Network Management

  • 1.  Loop Prevention (Spanning Tree)

    Posted Mar 19, 2021 12:53 PM
    This diagram is a simplified version of how our network is set up.  Buildings have routers responsible for the subnets contained within them.  Building routers exchange routes with one another via OSPF.  Switches connect to those routers and put user devices into VLANs/IP subnets.

    How should I be guarding against users creating loops in a network like this?  Spanning tree, loop protect, both?  I've come to various conclusions on this as I've thought about it over the years, but I'm not sure I've ever gotten it right.

    ------------------------------
    Adam Forsyth
    ------------------------------


  • 2.  RE: Loop Prevention (Spanning Tree)

    Posted Apr 08, 2021 12:49 AM
    hi forsytad,

    From my point of view, you have two options.
    First, you can work with loop protection. This will detect loops in your access area. Loop protect is not VLAN aware, which means that loops between VLANs are not always detected if they are on different switches. Please check the manual for details.

    You can also use BPDU protection. This will not only protect against loops but also against misconfigured devices with STP enabled. BPDU protection uses BPDUs to protect against loops and/or misconfigured devices and therefore does not care about VLANs. This means loops between VLANs will be detected as well, even on different switches.

    BR
    Florian

    ------------------------------
    -------------------------------------------------------------------------------
    Florian Baaske
    -------------------------------------------------------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    -------------------------------------------------------------------------------
    Also visit the AirHeads Youtube Channel:
    https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
    -------------------------------------------------------------------------------
    Feel free to visit my personal Blog
    https://www.flomain.de
    ------------------------------



  • 3.  RE: Loop Prevention (Spanning Tree)

    Posted Apr 09, 2021 09:35 AM
    As Florian points out, there are two main alternatives and pros and cons to each.  In general, spanning tree will function to arbitrate between alternate paths between anticipated switches - the stacking process for AOS-CX depends on this to choose one of the available paths between two switches linked at high speed for VSF setup.  It's also the basis of the longstanding Cisco-promoted Enterprise Architecture, with pairs of switches at each of three levels.  STP blocks one path until the other fails.  It also protects against issues with link aggregation, where an expected "port channel" or aggregation fails to form, and leaves a loop instead.

    Where an STP variant will be used, configuration is important.  Defaults work against you - if all switches are at default bridge priorities, the MAC addresses are used to determine the root bridge and other elements of the system.  Therefore, the intended root bridge (typically the core switch) should have a priority of 0, and an alternate should have a priority of 1 (this is assuming the AOS model of 0 to 15, which is commonly used).  Edge switches should have a priority of 15, so they only become the root bridge when nothing else is available.  On a given switch, port priorities can be used as well, to help with STP topology decisions.

    Your question goes to another issue - people bring in things from home and create problems for you.  And Florian hits the solution precisely - use BPDU protection to block connection of any device capable of emitting BPDUs (Bridge Protocol Data Units - I know that may be basic, but I wrote training and dislike having undefined acronyms).  Loop protection goes beyond not being VLAN-aware.  It uses a non-standard payload to determine if its own traffic is looping back to it, addressing devices that are not emitting BPDUs.  This would cover bridged interfaces on a system (wired and wireless interfaces on a PC, for example), as well as old hubs and any consumer-grade device that isn't capable of working with BPDUs.

    With BPDU or loop protection, once a loop is detected, the port is shut.  It can be configured to remain shut until administrator action is taken, or to re-enable in a specified timeframe.

    I've worked with some larger networks, and prefer to enable both BPDU and loop protection on intended edge ports.  You can also write MAC-based ACLs that either exclude certain makers' devices or permit only those devices your organization owns - typically by using the MAC Organizational Unique Identifier or OUI.  The challenge here is keeping this up to date, but in secure networks such as financial or HIPAA-compliant applications, it can help with audits.

    Hopefully that adds a bit of information.  Good that you're considering this.

    ------------------------------
    Timothy Leadbetter
    ACMP, ACSP, ACCA
    CWNA, CWDP
    ECSE-Design
    ------------------------------
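A configuration sketch that puts the two replies above together (root-bridge priorities on the core pair, edge switches at the lowest priority, BPDU protection plus loop protection on user-facing ports, and the shutdown timers). This is an added example, not configuration from either post. It assumes ArubaOS-Switch (AOS-S) CLI syntax, three switch roles, and that user ports are 1-44 while the uplinks are 45-48; AOS-CX uses different keywords for the same features, so verify every line against the manual for your platform.

```text
! --- Core switch: intended root bridge ---
! AOS-S priority is 0-15 (multiplied by 4096 internally); 0 is the
! lowest value, so this switch wins the root election whenever it is up.
spanning-tree
spanning-tree priority 0

! --- Second core / building router switch: alternate root ---
spanning-tree
spanning-tree priority 1

! --- Edge (access) switch ---
! Priority 15 means it only becomes root if nothing better is reachable.
spanning-tree
spanning-tree priority 15

! User-facing ports only. Never apply bpdu-protection to uplinks
! (45-48 here): an uplink must be able to receive BPDUs from the core.
spanning-tree 1-44 admin-edge-port
spanning-tree 1-44 bpdu-protection
! 300 s = port comes back by itself after five minutes;
! 0 = stays down until an administrator clears it.
spanning-tree bpdu-protection-timeout 300

! Loop protect catches devices that loop traffic without speaking STP
! (bridged PC interfaces, hubs, consumer gear). Same timer semantics.
loop-protect 1-44
loop-protect disable-timer 300
loop-protect trap loop-detected

! --- Verification ---
! show spanning-tree                  -> confirm the core is root, edge is not
! show spanning-tree bpdu-protection  -> ports in bpdu-protection, error state
! show loop-protect                   -> loop count per port, disabled ports
```

Two caveats when adapting this: if an edge switch ever shows up as root in `show spanning-tree`, the priority or the uplink path is wrong and the loop protection on the ports is doing nothing about it; and a disable timer of 300 seconds means a looped cable will flap the port every five minutes, which is acceptable in a student lab but not on a port feeding a clinical or trading floor, where 0 (manual re-enable) plus the trap is the safer choice.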