
Mailing List Archive: nsp: foundry

protecting from network loops due to IP phones

 

 



rajasuperman at gmail

May 25, 2011, 11:56 AM

Post #1 of 8 (1812 views)
protecting from network loops due to IP phones

Hi,

We are running multiple SX1600 switches in our access layer and have
several Cisco IP phones and desktops connected to dual-mode ports.
The devices are connected in this order: SX1600 -- IP phone -- end
user desktop.

Many of our desks have 2 ethernet points, one dual mode for voice/data
and the other in a different data VLAN. Sometimes the end user
incorrectly connects both ports on the IP phone back to the switch and
creates a network loop between the voice/data and data VLANs. STP and
VRRPe (on the core) go wild and half our network stops working until
we manually remove the loop.

Ideally we want to shut down such ports into an error disabled state
and save a larger network outage. BPDU Guard is not supported on
tagged ports, is there any other option we can use?

How do you guys handle this in your networks?

Thanks in advance.

- Raja
_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


niels=foundry-nsp at bakker

May 25, 2011, 12:30 PM

Post #2 of 8 (1735 views)
Re: protecting from network loops due to IP phones [In reply to]

* rajasuperman [at] gmail (Raja Subramanian) [Wed 25 May 2011, 20:59 CEST]:
>Ideally we want to shutdown such ports into an error disabled state
>and save a larger network outage. BPDU Guard is not supported on
>tagged ports, is there any other option we can use?

Port security might help you out.


-- Niels.



hidden at xmission

May 25, 2011, 12:56 PM

Post #3 of 8 (1739 views)
Re: protecting from network loops due to IP phones [In reply to]

Look at "loop detect", strict or loose mode (depending on your particular
environment). It can be run side-by-side with STP or by itself.

Jared



rajasuperman at gmail

May 25, 2011, 1:09 PM

Post #4 of 8 (1743 views)
Re: protecting from network loops due to IP phones [In reply to]

On Thu, May 26, 2011 at 1:26 AM, Jared Valentine <hidden [at] xmission> wrote:
> Look at "loop detect", strict or loose mode (depending on your particular
> environment).  It can be run side-by-side with STP or by itself.

Thanks for the tip!

Loose Mode is what is applicable in our environment. We have near fully
populated SX1600s with ~200 VLANs and 150 phones per chassis. Any
comments on the system performance impact on enabling Loose Mode
on such a setup? Other than possibly higher CPU utilization, do you foresee
any other impact?

FastIron Config Guide:

<quote>
Brocade recommends that you limit the use of Loose Mode. If you have a
large number of VLANS, configuring loop detection on all of them can
significantly affect system performance because of the flooding of
test packets to all configured VLANs. An alternative to configuring
loop detection in a VLAN-group of many VLANs is to configure a
separate VLAN with the same tagged port and configuration, and enable
loop detection on this VLAN only.
</quote>


Thanks again in advance.

- Raja



jjackson at aninetworks

May 25, 2011, 2:16 PM

Post #5 of 8 (1735 views)
Re: protecting from network loops due to IP phones [In reply to]

Is there a corollary in Cisco land?





jjackson at aninetworks

May 25, 2011, 2:22 PM

Post #6 of 8 (1729 views)
Re: protecting from network loops due to IP phones [In reply to]

No idea why I used the word corollary..





rajasuperman at gmail

May 26, 2011, 12:35 AM

Post #7 of 8 (1728 views)
Re: protecting from network loops due to IP phones [In reply to]

On Thu, May 26, 2011 at 2:46 AM, Joseph Jackson
<jjackson [at] aninetworks> wrote:
> Is there a corollary in Cisco land?

I believe the default setup on Cat6500 is to automatically enable
BPDU Guard on all edge ports which have port-fast enabled.
Not sure if tagged ports are also protected. Can't understand
why BPDU Guard does not work with tagged ports on SX.

- Raja


rajasuperman at gmail

Jun 13, 2011, 12:44 AM

Post #8 of 8 (1680 views)
Re: protecting from network loops due to IP phones [In reply to]

On Thu, May 26, 2011 at 1:05 PM, Raja Subramanian
<rajasuperman [at] gmail> wrote:
> Not sure if tagged ports are also protected.  Can't understand
> why BPDU Guard does not work with tagged ports on SX.

Had a chance to test loop detection during a maintenance window
last weekend. Here are my observations for anyone who may find
it useful.


BPDU guard worked perfectly whenever there was an actual loop.
When any 2 untagged ports were looped, or when 2 ports in same
tagged VLAN were looped, BPDU guard shut down the ports as
expected.

When we had one port untagged, and the other tagged, BPDU guard
did not shut down ports. It also did not shut down ports when the two
were tagged in different VLANs. These two cases did not cause any
CPU/STP issues on LAN as I guess there was no data transfer possible
in this condition and there was no real loop happening here.

But loose mode loop detection also did not shut down the ports when
BPDU Guard had failed. Enabling loop detection on ~40 ports did not
cause any appreciable CPU load on our SX1600. BPDU guard on
400 ports causes no CPU impact at all.

So for the moment, I'm happy with enabling stp-bpdu-guard on all
my edge ports.

- Raja
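
Added example (not part of the original post, and not Brocade or FastIron code): the cabling cases tested above, plus the dual-mode mistake from the first post, run through a generic 802.1Q tagging model to show which combinations can pass frames at all. The VLAN IDs 10/20/30 and the port layouts are constructed, and the IP phone is assumed to pass frames through unchanged.

```python
from dataclasses import dataclass
from typing import Optional

# Generic 802.1Q ingress/egress rules, not FastIron internals.
# VLAN IDs 10/20/30 are constructed for illustration.

@dataclass(frozen=True)
class Port:
    untagged: Optional[int] = None   # VLAN for untagged frames, if any
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag

def egress(port):
    """Frames the port can send, as (vlan, tag_on_wire) pairs."""
    frames = [(v, v) for v in sorted(port.tagged)]
    if port.untagged is not None:
        frames.append((port.untagged, None))
    return frames

def ingress(port, tag):
    """VLAN a received frame is classified into, or None if dropped."""
    if tag is None:
        return port.untagged
    return tag if tag in port.tagged else None

def cable(a, b):
    """(source VLAN, destination VLAN) pairs that cross a cable a<->b."""
    paths = set()
    for src, dst in ((a, b), (b, a)):
        for vlan, tag in egress(src):
            landed = ingress(dst, tag)
            if landed is not None:
                paths.add((vlan, landed))
    return paths

def classify(a, b):
    """Summarise what a cable between ports a and b can carry."""
    paths = cable(a, b)
    if not paths:
        return "no path"
    if any(s != d for s, d in paths):
        return "vlans bridged"
    return "same-vlan loop"

CASES = {
    "two untagged, same VLAN": (Port(untagged=10), Port(untagged=10)),
    "two tagged, same VLAN": (Port(tagged=frozenset({20})), Port(tagged=frozenset({20}))),
    "untagged vs tagged": (Port(untagged=10), Port(tagged=frozenset({20}))),
    "tagged, different VLANs": (Port(tagged=frozenset({20})), Port(tagged=frozenset({30}))),
    "dual-mode vs untagged data": (Port(untagged=10, tagged=frozenset({20})), Port(untagged=30)),
}

if __name__ == "__main__":
    for name, (a, b) in CASES.items():
        print(f"{name:28} -> {classify(a, b)}")
```

In this model the untagged-vs-tagged and different-tagged-VLAN cables carry nothing in either direction, while the dual-mode port cabled to an untagged port in another VLAN passes untagged frames between the two data VLANs.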
