Auto MDI/MDI-X + conference rooms + bored == loop

William Mullaney wmullaney at annese.com
Tue Mar 30 11:36:04 UTC 2010


We had a school district that had a large number of "dumb" switches in
each classroom hanging off real ones.  These would get looped when a
student or staff member plugged a patch cable into two ports on the end
switch, taking down large portions of the network.  It seems Cisco
3500's ignore a BPDU that comes back in on the same port it went out.

We switched them to 3750's as part of other upgrades, which eliminated
the BPDU problem (3560's and 3550's also work correctly), and enabled
RSTP, PortFast, root guard, loopback detection, and storm control.  Then
we set the switches to automatically come back in service from
err-disable after 60 seconds or so.

In every single test we did (looping off a dumb switch, looping two
ports on the 3750, looping between two 3750's in different stacks), there
was immediate blocking occurring that prevented any nonsense from
affecting the network.  Of course the little switches get taken out
along with anything connected, but that's really just an indicator of
the need for more drops from real switches.  Additionally, turning on
only one of the features at a time still shut down the port within a
second or so.

I don't really like BPDU Guard when Root Guard is available, as I think
other devices should be able to participate in STP so long as they
aren't trying to reconverge the network by grabbing root or becoming a
transit between two building switches.  As for RSTP, it's on for every
switch we deploy unless there is some compelling reason not to do so.  I
have yet to find another switch that will not work with it, even if it
only supports "old" STP.

-WT
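The edge-port hardening described above, written out as a Cisco IOS configuration fragment. This is an added illustration, not a configuration posted by the author or the school district; the interface range, the storm-control thresholds and the choice of keepalive-based loopback detection (with err-disable on detection) as the "loopback detection" feature are assumptions, while the 60-second err-disable recovery, RSTP, PortFast, root guard (instead of BPDU Guard) and storm control follow the message.

```cisco
! Global: rapid spanning tree so edge ports forward immediately and
! alternate/backup roles converge in seconds rather than 30+ seconds.
spanning-tree mode rapid-pvst
!
! Detect a port whose own keepalives come back to it (a looped dumb
! switch or a patch cord between two jacks) and err-disable it.
errdisable detect cause loopback
!
! Auto-recovery: bring ports back from err-disable after 60 seconds
! (interval is an assumption matching "60 seconds or so" in the post).
errdisable recovery cause loopback
errdisable recovery cause storm-control
errdisable recovery interval 60
!
! Classroom / user-facing ports (range is a placeholder).
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 ! Edge port: forward at link-up so DHCP does not time out.
 spanning-tree portfast
 ! Root guard: a downstream switch may run STP, but if it advertises a
 ! superior BPDU the port goes root-inconsistent instead of reconverging
 ! the campus. BPDU Guard is deliberately not used, per the author.
 spanning-tree guard root
 ! Keepalives are what loopback detection above relies on (default on;
 ! stated explicitly here so nobody disables them).
 keepalive
 ! Storm control: a loop shows up as a broadcast/multicast flood;
 ! thresholds (percent of link bandwidth) are assumed values.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
```

Verify after deployment with `show errdisable recovery` and `show spanning-tree inconsistentports`, which list recovery causes and any root-inconsistent ports respectively.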

-----Original Message-----
From: Chuck Anderson [mailto:cra at WPI.EDU] 
Sent: Friday, March 26, 2010 6:09 PM
To: nanog at nanog.org
Subject: Auto MDI/MDI-X + conference rooms + bored == loop

Anyone have suggestions on Ethernet LAN loop-prevention?  With the 
advent of Auto MDI/MDI-X ports on switches, it seems way too easy to 
accidentally or maliciously create loops between network jacks.  We 
have bored or inattentive people plugging in patch cords between 
adjacent network jacks.  STP for loop-prevention isn't working so well 
for us.

STP "edge" or "portfast" or "faststart" modes are required for 
end-station ports (with normal STP, DHCP often times out during the 30+ 
seconds it takes to go into Forwarding state).  Since the "edge" STP 
mode goes into Forwarding state immediately, there is a period when 
loops will form, causing havoc with upstream gear until STP blocks the 
port (if it ever does; see below).

"Desktop" switches.  You know, those 4 or 5 port Gigabit Ethernet 
switches.  Apparently, many of them don't do any kind of STP at all.  
Recommendations on ones that do STP?

RSTP: is it any better than traditional STP in regards to "edge" ports 
and blocking before a loop gets out of hand?  Or perhaps blocking for 
5-10 seconds before going into Forwarding state, hopefully preventing 
loops before they happen but also allowing DHCP clients to get an 
address without timeouts?  Recommendations on "Desktop" switches that 
do RSTP?

Thanks for your suggestions/discussion.

-- 
- Chuck (354 Days until IPv4 depletion: http://ipv4depletion.com/)