Looping/Flooding issue + 1Gb/10Gb

  • Problem
  • Updated 4 months ago
  • Solved
Need recommendations on how to fix an issue with looping or flooding, likely due to 2 Ethernet Bridges on the same network.

On a network we are currently setting up, we have a Cisco switch, 2 Extreme switches, and a Sophos UTM Ethernet Bridge (2 ports on a UTM are bridged together, essentially creating another 2-port switch inside the UTM).

The Cisco switch is the 'old network' and is currently unplugged from the Extreme switches (the 'new network'). But plugging this into the 'new network' caused us to notice the amplification issues.

The 2 Extreme switches are set up independently. Not stacked.
They have 1 cable connecting the two Extreme switches together.

The 2-port bridge on the UTM has 1 port connected to Extreme1, and other port connected to Extreme2.

With this setup, the lights on both Extreme switches show constant activity.  Unplugging 1 of the 2 ports from the UTM seems to 'fix' the issue.  Also, as mentioned previously, with this setup also plugged into the Cisco 'old network', the lights on the Cisco showed constant activity and network issues occurred.

It seems like a possibly logical 'fix' would be to just use the UTM bridge to connect the two Extreme switches together (eliminating the cable connecting the 2 Extreme together). The issue here, though, is that the UTM ports are 1Gb speed, whereas the Extreme switches are 10Gb.
If we did this, the hardware connected between the two switches would be limited to 1Gb speed. This also brings up a side question, which is with the current setup, how is the speed to use determined, or how does it know which path to use? Can we force 10Gb speeds somehow (bypassing the 1Gb UTM ports unless going to something on the UTM)?
jice

Posted 4 months ago
Robert Cummins
I assume you are using the switches as L2 and not L3 devices and that the UTM and Extreme ISL are on the same VLAN correct?

While I am not familiar with the Sophos bridge, Ethernet bridges generally take packets from one side of the bridge and forward them to the other side of the bridge. A switch takes an Ethernet broadcast packet and forwards it to all ports in the VLAN.

Let's say you have the Extreme ISL on port 1 of both switches and the Sophos connected to port 2 on both switches. Now let's say you have a broadcast packet on Extreme switch 1. The packet is pushed to all ports in the VLAN, including port 1 and port 2. The Extreme switch 2 receives the broadcast packet from Extreme switch 1 on port 1 and forwards it out all ports... including port 2, which is the Sophos device. Extreme switch 2 also receives the same broadcast packet on port 2 from the Sophos device, which it will forward to all ports including port 1 which goes to Extreme switch 1.

Back on the first Extreme switch we receive a broadcast packet from the Sophos on port 2.... which we send to all ports in the VLAN including the ISL on port 1... and we also receive a broadcast packet on the ISL...which we forward to all ports in the VLAN including port 2...

See what's happening? When you remove either the Sophos connection or the ISL, you break the loop; switches don't forward broadcast packets over ports on which they received a broadcast packet so there's no loop/ringing of the packet.

What's the purpose of the Sophos in this network?   
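Robert's walkthrough above, turned into a small simulation. This is an added example, not code from the thread or from any vendor: the topology is constructed from the posts (port 1 on each Extreme is the ISL, port 2 on each Extreme goes to one side of the Sophos UTM, which is modelled as the two-port switch jice describes), and every device floods a broadcast out all ports except the one it arrived on.

```python
"""Simulate Layer 2 broadcast flooding over the three-device topology from the thread.

Added example, not code from the thread or from any vendor.  Topology is constructed
from the posts: port 1 on each Extreme is the ISL, port 2 on each Extreme goes to one
side of the Sophos UTM bridge, and port 10 stands in for an access port with a host.
"""
from collections import defaultdict, deque


def build_topology(include_utm=True, include_isl=True):
    """Return {device: {port: (neighbour_device, neighbour_port) | None}}."""
    links = []
    if include_isl:
        links.append((("Extreme1", 1), ("Extreme2", 1)))
    if include_utm:
        links.append((("Extreme1", 2), ("UTM", 1)))
        links.append((("Extreme2", 2), ("UTM", 2)))
    ports = defaultdict(dict)
    for (dev_a, port_a), (dev_b, port_b) in links:
        ports[dev_a][port_a] = (dev_b, port_b)
        ports[dev_b][port_b] = (dev_a, port_a)
    # Access ports: a host hangs off them, no further switch, so floods stop there.
    ports["Extreme1"][10] = None
    ports["Extreme2"][10] = None
    return ports


def flood(ports, origin, max_hops=20):
    """Flood one broadcast from `origin`; return {hop_count: frames seen at that hop}.

    Every device floods a broadcast out all ports except the ingress port (a transparent
    bridge never has a forwarding entry for the broadcast address).  Ethernet has no TTL,
    so `max_hops` is only a cut-off for the simulation: without a loop the flood dies out
    on its own; with a loop it runs until we stop counting.
    """
    per_hop = defaultdict(int)
    queue = deque([(origin, None, 0)])  # (device, ingress port, hops so far)
    while queue:
        dev, ingress, hops = queue.popleft()
        per_hop[hops] += 1
        if hops >= max_hops:
            continue
        for port, neighbour in ports[dev].items():
            if port == ingress or neighbour is None:
                continue
            next_dev, next_port = neighbour
            queue.append((next_dev, next_port, hops + 1))
    return dict(per_hop)


def still_circulating(per_hop, max_hops=20):
    """Copies of the frame still alive at the cut-off; anything above zero means a loop."""
    return per_hop.get(max_hops, 0)


if __name__ == "__main__":
    for label, kwargs in (("ISL + UTM bridge", {}),
                          ("ISL only", {"include_utm": False}),
                          ("UTM bridge only", {"include_isl": False})):
        result = flood(build_topology(**kwargs), "Extreme1")
        print(f"{label}: frames={sum(result.values())} "
              f"still circulating after 20 hops={still_circulating(result)}")
```

With all three links in place, every broadcast leaves two copies of itself circulating for good (one per direction around the ring), and each new broadcast adds two more; that accumulating traffic is the constant link activity on both Extreme switches. Remove either the ISL or one UTM port and the same flood is over after one or two hops.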
Sushruth Sathyamurthy, Employee
As mentioned above, it looks like you are encountering a classic loop scenario if the VLANs are present in all connections you have in your network. You can use STP, which should help you to prevent these loops.

Here is an article that should help you configure this in Extreme -
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RSTP-in-EXOS
jice
Thanks, all, for the help!

There is currently only 1 VLAN.  So the classic loop makes sense.

The Sophos connects devices out to the internet. Since we have 2 Extreme switches, it seemed that an Ethernet bridge was the only thing that made sense. Otherwise the Sophos would need 2 internal IP addresses. Or, it would only be connected to 1 Extreme switch (and if that switch dies, we lose connectivity to the other Extreme).
It is possible that we may need a different setup here.  But I have so far not found how else we can connect two ports on the Sophos and only use 1 internal IP address.

I kind of gathered that STP was the 'fix', but wanted to hear it from the experts first :-)
Is there any difference between RSTP and STP?
Any caveats to enabling STP on the Extreme switches?

Also, the Sophos has an option to enable STP there as well.  Do we need to enable STP on both the Sophos & the 2 Extreme switches?  Or does this cause any potential issues?
Any idea if the Cisco needs to be aware of STP also?  That is connected to the same VLAN but through the Sophos.

Sorry for all the follow up questions!
Sushruth Sathyamurthy, Employee
RSTP has a faster convergence time than STP. STP must be enabled on all the ports/VLANs that are in the ring topology. If the Cisco switches also have the same VLANs available on all the ports, then it looks like you will need to enable it there as well.
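To show what the STP recommendation does to jice's side question about which path the traffic takes, here is a simplified RSTP root election and port-role computation over the thread's topology. This is an added example, not code from the thread or from Extreme's documentation. Bridge priorities and MAC addresses are constructed; the path costs are the IEEE 802.1t defaults (10 Gb/s = 2000, 1 Gb/s = 20000), which is what decides that the 1 Gb UTM path, not the 10 Gb ISL, is the one that gets blocked.

```python
"""Simplified RSTP root election and port-role computation for the thread's topology.

Added example, not from the original thread or from Extreme's documentation.
Bridge priorities and MAC addresses are constructed; path costs are the IEEE 802.1t
defaults (10 Gb/s = 2000, 1 Gb/s = 20000), which is what makes the 10 Gb ISL win.
"""
import heapq

PATH_COST = {10_000: 2_000, 1_000: 20_000, 100: 200_000}  # link speed (Mb/s) -> port path cost


def spanning_tree(bridges, links):
    """Compute the RSTP active topology.

    bridges: {name: (priority, mac)}                       bridge ID is (priority, mac), lowest wins
    links:   [(dev_a, port_a, dev_b, port_b, speed_mbps)]  point-to-point segments
    Returns (root, root_path_cost_by_bridge, roles) where roles maps (bridge, port) to
    'root', 'designated' or 'alternate'; alternate ports are the ones RSTP blocks.
    """
    bid = dict(bridges)
    root = min(bid, key=bid.get)
    adj = {b: [] for b in bid}
    for a, pa, b, pb, speed in links:
        cost = PATH_COST[speed]
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Dijkstra keyed on (root path cost, upstream bridge ID, upstream port ID): the same
    # order RSTP uses to rank competing BPDUs, so ties resolve the way the protocol does.
    best = {root: (0, bid[root], 0)}
    root_port = {}
    pq = [(best[root], root)]
    while pq:
        key, dev = heapq.heappop(pq)
        if key != best[dev]:
            continue  # stale heap entry
        for port, nbr, nbr_port, link_cost in adj[dev]:
            cand = (key[0] + link_cost, bid[dev], port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                root_port[nbr] = nbr_port  # the port on which nbr hears the best BPDU
                heapq.heappush(pq, (cand, nbr))

    # Per segment, the bridge with the lower (root path cost, bridge ID) is designated.
    # The other end is either that bridge's root port or an alternate (blocked) port.
    roles = {}
    for a, pa, b, pb, _ in links:
        if (best[a][0], bid[a]) < (best[b][0], bid[b]):
            des, dport, oth, oport = a, pa, b, pb
        else:
            des, dport, oth, oport = b, pb, a, pa
        roles[(des, dport)] = "designated"
        roles[(oth, oport)] = "root" if root_port.get(oth) == oport else "alternate"
    return root, {d: best[d][0] for d in best}, roles


def blocked_ports(roles):
    """Return the (bridge, port) pairs RSTP would put into the discarding state."""
    return sorted(bp for bp, role in roles.items() if role == "alternate")


# Constructed topology from the thread: port 1 on each Extreme is the 10 Gb ISL,
# port 2 on each Extreme goes to one side of the Sophos UTM bridge (1 Gb).
LINKS = [
    ("Extreme1", 1, "Extreme2", 1, 10_000),
    ("Extreme1", 2, "UTM", 1, 1_000),
    ("Extreme2", 2, "UTM", 2, 1_000),
]

# Default priorities everywhere: the lowest MAC (Extreme1 here) becomes root.
DEFAULT_PRIORITIES = {
    "Extreme1": (32768, "00:00:00:00:00:01"),
    "Extreme2": (32768, "00:00:00:00:00:02"),
    "UTM":      (32768, "00:00:00:00:00:03"),
}

# The caveat: if the UTM wins the root election, the 10 Gb ISL is what gets blocked.
UTM_AS_ROOT = {**DEFAULT_PRIORITIES, "UTM": (4096, "00:00:00:00:00:03")}


if __name__ == "__main__":
    for label, prios in (("Extreme1 as root", DEFAULT_PRIORITIES), ("UTM as root", UTM_AS_ROOT)):
        root, costs, roles = spanning_tree(prios, LINKS)
        print(f"{label}: root={root} costs={costs} blocked={blocked_ports(roles)}")
```

With an Extreme switch as root, the only port that ends up blocked is the UTM's second port: the two switches keep talking over the 10 Gb ISL, and hosts on Extreme2 reach the UTM through Extreme1, so nothing other than UTM-bound traffic ever crosses a 1 Gb port. The same computation with the UTM holding the lowest bridge ID blocks Extreme2's ISL port instead, which would push all switch-to-switch traffic through the 1 Gb UTM; so when enabling STP on the Sophos as well, give one of the Extreme switches the lower bridge priority so it wins the root election. If the Sophos does not run STP at all it is transparent to BPDUs, and the Extremes simply see a second, slower link between themselves, which RSTP blocks on the same cost basis.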