settings are OK?
You write "unmanaged switch normally floods them over all ports with the exception of the port where the original frame was received". If so, how will the port get the BPDU and break the loop?
Thanks again
08-18-2013 08:11 AM
I thought the loop occurred on two different managed switch ports. Are you saying the user interconnected two ports of the unmanaged switch and this resulted in an outage of your managed LAN infrastructure?
However, BPDU guard should break the loop even in this scenario. From the unmanaged switch's perspective, we have different conversations.
Let's say port 1 is connected to the managed switch and a loop is formed by port 2 and 3.
So a BPDU is received on port 1 and flooded over port 2 and 3.
Then, port 3 and port 2 receive the copies of that BPDU and flood them again, port 3 to 1 and 2, port 2 to 1 and 3.
In this way the BPDUs are flooded back to the managed switch.
And yes, your BPDU guard settings are o.k. as long as you enable portfast on your edge ports.
"show spanning-tree summary" and "show spanning-tree interface
Sent from Cisco Technical Support Android App
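The flooding sequence Rolf walks through (port 1 in, port 2 and 3 out, cable between 2 and 3, copies back out of port 1) can be traced mechanically. The following is an added Python example, not code from any poster, that models the unmanaged switch as a pure flooder with no spanning tree and no frame lifetime, injects a single BPDU on the uplink port, and counts how many copies re-emerge towards the managed switch per forwarding hop. Port numbers, the hop bound and the `cabled` switch are assumptions made for the model.

```python
"""Trace a BPDU through an unmanaged switch with two of its ports cabled together.

Added example for this thread, not vendor code. Model assumptions:
  * the unmanaged switch floods every BPDU out of all ports except the one it
    came in on (BPDUs go to a reserved multicast MAC, so MAC learning is moot);
  * a frame leaving one looped port arrives on the other looped port;
  * a frame leaving the uplink port arrives at the managed switch and stops.
Hop counting is only there to bound the simulation; Ethernet frames have no TTL.
"""
from collections import deque


def simulate_unmanaged_loop(uplink_port=1, looped_ports=(2, 3), cabled=True, max_hops=6):
    """Inject one BPDU on uplink_port and flood it for at most max_hops hops.

    Returns (first_return_hop, returned_per_hop) where first_return_hop is the
    hop at which a copy first comes back out of uplink_port (None if never) and
    returned_per_hop[h] is the number of copies reaching the managed switch at hop h.
    """
    a, b = looped_ports
    ports = {uplink_port, a, b}
    # The patch cable between the two looped ports; None means nothing attached.
    patch = {a: b, b: a} if cabled else {a: None, b: None}

    queue = deque([(uplink_port, 0)])       # (ingress port, hops so far)
    returned = [0] * (max_hops + 1)
    first_return = None
    while queue:
        ingress, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for egress in sorted(ports - {ingress}):   # flood: every port but ingress
            if egress == uplink_port:
                returned[hop + 1] += 1
                if first_return is None:
                    first_return = hop + 1
            elif patch[egress] is not None:
                queue.append((patch[egress], hop + 1))   # arrives on the other end
    return first_return, returned


if __name__ == "__main__":
    for cabled in (True, False):
        first, per_hop = simulate_unmanaged_loop(cabled=cabled)
        print(f"cabled={cabled}: first copy back on uplink at hop {first}, "
              f"copies per hop {per_hop}, total {sum(per_hop)}")
```

With the loop cabled, the first BPDU copy is back on the uplink after two hops and two more copies follow at every hop thereafter, so the managed switch's edge port sees BPDUs as long as the loop exists, which is exactly the condition BPDU guard acts on. With the cable removed the same BPDU dies after one hop and nothing comes back.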
08-18-2013 01:03 PM
Yes, the user connected two ports on an unmanaged switch.
I will need to lab this and see why the BPDU guard didn't kick in.
Thanks
08-18-2013 11:59 PM
Hi Leo,
thanks for joining the discussion.
Check to see if there's a global setting to disable the BPDU Guard error-disable state.
Depending on the platform and IOS this may vary, but a c2960 can be configured to shut down only the offending VLAN instead of the complete port:
(config)#do show errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      port
(...)
(config)#errdisable detect cause bpduguard shutdown vlan
(config)#do show errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      vlan
(...)
(config)#default errdisable detect cause bpduguard shutdown vlan
(config)#do show errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      port
(...)
I haven't tested this option yet (interesting for IP phones, I guess), but my understanding is that bridging-loop prevention will still take place.
Best regards
Rolf
08-19-2013 01:18 AM
OK,
I checked:
sh errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
bpduguard                    Enabled      port
sh errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
bpduguard                    Enabled
Question is:
What happens after the timer interval? Does the port become enabled and then disabled again because of a new BPDU?
08-22-2013 11:20 AM
question is :
what happens after timer interval? does the port become enabled and then disable again because of new BPDU?
That depends on the ErrDisable Recovery setting:
Switch> show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
udld                         Disabled
bpduguard                    Disabled
Disabled means the port will not recover automatically; you'll have to reset it manually.
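Jacob's switch shows recovery Enabled and Leo's example shows it Disabled; the behaviour after the timer differs accordingly, and reading those two show commands by eye across many switches is tedious. Below is an added Python example, not code from Cisco or from any poster, that parses the output of `show errdisable detect` and `show errdisable recovery` and summarises what will happen to a port that BPDU guard has err-disabled: with recovery disabled it stays down until it is reset by hand; with recovery enabled it comes back after the timer interval and, if the loop still exists and BPDUs still arrive, is err-disabled again. The sample output blocks are constructed to look like the ones in this thread (the `Timer interval` line and the pending-interface table follow the usual IOS layout); the interface name and the 45-second remaining time are made up.

```python
"""Summarise BPDU-guard err-disable behaviour from IOS 'show errdisable' output.

Added example for this thread, not vendor code. The two text blocks below are
constructed sample output, not captures from the poster's switches.
"""
import re

DETECT_SAMPLE = """\
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      port
"""

RECOVERY_SAMPLE = """\
ErrDisable Reason            Timer Status
-----------------            --------------
udld                         Disabled
bpduguard                    Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Gi1/0/3        bpduguard                  45
"""


def parse_errdisable_detect(text):
    """Return {reason: (detection_enabled, mode)} e.g. {'bpduguard': (True, 'port')}."""
    modes = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(Enabled|Disabled)\s+(\S+)\s*$", line)
        if m:
            modes[m.group(1)] = (m.group(2) == "Enabled", m.group(3))
    return modes


def parse_errdisable_recovery(text):
    """Return (recovery {reason: enabled}, timer interval in s, pending [(intf, reason, secs_left)])."""
    recovery, interval, pending = {}, None, []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(Enabled|Disabled)\s*$", line)
        if m:
            recovery[m.group(1)] = m.group(2) == "Enabled"
            continue
        m = re.match(r"^Timer interval:\s+(\d+)\s+seconds", line)
        if m:
            interval = int(m.group(1))
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if m and m.group(2) in recovery:        # a row of the pending-interface table
            pending.append((m.group(1), m.group(2), int(m.group(3))))
    return recovery, interval, pending


def assess_bpduguard(detect_text, recovery_text):
    """Combine both outputs into a plain statement of what an err-disabled port will do."""
    modes = parse_errdisable_detect(detect_text)
    recovery, interval, pending = parse_errdisable_recovery(recovery_text)
    detect_on, scope = modes.get("bpduguard", (False, None))
    auto = recovery.get("bpduguard", False)
    if not detect_on:
        behaviour = "bpduguard is not an err-disable cause on this switch"
    elif auto:
        behaviour = (f"the {scope} is re-enabled every {interval} s and err-disabled again "
                     f"if BPDUs are still received, i.e. it flaps until the loop is removed")
    else:
        behaviour = f"the {scope} stays err-disabled until cleared manually (shutdown / no shutdown)"
    return {"detect": detect_on, "scope": scope, "auto_recovery": auto,
            "interval": interval, "pending": pending, "behaviour": behaviour}


if __name__ == "__main__":
    for k, v in assess_bpduguard(DETECT_SAMPLE, RECOVERY_SAMPLE).items():
        print(f"{k:14} {v}")
```

Running it on output like Jacob's (recovery Enabled) yields the flapping description; on Leo's (Disabled) it yields the manual-reset one. Either way, the loop itself is only gone when the offending cable is removed; recovery just decides whether the port keeps probing for that.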