Preventing inadvertent loops

  • 0
  • 1
  • Question
  • Updated 4 years ago
Create Date: Oct 4 2012 2:34AM

We are currently using EAPS (with spatial reuse) and VRRP in our environment and are looking to possibly move to MLAG (maybe two-tier). EAPS does a great job when it comes to loop protection but that is on dedicated trunks/uplinks. What about edge/access ports. But cabling is a mess in my environment and I have had instances where people have used hubs and created loops using access layer ports both on same switches and between switches where VLANs are spanned across. On the older Extremeware based boxes, I used to use lbdetect which helped to an extent. Can you please advise on how best to go about preventing these pesky loops that can be triggered inadvertently using hubs and access ports. The devices at the other end could be Extreme or non-Extreme devices. Couple of suggestions:

1. ELSM and ELRP - I am guessing these are generally used on uplinks and not access ports.
2. CFM - can this be put to good use although I am pretty sure this is not what it is intended for
3. Can I possibly use MAC-address lockdown restricting MAC count to just 1.
4. Does it boil down to doing structured cabling and enabling ports and completing vlan assignment on an "on demand" basis. Tks for the help.

(from Anush_Santhanam)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb

Posted 4 years ago

  • 0
  • 1
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Oct 4 2012 11:16AM

Hello ExcaliburI am assuming that these loops occurs on XoS based switches and not on the older EW switches. With that assumption there is no doubt that I would use ELRP to protect the edge ports. ELRP has changed a lot from EW where it can actually disable ports where before it was only able to notify of a loop. You can disable them permanently or set a time period where it would disable ports for 30 seconds, for example, and then bring the port back up. If the loop continues the port will go back down for another 30 seconds. Depending on which version of code you are using, needs to be 12.5 or higher you can mark the uplink ports so that if there is a loop between switches ELRP will block the edge and not the uplink ports.Finally ELRP will detect remote loops as well as direct loops. So if there is a loop at an edge switch ELRP will will detect it and disable the port.Let me know if this helps.P

(from Paul_Russo)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Oct 9 2012 3:29AM

Great help with this. A couple of questions if I may:

1. Is it mandatory to bundle ELRP with ESRP or can it be used as a standalone protocol
2. Again, I will be protecting the uplinks (switch to switch P2P) through EAPS. My interest is in the edge ports which you have clarified that this will help.
3. Since this is Extreme proprietary, how about in cases where I may have a non Extreme switch inadvertently hooked up (edge port to edge port - single vlan in access mode not tagged).
4. Lastly, can ELRP be used with M-LAG. I know that it is recommended that you do not use ELSM.

Can you please advise. Thank you again for the time and effort.

(from Anush_Santhanam)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Oct 9 2012 3:56PM

Hey Excalibur

No it is not mandatory to use both ELRP and ESRP.  When ESRP is used in the core they do have hooks that make the overall solution better but they are independent protocols.

If you have two stacks or switches in the same closet that are connected to one another and both then have a link to the core it is important to run ELRP only on the links that connect the two together if there is a chance of looping ports on both switches/stacks.  So for example if you connect a l2 switch on port 1 on switch 1 and port 1 on switch 2.  ELRP will see the loop and will disable the edge ports.  If you do not have ELRP on the link between the two then you will not see the loop.  You configure ELRP to ignore uplink ports and you only want it on the ports directly connecting the two switches/stacks.

The nice thing with ELRP is that it is proprietary.  The edge switch will see the packet as a normal packet and forward it back up.  ELRP can see the remote loop and disable the ports.  In some cases when using STP the remote switch may try and process the BPDU packet which in cases of a loop can mean that the packet is dropped (High CPU) and the edge switch will not see the BPDU come back and can open up the port.

No do not sue any other blocking technology with MLAG. 

Hope this helps

P

(from Paul_Russo)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 6 2012 4:53PM

Thank you so much for this. I will try out ELRP in my lab environment. One question. Would you suggest using ELRP or possibly STP with edge safeguard. I am currently using EAPS for uplink protection and am aware that you cannot apply both STP and EAPS for the same vlan. My production vlan (ex: prod10) is protected by EAPS and ports are assigned to it as edge ports (untagged). How would I use edge safeguard in this instance. I was initially hoping of creating a dummy vlan and assigning that to the default SO STP instance. For this to work, would I need to assign the ports as untagged to this vlan. My idea is to prevent people creating loops using switches (non extreme as well) and mainly hubs.

(from Anush_Santhanam)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 6 2012 6:30PM

Hey Excalibur

I am partial to ELRP as it is a much easier design in my opinion and you don't have to worry about STP BPDUs being affected by the end device.  I think STP can get confusing with setting the port type domain type and if you have to connect two switches/stacks together in a closet then the STP needs to be configured on the link between the two.

