Another Loop preventing question... !

[Guillaume]

Hi guys,

After reading a couple of topic reguarding STP, SLPP, Rate-Limit, I was still unable to figure out something. But I'm actually pretty sure to have the awnser to it. Just want to confirm.

So I understand that many use STP on access port. And we are using it as well. Because each of our past loop problem occured because of an end user doing incorrect manipulation.

STP on access port only (disabled on LACP or MLT) is fine when we only have a stack on a specific floor. Looping in the same switch won't work. But when one of our office have a floor with let's say, 3 x 4548GT stacked AND a Procurve (we are in the process to change the procurve switches), then if the user is creating a loop between 2 switch, the STP activated locally on both switch only won't prevent the loop.

And the only way to solve this is to have a fully configured STP network for that office. Am I right with this ?

My other question :

Is there a way to know that a port is currently dropping packet due to Rate-Limiting ? I saw in a old post that it wasn't possible to know it, but since many year pass, I'm asking again. Like a syslog message that can be send to my server ?

Thanks !

[TankII]

You will need STP between the switches to prevent loops, under legacy circumstances.
However, you can also implement BPDUGuard on both switches' access ports, which should address this issue.
TankII

[Øyvind Nikolaisen]

It all depends on your distribution layer...

If your distribution/aggregation layer is either ERS5x00, ERS8x00 or any VSP-platform, activate SLPP on all vlans going to your edge switches. Then, activate SLPPGuard on all access ports, preferably with a 0 timeout to keep it in shutdown until you can investigate the issue.

BPDUFiltering is, by all means, quite usable, but a whole lot of inexpensive desktop switches won't bother sending out BPDUs. Just using BPDUFiltering won't save you from creative users with inexpensive junk!

Brgds,
Øyvind

[TankII]

Øyvind is correct- Use SLPP-Guard when you can.  However, you mentioned Procurve switches, hence my suggestion of BPDU guard for consistency.
We use SLPP-Guard, and it really does a great job.  However, we are 95% Avaya edge, with 90% ERS5000 series.  What we found is SLPP and Fast Spanning-Tree do NOT prevent loops through VOIP phones if someone cross-connects them back into the network.  SLPP-Guard or BPDU guard do stop that from happening.

TankII

[Guillaume]

Correct me if i'm wrong, but I thought that the SLPP was mainly there for SMLT and MLT cases ?

Some of you are using it the same way we could use STP on access port only ?

[TankII]

SLPP packets will shut down a core switch uplink if it sees incorrect VLAN packets.  You apply it on a per-VLAN basis.
SLPP-Guard is applied on the user ports to disable the end-user ports before a loop hits the core.

TankII

[Guillaume]

Ok good. But again, does SLPP-Guard will prevent a loop between a port in my Avaya stack and a port in a Procurve switch ?

I don't think... ?

[TankII]

If the connection is looped within the Procurve back into the 45XX, and the uplink to the Procurve has slpp-guard, it will shut the originating port to the Procurve down.  That could be a problem!
That's why I would recommend using BPDUGuard, which, while slower, is a standard and is available on both switches.
TankII