Troubleshooting Forwarding Loops

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml

show catalyst6000 traffic-meter

show interface | include line|\/sec

show interface g4/3 counters errors

cat 6500
remote command switch test spanning-tree process-stats

show spanning-tree vlan 1 detail < — look for topology chg

STP Debugging Commands

Many STP debug commands are intended for development engineering use. They do not provide any output that is meaningful to someone without detailed knowledge of the STP implementation in Cisco IOS software. Some debugs can provide output which is instantly readable, such as port state changes, role changes, events such as TCs, and a dump of received and transmitted BPDUs. This section does not provide a complete description of all of the debugs, but rather briefly introduces the most frequently used ones.

Note: When you use debug commands, enable the minimum necessary debugs. If real-time debugs are not needed, record the output to the log rather than print it to the console. Excessive debugs can overload the CPU and disrupt switch operation. To direct debug output to the log instead of to the console or to Telnet sessions, issue the logging console informational and no logging monitor commands in global configuration mode.

To see the general events log, issue the debug spanning-tree event command for Per VLAN Spanning-Tree (PVST) and Rapid-PVST. This is the first debug that gives a general idea of what is happening with STP.

In Multiple Spanning-Tree (MST) mode, it does not work to issue the debug spanning-tree event command. Therefore, issue the debug spanning-tree mstp roles command to see the port role changes.

To see the port STP state changes, issue the debug spanning-tree switch state command together with the debug pm vp command.

To understand why STP behaves in a certain way, it is often useful to see the BPDUs that are received and sent by the switch:

debug spanning-tree bpdu receive

This debug works for PVST, Rapid-PVST, and MST modes; but it does not decode the contents of the BPDUs. However, you can use it to ensure that BPDUs are received.

To see the contents of the BPDU, issue the debug spanning-tree switch rx decode command together with the debug spanning-tree switch rx process command for PVST and Rapid-PVST. Issue the debug spanning-tree mstp bpdu-rx command to see the contents of the BPDU for MST.

For the MST mode, you can enable detailed BPDU decode with this debug command:

debug spanning-tree mstp bpdu-rx

Note: For Cisco IOS Software Release 12.1.13E and later, conditional debugs for STP are supported. This means that you can debug BPDUs that are received or transmitted on a per-port or per-VLAN basis.

Issue the debug condition vlan vlan_num or debug condition interface interface commands, to limit the scope of the debug output to per-interface or per-VLAN.

Securing the Network Against Forwarding Loops

• When enabled, UDLD and Loop Guard eliminate the majority of the possible causes for forwarding loops. Rather than create a forwarding loop, the offending link (or all links dependent on the failing hardware) is shut down or blocked.
• Enable portfast on all end-station ports.
• Set EtherChannels to desirable mode on both sides (where supported) and non-silent  option.
• Do not disable auto-negotiation (if supported) on switch-to-switch links.
• Use caution when you tune the STP timers.
• If denial of service attacks are possible, secure the network STP perimeter with Root Guard.
• Enable BPDU Guard on portfast-enabled ports, to prevent STP from being affected by unauthorized network devices (such as hubs, switches, and bridging routers) that are connected to the ports.
• Avoid user traffic on the management VLAN. The management VLAN is contained to a building block, not the entire network.
• A predictable (hardcoded) STP root and backup STP root placement.