ELRP has three main steps.  Enable the ELRP client, Configure the ELRP-client for either one-shot or periodic and then add the uplink ports as exclude from being disabled. The commands are all listed in the Appendix C of the Command Reference Guide.

Hope that helps

P

(from Paul_Russo)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 7 2012 2:21PM

Absolutely fabulous. I will stick with standalone ELRP. Thank you so much. One last question if I may. I have floors that have dot1x netlogin enabled. I am using netlogin in ISP mode. Now I believe that ELRP will not work with netlogin. What can I do here. Any suggestions pls Tks.

(from Anush_Santhanam)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 8 2012 9:01AM

I am pretty sure it works with netlogin as well as it is just a multicast packet that would go through but let's wait on prusso for that.

Also, I would recommend yyou to not block EAPS ports if you are blocking at all. There is a command using which you can prevent ELRP from disabling the EAPS ports when a loop is seen This would help if you have ELRP protection for Uplink ports.

Let me know if that makes sense.

Thanks,
Arpit

(from Arpit_Bhatt)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 8 2012 5:27PM

Hello Arpit,

Great thanks for this. You are absolutely right. I am aware that you can specifically exclude EAPS ring ports. In fact I just trialed this out in a PoC environment and it worked like a charm. The only thing is about Netlogin. I recollect that the XOS concepts guide indicates that this may not be possible. Lets leave this for prusso to confirm. Again tks a million for taking the time to respond. Great help. Tks.

(from Anush_Santhanam)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 9 2012 3:08PM

Hello Excalibur


Sorry for the delay as I was off yesterday and today_x0010_.  :)   The Concepts guide does say they can't be configured on the same port however in my testing there is no warning or error that occurs.  What I found is that initially when the port is in my netlogin VLAN the port does not get disabled if it is connected to a remote loop.  In my configuration I have guest vlan enabled.  If I enable ELRP on both my netlogin VLAN and my guest VLAN I notice that once 802.1x authentication stops and the port is placed into the guest VLAN the remote loop is seen and the port is disabled.  One thing to note is that since the port is disabled it takes it out of the guest VLAN and places it into the netlogin VLAN and the port remains disabled until I re-enable it even if I have the timed duration on.

So it does appear to stop loops in the other VLANs that are not part of the netlogin VLAN after the port is moved.  If you look into the concepts guide STP also has limitaitons with netlogin.

I would recommend testing it in your lab with your netlogin configuration to see if the limitations work in your setup.  I only tested a remote loop scenario because I normally disable auto-polarity to make sure two ports on the switches do not link up unless there is a cross over cable.


Not sure if that completely answers your question.  Please let us know what you find in your testing.  As I have more time on Monday I will continue to test both STP and ELRP.

P

(from Paul_Russo)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 9 2012 3:09PM

Sorry Excalibur forgot to post the log

11/09/2012 17:45:20.31 <Info:nl.ClientLinkDown> Network Login user  cleared due to link down event, Mac 00:04:96:27:7C:09 port 9 VLAN(s) "PublicWirelessNetwork"
11/09/2012 17:45:20.27 <Info:vlan.msgs.portLinkStateDown> Port 9 link down
11/09/2012 17:45:20.05 <Info:vlan.dbg.info> Toggling AdminState on Port 9
11/09/2012 17:45:20.03 <Warn:ELRP.DsblPortLoopDtect> Disabling port 9. Auto re-enable port after 15 seconds
11/09/2012 17:45:20.03 <Warn:ELRP.Report.Message> [CLI:PublicWirelessNetwork:3] LOOP DETECTED : 355 transmited, 225 received, ingress slot:port (9) egress slot:port (9)

(from Paul_Russo)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Nov 14 2012 1:44PM

Hey Excalibur

Have you tried the ELSM with dot1x in your lab?  If so please post your findings.

Thanks
P

(from Paul_Russo)
Photo of EtherNation User

EtherNation User, Official Rep

  • 20,340 Points 20k badge 2x thumb
Create Date: Oct 15 2013 3:50PM

I am going to necro this and bring it back up. Loops on the uplinks with EAPS has bitten me in the ass a few times now. The issue is my EAPS ring is running over a MAN basically so the telco is between the links. If the Telco does troubleshooting they loop their dmarc. this in turn causes my network to loop.

EAPS does not get his heartbeat so the secondary port on the master opens up where guess what is connected? the hard loop at the dmarc from the telco doing their troubleshooting.

So far I have not been able to get a solution as I want to use ELRP but everything i have read is do not put on the uplinks which is what keep looping.. 

Suggestions?

I have 4 8810's forming my eaps ring.  2 are at one location and 2 are at another with telco (dark fiber) between the sites.

(from Kyle_Buffington)

This conversation is no longer open for comments or replies.