[124303] in North American Network Operators' Group


RE: Auto MDI/MDI-X + conference rooms + bored == loop

daemon@ATHENA.MIT.EDU (William Mullaney)
Tue Mar 30 07:36:54 2010

Date: Tue, 30 Mar 2010 07:36:04 -0400
In-Reply-To: <20100326220922.GH12189@angus.ind.WPI.EDU>
From: "William Mullaney" <wmullaney@annese.com>
To: "Chuck Anderson" <cra@WPI.EDU>,
	<nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

We had a school district that had a large number of "dumb" switches in
each classroom hanging off real ones.  These would get looped when a
student or staff member plugged a patch cable into two ports on the end
switch, taking down large portions of the network.  It seems Cisco
3500s ignore a BPDU that comes in on the same port it went out.

We switched them to 3750s as part of other upgrades, which eliminated
the BPDU problem (3560s and 3550s also work correctly), and enabled RSTP,
PortFast, root guard, loopback detection, and storm control.  Then we set
the switches to automatically come back into service from err-disable
after 60 seconds or so.

In every single test we did (looping off a dumb switch, looping two
ports on the 3750, looping between two 3750s in different stacks), there
was immediate blocking that prevented any nonsense from
affecting the network.  Of course the little switches get taken out
along with anything connected, but that's really just an indicator of
the need for more drops from real switches.  Additionally, turning on
only one of the features at a time still shut down the port within a
second or so.

I don't really like BPDU Guard when root guard is available, as I think
other devices should be able to participate in STP so long as they
aren't trying to reconverge the network by grabbing root or becoming a
transit between two building switches.  As for RSTP, it's on for every
switch we deploy unless there is some compelling reason not to do so.  I
have yet to find another switch that will not work even if it only
supports "old" STP.

-WT

-----Original Message-----
From: Chuck Anderson [mailto:cra@WPI.EDU]
Sent: Friday, March 26, 2010 6:09 PM
To: nanog@nanog.org
Subject: Auto MDI/MDI-X + conference rooms + bored == loop

Anyone have suggestions on Ethernet LAN loop-prevention?  With the
advent of Auto MDI/MDI-X ports on switches, it seems way too easy to
accidentally or maliciously create loops between network jacks.  We
have bored or inattentive people plugging in patch cords between
adjacent network jacks.  STP for loop-prevention isn't working so well
for us.

STP "edge" or "portfast" or "faststart" modes are required for
end-station ports (with normal STP, DHCP often times out during the 30+
seconds it takes to go into Forwarding state).  Since the "edge" STP
mode goes into Forwarding state immediately, there is a period when
loops will form, causing havoc with upstream gear until STP blocks the
port (if it ever does; see below).

"Desktop" switches.  You know, those 4 or 5 port Gigabit Ethernet
switches.  Apparently, many of them don't do any kind of STP at all.
Recommendations on ones that do STP?

RSTP: is it any better than traditional STP in regards to "edge" ports
and blocking before a loop gets out of hand?  Or perhaps blocking for
5-10 seconds before going into Forwarding state, hopefully preventing
loops before they happen but also allowing DHCP clients to get an
address without timeouts?  Recommendations on "Desktop" switches that
do RSTP?

Thanks for your suggestions/discussion.

-- 
- Chuck (354 Days until IPv4 depletion: http://ipv4depletion.com/)
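As an added illustration of the hardening sequence the reply above describes (RSTP, PortFast, root guard, loopback detection, storm control, and automatic err-disable recovery), here is a Cisco IOS configuration fragment for a Catalyst access switch. It is not from either poster; the interface range, access VLAN, and storm-control threshold are assumed values, and exact command syntax varies by platform and IOS release.

```cisco
! Global settings: rapid spanning tree, loop detection, and err-disable recovery
spanning-tree mode rapid-pvst
! Treat a keepalive frame that returns on the port it left as a loop
errdisable detect cause loopback
! Put looped or storming ports back into service by themselves
! (60 s is assumed here, matching the interval mentioned in the reply)
errdisable recovery cause loopback
errdisable recovery cause storm-control
errdisable recovery interval 60

! Edge ports facing classrooms or conference rooms (range and VLAN assumed)
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 10
 ! Forward immediately so DHCP clients do not time out waiting on STP
 spanning-tree portfast
 ! A downstream switch may take part in STP, but it can never become root
 spanning-tree guard root
 ! A broadcast storm (the usual symptom of a loop on a dumb switch)
 ! err-disables the port; 1% of link bandwidth is an assumed threshold
 storm-control broadcast level 1.00
 storm-control action shutdown
 ! Keepalives are what IOS uses for loopback detection on copper ports
 keepalive
```

`show interfaces status err-disabled` lists ports currently taken down and the cause, and `show errdisable recovery` shows when each will be retried; a port that reappears in that list every recovery interval is the "indicator of the need for more drops from real switches" the reply mentions. If BPDU Guard is preferred over root guard, `spanning-tree bpduguard enable` replaces `spanning-tree guard root` on those ports and `errdisable recovery cause bpduguard` is added globally.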


