[c-nsp] risks of assigning redundant paths on data link layer to end-customer

Keegan Holley keegan.holley at sungard.com
Tue Nov 22 18:22:18 EST 2011


2011/11/21 Martin T <m4rtntns at gmail.com>

> Let's assume there is the following setup:
>
> http://img844.imageshack.us/img844/9133/stp.png
>
> ISP manages "R1", "C3550-24-A", "C-355-24-B" and "C2950-24-A".
> "Customer-SW" is fully under customer control. As you can see, there
> are two paths to "Customer-SW". What are the risks with such setups in
> general? I'm able to name two disadvantages:
>
> 1) in case customer configures (accidentally) "spanning-tree
> bpdufilter enable" on his ports Fa0/23 - 24 there will be an L2 loop
> which causes very high PPS and CPU load in ISP devices
>

That is a risk, but control plane protection is a must for a router in an
environment like that, so hopefully you're protected against it.  You could
also write the config for them or a config guide to keep them from messing
things up.  Is the environment multi-tenant?  If not, the only risk is one
customer blowing up their own environment.  If not, you or the ISP should
install some protections to contain bridging loops.

>
> 2) in case customer switch is a STP root (it's easy to become root
> switch by changing priority when "root guard" on ISP side is not
> configured) and customer VLAN is through many ISP switches,
> non-optimal paths for traffic can take place
>

You should never connect to a customer network without some protection.
Root-guard or setting your priority to extend sys-id +1 or something.  You
should also manipulate the spanning-tree priorities so that the same links
block in every vlan.

>
> Are there some other possibilities for L2 loop? Or anyone seen a
> hub/switch which handles 802.1d/802.1w BPDUs somewhat abnormally and
> might create a L2 loop (under certain circumstances)? Any other
> disadvantages which might arise with setups like this?
>

Unidirectional links, bad ASICs/switchports, cables plugged into the wrong
ports, bad copper/fiber patch panels.  There are several things that could
cause a bridging loop.  Layer-2 networks aren't to be feared; it just needs
to be done right like everything else.  You can probably find some docs on
ISP best practices on Google to fill in anything that doesn't come up in
this thread.

>
>
> regards,
> martin
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
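The protections discussed in this thread (root guard on customer-facing ports, an explicit ISP bridge priority so a customer switch cannot win root, and no BPDU filtering on the ISP's own ports) are easy to audit mechanically. The script below is an added example, not something posted in the thread or shipped by any vendor; it parses a constructed IOS-style switch configuration (the `SAMPLE_CONFIG` text and the port names are made up for illustration) and reports which of those protections are missing. It assumes the `spanning-tree vlan N priority P` and per-interface `spanning-tree guard root` / `spanning-tree bpdufilter enable` syntax, and models only the priority check, not the "extend sys-id +1" variant Keegan mentions.

```python
"""Audit an IOS-style switch config for the STP protections an ISP should
apply on ports facing a customer switch with redundant L2 paths."""
import re
from collections import OrderedDict

# Constructed sample config for illustration only (not a real ISP config).
# Fa0/23 is protected; Fa0/24 has no root guard and filters BPDUs.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 100 priority 4096
!
interface FastEthernet0/1
 description uplink to C3550-24-B
 switchport mode trunk
!
interface FastEthernet0/23
 description customer-facing, Customer-SW Fa0/23
 switchport access vlan 100
 spanning-tree guard root
!
interface FastEthernet0/24
 description customer-facing, Customer-SW Fa0/24
 switchport access vlan 100
 spanning-tree bpdufilter enable
!
"""

DEFAULT_PRIORITY = 32768  # IEEE default bridge priority


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # back in global configuration mode
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12' into [1, 10, 11, 12]."""
    vlans = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.extend(range(int(lo), int(hi) + 1))
        else:
            vlans.append(int(part))
    return vlans


def global_vlan_priorities(config_text):
    """Return {vlan: priority} from 'spanning-tree vlan <list> priority P'."""
    prios = {}
    pattern = r"^spanning-tree vlan (\S+) priority (\d+)"
    for m in re.finditer(pattern, config_text, re.MULTILINE):
        for vlan in expand_vlan_list(m.group(1)):
            prios[vlan] = int(m.group(2))
    return prios


def audit(config_text, customer_ports):
    """Return a list of findings for the given customer-facing ports."""
    findings = []
    interfaces = parse_interfaces(config_text)
    prios = global_vlan_priorities(config_text)
    customer_vlans = set()
    for name, cmds in interfaces.items():
        # A BPDU filter hides a loop from STP entirely, on any port.
        if "spanning-tree bpdufilter enable" in cmds:
            findings.append(f"{name}: bpdufilter enabled, a loop via this port is invisible to STP")
        if name not in customer_ports:
            continue
        if "spanning-tree guard root" not in cmds:
            findings.append(f"{name}: customer-facing port without root guard")
        for cmd in cmds:
            m = re.match(r"switchport access vlan (\d+)", cmd)
            if m:
                customer_vlans.add(int(m.group(1)))
    # Without a lowered priority, a customer switch can become root just by
    # lowering its own priority, which is the thread's second risk.
    for vlan in sorted(customer_vlans):
        if prios.get(vlan, DEFAULT_PRIORITY) >= DEFAULT_PRIORITY:
            findings.append(f"vlan {vlan}: ISP priority left at default, a customer switch can win root")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, {"FastEthernet0/23", "FastEthernet0/24"}):
        print(f)
```

Run against the sample, the audit reports two findings, both on FastEthernet0/24 (missing root guard and BPDU filtering); FastEthernet0/23 and VLAN 100 pass. In practice you would feed it the running config of each ISP edge switch and treat any finding on a customer-facing port as a ticket, since the customer side of the link is exactly the part you cannot inspect.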
