ExtremeSwitching (EOS)

A4H124-48 loop protection.

  • 1.  A4H124-48 loop protection.

    Posted 08-02-2017 09:18

    Today I was configuring dhcpsnooping on an A4H124-48. When I ran "show neighbors" I was surprised to see that the switch is displaying itself as a neighbor device on two of its ports.

    ARHAVI_MYO_IDARI_A4-48(su)->show neighbors
    Port Device ID Port ID Type Network Address
    fe.1.5 00:25:11:04:B5:5F 00-25-11-04-B5-5F lldp
    fe.1.5 00:25:11:33:00:C5 00-25-11-33-00-C5 lldp
    fe.1.6 70:71:BC:38:BA:22 70-71-BC-38-BA-22 lldp
    fe.1.8 20b3990bea48 fe.1.9 ciscodp
    fe.1.8 20:B3:99:0B:EA:48 fe.1.9 lldp
    fe.1.9 20b3990bea48 fe.1.8 ciscodp
    fe.1.9 20:B3:99:0B:EA:48 fe.1.8 lldp
    fe.1.13 70:71:BC:38:BA:04 70-71-BC-38-BA-04 lldp
    ge.1.50 001f45d250a2 ge.1.22 ciscodp
    ge.1.50 00:1f:45:d2:50:a2 ge.1.22 cdp
    ge.1.50 00:1F:45:D2:50:A2 ge.1.22 lldp

    As you can see, it is on ports 8 and 9. Quickly running the "show mac port" command on the ports shows the switch's own MAC address. So it seems someone just plugged both ends of the same cable into ports 8 and 9.

    CPU utilization etc are normal. No one complained about bad network connectivity yet.

    Why has the device not blocked one of its ports yet? Spanning tree is enabled by default and both ports are on the same VLAN. Spanning tree LoopProtect and Spanguard are disabled, by the way. I am really surprised that the switch is now clear enough to detect a loop on itself, by default.

    So how can I prevent such an incident again?



  • 2.  RE: A4H124-48 loop protection.

    Posted 08-02-2017 10:46

    The output of "show spantree stats active" should show one of the two ports as blocked by spanning tree protocol.

    You can use spanguard to get a notification and/or disable the ports if this happens. Please see the GTAC Knowledge articles How to configure Spanguard on a SecureStack switch and Spanguard Considerations on EOS Switches.


  • 3.  RE: A4H124-48 loop protection.

    Posted 08-02-2017 10:46
    ARHAVI_MYO_IDARI_A4-48(su)->show spantree stats active
    Spanning tree status - enabled
    Spanning tree instance - 0
    Designated Root MacAddr - 00:1F:45:D2:50:A2
    Designated Root Port - ge.1.50
    Designated Root Priority - 8192
    Designated Root Cost - 20000
    Root Max Age - 20
    Root Hello Time - 2
    Root Forward Delay - 15
    Bridge ID MAC Address - 20:B3:99:0B:EA:48
    Bridge ID Priority - 32768
    Bridge Max Age - 20
    Bridge Hello Time - 2
    Bridge Forward Delay - 15
    Topology Change Count - 1
    Time Since Top Change - 2 days 2:51:32
    Max Hops - 20
    SID Port State Role Cost Priority
    --- ---------- ---------------- ----------- -------- --------
    0 fe.1.8 Forwarding Designated 200000 128
    0 fe.1.9 Discarding Backup 200000 128
    0 ge.1.50 Forwarding Root 20000 128

    OK, it seems blocked. I am confused by the output of "show port status" as it shows "Oper Status UP" and "Admin Status UP" for both ports.

    As for Spanguard, it says it is for foreign BPDU packets and won't work for its own BPDU packets.

  • 4.  RE: A4H124-48 loop protection.

    Posted 08-02-2017 10:46
    STP does not disable a port, it blocks data frames from being sent or received. STP BPDUs are still sent and received, link local protocols may be as well (e.g. LLDP or CDP). VLANs are not shown as active on a port blocked by STP ("show vlan", "show port egress").

    Spanguard should work for any BPDU received on the port, even a BPDU sent from that port and looped back via another switch with a local loop.
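
Added example, not part of any post in this thread: a Python check that automates what the first post did by eye, flagging port pairs in "show neighbors" output that list each other under the same device ID. The function names and the port-name pattern are assumptions made for this sketch; the sample rows are copied from the thread.

```python
import re
from collections import defaultdict

# Sample input: rows copied from the "show neighbors" output in the first post.
SHOW_NEIGHBORS = """\
fe.1.5 00:25:11:04:B5:5F 00-25-11-04-B5-5F lldp
fe.1.8 20b3990bea48 fe.1.9 ciscodp
fe.1.8 20:B3:99:0B:EA:48 fe.1.9 lldp
fe.1.9 20b3990bea48 fe.1.8 ciscodp
fe.1.9 20:B3:99:0B:EA:48 fe.1.8 lldp
ge.1.50 001f45d250a2 ge.1.22 ciscodp
ge.1.50 00:1F:45:D2:50:A2 ge.1.22 lldp
"""

# Assumption: port names look like fe.1.8 / ge.1.50, as in the thread's output.
PORT_RE = re.compile(r"^[a-z]+\.\d+\.\d+$")

def norm_mac(text):
    """Reduce any MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[:.\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse_neighbors(output):
    """Yield (local_port, device_mac, remote_port_id, protocol) per data row."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not PORT_RE.match(fields[0]):
            continue  # header, prompt or blank line
        mac = norm_mac(fields[1])
        if mac:
            yield fields[0], mac, fields[2], fields[3]

def find_self_loops(output, bridge_mac=None):
    """Return sorted port pairs that see each other with one device ID."""
    # bridge_mac (e.g. "Bridge ID MAC Address" from "show spantree stats
    # active") restricts the match to the switch's own address when given.
    own = norm_mac(bridge_mac) if bridge_mac else None
    seen = defaultdict(set)  # device MAC -> {(local port, remote port)}
    for local, mac, remote, _proto in parse_neighbors(output):
        if PORT_RE.match(remote) and (own is None or mac == own):
            seen[mac].add((local, remote))
    loops = set()
    for links in seen.values():
        for local, remote in links:
            if local != remote and (remote, local) in links:
                loops.add(tuple(sorted((local, remote))))
    return sorted(loops)
```

The uplink on ge.1.50 is not flagged because its remote port ge.1.22 never appears as a local port reporting back with the same device ID.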