Unmanaged Switch Loop Breaks Network - Solutions ?

Jacob Berger
Level 2

last week we had a network outage because someone looped an unmanaged switch port to port.

i have read about some solutions that may help stopping this happening again.

(at this stage we cannot remove the unmanaged switches)

1. broadcast storm control

2. loopback err_disable (the port gets its own keepalive and err_disables the port)

3. port security

are there any other options?

i understand that BPDUguard didn't help because the switch with the loop was unmanaged.

i have just one question about BPDUguard

our switches are configured:

spanning-tree mode rapid-pvst

spanning-tree portfast bpduguard default

on ports:

interface GigabitEthernet1/0/3

switchport access vlan 2

switchport mode access

spanning-tree portfast

someone said that settings on specific ports override the global

and so the global BPDUguard setting won't work because spanning-tree portfast on the ports overrides it.

is this right? and must the setting be changed?

thanks

Accepted Solution

i understand that BPDUguard didn't help because the switch with the loop was unmanaged.

BPDU Guard should've kicked in because the BPDU is sent from one of the ports of the managed switch into the un-managed switch. The un-managed switch doesn't understand BPDUs, so the un-managed switch floods all ports with it and should send the BPDU down the other interface and back to the managed switch.

Check to see if there's a global setting to disable the BPDU Guard error-disable state.  I've seen this happen to my network before.


8 Replies

Rolf Fischer
Level 9

Hi Jacob,

someone said that settings on specific ports override the global

that's right.

the global BPDUguard setting won't work because spanning-tree portfast on the ports overrides it.

Portfast and BPDUguard are two different things. In your configuration you enable portfast on a per-port basis (as far as I see you don't have it enabled globally) and when you do this, BPDUguard is activated automatically for this port because the global configuration is conditional (only for portfast-enabled ports).

i understand that BPDUguard didn't help because the switch with the loop was unmanaged.

This is unlikely. BPDUs are Layer-2 multicasts and an unmanaged switch normally floods them over all ports with the exception of the port where the original frame was received. So the BPDU should also be looped back to your switch and BPDUguard can break the loop.

The most efficient enhancement for bridging loop prevention is BPDUguard, of course you can combine it with storm control and port-security (they do not prevent the loop but can lessen the impact).

Hope that helps

Rolf

Thanks

so if i understand correctly.

my BPDU guard settings are OK ?

you write "unmanaged switch normally floods them over all ports with the exception of the port where the original frame was received". if so how will the port get the BPDU and break the loop?

thanks again

Rolf Fischer
Level 9

I thought the loop occurred on two different managed switchports. Are you saying the user interconnected two ports of the unmanaged switch and this resulted in an outage of your managed LAN-infrastructure?

However, BPDUguard should break the loop even in this scenario. From the unmanaged switch's perspective, we have different conversations.

Let's say port 1 is connected to the managed switch and a loop is formed by port 2 and 3.

So a BPDU is received on port 1 and flooded over port 2 and 3.

Then, port 3 and port 2 receive the copies of that BPDU and flood them again, port 3 to 1 and 2, port 2 to 1 and 3.

In this way the BPDUs are flooded back to the managed switch.

And yes, your BPDUguard settings are o.k. as long as you enable portfast on your edge-ports.

"show spanning-tree summary" and "show spanning-tree interface detail" provide useful information about the enabled features.


Sent from Cisco Technical Support Android App
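As an added illustration of the flooding walk-through above (example code written for this page, not from the thread or from Cisco), the following Python model plays the scenario through: a small learning bridge with port 1 as the uplink to the managed switch and a cable plugged between two of its own ports. Port numbers, the MAC address and the loop are constructed for the example. BPDUs are addressed to the STP multicast MAC, so the bridge floods every copy out all ports except the one it arrived on; the model counts how many copies come back out of the uplink, which is what a BPDU Guard edge port on the managed switch would receive.

```python
from collections import deque

# Added simulation, not code from the thread. Ports, MAC and loop are constructed.
STP_MULTICAST = "01:80:c2:00:00:00"   # destination MAC of 802.1D/802.1w BPDUs


class UnmanagedSwitch:
    """Minimal learning bridge: learns source MACs, floods multicast and unknown unicast."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}          # learned source MAC -> port (last seen)
        self.learned_on = {}   # source MAC -> every port it was ever learned on
        self.cable = {}        # port -> port for the cable plugged between two ports

    def connect(self, a, b):
        self.cable[a] = b
        self.cable[b] = a

    def forward(self, frame, in_port):
        """Return the egress ports for a frame received on in_port."""
        self.cam[frame["src"]] = in_port                  # unmanaged switches still learn MACs
        self.learned_on.setdefault(frame["src"], set()).add(in_port)
        dst = frame["dst"]
        if dst == STP_MULTICAST or dst not in self.cam:
            return [p for p in self.ports if p != in_port]   # flood, excluding the ingress port
        out = self.cam[dst]
        return [] if out == in_port else [out]


def simulate_bpdu(ports, uplink, loop=None, max_frames=50):
    """Inject one BPDU from the managed switch on `uplink` and follow its copies.

    Copies leaving the uplink are what the managed switch's edge port receives;
    copies leaving a looped port re-enter on the other end of the cable;
    copies sent towards end hosts are dropped (hosts ignore BPDUs).
    """
    sw = UnmanagedSwitch(ports)
    if loop:
        sw.connect(*loop)
    bpdu = {"src": "00:11:22:33:44:55", "dst": STP_MULTICAST}   # constructed managed-switch MAC
    queue = deque([(uplink, bpdu)])                             # (ingress port, frame)
    returned, processed, first_return = 0, 0, None
    while queue and processed < max_frames:
        in_port, frame = queue.popleft()
        processed += 1
        for out in sw.forward(frame, in_port):
            if out == uplink:
                returned += 1
                first_return = first_return or processed
            elif out in sw.cable:
                queue.append((sw.cable[out], frame))
    return {
        "returned_to_uplink": returned,               # BPDU copies the managed edge port sees
        "first_return_after_frames": first_return,    # how quickly the first copy comes back
        "still_circulating": bool(queue),             # frames still looping when we stopped
        "uplink_mac_seen_on_ports": sorted(sw.learned_on.get(bpdu["src"], ())),
    }


if __name__ == "__main__":
    print(simulate_bpdu([1, 2, 3, 4], uplink=1, loop=(2, 3)))
    print(simulate_bpdu([1, 2, 3, 4], uplink=1, loop=None))
```

With the loop between ports 2 and 3, the second frame processed already puts a copy of the BPDU back on port 1, and copies keep circulating until something breaks the loop; without the loop the BPDU is flooded once and dies at the end hosts. The "seen on ports" list also shows the managed switch's MAC being learned on three different ports, the MAC-flapping symptom that usually accompanies such a loop.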

yes, the user connected two ports on an unmanaged switch

i will need to lab this and see why the BPDU guard didn't kick in

thanks


Hi Leo,

thanks for joining the discussion.

Check to see if there's a global setting to disable the BPDU Guard error-disable state.

Depending on the platform and IOS this may vary, but a c2960 can be configured to shutdown only the offending VLAN instead of the complete port:

(config)#do show errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      port
(...)

(config)#errdisable detect cause bpduguard shutdown vlan
(config)#do show errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      vlan
(...)

(config)#default errdisable detect cause bpduguard shutdown vlan
(config)#do show errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      port
(...)

I haven't tested this option yet (interesting for IP phones I guess) but my understanding is that bridging-loop prevention still will take place.

Best regards

Rolf

ok

i checked:

sh errdisable detect
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
bpduguard                    Enabled      port

sh errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
bpduguard                    Enabled

question is :

what happens after timer interval? does the port become enabled and then disable again because of new BPDU?

question is :

what happens after timer interval? does the port become enabled and then disable again because of new BPDU?

That depends on the ErrDisable Recovery setting:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11896192

Switch> show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled

Disabled means the port will not recover automatically, you'll have to reset it manually.
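As an added example (written for this page, not code from the thread or from Cisco), a small Python check that parses the two show commands discussed above, "show errdisable detect" and "show errdisable recovery", and reports what the switch will actually do when BPDU Guard fires: whether detection is on, whether it err-disables the whole port or only the offending VLAN, and whether the port comes back by itself after the recovery timer or stays down until someone re-enables it. The sample outputs are constructed, modelled on the ones posted in this thread.

```python
import re

# Constructed sample outputs, modelled on the ones posted in the thread.
DETECT_PORT_MODE = """\
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      port
"""

DETECT_VLAN_MODE = """\
ErrDisable Reason            Detection    Mode
-----------------            ---------    ----
arp-inspection               Enabled      port
bpduguard                    Enabled      vlan
"""

RECOVERY_OFF = """\
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
"""

RECOVERY_ON = """\
ErrDisable Reason            Timer Status
-----------------            --------------
bpduguard                    Enabled
"""

# One data row: lower-case reason, Enabled/Disabled, optional mode column (detect output only).
# The header row starts with an upper-case word and the separator with dashes, so neither matches.
ROW = re.compile(r"^(?P<reason>[a-z][\w-]*)\s+(?P<state>Enabled|Disabled)(?:\s+(?P<mode>\S+))?$")


def parse_errdisable(output):
    """Map each ErrDisable reason to {'enabled': bool, 'mode': 'port' | 'vlan' | None}."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["reason"]] = {"enabled": m["state"] == "Enabled", "mode": m["mode"]}
    return rows


def audit_bpduguard(detect_output, recovery_output):
    """Summarise how BPDU Guard will behave on this switch from the two show outputs."""
    absent = {"enabled": False, "mode": None}
    detect = parse_errdisable(detect_output).get("bpduguard", absent)
    recovery = parse_errdisable(recovery_output).get("bpduguard", absent)
    findings = []
    if not detect["enabled"]:
        findings.append("bpduguard err-disable detection is OFF: a BPDU on a guarded edge port shuts nothing down")
    elif detect["mode"] == "vlan":
        findings.append("bpduguard err-disables only the offending VLAN on the port")
    else:
        findings.append("bpduguard err-disables the whole port")
    if recovery["enabled"]:
        findings.append("errdisable recovery for bpduguard is ON: the port comes back after the recovery timer")
    else:
        findings.append("errdisable recovery for bpduguard is OFF: the port stays down until re-enabled manually")
    return {
        "detection_enabled": detect["enabled"],
        "mode": detect["mode"],
        "recovery_enabled": recovery["enabled"],
        "findings": findings,
    }


if __name__ == "__main__":
    for line in audit_bpduguard(DETECT_PORT_MODE, RECOVERY_OFF)["findings"]:
        print(line)
```

The regex anchors on a lower-case reason name so the header and dashed separator rows are skipped; the mode column is optional because the recovery command prints no such column. Paste real output into the two constants to check a switch, or feed the function the captured output of both commands.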
