Comware

Hey!

In our network some guys recently plugged in the cable of a network jack in an unmanaged 8-port Netgear switch.

So Basically there is an existing connection between Port 3 of the HP J9728A 2920-48G Switch and the unmanaged 8-port Netgear switch right now.

On our HP Switch, STP is enabled and i guess thats why i got notifications at the Switch Web Client like "port 3 is Blocked by STP" 

So right now it is not possible to reach the hardware via icmp or something else which is connected to the unmanaged switch, whereas i am located in the conventionally network behind the HP Switch.

I guess that this behaviour should be completely right as it acts right now.

So my question is technically:

Why does this specific connection between the managed HP Switch and the unmanaged Netgear switch not work? 

Why i am not able to reach the respective hardware behind the unmanaged switch and what should i do to solve the problem? ( maybe just use another HP managed switch instead of the rubbish netgear switch, which is actually not possible right now) or is it just a software configuration issue? 

#unmanaged
#J9728A
#HP
#managed
#Netgear
#STP

Hi! on your HP 2920 please execute the commands reported below:

• show running-config interface ethernet 3
• show spanning-tree ethernet 3
• show spanning-tree ethernet 3 detail
• show spanning-tree ethernet 3 config

and paste here their outputs (sanitized = MAC Addresses obfuscated) using the "Insert/Edit code sample" </> customizing icon above for easy reading.

It's totally possible that you have a (STP related) running configuration that protect your port 3 when another switch is connected or that your connected unmanaged switch is hiding a loop that your HP 2920 is able to diagnose (and it is configured to protect itself in such a scenario).

 

Switch-1-1-1# show running-config interface ethernet 3 

Running configuration:

interface 3
   unknown-vlans block
   tagged vlan 1001-1004,1006,1008-1011,1013-1018,1029-1032,1034,1047-1051,1196,1201-1202
   untagged vlan 1
   loop-protect
   exit





Switch-1-1-1# show spanning-tree ethernet 3

 Multiple Spanning Tree (MST) Information

  STP Enabled   : Yes
  Force Version : RSTP-operation
  IST Mapped VLANs : 1-4094
  Switch MAC Address : xxxxxx-yyyyyy
  Switch Priority    : 32768
  Max Age  : 20
  Max Hops : 20   
  Forward Delay : 15

  Topology Change Count  : 5           
  Time Since Last Change : 16 days     

  CST Root MAC Address : xxxxxx-yyyyyy
  CST Root Priority    : 0           
  CST Root Path Cost   : 2000        
  CST Root Port        : A1                 

  IST Regional Root MAC Address : xxxxxx-yyyyyy
  IST Regional Root Priority    : 32768       
  IST Regional Root Path Cost   : 0           
  IST Remaining Hops            : 20          

  Root Guard Ports     : 
  Loop Guard Ports     : 
  TCN Guard Ports      : 
  BPDU Protected Ports :                                         
  BPDU Filtered Ports  :                                         
  PVST Protected Ports :                                         
  PVST Filtered Ports  :                                         

  Root Inconsistent Ports  :             
  Loop Inconsistent Ports  :             

                   |           Prio              | Designated    Hello         
  Port  Type       | Cost      rity State        | Bridge        Time PtP Edge
  ----- ---------- + --------- ---- ------------ + ------------- ---- --- ----
  3     100/1000T  | 20000     128  Forwarding   | xxxxxx-yyyyyy 2    Yes Yes 






 
Switch-1-1-1# show spanning-tree ethernet 3 detail

 Status and Counters - CST Port(s) Detailed Information

  Port                      : 3    
  Status                    : Up  
  BPDU Protection           : No 
  BPDU Filtering            : No 
  PVST Protection           : No 
  PVST Filtering            : No 
  Errant BPDU Count         : 0           
  Root Guard                : No 
  Loop Guard                : No 
  TCN Guard                 : No 
  MST Region Boundary       : Yes
  External Path Cost        : 20000       
  External Root Path Cost   : 2000        
  Administrative Hello Time : Global      
  Operational Hello Time    : 2           
  AdminEdgePort             : No 
  Auto Edge Port            : Yes         
  OperEdgePort              : Yes
  AdminPointToPointMAC      : True 
  OperPointToPointMAC       : Yes
  Aged BPDUs Count          : 0           
  Loop-back BPDUs Count     : 0         
  TC ACK Flag Transmitted   : 0         
  TC ACK Flag Received      : 0         

