Alert via e-mail if a loop occurs

frus92
Occasional Visitor

Hello!

I want to configure an alert in IMC version 7.2 that sends an e-mail if a loop occurs. The mail notification with other alarms is working already. The problem is that the switch won't even send a trap if it detects a loop.

I configured the switch with the following commands:

loop-protect all
loop-protect trap loop-detected
snmp-server host xxx.xxx.xxx.xxx community "xxx" trap-level All
snmp-server community "xxx" Unrestricted

Is there any missing configuration on the switch or the IMC?

Thanks!

10 REPLIES
Vince-Whirlwind
Honored Contributor

Re: Alert via e-mail if a loop occurs

Describe the method you are using to create a loop in order to test loop detection.

LindsayHill
Honored Contributor

Re: Alert via e-mail if a loop occurs

The config looks OK.

Does the switch detect & log the loop?

If it does, check with tcpdump on the IMC server - does it receive a trap?

frus92
Occasional Visitor

Re: Alert via e-mail if a loop occurs

Describe the method you are using to create a loop in order to test loop detection.

- I'm connecting two ports of the switch with the same cable.

Does the switch detect & log the loop?

- Yes.

If it does, check with tcpdump on the IMC server - does it receive a trap?

- I did a tcpdump and there was no trap sent to the IMC server.

LindsayHill
Honored Contributor

Re: Alert via e-mail if a loop occurs

OK, so we've narrowed it down - looks like it must be something in the SNMP config on that device.

Do ANY traps get sent from that switch? (e.g. for link up/down, etc). Wondering if there's something else not right - e.g. misconfigured SNMP host IP, or something filtering udp/162 from switch -> IMC server.

Vince-Whirlwind
Honored Contributor

Re: Alert via e-mail if a loop occurs

That's not a loop. That's a spanning-tree loop.

Loop-detect is for detecting a loop that has occurred on an upstream switch, not on the switch itself.

LindsayHill
Honored Contributor

Re: Alert via e-mail if a loop occurs

Vince-Whirlwind wrote:

That's not a loop. That's a spanning-tree loop.

Loop-detect is for detecting a loop that has occurred on an upstream switch, not on the switch itself.

No.

There is no such thing as a spanning-tree loop. Spanning tree is a protocol that exists to *prevent* layer-2 loops. It does not cause loops in itself.

Spanning-tree protocol is one method of detecting and preventing L2 frames from looping around a segment. But it is not the only method for doing so. HP Procurve switches include loop-detect for detecting and preventing such loops. This is *not* the same as Cisco's loopback detection, that detects traffic looped back into the same port.

Taking one cable, and plugging both ends into the same switch is a perfectly valid way of creating a loop. This will be detected by a Procurve switch. It works, and it generates a trap. I tested it myself https://lkhill.com/loop-detection-without-stp/

Besides, what exactly do you mean by "a loop that has occurred on an upstream switch" ? Are you referring to a frame leaving a switch, then coming back in the same port? Or being received by another port on the same switch?

Vince-Whirlwind
Honored Contributor

Re: Alert via e-mail if a loop occurs

I think you've misunderstood the purpose of Loop-protect.

It's not there to detect loops created on the local switch, but to detect loops that have occurred elsewhere.

"You can use BPDU protection for systems that have spanning tree enabled (See "Configuring BPDU Protection" on page 5-27), however, the BPDU protection feature cannot detect the formation of loops when an unmanaged device on the network drops spanning tree packets. To protect against the formation of loops in these cases, you can enable the Loop Protection feature"

Basically, you use spanning tree to ensure your users and staff don't mistakenly create a loop on the switch that you are managing. You use loop-protect on edge ports so you can detect loops that have occurred elsewhere on the network, and set it to disable the port if the loop is detected. It's all described pretty clearly in the manual for whichever switch it is you are working with.

I use Loop-protect as part of my standard build for any switch deployment. It's definitely up there with DHCP snooping and bpdu-protection as vital things to include in your configs.

LindsayHill
Honored Contributor

Re: Alert via e-mail if a loop occurs

Vince-Whirlwind wrote:

I think you've misunderstood the purpose of Loop-protect.

It's not there to detect loops created on the local switch, but to detect loops that have occurred elsewhere.

I don't follow this - I must be missing something. How do you define a loop created on the local switch? A single cable that is connected to two ports on the same switch? And how do you define a loop that has occurred elsewhere? 

What would that second case look like from the perspective of a single switch? If a frame exits one port, and comes back in another port on the same switch, then there is a bridging loop, right? It makes no difference to the switch if that went through a single cable, or through 10 dumb hubs, or another switch that had STP disabled. Or are you thinking of something a bit different?

"You can use BPDU protection for systems that have spanning tree enabled (See "Configuring BPDU Protection" on page 5-27), however, the BPDU protection feature cannot detect the formation of loops when an unmanaged device on the network drops spanning tree packets. To protect against the formation of loops in these cases, you can enable the Loop Protection feature"

BPDU protection (aka BPDU guard in Cisco-speak) is only one part of network protection. The switch could process those BPDUs, and STP could run through its normal processes, and determine if there is the potential for a loop, and if so, may decide to put the port in blocking mode. It doesn't have to block the port just because BPDUs are received. I see BPDU protection as more about detecting unexpected BPDUs because of wilful (e.g. fake BPDUs) or accidental misconfiguration, rather than loop prevention. From the docs:

BPDU protection is a security feature designed to protect the active STP topology by preventing spoofed BPDU packets from entering the STP domain.

Vince-Whirlwind
Honored Contributor

Re: Alert via e-mail if a loop occurs

I think the Procurve manual explains this very clearly.

Let me present a real-world example of the situation Loop-protect is designed for:

A user brings in their 8-port unmanaged switch from home. They patch it into the work network. At some point they absent-mindedly patch one of its ports to another. It's a kind of switch that does not forward BPDU frames.

Loop-protect protects your Edge switch from the broadcast storm which this user has just created by detecting the remote loop and shutting down the connecting Access port.

This scenario is at least as common as the problem of rogue BPDUs or DHCP services and I always use it.

Loop-protect is *not* designed to detect a local loop - that's what STP is for.

frus92
Occasional Visitor

Re: Alert via e-mail if a loop occurs

Do ANY traps get sent from that switch? (e.g. for link up/down, etc).

- After testing if traps are sent from the switch to the IMC it seems like the IMC only gets results by polling the devices. The traps look like this: "Interface "17" State DOWN found during IMC device poll". There is nothing between the switches and the IMC server that could filter udp/162 and the IP of the snmp host is correct. So I guess there is something configured in a wrong way or missing on the IMC server.
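The two checks suggested earlier in the thread (does a trap reach the IMC server at all, and if so which trap) are easier to settle when you can see the decoded trap rather than raw tcpdump bytes, and the last reply shows why: an IMC alarm generated "during IMC device poll" is not evidence that a trap was ever sent. The following is an added example, not code from the thread or from HPE: a small SNMPv2c trap encoder/decoder with a UDP/162 listener. The encoder only exists so the sample trap below is constructed inline and the decoder can be run offline; on a live network the listener shows the source address, community and snmpTrapOID of every trap that arrives. Assumptions: the HP enterprise OID prefix 1.3.6.1.4.1.11 is used only to flag vendor traps (the exact loop-protect trap OID is not on the page and must come from the switch's MIB), and port 162 will normally already be owned by the IMC trap service on the IMC server itself, so run the listener on a separate test host that the switch's snmp-server host line points at, or pick another port.

```python
"""Minimal SNMPv2c trap encoder/decoder to see what really arrives on UDP/162 (added example)."""
import socket

# BER / SNMP tags used by SNMPv2c traps
INT, OCTSTR, NULL, OID, SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDR, COUNTER32, GAUGE32, TIMETICKS = 0x40, 0x41, 0x42, 0x43
TRAP_V2 = 0xA7  # context tag [7]: SNMPv2-Trap-PDU

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"         # sysUpTime.0, always the first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, always the second varbind
# Assumption: HP enterprise arc; the real loop-protect trap OID comes from the switch MIB.
HP_ENTERPRISE_PREFIX = "1.3.6.1.4.1.11."


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def enc_int(tag, value):
    """Non-negative integer in minimal two's complement (INTEGER, TimeTicks, Counter, Gauge)."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def enc_oid(dotted):
    """Dotted OID to BER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_trap(community, uptime_ticks, trap_oid, extra=(), request_id=1):
    """Build an SNMPv2c trap message; extra is an iterable of (oid, tag, value) varbinds."""
    varbinds = [tlv(SEQ, enc_oid(SYS_UPTIME) + enc_int(TIMETICKS, uptime_ticks)),
                tlv(SEQ, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid))]
    for oid, tag, value in extra:
        if tag == OCTSTR:
            enc = tlv(OCTSTR, value.encode())
        elif tag == OID:
            enc = enc_oid(value)
        else:
            enc = enc_int(tag, value)
        varbinds.append(tlv(SEQ, enc_oid(oid) + enc))
    pdu = (enc_int(INT, request_id) + enc_int(INT, 0) + enc_int(INT, 0)
           + tlv(SEQ, b"".join(varbinds)))  # request-id, error-status, error-index, varbinds
    return tlv(SEQ, enc_int(INT, 1) + tlv(OCTSTR, community.encode()) + tlv(TRAP_V2, pdu))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def dec_value(tag, body):
    if tag in (INT, COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INT))
    if tag == OCTSTR:
        return body.decode("ascii", "replace")
    if tag == OID:
        return dec_oid(body)
    if tag == IPADDR:
        return ".".join(str(b) for b in body)
    return None if tag == NULL else body.hex()


def decode_trap(packet):
    """Parse an SNMPv2c trap into version, community, request id and varbinds."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQ:
        raise ValueError("not a BER SEQUENCE")
    _, body, pos = _read_tlv(msg, 0)
    version = int.from_bytes(body, "big", signed=True)
    _, body, pos = _read_tlv(msg, pos)
    community = body.decode("ascii", "replace")
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != TRAP_V2:
        raise ValueError("not an SNMPv2c trap PDU (tag 0x%02x)" % tag)
    _, body, pos = _read_tlv(pdu, 0)
    request_id = int.from_bytes(body, "big", signed=True)
    _, _, pos = _read_tlv(pdu, pos)  # error-status, unused in traps
    _, _, pos = _read_tlv(pdu, pos)  # error-index, unused in traps
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((dec_oid(oid_body), dec_value(vtag, vbody)))
    return {"version": version, "community": community,
            "request_id": request_id, "varbinds": varbinds}


def trap_oid(trap):
    """The snmpTrapOID.0 value, which names the trap type."""
    for oid, value in trap["varbinds"]:
        if oid == SNMP_TRAP_OID:
            return value
    return None


def is_vendor_trap(trap, prefix=HP_ENTERPRISE_PREFIX):
    oid = trap_oid(trap)
    return oid is not None and oid.startswith(prefix)


def receive_traps(port=162, limit=None):
    """Print every decoded trap that arrives; binding port 162 needs root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    seen = 0
    while limit is None or seen < limit:
        packet, (src, _) = sock.recvfrom(65535)
        try:
            trap = decode_trap(packet)
        except (ValueError, IndexError) as exc:
            print(f"{src}: undecodable packet ({exc})")
            continue
        seen += 1
        print(f"{src}: community={trap['community']!r} trapOID={trap_oid(trap)} "
              f"vendor={is_vendor_trap(trap)}")
        for oid, value in trap["varbinds"]:
            print(f"    {oid} = {value!r}")


if __name__ == "__main__":
    receive_traps()
```

Run it on the test host and create the loop as the original poster did; if nothing prints, the switch is not sending, and if a linkDown (1.3.6.1.6.3.1.1.5.3) arrives but no vendor trap does, the SNMP path is fine and the loop-protect trap itself is the thing to chase. Community strings in the output are printed as sent, so treat the terminal log as sensitive.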