Saturday, December 19, 2015

Broadcast storm, or how to beat "the small scoundrels" in your network. Part 2 (see Part 1)


     So, we continue fighting the storm. Today I will share my experience with the dedicated loop-protection features on Cisco and HP ProCurve.
     Setting broadcast-limit on HP and storm-control on Cisco helped; the situation in the network became much better, but did not completely return to normal. Both Cisco and HP have specialized tools for fighting loops, including loops on "unmanaged" equipment.

     HP ProCurve.

     On ProCurve this function is called loop-protect, and it works on a simple and reliable principle: the switch sends a broadcast packet out of a port, and if that packet comes back, there is a "loop" on that port. A switch forwards a broadcast packet to all ports except the one it received the packet on, so if your network has a correct topology the packet cannot return. It is a simple and reliable protocol for detecting and blocking loops, even when the port is connected to a whole garland of unmanaged switches.
     Configuring this feature is very simple:
loop-protect A1-A24,B1-B24
A1-A24 and B1-B24 are the port ranges the setting is applied to. The command also has additional parameters describing the action to take when a loop is detected:
... receiver-action send-disable - block the port and take no other action,
... receiver-action send-recv-dis - block and try to recover after some time.

     Example: "loop-protect A1-A24,B1-B24 receiver-action send-disable" blocks the port when a loop is detected and does not restore it automatically. Automatic port recovery may not be needed anyway, because first you have to find and remove the loop, and only after removing it enable the port: int A17 enable
     You can also specify global settings for loop-protect, define timers and so on:
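To make the principle concrete, here is an added simulation (my own hypothetical model, not HP or Cisco code) of a loop-protect probe flooding through an unmanaged switch that has two of its own ports cabled together, with receiver-action send-disable blocking the receiving port and the port staying up once the loop is removed. Switch, probe, loop_protect and build_lab are invented names; the topology is constructed for the example.

```python
# Hypothetical simulation of the loop-protect principle (not HP or Cisco code):
# the protected switch sends a probe out of a port, every switch floods a frame
# to all ports except the ingress port, and a probe that comes home means a loop.
from collections import deque

class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.links, self.disabled = {}, set()  # port -> (neighbour, its port); blocked ports

    def connect(self, port, other, other_port):   # plug a cable between two ports
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def disconnect(self, port):                    # unplug one cable
        other, other_port = self.links.pop(port)
        other.links.pop(other_port, None)

def probe(origin, egress, hop_limit=256):
    """Send a loop-protect probe out of origin/egress; True if it comes back to origin."""
    queue, hops = deque([(origin, egress)]), 0
    while queue and hops < hop_limit:   # the bound only keeps the simulation finite
        sw, out_port = queue.popleft()  # a real looped switch would flood forever
        hops += 1
        if out_port in sw.disabled or out_port not in sw.links:
            continue
        nbr, in_port = sw.links[out_port]
        if nbr is origin:
            if in_port not in nbr.disabled:
                return True             # probe came home: there is a loop
        else:                           # flooding: every port except the ingress one
            queue.extend((nbr, p) for p in nbr.ports if p != in_port)
    return False

def loop_protect(switch, port_list):
    """One transmit-interval of 'loop-protect PORT-LIST receiver-action send-disable'."""
    looped = [p for p in port_list if p not in switch.disabled and probe(switch, p)]
    switch.disabled.update(looped)
    return looped                       # ports disabled in this round

def build_lab():
    """Constructed lab: ProCurve A17 -> D-Link port 1, D-Link ports 5 and 6 cabled
    together (the loop); A18 -> a PC, which has one port and never floods frames."""
    procurve = Switch([f"A{i}" for i in range(1, 25)])
    dlink = Switch(range(1, 9))
    procurve.connect("A17", dlink, 1)
    procurve.connect("A18", Switch([1]), 1)
    dlink.connect(5, dlink, 6)
    return procurve, dlink
```

Re-enabling A17 without removing the loop gets it blocked again on the next interval; after dlink.disconnect(5) the probe no longer returns and the port stays up.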

loop-protect disable-timer - how long after blocking the port to wait before trying to restore it,
loop-protect mode port / vlan - whether to work per port or per VLAN,
loop-protect transmit-interval 1-10 - the time interval between sending the "detecting packets" to a port,
trap, vlan and PORT-LIST - these are clear without explanation :)

     Today I tested the loop-protect technology - it works perfectly! The port connected to the D-Link with a loop between two of its ports was blocked by the ProCurve almost immediately:



     Cisco.

     Spanning-tree loopguard will not help us here. This technology is based on detecting "loss of BPDU communication"; it is meant for links between switches and does not help against loops on unmanaged network hardware.

     UDLD:
Either enable it globally for all interfaces:
   conf t
      udld enable

Or enable it on each interface separately:
   conf t
      interface GigabitEthernet0/1
         udld port enable

     This technology works well, but its interval is longer than HP's, 15 seconds against 5 on HP, and it is not configurable. For this reason the network may shake a little before the port gets blocked. UDLD also has two modes of operation: normal (just enable) and aggressive, but for our small tasks aggressive mode is not needed, so we will not look at it :)

     In general, it is a good idea to enable BPDU Guard on Cisco client access ports. BPDU Guard blocks the port if an incoming BPDU is seen, for example in the case of a simple loop. This is really fine-tuning of STP; in one of the following articles I will describe STP in more detail: BPDU Guard, BPDU Filter and much more I can tell about :)

     For the tests I used an HP ProCurve 5412zl and a Cisco 2960G. As the unmanaged "small scoundrel" I used an 8-port unmanaged D-Link with a loop between its ports.
