cancel
Showing results for 
Search instead for 
Did you mean: 

A4H124-48 loop protection.

A4H124-48 loop protection.

Rahman_Duran1
New Contributor III
Hi,

Today I was configuring dhcpsnooping on A4H124-48. When I run "show neighbors" I was surprised to see that the switch is displaying it as a neighbor device on two of its ports.

ARHAVI_MYO_IDARI_A4-48(su)->show neighbors
Port Device ID Port ID Type Network Address
---------------------------------------------------------------------------------
fe.1.5 00:25:11:04:B5:5F 00-25-11-04-B5-5F lldp
fe.1.5 00:25:11:33:00:C5 00-25-11-33-00-C5 lldp
fe.1.6 70:71:BC:38:BA:22 70-71-BC-38-BA-22 lldp
fe.1.8 20b3990bea48 fe.1.9 ciscodp 192.168.14.22
fe.1.8 20:B3:99:0B:EA:48 fe.1.9 lldp
fe.1.9 20b3990bea48 fe.1.8 ciscodp 192.168.14.22
fe.1.9 20:B3:99:0B:EA:48 fe.1.8 lldp
fe.1.13 70:71:BC:38:BA:04 70-71-BC-38-BA-04 lldp
ge.1.50 001f45d250a2 ge.1.22 ciscodp 192.168.14.1
ge.1.50 00:1f:45:d2:50:a2 ge.1.22 cdp 192.168.14.1
ge.1.50 00:1F:45:D2:50:A2 ge.1.22 lldp

as you can see it on port 8 and 9. Quicly running "show mac port" command on the ports shows switches own mac address. So it seems someone just plugged the same cables each end to port 8 and 9.

CPU utilization etc are normal. No one complained about bad network connectivity yet.

Why the device did not blocked one of its ports yet? Spanning tree is enabled by default and both ports are on same vlan. Spanning tree LoopProtect and Spanguard is disabled btw. I am really surprised that the switch is now clear enough to detect a loop on itself, by default.

So how can I prevent such an incident again?

Regards

Rahman

3 REPLIES 3

Erik_Auerswald
Contributor II
Hi,

the output of
show spantree stats activeshould show one of the two ports as blocked by spanning tree protocol.

You can use spanguard to get a notification and/or disable the ports if this happens. Please see the GTAC Knowledge articles How to configure Spanguard on a SecureStack switch and Spanguard Considerations on EOS Switches.

Thanks,
Erik

STP does not disable a port, it blocks data frames from being sent or received. STP BPDUs are still sent and received, link local protocols may be as well (e.g. LLDP or CDP). VLANs are not shown as active on a port blocked by STP ("show vlan", "show port egress").

Spanguard should work for any BPDU received on the port, even a BPDU sent from that port and looped back via another switch with a local loop.

Hi,
ARHAVI_MYO_IDARI_A4-48(su)->show spantree stats active
Spanning tree status - enabled
Spanning tree instance - 0
Designated Root MacAddr - 00:1F:45:D2:50:A2
Designated Root Port - ge.1.50
Designated Root Priority - 8192
Designated Root Cost - 20000
Root Max Age - 20
Root Hello Time - 2
Root Forward Delay - 15
Bridge ID MAC Address - 20:B3:99:0B:EA:48
Bridge ID Priority - 32768
Bridge Max Age - 20
Bridge Hello Time - 2
Bridge Forward Delay - 15
Topology Change Count - 1
Time Since Top Change - 2 days 2:51:32
Max Hops - 20
SID Port State Role Cost Priority
--- ---------- ---------------- ----------- -------- --------
0 fe.1.8 Forwarding Designated 200000 128
0 fe.1.9 Discarding Backup 200000 128
0 ge.1.50 Forwarding Root 20000 128

Ok it seems blocked. I am confused by the output of "show port status" as it shows "Oper Status UP" and "Admin Status UP" for both ports.

As for spanguard, it says it is for foreign BDPU packets and wont work for its own BDPU packets

GTM-P2G8KFN