[c-nsp] HP Loop-protect on Cisco

[Peter Rathlev]

On Wed, 2011-12-07 at 21:39 +0100, Andrew Miehs wrote:
> Does anyone know if there is a Cisco catalyst equivalent of the HP
> Procurve loop-protect command?
> 
> I am trying to find a way of protecting our Catalysts from someone
> replacing an STP enabled switch connected via an access port with a
> "dumb hub".
> 
> The "spanning-tree guard loop" is one alternative, but that just
> checks whether or not BPDUs are being received. The HP loop-protect
> actually sends out packets with its own identifier, and shuts down
> ports if it see this packet come back to it.

AFAIK all Cisco switches always send "Ethernet Loopback" (ethertype
0x9000) packets on switchport interfaces and disable the port is things
loop. Loops would result in a message like this:

 %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/37

This would possibly be followed by:

 %PM-4-ERR_DISABLE: loopback error detected on Fa0/37, putting Fa0/37 in err-disable state

You could disable this with "no errdisable detect cause loopback". You
could also explicitly use "down-when-looped" on the interface
configuration to force the port down even if err-disable haven't shut it
down.

 %VDWL-3-LOOP_BACK_DETECTED: Loop-back detected on FastEthernet0/37

With "down-when-looped" the port would never transition to
"line-protocol up" state.

Physical loops like those that the Ethernet Loopback catch are not the
only possible problem. Also use copius amounts of "spanning-tree
bpduguard enable" so a "loop" through a switch would also be caught.
(Unless this switch blocks BPDUs of course.)

> Google mentioned using the Cisco "keepalive" interface command, but I
> don't see how that would help the situation.

I don't think keepalive (which AFAICT cannot be disabled on Catalyst
switches) would prevent loops. It just takes down the link when it loses
signaling. And 802.3z largely means this is superflous.

-- 
Peter