Layer 2 loop problem because of default vlan

Publication Date: 2014-04-29
Issue Description
Even if you have STP, MSTP, SEP or RRPP inside your layer 2 network, managing faults is always challenging. Failures often turn into layer 2 loops, which severely impact the business. Some time ago I had an engineering case and I would like to share the story with you. So let's start.
The working environment is very simple. We have a single RRPP ring deployed as shown below:

SW3 (master RRPP related configuration)
#
vlan batch 2 to 4094
#
stp disable
#
rrpp enable
#

#
stp region-configuration
instance 1 vlan 2 to 4094
active region-configuration
#
rrpp domain 1
control-vlan 4091
protected-vlan reference-instance 1
ring 1 node-mode master primary-port XGigabitEthernet0/0/2 secondary-port XGigabitEthernet0/0/1 level 0
ring 1 enable
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
stp disable
#
interface XGigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
stp disable
#

-----------------------------------------------------------------------------------------------------------------------------------------
SW1, SW2, SW4 and SW5 RRPP related configuration.

#
vlan batch 2 to 4094
#
stp disable
#
rrpp enable
#
stp region-configuration
instance 1 vlan 2 to 4094
active region-configuration
#
rrpp domain 1
control-vlan 4091
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port XGigabitEthernet0/0/2 secondary-port XGigabitEthernet0/0/1 level 0
ring 1 enable
#
interface XGigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
stp disable
#
interface XGigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
stp disable
#

Alarm Information
Traffic on the uplink interfaces reaches 100% utilization.
Handling Process
You have two solutions:
1. Adjust the region configuration to include VLAN 1.
#
stp region-configuration
instance 1 vlan 1 to 4094
#
2. Remove VLAN 1 from the trunks.
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4094
stp disable
#
That's all; I hope you find this case useful.
Root Cause
What do you think will happen if we deploy this configuration? Will it successfully break the loop and avoid any broadcast storm? At first glance this configuration guarantees a loop-free domain, but we didn't consider one point.
VLAN 1, the default VLAN, is not protected: the RRPP protected VLANs come from instance 1, which maps only VLANs 2 to 4094. Even though we didn't configure it explicitly, VLAN 1 is present on all interfaces, as you can see below, because it is the default VLAN, which cannot be deleted and does not need to be created.

--------------------------------------------------------------------------------
1    common  UT:GE0/0/2(D)      GE0/0/3(D)      GE0/0/4(U)      GE0/0/5(D)    
                GE0/0/6(D)      GE0/0/7(D)      GE0/0/8(D)      GE0/0/9(D)    
                GE0/0/10(D)     GE0/0/11(D)     GE0/0/12(D)     GE0/0/13(D)   
                GE0/0/14(D)     GE0/0/15(D)     GE0/0/16(D)     GE0/0/17(D)   
                GE0/0/18(D)     GE0/0/19(D)     GE0/0/20(D)     GE0/0/22(D)   
                GE0/0/23(U)     GE0/0/24(D)     XGE0/0/1(U)     XGE0/0/2(D)
#
vlan batch 2 to 4094
#
stp region-configuration
instance 1 vlan 2 to 4094

In this situation, a broadcast storm may occur on VLAN 1, overloading the equipment and disrupting traffic on other VLANs, including control VLAN 4091, so RRPP hello control packets will be lost and the RRPP ring will become unstable. You don't want to experience this.
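
The gap described above can be checked offline against a saved configuration. The following Python script is an added example, not part of the original case or any Huawei tool: it lists, for each RRPP ring port, the VLANs the trunk carries that no protected instance covers. The names `vlan_set` and `unprotected_vlans` and the `SAMPLE` text are constructed for illustration, and the script assumes that VLAN 1 is carried on every trunk unless removed (as this case describes) and does not model MST instance 0.

```python
import re

# Constructed sample: the transit-node configuration from this page, abridged.
SAMPLE = """\
stp region-configuration
 instance 1 vlan 2 to 4094
 active region-configuration
rrpp domain 1
 control-vlan 4091
 protected-vlan reference-instance 1
 ring 1 node-mode transit primary-port XGigabitEthernet0/0/2 secondary-port XGigabitEthernet0/0/1 level 0
interface XGigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface XGigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
"""

def vlan_set(spec):
    """Expand a VLAN list such as '2 to 10 20' (or 'all') into a set of ints."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    out = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def unprotected_vlans(config):
    """Map each RRPP ring port to the VLANs it carries that no protected instance covers."""
    instances, refs, ring_ports, carried, iface = {}, set(), set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"instance (\d+) vlan (.+)", line):
            instances.setdefault(int(m[1]), set()).update(vlan_set(m[2]))
        elif m := re.match(r"protected-vlan reference-instance (.+)", line):
            refs |= vlan_set(m[1])  # instance IDs use the same list syntax
        elif m := re.match(r"ring \d+ node-mode \S+ primary-port (\S+) secondary-port (\S+)", line):
            ring_ports |= {m[1], m[2]}
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif line == "port link-type trunk":
            carried[iface] = {1}  # assumption from the page: VLAN 1 is on every trunk by default
        elif m := re.match(r"(undo )?port trunk allow-pass vlan (.+)", line):
            cur, vl = carried.setdefault(iface, {1}), vlan_set(m[2])
            carried[iface] = cur - vl if m[1] else cur | vl
    protected = set().union(*(instances.get(i, set()) for i in refs))
    return {p: sorted(carried.get(p, set()) - protected) for p in sorted(ring_ports)}

if __name__ == "__main__":
    for port, vlans in unprotected_vlans(SAMPLE).items():
        print(port, "unprotected VLANs:", vlans or "none")
```

Run against the original configuration, it reports VLAN 1 on both ring ports; after either fix from the Handling Process section, the lists come back empty.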
Suggestions
none. 
