  • Status: Solved
  • Priority: Medium
  • Security: Public
Data Cable looped back, Took down Network.. Need help Preventing

Hello,

Please forgive me for any networking ignorance below. I'm not well versed in STP and other Switch Security Features.
-----------------------------------
Today we had a user plug their Data Network Cable coming from the wall into their Voice Network jack (also coming from the wall). Because the PVID on the Voice Network is the same as the Data Network (multi-purpose jacks for computers and phones), it caused a portion of the network to crash until the loopback was found.

The trouble is that it was looped between 2 separate switches from 2 different manufacturers. How can I prevent things like this from happening in the future?

Typically in a loopback situation I check ports for errors. In this situation, every port showed no Errors. We finally went desk to desk and found the problem. It felt like it was a loopback issue even though no port errors were showing up.

I know there are STP and BPDU settings that are supposed to help with this but I'm not sure how to correctly set my devices.

It would have been great if one of the switches could have detected the problem and disabled or Flagged the port.

The two switches in question are:
Netgear GS748TPS
HP (3com) Baseline Switch 2952

How do I prevent this from happening in the future?
Thanks in advance.
Asked by: varesources

2 Solutions
Garry GlendownConsulting and Network/Security SpecialistCommented:
> How do I prevent this from happening in the future?

Generally, you already answered it ... make sure you have STP/RSTP activated on all switches in your network, and also ensure they play nice together ... I believe you may have the two devices set to different versions, which has caused the broadcast storm that took down your network ... when in doubt, go with the lowest possible version available on both devices, then do a test during a maintenance window and confirm it is working as desired ...
 
varesourcesAuthor Commented:
Garry-G

Thank you for the Response. I know this will sound ignorant (because it is) but do you have some documentation that would help me understand this better?

make sure you have STP/RSTP activated on all switches in your network, and also ensure they play nice together ... I believe you may have the two devices set to different versions, which has caused the broadcast storm that took down your network ... when in doubt, go with the lowest possible version available on both devices,

I checked both switches and STP was on and seemed functional. I had RapidSTP on the Netgear and Standard STP on the HP (3Com).

I have attempted to read the HP documentation on STP and RSTP and BPDU and I just continued getting confused. It seemed like the settings all depended on what I was trying to protect from (Security, Loopback etc.).

I was hoping there would be a definitive... "To Prevent External Loop Backs do this" somewhere...

Could you possibly provide me a little more guidance?

TIA
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
I checked both switches and STP was on and seemed functional. I had RapidSTP on the Netgear and Standard STP on the HP (3Com).
There's your problem ... either STP, or RSTP, but not one on one switch and the other on the other switch ... the two protocols are not the same ... if both devices support it, go with RSTP, as it has shorter switchover times in a looped environment (multiple switches in a deliberate ring, with one logical "cut" in the ring to keep it from creating the broadcast storm), as well as some other advantages. If the HP switch does not support RSTP, stick with STP on both ...

As for the general function: When you have STP (any flavor) enabled on a switch, it will usually keep a port down once you put something new on it and listen for any *STP frames. If any are present, the devices will communicate and exchange topology information, which will lead to the port just going online, or certain blocking rules will go into effect. This blocking is also per VLAN, as the infrastructure and interconnections may look different in separate VLANs.
varesourcesAuthor Commented:
Thank you! That makes a lot of sense. I will setup the STP to match on all switches and test in off hours. (I believe the HP supports STP but not RSTP)

Thank you so much for the expanded answer.
 
lrmooreCommented:
Ah, yes, we have been battling this for years when users (or IT staff, for that matter) plug in a little 5-port switch in their office because there are not enough drops, then accidentally plug both ends of the same cable into that switch.
Problem is that Spanning Tree's purpose is to prevent a loop between 2 ports on your switch, and it does not see the loop on the attached switch; it only sees a flood of BPDUs that drives up the CPU usage until you have no choice but to reboot it.
On Cisco switches, we use a feature called BPDU guard along with port security on the switch. We set the maximum number of MAC addresses allowed on the switchport to 1, and then if the user plugs in a little switch, the switchport shuts down, but the rest of the network is fine. If a little switch is required, just enable the BPDU guard feature on your switchport, and you should be fine. I just don't know how to tell you to enable it or even if it is available on your Netgear and HP switches.
 
varesourcesAuthor Commented:
Thank you for your reply lrmoore.

The switch does have BPDU features but I'm not sure what to use. Also, I've read that you can't use BPDU + STP; it seems to be one or the other. Do you know if that is true?

I found the BPDU Guard option to enable/disable. Also there is an "Advanced" portion of the menu that gives me the below options. I'm not sure what should be used.

Here's a Snippet from the manual:

Protection type
Edged Port
Set the port as an edge port.
Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports.
HP recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.

Root Protection
Enable the root guard function.
Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology change to occur. The root guard function is used to address such a problem.

Loop Protection
Enable the loop guard function.
By keeping receiving BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. These BPDUs may get lost because of network congestion or unidirectional link failures. The device will re-elect a root port, and blocked ports may transit to the forwarding state, causing loops in the network. The loop guard function is used to address such a problem.
 
lrmooreCommented:
I would recommend enabling all ports that do not connect directly to another switch as Edge ports, with BPDU guard enabled. I think the root guard is a global on/off so I would turn it on.
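Garry's description of how an STP-enabled switch listens for BPDUs on a new port and then either forwards or blocks, together with lrmoore's BPDU guard advice (edge ports with BPDU guard on everything that does not face a known switch), as an added worked example in Python. It is not part of the original thread and not Netgear, HP or Cisco code. The model has two switches joined by a deliberate uplink and then joined a second time by the desk loop from the question: with plain STP the textbook outcome is that one end of the desk loop is blocked, and with BPDU guard on the edge ports both access ports go err-disabled before the loop can join the topology at all. Switch names, MAC addresses, port names and costs are constructed assumptions. 802.1D and 802.1w rank ports by the same comparisons (root ID, root path cost, sender bridge ID, sender port ID), so the roles come out the same for either; the model does not simulate timers or the storm itself.

```python
"""Toy model of 802.1D spanning-tree port roles, with BPDU guard on edge ports.

Constructed example: switch names, MACs, port names and costs below are
assumptions, not configuration from the page or any vendor's firmware.
Costs are classic 802.1D values (19 = 100 Mb/s, 4 = 1 Gb/s).
"""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # lower wins the root election
    mac: str        # tie-breaker


@dataclass(eq=False)
class Port:
    switch: str
    name: str
    cost: int = 19          # added to the root path cost when a BPDU arrives here
    edge: bool = False      # "edged port" / PortFast: a host is expected, not a switch
    bpdu_guard: bool = False
    errdisabled: bool = False

    @property
    def key(self):
        return (self.switch, self.name)


def apply_bpdu_guard(links):
    """Err-disable guarded edge ports that would receive a BPDU.

    In this model every link joins two switch ports, and every STP-speaking
    switch sends BPDUs on all of its ports, so a guarded edge port on a link
    shuts down instead of letting the far switch join the topology.
    Returns the links that stay usable.
    """
    for a, b in links:
        for port in (a, b):
            if port.edge and port.bpdu_guard:
                port.errdisabled = True
    return [(a, b) for a, b in links if not (a.errdisabled or b.errdisabled)]


def spanning_tree(bridges, links):
    """Return {(switch, port): role} using 802.1D roles.

    Lowest BridgeId is root; every other bridge keeps one root port; each
    segment gets one designated port; anything else is blocked.
    """
    usable = apply_bpdu_guard(links)
    roles = {p.key: "errdisabled" for a, b in links for p in (a, b) if p.errdisabled}
    root = min(bridges, key=bridges.get)

    adj = {s: [] for s in bridges}          # switch -> [(my_port, far_port)]
    for a, b in usable:
        adj[a.switch].append((a, b))
        adj[b.switch].append((b, a))

    # Root path cost: Dijkstra from the root, the receiver paying its port cost.
    cost = {s: float("inf") for s in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > cost[s]:
            continue
        for _mine, far in adj[s]:
            if c + far.cost < cost[far.switch]:
                cost[far.switch] = c + far.cost
                heapq.heappush(heap, (cost[far.switch], far.switch))

    # Root port: lowest (cost via this port, sender bridge id, sender port id).
    for s in bridges:
        if s != root and adj[s]:
            best = min(adj[s], key=lambda mf: (cost[mf[1].switch] + mf[0].cost,
                                               bridges[mf[1].switch], mf[1].name))
            roles[best[0].key] = "root"

    # Designated port per segment: lowest (root path cost, bridge id, port id).
    for a, b in usable:
        ka = (cost[a.switch], bridges[a.switch], a.name)
        kb = (cost[b.switch], bridges[b.switch], b.name)
        desig, other = (a, b) if ka < kb else (b, a)
        roles.setdefault(desig.key, "designated")
        roles.setdefault(other.key, "blocked")
    return roles


def desk_loop_scenario(guard):
    """Two switches, a deliberate uplink, and an accidental loop via a desk.

    The data jack lands on one switch and the voice jack on the other, so
    patching them together joins the switches a second time.  guard=True
    makes both access ports edge ports with BPDU guard (constructed topology).
    """
    bridges = {"netgear": BridgeId(32768, "00:00:00:00:00:01"),
               "hp": BridgeId(32768, "00:00:00:00:00:02")}
    uplink = (Port("netgear", "g48", cost=4), Port("hp", "g48", cost=4))
    desk = (Port("netgear", "g10", edge=True, bpdu_guard=guard),
            Port("hp", "g10", edge=True, bpdu_guard=guard))
    return spanning_tree(bridges, [uplink, desk])


if __name__ == "__main__":
    for guard in (False, True):
        print(f"bpdu guard={guard}:", desk_loop_scenario(guard))
```

Run it to print both role tables. The practical point matches the thread: BPDU guard trades a network-wide storm for one err-disabled access port, which is why it belongs on every port that does not face a known switch. On real gear the err-disabled port stays down until someone re-enables it (or an err-disable recovery timer expires), so pair the setting with a helpdesk procedure for "my jack went dead".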