LAB GUIDE

Loop Protect
IMPORTANT! THIS GUIDE ASSUMES THAT THE AOS-CX OVA HAS BEEN INSTALLED AND WORKS IN GNS3 OR EVE-NG. PLEASE
REFER TO GNS3/EVE-NG INITIAL SETUP LABS IF REQUIRED.
https://www.eve-ng.net/index.php/documentation/howtos/howto-add-aruba-cx-switch/

TABLE OF CONTENTS
Lab Objective .............................................................................................................................................. 1
Lab Overview .............................................................................................................................................. 1
Lab Network Layout .................................................................................................................................... 2
Lab Tasks ................................................................................................................................................... 2
Task 1 – Lab setup ..................................................................................................................................... 2
Task 2 – Configure VLANs and Interfaces .................................................................................................. 3
Task 3 – Enable loop protect on Switch1 .................................................................................................... 3
Task 4 – Enable loop and verify loop is prevented on Switch1 .................................................................... 5
Appendix – Complete Configurations .......................................................................................................... 6

Lab Objective
This lab will provide hands on experience with the Loop Protect feature in AOS-CX.

Loop protect is helpful in environments where STP cannot be used to detect and prevent loops in an L2 network.

Lab Overview
This lab as shown in Figure 1 has 3 switches connected in a loop.

In this lab, you will:

- Configure 802.1Q trunks with 2 VLANs between the 3 switches

- Create an L2 loop between the 3 switches

- Use packet capture to identify loop protect packets being sent out of a switch

- Ensure loop protect detects and prevents a loop by shutting down a port

1
Lab Guide
Loop Protect

Lab Network Layout

Figure 1. Lab topology and addresses

Lab Tasks
Task 1 – Lab setup
For this lab refer to Figure 1 for topology and IP address details.

• Start all the devices, including hosts

• Open each switch console and log in with user “admin” and hit enter, so that no password is applied
• Set your desired password
• Change all hostnames as shown in the topology:
configure
hostname …
• On all devices, bring up required ports:
int 1/1/1-1/1/6
no shutdown
use “exit” to go back a level

• Validate LLDP neighbors appear as expected on each switch

show lldp neighbor

Switch1
Switch1(config)# sh lld nei

LLDP Neighbor Information

=========================

Total Neighbor Entries : 2

Total Neighbor Entries Deleted : 0
Total Neighbor Entries Dropped : 0
Total Neighbor Entries Aged-Out : 0

LOCAL-PORT CHASSIS-ID PORT-ID PORT-DESC TTL SYS-NAME

-----------------------------------------------------------------------------------------------
1/1/2 08:00:09:8a:14:fa 1/1/1 1/1/2 120 Switch2
1/1/3 08:00:09:12:8e:9e 1/1/2 1/1/2 120 Switch3

2
Lab Guide
Loop Protect

Task 2 – Configure VLANs and Interfaces

• Configure interfaces, 802.1Q trunks and required VLANs on these 3 switches
Switch1
Switch1(config)# vlan 10-11
Switch1(config-vlan-<10-11>)# int 1/1/2-1/1/3
Switch1(config-if-<1/1/2-1/1/3>)# no routing
Switch1(config-if-<1/1/2-1/1/3>)# vlan trunk allowed 10-11

! We will shut down 1/1/3 for now to break the loop

Switch1(config-if-<1/1/2-1/1/3>)# int 1/1/3
Switch1(config-if)# shu

Switch2
Switch2(config)# vlan 10-11
Switch2(config-vlan-<10-11>)# int 1/1/1-1/1/2
Switch2(config-if-<1/1/1-1/1/2>)# no routing
Switch2(config-if-<1/1/1-1/1/2>)# vlan trunk allowed 10-11

Switch3
Switch3(config)# vlan 10-11
Switch3(config-vlan-<10-11>)# int 1/1/1-1/1/2
Switch3(config-if-<1/1/1-1/1/2>)# no routing
Switch3(config-if-<1/1/1-1/1/2>)# vlan trunk allowed 10-11

Task 3 – Enable loop protect on Switch1

• Enable loop protect on ports to other switches, enabling it on 1 VLAN will be sufficient to detect loops
Switch1(config)# int 1/1/2-1/1/3
Switch1(config-if-<1/1/2-1/1/3>)# loop-protect vlan 10

• Verify loop protect on ports

Switch1(config-if-<1/1/2-1/1/3>)# do sh loop-protect

Status and Counters - Loop Protection Information

Transmit Interval : 5 (sec)

Port Re-enable Timer : Disabled
Loop Detected Trap : Disabled

Interface 1/1/2
Loop-protect enabled : Yes
Loop-Protect enabled VLANs : 10
Action on loop detection : TX disable
Loop detected count : 0
Loop detected : No
Interface status : up

Interface 1/1/3
Loop-protect enabled : Yes
Loop-Protect enabled VLANs : 10
Action on loop detection : TX disable
Loop detected count : 0
Loop detected : No
Interface status : down

3
Lab Guide
Loop Protect

• Start a packet capture on Switch1 (1/1/2) connected to Switch2

• You should see the protocol ID: 0x0003 packets being sent into the network that are used for loop protect detection with
source MAC info

