ExtremeSwitching (EXOS)


Help, I need to configure elrp


  • 1.  Help, I need to configure elrp

    Posted 07-11-2017 18:29
    Hello All,

    I need to configure ELRP on an X460-24t switch, version 16.1.4.2 patch1-7, but I don't know which option to choose. I have these options:
    • Log-and-trap disable-port egress permanent
    • Log disable-port ingress permanent
    What is the difference between Log-and-trap disable-port egress permanent and Log disable-port ingress permanent?

    Thanks everyone for your help



  • 2.  RE: Help, I need to configure elrp

    Posted 07-11-2017 18:49
    Hi,

    "log-and-trap" vs "log" is about what info will be sent to signal the loop detection. The "disable-port" is the action taken when a loop is detected, and the "permanent" keyword means the port will not go back up automatically, an admin will have to enable it. As for the "ingress" versus "egress" options, this is a new one since 16.1. It tells what port should be disabled, either the "ingress" one (where the elrp looped packet has been received) or the "egress" one (where the elrp looped packet has been transmitted).


  • 3.  RE: Help, I need to configure elrp



  • 4.  RE: Help, I need to configure elrp

    Posted 07-13-2017 07:09
    Hi,

    I prefer to enable ELRP on the access ports, but not on uplinks, and then disable the egress port if a loop is detected.

    If, e.g., a loop between two access switches is created, ELRP will see packets returning via the uplinks. The uplinks are usually exempted from being disabled by ELRP (otherwise the whole switch would be disabled, not just the access port that is part of the loop). Thus it does not help to act on the ingress port. But the egress port can (and should) be disabled in this situation.

    Thanks,
    Erik
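
The scenario in the post above, worked through as an added example (not part of the thread and not EXOS code). It is a simplified model: the topology, port numbers and function names are constructed for illustration, and it assumes the exclude list applies to whichever port would be disabled.

```python
from collections import deque

# Constructed topology: access switches A and B uplink on port 49 to core C,
# and a stray cable joins access ports A:5 and B:5, closing a loop.
LINKS = [(("A", 49), ("C", 1)), (("B", 49), ("C", 2)), (("A", 5), ("B", 5))]
PORTS = {"A": {1, 5, 49}, "B": {1, 5, 49}, "C": {1, 2}}

def peer(end):
    """Far end of the cable plugged into (switch, port), or None."""
    for a, b in LINKS:
        if end in (a, b):
            return b if end == a else a
    return None

def probe_returns(origin, tx_port, disabled=frozenset()):
    """Flood one probe out of (origin, tx_port); return origin ports it comes back on."""
    returned, seen, queue = set(), set(), deque([(origin, tx_port)])
    while queue:
        out = queue.popleft()
        far = peer(out)
        if out in seen or out in disabled or far is None or far in disabled:
            continue
        seen.add(out)
        switch, rx = far
        if switch == origin:
            returned.add(rx)  # the originator recognises its own probe
        else:                 # other switches flood it like any L2 frame
            queue.extend((switch, p) for p in PORTS[switch] if p != rx)
    return returned

def ports_to_disable(switch, elrp_ports, mode, exclude=frozenset()):
    """Ports disable-port would shut; mode is 'ingress' or 'egress'."""
    shut = set()
    for tx in elrp_ports:
        for rx in probe_returns(switch, tx):
            victim = tx if mode == "egress" else rx
            if victim not in exclude:
                shut.add(victim)
    return shut

def loop_remains(switch, elrp_ports, shut):
    """True if a probe still comes back after the chosen ports are shut."""
    disabled = frozenset((switch, p) for p in shut)
    return any(probe_returns(switch, tx, disabled) for tx in elrp_ports)

ACCESS = {1, 5}  # ELRP runs on access ports only; uplink 49 is excluded
for mode in ("ingress", "egress"):
    shut = ports_to_disable("A", ACCESS, mode, exclude={49})
    print(mode, "shuts", sorted(shut), "loop remains:", loop_remains("A", ACCESS, shut))
```

With the uplink excluded, ingress mode shuts nothing and the loop persists, while egress mode shuts only access port 5 and leaves the uplink in service.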



  • 5.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks


  • 6.  RE: Help, I need to configure elrp

    Posted 07-11-2017 18:49
    Thanks for your answer :)


  • 7.  RE: Help, I need to configure elrp

    Posted 07-12-2017 11:50
    Thanks for your answer :)


  • 8.  RE: Help, I need to configure elrp

    Posted 07-13-2017 07:09
    Happy to see egress mode is used in the field, and correctly understood. This is a nice improvement to ELRP that I have been advocating for a long time.


  • 9.  RE: Help, I need to configure elrp

    Posted 07-13-2017 07:09
    Thanks for your answer :)


  • 10.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Generally, for egress blocking, yes, enable it only on the edge ports.


  • 11.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    So best practice I should could enable ELRP blocking on edge switch access ports then on the uplinks that have LAG's to MLAGs to the cores enable egress blocking? Thanks Chad


  • 12.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    I'm not sure I fully understand. If you enable egress on ALL edge ports, and have confidence that the other ports (i.e. core and aggregation layer) are secure and will remain loop-free, you don't have to enable ELRP there. If not, then yes, you could enable ELRP on egress going to your downstream edge switches. However, any loop detected on these ports could segment the entire downstream switch from the network.

    When using ELRP at the core/aggregation layer it can make more sense to use ingress blocking with the exclude list excluding critical uplinks/downlinks.


  • 13.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Our VM environment and MLAG live on the 2 blackdiamonds and 10G DC670's that terminate to our cores. I'm thinking something could happen if hardware issue caused a loop regarding MLAG and ELRP would keep a loop from happening either by user error or by issue. Does this help? Thanks Chad.


  • 14.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Yea. I would consider VMs an "edge" port in this scenario, but some caution is needed there because you may have multiple VLANs on those links. A loop on ANY VLAN on the port would block ALL traffic. If you are okay with taking the MLAG ports down if a loop is detected, potentially segmenting downstream devices, then it can be enabled there as well.

    I guess with ELRP egress blocking you can kind of boil it down to this:
    • If you enable it, you need to be willing for that port to be completely blocked should a loop be detected based on an ELRP frame that left that port.
    • If you do not enable it on a port, that port will never be blocked if a loop is detected on that port.
    Of course, I am assuming you are disabling the ports, you don't have to disable them. You can simply log and/or trap.


  • 15.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    We've been using ELRP periodic log without blocking and our VM environment takes a hit when a loop occurs. We have multiple MLAG 20 gig uplinks to edge switches, stacked switches, DC switches, WLAN controllers and firewalls which in the past have created a loop because of hardware failure or user misconfiguration error. I believe I would rather it drop to 10G or half and still be up and working. Thanks for your help and I'm still working out the config. I wish it was a bit simpler, like seeing a diagram. The diagrams I see don't include MLAGs, LAGs, or the core where edge switching is connected to. I'm envisioning ELRP blocked on egress access ports like a 460 housing users, then exclude sharing ports to cores. Then for the cores and DC670's ELRP blocking egress on the uplinks because this would stop non-user traffic loops for HA hardware failures. Am I on the right path? Thanks.


  • 16.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Yea I think you are on the right track. Given your needs, that sounds like it is probably the best plan.


  • 17.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Thank you, and it's time to implement. I appreciate the help.


  • 18.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Chad, when you mentioned edge ports, you're talking about end stations connected to switch ports (non-trunking access ports)? Thank you


  • 19.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Chad, when you mentioned edge ports, you're talking about end stations connected to switch ports (non-trunking access ports)? Thank you


  • 20.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    Not always. Servers with multiple VLAN interfaces (i.e. trunk) could still be considered "edge". Basically any switch port not connected to a switch/router.


  • 21.  RE: Help, I need to configure elrp

    Posted 01-09-2018 20:56
    That makes sense, all our user ports trunk voice VLAN but not trunk for the data side. I appreciate the explanation.