ELRP with dynamically changing vlan membership

Create Date: Mar 13 2013 9:48PM

Hello Everyone,

I've been looking at ELRP to help prevent L2 loops. Our switches (one section of them) work in conjunction with a Bradford NAC system, which, based on the user's profile and settings, puts the edge port into either the production VLAN or the registration or quarantine (non-production) VLANs. ELRP, if I understand correctly, works per VLAN only, right? For instance, looping an edge port in the production VLAN with an edge port in the non-production VLAN will not cause either of the edge ports to shut down, right? My final goal is to prevent L2 loops when the VLAN membership of an edge port is constantly changing.

Is there any way to tweak this behavior of ELRP and, if not, are there any alternatives to what I'm trying to achieve?

Thanks!
(from Shashank_S Kumar)
Create Date: Mar 14 2013 1:05PM

Hey Guys,

I think I found a solution.
Just create a control VLAN for ELRP. Tag it on all ports and done. ELRP works flawlessly.
Enter these two commands:

en elrp-client
conf elrp-client periodic "control-elrp" ports 1-24 log-and-trap disable-port permanent

The log looks something like this:
03/14/2013 05:55:36.56 <Warn:ELRP.DsblPortLoopDtect> Disabling port 21. Permanent
03/14/2013 05:55:36.56 <Warn:ELRP.Report.Message> [CLI:control-elrp:14] LOOP DETECTED : 67 transmited, 3 received, ingress slot:port (21) egress slot:port (1

Simple.
Hope it helps others in a similar situation

Note:
1. When looping two edge ports on different XOS switches, ELRP disables the uplink port.
2. The "disable-port" keyword in the above config works only on XOS version 12.5 and above. For previous versions, to shut down a port you'll have to play around with UPM a little.

(from Shashank_S Kumar)
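The two ELRP events shown in the post above (ELRP.Report.Message and ELRP.DsblPortLoopDtect) are what a syslog collector would key on to see which port ELRP shut and why. The parser below is an added example for this page, not code from the thread or from Extreme; it matches the event text exactly as EXOS prints it (including the "transmited" spelling) and joins the two lines by their shared timestamp. The sample log is constructed here from the formats posted in the thread; the "loop behind port X" versus "loop between port X and port Y" reading of ingress/egress is this example's own interpretation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timestamp prefix as EXOS `show log` prints it: MM/DD/YYYY HH:MM:SS.hh
TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})"

# "transmited" (one t) is how EXOS spells it in this message; match the log as written.
REPORT_RE = re.compile(
    TS + r" <Warn:ELRP\.Report\.Message> "
    r"\[(?P<client>[^:\]]+):(?P<vlan>[^:\]]+):(?P<sid>\d+)\] LOOP DETECTED : "
    r"(?P<xmit>\d+) transmited, (?P<rcvd>\d+) received, "
    r"ingress slot:port \((?P<ingress>[\d:]+)\) egress slot:port \((?P<egress>[\d:]+)\)"
)
DISABLE_RE = re.compile(
    TS + r" <Warn:ELRP\.DsblPortLoopDtect> Disabling port (?P<port>[\d:]+)\. (?P<mode>\w+)"
)


@dataclass
class LoopEvent:
    ts: str
    vlan: str
    transmitted: int
    received: int
    ingress: str
    egress: str
    disabled_port: Optional[str] = None   # filled from the DsblPortLoopDtect line, if any
    disable_mode: Optional[str] = None    # e.g. "Permanent"

    @property
    def same_port(self) -> bool:
        # The probe came back on the port it left: the loop is behind that port (for
        # example a looped downstream switch). A different egress means the return
        # path is via another local port, e.g. two edge ports patched together or an uplink.
        return self.ingress == self.egress


def parse_elrp_log(text: str) -> List[LoopEvent]:
    """Return one LoopEvent per Report.Message line, joined to the disable line that
    carries the same timestamp (EXOS logs both with an identical timestamp)."""
    disables: Dict[str, Tuple[str, str]] = {}
    events: List[LoopEvent] = []
    for line in text.splitlines():
        m = DISABLE_RE.search(line)
        if m:
            disables[m["ts"]] = (m["port"], m["mode"])
            continue
        m = REPORT_RE.search(line)
        if m:
            events.append(LoopEvent(ts=m["ts"], vlan=m["vlan"],
                                    transmitted=int(m["xmit"]), received=int(m["rcvd"]),
                                    ingress=m["ingress"], egress=m["egress"]))
    for ev in events:
        if ev.ts in disables:
            ev.disabled_port, ev.disable_mode = disables[ev.ts]
    return events


def describe(ev: LoopEvent) -> str:
    """One-line human summary suitable for an alert body."""
    where = (f"loop behind port {ev.ingress}" if ev.same_port
             else f"loop between port {ev.ingress} and port {ev.egress}")
    action = (f"port {ev.disabled_port} disabled ({ev.disable_mode})"
              if ev.disabled_port else "no port disabled")
    return (f"{ev.ts} vlan {ev.vlan}: {where}; "
            f"{ev.received}/{ev.transmitted} probes returned; {action}")


# Constructed sample: the first two pairs copy lines posted later in this thread, the
# last line is a made-up log-and-trap-only event with no matching disable line.
SAMPLE_LOG = """\
03/20/2013 07:28:28.60 <Info:vlan.msgs.portLinkStateDown> Port 4 link down
03/20/2013 07:28:28.57 <Warn:ELRP.DsblPortLoopDtect> Disabling port 4. Permanent
03/20/2013 07:28:28.57 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 249 transmited, 162 received, ingress slot:port (4) egress slot:port (4)
03/20/2013 07:26:22.02 <Warn:ELRP.DsblPortLoopDtect> Disabling port 12. Permanent
03/20/2013 07:26:22.02 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 122 transmited, 82 received, ingress slot:port (12) egress slot:port (18)
03/21/2013 09:00:00.00 <Warn:ELRP.Report.Message> [CLI:control-elrp:14] LOOP DETECTED : 40 transmited, 5 received, ingress slot:port (3) egress slot:port (11)
"""

if __name__ == "__main__":
    for event in parse_elrp_log(SAMPLE_LOG):
        print(describe(event))
```

Feed it the output of `show log` (or the same events forwarded to a syslog server) and alert on any LoopEvent; an event with `disabled_port` unset means ELRP saw the loop but was configured for log-and-trap only, which is the state to watch for on ports that NAC keeps moving between VLANs.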
Create Date: Mar 14 2013 6:27PM

Damn, I totally forgot about 3rd party switches that users may plug in and loop.
*Sigh* back to some more testing...

(from Shashank_S Kumar)
Create Date: Mar 14 2013 7:22PM

Hey Skumar

I have a few questions to help understand the issue.

1) Why are the ports changing VLANs so much? Are you using 802.1x? If so, we may be able to use a UPM profile to launch after the VLAN is moved.
2)  ELRP should shutdown a port with a remote loop, i.e. from a 3rd party switch.  What symptom are you seeing where it isn't?
3) is the control VLAN the untagged VLAN on the port?

Thanks
P

(from Paul_Russo)
Create Date: Mar 14 2013 8:24PM

Thanks Prusso,

1. We have multiple vlans setup on the switch – production, registration, isolation and quarantine. The XOS switches are setup in conjunction with Bradford NAC. The default (not native) vlan configured on edge ports is untagged registration.

So when a student plugs into the switch, Bradford prompts the student to enter his details and register with Bradford. Once done, Bradford automatically moves the student over to the production vlan. If the student's laptop/PC health does not match set standards, then he is put into the quarantine vlan. Once the student disconnects, the port is put back into the registration vlan.

2. I tried this with a Netgear home unmanaged switch: looped the Netgear switch and connected it to the XOS switch; the port wasn't disabled.
I did not check to see if the ELRP counters changed.

3. No, the control vlan would always be tagged. The untagged vlans are registration, isolation, etc.

I'll test this again and see what comes up.

Thanks in advance for your help!!

(from Shashank_S Kumar)
Create Date: Mar 15 2013 5:31PM

Hey Prusso,

With a remote looped switch plugged in my XOS switch, I see that the ELRP counters are increasing, but no action seems to be taken.
The packets received counter is not increasing though.

* X250e-24p.16 # sh elrp

ELRP Standalone Client:       Enabled

Number of ELRP sessions:          1
Number of ELRP pkts transmitted:  92
Number of ELRP pkts received:     0

                                                Pkts     Pkts            Disable
Client  Vlan        Ports  Int.    Count Cyclic Xmit     Rcvd     Action Port (sec)
--------------------------------------------------------------------------------
CLI     control-elrp 1-24  1        0     Yes    92        0         LT    Perm    
--------------------------------------------------------------------------------
Action : (P) Print , (L) Log , (T) Trap , (C) Callback
(from Shashank_S Kumar)
Create Date: Mar 16 2013 11:12PM

Hey skumar

This came across a little off, but I see the packets that are transmitted but none received, which means that the switch isn't getting them back. Is the remote switch tagged for this VLAN?

If Default is untagged on this port try it with the untagged VLAN.

P

(from Paul_Russo)
Create Date: Mar 18 2013 4:12PM

Hey Prusso,

The remote switch is an unmanaged Netgear switch for home use.
I configured a port with untag control-elrp vlan and after that added the default vlan untagged to the same port. ELRP did not detect loops in both the instances.
I was wondering, since the ELRP transmit counter is increasing, if there would be a way to detect these specific ELRP transmit logs and wire a UPM for it? Would you happen to have or know where I could find a message decoder - similar to the one that's available for ExtremeWare?

(from Shashank_S Kumar)
Create Date: Mar 19 2013 7:27PM

Hey Skumar

So the Netgear has all ports untagged and in the same VLAN, correct? You then take one port on the switch and assign the control VLAN to that port untagged with ELRP enabled on that port, correct? That should work without any issue. What I don't understand is the comment that you add the default to the port untagged. Are you saying that you removed the control VLAN then added the default VLAN? You cannot have two untagged VLANs on a port.

Can you please do the following commands and post the output of the config here for me to test?
Disable CLIP  < this just disables the CLI paging so you won't have to hit the space bar.

<set up your emulator to capture all of the output>
type show config.

After you have the file upload it to the post.  You can then enable clip.

Thanks
P

Also what version of code are you running?

(from Paul_Russo)
Create Date: Mar 19 2013 9:31PM

Hey Prusso,

Yes, the Netgear unmanaged switch presumably has all ports untagged on the same vlan. The control-elrp vlan is tagged on all ports with elrp enabled. This is because in the live network, the Bradford NAC device constantly moves ports untagged in various vlans - production, registration, housing, etc. My test switch is set up to mimic the live environment.

My comment about control-vlan and default vlan is that I tried untagging control-elrp on a port, say port 24, tried looping it with a remote loop on netgear and observed elrp not catching the loop. Next I removed control-elrp from port 24 and untagged port 24 with the default vlan under the assumption that the remote netgear probably also passes traffic untagged/default/native to my XOS switch. Even in this scenario, elrp did not catch the loop and did not disable port 24.
Confusing, but hope it makes sense ? :)
The firmware we are using is 12.5.1.6 on the primary (active) partition and 12.3.3.6 on the secondary.

Attaching the configuration as requested.
Also attaching the XOS message decoder since I mentioned it earlier.

Btw, I greatly appreciate you taking the time and effort to answer my questions and help me.
Thanks!

Unable to attach files to ethernation.
Please download them here:
http://wikisend.com/download/708340/c...
http://wikisend.com/download/276684/E...


(from Shashank_S Kumar)
Create Date: Mar 20 2013 2:39PM

Hey Skumar

I did some testing on both 12.5.12.6 as well as on 15.1.3.4.  In my test I used a Summit x250 in default configuration where I used the default VLAN which is untagged on all ports.  I then enabled elrp and configure elrp-client periodic Default ports all interval 1 log-and-trap disable-port permanent.

I replicated connecting to a switch that did not know about ELRP. In my case I was using a Summit 300 with EDP and ELRP turned off.

If I had the edge switch connected prior to starting the loop, ELRP caught it. There were two times it didn't catch it, but I believe that it was because I was moving the connection to a new port and starting the loop very quickly. See results below.

X250e-24t.3 # sh log
03/20/2013 07:28:33.63 <Info:vlan.msgs.portLinkStateUp> Port 2 link UP at speed 100 Mbps and full-duplex
03/20/2013 07:28:28.60 <Info:vlan.msgs.portLinkStateDown> Port 4 link down
03/20/2013 07:28:28.57 <Info:vlan.dbg.info> Toggling AdminState on Port 1:4
03/20/2013 07:28:28.57 <Warn:ELRP.DsblPortLoopDtect> Disabling port 4. Permanent
03/20/2013 07:28:28.57 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 249 transmited, 162 received, ingress slot:port (4) egress slot:port (4)
03/20/2013 07:28:20.87 <Info:vlan.msgs.portLinkStateUp> Port 4 link UP at speed 100 Mbps and full-duplex
03/20/2013 07:28:14.58 <Info:vlan.msgs.portLinkStateDown> Port 8 link down
03/20/2013 07:28:14.50 <Info:vlan.dbg.info> Toggling AdminState on Port 1:8
03/20/2013 07:28:14.49 <Warn:ELRP.DsblPortLoopDtect> Disabling port 8. Permanent
03/20/2013 07:28:14.49 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 235 transmited, 88 received, ingress slot:port (8) egress slot:port (8)
03/20/2013 07:26:30.25 <Info:vlan.msgs.portLinkStateUp> Port 8 link UP at speed 100 Mbps and full-duplex
03/20/2013 07:26:22.08 <Info:vlan.msgs.portLinkStateDown> Port 12 link down
03/20/2013 07:26:22.02 <Info:vlan.dbg.info> Toggling AdminState on Port 1:12
03/20/2013 07:26:22.02 <Warn:ELRP.DsblPortLoopDtect> Disabling port 12. Permanent
03/20/2013 07:26:22.02 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 122 transmited, 82 received, ingress slot:port (12) egress slot:port (18)
03/20/2013 07:26:22.00 <Info:vlan.msgs.portLinkStateUp> Port 12 link UP at speed 100 Mbps and full-duplex
03/20/2013 07:26:14.63 <Info:vlan.msgs.portLinkStateDown> Port 18 link down
03/20/2013 07:26:14.51 <Info:vlan.dbg.info> Toggling AdminState on Port 1:18
03/20/2013 07:26:14.50 <Warn:ELRP.DsblPortLoopDtect> Disabling port 18. Permanent
03/20/2013 07:26:14.50 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 115 transmited, 1 received, ingress slot:port (18) egress slot:port (18)
03/20/2013 07:25:18.38 <Info:HAL.Sys.Info> Input voltage to Internal Power Supply power supply is on. Output enabled.
03/20/2013 07:25:18.38 <Info:HAL.Sys.Info> Internal Power Supply power supply is present.
03/20/2013 07:24:39.17 <Info:AAA.authPass> Login passed for user admin through serial
X250e-24t.4 # sh log
03/20/2013 07:30:14.67 <Info:vlan.msgs.portLinkStateDown> Port 1 link down
03/20/2013 07:30:14.52 <Info:vlan.dbg.info> Toggling AdminState on Port 1:1
03/20/2013 07:30:14.52 <Warn:ELRP.DsblPortLoopDtect> Disabling port 1. Permanent
03/20/2013 07:30:14.52 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 355 transmited, 188 received, ingress slot:port (1) egress slot:port (1)
03/20/2013 07:30:04.63 <Info:vlan.msgs.portLinkStateUp> Port 1 link UP at speed 100 Mbps and full-duplex
03/20/2013 07:29:58.62 <Info:vlan.msgs.portLinkStateDown> Port 5 link down
03/20/2013 07:29:58.50 <Info:vlan.dbg.info> Toggling AdminState on Port 1:5
03/20/2013 07:29:58.50 <Warn:ELRP.DsblPortLoopDtect> Disabling port 5. Permanent
03/20/2013 07:29:58.50 <Warn:ELRP.Report.Message> [CLI:Default:1] LOOP DETECTED : 339 transmited, 163 received, ingress slot:port (5) egress slot:port (5)
03/20/2013 07:29:08.47 <Info:vlan.msgs.portLinkStateUp> Port 5 link UP at speed 100 Mbps and full-duplex
03/20/2013 07:29:05.88 <Info:


If the loop was already going then my results were sporadic which I would expect as the port util was at 100% on the port to the looped switch.

I hope this helps let me know if you do more testing and whether you are starting the loop after the connection is created or before.

Thanks
P

(from Paul_Russo)
Create Date: Mar 27 2013 2:47PM

Hey Prusso,

But in my scenario, we have multiple vlans in a switch and the vlan membership of a port changes dynamically. Which is why I created a dummy vlan called 'control-elrp' and tagged it on all ports.
Anyways, here's what I did:
1. Upgraded my switch to 15.1.3.4
2. Created a dummy vlan called 'control-elrp' and tagged it on all ports 1-24
3. Created a bunch of dummy vlans - prod, reg, quarantine
4. Untagged ports 1-5 on prod, 6-11 on reg, 12-17 on quarantine

Test:
1. Loop port 1 and 2, elrp works fine
2. Loop port 3 and port 11 - elrp works just fine, since both these ports have a common tagged vlan
3. Loop a remote switch (ExtremeWare, unmanaged home switch, etc) and then connect to XOS switch running elrp. This is where elrp does not catch the loop.
4. Tagged default vlan on ports 1-24 and tried connecting to remote switch, elrp did not catch the loop
5. Undid the prior config, added default vlan untagged to all the ports and then tried catching  a remote loop - elrp worked when the remote switch was ExtremeWare, but not when the remote switch was a netgear home unmanaged switch.

I guess i'll have to skip ELRP for what I'm trying to achieve. I'll look into something else and post it here when I have a solid working config.
Meanwhile, if anyone has any suggestions, please do let me know.

Thanks for all your help thus far Prusso!
(from Shashank_S Kumar)
Create Date: Mar 27 2013 6:32PM

Hey Skumar

ELRP will not work when your control VLAN is tagged on the port. The reason is that the switch, Netgear for example, will not have that VLAN tagged on the port to the Extreme switch. The ELRP packet is going out with an 802.1Q tag on it but the remote switch will not understand the tag and will drop the packet on its port. Since the packet is dropped it will not be looped back to Extreme. Whenever you have more than one VLAN on a port then you need to have a control VLAN that is untagged. This is the same for STP as well, as it is a tag issue.

How are the ports being moved into the VLAN? 802.1x? If so then we may be able to launch an IDM or UPM profile to enable elrp on that port for the VLAN that it gets added to.

As for it working on ExtremeWare versus netgear there should be no difference if the VLAN is untagged and the switches have all ports on the same VLAN.

Hope that helps to clear some things up.

P

(from Paul_Russo)
Create Date: Mar 27 2013 7:19PM

Thanks Prusso,

Yes, that makes sense.
We have a Bradford NAC system that works in conjunction with XOS switches. Each time a student connects to the XOS switch, relevant SNMP traps are sent to the NAC. Based on these traps and the student's info, the NAC moves the edge port to either a production vlan, a registration vlan or a quarantine vlan.
A UPM profile for something like this would be cool. What log would we be able to send the UPM profile? The 'ELRP.Report.Message' event seems to only get generated when a loop is detected. Is there any way that I can modify this behavior and generate a log when the ELRP transmit packet count increases? Is there a way to "create" my own syslog event?
I have no experience with IDM. Is there a separate license for IDM or does it just need to be enabled on Ridgeline?

I came across broadcast storm control app https://xkit.extremenetworks.com/app/...; any idea what this is?
I'll look into this as well.

Edit: I noticed this syslog today:

03/27/2013 13:45:11.96 Our own packet received. Mac address of the received packet is [0:4:96:35:75:d4],there could be physical loop in the network

I wonder if I could modify this syslog to read the FDB table and give me the port number on which the MAC address is received?
(from Shashank_S Kumar)
Create Date: Mar 28 2013 12:33PM

Hey skumar


We should be able to. We can filter on this message and, if the MAC is a variable, we can run the command to do a show FDB on the MAC address and find the port. I would need to try and reproduce this and see if the UPM will work. I am out until next Wed so I may not have anything

let me see what we can do.

(from Paul_Russo)
Create Date: Mar 28 2013 2:58PM

Thanks Prusso,

In my previous post, I somehow missed posting the syslog event.

It was an IPMC.Warning event

03/27/2013 13:45:11.96 <Warn:IPMC.Warning> Our own packet received. Mac address of the received packet is [0:4:96:35:75:d4],there could be physical loop in the network

(from Shashank_S Kumar)
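The approach Paul sketches above (filter on the IPMC.Warning event, pull the MAC out of it, look the MAC up in the FDB to get the port) is easy to get wrong on one detail: EXOS prints the MAC in that event without zero padding (0:4:96:35:75:d4), while the FDB shows it padded (00:04:96:35:75:d4), so a naive string match never hits. The script below is an added example for this page, not code from the thread or from Extreme, meant to run off-box on a syslog collector that can also fetch `show fdb` output from the switch. The log line is the one posted above; the `show fdb` table and its column layout are constructed here as an assumption about EXOS output, so adjust the row regex to what your firmware actually prints.

```python
import re
from typing import Dict, Optional

# The event text as posted in the thread (EXOS prints the MAC unpadded).
OWN_PKT_RE = re.compile(
    r"<Warn:IPMC\.Warning> Our own packet received\. "
    r"Mac address of the received packet is \[(?P<mac>[0-9A-Fa-f:]+)\]"
)

# One data row of `show fdb`: MAC, VLAN(tag), age, flags, port. The column layout is an
# assumption modelled on EXOS output; the header, separator and legend lines do not match.
FDB_ROW_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\s+(?P<vlan>\S+)\s+(?P<age>\d+)"
    r"\s+(?P<flags>[A-Za-z]+(?: [A-Za-z]+)*)\s+(?P<port>\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so '0:4:96:35:75:d4' and '00:04:96:35:75:D4' compare equal."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


def own_packet_mac(log_line: str) -> Optional[str]:
    """Return the normalised MAC from an 'Our own packet received' event, else None."""
    m = OWN_PKT_RE.search(log_line)
    return normalize_mac(m["mac"]) if m else None


def parse_fdb(show_fdb_output: str) -> Dict[str, Dict[str, str]]:
    """Map normalised MAC -> {vlan, flags, port} from captured `show fdb` text."""
    table: Dict[str, Dict[str, str]] = {}
    for line in show_fdb_output.splitlines():
        m = FDB_ROW_RE.match(line.strip())
        if m:
            table[normalize_mac(m["mac"])] = {
                "vlan": m["vlan"], "flags": m["flags"], "port": m["port"]}
    return table


def locate_loop_source(log_line: str, show_fdb_output: str) -> Optional[Dict[str, str]]:
    """Resolve the MAC in the warning to the FDB entry (and so the port) it was learned on."""
    mac = own_packet_mac(log_line)
    if mac is None:
        return None
    entry = parse_fdb(show_fdb_output).get(mac)
    return dict(entry, mac=mac) if entry else None


# Sample input: the log line is copied from the post above; the FDB dump is constructed.
SAMPLE_LOG_LINE = ("03/27/2013 13:45:11.96 <Warn:IPMC.Warning> Our own packet received. "
                   "Mac address of the received packet is [0:4:96:35:75:d4],"
                   "there could be physical loop in the network")

SAMPLE_FDB = """\
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
00:04:96:35:75:d4    control-elrp(4000) 0000 d m           7
00:1b:21:0a:0b:0c    prod(0010)    0012 d m           3

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
"""

if __name__ == "__main__":
    hit = locate_loop_source(SAMPLE_LOG_LINE, SAMPLE_FDB)
    print(hit)   # {'vlan': 'control-elrp(4000)', 'flags': 'd m', 'port': '7', 'mac': '00:04:96:35:75:d4'}
```

Whether the switch's own MAC actually shows up in the FDB on the ingress port after a loop, rather than staying on its static CPU entry, is platform behaviour this example assumes rather than something the thread confirms; check it on a lab switch before wiring the result into an automatic `disable port`.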
Create Date: Mar 28 2013 8:23PM

thanks Skumar I will look into this and see what the profile could look like.

Also when Bradford changes the port assignment does it create a log entry?  If so can you send me what that looks like?

Thanks
P

(from Paul_Russo)
Create Date: Apr 1 2013 2:37PM

Logs on the switches you mean?
This is all I see:

03/27/2013 08:47:39.18 <Info:AAA.logout> Slot-1: User bf-nac logout from telnet (172.28.3.250)
03/27/2013 08:47:37.77 <Info:AAA.authPass> Slot-1: Login passed for user bf-nac through telnet (172.28.3.250)
03/27/2013 08:47:27.23 <Info:AAA.logout> Slot-1: User bf-nac logout from telnet (172.28.3.250)

Would it help if I turned on syslogging for "cli.logLocalCmd" and "cli.logRemoteCmd" events?

Or do you mean logs on the Bradford server?

(from Shashank_S Kumar)
Create Date: May 14 2013 2:22PM

Any new updates? I am looking at this as well. Trying to test it out in my lab. Will let you know what I come up with!

(from Michael_Lunde)

Matt Myers

Funny how the EXOS implementation of this is really poor in my opinion. I too have fought with how to handle this as a Partner installing in many installations. I also install Cisco. In Cisco (to prevent loops) you enable spanning-tree portfast and done. If you change the port to a trunk (tagged) port, it automatically disables portfast. Cisco is all automatic. In EXOS you have to reinvent some ridiculous method or accept the shortcomings of ELRP. The fact that someone in this post asked why you would want to change vlans often is a null point. Customers need vlans changed on ports all the time. The switches need a better way to handle these port changes. Writing complex scripts etc... is not even near a good solution when Cisco had this handled well over a decade ago. It's going to be that 1% of the time where ELRP did not offer protection (because of vlan changes) that the whole network will be brought to its knees.

EtherMAN, Embassador

Matt, I certainly don't want to start a post war about this, but for me and our staff I much prefer having to set a switch up as I want and according to my needs and network design. I cannot tell you, as a service provider which is all Purple and most of my clients are Cisco, how many outages they have had due to the fact that portfast and BPDU protection are enabled by default on their WAN-facing ports where we are handing services off. Nothing like their port on their remote site going into error-disable due to this being enabled and not adjusted to come back up. Too many network support calls and then the poor customer's network guy having to drive to that remote site due to his port being shut down by this "feature". I like having the control over when I want ELRP on or off and on what vlan.

I am not saying what you are asking for is bad or not a better way of doing things, but I am saying that for us we like the way it is and don't like portfast and BPDU protection... Don't like spanning tree being enabled every time you build a vlan. Of course we live in a world that is much more mixed on how folks use our service and what is plugged into our Extreme switches than most folks on this forum....

Matt Myers

Sure, I see your point and have run into the scenario you pointed out regarding the WAN connection. Always best on Cisco to do "spanning-tree bpdufilter enable" for the WAN-facing port. With Cisco you end up with loops when switch software wigs out in rare cases. With Extreme you end up with a loop because a network admin forgot to update the elrp config when a vlan change was made. My experience is that the network admin will forget to update the elrp config many more times than a software failure will occur. I just wish Extreme had a better implementation of loop prevention/auto configuration.

Grosjean, Stephane, Employee

Hi,

I wanted to point out that 22.2 introduced: "Extreme Loop Recovery Protocol (ELRP) on Dynamic VLANs"

Starting with ExtremeXOS 22.2, ELRP supports dynamically created VLANs created by:
• NetLogin
• Extreme Network Virtualization (XNV)
• Multiple Registration Protocol (MVRP)

Erik Auerswald, Embassador

As far as I could get ELRP on dynamic VLANs to work, it just allows you to statically configure ELRP on all ports of a switch where an already existing VLAN may be dynamically assigned, and have ELRP automatically started/stopped whenever one of those specific VLANs is dynamically assigned to/removed from one of the ELRP-configured ports.

This still needs manual configuration to add ELRP to the VLAN, there is no setting to automatically add ELRP to all VLANs on a set of ports (usually the front ports).

Additionally, for each port that is not yet dynamically assigned to a VLAN (because you are still configuring the switch and it is not yet in use), ELRP will issue a warning. But this is just a warning; the configuration is applied regardless.

Thanks,
Erik