
Author Topic: Some Info or Spec Sheets  (Read 721 times)


Offline jcny21

  • Rookie
  • **
  • Posts: 9
Some Info or Spec Sheets
« on: June 25, 2010, 01:36:09 PM »
Hi All,

Today we experienced a problem with a broadcast issue. We have 2 Core 8600's MLT to 4 Edge 5698 switches. The 5698 switches are on separate networks of course and we have set the broadcast and cp limit to 4000. Today we had a user plug in a dirty D-Link switch to one of his jacks which was plugged into the 5698. It created a storm so the switch shut down its uplink ports, which is what it's supposed to do to protect the core. My question is whether on the net or someone may have a best practice about not daisy chaining switches, especially when you have a network which is worth over 100K with a small piece of junk like a D-Link switch? Any documentation would be greatly appreciated.

Thanks again


Offline bylie

  • Sr. Member
  • ****
  • Posts: 105
Re: Some Info or Spec Sheets
« Reply #1 on: June 25, 2010, 04:27:27 PM »
So if I understand this correctly you had a network loop on the D-Link switch which was injecting all the broadcasts back into the rest of the network?

To combat this we use STP and BPDU-filtering on all our accessports. The idea is that when someone makes a loop on such an accessport the STP will produce a packet at a fixed interval which then also will start looping and come right back in the originating accessport, this is where the BPDU-filtering finally kicks in and shuts down the port.

I must admit however that we have seen mixed results using this method on our Nortel ERS 2500's. In a lab/test environment this works 10 times out of 10, but when we tested this on a production stack it sometimes produced strange results. We saw things like BPDU-received messages followed by port shutdown messages in the log, but physically the port stayed up and was still taking in all the broadcasts, continuing to spread the love :). Sometimes the countdown timer wouldn't start running, which meant that access ports stayed down indefinitely instead of the 5 minutes we configured. We have been working on this with Nortel over the past months and have already replaced some switches to see if that resolves the issue; no definitive answer on this yet.

Our higher ERS models like the ERS 4500's, ERS 5500's, ... however seem to behave more reliably regarding this in the field, maybe because they have more powerful hardware which doesn't lose its cool in such situations :).

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2157
    • Michael McNamara
Re: Some Info or Spec Sheets
« Reply #2 on: June 25, 2010, 06:13:39 PM »
There are three features you'll want to look at:

  • rate-limiting
  • BPDU-guard
  • Spanning Tree Protocol

As bylie mentioned these features will help you protect your network. BPDU-guard will disable any switch port that sees a BPDU. So if you connect any device/switch/appliance/etc which transmits STP BPDUs the switch will immediately disable the port. This feature alone will help keep 99% of unauthorized switches off your network. Spanning Tree will help prevent any loops from being formed within the network and rate-limiting (very important to understand that this feature is implemented in hardware and not subject to overload) helps to protect the switch and network from becoming overloaded by broadcast and multicast traffic.

As bylie makes reference to... I've seen BayStack 450 and BayStack 460 switches become overloaded to the point where Spanning Tree (and other features) stop functioning properly because the switch software has gone "mad" trying to process all the broadcast and multicast packets. The rate-limiting feature is implemented in the ASICs (hardware) and helps to protect the switch from going mad by ingesting too many broadcast or multicast frames.

With all that said I'm not sure that all of those features are available on the ERS 2500 series switch.

Cheers!
If you've found this site useful and helpful, please help me spread the word. Link to us in your blog or homepage or Tweet about us! - Thanks!

Offline bylie

  • Sr. Member
  • ****
  • Posts: 105
Re: Some Info or Spec Sheets
« Reply #3 on: June 27, 2010, 08:52:58 AM »
The ERS 2500's are capable of rate-limiting, but there were some limitations if I recall correctly. We currently haven't implemented rate-limiting on those switches, as we've experienced in our test lab that rate-limiting alone really did not help much to prevent a switch from crumbling when a network loop occurred. That's why we, back then, decided to just not use rate-limiting and rely on BPDU-filtering and STP instead. But as suggested by Michael, maybe rate-limiting actually might still have a positive effect on the other features in case a loop occurs? We'll have to try to see if rate-limiting can make our BPDU-filtering act more reliably.
« Last Edit: June 27, 2010, 02:16:19 PM by bylie »

Offline nightwatch

  • Full Member
  • ***
  • Posts: 58
Re: Some Info or Spec Sheets
« Reply #4 on: June 28, 2010, 01:48:46 PM »
Apart from what was said already, if you have a stable network where MACs don't change often you can use port-security and set the maximum allowed MACs to 1 on edge ports.

Offline Paul L

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 201
    • Paul's Networking blog
Re: Some Info or Spec Sheets
« Reply #5 on: July 10, 2010, 12:04:35 AM »
Look at enabling SLPP on your two cores. That does an extremely good job at taking down the SMLT or MLT before the whole site gets taken down. If you set the timers properly it will only take down half of the SMLT or MLT.

And like mentioned above, BPDU filtering works well at the edge.

Another thing I have done at the edge is to enable "MAC learning limiting". You set each port to only learn one MAC; the second it sees two MACs it shuts down the port, then killing a D-Link switch or dumb hub. Because I have found that not all COTS switches send out the BPDU frame.

ACSS- Avaya Enterprise Routing Switch  #8
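The three edge-port protections the thread settles on (Michael McNamara's BPDU-guard and broadcast rate-limiting, and the one-MAC learning limit described by nightwatch and Paul L) can be illustrated as a small port-guard simulation. This is an added example written for this page, not code from the thread or from Nortel/Avaya; the frame stream, port names and 1-second counting window are constructed, and the 4000 frames-per-second threshold is taken from the original post. For simplicity the simulation disables a port when its broadcast rate exceeds the threshold, which matches the cp-limit behaviour the original poster saw; hardware rate-limiting on a real switch drops the excess frames instead of shutting the port.

```python
"""Simulation of three edge-port protections: BPDU-guard, broadcast
rate-limiting and a one-MAC learning limit. Constructed frames only."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BPDU_DST = "01:80:c2:00:00:00"   # IEEE 802.1D STP bridge group address
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    port: str      # ingress access port, e.g. "1/3" (constructed names)
    ts: float      # arrival time in seconds
    src: str
    dst: str


@dataclass
class EdgePortGuard:
    bcast_limit: int = 4000      # broadcasts per second before the port is disabled
    max_macs: int = 1            # MAC learning limit per access port
    disabled: Dict[str, str] = field(default_factory=dict)          # port -> reason
    learned: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    bcast_window: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def ingest(self, f: Frame) -> Optional[str]:
        """Process one frame; return the reason if the port is (now) disabled."""
        if f.port in self.disabled:            # a disabled port drops everything
            return self.disabled[f.port]
        # BPDU-guard: any STP BPDU on an access port means a switch is attached
        if f.dst == BPDU_DST:
            return self._disable(f.port, "bpdu-guard")
        # MAC learning limit: a second source MAC means a hub/switch is attached
        macs = self.learned[f.port]
        macs.add(f.src)
        if len(macs) > self.max_macs:
            return self._disable(f.port, "mac-limit")
        # Broadcast rate limit: count broadcasts in a sliding 1-second window
        if f.dst == BROADCAST:
            start, count = self.bcast_window.get(f.port, (f.ts, 0))
            if f.ts - start >= 1.0:
                start, count = f.ts, 0
            count += 1
            self.bcast_window[f.port] = (start, count)
            if count > self.bcast_limit:
                return self._disable(f.port, "broadcast-rate-limit")
        return None

    def _disable(self, port: str, reason: str) -> str:
        self.disabled[port] = reason
        return reason


def run_demo() -> Dict[str, str]:
    """Feed constructed traffic for four ports and return the disabled ports."""
    frames = []
    # 1/1: a normal PC, a handful of ARP broadcasts and unicast traffic
    for i in range(10):
        frames.append(Frame("1/1", i * 0.1, "00:11:22:33:44:01", BROADCAST))
        frames.append(Frame("1/1", i * 0.1 + 0.05, "00:11:22:33:44:01", "00:aa:bb:cc:dd:ee"))
    # 1/2: an unmanaged switch that does speak STP and emits a BPDU
    frames.append(Frame("1/2", 0.0, "00:11:22:33:44:02", BPDU_DST))
    # 1/3: a hub or BPDU-less switch with two hosts behind it (Paul L's case)
    frames.append(Frame("1/3", 0.0, "00:11:22:33:44:03", "00:aa:bb:cc:dd:ee"))
    frames.append(Frame("1/3", 0.1, "00:11:22:33:44:04", "00:aa:bb:cc:dd:ee"))
    # 1/4: a looped port reflecting one host's broadcasts, 4001 frames in 0.4 s
    for i in range(4001):
        frames.append(Frame("1/4", i / 10000.0, "00:11:22:33:44:05", BROADCAST))

    guard = EdgePortGuard()
    for f in sorted(frames, key=lambda x: x.ts):
        guard.ingest(f)
    return dict(guard.disabled)


if __name__ == "__main__":
    for port, reason in sorted(run_demo().items()):
        print(f"port {port} disabled: {reason}")
```

Port 1/1 stays up because its broadcast rate is low and it only ever presents one source MAC; 1/2 is caught by BPDU-guard, 1/3 by the MAC limit even though it never sends a BPDU (the gap Paul L points out), and 1/4 by the broadcast counter. In practice the three checks are independent, which is why the thread recommends enabling all of them rather than relying on any one.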