Spanning Tree Loop

[shetoshandasa]

Hi All ,

If we have a switched network with spanning Tree Protocol enabled.. all things are right and no problem here.

what about if some one come with a normal switch ( say DLink or any other type ) or even a cisco switch with SPT Disabled, and connected it to on of our switched with a parallel cables?

Of course a Layer 2 Loop will occur and network may become down..

what is a suitable method to avoid such a fool !!

Can i prevent it , or even detect it and determine the infected port !!

Thanks in advance

 

[DallasBPF]

umm... had this happen a a few times =) Only way we found the problem when we were a flat network (one giant subnet for everything) was process of elimination. Basically asked everyone in our IT department what they added to the network if anything (about 5 in the helpdesk area) and went from there. Another way to find out that we used was to disconnect your spoke switches from your core switch and plug them in one at a time, when the problem comes back you have your problem child, and then you can go to that switch and trouble shoot from there...

To prevent it? prohibit employees from add/changes to switchports, train IT staff, secure switches, disable ports that are not being used, enable port security to allow only 1 mac address and if it gets violated have the port shut down...

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works

 

[vipergg]

A lot of times we find when someone loops a port you can see it via cdp because the affected switch sees "itself" on more than 1 port in which case you can disable the port if the loop hasn't tied up the switch cpu so much you can't do any remote commands otherwise it manual intervention to pull one of the cables . You can use bpdu guard to prevent users from plugging in ports between themselves on the same switch but it won't guard against someone sticking a cheapo home router and looping ports on that .

 

[burtsbees]

MAC address security, my friend, Tedious, but it works.

Burt

 

[baddos]

I aggree with burt.
[ul]
Limit max mac address count on all user ports. (range 1-3 for a host port )
Define all access ports as access or host.
Enable bpduguard on all ports that have portfast
[/ul]

 

[Belushi]

BPDUGUARD is the answer. As for someone plugging in one of those cheapo router that was mentioned earlier, there are multiple variations of NAC and other security mechanisms that can help. personally, I like to stay away from the port security type configurations as they become administrator intensive. Works OK for smaller networks, pain in the you know what for larger netwoks.

Other options include DHCP snooping with dynamic ARP inspeciton, IP source guard, 802.1x authentication. They all have their little caveats and annoying issues but they are all useful in their own ways.

 

[vipergg]

Yeah mac security would probably work on a smaller network but when you are admin for 1000 plus devices and you basically have 2 people doing the whole network thats not feasible.

 

[lerdalt]

Belushi is right, bpduguard will shutdown the ports the 'rogue' device are connected to almost instantly.

Had it shut me down several times because I forgot it was enabled.

 

[burtsbees]

I didn't thing BDPU guard did that. Just thought it would prevent loops, like within the same switch...

Burt

 

[shetoshandasa]

i had done port security on the port before , but the trick is that when someone connect another switch which doesn't work with spanning-tree in a parallel connection with our switch , the loop will also occur

|__________|
| |
| |

i tried Bpdu Guard , it acts very well and it satisfied me very well.

the only thing that it only work when my switch port in access mode , and by default i think that the trunk link can't generate create loops

but really it's all right now ..

i found something called SPAN ( switch port analyzer ) , but it's a method of detecting the loop after happening , i'm now in a hard search for it and want to find a full simulation for .

really great thanks for sharing and happy new year

 

[Belushi]

Trunks can generate loops.

 

[lerdalt]

Actually the SPAN is for connecting a packet analyzer and mirroring the traffic from one port to another for analysis.

 

[baddos]

Don't hate port-security guys. You can use it with err-disable-recovery for large environments to reset the ports after a timeout or simply change the violation rule.

You should use some form of port-security on every access port regardless. Spoofing 8,000+ mac address on a port is a good way to start hacking.

 

[burtsbees]

i had done port security on the port before , but the trick is that when someone connect another switch..."
Well,limiting ports to only a few MAC addresses will ensure that NO switch can be plugged into the port, depending on the violation-action you set.

Burt

 

[Belushi]

The better answer is some for of network admission control, possibly DOT1X or Cisco clean access. The issue with that of course is that it isn't only a network function but you have to get the other groups of IT involved as well. The network is merely the conduit for which the access is controlled.

 

[mooneh]

erm Am I missing something here?
Of course there many tricks you can do to stop spanning tree shutting your network for reconvergence including port security, bpduguard, rapid per vlan spanning tree etc but surely the easiest way is to have the ports set as either disabled or access ports?
Cheers! Was just looking at this forum link from Google for another reason!

http://supportwiki.cisco.com/ViewWi...nding_Spanning-Tree_Protocol_Topology_Changes

 

[mooneh]

Sorry Head in a fuzz! Access ports for unused ports in a diff vlan to your data vlan Might as well keep ports disabled. I had another thought - if you do use RSTP you will not see more downtime than a second or so because convergence for RSTP is very fast!

RE: i had done port security on the port before , but the trick is that when someone connect another switch which doesn't work with spanning-tree in a parallel connection with our switch , the loop will also occur

Loop will occur if someone plugs a crossover cable between two ports of the same switch or plugs a switch with no STP running twice into same switch. Just use RSTP It will block one of the ports very fast. To stop someone plugging in their own switch - do not use DTP on the unused ports; stick them as access in a vlan. Then add port security features

 

[BuckWeet]

Use rapid spanning-tree, rootguard and bpduguard..

Those three features will protect you..

 

[pegraves]

it's a good start, but it will not protect you everytime. I have been testing with a 6500 and a linksys SD208. The 6500 ports are set port host (portfast enabled, trunk off, chan off) and bdpu-guard is enabled globally and I am running rapid. So initially, the linksys would connect to the switch fine and when I looped two ports on the linksys with a cable, the 6500 would errdisable the uplink port bpduguard. then I enabled the port while the linksys was looped and again the 6500 would errdisable the port. I was feeling pretty good. Then I removed the loop, renabled the 6500 port and then immediately looped the linksys. This time the 6500 thought about it ( I was watching router cpu the whole time) and most of the time the 6500 would catch it and errdisable the port. Then one time it did not. STORM! from that time on, it seemed it was a whole lot easier to STORM the network with a loop. Now it's everytime even when I reboot the 6500 which tells me something is remembering something and it isn't good. heck of a test so far. love to hear comments and/or test suggestions.

 

[baddos]

What version sofware and supervisor modules are you running?