Sunday, December 14, 2014

Preventing a User from Causing a Loop with an Unmanaged Switch

I bet you have been in this situation: a user brings in a Linksys or Netgear unmanaged switch and plugs it in. Then they connect five devices and think they are network engineers.

It's no problem, at least as far as loops go, until they unplug a couple of devices and leave the cables lying there, still attached to the unmanaged switch at the other end. Then someone else comes along and plugs the loose end of one of those cables back into the same switch. Now you have a loop: broadcasts circulate between the two ports of the unmanaged switch, which has no spanning tree to stop them, and everything grinds to a halt while you start troubleshooting.

A better way
Use the interface command "spanning-tree bpduguard enable" on user-facing access ports. BPDU guard puts the port into the error-disabled (err-disabled) state as soon as any BPDU arrives on it. An unmanaged switch does not generate BPDUs itself, but it floods the BPDUs your switch sends out that port straight back, so the loop is caught on the next hello (every 2 seconds by default) instead of after a broadcast storm has already started. The same guard also shuts the port if someone plugs in a managed switch that tries to take part in your spanning tree, which is why it belongs on every access port, not only where you expect unmanaged switches. You can also turn it on for all PortFast ports at once with the global command "spanning-tree portfast bpduguard default".
You can enter "show interfaces status err-disabled" (the abbreviation "show interfaces status err" works too) to see any ports that are in the Error-Disabled state. To bring a port back by hand once the offending cable is gone, enter "shutdown" followed by "no shutdown" on the interface.

Automatic recovery
You can enable automatic recovery from a BPDU guard shutdown with the global command "errdisable recovery cause bpduguard". With this configured a timer starts as soon as the port is disabled. The default for the timer is 300 seconds. You can override this with "errdisable recovery interval xxx" (30 to 86400 seconds), for example "errdisable recovery interval 500" to make it 500 seconds. Note that the interval is one global value shared by every errdisable cause you enable recovery for; there is no per-cause timer.
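Here is the complete configuration described above, as an added example rather than configuration taken from the post or from the Cisco manual it references. The interface name Gi1/0/48 is borrowed from the log messages later on this page; the VLAN number and description are assumptions. The comment lines (starting with "!") explain each step.

```cisco
! --- Option 1: enable BPDU guard globally on every PortFast port ---
! Any port with PortFast configured gets BPDU guard automatically.
spanning-tree portfast bpduguard default
!
! --- Option 2: enable it explicitly on a user-facing access port ---
! (Assumed interface, VLAN and description for the example.)
interface GigabitEthernet1/0/48
 description User access port - BPDU guard protected
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Optional: automatic recovery (the post recommends leaving this off) ---
! The interval is global for all errdisable causes, 30-86400 seconds.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Manual recovery once the looped cable has been removed ---
interface GigabitEthernet1/0/48
 shutdown
 no shutdown
!
! --- Verification ---
! "show interfaces status err-disabled"  lists ports shut by BPDU guard
! "show errdisable recovery"             shows which causes auto-recover
! "show spanning-tree summary"           shows whether the global default is on
```

If you choose option 1, leave "spanning-tree bpduguard enable" off the interface; the global default covers it and a later "no spanning-tree portfast" on that port then disables the guard with it, so check which behaviour you want on ports you reconfigure. Do not enable PortFast or BPDU guard on uplinks to other managed switches, where BPDUs are expected.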

A Cautionary Note
One thing to think about before you enable automatic recovery for BPDU guard is whether the user will notice the problem and remove the cable.

If they do, the port will be re-enabled when the timer expires. The switch will be working again and no call to the helpdesk is needed.

But what happens if the user just leaves the cable attached and walks away? The timer will expire, the port will be re-enabled and the loop will start again. This repeats every recovery interval until the cable is removed. It creates havoc on a schedule.

Here are messages from a switch with a looped unmanaged switch and auto recovery enabled. The recovery interval on this switch was set to 30 seconds, the shortest allowed, and the loop is back three seconds after the port comes up:
* 000044: Dec 14 05:08:56.632 PST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/48 with BPDU Guard enabled. Disabling port.
* 000049: Dec 14 05:09:26.628 PST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/48
* 000050: *Dec 14 05:09:29.888 PST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/48 with BPDU Guard enabled. Disabling port.

My recommendation is NOT to use auto-recovery for BPDUguard.

Related commands
* show errdisable recovery - Lists all ErrDisable reasons, whether recovery is enabled for each, and the shared recovery interval.
* show interfaces status err-disabled - Lists any interfaces that are in the Error Disabled state, with the reason.
* show spanning-tree summary - Shows whether BPDU guard is enabled globally for PortFast ports.

Reference
Cisco 3850 switch manual
