
Help, I need to configure elrp


Userlevel 1
Hello All,

I need to configure ELRP on a switch X460-24t version 16.1.4.2 patch1-7, but I don't know what option to choose. I have these options:
  • Log-and-trap disable-port egress permanent
  • Log disable-port ingress permanent
What is the difference between Log-and-trap disable-port egress permanent and Log disable-port ingress permanent?

Thanks everyone for your help


20 replies

Userlevel 7
Hi,

"log-and-trap" vs "log" is about what info will be sent to signal the loop detection. The "disable-port" is the action taken when a loop is detected, and the "permanent" keyword means the port will not go back up automatically, an admin will have to enable it. As for the "ingress" versus "egress" options, this is a new one since 16.1. It tells what port should be disabled, either the "ingress" one (where the elrp looped packet has been received) or the "egress" one (where the elrp looped packet has been transmitted).
Userlevel 1
Grosjean, Stephane wrote:

Hi,

"log-and-trap" vs "log" is about what info will be sent to signal the loop detection. The "disable-port" is the action taken when a loop is detected, and the "permanent" keyword means the port will not go back up automatically, an admin will have to enable it. As for the "ingress" versus "egress" options, this is a new one since 16.1. It tells what port should be disabled, either the "ingress" one (where the elrp looped packet has been received) or the "egress" one (where the elrp looped packet has been transmitted).

Thanks for your answer 🙂
Userlevel 6
You may also find these articles helpful:
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-ELRP-to-disable-ports/
https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-ELRP/
Userlevel 1
Thanks for your answer 🙂
Userlevel 7
Hi,

I prefer to enable ELRP on the access ports, but not on uplinks, and then disable the egress port if a loop is detected.

If e.g. a loop between two access switches is created, ELRP will see packets returning via the uplinks. The uplinks are usually exempted from being disabled by ELRP (otherwise the whole switch would be disabled, not just the access port that is part of the loop). Thus it does not help to act on the ingress port. But the egress port can (and should) be disabled in this situation.

Thanks,
Erik
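
The two-switch loop described in the post above, as a small simulation added here (it is not part of the original thread and is not Extreme's code). Switch names, port numbers and the simple flooding model are constructed assumptions; the point is which port each `disable-port` mode would pick when the uplinks are exempt.

```python
from collections import deque

def make_links(pairs):
    """Cables as a symmetric map: (switch, port) <-> (switch, port)."""
    links = {}
    for a, b in pairs:
        links[a], links[b] = b, a
    return links

def probe_return_ports(links, origin, egress_port):
    """Flood one ELRP probe sent by `origin` out of `egress_port` and
    return the origin ports on which the probe comes back."""
    ports_of = {}
    for sw, port in links:
        ports_of.setdefault(sw, set()).add(port)
    returned, seen = set(), set()
    queue = deque([(origin, egress_port)])
    while queue:
        tx = queue.popleft()
        if tx in seen or tx not in links:   # already sent, or nothing plugged in
            continue
        seen.add(tx)
        rx_sw, rx_port = links[tx]
        if rx_sw == origin:                 # origin receives its own probe: loop
            returned.add(rx_port)
            continue
        for port in ports_of[rx_sw] - {rx_port}:   # other switches just flood it
            queue.append((rx_sw, port))
    return returned

def elrp_disabled_ports(links, origin, elrp_ports, mode, exclude):
    """Ports `origin` would disable with disable-port 'ingress' or 'egress'."""
    disabled = set()
    for egress in sorted(elrp_ports):
        for ingress in probe_return_ports(links, origin, egress):
            target = ingress if mode == "ingress" else egress
            if target not in exclude:       # excluded ports are never disabled
                disabled.add(target)
    return disabled

# Constructed topology: access switches A and B uplink (port 49) to core C,
# and access ports A:5 and B:7 are accidentally patched together.
TWO_SWITCH_LOOP = make_links([(("A", 49), ("C", 1)), (("B", 49), ("C", 2)),
                              (("A", 5), ("B", 7))])
ACCESS_PORTS = set(range(1, 25))   # ELRP enabled on access ports only
UPLINKS = {49}                     # exempt from being disabled

if __name__ == "__main__":
    for mode in ("ingress", "egress"):
        print(mode, elrp_disabled_ports(TWO_SWITCH_LOOP, "A", ACCESS_PORTS, mode, UPLINKS))
```

In this model the probe sent from A:5 returns on uplink 49, so ingress mode disables nothing while egress mode disables port 5; a loop between two access ports of the same switch is caught by either mode.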
Userlevel 7
Erik Auerswald wrote:

Hi,

I prefer to enable ELRP on the access ports, but not on uplinks, and then disable the egress port if a loop is detected.

If e.g. a loop between two access switches is created, ELRP will see packets returning via the uplinks. The uplinks are usually exempted from being disabled by ELRP (otherwise the whole switch would be disabled, not just the access port that is part of the loop). Thus it does not help to act on the ingress port. But the egress port can (and should) be disabled in this situation.

Thanks,
Erik

Happy to see egress mode is used in the field, and correctly understood. This is a nice improvement to ELRP that I have been advocating for a long time.
Userlevel 1
Erik Auerswald wrote:

Hi,

I prefer to enable ELRP on the access ports, but not on uplinks, and then disable the egress port if a loop is detected.

If e.g. a loop between two access switches is created, ELRP will see packets returning via the uplinks. The uplinks are usually exempted from being disabled by ELRP (otherwise the whole switch would be disabled, not just the access port that is part of the loop). Thus it does not help to act on the ingress port. But the egress port can (and should) be disabled in this situation.

Thanks,
Erik

Thanks for your answer 🙂
Userlevel 1
I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks
Userlevel 6
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Generally, for egress blocking, yes, enable it only on the edge ports.
Userlevel 1
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

So as best practice I should/could enable ELRP blocking on edge switch access ports, then on the uplinks that have LAGs to MLAGs to the cores enable egress blocking? Thanks Chad
Userlevel 6
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

I'm not sure I fully understand. If you enable egress on ALL edge ports, and have confidence that the other ports (i.e. core and aggregation layer) are secure and will remain loop-free, you don't have to enable ELRP there. If not, then yes, you could enable ELRP on egress going to your downstream edge switches. However, any loop detected on these ports could segment the entire downstream switch from the network.

When using ELRP at the core/aggregation layer it can make more sense to use ingress blocking with the exclude list excluding critical uplinks/downlinks.
Userlevel 1
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Our VM environment and MLAG live on the 2 BlackDiamonds and 10G DC670's that terminate to our cores. I'm thinking something could happen if a hardware issue caused a loop regarding MLAG, and ELRP would keep a loop from happening either by user error or by issue. Does this help? Thanks Chad.
Userlevel 6
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Yea. I would consider VMs an "edge" port in this scenario, but some caution is needed there because you may have multiple VLANs on those links. A loop on ANY VLAN on the port would block ALL traffic. If you are okay with taking the MLAG ports down if a loop is detected, potentially segmenting downstream devices, then it can be enabled there as well.

I guess with ELRP egress blocking you can kind of boil it down to this:
  • If you enable it, you need to be willing for that port to be completely blocked should a loop be detected based on an ELRP frame that left that port.
  • If you do not enable it on a port, that port will never be blocked if a loop is detected on that port.
Of course, I am assuming you are disabling the ports, you don't have to disable them. You can simply log and/or trap.
Userlevel 1
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

We've been using ELRP periodic log without blocking and our VM environment takes a hit when a loop occurs. We have multiple MLAG 20 gig uplinks to edge switches, stacked switches, DC switches, WLAN controllers and firewalls which in the past have created a loop because of hardware failure or user misconfiguration error. I believe I would rather it drop to 10G or half and still be up and working. Thanks for your help and I'm still working out the config. I wish it was a bit simpler, like seeing a diagram. The diagrams I see don't include MLAGs, LAGs, or core where edge switching is connected to. I'm envisioning ELRP blocked on egress access ports like a 460 housing users, then exclude sharing ports to cores. Then for the cores and DC670's ELRP blocking egress on the uplinks because this would stop non-user traffic loops for HA hardware failures. Am I on the right path? Thanks.
Userlevel 6
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Yea I think you are on the right track. Given your needs, that sounds like it is probably the best plan.
Userlevel 1
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Thank you, and it's time to implement. I appreciate the help.
Userlevel 1
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Chad, when you mentioned edge ports, you're talking about end stations connected to switch ports (non-trunking access ports)? Thank you
Userlevel 6
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

Not always. Servers with multiple VLAN interfaces (i.e. trunk) could still be considered "edge". Basically any switch port not connected to a switch/router.
Userlevel 1
Ted wrote:

I'm ready to enable this but just so I'm clear, I should enable ELRP blocking on egress on access ports and no ELRP on my uplinks? I have MLAG configured on all my edge and TOR switches and should have L2 loop prevention on those as well. Thanks

That makes sense, all our user ports trunk voice vlan but not trunk for the data side. I appreciate the explanation. 
