A4H124-48 loop protection.

Hi,

Today I was configuring dhcpsnooping on an A4H124-48. When I ran "show neighbors" I was surprised to see that the switch is displaying itself as a neighbor device on two of its ports.

ARHAVI_MYO_IDARI_A4-48(su)->show neighbors
  Port       Device ID            Port ID           Type       Network Address
---------------------------------------------------------------------------------
fe.1.5      00:25:11:04:B5:5F    00-25-11-04-B5-5F lldp
fe.1.5      00:25:11:33:00:C5    00-25-11-33-00-C5 lldp
fe.1.6      70:71:BC:38:BA:22    70-71-BC-38-BA-22 lldp
fe.1.8      20b3990bea48         fe.1.9            ciscodp    192.168.14.22
fe.1.8      20:B3:99:0B:EA:48    fe.1.9            lldp
fe.1.9      20b3990bea48         fe.1.8            ciscodp    192.168.14.22
fe.1.9      20:B3:99:0B:EA:48    fe.1.8            lldp
fe.1.13     70:71:BC:38:BA:04    70-71-BC-38-BA-04 lldp
ge.1.50     001f45d250a2         ge.1.22           ciscodp    192.168.14.1
ge.1.50     00:1f:45:d2:50:a2    ge.1.22           cdp        192.168.14.1
ge.1.50     00:1F:45:D2:50:A2    ge.1.22           lldp


As you can see, it shows up on ports 8 and 9. Quickly running the "show mac port" command on those ports shows the switch's own MAC address. So it seems someone just plugged both ends of the same cable into ports 8 and 9.

CPU utilization etc are normal. No one complained about bad network connectivity yet.

Why has the device not blocked one of its ports yet? Spanning tree is enabled by default and both ports are in the same VLAN. Spanning tree LoopProtect and Spanguard are disabled, btw. I am really surprised that the switch is not clever enough to detect a loop on itself by default.

So how can I prevent such an incident again?

Regards

Rahman
Rahman Duran

Posted 11 months ago

Erik Auerswald, Embassador

Hi,

the output of
show spantree stats active
should show one of the two ports as blocked by spanning tree protocol.

You can use spanguard to get a notification and/or disable the ports if this happens. Please see the GTAC Knowledge articles How to configure Spanguard on a SecureStack switch and Spanguard Considerations on EOS Switches.

Thanks,
Erik
Rahman Duran

Hi,
ARHAVI_MYO_IDARI_A4-48(su)->show spantree stats active
Spanning tree status       - enabled
Spanning tree instance     - 0
Designated Root MacAddr    - 00:1F:45:D2:50:A2
Designated Root Port       - ge.1.50
Designated Root Priority   - 8192
Designated Root Cost       - 20000
Root Max Age               - 20
Root Hello Time            - 2
Root Forward Delay         - 15
Bridge ID MAC Address      - 20:B3:99:0B:EA:48
Bridge ID Priority         - 32768
Bridge Max Age             - 20
Bridge Hello Time          - 2
Bridge Forward Delay       - 15
Topology Change Count      - 1
Time Since Top Change      - 2 days 2:51:32
Max Hops                   - 20
 SID   Port         State              Role          Cost        Priority
 ---   ----------   ----------------   -----------   --------    --------
 0      fe.1.8       Forwarding         Designated    200000      128
 0      fe.1.9       Discarding         Backup        200000      128
 0      ge.1.50      Forwarding         Root          20000       128

Ok, it seems blocked. I am confused by the output of "show port status", as it shows "Oper Status UP" and "Admin Status UP" for both ports.

As for spanguard, it says it is for foreign BPDU packets and won't work for its own BPDU packets.
Erik Auerswald, Embassador

STP does not disable a port; it blocks data frames from being sent or received. STP BPDUs are still sent and received, and link-local protocols may be as well (e.g. LLDP or CDP). VLANs are not shown as active on a port blocked by STP ("show vlan", "show port egress").

Spanguard should work for any BPDU received on the port, even a BPDU sent from that port and looped back via another switch with a local loop.
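As an added example (not code from the thread or from Extreme Networks), the following script shows how the two outputs pasted above can be cross-checked automatically: it parses "show neighbors" and "show spantree stats active" in the format shown, flags every port whose LLDP/CDP neighbor is the switch's own Bridge ID MAC (i.e. a cable looped back into the same switch), and reports the spanning tree State/Role for each such port so you can confirm that one side is Discarding. The sample text is constructed from the thread's output; the function names and the normalisation of `20b3990bea48` versus `20:B3:99:0B:EA:48` are my own assumptions about how to compare the two Device ID spellings.

```python
# Added example: detect a self-loop from "show neighbors" plus the STP
# port table of "show spantree stats active" on an EOS (SecureStack) switch.
import re

# Constructed sample output, in the format pasted in the thread.
SHOW_NEIGHBORS = """\
  Port       Device ID            Port ID           Type       Network Address
---------------------------------------------------------------------------------
fe.1.5      00:25:11:04:B5:5F    00-25-11-04-B5-5F lldp
fe.1.8      20b3990bea48         fe.1.9            ciscodp    192.168.14.22
fe.1.8      20:B3:99:0B:EA:48    fe.1.9            lldp
fe.1.9      20b3990bea48         fe.1.8            ciscodp    192.168.14.22
fe.1.9      20:B3:99:0B:EA:48    fe.1.8            lldp
ge.1.50     00:1F:45:D2:50:A2    ge.1.22           lldp
"""

SHOW_SPANTREE = """\
Bridge ID MAC Address      - 20:B3:99:0B:EA:48
 SID   Port         State              Role          Cost        Priority
 ---   ----------   ----------------   -----------   --------    --------
 0      fe.1.8       Forwarding         Designated    200000      128
 0      fe.1.9       Discarding         Backup        200000      128
 0      ge.1.50      Forwarding         Root          20000       128
"""


def norm_mac(s):
    """Keep only lowercase hex digits so 20b3990bea48 == 20:B3:99:0B:EA:48."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def parse_neighbors(text):
    """Return (port, device_id, port_id, protocol) tuples from 'show neighbors'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(lldp|cdp|ciscodp)\b", line)
        if m:  # header and separator lines do not have a protocol column
            rows.append(m.groups())
    return rows


def parse_spantree(text):
    """Return (bridge_mac, {port: (state, role)}) from 'show spantree stats active'."""
    bridge = None
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^Bridge ID MAC Address\s+-\s+(\S+)", line)
        if m:
            bridge = norm_mac(m.group(1))
            continue
        # Port rows start with the numeric SID, then port, state, role, cost, priority.
        m = re.match(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+", line)
        if m:
            ports[m.group(1)] = (m.group(2), m.group(3))
    return bridge, ports


def find_self_loops(neigh_text, stp_text):
    """Ports whose neighbor Device ID is this switch's own bridge MAC,
    together with the STP state/role the switch assigned to that port."""
    bridge, stp = parse_spantree(stp_text)
    found = {}
    for port, dev, peer_port, _proto in parse_neighbors(neigh_text):
        if norm_mac(dev) == bridge:
            state, role = stp.get(port, ("unknown", "unknown"))
            found[port] = {"peer_port": peer_port, "state": state, "role": role}
    return found


if __name__ == "__main__":
    loops = find_self_loops(SHOW_NEIGHBORS, SHOW_SPANTREE)
    for port, info in sorted(loops.items()):
        print(f"{port} sees own bridge MAC via {info['peer_port']}: "
              f"STP {info['state']}/{info['role']}")
```

Run against the sample, it reports fe.1.8 as Forwarding/Designated and fe.1.9 as Discarding/Backup, which is exactly the situation in the thread: the loop is contained by STP even though "show port status" shows both ports as up. A port that shows up here with State "Forwarding" on both ends would be the case worth alerting on.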