Cisco Loop Prevention

We had an issue this morning where someone had joined two VLANs together (by linking one data socket into another directly), creating massive problems!

The problem was traced down to the VLAN, and then to the building, when people got wrong IP addresses.

How can this be prevented in future? Is there something that can be enabled on the switches as a sort of loop-guard?

Thanks,
gmbaxter asked:

Istvan Kalmar (Head of IT Security Division) commented:
Hi,

You need to enable STP on all switches, and root guard!

What type of switches do you have?
gmbaxter (Author) commented:
I've got spanning-tree portfast on all host ports.

Should spanning-tree portfast trunk be on all connections between switches?

Switches are a mixture of:

3550
3500XL
3750

The problem with disabling portfast would be that the client startup and login time would be significantly decreased.
Istvan Kalmar (Head of IT Security Division) commented:
How could he connect two VLANs at the same time?

gmbaxter (Author) commented:
^ One cable between two data outlets that were on different VLANs.
Istvan Kalmar (Head of IT Security Division) commented:
OK, in this case STP blocks this port.
Nayyar HH (CCIE RS), Network Architect, commented:
To prevent this from recurring you can look at implementing the following.
> STP: use Rapid PVST+.
> Portfast: enable this on end-user ports.
> BPDU Guard: enable this on end-user ports. This will shut down a portfast-enabled port if it receives a BPDU.
> Loop Guard: enable this on uplinks and downlinks. This will put a non-designated port into the loop-inconsistent blocking state when it stops receiving BPDUs.
Don Johnston (Instructor) commented:
This is NOT a problem that spanning-tree is designed to resolve.

> We had an issue this morning where someone had  joined two vlans together

Since two separate VLANs (networks/broadcast domains) were interconnected, spanning tree (being a layer 2 protocol) would not resolve this. Spanning tree could, however, block one of the ports. The problem with that is there could be users on one network who would lose their connection on that network due to the blocked port.

>How can this be prevented in future?

It can't be prevented with a protocol.

>Is there  something that can be enabled on the switches as a  sort of loop-guard ?

Not really. Spanning-tree is designed to prevent loops within a network, not between networks. There's only so much we can do to prevent idiot users from causing problems. :-)

If the port is not in use, you can disable it. But that's about all you can do.

Istvan Kalmar (Head of IT Security Division) commented:
But Cisco switches will block those ports with an inconsistent port type if CDP is enabled, or if they receive a BPDU from another VLAN!
Nayyar HH (CCIE RS), Network Architect, commented:

donjohnston, with all due respect I think you're wrong here. Can you provide something more substantial to support your opinion?
To support mine I will elaborate more:
When you configure a user's switchport as portfast, apart from transitioning into the forwarding state almost immediately, the port will still continue to send BPDUs; see below:

#sh run int f1/0/5
!
interface FastEthernet1/0/5
 switchport access vlan 101
 switchport mode access
 .
 .
 .
 .
 spanning-tree portfast
 spanning-tree bpdufilter disable
 .

#sh int f1/0/5
FastEthernet1/0/5 is up, line protocol is up (connected)
  .
  5 minute input rate 3000 bits/sec, 3 packets/sec
  5 minute output rate 4000 bits/sec, 5 packets/sec
  .
  .
#sh spanning-tree vl 101 detail | b 1/0/5
 Port 7 (FastEthernet1/0/5) of VLAN0101 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.7.
   Designated root has priority 8192, address 000a.42b0.9065
   Designated bridge has priority 32869, address 0024.507d.7d00
   Designated port id is 128.7, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 3815, received 0
BPDU count increases ...
#sh spanning-tree vl 101 detail | b 1/0/5
 Port 7 (FastEthernet1/0/5) of VLAN0101 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.7.
   Designated root has priority 8192, address 000a.42b0.9065
   Designated bridge has priority 32869, address 0024.507d.7d00
   Designated port id is 128.7, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 3871, received 0
Now if I enable BPDU guard on two edge ports such as these and they receive a BPDU because a user has connected two ports together, why will BPDU guard not shut down the port?
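As an added illustration of the BPDU guard point in the two comments above (this is example code written for this page, not anything posted in the thread or shipped by Cisco): the script below parses `show spanning-tree vlan ... detail` output in the format quoted above and lists the portfast ports whose received-BPDU counter is non-zero. With BPDU guard enabled, those are exactly the ports the switch would put into err-disabled state; on a switch without BPDU guard, the same counter is the evidence to look at after an incident like the one in the question. The sample output, interface names, MAC addresses and counters are constructed for the example.

```python
"""Flag portfast (edge) ports that have received BPDUs in `show spanning-tree detail` output.

Added example for this thread, not configuration or code from any poster. It parses
constructed sample output modelled on the IOS 'show spanning-tree vlan N detail' format;
the interface names, counters and MAC addresses below are made up.
"""
import re

# Constructed sample output: two portfast edge ports and one uplink (root port).
SAMPLE_OUTPUT = """\
 Port 7 (FastEthernet1/0/5) of VLAN0101 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.7.
   Designated root has priority 8192, address 0000.0000.0001
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 3871, received 0

 Port 8 (FastEthernet1/0/6) of VLAN0101 is designated forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 8192, address 0000.0000.0001
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 120, received 4

 Port 25 (GigabitEthernet1/0/1) of VLAN0101 is root forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.25.
   Designated root has priority 8192, address 0000.0000.0001
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 2, received 3899
"""

# "Port 7 (FastEthernet1/0/5) of VLAN0101 is designated forwarding"
PORT_HEADER = re.compile(r"^\s*Port \d+ \((\S+)\) of (VLAN\d+) is (\S+) (\S+)")
# "BPDU: sent 3871, received 0"
BPDU_LINE = re.compile(r"BPDU: sent (\d+), received (\d+)")


def parse_spanning_tree_detail(text):
    """Return one dict per port block: name, vlan, role, state, portfast, bpdu_sent, bpdu_received."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_HEADER.match(line)
        if m:
            current = {"name": m.group(1), "vlan": m.group(2), "role": m.group(3),
                       "state": m.group(4), "portfast": False,
                       "bpdu_sent": 0, "bpdu_received": 0}
            ports.append(current)
            continue
        if current is None:
            continue  # lines before the first port block
        if "portfast mode" in line:
            current["portfast"] = True
        m = BPDU_LINE.search(line)
        if m:
            current["bpdu_sent"] = int(m.group(1))
            current["bpdu_received"] = int(m.group(2))
    return ports


def bpduguard_would_errdisable(ports):
    """Names of portfast ports that have received at least one BPDU.

    A BPDU arriving on an edge port means another switch, or a cable looped
    between two outlets, is on the far side. That is the condition BPDU guard
    reacts to by err-disabling the port, whichever VLAN the BPDU came from.
    """
    return [p["name"] for p in ports if p["portfast"] and p["bpdu_received"] > 0]


def report(text):
    """Human-readable summary of the parsed output; returns the lines it would print."""
    ports = parse_spanning_tree_detail(text)
    lines = []
    for p in ports:
        kind = "edge (portfast)" if p["portfast"] else "uplink"
        lines.append(f"{p['name']:<22} {p['vlan']} {p['role']:<10} {kind:<16} "
                     f"BPDU sent={p['bpdu_sent']} received={p['bpdu_received']}")
    offenders = bpduguard_would_errdisable(ports)
    lines.append("BPDU guard would err-disable: " + (", ".join(offenders) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

On a real switch the output to feed in comes from `show spanning-tree vlan <id> detail`; the counters on the uplink show the normal pattern (BPDUs received from the root, few sent), while an edge port should sit at received 0 indefinitely. The corresponding protections are `spanning-tree portfast bpduguard default` for the edge ports and `spanning-tree loopguard default` for the uplinks, and `errdisable recovery cause bpduguard` if you want the port to come back on its own rather than waiting for a manual shut/no shut.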
Don Johnston (Instructor) commented:
Spanning Tree is a layer 2 protocol designed to prevent loops within a layer 2 network. What I am pointing out is that if you connect two separate networks together, you do not have a loop. Spanning tree is not designed to identify and prevent separate networks from being accidentally (or intentionally) connected.

When you start relying on a protocol to provide a service which it was not designed to perform, at some point, you will become... surprised.