Cisco Loop Protection

Posted on 2013-09-17
Medium Priority
Last Modified: 2013-09-19
We are replacing some Extreme switches with Cisco 2960S-48 switches.

We ran ELRP on the Extreme switches to prevent loops.

Looking at the Cisco options I am a bit confused as to what option to use or multiple options.

I read that BPDU guard may not be enough to prevent loops. Maybe storm control should be used. Loop guard? UDLD?

Here is the environment:
Several engineers (hardware/software) have small desktop switches as they plug in numerous devices, and I don't want to limit the MAC count.

Two 1 Gig GBICs will be used as an EtherChannel to the core.

Portfast on.
Most user ports are access mode with a default VLAN, data, and voice.

My main concern is to prevent users from looping the network with small switches. We also have the occasional person moving desks who loops the network by plugging things in wrong.

UDLD and BPDU guard?

Example switch port or trunk port config ?
Thanks in advance
Question by:PostQ
LVL 11

Assisted Solution

gmbaxter earned 200 total points
ID: 39500452
I always found BPDU guard to be sufficient, but looping in the small switches would have to be tested as I've not experimented with that configuration. Can you not increase the number of data ports to bypass the need for the switches?

Author Comment

ID: 39500546
A lot of the time that just becomes another budget item since we could not pick and choose who gets them. It would mean running 2-4 more drops for each person and adding more Cisco switches, and then only about 20% of the employees would need them. As of now, out of about 60 engineers, 10-15 use the small switches on occasion. ELRP running on the Extreme switches worked great. Maybe I will test the BPDU guard. I think another blog mentioned using UDLD on trunks to the core since we have fiber ports running EtherChannel. I think it advised against loop guard since it would take down both EtherChannels, whereas UDLD would just drop one fiber connection and the second should work. Small switches or not, I would like to have some sort of loop protection like Extreme ELRP.
LVL 18

Expert Comment

ID: 39501487
UDLD works on unidirectional connections like fiber, as the name implies (Unidirectional Link Detection). Fiber has one port sending and the other port receiving. When one port fails, spanning tree enables the alternate port, which may cause a loop because the other half of the failed fiber connection is still active. UDLD ensures that the other half is disabled if one half fails.

Spanning tree with BPDU guard should be sufficient. Since you have PortFast enabled, do not use BPDU filter, as that will convert to standard STP operation if a BPDU is detected on the port. BPDU guard, on the other hand, will disable the port to prevent the loop. Also, hard-code your access layer switch ports as access ports. Consider the nonegotiate option also.

You should only worry about loops on your uplinks.


Author Comment

ID: 39502355
So I will use UDLD on the two EtherChannel fiber trunks, and BPDU guard on the hard-coded access ports? Your last statement has me leaning toward applying nothing on the user ports, but I do want to halt user-created loops.
LVL 26

Accepted Solution

Soulja earned 1800 total points
ID: 39502724
You can use UDLD on trunks whether fiber or copper, but most of the time on fiber.

On your access ports, enable PortFast, BPDU guard, and you can enable port security to limit MAC addresses on the interfaces to one MAC address. This way small switches will be somewhat ineffective for users trying to connect multiple devices to a port.
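Putting the two expert replies above together (UDLD on the fiber uplinks, hard-coded access ports with PortFast and BPDU guard, port security where a MAC limit is acceptable) as one worked Cisco IOS configuration for a 2960S. This is an added example, not configuration posted by any participant in the thread. The interface numbers (users Gi1/0/1-44, engineer desks Gi1/0/45-48, fiber uplinks Gi1/0/49-50), VLAN IDs (10 data, 20 voice, 99 native), the EtherChannel group number and the err-disable recovery interval are assumptions; adjust them to your environment.

```cisco
! Added example (not from the original thread). Assumed VLANs: 10 data,
! 20 voice, 99 native. Assumed ports: users 1-44, engineer desks 45-48,
! fiber uplinks 49-50.
!
spanning-tree mode rapid-pvst
! BPDU guard by default on every port whose PortFast state is operational
spanning-tree portfast bpduguard default
! Global UDLD aggressive mode: applies to fiber ports only
udld aggressive
! Let err-disabled ports recover on their own once the loop is removed
! (300 seconds is an assumption; the default is 300)
errdisable recovery cause bpduguard
errdisable recovery cause udld
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! Standard user drops: one PC plus one phone, MAC count limited by port security
interface range GigabitEthernet1/0/1 - 44
 description USER - data + voice
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan voice
 storm-control broadcast level 1.00
 storm-control action shutdown
 no shutdown
!
! Engineer desks with small unmanaged switches: BPDU guard still catches a
! loop, but there is no port-security MAC limit so several devices can connect
interface range GigabitEthernet1/0/45 - 48
 description ENGINEER - multiple devices allowed
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 storm-control action shutdown
 no shutdown
!
! Fiber uplinks to the core: one LACP EtherChannel, UDLD aggressive per member
interface range GigabitEthernet1/0/49 - 50
 description UPLINK - fiber to core
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
 udld port aggressive
 channel-group 1 mode active
!
interface Port-channel1
 description UPLINK - EtherChannel to core
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
!
! Verification after applying:
!   show spanning-tree summary            (BPDU guard default state, PortFast port count)
!   show udld neighbors                   (both fiber links reported bidirectional)
!   show etherchannel summary             (Po1 up with both members bundled)
!   show interfaces status err-disabled   (ports knocked out by a loop or UDLD)
!   show port-security interface GigabitEthernet1/0/1
```

Two caveats a practitioner should keep in mind. BPDU guard only fires when a BPDU actually arrives on the port: a loop through an unmanaged desktop switch is caught because the 2960S's own BPDUs are flooded back to it, but a cheap switch that drops 802.1D reserved-address frames would not trip it, which is why storm control is left on as the backstop (it is a per-port broadcast ceiling, not loop detection). On the uplinks, UDLD aggressive err-disables only the member whose far end went silent, so the Port-channel stays up on the surviving member; loop guard, by contrast, acts on the whole logical port, which matches the reasoning in the author's earlier comment.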
LVL 18

Expert Comment

ID: 39507544
You can use UDLD on copper, but it has no effect.

Hard-coding access ports prevents loops automatically, as the ports do not send DTP packets and can never form a trunk. Loops are only formed on trunk ports.
