
Troubleshoot Loop Prevention for VLAN Based Solution

Exam: Cisco 642-832 - Troubleshooting and Maintaining Cisco IP Networks (TSHOOT v1.0)

This article explains how to configure a loop-free switched network using the Cisco IOS spanning-tree protection features.

  1. In an existing network, first ensure that the primary core switch is the root bridge for all VLANs and the secondary core switch is the backup root for all VLANs, using the following commands (x-x is the VLAN range):

    Primary
    spanning-tree vlan x-x root primary

    Secondary
    spanning-tree vlan x-x root secondary

    These commands force the primary switch to become the root and the secondary to take over as root if the primary fails. Note that root primary and root secondary are macros: the running configuration stores the resulting bridge priority (typically 24576 and 28672) rather than the keywords, and the macro is not re-evaluated if another switch later appears with a lower priority, so verify the outcome with show spanning-tree root.

  2. All access switches should have the following global configuration command (UplinkFast is enabled per switch, not per trunk port):

    spanning-tree uplinkfast

    Although this command is primarily a spanning-tree convergence optimization, it also helps keep the access switch a leaf of the tree: it raises the switch's bridge priority to 49152 and adds 3000 to the path cost of all of its ports, so that switches below this switch can never select a root port through it and the access switch never becomes a transit path. UplinkFast is a PVST+ feature; in Rapid PVST+ and MST mode the equivalent behaviour is built in and the command is not needed. Do not enable it on the core or distribution switches.

  3. All access-switch trunk ports facing customer networks should have the following command:

    spanning-tree guard root

    Root guard ensures that these switches will not accept superior BPDUs from the customer network. If a superior BPDU arrives on the port, the port is placed in the root-inconsistent (blocking) state until the superior BPDUs stop, so a customer switch can never become the root of your tree.

  4. All access ports on any switch should have the following commands:

    switchport mode access
    spanning-tree portfast
    spanning-tree bpduguard enable

    Or issue the following global configuration command, which is convenient on access switches:

    spanning-tree portfast bpduguard default

    The global form only protects ports that are operating in PortFast state, so PortFast must still be enabled per port (or globally with spanning-tree portfast default). A port protected by BPDU guard is put into err-disabled as soon as it receives any BPDU, which stops an unauthorized switch plugged into an access port from participating in spanning tree.

  5. If possible, all access ports on any switch should also have the following commands:

    switchport port-security
    switchport port-security maximum 1

    Port security must be enabled with the bare switchport port-security command; the maximum keyword on its own configures a limit that is never enforced. With a maximum of 1, only one MAC address can be learned on the access port, so a switch connected to that port (which would forward frames from several source MACs) triggers a violation and, with the default violation mode, the port is shut down into err-disabled. The maximum can be raised if more than one MAC is legitimately expected on the port (for example an IP phone with a PC behind it), but the higher the value, the more room there is for a switch to be connected unnoticed.

  6. If a fiber connection is present on the switch, it is recommended to use UDLD (Unidirectional Link Detection). A fiber link uses one strand to transmit and one to receive; if a single strand fails or the strands are mis-patched, the link can stay up in one direction only. A blocked spanning-tree port on such a link stops receiving BPDUs, transitions to forwarding, and a loop forms. UDLD detects this by exchanging its own hello messages with the neighbor and err-disables the port when it determines the link is unidirectional. The following interface command enables UDLD on a port: udld port (udld port aggressive for aggressive mode, which also err-disables the port when a previously seen neighbor stops responding). The global command udld enable turns UDLD on for all fiber-optic ports at once.
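Steps 2 to 6 above are all per-switch configuration that is easy to get subtly wrong (BPDU guard that never engages because PortFast is missing, a port-security maximum with port security never enabled, a customer trunk without root guard). The following Python script is an added example, not part of the original article: it parses a running configuration and reports which of these settings are missing or ineffective on each interface. The embedded running-config is constructed for the example (the interface names, descriptions and the "customer" naming convention used to identify customer-facing trunks are assumptions); step 1 is not audited here because root placement is verified on the core with show spanning-tree root rather than from an access-switch configuration.

```python
"""Audit an IOS access-switch running-config for the loop-prevention settings in steps 2-6."""
from typing import Dict, List, Tuple

# Constructed sample config (not from a real device); Gi1/0/3 and Gi1/0/11 are deliberately weak.
SAMPLE_CONFIG = """\
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree uplinkfast
udld enable
!
interface GigabitEthernet1/0/2
 description customer A handoff
 switchport mode trunk
 spanning-tree guard root
 udld port aggressive
!
interface GigabitEthernet1/0/3
 description customer B handoff
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport port-security maximum 1
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split show-run output into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for line in (ln.rstrip() for ln in text.splitlines()):
        if not line or line.startswith("!"):      # '!' closes the current section
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def has(cmds: List[str], cmd: str) -> bool:
    """True if cmd is present as a whole command or as the prefix of a longer one."""
    return any(c == cmd or c.startswith(cmd + " ") for c in cmds)


def audit_interface(cmds: List[str], global_cmds: List[str]) -> List[str]:
    findings: List[str] = []
    if has(cmds, "switchport mode access"):
        # Step 4: the global 'portfast bpduguard default' only guards ports that are in PortFast.
        portfast = not has(cmds, "spanning-tree portfast disable") and (
            has(cmds, "spanning-tree portfast") or has(global_cmds, "spanning-tree portfast default"))
        bpduguard = has(cmds, "spanning-tree bpduguard enable") or (
            portfast and has(global_cmds, "spanning-tree portfast bpduguard default")
            and not has(cmds, "spanning-tree bpduguard disable"))
        if not portfast:
            findings.append("access port without PortFast")
        if not bpduguard:
            findings.append("access port without effective BPDU guard")
        # Step 5: 'maximum N' does nothing unless the bare 'switchport port-security' is present.
        if "switchport port-security" not in cmds:
            findings.append("port-security not enabled" + (
                " (maximum is set but inert)" if has(cmds, "switchport port-security maximum") else ""))
    elif has(cmds, "switchport mode trunk"):
        # Step 3: customer-facing trunks need root guard. Matching 'customer' in the
        # description is an assumed naming convention for this example.
        desc = next((c for c in cmds if c.startswith("description ")), "").lower()
        if "customer" in desc and not has(cmds, "spanning-tree guard root"):
            findings.append("customer-facing trunk without root guard")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by 'global' and by interface name; an empty list means compliant."""
    global_cmds, interfaces = parse_config(text)
    mode = next((c.split()[-1] for c in global_cmds if c.startswith("spanning-tree mode ")), "pvst")
    report: Dict[str, List[str]] = {"global": []}
    # Step 2: UplinkFast is a PVST+ feature; Rapid PVST+ and MST have the equivalent built in.
    if mode == "pvst" and "spanning-tree uplinkfast" not in global_cmds:
        report["global"].append("PVST+ mode without spanning-tree uplinkfast")
    # Step 6: UDLD is enabled either globally (all fiber ports) or per port.
    udld_global = has(global_cmds, "udld enable") or has(global_cmds, "udld aggressive")
    if not (udld_global or any(has(c, "udld port") for c in interfaces.values())):
        report["global"].append("UDLD not enabled globally or on any port")
    for name, cmds in interfaces.items():
        report[name] = audit_interface(cmds, global_cmds)
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: {'; '.join(findings) or 'OK'}")
```

Run against the sample, GigabitEthernet1/0/11 is reported three times (no PortFast, therefore no effective BPDU guard, and an inert port-security maximum) and GigabitEthernet1/0/3 once for the missing root guard, while the compliant ports and the global section come back clean. Feed it the output of show running-config from a real access switch to get the same report for every interface.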