SecureStack/G/D Prevention of Network-Looped Traffic from outside the Spanning Tree

  • Article
  • Updated 5 years ago
Article ID: 11765 

Products
SecureStack C3, firmware 1.x and lower
SecureStack C2, all firmware
SecureStack B3, firmware 1.x and lower
SecureStack B2, all firmware
SecureStack A2, all firmware
G-Series, firmware 1.x and lower
D-Series, firmware 1.x and lower 

Changes
Spanning Tree remains enabled on all ports.
A user has either accidentally or maliciously created a network loop beyond a Spanning Tree Edge port so that traffic transmitted out that port is endlessly replicated and reflected back into the port. 

Symptoms
802.1w / 802.1s STP has self-loopback protection, and has placed the port into a Blocking state.
The activity LED on the affected port shows continuous heavy traffic.
CPU utilization (see Article 5894) is 80% or higher.
Management, switching, and routing performance is severely impacted. 

Cause
Any BPDUs either transmitted by the affected port or originated by other devices beyond the port are among the traffic being endlessly replicated and reflected back into the port. Although the Blocking state drops all other frames, BPDUs received on a blocked port are still forwarded to the CPU for interpretation, so the reflected flood eventually overwhelms the CPU and prevents it from performing its other duties. 

Certain types of network loops may be handled in different ways, but this particular type is only reliably (though incompletely) addressed by 802.1w/802.1s protections: 

  • SpanGuard ('set spanguard...') won't reliably engage, because not all such loops involve BPDU-emitting devices, and SpanGuard is not triggered by reflected "self" BPDUs (see Article 5258).
  • Spanning Tree Loop Protect ('set spantree lp...') only protects Inter-Switch Link (ISL) ports.
  • Linkflap ('set port linkflap...') can disable ports, but the port link state is not cycling during the problem scenario.
  • Policy rules (which, for example, could detect core resource traffic entering an edge port) cannot disable ports on these products.
  • Policy's Inbound Rate Limiting cannot disable ports on these products.

Solution
For the C3, upgrade to firmware 6.03.00.0022 or higher. 
For the B3, upgrade to firmware 6.03.00.0022 or higher. 
For the G-Series, upgrade to firmware 6.03.00.0022 or higher. 
For the D-Series, upgrade to firmware 6.03.01.0008 or higher. 

Version 6.03.xx.xxxx release notes state, in the 'What's New in 6.03' section: 
Host Protect improves resiliency of the switching infrastructure by leveraging hardware-based rate limiters to protect the host CPU from being overburdened by control traffic. For example, using this functionality the switch CPU will be unaffected by network loops that occur in downstream hubs and unintelligent switches. Use it in combination with Loop Protect, SpanGuard, and disabling Auto MDI/MDI-X per port for the highest level of protection against inadvertent or malicious switching loops.

The relevant commands are 'set system hostprotect enable' (disabled by default), 'show system hostprotect', and 'clear system hostprotect'. 

As stated in the Configuration Guide:
Hostprotect uses hardware resources that are also used for priority queues, so if hostprotect is enabled, priority queues are limited. 
At boot time, if more than two priority queue mappings are defined in addition to the default mapping, hostprotect will be disabled. 
At run time, if hostprotect is enabled and you attempt to define more than two priority queue mappings (with the 'set port priority-queue' command), the set will fail and a warning message will be displayed. 
At run time, if more than two priority queue mappings exist and you attempt to enable hostprotect with this command, the set will fail and a warning message will be displayed. 
Changing the hostprotect status requires a reset of the switch or stack of switches. 

The Host Protect feature includes "BPDU Rate Limiting", which allows only a limited volume of ingressing BPDUs (64 kb/s) to reach the CPU. Under the stated conditions, the unit continues to operate in a stable manner while keeping the affected port blocked, and returns the port to the Forwarding state once the packet reflection ceases.
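The behaviour described in this paragraph, as an added illustration that is not part of the original article and not Enterasys code: a toy Python model of an edge port receiving its own reflected BPDUs, with and without a hardware rate limiter in front of the CPU. The 64 kb/s figure is the article's; the 64-byte BPDU frame, the one-second burst depth of the limiter, the two-second hold before the port returns to Forwarding, the constructed bridge and port identity, and the "own bridge ID and port ID" self-loop test are all assumptions made for the model and say nothing about how the switch's datapath actually does it.

```python
"""
Added illustration: a toy model of an edge port whose own BPDUs are being
reflected back at it, with and without a hardware rate limiter in front of
the CPU. Not Enterasys code; values marked 'assumption' are not from the article.
"""
from dataclasses import dataclass
from typing import List, Optional

BPDU_BYTES = 64            # assumption: a config BPDU occupies a minimum-size Ethernet frame
LIMIT_BITS_PER_S = 64_000  # the 64 kb/s BPDU Rate Limiting figure quoted in the article
HOLD_S = 2.0               # assumption: seconds of silence before the port leaves Blocking


@dataclass
class Bpdu:
    bridge_id: str   # sender's bridge identifier
    port_id: int     # sender's port identifier
    t: float         # arrival time, seconds


class TokenBucket:
    """Hardware-style policer: `rate` bits/s sustained, one second of credit as burst."""

    def __init__(self, rate_bps: float) -> None:
        self.rate = rate_bps
        self.capacity = rate_bps          # assumption: burst depth equals one second of credit
        self.tokens = rate_bps
        self.last = 0.0

    def admit(self, t: float, frame_bytes: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        need = frame_bytes * 8
        if self.tokens >= need:
            self.tokens -= need
            return True
        return False


class EdgePort:
    def __init__(self, bridge_id: str, port_id: int, limiter: Optional[TokenBucket]) -> None:
        self.bridge_id = bridge_id
        self.port_id = port_id
        self.limiter = limiter            # None models a switch without Host Protect
        self.state = "Forwarding"
        self.cpu_bpdus = 0                # BPDUs the CPU actually had to parse
        self.dropped_by_limiter = 0
        self.last_loop_seen: Optional[float] = None

    def receive(self, bpdu: Bpdu) -> None:
        # Blocking drops data frames, but every BPDU still goes to the CPU (the article's
        # Cause). Only the limiter, when present, shields the CPU from the reflected flood.
        if self.limiter is not None and not self.limiter.admit(bpdu.t, BPDU_BYTES):
            self.dropped_by_limiter += 1
            return
        self.cpu_bpdus += 1
        # Simplified self-loop test (assumption): the BPDU carries this port's own identity.
        if bpdu.bridge_id == self.bridge_id and bpdu.port_id == self.port_id:
            self.state = "Blocking"
            self.last_loop_seen = bpdu.t

    def tick(self, now: float) -> None:
        # Return to Forwarding once the reflection has stopped for HOLD_S seconds.
        if (self.state == "Blocking" and self.last_loop_seen is not None
                and now - self.last_loop_seen >= HOLD_S):
            self.state = "Forwarding"


def reflected_storm(bridge_id: str, port_id: int, seconds: float, pps: int) -> List[Bpdu]:
    """Constructed input: the port's own hello BPDU bounced back at `pps` frames per second."""
    return [Bpdu(bridge_id, port_id, i / pps) for i in range(int(seconds * pps))]


def simulate(pps: int, storm_s: float = 5.0, hostprotect: bool = True) -> dict:
    """Run a reflected-BPDU storm for storm_s seconds, then HOLD_S + 1 s of silence."""
    limiter = TokenBucket(LIMIT_BITS_PER_S) if hostprotect else None
    port = EdgePort("8000.00e063aabbcc", 7, limiter)   # constructed bridge/port identity
    for bpdu in reflected_storm(port.bridge_id, port.port_id, storm_s, pps):
        port.receive(bpdu)
    state_during = port.state
    port.tick(storm_s + HOLD_S + 1)
    return {
        "cpu_bpdus": port.cpu_bpdus,
        "dropped_by_limiter": port.dropped_by_limiter,
        "state_during_storm": state_during,
        "state_after_storm": port.state,
    }


if __name__ == "__main__":
    for hp in (False, True):
        r = simulate(10_000, hostprotect=hp)
        print(f"hostprotect={hp}: CPU saw {r['cpu_bpdus']} of 50000 reflected BPDUs, "
              f"state {r['state_during_storm']} during storm, {r['state_after_storm']} after")
```

At 10,000 reflected BPDUs per second, the unprotected port hands all 50,000 frames of a five-second storm to the CPU, while the rate-limited port passes roughly 750 of them (a one-second burst plus 125 frames per second, since a 64-byte frame is 512 bits). In both cases the port goes to Blocking on the first self-BPDU and returns to Forwarding once the reflection stops; the only difference is whether the CPU survives the interval in between.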

The C5 and B5 have no 'hostprotect' command set, but do support the feature. Their release notes state, in the 'Existing Product Features' section: "Host Protect (permanently enabled)".
The C2, B2, A4, and A2 do not support Host Protect and are not expected to, due to hardware limitations.
FAQ User, Official Rep
Posted 5 years ago