I have several locations with managed network switches – for example, one being a stack of 3com 4500's. On occasion we have an issue where a user somewhere in the building decides to plug in their own consumer grade switch, which is fine until they accidentally create a loop back by plugging a cable from one port to the other!
This ends up causing all kinds of havoc on the network, basically effectively taking it down in most cases.
Is there a way I can prevent this (and hopefully detect it if it happens)?
I believe that's what Spanning Tree Protocol (STP) is for, correct?
I see the device has a configuration screen for "MSTP", and by port and device I can configure it. Here is an example port MSTP status currently:
----[Port22(Ethernet1/0/22)][FORWARDING]----
Port Protocol :enabled
Port Role :CIST Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=auto / Active=200000
Desg. Bridge/Port :32768.0022-5782-5900 / 128.22
Port Edged :Config=enabled / Active=enabled
Point-to-point :Config=auto / Active=true
Transmit Limit :10 packets/hello-time
Protection Type :None
MSTP BPDU format :Config=auto / Active=legacy
Port Config
Digest Snooping :disabled
Rapid Fwd State :Rapid Forwarding
Num of Vlans Mapped :2
PortTimes :Hello 2s MaxAge 20s FwDly 15s MsgAge 0s RemHop 20
BPDU Sent :426
TCN: 0, Config: 0, RST: 0, MST: 426
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
And the device status:
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.0022-5782-5900
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.0022-5782-5900 / 0
CIST RegRoot/IRPC :32768.0022-5782-5900 / 0
CIST RootPortId :0.0
BPDU-Protection :disabled
TC-Protection :enabled / Threshold=6
Bridge Config
Digest Snooping :disabled
TC or TCN received :0
Time since last TC :0 days 16h:52m:12s
Device ports status:
MSTID Port Role STP State Protection
0 Ethernet1/0/2 DESI FORWARDING NONE
0 Ethernet1/0/3 DESI FORWARDING NONE
0 Ethernet1/0/4 DESI FORWARDING NONE
0 Ethernet1/0/5 DESI FORWARDING NONE
... etc ...
Best Answer
That's correct. You should turn on spanning tree for any port that may potentially have another bridge (switch) plugged into it. The only negative effect this will have is a reconvergence of spanning tree any time you plug a new device into a VLAN. This means that when you plug in a new device the port will be placed into a blocking state and you won't be able to use that port until spanning tree figures out that it's safe to use. This usually takes anywhere from 10 seconds (Rapid STP) to a minute (per-VLAN STP). If you have any ports that you absolutely need to come up immediately, or that you know will never have another bridge plugged into them, you can disable spanning tree on those ports. Also, with spanning tree, if you're using multiple vendors on your switches, be sure to use a version of spanning tree that is compatible throughout your network.
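The per-port and global status blocks quoted in the question already contain the two signals an operator needs to detect a plugged-in consumer switch before it loops the network: a port configured as an edge port ("Port Edged :Config=enabled") whose "BPDU Received" counter is non-zero has another bridge behind it, and a global "BPDU-Protection :disabled" means such a port is merged into the topology rather than isolated. The following script is an added example, not code from the question, the answer, or 3Com; it parses status text in the same layout as the blocks above and reports those conditions, plus ports where the answer's advice ("turn on spanning tree for any port that may have another bridge plugged into it") is not followed. The sample input is constructed and the interpretation of BPDU-Protection as the edge-port BPDU guard feature is an assumption.

```python
import re

# Constructed sample output modelled on the MSTP status blocks quoted in the question.
# Port 23 is the constructed rogue-switch case: configured as an edge port, it has
# received BPDUs (and so lost its active edge status). Port 24 has STP turned off.
SAMPLE_PORTS = """\
----[Port22(Ethernet1/0/22)][FORWARDING]----
Port Protocol :enabled
Port Role :CIST Designated Port
Port Cost(Dot1T) :Config=auto / Active=200000
Port Edged :Config=enabled / Active=enabled
Protection Type :None
BPDU Sent :426
TCN: 0, Config: 0, RST: 0, MST: 426
BPDU Received :0
TCN: 0, Config: 0, RST: 0, MST: 0
----[Port23(Ethernet1/0/23)][FORWARDING]----
Port Protocol :enabled
Port Role :CIST Designated Port
Port Cost(Dot1T) :Config=auto / Active=200000
Port Edged :Config=enabled / Active=disabled
Protection Type :None
BPDU Sent :431
TCN: 0, Config: 0, RST: 0, MST: 431
BPDU Received :12
TCN: 0, Config: 0, RST: 0, MST: 12
----[Port24(Ethernet1/0/24)][FORWARDING]----
Port Protocol :disabled
Port Role :CIST Designated Port
Port Edged :Config=enabled / Active=enabled
Protection Type :None
BPDU Sent :0
BPDU Received :0
"""

SAMPLE_GLOBAL = """\
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.0022-5782-5900
BPDU-Protection :disabled
TC-Protection :enabled / Threshold=6
TC or TCN received :0
"""

PORT_HEADER = re.compile(r"^----\[Port\d+\((?P<name>[^)]+)\)\]\[(?P<state>[A-Z]+)\]----$")
FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_fields(lines):
    """Turn 'Key :value' lines into a dict. The 'TCN: 0, Config: 0, ...' lines are
    sub-counters of the 'BPDU Sent/Received' line above them and are skipped."""
    fields = {}
    for line in lines:
        m = FIELD.match(line.strip())
        if m and m["key"] != "TCN":
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def parse_ports(text):
    """Split per-port output on its '----[PortN(...)][STATE]----' headers."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_HEADER.match(line.strip())
        if m:
            current = {"name": m["name"], "state": m["state"], "lines": []}
            ports.append(current)
        elif current is not None:
            current["lines"].append(line)
    return [{"name": p["name"], "state": p["state"], **parse_fields(p["lines"])} for p in ports]


def configured(value):
    """'Config=enabled / Active=disabled' -> 'enabled' (what the operator set,
    independent of what the protocol currently negotiated)."""
    m = re.search(r"Config=(\S+)", value)
    return m[1] if m else value


def assess_port(port):
    findings = []
    if port.get("Port Protocol") != "enabled":
        findings.append("STP disabled on this port: a loop behind it will not be blocked")
    received = int(port.get("BPDU Received", "0"))
    if configured(port.get("Port Edged", "")) == "enabled" and received > 0:
        findings.append(f"edge port has received {received} BPDUs: another bridge is attached")
    return findings


def assess_global(text):
    g = parse_fields(text.splitlines())
    findings = []
    if g.get("BPDU-Protection") != "enabled":
        findings.append("BPDU-Protection disabled: a switch on an edge port joins the topology instead of being isolated")
    if not g.get("TC-Protection", "").startswith("enabled"):
        findings.append("TC-Protection disabled: a flapping rogue switch can force repeated topology changes")
    return findings


def audit(global_text, port_text):
    """Return {scope: [findings]} for the global block and each port with a finding."""
    report = {"global": assess_global(global_text)}
    for port in parse_ports(port_text):
        findings = assess_port(port)
        if findings:
            report[port["name"]] = findings
    return report


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_GLOBAL, SAMPLE_PORTS).items():
        for finding in findings:
            print(f"{scope}: {finding}")
```

Run against the real output of the switch (pasted into the two text blocks, or read from a file), it gives a quick check that the answer's two rules hold: STP is enabled on every port that could see another bridge, and no port meant for an end station is quietly talking spanning tree with something that is not one. The check is keyed on the "Config=" half of the "Port Edged" value on purpose, because once a BPDU arrives the "Active=" half flips to disabled and would hide exactly the port you are looking for.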