  MST        MST        CFG        CFG        TCN        TCN       
  BPDUs Tx   BPDUs Rx   BPDUs Tx   BPDUs Rx   BPDUs Tx   BPDUs Rx  
  ---------- ---------- ---------- ---------- ---------- ----------
  0          0          0          0          0          0         







Switch-1-1-1# show spanning-tree ethernet 3 config

 Multiple Spanning Tree (MST) Configuration Information

  STP Enabled [No] : Yes
  Force Version [MSTP-operation] : RSTP-operation
  Default Path Costs [802.1t] : 802.1t              
  Port State Events Logging : Disabled  
  MST Configuration Name : xxxxxx-yyyyyy                   
  MST Configuration Revision : 0        Switch Priority : 32768
  Forward Delay [15] : 15               Hello Time [2] : 2 
  Max Age [20] : 20                     Max Hops [20] : 20   

                  | Path      Prio Admin Auto Admin Hello  Root TCN Loop BPDU
  Port Type       | Cost      rity Edge  Edge PtP   Time   Grd  Grd Grd  Flt
  ---- ---------- + --------- ---- ----- ---- ----- ------ ---- --- ---- ---
  3    100/1000T  | Auto      128  No    Yes  True  Global No   No  No   No

Hi, well the port 3 is in Forwarding state...so STP is not blocking that port (actually). I strongly suspect (the reason, from the Unmanaged Netgear switch, was explained here) that the only packet's tagging understood and admitted by the Unmanaged Netgear Switch is indeed the "untagged" one thus the VLAN id 1 you configured the port 3 to be untagged member of; any other packet leaving the port 3 tagged with any of the VLAN ids you have the port 3 configured to be member of (VLAN id 1001-1004, 1006, 1008-1011, 1013-1018, 1029-1032, 1034, 1047-1051, 1196 and 1201-1202 [*]) is going to be dropped on the incoming port of the Unmanaged Switch.

Since you already have RSTP enabled, I suggest you to setup root-guard, bpdu-protection and loop protection on port 3...see here to understand why.

[*] A nice way to easily understand, from the port standpoint, how is the VLAN membership on a particular port (or range) is to use the show vlan port <port-id> detail command.

So in addition, all the components behind the unmanaged switch are in VLAN 1 and apart from that, the managed HP switch is also in VLAN 1

So concerning your statement "Since you already have RSTP enabled, I suggest you to setup root-guard, bpdu-protection and loop protection on port 3...see here to understand why."

Who do i do that? 

Sorry, do you want to really ask: Why or How I do that? ...I really can't understand the "Who do i do that?" question.

Sorry, i must have been mentally absent at the time.

Yeah, i want to know, why do i have to do that and especially how, so which commands do i have to use?

@parnassus Do you have more information for me right now?

Hello, isn't the content available at the second link I provided you already self-explaining enough?

IMHO that blog entry (in a more discorsive way with respect to what official reference guides are generally able to provide) there is the "Why" (protect your network) against the "Who" (can cause you issues) and the "How" (do that in terms of configuration) specifying the "Where" (you should enforce your protective mechanisms).

@parnassus in the meantime I have found out something new.

So the device which is plugged in to the unmanaged switch, is located in the default, untagged VLAN.

So from any device in this VLAN, i am able to reach this device via icmp but if i try to reach the respective device on the unmanaged switch from another vlan, i get back a timeout. So no connection is possible.

So IMHO i guess, i am not able to reach that device from another VLAN because the unmanaged switch didn't tagg the ethernet packet with the expected VLAN ID or pvid ? 

Do you have any idea, how i could be able to reach this device from another specific vlan ? Maybe with masquerading or NAT or something else?

@parnassus do you have any update to my latest comment?