It has been a long time since I posted here, sorry. There is plenty of material; I simply haven't had the time.
I'll try not to disappear for so long again.
While it's still fresh in memory, let me tell you what happened to us recently (to be precise, the day before yesterday).
Nothing foretold trouble, when a port-channel made of several 10GE interfaces (between a cat6500 and an Extreme x650) went down with the message
Jan 17 16:07:01.581 marmot:% PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po2, putting Po2 in err-disable state
even though the last configuration change on the 6500 had been three days earlier. Then (after about half a minute) it came back up via errdisable autorecovery, and within minutes went down again with the same message. Rebuilding the port-channel did not change the situation. Debug showed nothing useful either.
Finding the cause and a way to eliminate it took about an hour.
As it turned out, one client had started sending strange BPDUs, and because that client was connected to the x650, whose port did not filter BPDUs, they were passed on to the 6500. And the 6500 was shutting down the port-channel with that strange diagnosis.
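To catch this disable/autorecover/disable cycle in syslog before spending an hour on it, here is an added example (not from the original post): it parses IOS err-disable messages and flags interfaces that are err-disabled repeatedly within a short window. The first sample line is the message quoted above; the later timestamps and the Gi3/1 line are constructed, and the year for the timestamps is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: line 1 is the real message from the post, the rest are
# hypothetical repeats after errdisable autorecovery plus one unrelated event.
SAMPLE_LOG = """\
Jan 17 16:07:01.581 marmot:% PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po2, putting Po2 in err-disable state
Jan 17 16:09:12.003 marmot:% PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po2, putting Po2 in err-disable state
Jan 17 16:11:40.777 marmot:% PM-SP-4-ERR_DISABLE: channel-misconfig error detected on Po2, putting Po2 in err-disable state
Jan 17 16:30:00.000 marmot:% PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi3/1, putting Gi3/1 in err-disable state
"""

# Matches both the supervisor (PM-SP-4) and the plain (PM-4) variant of the message.
ERR_DISABLE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\.\d+\s+\S+:\s*%\s*PM(?:-SP)?-4-ERR_DISABLE:\s*"
    r"(?P<cause>\S+) error detected on (?P<intf>\S+),"
)

def parse_err_disable(text, year=2000):
    """Return [(timestamp, cause, interface)] for every err-disable message.
    Syslog lines carry no year, so one is assumed (year wrap is ignored here)."""
    events = []
    for line in text.splitlines():
        m = ERR_DISABLE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["cause"], m["intf"]))
    return events

def find_flapping(events, window=timedelta(minutes=10), threshold=3):
    """Return {interface: (cause, count)} for interfaces err-disabled at least
    `threshold` times inside `window`, i.e. autorecovery is just cycling."""
    by_intf = defaultdict(list)
    for ts, cause, intf in events:
        by_intf[intf].append((ts, cause))
    flapping = {}
    for intf, hits in by_intf.items():
        hits.sort()
        for i in range(len(hits)):
            j = i  # count events from hits[i] that fall within the window
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flapping[intf] = (hits[i][1], j - i)
                break
    return flapping

if __name__ == "__main__":
    for intf, (cause, n) in find_flapping(parse_err_disable(SAMPLE_LOG)).items():
        print(f"{intf}: {n} x {cause} err-disable within 10 min; autorecovery is cycling, "
              "check the member ports for BPDU/L2PT frames arriving from client ports")
```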
That is also how the command "no spanning-tree etherchannel guard misconfig" was discovered. Actually, the conclusions:
1. STP is evil. If using it is unavoidable, BPDUs must travel only within your own network and be filtered on all client ports on both sides (don't be lazy, do it with a MAC ACL where simpler methods don't work). Even then you cannot be completely at ease.
2. The L2 implementation in Cisco IOS is, to put it mildly, curious.
Let me give another example, this time a hypothetical situation, that illustrates both conclusions.
Suppose we bought L2 transport (Q-in-Q) from a third-party operator, and that operator (at our request or on its own initiative) configured BPDU tunneling for us, "l2protocol-tunnel stp", on its Catalyst. We carefully configured bpdufilter on our client ports and run STP over this link. Then one of our customers sends us a tunneled BPDU packet (in fact, any multicast frame to the MAC 01:00:0c:cd:cd:d0). That frame passes our bpdufilter, because it is not a BPDU, and goes out onto the transport. The local Catalyst (the one doing the BPDU tunneling) detects an already-tunneled packet. Instead of dropping it, it writes something not very clear in the log and puts the port into err-disable, even though that port carries 8 x 10GE and 1000 VLANs. And it does not say which VLAN the packet that triggered this reaction arrived on. And this errdisable cannot be turned off.
In fact, this is roughly the same as the real case from the day before yesterday: vulnerability to activity on client ports, the switch's scant diagnostics for the problem, and the readiness of Cisco IOS to put whole ports (port-channels included) into err-disable because of one unexpected packet instead of simply dropping it (I have not seen this with other vendors).
Sometime, when I get the chance, I'll write more about the various interesting pitfalls in MSTP (because of which we now use only PVST).