Switch – Avoiding ARP broadcast storms

ethernetswitch

We ran into a problem the other day when a member of our staff inadvertently double-connected a cheap switch (no STP) to another switch that had STP disabled. (The second switch was connected to our main network.) The resulting packet storm brought down our network.

If our simplified network topology looks something like this

.--.
|S1|
'--'
  |
.--. ___ .--.
|S2| ___ |S3|
'--'     '--'

(Sorry for the crude ASCII art; I'm trying to illustrate that S2 and S3 are connected twice, creating a bridging loop.)

  • S1 is actually a rack of Cisco switches
  • S2 is a Netgear smart switch with STP disabled
  • S3 is an embedded switch with no STP

This area isn't my forte, so I'm not even sure if this is possible, but if our network looks something like this, is there a way to protect S1 from the ensuing broadcast storm between S2 and S3?

Update with a little more info:

  • Rack-mounted Cisco switches are a mix of SG200-50s, -26s, and -18s
  • Netgear is a GS108Tv2 running firmware v5.0.5.7
  • The more esoteric piece of equipment is a small embedded switch that goes in an industrial controller; the link is here: https://www.phoenixcontact.com/online/portal/us?uri=pxc-oc-itemdetail:pid=2891001&library=usen&pcck=P-08-08-10-06-01&tab=2. The PDF (Downloads tab) says something about a "multi-address function", but I don't think this is STP/RSTP.

Thanks for all the answers so far. I really appreciate it.

Best Answer

Agree with both Ron and Mike Pennington here. The entire point of Spanning Tree is to prevent broadcast storms from blowing up your network and you have just recently observed a practical lesson in how that happens.

Knowing the version of your Netgear switch would be helpful. I'm looking at an older version of the ProSafe switch user manual for the GS748TS and the Spanning-Tree settings are quite granular, so you should be able to configure the switch to prevent such things from happening in the future.

On the older Netgear ProSafe switches I have used, the default configuration is that STP is enabled in RSTP (Rapid Spanning Tree) mode with BPDUs flooded to all ports on the switch. This is a good configuration for everyday use. In order to help you more, we would need to know how many VLANs are on your network and so forth.

But at the end of the day this is a hard lesson in the need for company policies that govern what can and cannot be connected to a production network. At my employer (a large Fortune 500 manufacturing enterprise) our network policy is that all access ports on switches are configured with BPDU Guard enabled, so that when any unknown switching device is plugged into one the port becomes error-disabled. If you have SNMP monitoring on your switches, then you will get an alert.

There is a small price to be paid in user frustration, but this is more than made up for by the fact that you will automatically have visibility and, hopefully, control over what gets connected, and you won't have to deal with network outages in the future.
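A concrete version of the BPDU Guard policy described in the answer, added here as an example; it is not the answer's own configuration and not taken from the question's switches. It assumes classic Cisco IOS syntax on the access switch facing S2. The SG200 series in the question is web-managed rather than CLI-driven, so the equivalent per-port BPDU Guard and storm-control settings would have to be located in its admin pages, and whether each model exposes them is something to check in its admin guide. The interface numbers, SNMP community string and trap-receiver address below are made up for the example.

```text
! Added example (not from the question or the answer). Cisco IOS syntax is
! assumed; interface numbers, community string and 192.0.2.10 are constructed.
!
! --- Weak: the effective state of S1's port toward the Netgear (S2) ---
interface GigabitEthernet1/0/10
 description uplink to Netgear S2 (STP disabled downstream)
 switchport mode access
 ! no BPDU Guard: a BPDU reflected back through the S2/S3 loop is simply
 ! accepted and the port stays up while the storm saturates the link
!
! --- Hardened: every access port goes err-disabled on any received BPDU ---
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Recover automatically after 5 minutes so a one-off mistake does not need a
! console visit; drop these two lines if you want manual recovery only.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Belt and braces: cap broadcast traffic on the same ports so a loop that
 ! never reflects a BPDU still cannot saturate the rack.
 storm-control broadcast level 1.00
 storm-control action trap
!
! Send the err-disable and storm-control events to the monitoring host.
snmp-server enable traps
snmp-server host 192.0.2.10 version 2c monitor-ro
!
! Checks after applying:
!   show spanning-tree summary          -> "Portfast BPDU Guard Default is enabled"
!   show interfaces status err-disabled -> lists the tripped port and the cause
!   show errdisable recovery            -> confirms bpduguard recovery is on
```

BPDU Guard only acts when a BPDU actually arrives on the guarded port. In the topology above, with S2 and S3 running no STP of their own, the BPDUs that trip it are S1's own: they leave toward S2, get flooded around the S2/S3 loop, and come back in on the port they left from, as long as S2 floods BPDUs rather than dropping them (the answer notes that Netgear's default is to flood them). That is why a looped non-STP switch still gets caught. The storm-control lines cover the remaining case of a loop that never reflects a BPDU, and `errdisable recovery` re-enables the port after the interval so the mistake self-heals once the extra cable is pulled.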