
There is a loop in the network because the USG6300 cannot forward STP BPDU packets

Publication Date:  2015-10-30
Issue Description

This is the topology:

In the topology, the interfaces between the USG6300, the S5700 and the CE5800 all work in Layer 2, and all of them carry VLAN 100 except interface G0/0/2 of the S5700. Initially the network was working normally. When the customer added VLAN 100 to interface G0/0/2 of the S5700 (which opens a second Layer-2 path between the two switches), the data center became unreachable; after VLAN 100 was removed from that interface again, service to the data center recovered.

The interface configurations are as follows:

For CE5800:

#
interface GigabitEthernet0/0/1
 description Link to USG6300 G0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094    //VLAN 100 is allowed
#
interface GigabitEthernet0/0/2
 description Link to S5700 G0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094    //VLAN 100 is allowed
#

For S5700:

#
interface GigabitEthernet0/0/1
 description Link to USG6300 G0/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 4000    //VLAN 100 is allowed
#
interface GigabitEthernet0/0/2
 description Link to CE5800 G0/0/2
 port link-type trunk
 port trunk allow-pass vlan 4000    //VLAN 100 is not allowed at first; adding it is the change that triggered the loop
#

For USG6300:

#
interface GigabitEthernet 0/0/0
 description Link to S5700 G0/0/1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 4000    //VLAN 100 is allowed
#
interface GigabitEthernet 0/0/1
 description Link to CE5800 G0/0/1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 4000    //VLAN 100 is allowed
#

Alarm Information
None
Handling Process

(1)    Checked the STP configuration on the S5700 and the CE5800: STP is enabled on all of their interfaces. The USG6300 has no STP configuration, because the USG6300 does not run STP itself; in Layer-2 mode it is expected to forward STP BPDU packets transparently. So, as long as STP runs on interface G0/0/1 of the S5700 and interface G0/0/1 of the CE5800 and their BPDUs reach each other through the firewall, STP should break the loop.

(2)    Since the CE5800 connects directly to the data center, we investigated the CE5800 first. The output of "display mac-address flapping" shows MAC address flapping for the server (286e-xxxx-c847) in the data center:

 

===============================================================
                 display mac-address flapping
===============================================================

Mac-address Flapping Configurations :
-------------------------------------------------------------------------------
  Flapping detection          : Enable
  Aging  time(s)              : 300
  Quit-vlan Recover time(m)   : --
  Exclude vlan-list           : --
-------------------------------------------------------------------------------
S  : start time    E  : end time    (D) : error down
-------------------------------------------------------------------------------
Time              VLAN MAC-Address    Original-Port  Move-Ports     MoveNum
-------------------------------------------------------------------------------
S:2015-08-25 12:07:39 100   286e-xxxx-c847     G0/0/3    G0/0/2     239
E:2015-08-25 12:08:12
-------------------------------------------------------------------------------
Total items on slot 1: 1

The output of "display alarm history verbose" also shows the MAC flapping alarm:

=================================================================
                 display alarm history verbose
=================================================================

Sequence    : 16146
AlarmId     : 0x95E0012             AlarmName : hwMflpVlanLoopAlarm
AlarmType   : quality_of_service    Severity  : Warning          State : cleared
StartTime   : 2015-08-25 12:07:40+10:00
Description : MAC flapping detected, VlanId = 100, MacAddress = 286e-xxxx-c847, Original-Port = G0/0/3, Flapping port = G0/0/2,-. Please check the network to which the interface learning a flapping MAC address is connected.
ClearTime   : 2015-08-25 12:13:44+10:00
ClearType   : service_resume
ClearReason : Mac flapping detection recovered in vlan 100.

So there was clearly a loop in the network: the server's MAC address was learned alternately on G0/0/3 (the data center side) and on G0/0/2 (the link to the S5700) 239 times in about 33 seconds, which a legitimate host move never produces.
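The following Python is an added example, not part of the original case, showing how the two outputs above can be turned into a loop check rather than read by eye: it parses the "display mac-address flapping" table and the hwMflpVlanLoopAlarm description into records, then flags VLAN/port pairs whose move count is too high for an ordinary host migration. The sample output is constructed to match the table on the page, the MAC address is made up in place of the masked one, and the move-count threshold is an assumption, not a vendor value.

```python
"""Parse 'display mac-address flapping' output and the MAC-flapping alarm
text from a Huawei switch and flag records that look like a Layer-2 loop.
Written for this article as an illustration; the sample output below is
constructed to match the page (the MAC address is made up) and the
threshold is an assumption, not a vendor value."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
TS = "%Y-%m-%d %H:%M:%S"

# One "S:" row of the flapping table: start time, VLAN, MAC, original port,
# move port(s), number of moves.
ROW_RE = re.compile(
    r"^S:(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<vlan>\d+)\s+"
    r"(?P<mac>" + MAC + r")\s+(?P<orig>\S+)\s+(?P<moved>\S+)\s+(?P<count>\d+)\s*$"
)
END_RE = re.compile(r"^E:(?P<end>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Description field of hwMflpVlanLoopAlarm as shown in 'display alarm history verbose'.
ALARM_RE = re.compile(
    r"MAC flapping detected, VlanId = (?P<vlan>\d+), MacAddress = (?P<mac>" + MAC + r"), "
    r"Original-Port = (?P<orig>[^,]+), Flapping port = (?P<moved>[^.]+)\."
)

# Constructed sample, laid out like the table on the page.
SAMPLE_OUTPUT = """\
Mac-address Flapping Configurations :
-------------------------------------------------------------------------------
  Flapping detection          : Enable
  Aging  time(s)              : 300
-------------------------------------------------------------------------------
S  : start time    E  : end time    (D) : error down
-------------------------------------------------------------------------------
Time              VLAN MAC-Address    Original-Port  Move-Ports     MoveNum
-------------------------------------------------------------------------------
S:2015-08-25 12:07:39 100   286e-0000-c847     G0/0/3    G0/0/2     239
E:2015-08-25 12:08:12
-------------------------------------------------------------------------------
Total items on slot 1: 1
"""
SAMPLE_ALARM = ("MAC flapping detected, VlanId = 100, MacAddress = 286e-0000-c847, "
                "Original-Port = G0/0/3, Flapping port = G0/0/2,-. Please check the network.")


@dataclass
class FlapRecord:
    start: datetime
    vlan: int
    mac: str
    original_port: str
    move_ports: List[str]
    moves: int
    end: Optional[datetime] = None


def _ports(field: str) -> List[str]:
    """Move-Ports is comma separated and may carry a '-' placeholder."""
    return [p.strip() for p in field.split(",") if p.strip() and p.strip() != "-"]


def parse_flapping(text: str) -> List[FlapRecord]:
    """Turn the CLI table into FlapRecord objects; an 'E:' row closes the
    preceding 'S:' row."""
    records: List[FlapRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            records.append(FlapRecord(datetime.strptime(m["start"], TS), int(m["vlan"]),
                                      m["mac"], m["orig"], _ports(m["moved"]), int(m["count"])))
            continue
        e = END_RE.match(line)
        if e and records and records[-1].end is None:
            records[-1].end = datetime.strptime(e["end"], TS)
    return records


def parse_alarm_description(desc: str) -> Optional[Tuple[int, str, Tuple[str, ...]]]:
    """Extract (vlan, mac, ports) from the alarm text, e.g. from a syslog feed."""
    m = ALARM_RE.search(desc)
    if not m:
        return None
    ports = tuple(sorted({m["orig"].strip(), *_ports(m["moved"])}))
    return int(m["vlan"]), m["mac"], ports


def moves_per_minute(r: FlapRecord) -> Optional[float]:
    """Flapping rate; None while the record is still open."""
    if r.end is None:
        return None
    seconds = max((r.end - r.start).total_seconds(), 1.0)
    return round(r.moves * 60.0 / seconds, 1)


def suspect_loops(records: List[FlapRecord], min_moves: int = 20) -> List[Tuple[int, Tuple[str, ...], int]]:
    """A migrated host moves once; a looped frame is re-learned on every pass
    around the loop, so a high move count between the same ports is the signal."""
    return [(r.vlan, tuple(sorted({r.original_port, *r.move_ports})), r.moves)
            for r in records if r.moves >= min_moves]


if __name__ == "__main__":
    for vlan, ports, moves in suspect_loops(parse_flapping(SAMPLE_OUTPUT)):
        print(f"VLAN {vlan}: MAC bouncing between {' and '.join(ports)} ({moves} moves), check for a loop")
    print("alarm:", parse_alarm_description(SAMPLE_ALARM))
```

The pair of ports returned is where to start tracing: here G0/0/2 is the CE5800's link to the S5700, so the loop passes through that link and whatever other Layer-2 path joins the two switches.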

(3)    Checking the network topology, the only configuration change was adding VLAN 100 to interface G0/0/2 of the S5700. So the loop must be S5700 -> CE5800 -> USG6300 -> S5700. STP is configured on the S5700 and the CE5800, so the problem must lie with the USG6300.

(4)    We reproduced the setup in the lab and found that, with the current configuration, the USG6300 does not forward STP BPDU packets as expected: interface G0/0/1 of the S5700 never receives the BPDUs sent by interface G0/0/1 of the CE5800, and the same holds in the opposite direction. Analysis of how the USG6300 forwards STP BPDU packets shows that it treats BPDUs as ordinary data frames. A BPDU is sent untagged, so when it arrives on G0/0/1 of the USG6300 it is classified into the interface's PVID (VLAN 1 by default). VLAN 1, however, is not permitted on G0/0/1 or G0/0/0 ("undo port trunk permit vlan 1"), so the firewall drops the BPDU instead of forwarding it.

#
interface GigabitEthernet 0/0/0
 description Link to S5700 G0/0/1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1    //VLAN 1 is the PVID of this interface but is not allowed to pass it
 port trunk permit vlan 100 4000
#
interface GigabitEthernet 0/0/1
 description Link to CE5800 G0/0/1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1    //VLAN 1 is the PVID of this interface but is not allowed to pass it
 port trunk permit vlan 100 4000
#

 

Root Cause

(1)    The USG6300 forwards STP BPDU packets as ordinary data frames; it does not process them as STP protocol packets.

(2)    An STP BPDU arrives untagged, so when it reaches G0/0/1 of the USG6300 it is classified into the interface's PVID (VLAN 1 by default). VLAN 1 is not permitted on G0/0/1 or G0/0/0, so the USG6300 drops the BPDU and the two switches never see each other's BPDUs. Tagged traffic in VLAN 100 and VLAN 4000 is unaffected, which is why the network worked until the second Layer-2 path was added.
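To make the mechanism in step (4) and the root cause concrete, here is an added Python model (written for this article, not USG6300 code) of the two Layer-2 trunk interfaces: untagged frames are classified into the PVID on ingress, frames in VLANs not on the permit list are dropped, and on egress the PVID leaves untagged. Run against the configuration from the page, an untagged BPDU is dropped while tagged VLAN 100 data passes; with VLAN 1 permitted it is bridged. The alternative "ALT_PVID" configuration (moving the PVID to an already permitted VLAN) and the mismatched-PVID pitfall are our assumptions added to show the general rule, not changes described on the page.

```python
"""Simplified 802.1Q model of a Layer-2 (portswitch) trunk interface, written
for this article to show why the USG6300 configuration on the page drops STP
BPDUs.  Illustration only, not firewall code: it models ingress VLAN
classification (untagged frame -> PVID), the permit list, and egress
untagging of the PVID, which is all the failure needs."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

STP_BPDU_DST = "0180-c200-0000"  # IEEE 802.1D bridge-group address; BPDUs are sent untagged


@dataclass(frozen=True)
class Frame:
    dst: str
    vlan: Optional[int] = None  # None = no 802.1Q tag on the wire


@dataclass(frozen=True)
class TrunkPort:
    name: str
    permitted: FrozenSet[int]  # 'port trunk permit vlan ...'
    pvid: int = 1              # Huawei trunk ports default to PVID 1

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: an untagged frame is assigned the PVID; a VLAN that is
        not permitted on this port is dropped (None)."""
        vlan = self.pvid if frame.vlan is None else frame.vlan
        return vlan if vlan in self.permitted else None


def bridge(in_port: TrunkPort, out_port: TrunkPort, frame: Frame) -> Optional[Frame]:
    """Forward a frame from one trunk port to another; None means dropped.
    On egress the PVID leaves untagged, any other permitted VLAN keeps its tag."""
    vlan = in_port.classify(frame)
    if vlan is None or vlan not in out_port.permitted:
        return None
    return Frame(frame.dst, None if vlan == out_port.pvid else vlan)


def bpdu_transits(ports: Dict[str, TrunkPort], a: str, b: str) -> bool:
    """True only if an untagged BPDU crosses a->b and b->a and leaves
    untagged, which is what the switch on the far side expects."""
    bpdu = Frame(STP_BPDU_DST)
    return bridge(ports[a], ports[b], bpdu) == bpdu and bridge(ports[b], ports[a], bpdu) == bpdu


def usg_ports(permitted: Iterable[int], pvid: int = 1) -> Dict[str, TrunkPort]:
    """Both Layer-2 interfaces of the USG6300 on the page, same permit list
    and PVID on each."""
    return {name: TrunkPort(name, frozenset(permitted), pvid)
            for name in ("GigabitEthernet0/0/0", "GigabitEthernet0/0/1")}


G0, G1 = "GigabitEthernet0/0/0", "GigabitEthernet0/0/1"

# Configuration from the page: 'undo port trunk permit vlan 1' plus
# 'port trunk permit vlan 100 4000', PVID left at the default of 1.
ORIGINAL = usg_ports({100, 4000})
# The fix in the Solution section: permit VLAN 1 (the PVID) as well.
FIXED = usg_ports({1, 100, 4000})
# Assumed alternative that also satisfies the Suggestions section: the PVID
# is moved to an already permitted VLAN instead of permitting VLAN 1.
ALT_PVID = usg_ports({100, 4000}, pvid=100)
# Assumed pitfall: VLAN 1 permitted but the two ports disagree on PVID, so the
# BPDU is re-emitted with a tag on one side instead of untagged.
MISMATCH = {G0: TrunkPort(G0, frozenset({1, 100, 4000}), pvid=1),
            G1: TrunkPort(G1, frozenset({1, 100, 4000}), pvid=100)}


def summary() -> Dict[str, bool]:
    """Whether BPDUs cross the firewall under each configuration."""
    return {name: bpdu_transits(cfg, G0, G1)
            for name, cfg in (("original", ORIGINAL), ("fixed", FIXED),
                              ("alt_pvid", ALT_PVID), ("mismatch", MISMATCH))}


if __name__ == "__main__":
    for name, ok in summary().items():
        print(f"{name:9s}: BPDU {'forwarded' if ok else 'dropped or re-tagged'}")
    # Tagged VLAN 100 data passes even on the original configuration, which
    # is why the network looked healthy until the second Layer-2 path appeared.
    print("VLAN 100 data:", bridge(ORIGINAL[G0], ORIGINAL[G1], Frame("286e-0000-c847", 100)))
```

The model also makes the scope of the fix visible: once VLAN 1 is permitted, every untagged frame the switches send on those links is bridged through the firewall, not only BPDUs, so the change should be reviewed with that in mind.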
Solution

Change the configuration of G0/0/0 and G0/0/1 on the USG6300 so that VLAN 1 (the PVID of both interfaces) is permitted to pass. Once BPDUs cross the firewall, STP on the S5700 and the CE5800 blocks one of the redundant links and the loop disappears.

Suggestions

When an interface of a USG6300 (or any other Huawei USG6000-series firewall) works in Layer 2 and is expected to pass STP BPDU packets, make sure that the PVID of that interface is permitted on it, on both the ingress and the egress interface, and that both interfaces use the same PVID, so the untagged BPDU leaves the firewall untagged just as it arrived. Otherwise the BPDUs are silently dropped and STP on the switches beyond the firewall cannot detect a loop.
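The corrected Layer-2 interface configuration for the USG6300, written out here as an added example rather than copied from the original page: the VLAN 100/4000 permit list is kept and VLAN 1, the PVID, is added so that untagged BPDUs are classified and bridged. The comments are ours; how "display current-configuration" renders the default-permitted VLAN 1 afterwards may differ from what is shown.

```text
#
interface GigabitEthernet 0/0/0
 description Link to S5700 G0/0/1
 portswitch
 port link-type trunk
 port trunk permit vlan 1 100 4000    //VLAN 1 is the PVID: untagged BPDUs are classified here and are now forwarded
#
interface GigabitEthernet 0/0/1
 description Link to CE5800 G0/0/1
 portswitch
 port link-type trunk
 port trunk permit vlan 1 100 4000    //same permit list and PVID on both sides, so the BPDU leaves untagged
#
```

After the change, "display stp brief" on the S5700 or the CE5800 should show one of the redundant ports in the DISCARDING state, and "display mac-address flapping" on the CE5800 should show no new entries. Permitting VLAN 1 means the firewall now bridges all untagged frames between the two switches, not only BPDUs; if that is not acceptable, the other option consistent with the suggestion above is to set the PVID of both interfaces to a VLAN that is already permitted (for example with "port trunk pvid vlan 100", assuming that command is available on the release in use; check the product CLI reference).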

END