
Configuration guide

Preventing loops on
ProVision switches
Table of contents
Prevent loops at the network edge
Topology
Prevent users from connecting two Ethernet ports together
Prevent devices that present themselves as Spanning Tree devices (block BPDUs)
Prevent loops created by edge devices not part of the organization's administrative domain
Additional links

Configuration guide | Preventing loops on ProVision switches

Prevent loops at the network edge

The network infrastructure is the main transport and communication service within the overall IT infrastructure; when this service is unavailable, the business is impacted. Many different edge devices are connected to the network infrastructure, and increasingly not every edge device falls under the administrative domain of the organization. As a result, network administrators see more loops that originate at the edge of the network infrastructure, even where common loop-prevention techniques such as Spanning Tree are enabled. These loops occur due to:
- Devices connected to the network edge that are not part of the organization's administrative domain
- Users that enable bridging on their PC
  - Bridging between wired and wireless
  - Bridging with virtual machines
- Users that connect two Ethernet network ports together, directly or indirectly
- Switches that block Spanning Tree Bridge Protocol Data Units (BPDUs)

HP ProVision switches implement several technologies that make it simple to prevent these loops from occurring within the network infrastructure. This configuration example describes the following solutions:
- Prevent users from connecting two Ethernet ports together
- Prevent devices that present themselves as Spanning Tree devices (block BPDUs)
- Prevent loops created by edge devices not part of the organization's administrative domain

All of these technologies are simple to configure and are implemented at the edge of the network infrastructure. Only a single ProVision switch is needed to configure and test these solutions.

Topology
Figure 1. Configuration example diagram: a single ProVision switch with edge ports 1-22 and uplink ports 23-24 towards the WAN.

Prevent users from connecting two Ethernet ports together

Within most network infrastructures, straight-through Ethernet cables are used. The default auto-crossing setting on ProVision switches is auto-mdix. This feature simplifies cabling, since the port automatically detects the cable type (straight-through or crossover). With this feature enabled, however, a loop between two ports of a switch can be created. Network administrators can recognise such a loop by the large amount of broadcast traffic sent and received on the port; in most cases Excessive Broadcast messages appear in the switch log. This can be prevented by simply configuring the edge ports manually with the mdix setting, which changes the connection behaviour of the port to:
- Connecting to a switch, hub, or other MDIX device requires a crossover cable
- Connecting to a PC or other MDI device requires a straight-through cable

Manually configure the edge ports to the mdix setting:

#Enter configuration mode
HP# configure terminal
#Configure all edge ports to the mdix setting
HP(config)# interface ethernet 1-22 mdix-mode mdix


Prevent devices that present themselves as Spanning Tree devices (block BPDUs)

BPDU packets are used within Spanning Tree to exchange messages between the network nodes that are part of the Spanning Tree topology. BPDU protection is a security feature implemented at the network edge to protect the active STP topology from wrong or spoofed BPDU packets entering the STP domain. It is implemented at the edge of the network infrastructure: when STP BPDU packets are received on a network edge port, the feature disables the port and sends an alert message to a network management system such as HP Intelligent Management System (IMS). The port can be disabled with an infinite timeout, in which case the network administrator needs to re-enable the port manually. In this configuration example, the port is disabled for 5 minutes and then automatically re-enabled.

Spanning Tree BPDU protection config:

#Enter configuration mode
HP# configure terminal
#Enable BPDU protection on all edge ports
HP(config)# spanning-tree 1-22 bpdu-protection
#Configure the duration in seconds that a port remains disabled after it receives an unauthorized BPDU
HP(config)# spanning-tree bpdu-protection-timeout 300
#Enable sending an SNMP notification trap
HP(config)# spanning-tree trap errant-bpdu

Multiple packet generators are available on the Internet for testing this feature. When working in a test infrastructure, make sure Spanning Tree is enabled globally. During testing, show spanning-tree bpdu-protection <port number> can be used to verify whether errant BPDUs have been received; a log message is also written when an errant BPDU is received.

Prevent loops created by edge devices not part of the organization's administrative domain

This feature protects the network infrastructure from situations where users connect two edge ports to each other, for example via an unmanaged switch. Such switches do not forward BPDUs, so Spanning Tree cannot detect the loop. Loop protection detects loops by transmitting loop-protocol packets out of the ports on which it has been enabled. When the switch sends out a loop-protocol packet and then receives that same packet on a port whose receiver-action is send-disable (the default value), it shuts down the port from which the packet was sent. Loop protection can be combined with BPDU protection. In this configuration example, the port remains disabled for 5 minutes when a loop is detected. This value can also be infinite, in which case the network administrator needs to re-enable the port manually once the network management system receives the trap.

Loop protection config:

#Enter configuration mode
HP# configure terminal
#Enable loop protection on all edge ports
HP(config)# loop-protect ethernet 1-22
#Configure the disable timer to 300 seconds
HP(config)# loop-protect disable-timer 300
#Send an SNMP trap when a loop is detected
HP(config)# loop-protect trap loop-detected

The above configuration uses the default transmit interval of 5 seconds and the default receiver action of send-disable. When a loop-protection packet is received on a port with the send-disable receiver action, the port is disabled for 5 minutes, an SNMP trap is sent to the network management system, and a message containing Loop Protect is logged. The show loop-protect command displays the configuration and the time since the last loop was detected.
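The three edge-port protections above (mdix, BPDU protection and loop protection) are only effective if every edge port actually carries them. The following script is an added example, not part of the HP guide: it audits a saved configuration against the port range 1-22 and the commands the guide uses, flagging edge ports that lack any of the three settings and global settings (timers, traps) that are absent. The running-config line format, the port-list syntax and the sample configuration are assumptions constructed for the example.

```python
import re

# Edge ports the guide protects (1-22); ports 23-24 are uplinks and are left alone.
EDGE_PORTS = set(range(1, 23))

def expand_ports(spec):
    """Expand a ProVision-style port list such as '1-10,12,14-22' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_config(config, edge_ports=EDGE_PORTS):
    """Return (edge ports missing each per-port protection, missing global settings)."""
    covered = {"mdix-mode mdix": set(), "bpdu-protection": set(), "loop-protect": set()}
    seen = set()
    for line in config.splitlines():
        line = line.strip()   # only the command forms used in the guide are recognised (assumption)
        if m := re.fullmatch(r"interface (?:ethernet )?([\d,\-]+) mdix-mode mdix", line):
            covered["mdix-mode mdix"] |= expand_ports(m.group(1))
        elif m := re.fullmatch(r"spanning-tree ([\d,\-]+) bpdu-protection", line):
            covered["bpdu-protection"] |= expand_ports(m.group(1))
        elif m := re.fullmatch(r"loop-protect (?:ethernet )?([\d,\-]+)", line):
            covered["loop-protect"] |= expand_ports(m.group(1))
        elif m := re.fullmatch(r"(spanning-tree bpdu-protection-timeout|loop-protect disable-timer) (\d+)", line):
            # Assumption: a timer of 0 leaves the port down until an administrator re-enables it.
            if int(m.group(2)) > 0:
                seen.add(m.group(1))
        elif line in ("spanning-tree trap errant-bpdu", "loop-protect trap loop-detected"):
            seen.add(line)
    required = {"spanning-tree bpdu-protection-timeout", "loop-protect disable-timer",
                "spanning-tree trap errant-bpdu", "loop-protect trap loop-detected"}
    gaps = {name: sorted(edge_ports - ports) for name, ports in covered.items()
            if edge_ports - ports}
    return gaps, sorted(required - seen)

# Constructed running-config excerpt (format assumed): port 22 is missing from
# loop protection and the loop-protect disable timer was never set.
SAMPLE_CONFIG = """\
interface ethernet 1-22 mdix-mode mdix
spanning-tree 1-22 bpdu-protection
spanning-tree bpdu-protection-timeout 300
spanning-tree trap errant-bpdu
loop-protect ethernet 1-21
loop-protect trap loop-detected
"""

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))   # ({'loop-protect': [22]}, ['loop-protect disable-timer'])
```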


Additional links
Manuals for the HP Networking products can be found at:
http://h17007.www1.hp.com/us/en/networking/library/index.aspx#


Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA5-8216ENW, June 2015
