
Stopping/Identifying inadvertently collapsed VLANs.

Eric_Burke
New Contributor III

We’ve had one or two instances where a client bridged two VLANs (connected two different wall outlets, with separate VLANs, into one another with a switch). Since this does not create a loop, STP and ELRP don’t help. I’m wondering what others do to protect and alert when this happens? I’m thinking of starting with DHCP snooping; looking for an unexpected DHCP server handing out addresses on the wrong VLAN. XMC and policy management is too expensive in the scenarios where this has occurred. Are there other methods you can suggest? Thanks in advance!

Eric


FredrikB
Contributor II

Hi!

You could use spanning tree for this:

“To prevent the loops across the switches, the edge safeguard feature can be configured with the BPDU restrict function. When running in BPDU restrict mode, edge safeguard ports send STP BPDUs at a rate of one every two seconds. The port is disabled as soon as an STP BPDU is received on the BPDU restrict port, thereby preventing the loop.” [ExtremeXOS® User Guide for Version 30.6 9036618-00 Rev AA April 2020 page 1213]

https://documentation.extremenetworks.com/exos_commands_30.6/downloads/EXOS_Command_Reference_30_6.p...

I only ever recommend using STP for access port loop detection and blocking and never on network links. There are so many better ways to build redundant networks these days than to use (x)STP.

ELRP can detect loops for a specific VLAN and possibly for different VLANs. The documentation is not clear on what happens if port 1 sends ELRP for VLAN A and port 2 is part of ELRP on VLAN B. If port 2 receives the ELRP frame belonging to VLAN A it might not block the port. You can try this easily yourself.

One way to protect ports is to have a fake ELRP VLAN tagged on all access ports. Create an ACL that restricts all traffic on this VLAN if you like. Tagging this fake VLAN on all ports in all switches gives you the ability to block loops between or within switches for ports that belong to different untagged VLANs. It is enough for ELRP to see an ELRP frame from one of the VLANs on the port to block the port. ELRP blocks the port, not a specific VLAN on the port.

https://gtacknowledge.extremenetworks.com/articles/Q_A/do-I-need-to-enable-ELRP-on-all-the-VLANs-whe...

https://gtacknowledge.extremenetworks.com/articles/Q_A/What-options-are-there-for-loop-protection-in...

/Fredrik

Swen_Wulf
New Contributor

Hi Eric,

As you said, it doesn’t create a loop. This happens on my network as well: the customer is asking for separate circuits, each with its own handoff port on my Extreme switch, and they all end up in a common switch of the client, bridging these separate VLANs together. I provide a layer 2 service to my client, but I would think that if you provided a layer 3 service, you could filter with ACLs to ensure only traffic sourced from the subnet you expect is passed on its respective port?

Cheers.
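The two detection ideas in this thread, Eric’s DHCP snooping check (an unexpected DHCP server answering on a VLAN) and Swen’s per-port source-subnet check (traffic whose source address does not belong to the port’s VLAN), can be exercised offline against a handful of observed packets. The following is an added example written for this thread, not code from Extreme Networks or from either poster; the port names, VLAN numbers, subnets, trusted DHCP servers and the sample frames are all constructed. In practice the frame list would come from a DHCP snooping log or a port mirror; here both signals are evaluated by one checker, and a port that sees traffic from another VLAN’s subnet is reported together with the VLAN that traffic came from, which points at the pair of outlets the client bridged.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology (hypothetical values, not from the thread).
VLAN_SUBNET = {10: ip_network("10.10.0.0/24"), 20: ip_network("10.20.0.0/24")}
TRUSTED_DHCP = {10: ip_address("10.10.0.1"), 20: ip_address("10.20.0.1")}
PORT_VLAN = {"1:5": 10, "1:6": 20}  # untagged VLAN per access port


@dataclass(frozen=True)
class Frame:
    """One observed IP packet on an access port (constructed input)."""
    port: str
    src_ip: str
    dhcp_server: Optional[str] = None  # server identifier when this is a DHCP OFFER/ACK


@dataclass(frozen=True)
class Finding:
    port: str
    vlan: int
    kind: str                      # "rogue-dhcp" or "foreign-source"
    foreign_vlan: Optional[int]    # VLAN the offending address belongs to, if known
    detail: str


def vlan_of(ip):
    """Return the VLAN whose subnet contains ip, or None if it matches none."""
    for vlan, net in VLAN_SUBNET.items():
        if ip in net:
            return vlan
    return None


def check_frame(frame):
    """Apply both checks to a single frame and return the findings."""
    vlan = PORT_VLAN[frame.port]
    findings = []

    # DHCP snooping check: only the trusted server may answer on this VLAN.
    if frame.dhcp_server is not None:
        server = ip_address(frame.dhcp_server)
        if server != TRUSTED_DHCP[vlan]:
            findings.append(Finding(
                frame.port, vlan, "rogue-dhcp", vlan_of(server),
                f"DHCP server {server} answered on VLAN {vlan}; trusted server is {TRUSTED_DHCP[vlan]}"))

    # Source-subnet check: 0.0.0.0 (DHCP DISCOVER) is legitimate, anything
    # else must fall inside the subnet assigned to the port's VLAN.
    src = ip_address(frame.src_ip)
    if not src.is_unspecified and src not in VLAN_SUBNET[vlan]:
        findings.append(Finding(
            frame.port, vlan, "foreign-source", vlan_of(src),
            f"source {src} on port {frame.port} is outside {VLAN_SUBNET[vlan]}"))
    return findings


def analyze(frames):
    """Run check_frame over every observed frame."""
    return [f for frame in frames for f in check_frame(frame)]


def suspected_bridges(frames):
    """Map each flagged port to the VLANs whose traffic leaked onto it."""
    out = {}
    for f in analyze(frames):
        if f.foreign_vlan is not None:
            out.setdefault(f.port, set()).add(f.foreign_vlan)
    return out


# Constructed capture: port 1:6 (VLAN 20) is receiving VLAN 10's DHCP server
# and a VLAN 10 host, which is what a client switch bridging both outlets looks like.
SAMPLE_FRAMES = [
    Frame("1:5", "10.10.0.50"),
    Frame("1:5", "0.0.0.0"),                                  # DHCP DISCOVER, fine
    Frame("1:6", "10.20.0.1", dhcp_server="10.20.0.1"),       # trusted offer, fine
    Frame("1:6", "10.10.0.1", dhcp_server="10.10.0.1"),       # VLAN 10 server seen on VLAN 20
    Frame("1:6", "10.10.0.50"),                               # VLAN 10 host seen on VLAN 20
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FRAMES):
        print(f"[{finding.kind}] port {finding.port} vlan {finding.vlan}: {finding.detail}")
    print("suspected bridged ports:", suspected_bridges(SAMPLE_FRAMES))
```

The source-subnet check is exactly what an ingress ACL permitting only the expected subnet per port would enforce; running it as a detector first shows which ports would be affected before any traffic is dropped, and the rogue DHCP check fires even when the bridged client only ever sends DHCP traffic.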