4
Lab Guide
Loop Protect

Task 4 – Enable loop and verify loop is prevented on Switch1

• On Switch1, unshut 1/1/3 to create loop
Switch1
Switch1(config-if-<1/1/2-1/1/3>)# int 1/1/3
Switch1(config-if)# no shu

If a loop protect packet is received by the same switch that sent it, it indicates a loop exists and one of the following actions is
taken:
- Discovery of the loop is logged but port states are not changed
- The sending port is disabled
- The sending and receiving ports are both disabled

• Verify loop is detected and prevented as 1 of the ports is disabled (default loop protect behaviour)
Switch1(config-if)# do sh loop-pro

Status and Counters - Loop Protection Information

Transmit Interval : 5 (sec)

Port Re-enable Timer : Disabled
Loop Detected Trap : Disabled

Interface 1/1/2
Loop-protect enabled : Yes
Loop-Protect enabled VLANs : 10
Action on loop detection : TX disable
Loop detected count : 1
Loop detected : Yes
Detected on VLAN : 10
Detected at : 2021-06-09T22:57:12
Interface status : down

Interface 1/1/3
Loop-protect enabled : Yes
Loop-Protect enabled VLANs : 10
Action on loop detection : TX disable
Loop detected count : 0
Loop detected : No
Interface status : up

5
Lab Guide
Loop Protect

Appendix – Complete Configurations

• If you face issues during your lab, you can verify your configs with the configs listed in this section

• If configs are the same, try powering off/powering on the switches to reboot them

Switch1
Switch1# sh run
Current configuration:
!
!Version ArubaOS-CX Virtual.10.07.0004
!export-password: default
hostname Switch1
user admin group administrators password ciphertext
AQBapfLDQUyYkc7G8jiiLYsVnVobj/u9GrYoWrQhC8Bh+ntZYgAAAKOg2fGgyuPFaVC3uFWTfi6WvU6/1BdR2bZw0wU/WN0
Cj7UO55iWY2vKztqXIDrAQdc8TAuZkFGwg0Jp3by5k2
uqtI6kkkQvRzTUxHB0orUPOke1I/qbUjfR3Mh+nJpQ9O23
led locator on
ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
ntp enable
!
!
!
!
!
!
ssh server vrf mgmt
vlan 1,10-11
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
no shutdown
interface 1/1/2
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 10-11
loop-protect
loop-protect vlan 10
interface 1/1/3
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 10-11
loop-protect
loop-protect vlan 10
interface 1/1/4
no shutdown
interface 1/1/5
no shutdown
interface 1/1/6
no shutdown
!
!
!
!
!
https-server vrf mgmt
https-server vrf mgmt

6
Lab Guide
Loop Protect

Switch2
Switch2# sh run
Current configuration:
!
!Version ArubaOS-CX Virtual.10.07.0004
!export-password: default
hostname Switch2
user admin group administrators password ciphertext
AQBapThMptxqFInprZFYSpfPwBfxijWFnBfUzZe+BxJ5fLofYgAAACZtxwdeBkcZfgVmJccE1ku3trTvX1kGFIAiejEGkNK
Ok8biKq/n9Es5h1jhrzPDjYgz6caIUuPIoZDok8GL2u
3aegtAv9K3DtF2299xDkEhzwUJneH94hoWxsLEjKGU9fFa
led locator on
ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst
ntp enable
!
!
!
!
!
!
ssh server vrf mgmt
vlan 1,10-11
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 10-11
interface 1/1/2
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 10-11
interface 1/1/3
no shutdown
interface 1/1/4
no shutdown
interface 1/1/5
no shutdown
interface 1/1/6
no shutdown
!
!
!
!
!
https-server vrf mgmt

Switch3
Switch3# sh run
Current configuration:
!
!Version ArubaOS-CX Virtual.10.07.0004
!export-password: default
hostname Switch3
user admin group administrators password ciphertext
AQBapVspfXYst0T2YjNexlVhZr+WzEpljJGdqToDdWVsSNp7YgAAAE82gWYabqopE61bU2c/Z5C5cOJgoIqRc/LbA2S2gVu
7pulAJqtp7NOhYtmOdwKUXmv4ybkygabKIKEUs5IRDm
G/H1JnB2Poo44H+MI/m8J8dmI0Yn9xuDzyGu/TCozjgn+a
led locator on

7
Lab Guide
Loop Protect

ntp server pool.ntp.org minpoll 4 maxpoll 4 iburst

ntp enable
!
!
!
!
!
!
ssh server vrf mgmt
vlan 1,10-11
interface mgmt
no shutdown
ip dhcp
interface 1/1/1
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 10-11
interface 1/1/2
no shutdown
no routing
vlan trunk native 1
vlan trunk allowed 10-11
interface 1/1/3
no shutdown
interface 1/1/4
no shutdown
interface 1/1/5
no shutdown
interface 1/1/6
no shutdown
!
!
!
!
!
https-server vrf mgmt

8
www.arubanetworks.com
3333 Scott Blvd. Santa Clara, CA 95054
1.844.472.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | [email protected]
9